Delegating Admin Capabilities for Office 365 – Managing Multi-Tenant Environments
This blog entry is a continuation of our series on improving administration efficiencies in Office 365. This topic covers the management of multi-tenant environments for companies that have grown through mergers and acquisitions over the past several years. For administrators at those types of organizations, I know this blog entry will be eye-opening about the ways they can reduce the time they spend performing admin tasks. This functionality is also very helpful for managed services providers who perform Office 365 admin tasks for multiple organizations using a centralized support group.
Monitoring Multi-Tenant Environments
The free administration tools like the Admin Center portal are designed around a centralized management model for a single tenant. There is no way to merge different tenants from a management perspective so that administrators can monitor, report on, and manage user accounts across multiple tenants. Luckily, the folks at CoreView saw this gap and addressed it in their award-winning management software: CoreView. With CoreView, you can easily view and manage different tenants from a single console without having to log out and log back in under a different account. This way, administrators can use single sign-on to monitor and manage their assigned user community, even though those users might be deployed on different tenants.
Let’s look at an example in which you want to view all licenses across the different tenants that you manage. These types of converged reports are easily configurable within the CoreView toolset (see screenshot below).
You can also toggle between the different tenants to view different usage patterns. The example below shows the Spam & Malware traffic report sorted by date range. From the drop-down menu, an administrator can choose from the available tenants that they manage to identify different traffic patterns. And this can be performed from the same admin account logged into the CoreView portal.
Grouping Multi-Tenant Users and Assigning Regional Administration
To enable regional or departmental administration for a subset of multi-tenant user accounts, you will first need to segment those specific users into a new group. This feature provides simple drop-down menus to first choose which tenants to include and then create user filters based on specific attributes that users have in their account information. In the example below, a new group called “Italy Sales” is created, and the selection filter that determines which users are included is “Country = Italy” and “Department = Sales” (as shown in the two screenshots below).
In effect, all Italian employees in the sales organization, but on different Office 365 tenants, are segmented into a specific virtual-tenant grouping that can be assigned to a regional administrator to monitor and manage. That administrator will ONLY be able to perform account update actions and view activities and reports for that segment of users.
The final step is to create the specific set of permissions, or entitlements, that you want to assign to that regional administrator. To do this within CoreView, you just need to go back to the management menu and choose “Manage Permissions.” From there, you can create a new permission template, assign a remote admin with a controlled set of administration actions, and specify a set of reports they will be able to view. The next time that admin logs into their CoreView portal, they will ONLY be able to view that group of users delegated to them and perform ONLY the actions assigned.
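The scoping logic described in the steps above can be modeled in a few lines. This is an added example, not CoreView's code or API: the class names, action names and sample users are all assumptions made for illustration. It shows the two checks that must both pass before a delegated admin can act: the action is in the permission template, and the target user falls inside the virtual-tenant group.

```python
from dataclasses import dataclass

# Constructed sample directory spanning three tenants (all values hypothetical).
USERS = [
    {"upn": "anna@contoso-it.example", "tenant": "contoso-it", "Country": "Italy", "Department": "Sales"},
    {"upn": "marco@fabrikam.example", "tenant": "fabrikam", "Country": "Italy", "Department": "Sales"},
    {"upn": "luca@fabrikam.example", "tenant": "fabrikam", "Country": "Italy", "Department": "Finance"},
    {"upn": "jane@contoso-it.example", "tenant": "contoso-it", "Country": "France", "Department": "Sales"},
    {"upn": "rita@tailspin.example", "tenant": "tailspin", "Country": "Italy", "Department": "Sales"},
]

@dataclass(frozen=True)
class VirtualTenant:
    """A group defined by the tenants it draws from plus attribute filters."""
    name: str
    tenants: frozenset
    filters: tuple  # (attribute, value) pairs; every pair must match

    def contains(self, user):
        if user.get("tenant") not in self.tenants:
            return False
        # A missing attribute never matches, so incomplete accounts stay out of scope.
        return all(user.get(attr) == value for attr, value in self.filters)

@dataclass(frozen=True)
class PermissionTemplate:
    """The set of admin actions a delegated admin may perform."""
    actions: frozenset

def authorize_action(group, template, action, target):
    """Deny by default: allow only a listed action on a user inside the group."""
    return action in template.actions and group.contains(target)

def visible_users(group, users):
    """UPNs the delegated admin can see; everyone else is filtered out."""
    return [u["upn"] for u in users if group.contains(u)]

# The "Italy Sales" group from the text, limited to two of the three tenants.
ITALY_SALES = VirtualTenant(
    name="Italy Sales",
    tenants=frozenset({"contoso-it", "fabrikam"}),
    filters=(("Country", "Italy"), ("Department", "Sales")),
)
# Hypothetical action names for the regional admin's template.
REGIONAL_ADMIN = PermissionTemplate(actions=frozenset({"reset_password", "assign_license"}))

if __name__ == "__main__":
    print(visible_users(ITALY_SALES, USERS))
```

Because group membership is computed from account attributes, the accuracy of fields such as Country and Department directly determines who falls under a delegated admin's control, so write access to those attributes deserves the same review as the permission template itself.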
There you have it. No native Office 365 administrator rights need to be assigned within the different tenants, so there is no way for a regional administrator to log into the Office 365 portal and make changes directly within a specific tenant or via PowerShell. This ensures that your multi-tenant user community is secure and you can distribute and configure the administration capabilities for your complex, multi-tenant Office 365 environment as you wish.