AIP Roles and labeling.

Question

I'm trying to help my administrator give me proper roles for setting up labels and policies in Azure Information Protection. I had him assign me AIP administrator and Security administrator. Then in our microsoft security and compliance center, I had him add me to the Security administrators group. I could now get to the security and compliance center and make sensitivity labels there with no problem.

Now when I go back to AIP to create labels there, It gives me an insufficient roles error:

Shouldn't I have these roles now? I know the help page says there's a difference between exchange and o365 roles, but I'm pretty sure I'm in o365.

Answer 1

This one was easier. I didn't know that Azure could take up to 30 mins to fill out the back end.

I was eventually able to make labels after that time period with no changes to my roles.

Answer 2

RBAC for Azure should follow the below hierarchical level, probably need to be compliance administrator on O365

"The inheritance order for scope is Management group, Subscription, Resource group, Resource. For example, if you assigned a Contributor role to a group at the Subscription scope level, it will be inherited by all Resource groups and Resources."

a good starting point for him would be https://learn.microsoft.com/en-us/learn/modules/secure-azure-resources-with-rbac/

hope this helps.

Answer 3

Where do you want to create the labels? In Security & Compliance Center here https://protection.office.com/sensitivity?viewid=sensitivitylabels or in Azure portal here https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/globalBlade or ... ?

For Security & Compliance Center, Seucirty admin role group should be enough.