What is RBAC in Microsoft 365?
Role-Based Access Control (RBAC) assigns permissions according to a user's role within an organisation rather than to individuals one by one. Microsoft 365 spans three separate RBAC systems: Entra ID directory roles (formerly Azure AD roles), Azure resource roles (for services such as Azure Storage or Key Vault), and the service-specific admin roles in workloads such as Exchange Online and Defender. These are distinct permission models: a role in one does not grant rights in another, with the notable exception that a Global Administrator can elevate their own access to manage every Azure subscription in the tenant. Built-in roles provide predefined permission sets, while custom roles allow granular control tailored to specific business needs. Custom roles must be designed carefully, since a broadly scoped custom role can quietly confer the same reach as a built-in privileged role.
RBAC Governance in Australian Tenants
A common failing observed in Australian mid-market Microsoft 365 environments is an overabundance of permanently assigned Global Administrator accounts. Microsoft's own guidance is to keep the number of Global Administrators below five, with permanent assignment limited to a small set of break-glass accounts. To get there, implement Privileged Identity Management (PIM, which requires Entra ID P2) so that administrators are eligible for the role and activate it for a limited window, with MFA and justification, instead of holding it standing. Regular Access Reviews then catch assignments that are no longer needed and remove them. Combining these with Conditional Access policies that constrain where and how privileged roles can be used provides a repeatable governance loop. This aligns with the "restrict administrative privileges" control in the ACSC Essential Eight, helps demonstrate reasonable steps to protect personal information under the Privacy Act 1988, and supports the information security capability that APRA CPS 234 requires of regulated entities.
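The first step in that loop is knowing how many principals actually hold Global Administrator, and whether they hold it permanently or only through PIM. The script below is an added example, not code from the original page; it uses the Microsoft Graph PowerShell SDK and assumes the SDK is installed, the tenant has Entra ID P2 (the schedule-instance endpoints are PIM features), and the signed-in account can consent to the two read-only scopes. The Global Administrator template ID is a fixed, well-known value; the helper function name and the report columns are this example's own choices.

```powershell
# Added example (not from the original page): audit Global Administrator
# assignments and separate permanent assignments from PIM-eligible ones.
# Assumes: Microsoft.Graph PowerShell SDK, an Entra ID P2 licence, and an
# account able to consent to the read-only scopes below.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All' -NoWelcome

# Global Administrator's template ID is identical in every tenant, and for
# built-in directory roles the roleDefinition id equals the template ID.
$gaRoleId = '62e90394-69f5-4237-9190-012177145e10'

# Active assignments: 'Assigned' with no end date is a standing (permanent)
# assignment; 'Activated' is a PIM activation that expires on its own.
$activeInstances = @(Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance `
    -Filter "roleDefinitionId eq '$gaRoleId'" -All)

# Eligible assignments: principals who must activate through PIM to use the role.
$eligibleInstances = @(Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance `
    -Filter "roleDefinitionId eq '$gaRoleId'" -All)

# Resolve principal IDs in one batch. Principals may be users, groups or
# service principals, so go through directoryObjects rather than Get-MgUser.
$principalIds = @(($activeInstances + $eligibleInstances).PrincipalId |
    Where-Object { $_ } | Sort-Object -Unique)
$principals = @{}
if ($principalIds.Count -gt 0) {
    foreach ($obj in Get-MgDirectoryObjectById -Ids $principalIds) {
        $principals[$obj.Id] = $obj
    }
}

# Hypothetical helper name (this example's own): render a principal as
# "upn-or-displayName [objectType]" for the report.
function Get-PrincipalLabel([string]$Id) {
    $obj = $principals[$Id]
    if (-not $obj) { return "$Id (not found)" }
    $name = $obj.AdditionalProperties['userPrincipalName']
    if (-not $name) { $name = $obj.AdditionalProperties['displayName'] }
    $type = $obj.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''
    return "$name [$type]"
}

$report = @(
    foreach ($i in $activeInstances) {
        if ($i.AssignmentType -eq 'Activated') { $state = 'PIM-activated' }
        elseif ($i.EndDateTime)                { $state = 'Time-bound' }
        else                                   { $state = 'Permanent' }
        [pscustomobject]@{
            Principal  = Get-PrincipalLabel $i.PrincipalId
            State      = $state
            MemberType = $i.MemberType   # Direct, or Group when inherited via a role-assignable group
            Expires    = $i.EndDateTime
        }
    }
    foreach ($i in $eligibleInstances) {
        [pscustomobject]@{
            Principal  = Get-PrincipalLabel $i.PrincipalId
            State      = 'PIM-eligible'
            MemberType = $i.MemberType
            Expires    = $i.EndDateTime
        }
    }
)

$report | Sort-Object State, Principal | Format-Table -AutoSize

# The number to drive down: standing assignments should be limited to a few
# break-glass accounts; everyone else should appear only as PIM-eligible.
$permanent = @($report | Where-Object State -eq 'Permanent')
Write-Host "Permanent Global Administrator assignments: $($permanent.Count)"
```

Run it before and after a PIM rollout and keep the output with the access review record: the "Permanent" rows are the ones to convert to eligible assignments or remove, and any "Group" member type is worth a second look because it means membership of a role-assignable group, not the role itself, is what needs reviewing.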