Despite agencies’ continued efforts to align their security plans with Zero Trust Architecture (ZTA), as required by OMB memorandum M-22-09, we have seen less progress in the execution of those strategies. This particularly holds true for large, centralized tenants that combine previously segregated departments and offices.
While security teams would like to implement a least-privilege model to meet ZTA standards, federal agencies that have consolidated their departments and offices onto a centralized platform such as Microsoft 365 have faced a tough decision: either grant each entity administrative access to the entire tenant, or lock down admin rights and burden central IT with managing every aspect of every department.
Fortunately, there is a third option. In this post we discuss how delegated administration across your cloud solution lets you combine a scope of content with role-based privilege, aligning your organization’s security framework with ZTA without adding work for IT.
The Benefits of Delegated Administration
The principle of least privilege, which limits every user to only the permissions necessary to do their job, is a core principle of ZTA because it gives teeth to ZTA’s “never trust, always verify” stance: if employees only have access to what they need, the damage from compromised credentials, a malicious insider, or an external attacker is contained to that scope.
Under centralized administration, a least-privilege model places a significant burden on your global admins, who may spend much of their day managing users, content, and access across your Microsoft 365 workspaces and applications to ensure that only those with a need to know have access.
M365 provides a role-based administration model, enabling central IT to grant users who are not global admins limited admin privileges, such as managing license distribution, creating a new resource mailbox, or resetting a password (for example, the built-in License Administrator, Exchange Administrator, and Password Administrator roles).
To meet ZTA standards, an agency should take the delegation of administration a step further and break down each administrator’s responsibility by service, scope, and function.
For example, many agencies work with government contractors who may add or remove staff from projects frequently. Traditionally, the central IT organization in charge of the tenant would be burdened with managing these personnel changes: creating users, managing licenses, and deleting old users. With delegated administration, these onboarding and offboarding duties can be distributed to the contractors’ own staff, who know which personnel changes are legitimate, provided the delegated right is scoped to the contractor’s own users and licenses rather than the whole tenant.
Delegated administration is also a security best practice in its own right: whoever owns the information manages access to it. This is particularly helpful for agencies handling sensitive data, where a need-to-know mandate often means that only the team that owns a data set may even know it exists.
Pain Points of Native Delegated Administration
Historically, when most Federal agency work was done on-prem, “delegated administration” happened naturally. Many agencies had multiple server farms that were often owned by the individual departments and offices themselves, enabling each department to control its own collaboration structures, security policies, and governance procedures.
Today, as agencies migrate to the cloud and centralize all departments and offices into Microsoft 365, delegated administration requires more coordination to ensure its effectiveness and security.
There are native capabilities that let you segment who has access to what and delegate administrative tasks. For example, Microsoft 365 has service administrator roles such as SharePoint Administrator and Exchange Administrator, but each grants authority over the whole service across the entire tenant: a SharePoint Administrator can administer every site. Digging one level deeper, within SharePoint you can assign Site Collection Administrator rights, which lets you hand-pick the individual site collections that belong in each user’s scope and grant administrative permissions only there.
While this is certainly better than global admins managing the content themselves, it is still a manual process: your IT team must determine who should manage what, identify the scope of content, and align it with each user’s privilege. If a user’s site responsibilities change, or another admin removes the assignment, it must be edited or re-added by hand. On top of that, you need to track manually which site collections belong to whom to ensure no one is overprivileged.
So not only is assigning administrators to the right scope of content highly manual, you also need a process to detect when permissions change and reset them, or run the risk that an administrator lacks the required access at the moment they need it, or keeps access they should have lost.
This process is labor-intensive, menial, and leaves too much room for error. Duplicate the effort across every content type, including SharePoint sites, Exchange mailboxes, Teams channels, and OneDrive folders, and managing permissions and access to content quickly becomes your IT team’s entire job.
When you are working to implement ZTA through better permission management, native capabilities alone are simply not efficient or scalable for Federal agencies.
Streamlined and Secure Delegated Administration
AvePoint EnPower streamlines delegated administration by breaking permissions down, allowing agencies to tailor administrative permissions across the M365 tenant to their operational and security needs.
By combining the standard role-based access control approach with an automated definition of content scope, daily tasks like resetting a user’s password, setting up a new resource mailbox, or clearing out inactive SharePoint sites are available only to the admins who need them, and only over the content those admins are meant to manage.
You choose how admin permissions are structured: by application, location, business unit, department, tiered IT support, whatever makes sense for your organization. The scope can be derived automatically from standard or custom Azure Active Directory (now Microsoft Entra ID) user attributes, workspace naming conventions, or metadata stored in the workspace property bag.
AvePoint EnPower also goes finer-grained than a service administrator role. Rather than full admin rights across the Exchange service, an administrator could be permitted to create Exchange mailboxes but not delete them, or to place a litigation hold only when directed by the legal team. Another common scenario is giving an administrator oversight of all Teams belonging solely to their own agency.
AvePoint helps secure administration through centralized dashboards and activity reports, where you can monitor, track, and review all delegated activity to confirm that the correct permissions were granted. This also lets you quickly get to the root of why a job failed, or review in bulk to spot trends that need remediation.
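To make concrete both the tracking problem described under the native pain points above (hand-assigned Site Collection Administrators that drift when responsibilities change or another admin edits them) and what an attribute-driven scope rule actually computes, here is an added example. It is not EnPower’s code and not a Microsoft sample. It assumes a department attribute on each user, a hypothetical custom flag marking a department’s delegated admins, a site naming convention of `/sites/<PREFIX>-<Name>`, a property-bag key named `Department`, and a break-glass account that central IT keeps everywhere; the directory export, site list, and current admin assignments are constructed sample data.

```python
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    upn: str
    department: str          # Azure AD "department" attribute
    delegated_admin: bool    # assumed custom attribute flagging a department's delegated admins


@dataclass
class Site:
    url: str
    property_bag: dict = field(default_factory=dict)  # hypothetical key "Department"


# Assumed naming convention: https://<tenant>.sharepoint.com/sites/<PREFIX>-<Name>
PREFIX_TO_DEPARTMENT = {"FIN": "Finance", "HR": "Human Resources"}
# Central IT break-glass account that must stay site admin everywhere (assumption)
ALWAYS_KEEP = {"spo-breakglass@agency.gov"}

_PREFIX_RE = re.compile(r"/sites/([A-Za-z]+)-")


def site_department(site):
    """Resolve a site's owning department: property-bag tag first, then the URL
    naming convention; None means the site has no scope rule and needs review."""
    tag = site.property_bag.get("Department")
    if tag:
        return tag
    match = _PREFIX_RE.search(site.url)
    return PREFIX_TO_DEPARTMENT.get(match.group(1).upper()) if match else None


def desired_admins(users, sites):
    """Compute the admin set the scope rule prescribes for every scoped site.
    Returns (desired: {url: set(upn)}, unscoped: [url])."""
    desired, unscoped = {}, []
    for site in sites:
        dept = site_department(site)
        if dept is None:
            unscoped.append(site.url)          # never touched automatically
            continue
        in_scope = {u.upn for u in users if u.delegated_admin and u.department == dept}
        desired[site.url] = in_scope | ALWAYS_KEEP
    return desired, unscoped


def reconcile(desired, current):
    """Diff desired against current site-collection admins. Only sites that drifted
    appear in the plan; 'remove' entries are the overprivileged admins."""
    plan = {}
    for url, want in desired.items():
        have = set(current.get(url, ()))
        add, remove = want - have, have - want
        if add or remove:
            plan[url] = {"add": add, "remove": remove}
    return plan


def to_spo_commands(plan):
    """Render the plan as SharePoint Online Management Shell commands (Set-SPOUser is
    a real cmdlet; run after Connect-SPOService). Removals come first per site."""
    cmds = []
    for url in sorted(plan):
        for upn in sorted(plan[url]["remove"]):
            cmds.append(f'Set-SPOUser -Site "{url}" -LoginName "{upn}" -IsSiteCollectionAdmin $false')
        for upn in sorted(plan[url]["add"]):
            cmds.append(f'Set-SPOUser -Site "{url}" -LoginName "{upn}" -IsSiteCollectionAdmin $true')
    return cmds


# --- Constructed sample data (not exported from any real tenant) ---------------------
USERS = [
    User("alice@agency.gov", "Finance", True),
    User("bob@agency.gov", "Finance", False),
    User("carol@agency.gov", "Human Resources", True),
    User("dave@agency.gov", "Human Resources", True),   # transferred from Finance last week
    User("spo-breakglass@agency.gov", "IT", False),
]
SITES = [
    Site("https://agency.sharepoint.com/sites/FIN-Budget", {"Department": "Finance"}),
    Site("https://agency.sharepoint.com/sites/HR-Benefits"),   # scoped via URL prefix only
    Site("https://agency.sharepoint.com/sites/ProjectX"),      # no tag, no prefix: unscoped
]
CURRENT_ADMINS = {   # what Get-SPOUser ... | Where-Object IsSiteAdmin reports today
    "https://agency.sharepoint.com/sites/FIN-Budget": {"alice@agency.gov", "dave@agency.gov", "spo-breakglass@agency.gov"},
    "https://agency.sharepoint.com/sites/HR-Benefits": {"carol@agency.gov"},
    "https://agency.sharepoint.com/sites/ProjectX": {"bob@agency.gov"},
}


def run(users=USERS, sites=SITES, current=CURRENT_ADMINS):
    desired, unscoped = desired_admins(users, sites)
    plan = reconcile(desired, current)
    return plan, unscoped, to_spo_commands(plan)


if __name__ == "__main__":
    plan, unscoped, cmds = run()
    for url, change in plan.items():
        print(f"{url}\n  add:    {sorted(change['add'])}\n  remove: {sorted(change['remove'])}")
    print("needs manual scope decision:", unscoped)
    print("\n".join(cmds))
```

Run on a schedule, this is the reconciliation loop the native approach lacks: Dave’s transfer shows up as a removal on the Finance site and an addition on the HR site without anyone filing a ticket, the HR site gets the missing break-glass account back, and the untagged ProjectX site is reported for a human decision rather than silently left with whoever happens to be admin. The same shape works for Exchange mailbox permissions or Teams ownership; only the inventory and the rendered command change.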
The Bottom Line
Because of the complexity of operating in the cloud, many organizations have locked down admin privileges to a select few, assuming this is the best way to safeguard their information. Unfortunately, this simply bogs down valuable resources with routine requests and tasks, overburdening IT and restricting scalability.
As agencies work to implement least-privilege models and ZTA, this problem will only grow as your IT team puts in overtime to manage users, content, and access and keep your tenant secure. With delegated administration, central IT remains responsible for the overall governance policies and management of your tenant, but can offload the menial or tedious tasks that do not threaten your agency’s security to trusted, responsible users in a controlled, scoped way.
While there is no single solution or technology that will allow you to meet the government’s mandated security standards, delegated administration is a useful first step that can help reduce risk, unburden IT, and secure your sensitive information.
Unite your security and IT teams with AvePoint EnPower. Schedule a demo for AvePoint EnPower today and discover how the right tools can easily secure your tenant and extend your IT workforce with simplified, delegated administration of Microsoft 365 content and security management. You can also request a demo of our Zero Trust solution to make aligning with the federal mandate simple and seamless, and read more blog posts about Zero Trust. For even more, learn how to meet federal Zero Trust standards with Microsoft Sensitivity Labels in this webinar!
Subscribe to our Microsoft 365 Government Community call for more tips and tricks on how to utilize M365 as a federal agency.
Antoine Snow is a senior solutions manager at AvePoint, leading the Public Sector business unit. He has held various positions in IT over the past several years, ranging from front-end web developer to Microsoft 365 Service Owner. In his current role, Antoine focuses on governance and adoption challenges plaguing the modern workplace and on helping government organizations understand the components of a governance strategy and its implementation. Antoine's views on these topics can be found in various blog posts and have been the focus of one-to-one workshops.
I sell software, but my passion is to help translate the needs of the business into the capabilities of available technology. Over two decades in tech I have helped customers analyze collaboration solutions against actual mission needs in helping them select the best path based on their personal critical success factors. Per my training I’m a project manager (PMP), an engineer, an architect, and a designer; but ultimately, I’m a problem solver.