How to Optimize and Delegate Administrator Access in Microsoft Teams

Post Date: 08/10/2020
feature image

This post is an excerpt from our latest ebook “Using and Tailoring Microsoft Teams for Your Organization.” Download for free today!

Read the other posts in our series below:

Microsoft’s original design for Microsoft 365 of one tenant per organization hit roadblocks fairly quickly, because multi-national and global organizations were unable to embrace this design due to widely different compliance mandates across the world for which a single tenant was unable to deliver.

Recent years have seen Microsoft introducing the new Multi-Geo option to divide a single global tenant into multiple logical components, and also other innovations to enable a tenant to be divided into smaller groups for eDiscovery (e.g. ComplianceBoundaries) and to meet ethical wall requirements (e.g. Information Barriers for Microsoft Teams).

microsoft teams

What hasn’t changed, however, is the inability to divide administrator controls below the level of a workload—such as SharePoint Online or Exchange Online—in order to provide delegated administration within the tenant.

For example in the past, an IT manager that may have been charged with just administrating SharePoint 2016 for the North American marketing department of Contoso is suddenly given access to the company’s entire SharePoint Online environment including its Japanese, German and other divisions; there’s no role below SharePoint administrator built into Microsoft 365.

Faced with this issue, organizations leveraging Microsoft 365 typically have two options:

  1. Reduce the number of global admins, or
  2. Accept the potential risk that comes with giving admins too much power

Both options have their faults; lowering your admin count means fewer people to manage your data while having competent people on the sidelines, and excessive, unmanaged risk is also unacceptable.

For organizations that deal with sensitive information or deal with ITAR or similar stringent regulations, the second path may not even be an option.

AvePoint’s delegated administration capabilities in Cloud Management for Microsoft 365 provides the answer, and as with users, makes it easy for administrators to do the right thing.

Imagine being able to take your central Microsoft 365 tenant and carve it up into separate, more manageable containers that can be administered at the division level without giving up access to the entire tenant. It provides the structure and security of isolated tenants but still allows you to leverage Microsoft 365’s collaboration capabilities to the fullest.

Have questions about delegating administrator access in Microsoft Teams? Check out this post: Click To Tweet

This can be extremely helpful for government agencies or large organizations who can now allow IT users closer to the business or mission to help with permissions management, content management, and reporting for their division.

So for example, while the state government of California may be under a single Microsoft 365 tenant, they could then create Microsoft 365 admins in the Department of Transportation who just have access to those workspaces and data.

Objects such as mailboxes, OneDrive repositories, Microsoft 365 Groups and more can be divided into separate logical groupings, based on properties or combinations of properties. For example, all objects with the departmental property of “sales” and the geography property of “United States” can be automatically allocated to a “US Sales” container, to which an IT administrator can be assigned.

He or she can carry out the administrative tasks for all objects in the container, but not for any objects outside of the container.

microsoft teams

Alternatively, all Exchange mailboxes with a custom property of “executive” can be assigned to an “Executives” container, and only the assigned administrator is able to provide administrative support to the executives of the organization.

This prevents just any administrator with the Exchange Administrator role in Microsoft 365—which gives access to all mailboxes by design from accessing the mailboxes of executives which will contain sensitive, confidential, and secret business information.

For more on information management in Microsoft Teams read the full ebook here.

Keep up with our Microsoft Teams resources by subscribing to our blog!

As the former Content Marketing Specialist for AvePoint, Brent led the strategy and direction of all AvePoint's blog properties.

View all posts by Brent Middleton

Subscribe to our blog