October 26, 2020
min read
Kas Nowicka
Kas has spent the last decade working with Microsoft’s cloud solutions and sharing governance, adoption, and productivity best practices with the MVP community.

Office 365 delegated administration is too often a blunt object rather than a precise tool, with admins laden with global credentials and – in the best of cases – assigned broad, overly powerful, and insecure roles. 

CISA (Cybersecurity and Infrastructure Security Agency), in its Alert AA20-120A, encourages organizations to implement an organizational cloud strategy that both protects against attacks related to their M365 transition and better secures their O365 services. 

Chief amongst CISA’s various recommendations aimed at reducing cyber-security threats are calls for organizations to protect O365 Global Admin accounts from becoming compromised and to use the principle of “least privilege,” which means that the users should be granted the least possible administrative rights required to do their work.

This can be achieved in several ways:

  1. Role-Based Access Control (RBAC): As the name indicates, RBAC focuses on user roles that are pre-defined by Microsoft and are thus relatively inflexible.
  2. Functional Access Control (FAC): Pioneered by CoreView, it is a system in which user rights are assigned according to actions you want the admin to be able to perform.
  3. Virtual Tenants: Also pioneered by CoreView, subdivide your M365 tenant to precisely define the administrative controls being assigned to admin users of various types. protecting one admin from impacting the Virtual Tenant of another.
  4. Delegated Administration: This approach has been broadly applied and enables organizations to decentralize the IT administrative authority which RBAC provides – albeit in a limited fashion.

“As an organization grows, it can be difficult to keep track of which users have specific admin roles. If an employee has administrator rights they shouldn’t, your organization can be more susceptible to security breaches, "Microsoft advises. Microsoft states that M365 shops have only 2-4 Global Admins.

Microsoft 365 Delegated Admin – Through Microsoft’s Eyes

Microsoft uses the Microsoft 365 delegated admin term, but this is a rather limited concept. It’s aimed largely at cloud service providers needing access to a client’s tenant – especially compared to how the term is used for Azure Active Directory – which refers to RBAC.

“If you’re a Microsoft partner or reseller, and you’ve signed up to be a Microsoft advisor, you can request delegated administration capabilities in your customer’s Microsoft 365 organization,” according to Microsoft. “Delegated administration allows you to manage Microsoft 365 (including EOP settings) as if you were an admin within that organization.”

Limitations of Office 365 Delegated Admin Permissions

The Microsoft partner community has found these M365 delegated administration functions too constrictive. “Permissions granted by delegated admin are too far-reaching, do not allow for fine-grained access, and even the ability to audit use is unclear or non-existent,” a partner community post argued.

The partner then laid out further concerns. “The list of roles and permissions that can be applied through Partner Center is available at https://docs.microsoft.com/en-us/partner-center/permissions-overview. Of these, only ‘Admin Agent’, ‘Helpdesk Agent’, and maybe ‘Sales Agent’ apply to the customer tenants.

‘Admin agent’ is the equivalent of ‘Global Administrator’ within a customer tenant, and ‘Helpdesk Agent’ is effectively a ‘Helpdesk Administrator’ (Password Administrator),” the partner wrote. 

“As an O365 admin in my organization, I can delegate permissions to others through at least 262,144 different combinations of the 18 customized administrator roles currently available in my tenant. (This increases to 38 roles available and nearly 275 billion combinations when using the roles available in Azure AD.)

As a partner with delegated admin to a customer, there are only 2: ‘Everything’, or ‘Helpdesk Agent’.”

This approach is a security risk, as went on to explain. “Everything is ‘all or nothing.’ We also have well over 100 engineers in our organization (not counting back-office staff, etc.).

To assign either “Admin agent” or “Helpdesk Agent” to one of our staff means that they have that same permission across a few hundred customers. There is no way to filter a staff member’s access to only one customer, or ideally a group of customers,” the partner concluded.

Doing Delegated Administration Right – The CoreView Way

If the roles provided by Microsoft are not precise enough to match your IT organizational model, you should look at CoreView. We enable you to create custom roles to assign to each operator – only assigning the rights they need for their function within your organization without being constrained by Microsoft’s pre-defined roles.

Microsoft is positioning delegated administration as being only for partners or vendors helping to manage the tenant itself because they don’t have true, granular delegated administration built into Microsoft Office 365.

In contrast, CoreView was architected and designed from the ground up to enable more distributed organizations with the flexibility to delegate and distribute administration tasks, assign license pools, and provide total visibility into all aspects of Microsoft 365. This delegated administration is available to in-house IT.

With CoreView, you can segment your users pretty much any way you like — by location, business unit, department, and more.

Once you have those user groups configured, you can grant a specific set of admin permissions to administrators who will only be able to view and manage that specific subset of users. It’s that easy.

Failing to implement a strong “Least Privilege Principle” is not only against CISA recommendations but can also lead to compliance problems with ISO, SOC, GDPR, and other industry security standards, where access should be limited as much as possible.

Microsoft is not the end game here — CoreView enhances the precision with which administrative privileges can be defined and assigned, and thus dramatically improves security.

Protect Your M365 Tenant With CoreView

Sign up for a personalized CoreView demo.

Get a personalized demo today

Created by M365 experts, for M365 experts.