Planning for role assignments
One of the core tenets of security is the use of a least-privilege model. Least privilege means delegating the minimum level of permissions to accomplish a particular task. In the context of Microsoft 365 and Azure AD, this translates to using the built-in roles for services, applications, and features where possible, instead of granting the Global Administrator role. Limiting the administrative scope for services based on roles is commonly referred to as role-based access control (RBAC).
To help organizations plan a least-privileged deployment, Microsoft currently maintains a list of the least-privileged roles necessary to accomplish certain tasks, grouped by application or content area: https://learn.microsoft.com/en-us/azure/active-directory/roles/delegate-by-task.
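One way to check an existing tenant against this principle is to review who actually holds Global Administrator. The following Python is an added example, not code from the original text or from Microsoft: it audits a constructed role-assignment export whose records borrow Microsoft Graph property names. The sample principals, the placeholder Helpdesk role ID, and the `max_global_admins` threshold are assumptions.

```python
from collections import defaultdict

# Built-in Global Administrator role template ID (identical in every tenant).
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"
HELPDESK = "constructed-helpdesk-role-id"  # placeholder, not a real role ID


def _row(role, pid, kind, name):
    """Build one constructed record using Graph-style property names."""
    return {"roleDefinitionId": role, "principalId": pid, "directoryScopeId": "/",
            "principal": {"@odata.type": "#microsoft.graph." + kind,
                          "displayName": name}}


# Constructed sample export; all principals are invented.
SAMPLE = [
    _row(GLOBAL_ADMIN, "u1", "user", "alice"),
    _row(GLOBAL_ADMIN, "u2", "user", "bob"),
    _row(HELPDESK, "u2", "user", "bob"),
    _row(GLOBAL_ADMIN, "g1", "group", "ops-admins"),
    _row(HELPDESK, "u3", "user", "carol"),
    _row(GLOBAL_ADMIN, "u4", "user", "dave"),
    _row(GLOBAL_ADMIN, "u5", "user", "erin"),
]


def audit(assignments, max_global_admins=4):
    """Summarise Global Administrator exposure in a role-assignment export."""
    roles, names, kinds = defaultdict(set), {}, {}
    for a in assignments:
        pid = a["principalId"]
        roles[pid].add(a["roleDefinitionId"])
        names[pid] = a["principal"]["displayName"]
        kinds[pid] = a["principal"]["@odata.type"].rsplit(".", 1)[-1]
    holders = sorted((p for p in roles if GLOBAL_ADMIN in roles[p]), key=names.get)
    return {
        "global_admins": [names[p] for p in holders],
        # max_global_admins is a local policy value (assumption), not from the page.
        "over_limit": len(holders) > max_global_admins,
        # A group holding the role grants it to every member of that group.
        "via_group": [names[p] for p in holders if kinds[p] == "group"],
        # Narrower roles held alongside Global Administrator add no rights.
        "redundant": {names[p]: sorted(roles[p] - {GLOBAL_ADMIN})
                      for p in holders if len(roles[p]) > 1},
        "scoped_only": sorted(names[p] for p in roles if p not in holders),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(f"{key}: {value}")
```

Each name under `global_admins` is a candidate for review against the delegate-by-task list to see whether a narrower built-in role covers the work that principal actually performs.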
When planning role assignments in your organization, you can choose to assign roles directly to users or via a specially designated Azure AD group. If you want to use groups...