Delegate admin roles to partners

Completed

If an organization doesn't have in-house administrators, it can outsource its Microsoft 365 administration to a Microsoft partner. For example, Adventure Works Cycles is regional bicycle distributor that doesn't need specialized IT administration roles. As such, it decided to rely on a Microsoft partner to provide IT administrative functionality.

Outsourcing administration to a Microsoft partner is referred to in Microsoft 365 as delegated administration. A partner initiates delegated administration by sending an email message to an organization, requesting permission to act as an administrator on their behalf.

To accept the delegated administration offer, the organization should complete the following steps:

  1. Open the email message from the partner and read the terms of the offer.
  2. Select the link to authorize the agreement, which displays an authorization page in Microsoft 365.
  3. Under Delegated administration, select Yes to authorize the partner to be the organization's delegated administrator.
  4. If the delegated administration offer came with a trial subscription or a purchase offer, create the trial or subscription tenant account.

To view the delegated administrators, the organization should complete the following steps:

  1. In the Microsoft 365 admin center, on the Active users page, select Filter on the menu bar.
  2. In the drop-down list that appears, select any of the assigned roles.

If you don't have a delegated administrator, the message on that page will state, “There are no delegated administrators associated with your account.”

Administrator roles set by partners

When you delegate administration to a partner, they can specify administration roles to users they create on the organization's behalf. The partner can assign these roles to support agents in their own organization or to users in the customer's organization. However, when you delegate administration to a partner, you restrict them to the following two roles:

  • Full Administration
    • Users assigned the Full Administration role have extensive administrative privileges within the delegated organization.
    • They have broad access to manage various aspects of the organization's Microsoft 365 environment, including user accounts, licenses, domains, and services.
    • Full Administration users can create and manage other users, including assigning roles and permissions to them.
    • They have the ability to manage security settings, such as configuring password policies and security features.
    • Full Administration users can manage Microsoft 365 subscriptions, including purchasing and assigning licenses.
    • They can access and modify Exchange Online settings, including email and mailbox management.
    • Full Administration users also have access to the organization's data and can manage SharePoint Online sites and files.
  • Limited Administration
    • Users assigned the Limited Administration role have restricted administrative privileges.
    • While they have some administrative capabilities, they have limited access and permissions compared to Full Administration users.
    • Limited Administration users can manage user accounts, including creating and modifying them.
    • They can reset passwords for users and manage user group memberships.
    • Limited Administration users have access to service health and support information.
    • They can view and manage support tickets related to the organization's Microsoft 365 services.
    • Limited Administration users don't have access to more sensitive settings and configurations, such as managing domains, subscriptions, or security settings.

Important

Organizations should carefully consider the level of trust and access they grant when delegating administration to a partner. They should review and clearly communicate the roles and responsibilities of the partner's users and ensure that the assigned roles align with their security and compliance requirements.

Microsoft recommends the following best practices to ensure delegated administrators correctly manage the Microsoft 365 administrator roles:

  • Carefully plan administrator roles by creating a matrix to distribute roles based on the organization’s operational model.
  • Document and audit administration roles and their privileges.
  • Ensure that you keep administration roles up to date by changing or removing roles as needed.
  • Ensure that you receive management approval for your final administration role design.

Tip

Keep in mind that the specific permissions and capabilities of these roles may be subject to updates and changes by Microsoft. As such, Microsoft recommends that you to refer to the official Microsoft documentation or consult with your Microsoft 365 partner for the most up-to-date information.