Delegated Administration: How to Save Time and Money Managing SaaS Applications

Post Date: 05/26/2023
feature image

As the world increasingly relies on Software-as-a-Service (SaaS) platforms to scale businesses, IT teams take the central role in driving businesses toward digital transformation goals. 

The complexity of the cloud requires strenuous effort from administrators just to manage their environment – not to mention the nitty-gritty details of their everyday business tasks – while keeping security in place. Beyond this, there is immense pressure for IT teams to save time and money in scaling SaaS management as IT budgets change priorities. 

How can administrators enable IT agility without sacrificing security to scale and maximize their SaaS investments? Two words: delegated administration. 

What is Delegated Administration?

One of the most straightforward solutions to streamline your SaaS management is delegated administration – assigning specific people in your organization to complete admin tasks. Sounds easy? Not quite.  

As an administrator in your cloud workspace, you get access to controls and security settings that can affect critical business data and processes. So, while you can simply ask people to complete tasks for you, you’re also risking the chance of giving overprivileged access that may introduce risks to your environment. 

delegated-administration-saas-management

The key, then, is to find the right people for the task and maintain control over what access you give them as they accomplish their assignments.  

The Challenges of Delegated Administration in Microsoft 365 

In Microsoft 365, global administrators can assign admin roles to other users to help manage the vast network of workspaces in the Microsoft environment. Once given an admin role, a user will have specific permissions to do tasks in the Microsoft 365 admin center.  

For example, a user can be assigned to add/remove other users, another user may be responsible for assigning licenses, and others are delegated to be service administrators and look after Microsoft services such as Exchange, SharePoint, Teams, etc. 

Microsoft’s native capability of assigning role admins, however, has its limitations that may hinder efficiency and threaten security in enabling delegated administration in your Microsoft environment: 

1. Role admin assignments are manual

Adding an administrator role to users requires you to either find the users and assign them the roles individually or go to the role and assign multiple users. If you plan to use most of Microsoft’s admin roles, it will take a long time to appoint these roles (or delete permissions) to your users.  

2. Some admin roles may be overprivileged.  

While the Microsoft 365 admin center already offers a long list of admin roles, some of these roles still possess more permissions than you’d want your users to have access to. For example, service administrators get full admin rights to their assigned service. Teams administrators have full access to the Microsoft Teams admin center, the same access an Exchange service administrator has over your Exchange admin center in your entire tenant. 

For organizations increasingly adopting Power Platform, this challenge complicates how securely you can scale the platform. Once you have your Power Platform admin team, each administrator will have full rights and access to your Power Platform environment across tenants, creating vulnerabilities to your security best practices. 

transform-and-optimize-power-platform-webinar-avepoint

This lack of granularity makes some consider whether giving admin roles to specific users is worth it or if it’s better to lock access (and keep the work) to the central IT team.

3. Microsoft admin center lacks audit trails of admin activities. 

Once you’ve given admin role access to your users, there’s no easy way of finding out what they do with their access. You can get your audit logs, but that means you need to sort through every single thing that’s happened in your entire tenant to look for admin actions specifically.  

You lose complete control over your admin roles without visibility over your admin activities. You cannot remediate quickly should issues arise, such as a malicious user taking advantage of their admin rights to gain access to business-critical data. 

How to Enable Effective and Secure Delegated Administration  

To reap the benefits of delegated administration without setting security aside, you need control and visibility over the admin roles you assign to your users. With AvePoint EnPower, you can tailor admin permissions to your needs while having insights into the activities of all other admins. This way, you’re enabling efficiency in how your team manages your Microsoft 365 environment and keeping security on top of your list. 

AvePoint EnPower empowers an efficient and secure delegated administration strategy with these capabilities: 

Streamline admin delegation 

In a single dashboard, organizations can tailor and align admin permissions across their Microsoft 365 tenant/s by breaking down permissions and setting IT admins’ access by service, function, or scope. You can set admin roles depending on the business unit, region, or by the application they’re assigned to manage. 

delegated-administration-permissions-entrust

Grant granular admin permissions

With an automated content scope combined with Role-Based Access Controls, only the proper permissions to complete their tasks – such as resetting user passwords, creating security groups, or deleting resource mailboxes – can be assigned to the right user. 

granular-permissions-delegated-administration-entrust

Enable extra granularity for your Microsoft 365 admin roles. Instead of giving full admin rights to the entire service tenant, you can break down permissions even for service administrators by allowing only a set of permissions to do specific tasks in the service admin center. For example, a SharePoint administrator can create and manage sites for groups but cannot add/remove external users to do those groups.  

Centralize visibility and control

Have complete control over all the admin activity in your entire tenant/s with a centralized insights dashboard. Easily monitor the activities of all your admins in a single pane, track any risks or malicious activities, and quickly remediate permissions when needed.   

secure-delegated-administration-entrust-admin-audit

Delegate Administration the AvePoint Way

With streamlined, granular, and secure delegated administration, you can rest assured that daily admin tasks are completed successfully so you can focus on scaling your SaaS management and achieving business goals. 

Effective delegated administration provides IT administrators the time to look beyond daily requirements and start optimizing operations.

Ready to scale your SaaS adoption and maximize your Microsoft 365 and Power Platform investments? You don’t need to sacrifice security for agility – do more with AvePoint EnPower. Learn more about AvePoint EnPower today.

SaaS-Management

Sherian Batallones is a Content Marketing Specialist at AvePoint, covering AvePoint and Microsoft solutions, including SaaS management, governance, backup, and data management. She believes organizations can scale their cloud management, collaboration, and security by finding the right digital transformation technology and partner.

View all posts by Sherian Batallones
Share this blog

Subscribe to our blog