June 8, 2021
Kas Nowicka
Kas has spent the last decade working with Microsoft’s cloud solutions and sharing governance, adoption, and productivity best practices with the MVP community.

Microsoft 365 delegated administration is too often a blunt object, with admins laden with global credentials and – in the best of cases – assigned broad, overly powerful, and insecure roles.

CISA (Cybersecurity and Infrastructure Security Agency), in its Alert AA20-120A, encourages organizations to implement an organizational cloud strategy that protects their infrastructure assets by defending against attacks related to their M365 transition and by better securing O365 services. Among other measures, CISA recommends protecting Global Admins from compromise and applying the principle of “Least Privilege.”

The answer comes in several forms, with several labels.

  1. Role-Based Access Control (RBAC), as the name indicates, focuses on roles – and here Microsoft pre-defines these roles, which reduces flexibility.
  2. Functional Access Control (FAC), pioneered by CoreView, in which rights are based on the things you want the admin to be able to do.
  3. Virtual Tenants, also pioneered by CoreView, isolate various groups and departments from one another, which prevents one admin from impacting the Virtual Tenant of another.

There is another term that speaks to the granularity and control of M365 admin rights – delegated administration. This approach has been broadly applied and speaks to the decentralization of IT administrative authority which RBAC provides – albeit in a limited fashion.

“As an organization grows, it can be difficult to keep track of which users have specific admin roles. If an employee has administrator rights they shouldn’t, your organization can be more susceptible to security breaches,” Microsoft advises. Microsoft advises that M365 tenants have only 2-4 Global Admins for just this reason.
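One practical way to keep track of who holds the most powerful role, as an added example that is not CoreView’s or Microsoft’s own code: the script below lists the active members of the Global Administrator role through the Microsoft Graph PowerShell SDK and warns when the count exceeds the 2-4 guidance quoted above. It assumes the Microsoft.Graph modules are installed and that the signed-in account can read directory roles; the `$maxGlobalAdmins` threshold is a constructed value taken from that guidance.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.DirectoryManagement

# Read-only scopes: enough to list roles and their members, nothing more.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All' | Out-Null

# Upper bound from the Microsoft guidance quoted above (constructed threshold).
$maxGlobalAdmins = 4

# Role templates only become directory roles once activated in a tenant,
# so filter the activated roles by display name.
$role = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
if (-not $role) {
    Write-Warning 'The Global Administrator role is not activated in this tenant.'
    return
}

# Active (not PIM-eligible) members; groups assigned to the role appear as
# group objects, so their own membership must be reviewed separately.
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All

$report = foreach ($m in $members) {
    [PSCustomObject]@{
        DisplayName       = $m.AdditionalProperties['displayName']
        UserPrincipalName = $m.AdditionalProperties['userPrincipalName']
        ObjectType        = $m.AdditionalProperties['@odata.type']
    }
}

$report | Format-Table -AutoSize

$count = @($report).Count
if ($count -gt $maxGlobalAdmins) {
    $msg = '{0} Global Administrators found; guidance is at most {1}. Review each for a least-privilege role.' -f $count, $maxGlobalAdmins
    Write-Warning $msg
}
```

Only active assignments are returned; eligible assignments made through Privileged Identity Management are not listed by this call.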

Microsoft 365 Delegated Admin – Through Microsoft’s Eyes

Microsoft uses the Microsoft 365 delegated admin term, but this is a rather limited concept. It’s aimed largely at cloud service providers needing access to a client’s tenant – especially compared to how the term is used for Azure Active Directory – which refers to RBAC.

“If you’re a Microsoft partner or reseller, and you’ve signed up to be a Microsoft advisor, you can request delegated administration capabilities in your customer’s Microsoft 365 organization,” according to Microsoft. “Delegated administration allows you to manage Microsoft 365 (including EOP settings) as if you were an admin within that organization.”

Limitations of M365 Delegated Admin Permissions

The Microsoft partner community has found these M365 delegated administration functions too constrictive. “Permissions granted by delegated admin are too far-reaching, do not allow for fine-grained access, and even the ability to audit use is unclear or non-existent,” a partner community post argued.

The partner laid out further concerns. “The list of roles and permissions that can be applied through Partner Center is available at https://docs.microsoft.com/en-us/partner-center/permissions-overview. Of these, only ‘Admin Agent’, ‘Helpdesk Agent’, and maybe ‘Sales Agent’ apply to the customer tenants. ‘Admin agent’ is the equivalent of ‘Global Administrator’ within a customer tenant, and ‘Helpdesk Agent’ is effectively a ‘Helpdesk Administrator’ (Password Administrator),” the partner wrote. “As an O365 admin in my organization, I can delegate permissions to others through at least 262,144 different combinations of the 18 customized administrator roles currently available in my tenant. (This increases to 38 roles available and nearly 275 billion combinations when using the roles available in Azure AD.) As a partner with delegated admin to a customer, there are only 2: ‘Everything’, or ‘Helpdesk Agent’.”

This approach is a security risk. “Everything is ‘all or nothing’. We also have well over 100 engineers in our organization (not counting back-office staff, etc.). To assign either ‘Admin agent’ or ‘Helpdesk Agent’ to one of our staff means that they have that same permission across a few hundred customers. There is no way to filter a staff member’s access to only one customer, or ideally a group of customers,” the partner concluded.

Doing Delegated Administration Right – The CoreView Way

If the roles provided by Microsoft are not good enough to match your IT organizational model, you should look at CoreView. We enable you to create custom roles to assign to each operator, granting only the rights they need for their function, without being bound to Microsoft’s pre-defined roles.

Microsoft is positioning delegated administration only for partners or vendors helping to manage the tenant, because it does not have true, granular delegated administration built into Microsoft Office 365.

In contrast, CoreView was architected and designed from the ground up to enable more distributed organizations with the flexibility to delegate and distribute administration tasks, assign license pools, and provide total visibility into all aspects of Microsoft 365. This delegated administration is available to in-house IT.

With CoreView, you can segment your users pretty much any way you like—by location, business unit, department, and more. Once you have those user groups configured, you can grant a specific set of admin permissions to administrators who will ONLY be able to view and manage that specific subset of users. It’s that easy.

Failing to implement a strong “Least Privilege Principle” is not only against CISA recommendations but can also lead to compliance problems with ISO, SOC, GDPR, and other industry security standards, where access should be limited as much as possible. Microsoft’s built-in roles are not the end game here; CoreView extends their limits and improves security.

Protect Your M365 Tenant With Coreview

Sign up for a personalized CoreView demo.
