Microsoft 365 delegated administration, bolstered by Virtual Tenants (taking a single Office 365 and creating sub-tenants), is key to IT efficiency and mitigating risk by limiting admin privileges. Here's a discussion of the utility of delegated administration, and some key M365 use cases.
The first step to enable regional administration for a subset of users in Microsoft 365 is to segment common users into a group. For instance, a new group called “Italy Sales” can be created and the selection filter to delegate what users will be included has “Country = Italy” and “Department = Sales.” In effect, this segments all Italian employees in the sales organization into a specific grouping that can be assigned to a regional administrator to monitor and manage. This administrator will ONLY be able to perform account updates and view activities and reports for that list of users.
Now that regional administrators are in place, you can create the specific set of permissions, or entitlements, that you want to assign to a regional administrator. Once you have assigned a list of users to the membership of a group (i.e. by Country and Department) and assigned a specific admin to be restricted by the scope of that group, you have controlled the list of users that the admin can monitor.
In addition, once you have assigned a remote administrator to a specific permission record and selected what reports they can view and actions they can perform (i.e. manage passwords), you have effectively delegated remote admin rights and access control within Microsoft 365. When that regional administrator now logs into the CoreView portal, they will only be able to make changes to the users you’ve granted them access to, and will only be able to perform the admin actions that you’ve specifically assigned.
Admin Actions for a Regional Administrator
Since there are no native Microsoft 365 administrator rights needed within the tenant for these regional admins, there is no way for them to log onto the M365 portal and make any changes directly within the tenant or via PowerShell. With CoreView, a service account performs all the actions requested through the UI. So, your overall user community is secure, and you can distribute and delegate the administration for your M365 environment how you want.
Microsoft Teams is an area where Virtual Tenants help because you can delegate the monitoring of Microsoft Teams usage to someone in the Virtual Tenant without giving them access to the global M365 tenant. Additionally, all of our reports can be filtered by any attribute in Active Directory. So, even if you don’t have Virtual Tenants defined, you can still run a Microsoft Teams usage report for everyone in Italy, for example.
RBAC and even Virtual Tenants can allow you to build a set of permissions that you can then delegate to a user who would be assigned to manage a given License Pool. These RBAC permissions also allow you to specify what reports or data the delegate can see, as well as what administrative capabilities you would like to grant.
Once you have delegated access to manage a License Pool, the delegate can then assign or revoke licenses, produce various license reports as well as manage license and chargeback costs – but only for the licenses and quantities that are assigned to that delegate’s business unit. This prevents someone from unintentionally using licenses that belong to another business unit or consuming more licenses than they are allotted.
Hiring sprees and acquisitions make IT jobs miserable as they struggle to create and provision new user accounts. But what if HR, who handles the hiring anyway, could do this work as well? With Delegated Administration and workflows that make provisioning easy, they can.
Gartner estimates that 20-50 percent of all help desk calls are for password resets, while Forrester researchers have calculated the cost of a single password reset to be $70. Delegate this function out, and the time and soft cost savings can add up quickly.
In fact, account lockouts and password problems are among the most common help desk issues. Delegation means central IT is less taxed, and problems are taken care of more quickly.
Delegating M365 admin responsibilities to those closest to the end users results in less micromanaging from the central office, and greater M365 uptime across the organization.