This article aims to help readers understand:
A few weeks ago, I had a conversation with Dean Gilau, well-known in the Microsoft 365 community for a massive implementation he did at a 9,000-employee, multi-national pharmaceutical company.
Before we got to the best practices, he really helped frame up the issues that are creating the need for delegated administration in Microsoft 365. First, let’s level set on what delegated administration even means:
Delegated administration allows organizations to assign specific administrative roles to individuals or groups based on their role without giving them full access to all administrative functions. In the context of Microsoft 365, this means users don’t need full admin rights to manage certain aspects of the Microsoft 365 environment (e.g., user accounts, groups, or SharePoint sites).
With that in mind, you can imagine that with growing adoption and increasingly complex deployments, coupled with a distributed modern workforce and ever-evolving org structures...it’s getting real. Here’s more about those big drivers:
Microsoft 365 has gained widespread adoption, with organizations relying on its suite of productivity and collaboration tools. As the user base expands, the demand for effective user management and administrative control intensifies. Delegated administration allows organizations to scale their administrative processes while maintaining centralized oversight.
The continuous expansion of Microsoft 365's capabilities has resulted in complex and multifaceted environments. Organizations face challenges in managing user roles, permissions, and settings across various applications and services. Delegated administration addresses this complexity by providing a structured approach to efficiently manage administrative tasks within the ecosystem. And to add to this madness, different industries have specific compliance and operational requirements. Delegated administration offers the flexibility to tailor administrative roles and permissions to meet industry-specific needs, ensuring regulatory compliance and efficient management of Microsoft 365.
The shift towards remote work and the prevalence of distributed teams have highlighted the need for decentralized administration. Delegated administration enables organizations to delegate administrative responsibilities to different locations or departments, ensuring seamless management of Microsoft 365 regardless of physical proximity.
Organizations are adapting their structures to be more agile and responsive. Delegated administration aligns with these evolving structures, allowing organizations to distribute administrative responsibilities based on their unique requirements. This flexibility enables efficient collaboration, cross-functional workflows, and faster decision-making.
(For more information on Administrative Units, Microsoft’s solution to delegated administration, read Achieve Microsoft 365 Tenant Segmentation with Azure AD (Entra ID) Administrative Units.)
Dean really had to work through some stuff when he was building out the customer site and has created a pretty simple set of takeaways that could help you avoid big issues along the way:
Establish well-defined administrative roles and responsibilities within your organization. Determine which tasks and permissions should be delegated to different teams or individuals based on their expertise and job requirements. Here are two pieces critical to making decisions about the roles/permissions:
Least privilege just means limiting user access rights to the bare minimum needed to perform their duties. If you stick to the notion of granting users the minimum level of permissions necessary to perform their designated tasks, you can decrease the risk of unauthorized access or accidental modifications. You can always make adjustments to up their access/permissions as they get more tasks/responsibilities/scope but revoking it after the fact can create a lot of internal tension.
Separation of duties is just a fancy way of saying you should look at dividing critical tasks among multiple administrators. This helps prevent conflicts of interest and reduces the risk of fraudulent activities or unauthorized actions. For example, one administrator could be responsible for creating user accounts, while another assigns those accounts the appropriate roles and privileges. This division ensures that no single individual holds too much power or control, reinforcing the system's security.
“How do I do that?” you ask? You can’t with Microsoft’s standard tenant, but that’s where the CoreView Virtual Tenant™ capability comes into play. With Virtual Tenants, you can slice up your existing tenant into very specific layers, based on teams, geos, campuses, etc. (See how Jefferson County Library uses them to manage 41+ libraries across 23 municipalities here.)
Put guardrails in place – there are basic auditing and monitoring features in Microsoft 365 that can help track administrative activities. However, selfishly, we see customers needing a lot more, which is why they use CoreView to continuously monitor and detect any suspicious or unauthorized changes.
Your organization is always changing, so is the Microsoft world, and heck, the world around that. This bucket contains two areas where you just need to really keep things fresh:
Conduct periodic reviews of user permissions to ensure they align with current job roles and responsibilities. Remove any unnecessary or outdated permissions to maintain a secure and streamlined environment.
Stay up to date with the latest features, security patches, and best practices recommended by Microsoft for delegated administration. Regularly review Microsoft's official documentation and announcements to ensure you're leveraging the most effective techniques. (Check out some of the latest updates here.)
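One way to automate the periodic permission review described above, covering the least-privilege and separation-of-duties checks from earlier in the article. This is an added example, not CoreView's or Microsoft's code: it runs over a constructed export of role assignments whose field names follow Microsoft Graph's unifiedRoleAssignment, and the role lists, principal names, scope IDs and finding labels are assumptions for illustration.

```python
from collections import defaultdict

# Pairs of roles one principal should not hold together. This pair mirrors the
# article's example: one admin creates accounts, another assigns roles.
SOD_CONFLICTS = [("User Administrator", "Privileged Role Administrator")]

# Roles that can be scoped to an administrative unit (subset, for illustration).
AU_SCOPABLE = {"User Administrator", "Helpdesk Administrator", "Groups Administrator"}

# Constructed sample data. Field names follow Microsoft Graph's
# unifiedRoleAssignment; "roleName" is assumed to be resolved beforehand.
ASSIGNMENTS = [
    {"principalId": "alice", "roleName": "User Administrator",
     "directoryScopeId": "/administrativeUnits/au-emea"},
    {"principalId": "bob", "roleName": "User Administrator",
     "directoryScopeId": "/"},
    {"principalId": "bob", "roleName": "Privileged Role Administrator",
     "directoryScopeId": "/"},
    {"principalId": "carol", "roleName": "Global Administrator",
     "directoryScopeId": "/"},
    {"principalId": "dave", "roleName": "Helpdesk Administrator",
     "directoryScopeId": "/administrativeUnits/au-apac"},
]


def review(assignments):
    """Return sorted (principal, finding, detail) tuples for a human reviewer."""
    roles = defaultdict(set)
    findings = set()
    for a in assignments:
        who, role = a["principalId"], a["roleName"]
        roles[who].add(role)
        tenant_wide = a["directoryScopeId"] == "/"
        if role == "Global Administrator":
            findings.add((who, "full-admin", role))
        elif tenant_wide and role in AU_SCOPABLE:
            # Least privilege: the same role is available at a narrower scope.
            findings.add((who, "narrow-scope", role))
    for who, held in roles.items():
        for left, right in SOD_CONFLICTS:
            if left in held and right in held:
                findings.add((who, "sod-conflict", f"{left} + {right}"))
    return sorted(findings)


if __name__ == "__main__":
    for who, finding, detail in review(ASSIGNMENTS):
        print(f"{who:6} {finding:13} {detail}")
```

Each finding is a prompt for a reviewer to justify, narrow or remove the assignment, not an automatic revocation.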
Offer comprehensive AND RECURRING training to administrators on delegated administration best practices, security protocols, and compliance requirements. Maintain up-to-date documentation and resources to support administrators in their roles.
It really was such a great conversation, and there is a lot more meat behind each of these, including examples from Dean’s experiences. Check out the on-demand recording of the webinar here.
NOW, how will you know you are doing it right?
Here are the five easy ways to determine if you are getting the greatest outcomes from your delegated admin strategy:
Delegating administrative tasks based on expertise and responsibility allows organizations to optimize resource allocation. By assigning specific administrative roles, organizations can reduce the burden on IT teams, avoid duplication of effort, and allocate resources more efficiently. This can lead to cost savings and improved operational efficiency.
Delegated administration contributes to a positive user experience by providing timely support and streamlined access to services. By assigning dedicated administrators to specific tasks, users receive faster assistance, efficient issue resolution, simplified processes, and improved satisfaction. This empowerment enhances employee productivity and engagement.
Organizations must adhere to various compliance and data privacy regulations, such as GDPR or HIPAA. Delegated administration provides a mechanism to enforce compliance by assigning specific roles and permissions, implementing audit trails, and ensuring proper access controls. This assists organizations in meeting regulatory requirements and demonstrating compliance during audits.
Data breaches and cybersecurity threats continue to pose significant risks to organizations. Delegated administration enables organizations to implement a least privilege model, ensuring that users have only the necessary permissions to perform their roles. This helps minimize the potential attack surface and enhances the overall security posture of Microsoft 365 environments.
Often, the pain of not giving the right permissions is that employees become frustrated. They can’t do their jobs, and often blame IT for being the bottleneck. When delegated administration is streamlined and effective, you’ll experience fewer employee complaints and escalations—leading to a happier workplace with higher job satisfaction and productivity.
If you are experiencing any of the issues I covered at the start, or you are hungering for results that look like the last bit, it's time to evaluate your delegated administration strategy.
With CoreView, users can offload up to 30% of IT tasks by delegating Microsoft 365 administration–while still maintaining full oversight and consistency. With CoreView, you can:
See CoreView’s custom role creation capabilities in action.