Delegated administration is a broad term in computing. Here it means using Role-Based Access Control (RBAC) to decentralize the administrative function by delegating admin duties to the people and teams closest to the users. It replaces the centralized IT administrative model that no longer fits today's enterprise landscape.
At the same time, handing those tasks to others without carefully managing permissions creates a security problem of its own. Delegated permissions should combine two complementary ideas: delegating the IT function so someone else can perform it, and limiting the rights that come with it, which is where RBAC comes in. The end goal is Least Privilege Access: assigning the fewest permissions the delegated administrator needs to complete their tasks.
Beyond RBAC, you also want to limit what delegated admins can see. If they shouldn't be managing it, they shouldn't be able to see it.
Organizations running Microsoft 365 in a single tenant that spans multiple departments, remote locations, sister companies or agencies have complex environments to support and manage. Most want to delegate administration so regional or local IT groups can manage their own business units independently, but stop short of handing full Global Administrator rights to regional, local or specialized IT admins.
There are 6 key reasons to use delegated administration for Microsoft 365:
Unfortunately, Microsoft 365 administration is too often a blunt instrument, with admins carrying Global Administrator credentials or holding broad, overly powerful roles. That is why many M365 shops turn to SaaS management platforms such as CoreView.
Delegated administration is vital to M365 security. In Alert AA20-120A (Microsoft Office 365 Security Recommendations), CISA (the Cybersecurity and Infrastructure Security Agency) encourages organizations to adopt an organizational cloud strategy that protects their infrastructure assets and defends against attacks related to their M365 transition.
In particular, CISA recommends: "Protect Global Admins from compromise and use the principle of 'Least Privilege.'"
The least-privilege answer comes in several forms, under several labels. Role-Based Access Control (RBAC), as the name indicates, focuses on roles; in Microsoft 365 most of these roles are predefined by Microsoft, which limits IT flexibility. Nevertheless, RBAC is a form of, and the foundation for, delegated administration.
There is another term that speaks to the granularity and control of M365 admin rights: the delegated administration this guide focuses on. It describes the decentralization of IT administrative authority that RBAC provides, albeit in a limited fashion.
"As an organization grows, it can be difficult to keep track of which users have specific admin roles. If an employee has administrator rights they shouldn't, your organization can be more susceptible to security breaches," Microsoft cautions. Microsoft advises M365 shops to keep only two to four Global Administrators for just this reason.
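Whether a tenant is inside that range is a quick check. The script below is an added example, not code from this page or from CoreView; it uses the Microsoft Graph PowerShell SDK and assumes an account that can consent to the two read scopes. It lists only permanent (active) role assignments; eligible assignments managed through Privileged Identity Management are not returned by these cmdlets and must be reviewed separately.

```powershell
# Added example (not from the page or CoreView): audit who holds the most powerful
# Microsoft Entra roles and flag a Global Administrator count outside Microsoft's
# recommended two to four.
# Assumes the Microsoft.Graph module is installed and the caller can consent to
# RoleManagement.Read.Directory and Directory.Read.All.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All' -NoWelcome

$rolesToAudit = @(
    'Global Administrator',
    'Privileged Role Administrator',
    'Exchange Administrator',
    'Teams Administrator',
    'User Administrator'
)

$report = foreach ($name in $rolesToAudit) {
    # Get-MgDirectoryRole only returns roles that have been activated in the tenant;
    # a role that is missing here simply has no members yet.
    $role = Get-MgDirectoryRole -Filter "displayName eq '$name'"
    if (-not $role) { continue }

    foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        $props = $m.AdditionalProperties
        [pscustomobject]@{
            Role   = $name
            # Service principals and groups have no UPN, so fall back to displayName.
            Member = if ($props['userPrincipalName']) { $props['userPrincipalName'] } else { $props['displayName'] }
            Type   = ($props['@odata.type'] -replace '^#microsoft\.graph\.', '')
        }
    }
}

$report | Sort-Object Role, Member | Format-Table -AutoSize

# Active Global Administrator count; groups and service principals count too,
# because each one is a path to the whole tenant.
$gaCount = @($report | Where-Object Role -eq 'Global Administrator').Count
if ($gaCount -lt 2 -or $gaCount -gt 4) {
    Write-Warning "Global Administrator count is $gaCount; Microsoft recommends two to four."
}
```

Run it as a scheduled review rather than a one-off: Global Administrator membership drifts upward as projects add "temporary" admins that never get removed.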
The native M365 delegated administration functions (Delegated Admin Privileges, or DAP) are aimed at Cloud Solution Providers (CSPs) and other partners who need access to client tenants. The Microsoft partner community has found them too coarse. "Permissions granted by delegated admin are too far-reaching, do not allow for fine-grained access, and even the ability to audit use is unclear or non-existent," a partner community post argued.
Microsoft 365 delegated administration has a range of limitations. For instance, you can only delegate Microsoft's built-in roles, such as Password Administrator, Exchange Administrator or (formerly) Skype for Business Administrator. Those built-in roles cannot be reshaped to your needs; Microsoft Entra custom roles exist, but cover only a limited set of directory permissions.
Microsoft positions this form of delegated administration for partners and vendors that help manage a tenant. It has since replaced DAP with Granular Delegated Admin Privileges (GDAP), which are role-based and time-bound but are still built from the same fixed set of Entra roles. For in-house delegation, Microsoft 365 does not offer one granular, workload-spanning model; what exists is split across Microsoft Entra administrative units, Exchange Online management roles and per-workload policies.
The set of administrative roles Microsoft provides for a Microsoft 365 deployment is designed around a centralized management model: a role assignment made in the M365 Admin Center applies to the whole tenant. Scoping an administrator to a subset of users requires Microsoft Entra administrative units, which cover user-management roles such as Helpdesk or User Administrator but do not reach every workload setting, and do not narrow which actions within a role the admin may perform. Large enterprises, or companies whose single tenant is split across many units, have complex administration requirements to support. What if they want to delegate admin tasks to different countries, business units, or office locations? What if they want help desk engineers to perform ONLY simple admin tasks on their regional users?
Assume 30% of the M365 tasks currently handled by central IT can be delegated to other operators, even power users in local departments: help desk requests, password resets, Microsoft Teams configuration, or provisioning new employees. For a 10,000-seat organization with five central IT admins (roughly 9,600 working hours a year between them), that shift frees about 2,880 hours a year. At roughly $94 per fully loaded hour that is about $270,000 a year in pure savings, or 240 hours a month that central IT can spend on other work.
Before granting administrative access, IT should know precisely what is being given. That access should be granular and based on the actions the person will take and the function they need to perform, not just a role. You do not want to grant Exchange Administrator rights, which can change mail routing, when all the person needs to do is create a mailbox. Nor do you want to give them Teams Administrator rights, which can delete Microsoft Teams channels, when the person only needs to create them.
Limiting admins by function is what delivers true Least Privilege Access. Roles alone are a Band-Aid on the least-privilege problem; functional access control is the fix.
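The Exchange case in the text can be handled natively with Exchange Online's own RBAC, which works at the cmdlet and parameter level rather than the whole-role level. The script below is an added example, not code from this page or from CoreView; it assumes the ExchangeOnlineManagement module, an account holding the Role Management role, and placeholder names for the role, scope and delegate.

```powershell
# Added example (not from the page or CoreView): give a help desk delegate a handful
# of Exchange recipient cmdlets, with Set-Mailbox limited to a few safe parameters,
# scoped to Italian Sales recipients. No Exchange Administrator role is granted, so
# transport rules, connectors and other mail-routing settings stay out of reach.
# Assumes the ExchangeOnlineManagement module and an account with the Role Management
# role. $roleName, $scopeName and $delegate are placeholders, not values from the page.
Connect-ExchangeOnline -ShowBanner:$false

$roleName  = 'Italy Sales Mailbox Ops'
$scopeName = 'Italy Sales Recipients'
$delegate  = 'helpdesk.it@contoso.example'

# 1. Derive a custom role from the built-in "Mail Recipients" role and strip it down
#    to the cmdlets the help desk actually needs. A child role can only ever hold a
#    subset of its parent's entries, so it cannot be used to escalate.
New-ManagementRole -Name $roleName -Parent 'Mail Recipients' | Out-Null
$keep = 'Get-Mailbox', 'Get-Recipient', 'Set-Mailbox', 'Set-User'
Get-ManagementRoleEntry "$roleName\*" |
    Where-Object { $_.Name -notin $keep } |
    Remove-ManagementRoleEntry -Confirm:$false

# 2. Tighten Set-Mailbox to an explicit parameter allow-list: remove the entry and
#    re-add it with only the parameters the delegate may use.
Remove-ManagementRoleEntry "$roleName\Set-Mailbox" -Confirm:$false
Add-ManagementRoleEntry "$roleName\Set-Mailbox" -Parameters Identity, DisplayName, Office

# 3. Recipient write scope: changes are only allowed on objects matching the filter.
#    CountryOrRegion and Department must be populated on the recipients for this to work.
New-ManagementScope -Name $scopeName `
    -RecipientRestrictionFilter "(CountryOrRegion -eq 'Italy') -and (Department -eq 'Sales')" | Out-Null

# 4. Bind role and scope to the person.
New-ManagementRoleAssignment -Role $roleName -User $delegate -CustomRecipientWriteScope $scopeName

# 5. Verify what the delegate ended up with: exactly one custom role, one write scope.
Get-ManagementRoleAssignment -RoleAssignee $delegate |
    Format-Table Role, CustomRecipientWriteScope -AutoSize
```

Two practical notes: RBAC changes in Exchange Online can take some time to propagate to the delegate's session, and the write scope limits what the delegate can change, not what they can read, so pair it with a read scope if visibility also needs to be restricted.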
The first step in enabling regional administration for a subset of users in Microsoft 365 is to segment those users into a group, which CoreView calls a Virtual Tenant. For instance, a Virtual Tenant named "Italy Sales" can be created with a selection filter of "Country = Italy" and "Department = Sales." This segments every Italian employee in the sales organization into a grouping that can be assigned to a regional administrator to monitor and manage. That administrator will ONLY be able to perform account updates and view activities and reports for that list of users.
With the regional administrators in place, you can create the specific set of permissions, or entitlements, to assign to each of them. Once you have defined a Virtual Tenant's membership (by Country and Department, say) and restricted a specific admin to the scope of that Virtual Tenant, you have controlled which users that admin can monitor.
Once you have also attached the regional administrator to a permission record that selects which reports they can view and which actions they can perform (managing passwords, say), you have delegated regional admin rights and access control within Microsoft 365. When that regional administrator logs into the CoreView portal, they can only change the users you have granted them and only perform the admin actions you have specifically assigned.
Because these regional admins need no native Microsoft 365 administrator rights in the tenant, they cannot log on to the M365 portal or use PowerShell to make changes directly. With CoreView, a service account performs every action requested through the UI. The practical consequence is that the service account now concentrates that privilege: it must be protected as strictly as a Global Administrator (strong credential handling, Conditional Access, monitoring), and because the Microsoft 365 unified audit log will attribute its actions to the service account, CoreView's own audit trail becomes the record of which delegate did what and must be retained accordingly. With that in place, your user community is protected and you can distribute and delegate administration of your M365 environment as you see fit.
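For comparison, the closest native equivalent of the "Italy Sales" Virtual Tenant is a Microsoft Entra administrative unit with a dynamic membership rule, plus a role assignment scoped to that unit. The script below is an added example, not CoreView's code or the page's own; it uses the Microsoft Graph PowerShell SDK, assumes a Microsoft Entra ID P1 licence (required for dynamic membership; without it, create a static unit and add members explicitly), and uses a placeholder account for the regional admin. It also shows the limit of the native approach: the scope restricts which users the role applies to, but the admin still receives every action in that role, still signs in to the Microsoft portals directly, and gets no reach into Exchange or Teams workload settings, which need their own scoping.

```powershell
# Added example (not CoreView's code): native Entra equivalent of a scoped
# "Italy Sales" regional help desk, built from a dynamic administrative unit and
# an AU-scoped Helpdesk Administrator assignment.
# Assumes the Microsoft.Graph module, Entra ID P1 for dynamic membership, and that
# $regionalAdminUpn is a placeholder for the delegate's account.
Connect-MgGraph -Scopes 'AdministrativeUnit.ReadWrite.All', 'RoleManagement.ReadWrite.Directory' -NoWelcome

$regionalAdminUpn = 'helpdesk.it@contoso.example'   # placeholder, not from the page

# 1. Dynamic administrative unit. Membership is recomputed from user attributes, so
#    joiners and leavers in Italian Sales are picked up without manual upkeep.
$au = New-MgDirectoryAdministrativeUnit -BodyParameter @{
    displayName                   = 'Italy Sales'
    description                   = 'Scope for the Italy Sales regional help desk'
    membershipType                = 'Dynamic'
    membershipRule                = '(user.country -eq "Italy") and (user.department -eq "Sales")'
    membershipRuleProcessingState = 'On'
}

# 2. Pick the least-privilege built-in role that covers the job. Helpdesk
#    Administrator can reset passwords for non-admin users but cannot change mail
#    routing, Teams policies or licensing. Looking it up by name avoids hard-coding
#    a role template ID.
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Helpdesk Administrator'"
$admin   = Get-MgUser -UserId $regionalAdminUpn

# 3. Scoped assignment. directoryScopeId limits the role to members of the unit;
#    the tenant-wide equivalent would be '/'.
New-MgRoleManagementDirectoryRoleAssignment -BodyParameter @{
    roleDefinitionId = $roleDef.Id
    principalId      = $admin.Id
    directoryScopeId = "/administrativeUnits/$($au.Id)"
} | Out-Null

# 4. Verify: the delegate should hold only the AU-scoped assignment and nothing
#    with a DirectoryScopeId of '/'.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($admin.Id)'" |
    Select-Object RoleDefinitionId, DirectoryScopeId
```

One caveat a practitioner should check after running this: any user in the unit who also holds an admin role is outside what a Helpdesk Administrator may reset, so a regional delegate who "cannot reset a password" is usually hitting that protection rather than a scoping mistake.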
Microsoft Teams is one area where Virtual Tenants help, because you can delegate monitoring of Microsoft Teams usage to someone inside the Virtual Tenant without giving them access to the global M365 tenant. In addition, all CoreView reports can be filtered by any directory attribute, so even without Virtual Tenants defined you can still run a Microsoft Teams usage report for everyone in Italy, for example.
RBAC, and Virtual Tenants on top of it, let you build a set of permissions and delegate it to a user assigned to manage a given license pool. Those permissions also specify which reports or data the delegate can see and which administrative capabilities they receive.
Once access to a license pool has been delegated, the delegate can assign or revoke licenses, produce license reports, and manage license and chargeback costs, but only for the licenses and quantities allotted to their business unit. This prevents anyone from unintentionally consuming licenses that belong to another business unit or exceeding their allotment.
Hiring sprees and acquisitions make IT staff miserable as they struggle to create and provision new user accounts. But what if HR, which handles the hiring anyway, could do this work too? With delegated administration and workflows that constrain what a provisioning request may set, they can.
Gartner estimates that 20 to 50 percent of all help desk calls are for password resets, while Forrester researchers have put the cost of a single password reset at $70. Delegate this function and the time and soft-cost savings add up quickly.
Account lockouts and password problems are among the most common help desk issues. Delegation means central IT is less taxed, and problems are resolved more quickly.
Delegating M365 admin responsibilities to those closest to the end users means less micromanaging from the central office and faster resolution of issues across the organization.
CoreView was designed from the ground up to give distributed organizations the flexibility to delegate and distribute administration tasks, assign license pools, and provide visibility into all aspects of Microsoft 365. This delegated administration is available to in-house IT as well as to partners and solution providers such as Managed Service Providers (MSPs).
With CoreView, you can segment users almost any way you like: by location, business unit, department, and more. Once those user groups are configured, you grant a specific set of admin permissions to administrators who will ONLY be able to view and manage that subset of users.
Failing to implement a strong least-privilege principle is not only contrary to CISA's recommendation but can lead to compliance problems under ISO 27001, SOC 2, the GDPR and other security standards, all of which expect access to be limited as far as practical. The native tooling is not the end of the story: CoreView overcomes the limits of Microsoft's delegated administration and improves security.
By delegating tasks formerly done by M365 Global Administrators, your IT staff saves many staff hours that can be taken as pure savings or devoted to more strategic tasks and projects.