How To Delegate Office 365 Administration Within A Global Tenant
A well-administered Office 365 environment is going to make an organization much more productive than a poorly managed one.
That means users need to be able to manage access to their sites according to their governance policies and share documents with the least amount of friction possible.
To accomplish that, Office 365 admins are necessary to help manage their organization’s:
- Audit settings
- Content types and records policies
- Information sharing boundaries
- And much more!
However, the way Office 365 is architected can make it challenging for large or diverse organizations to create the right team of admins with the right mix of permissions for effectively managing digital workspaces (Groups, Teams, SharePoint sites, etc).
Essentially, organizations must choose between giving their users levels of access that hinder admins’ abilities to manage them OR getting admins involved in these processes, which means those admins now have access to ALL scopes in Office 365.
Global Administration Explained
Microsoft’s advice and preference is for its customers to have a SINGLE, CENTRAL tenant. This pertains even to customers that may have distinct divisions or geographies, or that managed multiple SharePoint farms in the past (and is why Microsoft has added strong multi-geo capabilities).
This helps collaboration and prevents data silos. However, by softening the traditional barriers that existed from maintaining separate SharePoint servers on-premises, administration has now become an all or nothing proposition. There are no smaller containers within the tenant that can have their own administrators; you either have an Office 365 global admin or you don’t.
An IT manager who may have been charged with just administering SharePoint 2016 for the North American marketing department of Contoso is suddenly given access to the company’s entire SharePoint Online environment, including its Japanese, German and other divisions; there’s no role below SharePoint administrator built into Office 365.
Faced with this issue, organizations leveraging Office 365 typically have two options: 1) Reduce the number of global admins, or 2) Accept the potential risk that comes with giving admins too much power.
Both options have their faults: lowering your admin count means fewer people to manage your data while competent people sit on the sidelines, and excessive, unmanaged risk is also unacceptable. For organizations that handle sensitive information or are subject to ITAR or similarly stringent regulations, the second path may not even be an option.
So how do you manage your Office 365 administrator permissions so the right people have the right access and permissions to fulfill their job duties and more? Let me suggest three tips.
Tip 1: Regularly View and Audit Your Office 365 Admin Roles
There are several types of admin roles within Office 365, and it’s important to know what they are and how to view them.
To see the available roles in your Office 365 admin center, go to Roles > Roles, and then select any role to open its detail pane. Select the Permissions tab to view the detailed list of what admins assigned to that role have permission to do.
You can also see a larger list here. But some of the most important to know are:
| Role | What the role can do |
|---|---|
| Global Administrator | The global admin has unlimited access to organizational settings and data. Only a global administrator can change another global administrator’s password. |
| Billing Administrator | The billing administrator manages purchases, subscriptions, and support tickets. They can also monitor service health. |
| Service Administrator | The service administrator is responsible for managing service requests with Microsoft relating to service issues. They also monitor the service dashboard and message center and can see important information in the Microsoft 365 admin center, such as the health of the service and change and release notifications. As a service administrator, they have view-only permissions on user configuration settings. |
| Password (Helpdesk) Administrator | The password administrator manages the resetting of user passwords. They can manage service requests and monitor service health. |
| User Management Administrator | The user management administrator can reset passwords, monitor service health, add/delete user accounts, and manage service requests. They cannot delete or create new administrators. |
| Compliance Administrator | Users with this role have permissions to manage compliance-related features in the Microsoft 365 compliance center, Microsoft 365 admin center, Azure, and Office 365 Security & Compliance Center. Users can also manage all features within the Exchange admin center and Teams & Skype for Business admin center and create support tickets for Azure and Microsoft 365. |
| App administrators (SharePoint, Exchange, PowerBI, Skype, Dynamics 365, Teams) | Admins for these different Office 365 applications have reporting, settings configuration, content management, and permission management capabilities. |
| Search Administrator | Users in this role have full access to all Microsoft Search management features in the Microsoft 365 admin center. Search Administrators can delegate the Search Administrators and Search Editor roles to users, and create and manage content like bookmarks, Q&As, and locations. Additionally, these users can view the message center, monitor service health, and create service requests. |
| Service Support Administrator | Users with this role can open support requests with Microsoft for Azure and Office 365 services and view the service dashboard and message center in the Azure portal and Microsoft 365 admin center. |
Admins can view who is in what role in the Office 365 admin center by navigating to Active Users under the USERS tab in the left sidebar. You can select a pre-built view to find your global administrators.
Users of AvePoint’s Cloud Management solution can also easily centrally manage Office 365 permissions and configuration tasks in bulk from a single pane of glass. An approval process can be layered on with the solution as well. Policy enforcer can also automatically revert changes made by admins and users that are out of policy.
Tip 2: Assign Admins The Least Permissive Role
All major risk frameworks and security standards have the principle of least permission. Essentially, you want to give someone the least amount of access and permission they need to get the job done.
So while it may be tempting to have a stable of global administrators to help with the workload, it’s a security threat and will cause issues if the organization undergoes audits for its security certifications or data regulations.
Microsoft advises having between two and four global administrators to prevent account lockout and keep data secure.
Once you have these policies in place, you may want to consider enforcing them in real-time by leveraging solutions that can help revert any unauthorized security setting or configuration changes made by users and admins alike.
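The periodic review described in Tips 1 and 2 can be scripted against an export of role assignments. The following is an added example, not AvePoint's or Microsoft's code; the two-column CSV layout, the sample accounts and the function names are assumptions constructed for illustration.

```python
import csv
import io

GLOBAL_ADMIN = "Global Administrator"
GA_MIN, GA_MAX = 2, 4  # the two-to-four range the article cites

# Constructed sample exports (assumed columns: UserPrincipalName, Role).
PREVIOUS = """UserPrincipalName,Role
alice@contoso.example,Global Administrator
bob@contoso.example,Global Administrator
carol@contoso.example,SharePoint Administrator
dave@contoso.example,Password Administrator
"""
CURRENT = """UserPrincipalName,Role
alice@contoso.example,Global Administrator
bob@contoso.example,Global Administrator
carol@contoso.example,SharePoint Administrator
carol@contoso.example,Global Administrator
dave@contoso.example,Password Administrator
erin@contoso.example,Global Administrator
frank@contoso.example,Global Administrator
"""


def load_assignments(text):
    """Parse an export into a set of (user, role) pairs, normalising case and whitespace."""
    rows = csv.DictReader(io.StringIO(text))
    return {(r["UserPrincipalName"].strip().lower(), r["Role"].strip()) for r in rows}


def audit(previous_text, current_text):
    """Compare two snapshots and report findings for an admin-role review."""
    previous, current = load_assignments(previous_text), load_assignments(current_text)
    global_admins = sorted(u for u, role in current if role == GLOBAL_ADMIN)
    return {
        "global_admins": global_admins,
        "global_admin_count_ok": GA_MIN <= len(global_admins) <= GA_MAX,
        # Assignments that appeared since the last review should have an approval on file.
        "added": sorted(current - previous),
        "removed": sorted(previous - current),
        # Global admin is already unlimited, so extra roles on that account are worth reviewing.
        "redundant_roles": sorted((u, r) for u, r in current
                                  if r != GLOBAL_ADMIN and u in global_admins),
    }


if __name__ == "__main__":
    for key, value in audit(PREVIOUS, CURRENT).items():
        print(f"{key}: {value}")
```

On the constructed data the review flags five global administrators (outside the two-to-four range), three newly granted Global Administrator assignments, and one account that kept its SharePoint Administrator role after being promoted.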
Tip 3: Create Custom Admin Roles For Specific Workspaces in SharePoint, Office 365 Groups, and Microsoft Teams
Imagine being able to take your central Office 365 tenant and carve it up into separate, more manageable containers that can be administered at the division level without giving up access to the entire tenant.
While this functionality does not yet exist natively in Office 365, you can delegate Office 365 administration within your tenant with AvePoint Cloud Management. It provides the structure and security of isolated tenants but still allows you to leverage Office 365’s collaboration capabilities to the fullest.
Aside from the Cloud Management solution, learn more about Office 365 governance and permission management with AvePoint’s Cloud Governance.
This can be extremely helpful for government agencies or large organizations that can now allow IT users closer to the business or mission to help with permissions management, content management, and reporting for their division.
So for example, while the state government of California may be under a single Office 365 tenant, they could then create Office 365 admins in the Department of Transportation who just have access to those workspaces and data.
Want to learn more about why this works and how to get the most out of it? Are you interested in learning how to manage Office 365 users more effectively? Register for our upcoming webinar “Tailoring Microsoft Teams & Delegating Administration in Office 365” on August 7th for an hour-long deep dive.
Nice article John
It gave me a clear and quick guide on admin permissions.
Question. How would you suggest a multinational organisation go about change control measures across boundaries in the Office 365 suite?
For instance, there might be a change made in the O365 suite in a European country that could likely affect the USA under the same global tenancy. I would not assume this task to be done via a Global Admin role. These changes could then be deployed across the regions and cause havoc. The thing I’m interested in mostly or am trying to get answered here is what type of changes would be classified as GLOBAL changes across the tenancy? From what I have gathered speaking to our internal Techies is that it’s not always as straightforward to tell and this is where experienced analysts win hands down.
I come from a Service Delivery background hence my questions. We are trying to work out how to adopt a global governance policy and it’s proving to be difficult! 🙂
Appreciate any insights if you have any to share.