Today’s IT administrators have a number of responsibilities, particularly when it comes to the upkeep and management of Active Directory. As a result, many enterprises and organizations have turned to Delegated Administration (a concept we’ll explain in more detail below) in an effort to boost efficiency and take some pressure off of administrative teams. That said, too much administrative delegation — particularly with a data-rich tool like Active Directory — can decrease security and increase risk, making your organization more susceptible to cyber-attacks. If you’re looking for ways to reduce administrative delegation in Active Directory and thus mitigate this risk (while simultaneously reducing your admin team’s workload), you’ve come to the right place.
Before diving into our top tips and tricks, though, let’s start with some basic definitions.
What Is Active Directory?
For the uninitiated, Active Directory, or AD, is a Microsoft directory service designed for Windows networks and included with most Windows operating systems. In essence, Active Directory helps administrators find the information they need by organizing details about user accounts, devices, etc. We like to think of it as the IT equivalent of a guest list at a nightclub (dictating which users are let in, who has a seat in the VIP section, and so on).
What Is Delegated Administration?
Broadly speaking, Delegated Administration refers to how Role-Based Access Control is used to decentralize administrative functions through the delegation of tasks and duties. For partners and resellers, Microsoft says, “Delegated Administration allows you to manage Microsoft 365 as if you were an admin within that organization.”
What Is Role-Based Access Control?
Role-Based Access Control, or RBAC, restricts network access to select, authorized users. In Microsoft’s words, “RBAC enables you to control, at both broad and granular levels, what administrators and end-users can do. RBAC also enables you to more closely align the roles you assign users and administrators to the actual roles they hold within your organization.”
Make sense? Perfect. Now that we’ve covered the basics, should we tackle reducing delegation in Active Directory and protecting your network? Let’s do it.
First things first: You need to establish a set of administrative groups or roles and assign them tasks and responsibilities accordingly.
With CoreView, you can slice, dice, and segment users any way you like — by location, business unit, department, etc. Once those groups are identified, you can segment them using Virtual Tenants (also known as tenant virtualization — which, ahem, CoreView helped pioneer). By breaking your organization into these bite-sized groups, you can easily restrict what users can see, do, and act on — preventing delegation from getting out of hand and alleviating potential risk.
Least Privilege Access is your best friend.
In cyber security, the principle of least privilege dictates that a user should be given the lowest level of access, or permissions, needed to do their job. Applying this principle to delegation in Azure Active Directory is critical, as AAD includes a number of high-level administrative roles, including Global Admin, with access to a wealth of information and control. Strive to limit assignment of these roles to a select few administrators (e.g. only those responsible for the overall health of Azure Active Directory), then delegate significantly reduced rights and privileges to other users, or “operators,” from there.
To achieve this, we recommend adopting a functionally-based RBAC model. Though the Microsoft 365 Admin Center doesn’t offer this level of granular control to administrators, CoreView does — enter Functional Access Control, or FAC. We like to call it “the path to least privilege nirvana,” as our Functional Access Control tool allows you to check off the functions you want to grant, rather than assigning broad roles.
In the theme of protecting privileged groups, Microsoft offers a handful of recommendations and configuration options to limit delegation in Active Directory, thus preventing high-level account credentials from being forwarded to other computers, services, and users in a network.
One option is enabling ‘Account is sensitive and cannot be delegated’ — a flag that’s easy to switch on for a service or Local System account. Once it is set, the account’s credentials can’t be reused or forwarded through delegation, limiting the scope of a potential attack.
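As an added example (not CoreView’s or Microsoft’s code), the following audits the members of privileged on-premises AD groups for that flag (exposed as AccountNotDelegated by the RSAT ActiveDirectory module) and can set it; the group list and function names are assumptions to adapt to your own roles.

```powershell
# Added example: audit and (optionally) set 'Account is sensitive and cannot be
# delegated' on members of privileged AD groups.
# Assumes the RSAT ActiveDirectory module and rights to read/modify the accounts.
# The group list below is an assumption; adjust it to your own privileged roles.
Import-Module ActiveDirectory

$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

function Get-PrivilegedAccountDelegationStatus {
    param([string[]]$Groups = $PrivilegedGroups)

    # Recursive membership so nested groups are covered; keep only user objects.
    $members = foreach ($g in $Groups) {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Where-Object { $_.objectClass -eq 'user' }
    }

    # De-duplicate accounts that sit in several groups, then read the flag.
    $members | Sort-Object -Property DistinguishedName -Unique | ForEach-Object {
        $u = Get-ADUser -Identity $_.DistinguishedName -Properties AccountNotDelegated, Enabled
        [PSCustomObject]@{
            SamAccountName      = $u.SamAccountName
            Enabled             = $u.Enabled
            AccountNotDelegated = [bool]$u.AccountNotDelegated
        }
    }
}

function Set-PrivilegedAccountsNotDelegated {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string[]]$Groups = $PrivilegedGroups)

    # Only touch accounts where the flag is still off; honour -WhatIf / -Confirm.
    Get-PrivilegedAccountDelegationStatus -Groups $Groups |
        Where-Object { -not $_.AccountNotDelegated } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.SamAccountName, 'Set AccountNotDelegated = True')) {
                Set-ADUser -Identity $_.SamAccountName -AccountNotDelegated $true
            }
        }
}

# Report first; remediate only after review (drop -WhatIf to apply the change).
Get-PrivilegedAccountDelegationStatus | Format-Table -AutoSize
Set-PrivilegedAccountsNotDelegated -WhatIf
```

The flag stops services from delegating that account’s Kerberos credentials onward, so confirm no workflow legitimately relies on delegating a listed account before removing -WhatIf. Re-run the report on a schedule, since membership in these groups changes over time.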
Again, high-level administrative roles within Azure Active Directory are among the most powerful in an organization — the Crown Jewels of IT administration, so to speak. For this reason, it’s imperative that they are not only protected by extensive security features but also monitored and audited regularly.
As Microsoft frames it, “Accounts in these roles should be among the most guarded in an organization. Extra security precautions should be taken to ensure that they are not abused or compromised. Monitoring and auditing of membership in those roles should be performed. When possible, use of custom groups with delegated privileges can provide a more secure solution.”
Microsoft has 80+ admin roles and many configurable permissions. Despite this, large organizations still struggle to delegate "just enough" to admins, because Microsoft’s admin roles are either too powerful or too restrictive.
As a consequence, IT teams are overwhelmed by ticket escalations, leading to unacceptable time-to-resolution for critical IT tasks.
Overcome these issues with CoreView. With our custom roles technology, you can create and delegate custom admin roles in Entra in just a few clicks.
See how to create custom roles in Entra with CoreView.
Learn how we can help you streamline administrative delegation and protect your organization with a personalized CoreView demo today.