Delegating Admin Capabilities for Office 365
This blog entry is a continuation of our series on improving administration efficiencies in Office 365. This topic covers the management of multi-tenant environments for companies that have grown through mergers and acquisitions over the past several years. For administrators at those types of organizations, I know this blog entry will be eye-opening to ways they can reduce their time spent performing admin tasks. This capability is also very helpful for managed services partners who perform the admin tasks for multiple organizations with a centralized support group.
Monitoring Multi-Tenant Environments
The free administration tools for Office 365 deployments are designed around a centralized management model for a single tenant. With the admin center provided by Microsoft, there is no way to merge different tenants from a management perspective so that administrators can monitor, report, and manage user accounts across multiple tenants. Luckily, the folks at CoreView saw this gap and included it in their award-winning management software: CoreView. With CoreView, you can combine different tenants and segment your users into new groupings, or virtual tenants, for more efficient management. Once you have those segments configured, you can grant a subset of actions to administrators who will ONLY be able to monitor and manage that subset of users. This way, administrators can use single sign-on to monitor and manage their assigned user community, even though they might be deployed on different tenants.
Let’s look at an example in which you want to view all licenses across the different tenants that you manage. These types of converged reports are easily configurable within the CoreView toolset (see screenshot below).
Viewing Multi-Tenant Licensing Report
You can also toggle between the different tenants to view different usage patterns. The example below shows the Spam & Malware traffic report sorted by date range. From the drop-down menu, an administrator can choose from the available tenants that they manage to identify different traffic patterns.
Switching Between Tenants to View Spam and Malware Reports
Grouping Multi-Tenant Users and Assigning Regional Administration
To enable regional or departmental administration for a subset of multi-tenant user accounts, you will first need to segment those specific users into a new group. This feature provides simple drop-down menus to choose which tenants to include first and create user filters based on specific attributes that users have in their account information. In the example below, a new group called “Italy Sales” is created, and the selection filter to delegate what users will be included has “Country = Italy” and “Department = Sales” (as shown in the two screenshots below).
In effect, all Italian employees in the sales organization, but on different Office 365 tenants, are segmented into a specific virtual-tenant grouping that can be assigned to a regional administrator to monitor and manage. That administrator will ONLY be able to perform account update actions and view activities and reports for that segment of users.
New Multi-Tenant User Grouping with Tenant Selection Menu
New Multi-Tenant User Grouping with Selection Filter Menu
The final step is to create the specific set of permissions, or entitlements, that you want to assign to that regional administrator. To do this within CoreView, you just need to go back to the management menu and choose “Manage Permissions.” From there, you can create a new permission template, assign a remote admin with a controlled set of administration actions, and specify a set of reports they will be able to view. The next time that admin logs into their CoreView portal, they will be able to view ONLY that group of users delegated to them and perform ONLY the actions assigned.
There you have it. No native Office 365 administrator rights need to be assigned within the different tenants, so there is no way for a regional administrator to log into the Office 365 portal and make changes directly within a specific tenant or via PowerShell. This ensures that your multi-tenant user community is secure and you can distribute and configure the administration capabilities for your complex, multi-tenant Office 365 environment how you want.
If you are interested in finding out more about our CoreView solution and how it can cut your administration time in half, please visit our overview page online or sign up for a free trial at http://www.coreview.com/free-trial.