Delegate Admin Capabilities for Office 365

The set of administrative roles provided by Microsoft for an Office 365 deployment are designed around a centralized management model. Within the admin center, there is no way to setup regional management rights for administrators who ONLY want to monitor and manage their local business unit or geographical site users. For large enterprise organizations, or companies that are split into multi-tenant Office 365 environments, there are complex administration requirements to support their deployments. What if they want to delegate admin tasks by different countries, business units, or office locations? What if they want to enable help desk engineers to perform ONLY simple admin tasks on their regional users?

Luckily, the folks at CoreView saw this gap and included it in their award-winning Office 365 management software: CoreView. With CoreView, you can segment your users pretty much any way you like—by location, business unit, department, and more. Once you have those user groups configured, you can grant a specific set of admin permissions to administrators who will ONLY be able to view and manage that specific subset of users. It’s that easy. Because CoreView was architected to enable flexible Office 365 administration, these capabilities are inherent.

This blog series will showcase some of the many ways in which the CoreView solution provides a flexible toolset for administrators to delegate role-based access control (RBAC) for admin capabilities. The free tools from Microsoft only go so far to help administrators get their work done, whereas we go the extra mile.

This blog series will cover the following main topics. The first blog information will be included below, followed by the additional entries in the weeks to come.

  1. Assigning Regional Administrators to Manage Their User Communities
  2. Enabling Management of Multi-Tenant Environments
  3. Empowering Help Desk Engineers with Support Services

Grouping Users and Assigning Regional Administration

The first step to enable regional administration for a subset of users in Office 365 is to segment common users into a group. This feature uses simple drop-down menus to create filters based on specific attributes that users have in their account information. For instance, in the example below, a new group called “Italy Sales” is created and the selection filter to delegate what users will be included has “Country = Italy” and “Department = Sales.” In effect, this segments all Italian employees in the sales organization into a specific grouping that can be assigned to a regional administrator to monitor and manage. This administrator will ONLY be able to perform account updates and view activities and reports for that list of users.
Screenshot of the New Group with Selection Filter
Delegate Office 365

Customized Admin Permissions for Regional Management

The final step is to create the specific set of permissions, or entitlements, that you want to assign to a regional administrator. To do this within CoreView, you just need to go back to the management menu and choose “Manage Permissions.” From there, you can create a new permission template, assign a remote admin with a controlled set of administration actions, and specify a set of reports they will be able to view. The available reports and admin actions are chosen from simple selection menus as shown in the example screenshots below.
Screenshot of the New Permission Template with Admin Actions Selected
Office 365 delegated admin permission
Screenshot of the New Permission Template with Specific Reports Selected
Office 365 admin roles

Once you have assigned a list of users to the membership of a group (i.e. by Country and Department) and assigned a specific admin to be restricted by the scope of that group, you have controlled the list of users that the admin can monitor. In addition, once you have assigned a remote administrator to a specific permission record and selected what reports they can view and actions they can perform (i.e. manage passwords), you have effectively delegated remote admin rights and access control within Office 365. When that regional administrator now logs into the CoreView portal, they will only be able to make changes to the users you’ve granted them access to, and will only be able to perform the admin actions that you’ve specifically assigned. Congratulations, you’ve successfully assigned a controlled set of management rights to a regional administrator!

Screenshot of the Available Admin Actions for a Regional Administrator
Office 365 admin actions

There you have it. Since there are no native Office 365 administrator rights needed within the tenant for these regional admins, there is no way for them to log onto the Office 365 portal and make any changes directly within the tenant or via PowerShell. With CoreView, a service account performs all the actions requested through the UI. So, your overall user community is secure and you can distribute and delegate the administration for your Office 365 environment how you want.

If you are interested in finding out more about our CoreView solution and how it can cut your administration time in half, please visit our overview page online or sign up for a free trial at https://www.coreview.com/free-trial.