Shield Admin Access

Description

In this article, we'll delve into the access levels available for the Superuser and Administrator roles within Shield Control and highlight the exclusive control that remains with the end user. Shield's zero-trust model ensures that end users have full authority over who is trusted to reach their Inbox while still giving partners access to provide essential support and guidance.

Admin Access

Login to Shield

Each user signs in with their Microsoft 365 credentials. Once in Shield, those with Admin Access can toggle from end user to their admin access (Control Mode). There are no separate logins for end user and admin in Shield, the access for each is toggled through Control Mode.

 

Toggle Admin Access

When signed into Shield as an end user, enable Control Mode in the upper-right corner. This changes your experience to the Admin Access level you are granted for your Organization(s). To return to End User Access, toggle Control Mode to the off position, and you will be brought to the End User Access screen.

Control_Mode.png

 

Admin Access is set per Shield User via Manage Access (below). There are four Admin Access levels in Shield:

  1. Superuser*: Can perform all actions for this Organization and all Organizations belonging to it.
  2. Administrator: Can perform all admin access actions for an individual Organization for any user access below the Superuser level. Each Administrator requiring admin access must be assigned at each Organization's level. Veto review requests can be disabled or enabled per Administrator, per Organization.
  3. Advisor: Can review vetoes and search mail flow for an individual Organization. Each Organization within the primary organization must be assigned admin access for each admin requiring Advisor access. Veto review requests can be disabled or enabled per Advisor, per Organization.
  4. Reader: Can view Organization information and search mail flow but cannot perform any actions on behalf of users.

*The account that activates the Shield Organization is automatically assigned Superuser access. This Superuser can assign additional Superusers and Administrators, Advisors, and Readers. All other admins besides the activating Superuser must be manually added to an Organization.

IMPORTANT: Any access granted at the Organization level is applied to all domains within the Organization. If a Shield User should have Admin Access to multiple Organizations, Admin Access must be set for each Shield User requiring Admin Access within each Organization. 

 

Admin Access at the Control Level

Screenshot 2024-09-13 at 14.15.50.pngThe following features are accessible to both Superuser and Administrator accounts at the Organization Control level:

  • Find Email with Spotlight
    • Use Spotlight to quickly find emails sent to or from this Organization.
    • Use Search & Rescue to find mail users expected to receive but haven't seen yet.
    • View Recently Sent to see what mail has made its way out of the Organization.
    • View mail Recently held in Jail.
  • Manage Access
    • Superusers can set access for all users.
    • Administrators can set access for anyone below the Superuser level.
    • Both Superusers and Administrators can set Veto access for all users.
  • Adjust Risk Levels
    • Both Superusers and Administrators can set Risk Levels for the Organization and all users.
  • View Groups
    • Both Superusers and Administrators can view the list of Groups configured in Microsoft for the Organization, as well as Sync with Microsoft.
    • Changes to Groups may only be performed in M365 by authorized accounts.
  • View Domains
    • Both Superusers and Administrators can view the list of Domains that are part of the Organization, as well as which domain is considered the Primary domain, and can Sync with Microsoft.
    • Changes to Domains may only be performed in M365 by authorized accounts.
  • View Users
    • Both Superusers and Administrators can view the list of Users in the Organization and Sync with Microsoft.
    • Changes to Name, Primary Email Address, and Alias Addresses may only be performed in M365 by authorized accounts. All Shield-specific Preferences can be changed by both Superusers and Administrators. Within Shield Control, Admin Access allows for changes to Experience Level and Mailbox Mode. Admin Access also allows sending welcome emails.

The following features are also available from the Control page:

  • Veto Messages
    Screenshot 2024-09-13 at 14.13.46.png
    • Both Superusers and Administrators can Veto messages, provided that they have been granted access to do so.
  • View recent activity for the Organization
    Screenshot 2024-09-13 at 14.13.37.png
    • Both Superusers and Administrators can view all Recent Activity logged for the Organization.

 

Admin Permissions at the Shield User Level

As previously mentioned, because of the zero-trust model, partners cannot make all changes for an end user in Shield. The table below highlights which actions a Superuser or Administrator can perform for a Shield User and which actions only the Shield User can take.

 

  Superuser Administrator Shield User
View mail headers
View message body
View message insights, links, files, details, timeline, location
View Lockbox
Lock a message
Unlock a message
View Trusted/Silenced Senders
Trust/Silence Senders
Deliver immediately vs Bundled
Change Bundle delivery times

 

For further assistance with Shield, please contact the Partner Success Team.

Have more questions? Submit a request

Comments