Overview π₯
Partners may observe an Actionable Alert triggered in Liongard indicating that a user or service account has been assigned the Places Administrator role.
This commonly raises concerns that:
A privileged administrator role was assigned unexpectedly
A security risk or privilege escalation occurred
Liongard incorrectly classified the role
Reference :
In most cases:
β
Liongard behavior is expected
β
The role assignment is valid
β
The alert is informational rather than indicative of compromise
This article explains why the alert occurs and how the Places Administrator role should be interpreted.
What Is the Places Administrator Role? π€
The Places Administrator role is a Microsoft Entra built-in role designed to manage Microsoft Places / workplace location services, including:
Buildings
Rooms
Workspaces
Location metadata
Hybrid workplace configuration
This role supports Microsoftβs modern workplace and scheduling ecosystem.
Why Liongard Generates an Alert π
Liongardβs Microsoft 365 Inspector monitors Microsoft Entra administrative role assignments through Microsoft Graph.
Alerts trigger when:
β
A directory administrative role is assigned
β
A new admin identity appears
β
Role membership changes between inspections
Because Places Administrator is an administrative role, Liongard detects and reports the assignment change. This ensures visibility into all administrative access changes, not only security-critical ones.
Is Places Administrator a Privileged Role? βοΈ
No β Microsoft does NOT classify Places Administrator as a privileged role.
Microsoft defines privileged roles as those capable of:
Modifying credentials
Changing authentication policies
Elevating permissions
Accessing protected directory data
Examples include:
Global Administrator
Privileged Role Administrator
Authentication Administrator
Microsoft documentation defines privileged roles as those containing permissions that can modify authorization or credential controls. The Places Administrator role does not include these permissions.
Why the Alert Still Appears β
Liongard intentionally monitors all administrator role assignments, including service-specific roles. This design prevents situations where:
Newly introduced Microsoft roles go unnoticed
Service integrations silently gain admin permissions
Operational access expands without visibility
Therefore:
π The alert indicates role assignment activity, not necessarily elevated privilege risk.
Common Real-World Scenarios π§βπ»
The role is often assigned automatically when:
Microsoft Places features are enabled
Workspace booking or room management is configured
Third-party workplace integrations are deployed
Testing or pilot features are enabled by Microsoft
Administrators may not explicitly assign the role themselves.
Recommended Validation Steps π¨βπ§
1οΈβ£ Verify Role Assignment
Navigate to: Microsoft Entra Admin Center
β Roles & administrators
β Places Administrator
β Assignments
Confirm:
Assigned user or application
Assignment reason
Expected ownership
2οΈβ£ Review Account Type
Determine whether assignment belongs to:
β Human administrator
β Service principal
β Microsoft-managed application
Service identities are commonly expected.
3οΈβ£ Confirm Least Privilege Alignment
Validate that the assigned identity:
Requires location/workplace management access
Matches organizational governance policy
Security Impact Assessment π‘οΈ
Risk Area | Impact |
Directory privilege escalation | β No |
Credential modification | β No |
MFA policy changes | β No |
Tenant-wide admin control | β No |
Workplace/location management | β Yes |
Result:
Low security risk β operational visibility alert.
Expected Behavior Summary π€©
Capability | Behavior |
Role detected by Liongard | β Expected |
Alert generated | β Expected |
Privileged admin access | β No |
Security incident indication | β No |
Requires investigation | β οΈ Verify only |
Root Cause π
The alert occurs because:
Microsoft introduced the Places Administrator Entra role
Liongard monitors administrative role membership changes
The role is administrative but not privileged
Liongard correctly reports the assignment to maintain full administrative visibility.
Recommended Partner Action πββοΈ
β
Review assignment once
β
Confirm legitimacy
β
Suppress alert if operationally expected
No remediation is required unless the assignment is unauthorized.
Frequently Asked Question π£οΈ
Why is Liongard alerting if the role is not privileged?
Liongard alerts on administrative role changes, not only privileged roles, to ensure partners maintain awareness of tenant access expansion.
Additional Notes π
Liongard aligns Microsoft 365 inspection behavior with Microsoft Entra role definitions exposed through supported Microsoft Graph APIs. Newly introduced Microsoft roles may generate alerts until partners validate operational intent.
Additional Resources π
βΌοΈ Disclaimer
This article references third-party documentation published by Microsoft for informational purposes only. External documentation is owned and maintained by the respective vendor and may change without notice. Liongard does not control or guarantee the accuracy, availability, or future behavior of third-party APIs, features, or documentation referenced herein.