question

ConnorJohnston-4656 avatar image
0 Votes"
ConnorJohnston-4656 asked ·

AIP Roles and labeling.

I'm trying to help my administrator give me proper roles for setting up labels and policies in Azure Information Protection. I had him assign me AIP administrator and Security administrator. Then in our microsoft security and compliance center, I had him add me to the Security administrators group. I could now get to the security and compliance center and make sensitivity labels there with no problem.

Now when I go back to AIP to create labels there, It gives me an insufficient roles error:alt text



Shouldn't I have these roles now? I know the help page says there's a difference between exchange and o365 roles, but I'm pretty sure I'm in o365.

azure-information-protection
to-mssupport.png (8.1 KiB)
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

ConnorJohnston-4656 avatar image
0 Votes"
ConnorJohnston-4656 answered ·

This one was easier. I didn't know that Azure could take up to 30 mins to fill out the back end.

I was eventually able to make labels after that time period with no changes to my roles.

· Share
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

BrandenNaidoo avatar image
0 Votes"
BrandenNaidoo answered ·

RBAC for Azure should follow the below hierarchical level, probably need to be compliance administrator on O365

"The inheritance order for scope is Management group, Subscription, Resource group, Resource. For example, if you assigned a Contributor role to a group at the Subscription scope level, it will be inherited by all Resource groups and Resources."

a good starting point for him would be https://docs.microsoft.com/en-us/learn/modules/secure-azure-resources-with-rbac/

hope this helps.

· Share
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

LukasBeran avatar image
0 Votes"
LukasBeran answered ·

Where do you want to create the labels? In Security & Compliance Center here https://protection.office.com/sensitivity?viewid=sensitivitylabels or in Azure portal here https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/globalBlade or ... ?

For Security & Compliance Center, Seucirty admin role group should be enough.

· Share
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.