
Office 365 Security Power Trio – Virtual Tenants, RBAC and Delegated Administration


Microsoft Office 365 is the core SaaS solution for the bulk of today’s enterprises – so proper management, administration and tenant structure are critical. When these three issues are solved properly, the result is a secure, efficient, well-governed O365 environment.

Virtual Tenant

The idea of Virtual Tenants arose in networking as network services and software became virtualized and could be divided into Virtual Tenants.

In the world of cloud and SaaS, multi-tenancy meant that organizations essentially shared a cloud service. In contrast, having a single tenant was a big advantage in terms of security, performance and governance.

“Single-tenant (or hosted) Software as a Service (SaaS) is an architecture where each company has their own instance of the software application and supporting infrastructure. Think of it like a neighborhood community developed by the same architect and engineer where each household has the ability to change and customize their property as desired. By having a single hosted instance the purchaser can tweak and customize the software to meet their needs,” explained ERP powerhouse SAP.

Office 365 and the Single Tenant Problem

In the world of Office 365, most shops have a single tenant. If they acquire companies, they may have multiple tenants. Even then, they usually merge the multiple tenants into a single environment to ease management and promote collaboration and information sharing.

Having a single tenant creates a uniform ‘known’ environment, but comes with a host of issues. First, managing a single tenant that could have hundreds of thousands of users is immensely complex. Creating help and service desks for such a mass of users is likewise difficult, and these desks can become overwhelmed and non-responsive. Managing O365 licenses across a massive distributed environment is inefficient and expensive at best.

Security is the biggest issue. If you have a single tenant with 300,000 users, an O365 admin can access data and settings from all 300,000 users. Every single O365 admin has that ability. If a hacker cracks an O365 admin’s credentials, they have that same power. Scary.

Enter Tenant Virtualization

Instead of a single, monolithic and unwieldy O365 environment, a better idea is to virtualize the tenant the same way we use VMware to turn a single PC server into separate, dedicated servers based on virtual machines. In the case of O365, you should be able to create separate tenants based on geography, business unit, whatever.

Unfortunately, the native O365 Admin Center is designed around a centralized management model for a single tenant. With the admin center provided by Microsoft, there is no easy way to merge different tenants, perhaps due to acquisition, from a management perspective so administrators can monitor, report, and manage user accounts across multiple tenants.

The Pinnacle of O365 Virtual Tenants

Luckily, CoreView includes Virtual Tenant, or tenant virtualization, in our O365 management software. With CoreView, you can combine different tenants and segment your users into new groupings, or Virtual Tenants, for more efficient management. Once you have those segments configured, you can grant a subset of actions to administrators who will ONLY be able to monitor and manage that subset of users. This way, administrators can use single sign-on to monitor and manage their assigned user community, even though they might be deployed on different tenants.

The Benefits of Virtual Tenants

With CoreView, IT can segment a single tenant into Virtual Tenants that might reflect a department, country, region, or even a single location. By breaking into smaller groups, you can restrict what users can see and act on, making it much easier to manage than having to tackle the entire organization in one bite.

“Using a simple, intuitive interface, CoreView lets IT segment the Office 365 tenant in myriad ways — for example, by department, business unit, or location. This is what we call a ‘Virtual Tenant.’ After these groups are set up, IT can dive deeper, using CoreView’s deep RBAC capabilities to define specific permissions for administrators who then can only perform certain tasks — and only against a specific subset of users,” explained Michael Morrison, CEO of CoreView. “In essence, IT can take the entire organization served by Office 365 and break it into logical groups, or sub-tenants, perhaps based on Active Directory attributes. Once the organization is logically divided, regional admins can be assigned to the sub or Virtual Tenants.”


If you care about application, SaaS and network security, understanding four little letters is crucial – RBAC. “Role-based access control (RBAC) is a method of restricting network access based on the roles of individual users within an enterprise. RBAC lets employees have access rights only to the information they need to do their jobs and prevents them from accessing information that doesn’t pertain to them,” explained TechTarget’s SearchSecurity.

RBAC for O365

While RBAC is critical for overall security, it has a special meaning in the Microsoft SaaS ecosystem. For Microsoft Office 365, RBAC is a key route to security, and admin efficiency.

Here is Microsoft’s spin on RBAC. “RBAC enables you to control, at both broad and granular levels, what administrators and end-users can do. RBAC also enables you to more closely align the roles you assign users and administrators to the actual roles they hold within your organization,” Microsoft explained.

Take Microsoft Exchange, for example, where RBAC took a great leap forward in 2013. “In Exchange 2007, the server permissions model applied only to the administrators who managed the Exchange 2007 infrastructure. In Exchange 2013, RBAC now controls both the administrative tasks that can be performed and the extent to which users can now administer their own mailbox and distribution groups,” Microsoft said.

At first blush, Microsoft Office 365 seems to have role-based access control (RBAC) fully covered. After all, Office 365 comes with a wealth of administrator roles, dozens of different ones, such as Exchange or License Administrator. This looks great on the surface, but a deeper dive exposes the flaws.

RBAC Hindered by Global Permissions

Despite the RBAC label applied by Microsoft to O365 permissions, the native admin delegation tool in Office 365 is simply too blunt, lacking the granularity in assigning rights that large shops need. No matter how much you limit O365 permissions, all admins have global rights, which means they can reach out and touch all end users – a security nightmare.

The Office 365 Admin Center is a least-common-denominator style tool, not built to handle the demands of distributed enterprise deployments. Large organizations are, in essence, a group of separate, geographically dispersed entities, each with its own needs, and they are not served well by a one-size-fits-all, centralized, globally-based administrative structure.

The native Office 365 Admin Center’s centralized management model of setting privileges entirely relies on granting “global admin rights” — even to regional, local, or business unit administrators. There is simply no facility for setting up regional and other geographic-based rights. Nor can you easily set up rights based on business unit, country, or for remote or satellite offices. In addition, you cannot easily limit an admin’s rights granularly so they can only perform limited and specific functions, such as changing passwords when requested.

Danger of One-Size-Fits-All Permissions

Any IT pro worth their salt recoils at granting a local or departmental IT administrator global rights. This is simply not the way modern enterprises are structured and no way to properly secure the environment.

Meanwhile, making everyone who needs a decent level of access a full administrator means there are too many people with full access to the Office 365 environment. Do not forget: IT pros are people too, and the more people who have high-level access, the greater the chance these privileges are abused.

RBAC Done Right

A proper approach to Office 365 permissions and privileges is partitioning permissions based on roles through truly fine-grained RBAC, resulting in far fewer, truly trusted global administrators. These global admins are augmented by a set of local, or business unit focused admins with no global access, all leading to far better protection for your Office 365 environment.

The RBAC Payoff

Proper use of RBAC increases IT productivity by empowering more local administrators — saving time and money. In fact, The National Institute of Standards and Technology in its ‘Economic Analysis of Role-Based Access Control’ study found that a 10,000-person company saves some $24,000 in IT labor, and another $300,000 a year from reduced worker downtime through RBAC.

Delegated Administration

There is another term that speaks to the granularity and control of admin rights – delegated administration. This approach has been broadly applied and speaks to the decentralization of IT administrative authority which RBAC provides – albeit in limited fashion.  

“As an organization grows, it can be difficult to keep track of which users have specific admin roles. If an employee has administrator rights they shouldn’t, your organization can be more susceptible to security breaches,” Microsoft advises. In fact, Microsoft advises that M365 shops have only 2-4 Global Admins for just this reason.
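A minimal model of the scoping described above (Virtual Tenants defined by directory attributes, admins limited to specific tasks within them) together with the 2-4 Global Admin guidance, added here as an example. It is not CoreView's or Microsoft's code, and the user records, attribute names, admin names and action names are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed directory sample; attribute names are illustrative.
USERS = {
    "alice@example.com": {"country": "IT", "department": "Sales"},
    "bob@example.com": {"country": "US", "department": "Sales"},
    "carol@example.com": {"country": "IT"},  # department attribute missing
}

@dataclass
class Admin:
    name: str
    actions: set                               # tasks this admin may perform
    scope: dict = field(default_factory=dict)  # attribute filter = the virtual tenant
    is_global: bool = False                    # explicit, never inferred from an empty scope

def in_scope(admin, attrs):
    """True if the user's attributes match every filter in the admin's scope."""
    if admin.is_global:
        return True
    if not admin.scope:  # scoped admin with no filter configured: fail closed
        return False
    return all(attrs.get(k) == v for k, v in admin.scope.items())

def authorize(admin, action, target, users=USERS):
    """Deny by default: the action must be granted AND the target must be in scope."""
    attrs = users.get(target)
    if attrs is None or action not in admin.actions:
        return False
    return in_scope(admin, attrs)

def reachable_users(admin, users=USERS):
    """Blast radius: accounts exposed if this admin's credentials are stolen."""
    return sorted(u for u, a in users.items() if in_scope(admin, a))

def global_admin_count_ok(admins, low=2, high=4):
    """Check the 2-4 Global Admin guidance quoted above."""
    n = sum(1 for a in admins if a.is_global)
    return low <= n <= high

# Hypothetical admins used only for this example.
HELPDESK_IT = Admin("helpdesk-it", {"reset_password"}, {"country": "IT"})
SALES_LIC = Admin("sales-licensing", {"assign_license"}, {"department": "Sales"})
GLOBAL_1 = Admin("global-1", {"reset_password", "assign_license"}, is_global=True)

if __name__ == "__main__":
    for adm in (HELPDESK_IT, SALES_LIC, GLOBAL_1):
        print(adm.name, "can reach", reachable_users(adm))
    print(authorize(HELPDESK_IT, "reset_password", "bob@example.com"))
```

The scoped help desk account reaches two of the three sample users while the global account reaches all of them, which is the difference in exposure if either credential is compromised.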

CoreView was architected and designed from the ground up to give more distributed organizations the flexibility to delegate and distribute administration tasks, assign license pools, and gain total visibility into all aspects of Microsoft 365. This delegated administration is available to in-house IT, as well as partners and solution providers such as Managed Service Providers (MSP).

Delegating Office 365 admin responsibilities to those closer to the end users results in less micromanaging from the central office, and greater Office 365 uptime across the organization.

