Skip to main content

Atlas M365 Security Groups Created in Azure Entra ID on Deployment

Adam Alston
  • Updated

There are a number of Microsoft 365 Security Groups created in Azure Entra ID when you first deploy Atlas or include additional tooling in an Atlas Upgrade. These Security Groups are created via the deployment script as they have a specific naming conventions and specific GUIDS which must be followed. This means that these groups cannot be created manually as random GUIDs would be assigned to the security group and would not interact with the Atlas code in the correct way. The instructions for deployment and creation of these groups is documented thoroughly in the Deployment Runbook. 

This article will provide an overview of each of the groups deployed with Atlas. We will not cover any of the deployment or group creation processes. If you have questions on this topic please review the Runbooks where thorough instructions and screenshots can be found and reach out to your Atlas representative with any questions you might have. 

m365 Security Groups deployed with Standard Atlas

Connex Permission Groups

These Groups provide permissions to provision our Atlas OOTB workspace Types or access our templating tool ConneX Studio.

Full article on ConneX Permissions here

Group Name ConneX Permissions
Atlas ConneX Enterprise Administrators

Full access to create all workspace template types as well as manage all templates in ConneX Studio. It also provides the ability to manage all existing m365 workspaces in your tenant and view them in ConneX, but does not grant any additional permissions to the existing sites or content.
Atlas ConneX Creators Ability to create any workspace using any template. This is the default group for Atlas Project Team and Atlas stakeholders. It does not grant access to ConneX Studio.

Atlas ConneX All Teams Creators

Ability to create Collaboration workspaces using any template. It does not grant access to ConneX Studio.
Atlas ConneX Communication Workspace Creators Ability to create workspaces using the Communication workspace template. It does not grant access to ConneX Studio.
Atlas ConneX Knowledge Workspace Creators Ability to create workspaces using the Knowledge workspace templates. It does not grant access to ConneX Studio.
Atlas ConneX Legal Workspace Creators Ability to create workspaces using the Legal workspace templates. It does not grant access to ConneX Studio.
Atlas ConneX Workspace Template Managers Ability to access and manage templates from within ConneX Studio. If you are unable to be an Enterprise Administrator, you will need to be part of this group in order to see and access ConneX Studio for workspace templating

 

Atlas Settings

Atlas ConneX Enterprise Administrators

From 6.1 this group is used to manage access to the Atlas Platform Settings, replacing Tenant Properties

 

m365 Security Groups deployed with Atlas AI & Intelligent Knowledge Studio (optional)

These will be set-up on deployment of our Atlas AI/IKS tooling. They remain optional until then. Please note licensing and scope will need to be agreed first and then processed by ClearPeople before these features and functions can work. but you can deploy AI/IKS at anytime by following the AI sections in the Upgrade runbook. 


Full article on Atlas AI & IKS Permissions here

 

AI Assistant

Atlas AI Users

If any user needs to use the Atlas AI Assistant tool (chatbot) in the Atlas main menu they will need to be part of this group. This is where permissions to interact with the AI User Interface is granted.

It does not grant any other permissions to specific data in Knowledge Collections (KC) but will be a pre-requisite for accessing any KC the user has been included in.

If a user cannot see the AI icon in the right of the Atlas main-menu, they'll need to be added to this group.

Atlas AI Administrators (depreciated from 6.0)

 Being superseded by Atlas IKS Administrators. It will be renamed for existing versions of Atlas or no longer deployed in new versions of Atlas.

 

Intelligent Knowledge Studio (IKS - AI data & content management)

The following groups will provide different levels of access and responsibilities within the IKS tool (found within 'My Atlas', as shown below). So any of the Atlas IKS groups will still need to be added to the Atlas AI Users group in order to interact with the chatbot interface. 

Atlas IKS Administrators

(superseding Atlas AI Administrators in 6.0)

 Users in this group will be able to administer the IKS and will have the full administrative capabilities to:
  • Create new Knowledge Collections (KCs)
  • View all KCs and their details regardless of being included in the KC membership
  • Edit any KCs regardless of their membership
  • Delete any KCs regardless of their membership
  • Trigger Incremental/Full Sync for any KCs regardless of their membership

They will not be able to Export feedback on KCs unless added as an Auditor to that specific KC. They will have permissions to add themselves.

Atlas IKS Creators

Users in this group will be able to create new KCs.

It does not provide any more permissions, so IKS Creators will not be able to view, edit or delete a KC, Trigger Incremental/Full Sync or Export feedback unless they have KC membership. They will not have permissions to add themselves.

Atlas IKS Auditors

Users in this group will be able to see all KCs and export feedback from any KC regardless of their membership, as well as export global feedback.

Auditors will not receive any more permissions, so will not be able to view, edit, delete a KC, Trigger Incremental/Full Sync or Export feedback unless they have KC membership. They will not have permissions to add themselves to KCs.

Atlas IKS Users

Permissions for IKS users allows access to the IKS UI to manage KCs where they have also been granted a role. It will only enable users to view the interface for IKS, so is a pre-requisite to be able to view and manage KCs but membership or permissions to the specific KCs is still needed.

So IKS Users in this group will not receive any more permissions, so will not be able to view, edit, delete a KC, Trigger Incremental/Full Sync or Export feedback unless they have KC membership or other permissions.

 

Unless you are an Administrator, all other groups will not provide the ability to manage or use any KCs. Auditors will be able to see all KCs but only to export feedback, as outlined above.


365 Security groups can nest other groups. 365 groups (workspace permissions) cannot use nested permissions, so it is possible, for example, to put the IKS Administrators group into the IKS Auditors group, so all admins have ability to audit to.

Rules and summary breakdown

  • To use and interact with the AI Assistant (chatbot) = Atlas AI Users
  • To see the IKS tool = Atlas IKS Users
    • Membership to KCs still needed. An IKS user with no other permissions will see an empty window until other permissions are granted
  • To create KCs = Atlas IKS Creators
  • To audit KCs by exporting feedback = Atlas IKS Auditors

All of the groups above to not provide any access to KCs unless specifically permissioned.

  • To manage the IKS 'globally' and perform tasks on any KC regardless of membership = Atlas IKS Administrators
    • However this does not grant Auditorship - this permission still needs to be granted to Administrators via the Atlas IKS Auditors Group or be part of a KC's specific Auditor permissions.

Extranet & Miscellaneous Permissions

Atlas Trusted External Users

This group is created upon Atlas deployment and can be utilized in various ways, depending on your governance rules. The primary purpose of this group is to include external guest user accounts that you trust, granting them specific 'guest' permissions and functionalities to enhance their experience, making it more akin to that of internal users. You can then assign this group to specific Atlas functions, templates, content, and more.

However there are some important functions coded to this group. Guests who are added to this group will:

  • See a different ATLAS HOME LOGO link experience (no link or a different link) - article here
  • Not be able to see the Feedback button or My Preferences options in the Atlas main menu.

These group members will not be limited in the same way as the standard Microsoft “All External Users” group.

You are able to make this group Dynamic to configure specific rules if needed.

Details on all Atlas Extranet features can be found here

Please see the Groups and recommendations for bulk permissions management article here.

 

Related to

Was this article helpful?
0 out of 0 found this helpful
Return to top

Related articles

Comments

0 comments

Please sign in to leave a comment.