How to use the Workload-specific roles for delegated administration of Office 365

Many customers would like to reduce the number of Office 365 Global Admins to a small handful, while granting service specific admin roles to designated administrators.

Workload-specific admin roles began rolling out on June 11th, 2015 and provide more flexibility to organizations that want to structure admin access to Exchange Admin Center, SharePoint Admin Center, and Skype for Business Admin Center. For example, an Exchange admin will no longer require Office 365 global admin rights to manage Exchange Online. You can now give your SharePoint admin the ability to manage SharePoint site collections without giving them rights over your Exchange environment.

I’m going to grant John Doe the Limited Admin role of Exchange Administrator.

image

In addition to being an Exchange Administrator, John will also have the ability to perform six tasks in the Office 365 Admin portal:

  • View organization and user information
  • Manage support tickets
  • View users and roles
  • View user licenses
  • View service health and message center posts
  • Manage reporting

Limiting Access to Executive Mailboxes

Now, let’s assume a company wants to grant Exchange Administrators access to all mailboxes except a group of VIP users. In this case, you should not grant the user the limited role of Exchange Administrator, because that would give them too much access (Organizational Administration – the highest rights within Exchange). Instead of granting them rights within the Office 365 Admin Portal, you should instead create a role in the Exchange Admin center such as “View-Only Organization Management” and then grant them full mailbox access on all users except for the VIP users. This script could be scheduled to run as a scheduled task so that these limited admins would be granted access to new employees (or you would update the new employee onboarding account creation process to grant these admins full mailbox access to the new employees).

For these limited admins, they will not logon to the Office 365 Admin center (portal.office.com) but instead they will logon directly to the Exchange Online Control Panel at https://outlook.office365.com/ecp