Help Center
Find help articles, support information and more.
Audit Vault for M365 Roles and Permissions Guide
Introduction:
This guide gives you an overview of the roles and permissions in Audit Vault for M365. It also explains best practices for managing roles and user group membership over time.
What you'll learn:
- The roles and permission groups in Audit Vault for M365, and what level of access each provides.
- Best practices for setting up and managing user groups in Audit Vault for M365.
Prerequisites:
Before you begin, make sure the following is already set up:
- Audit Vault for M365 has been successfully configured for your organization.
- Your Microsoft 365 tenant is properly connected to Audit Vault.
Audit Vault Roles & Groups:
Audit Vault for M365 works seamlessly with Microsoft 365 (Office 365). Any user in your organization or Microsoft 365 tenant can be given access by being added to a Role Group in the application. Just like Microsoft 365, Audit Vault uses Role Groups to control access to different features.
Users and Roles Explained:
- Users: These are any users within your Microsoft 365 organization or tenant.
- Roles: A role is a group that holds one or more users. Each role gives access to specific features in the application. You add users to the role that matches the level of access they need.
Role Permissions Hierarchy:
The roles are arranged in a top-down structure:
- Higher roles include all the permissions of the roles below them.
- Lower roles do not have access to the permissions of the roles above them.
This setup helps ensure that users only have access to what they need, while administrators and power users can access more advanced features.
Company Administrator:
Description:
- Has full access to all management features in this application
Who should be assigned to this role:
- Assign the Company Administrator role to users who need access to all permissions, features and data across the application. Giving too many users Company Administrator access is a security risk. We recommend that you have between 2 and 4 Company Administrators.
- Note: The person who signed up for this service was automatically assigned as a Company Administrator. You should evaluate to ensure that person should have that level of access.
Access:
- Manage Company Settings
- Manage Users
- Manage Role Assignments
- Manage Billing
- View User Activity Logs
- Manage Tenant Privacy Settings (restrict selected fields from being viewed in Audit Log Details)
- And all access from the roles below
Tenant Administrator:
Description:
- Privileged users who can manage the specified Tenant in this application
Who should be assigned to this role:
- Assign the Tenant Administrator role to users who need access to administer the day-to-day operations of the application. This includes granting users’ access, running reports and reviewing the status of the application. We recommend that you have between 2 and 4 Tenant Administrators.
Access:
- Manage Tenant Role Assignments
- Manage Tenant Settings
- View, Run, Manage and Delete any Insights Searches that belong to the Tenant
- And all access from the roles below
Tenant Report Reader:
Description:
- Can run and view reports, insights searches, and view audit information for the specified Tenant
Who should be assigned to this role:
- Assign the Tenant Report Reader role to users who need access to run and view reports, insight searches, and view audit information for the specified Tenant.
Access:
- View and Run Reports
- View, Run, Manage and Delete your own Insight Searches
- And all access from the roles below
Tenant Viewer:
Description:
- Can view Tenant status, and can be used to manage access to SharePoint View Item Audit History Page for the Tenant
Who should be assigned to this role:
- Assign the Tenant Viewer role to users who need access to view App status, and can be used to manage access to SharePoint View Item Audit History Page for the Tenant.
Access:
- View Tenant Status, and option for access to the SharePoint View Item Audit History Page for the Tenant
Best Practices:
To get the most out of Audit Vault for M365, it's important to plan your roles and user access carefully. Here are some tips to help:
- Plan Ahead
- Before you start using Audit Vault, make a list of who in your organization needs access, and what roles they should have.
- Use role groups to control access. This makes it easier to manage who can do what in the application.
- When first setting up Audit Vault for M365, use your list to add users to the correct role groups.
-
Review Permissions Regularly
- A Company or Tenant Administrator should review role group membership on a regular basis—ideally once every quarter.
- During the review, check if the right people are still in the right roles:
- Has anyone changed jobs or responsibilities?
- Should anyone be added or removed from a role group?
- Update the role group memberships as needed to keep access up to date and secure.
- Be Careful with Role Assignments
- Assigning a user to a role group gives them all the permissions associated with that role.
- Make sure users are only assigned roles that match their job responsibilities.
Planning out your permissions and first-use in your organization
- List out who needs access to which roles in your organization
- You can simply use the role groups to manage who has access to what for Audit Vault for M365
- When first setting up Audit Vault for M365 - based on your list, add the appropriate users to the role groups
Periodic review of permissions
- The Company or Tenant Administrator(s) should perform a review (ex. Quarterly) of your role membership to ensure they are accurate and still valid. Review the role membership and determine if user membership is still valid or have users changed roles and need to be removed or added from a role. Perform updates to role membership as required.
Use care when assigning users to Audit Vault for M365 role groups - as that will effectively grant those users the permissions provided by that role group.
Need Help? Reach out to support by clicking the button below.