As Office 365 and Azure AD evolve, the need for more granular administration roles becomes more and more important.
Two new administration roles have been introduced to reduce the need for more elevated privileges:
- Information Protection Administrator: grants all Azure Information Protection (AIP) administration capabilities without granting global administrator permission. This covers AIP configuration settings, reading and configuring Azure Service Health (as AIP can now send logs to Log Analytics), and creating support requests from both the Azure and Office 365 administration portals.
- Privileged Role Administrator: grants all Privileged Identity administration capabilities, such as updating the Directory Roles in Azure AD.
You can manage membership of these new roles from the Azure AD administration portal (https://aad.portal.azure.com) or the Azure portal (https://portal.azure.com) by opening the Azure AD\Roles and administrators configuration blade.
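
Membership of the two roles above can also be reviewed from PowerShell. The script below is an added example, not part of the original post: it assumes the AzureAD module is installed, that the role display names in the tenant match the names used on this page, and the `$approved` entries are constructed placeholders.

```powershell
# Added example: audit who holds the two roles named on this page.
# Assumption: the AzureAD PowerShell module is installed and you can sign in
# with an account allowed to read directory roles.
Import-Module AzureAD
Connect-AzureAD | Out-Null

# Assumption: display names in the tenant match the names used on the page.
$roleNames = @(
    'Information Protection Administrator',
    'Privileged Role Administrator'
)

# Constructed placeholder allowlist: replace with the accounts you expect.
$approved = @{
    'Information Protection Administrator' = @('aip-admin@example.com')
    'Privileged Role Administrator'        = @('pim-admin@example.com')
}

# Get-AzureADDirectoryRole returns only roles already activated in the tenant.
$activeRoles = Get-AzureADDirectoryRole

$report = foreach ($name in $roleNames) {
    $role = $activeRoles | Where-Object { $_.DisplayName -eq $name }
    if (-not $role) {
        Write-Warning "Role '$name' is not activated in this tenant or has a different display name."
        continue
    }

    foreach ($member in @(Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId)) {
        # Service principals have no UserPrincipalName, so they never match
        # the allowlist and are always reported as unapproved.
        $upn = $member.UserPrincipalName
        [pscustomobject]@{
            Role              = $name
            ObjectType        = $member.ObjectType
            DisplayName       = $member.DisplayName
            UserPrincipalName = $upn
            Approved          = [bool]($upn -and ($approved[$name] -contains $upn))
        }
    }
}

# Unapproved members first, so unexpected assignments stand out.
$report | Sort-Object Approved, Role, DisplayName | Format-Table -AutoSize
```

Running this on a schedule and alerting on rows where `Approved` is `False` gives a simple check for unexpected assignments, which matters most for Privileged Role Administrator because its members can update directory role assignments.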