On April 18th, I posted instructions for O365 admins to add team members to their Project “Madeira” Preview tenant.
Marko Perisic (@mpnav, Project “Madeira” GM at Microsoft) came across that post / tweet and was kind enough to share a quicker way to do this, with no help needed from admins:
Simply have your team members navigate to the Project “Madeira” Preview website (www.projectmadeira.com), click on “Try the Preview” and use their work Office 365 credentials, and follow the prompts. Within minutes, they will be added to Project “Madeira” as a user, with the SUPER permission set assigned to them.
I tried it, it works as advertised, but….
It’s quick, yes, but I really hope this is a Preview-Only “feature” that will be gone when Project “Madeira” goes live.
Why? The fact that any user in your organization with an O365 account can not only add themselves to your ERP system but also have unrestricted (SUPER) access to all your sensitive data has to be cause for concern.
The admin can disable access for a user afterwards, or replace the SUPER permission set with more restrictive permission set(s), but that’s still a little unnerving…
If this “feature” were to make the final cut, there would be another area of concern: The cost of Project “Madeira”, being a SaaS offering, will be a function of the number of users per billing period, and unneeded users adding themselves to Project “Madeira” would also impact subscription costs for an organization.
Reminder to Self: Calm down and repeat, “This is a Preview. This is a Preview. This is a Pr….”
It’s entirely possible that this feature was put in place to help people get easy access to the Preview, and not burden administrators.
One way of improving upon this for the final release:
Ideally, when Project “Madeira” is finished and officially released (with its yet-to-be-known formal name), we would have a way to add users that is both quick and secure.
One thought that comes to mind is a hybrid of what we have now:
- Allow an O365 user to get the process started by going to the Project “Madeira” site and entering their credentials. This would create the user in Madeira, but in a Disabled state and/or with no permission sets assigned.
- Have that kick off an Approval Workflow in Project “Madeira” where the administrator is notified, so that the request can be reviewed and a determination can be made as to whether the user should have access to Madeira at all, and if so, to which companies and permission sets.
- Upon Approval or Rejection, notify the O365 user of the outcome.
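To make the three steps above concrete, here is a small model of that flow. It is an added illustration, not Project “Madeira” code or anything from Microsoft; the class and method names and the in-memory outbox standing in for notifications are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum
# Hypothetical model; none of these names are Project "Madeira" APIs.
class State(Enum):
    PENDING = "pending"    # created by self-sign-up, cannot sign in
    APPROVED = "approved"
    REJECTED = "rejected"

@dataclass
class User:
    upn: str
    state: State = State.PENDING
    enabled: bool = False  # Disabled until an administrator approves
    grants: dict = field(default_factory=dict)  # company -> permission sets

class Provisioning:
    def __init__(self, admins):
        self.admins = set(admins)
        self.users = {}
        self.outbox = []  # (recipient, message) pairs standing in for e-mail

    def self_register(self, upn):
        """Step 1: the O365 user starts the process; no access is granted."""
        if upn in self.users:
            return self.users[upn]  # a repeat sign-up never resets or escalates
        user = self.users[upn] = User(upn)
        for admin in sorted(self.admins):
            self.outbox.append((admin, f"access request from {upn}"))
        return user

    def decide(self, admin, upn, approve, grants=None):
        """Steps 2 and 3: an administrator decides, then the user is notified."""
        if admin not in self.admins:
            raise PermissionError(f"{admin} is not an administrator")
        user = self.users[upn]
        if user.state is not State.PENDING:
            raise ValueError(f"request for {upn} was already decided")
        if approve and not grants:
            raise ValueError("approval must name companies and permission sets")
        user.state = State.APPROVED if approve else State.REJECTED
        user.enabled = approve
        if approve:
            user.grants = {c: set(p) for c, p in grants.items()}
        self.outbox.append((upn, f"access request {user.state.value}"))
        return user

    def can_access(self, upn, company, permission_set):
        user = self.users.get(upn)
        return bool(user and user.enabled
                    and permission_set in user.grants.get(company, ()))
```

The property to check in any real implementation is the same one the model enforces: nothing the requesting user does on their own changes `enabled` or `grants`, and SUPER is only ever present if an administrator named it in the approval.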
Update (response from Marko):