Delegating Admin Capabilities for Office 365


Leveraging Regional Administrators

Most organizations running on Office 365 cringe at the thought of providing “Global Admin Rights” to regional administrators so they can support their specific business unit or geographic site. The tools provided by Microsoft are designed around a centralized management model, which doesn’t really translate into the real world of how companies are structured for IT support. Within the Admin Center portal, there is no way to set up regional management rights for administrators who ONLY want to monitor and manage their local business unit or geographical site users. What if an enterprise organization wants to delegate admin tasks by different countries, business units, or office locations? What if they want to enable help desk engineers to perform ONLY simple admin tasks like password changes?

Luckily, the folks at CoreView saw this gap and included it in their award-winning Office 365 management software: CoreView. With CoreView, you can segment your tenant pretty much any way you like—by location, business unit, department, and more. Once you have those user groupings configured, you can use the built-in Role Based Access Control (RBAC) features to grant a specific set of permissions to administrators who will ONLY be able to view and manage their specific subset of users. It’s that easy. Because CoreView was architected to enable flexible Office 365 administration, these capabilities are inherent.

This blog series will showcase some of the many ways in which the CoreView solution provides a flexible toolset for administrators to securely delegate admin capabilities. It will cover the following main topics. The first topic is covered below, and the additional entries will follow in the weeks to come.

  1. Securely Delegating Admin Rights to Regional IT Support
  2. Efficient Management of Multi-Tenant Environments
  3. Empowering Help Desk Support with Specific Capabilities

Segmenting Users and Assigning Regional Administration

The first step to enable regional administration for a subset of users in Office 365 is to segment your tenant into different sub-tenants. This feature uses simple drop-down menus to create filters based on specific AD attributes that users have in their account information. For instance, in the example below, a new group called “Italy Sales” is created, and the selection filter that determines which users are included is “Country = Italy” and “Department = Sales.” In effect, this segments all Italian employees in the sales organization into a specific grouping that can be assigned to a regional administrator to monitor and manage. This administrator will ONLY be able to perform account updates and view activities and reports for that list of users.

Screenshot of the New Group with Selection Filter

Using RBAC to Assign Admin Permissions

The final step is to create the specific set of permissions, or entitlements, that you want to assign to a regional administrator. To do this within CoreView, you just need to go back to the management menu and choose “Manage Permissions.” From there, you can create a new permission template, assign a remote admin a controlled set of administration actions, and specify a set of reports they will be able to view. The available reports and admin actions are chosen from simple selection menus, as shown in the example screenshots below.

Screenshot of the New Permission Template with Admin Actions Selected

Screenshot of the New Permission Template with Specific Reports Selected

Once you have segmented your tenant (e.g., by Country, Business Unit, or Department) and assigned a specific admin, or admins, to be restricted by the scope of that group, you have effectively secured the list of users that the admin can monitor. In addition, once you have assigned a remote administrator to a specific permission record and selected what reports they can view and what actions they can perform (e.g., manage passwords), you have successfully delegated remote admin rights within Office 365. When that regional administrator now logs into the CoreView portal, they will only be able to make changes to the users you’ve granted them access to, and will only be able to perform the admin actions that you’ve specifically assigned. Congratulations, you’ve securely delegated a controlled set of management rights to a regional administrator!
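
The two-part check described above (a group scope built from attribute filters, plus an allowed-action list from a permission template), modeled as an added Python example. It is not CoreView's code or API: the class names, action names and sample users are constructed for illustration, and the fail-closed handling of missing attributes and the case-insensitive matching are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Group:
    name: str
    filters: tuple  # ((attribute, required value), ...), combined with AND

    def contains(self, user):
        # Fail closed: an empty filter set, or a missing/empty attribute, never matches.
        return bool(self.filters) and all(
            str(user.get(attr) or "").strip().casefold() == want.casefold()
            for attr, want in self.filters)

@dataclass(frozen=True)
class Template:
    name: str
    actions: frozenset  # admin actions this template grants

@dataclass(frozen=True)
class Delegation:
    admin: str
    group: Group
    template: Template

def authorize(delegations, admin, action, target):
    """Deny by default; allow only when one delegation covers admin, action and target."""
    return any(d.admin == admin and action in d.template.actions
               and d.group.contains(target) for d in delegations)

def reachable(delegations, admin, users):
    """Users this admin can act on; review this list before handing out the role."""
    return sorted(u["upn"] for u in users
                  if any(d.admin == admin and d.group.contains(u) for d in delegations))

# Constructed sample data (hypothetical accounts, not from a real tenant).
USERS = [
    {"upn": "anna@example.com", "Country": "Italy", "Department": "Sales"},
    {"upn": "bruno@example.com", "Country": "Italy", "Department": "Finance"},
    {"upn": "chloe@example.com", "Country": "France", "Department": "Sales"},
    {"upn": "dario@example.com", "Country": "Italy"},  # Department not populated
]
ADMIN = "regional.admin@example.com"
ITALY_SALES = Group("Italy Sales", (("Country", "Italy"), ("Department", "Sales")))
HELPDESK = Template("Regional help desk", frozenset({"reset_password"}))
DELEGATIONS = [Delegation(ADMIN, ITALY_SALES, HELPDESK)]

if __name__ == "__main__":
    for user in USERS:
        print(user["upn"], authorize(DELEGATIONS, ADMIN, "reset_password", user))
```

Because membership is derived from directory attributes, the scope is only as accurate as those attributes: an account with an unpopulated Department falls outside every department-filtered group, and anyone able to edit Country or Department can move a user into or out of an administrator's scope.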

Screenshot of the Available Admin Actions for a Regional Administrator

There you have it. Since there are no native Office 365 admin rights needed within the tenant for these regional administrators, there is no way for them to log onto the Office 365 portal and make any changes directly within the tenant or via PowerShell. With CoreView, a service account performs all the actions requested through the UI. This helps keep your overall user community secure and you can distribute and delegate the administration for your Office 365 environment how you want.

If you are interested in finding out more about our CoreView solution and how it can cut your administration time in half, please visit our overview page online or sign up for a free demo at