Office 365 for IT Pros

How to Report Membership of Microsoft 365 Compliance Role Groups


The Looming End for the Security and Compliance Center

Updated 18 June 2023

A reader asked how to create a report of the membership of Microsoft 365 role groups. Although this sounds like a straightforward question, the answer is complex. Here’s why.

Originally, compliance functionality was workload-based. Exchange Online had its own features as did SharePoint Online. In 2016, Microsoft introduced the Office 365 Security and Compliance Center (SCC) to bring together functionality which applied across all workloads. Permissions for the SCC follow the Exchange Online Role-Based Access Control (RBAC) model. Users receive permissions to perform actions through membership of role groups. If your account is a member of the right role group, you can perform a compliance action, like running a content search or managing an eDiscovery case. If it’s not, you won’t see the options to perform those actions displayed in the SCC.

Here’s where the situation becomes complicated. We are in the middle of a transition from the SCC to the Microsoft 365 compliance center, which Microsoft launched in 2018. Three years and a lot of confusion later, an April 15 blog post warns that Microsoft will soon start to redirect users automatically from the SCC to the Microsoft 365 compliance center. Message center notification MC256030 posted on May 12 confirms that a new permissions management page in the Microsoft 365 compliance center will make role management easier (Microsoft 365 roadmap item 72239).

Update: The Microsoft 365 compliance center is now the Microsoft Purview portal. I’ve also updated the PowerShell code in this post to use the Microsoft Graph PowerShell SDK.

New Permissions Management Page

Figure 1: The new permissions page in the Microsoft 365 compliance center

The new permissions management page (Figure 1) allows management for both Entra ID roles and compliance center roles (more correctly, role groups). The differences between the two are:

The permission management page shows Entra ID roles used to perform compliance tasks. Currently, the page lists nine Entra ID roles like compliance administrator and compliance data administrator. Other Entra ID roles like Teams Administrator don’t appear because they are not associated with compliance management.

Reporting Who Holds Compliance Roles

Returning to the original question of how to generate a report about the holders of different compliance roles, the answer depends on whether you want to report the membership of compliance role groups or Entra ID roles. Given that more functionality is governed by the latter type at present, the following code is a solution.

The steps to create the report are:

Here’s the code:

# Connect-IPPSSession loads Get-RoleGroup; Get-ExoMailbox needs an Exchange Online session as well
Connect-ExchangeOnline
Connect-IPPSSession
[array]$RoleGroups = Get-RoleGroup
$Report = [System.Collections.Generic.List[Object]]::new()
ForEach ($RoleGroup in $RoleGroups) {
    [array]$Members = $RoleGroup.Members
    $MemberNames = [System.Collections.Generic.List[Object]]::new()
    ForEach ($Member in $Members) {
       # Members come back as distinguished-name style strings; the object GUID is the
       # 36 characters that follow "onmicrosoft.com/"
       $MemberName = $null
       $Start = $Member.IndexOf("onmicrosoft.com/")
       If ($Start -ge 0) {
          $MemberId = $Member.SubString($Start + 16, 36)
          $MemberName = (Get-ExoMailbox -Identity $MemberId -ErrorAction SilentlyContinue).DisplayName
       }
       # Fall back to the raw member string when no mailbox matches (for example, a group)
       If ([string]::IsNullOrEmpty($MemberName)) { $MemberName = $Member }
       $MemberNames.Add($MemberName)
    }
    # Role groups that have never been modified report a placeholder change date of 1 January 2020
    If ($RoleGroup.WhenChanged -eq [datetime]"2020-01-01T00:00:00") {
       $RoleGroupChanged = "Never"
    } Else {
       $RoleGroupChanged = Get-Date ($RoleGroup.WhenChanged) -Format g
    }

    $MemberNames = $MemberNames -join ", "
    $ReportLine = [PSCustomObject][Ordered]@{
       "Role Group"           = $RoleGroup.DisplayName
       "Members"              = $MemberNames
       "Last Updated"         = $RoleGroupChanged
    }
    $Report.Add($ReportLine)
} #End ForEach $RoleGroup
$Report | Sort-Object "Role Group" | Out-GridView

Figure 2 shows what the report looks like. A simple Export-CSV command will write the details out to a CSV file if you want to manipulate the data in Excel.

Figure 2: Reporting membership of compliance role groups

The same approach works to create a report for the Entra ID roles. In this case, you use the Get-MgDirectoryRole cmdlet to find the set of roles and Get-MgDirectoryRoleMember cmdlet to process each role (here’s an example of using these cmdlets to report on Microsoft 365 admin accounts which aren’t protected by multi-factor authentication).

Connect-MgGraph -Scopes Directory.Read.All
# Get-MgDirectoryRole returns the roles that have been activated in the tenant
[array]$RoleGroups = Get-MgDirectoryRole | Sort-Object DisplayName

$Report = [System.Collections.Generic.List[Object]]::new()
ForEach ($RoleGroup in $RoleGroups) {
    [array]$Members = Get-MgDirectoryRoleMember -DirectoryRoleId $RoleGroup.Id
    # Member display names live in the AdditionalProperties hashtable of each directory object
    $MemberNames = $Members.AdditionalProperties.displayName -join ", "
    $ReportLine = [PSCustomObject][Ordered]@{
       "Role Group"          = $RoleGroup.DisplayName
       "Members"             = $MemberNames
       "Description"         = $RoleGroup.Description
    }
    $Report.Add($ReportLine)
} #End ForEach $RoleGroup
$Report | Out-GridView
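Because the holders of compliance roles can run content searches or manage eDiscovery cases, a one-off report is less useful than knowing when membership changes. The following function is an added example (not code from the original post) that compares the $Report produced by either script above with a CSV baseline from a previous run and lists members that were added or removed; the baseline path is an assumption for illustration.

```powershell
# Added example: compare a freshly generated role report against a saved baseline CSV.
# Works with the $Report objects from either script above because both expose a
# "Role Group" column and a comma-separated "Members" column.
# The baseline file path is an assumption for illustration.
function Compare-RoleReport {
    param (
        [Parameter(Mandatory)] [array]  $CurrentReport,   # output of either report script
        [Parameter(Mandatory)] [string] $BaselinePath     # CSV written by a previous run
    )
    if (-not (Test-Path $BaselinePath)) {
        # First run: nothing to compare against, so just establish the baseline
        $CurrentReport | Export-Csv -Path $BaselinePath -NoTypeInformation -Encoding UTF8
        Write-Output "Baseline created at $BaselinePath"
        return
    }
    $Baseline = Import-Csv -Path $BaselinePath

    # Index both snapshots by role name and split the member string back into a list
    $Old = @{}
    foreach ($Row in $Baseline)      { $Old[$Row.'Role Group'] = @($Row.Members -split ',\s*' | Where-Object { $_ }) }
    $New = @{}
    foreach ($Row in $CurrentReport) { $New[$Row.'Role Group'] = @($Row.Members -split ',\s*' | Where-Object { $_ }) }

    $Changes = [System.Collections.Generic.List[Object]]::new()
    foreach ($Role in (@($Old.Keys) + @($New.Keys) | Sort-Object -Unique)) {
        # A role missing from one snapshot yields $null, so every member on the other side counts as a change
        $Added   = $New[$Role] | Where-Object { $_ -notin $Old[$Role] }
        $Removed = $Old[$Role] | Where-Object { $_ -notin $New[$Role] }
        foreach ($m in $Added)   { $Changes.Add([PSCustomObject]@{ Role = $Role; Change = 'Added';   Member = $m }) }
        foreach ($m in $Removed) { $Changes.Add([PSCustomObject]@{ Role = $Role; Change = 'Removed'; Member = $m }) }
    }

    # Overwrite the baseline so the next run compares against this snapshot
    $CurrentReport | Export-Csv -Path $BaselinePath -NoTypeInformation -Encoding UTF8
    return $Changes
}

# Usage after running either report script above (path is illustrative):
# Compare-RoleReport -CurrentReport $Report -BaselinePath "C:\Temp\RoleGroupBaseline.csv" | Format-Table
```

Display names that themselves contain a comma will be split into two entries, so treat the output as a prompt for review rather than an authoritative audit record.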

Simple questions often have complex answers. In this case, it’s a matter of deciding what kind of role holders you want to report. Once you know that, the PowerShell to generate the report is relatively straightforward.
