Forum Discussion

Iron Contributor

Aug 15, 2016

Best Practices O365 Admin Roles

For large Enterprises, what's the recommendation for assigning Admin Roles within O365 (Global Admin, Billing Administrator, SharePoint Administrator, etc) -- do you assign individual names as Admini...

admin

Guarino Nicola

Copper Contributor

Aug 10, 2017

Hi,

very intersting topic and replies.

WE are a tenant of 100 users and we have 3 global admins, with separate admin accounts.

Things work pretty much fine (including MFA), we have an issue though with 2 things:

1) Granularity of admin roles managed in Office 365 vs managed in Azure AD, there seem to be some little tiny differences that can prevent admin to their job.

2) Licenses: in principle an Admin needs no license, but ther are some actions that you can't perform with an adequate license (in Exchange Online or Intune).

We can sort point 1, but I am quite upset with point 2.

I recently attended an Ask The Expert session, during which the the MSFT guru suggested the elevation of "normal users" to "admin role" based on specifc time frame or on demand, but i could not find any hint in this sense.

If you have any, and want to share, feel free!

Nicola

Paul Cunningham

Iron Contributor

Aug 24, 2017

Guarino Nicola wrote:

I recently attended an Ask The Expert session, during which the the MSFT guru suggested the elevation of "normal users" to "admin role" based on specifc time frame or on demand, but i could not find any hint in this sense.

Sounds like they were referring to the feature called Privileged Identity Management, which can temporarily elevant permissions based on specific conditions and approvals.

Deleted
Oct 25, 2017
Is this what you are referring to?
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-privileged-identity-management-configure
- VasilMichev
  MVP
  Oct 25, 2017
  That's the one, and is even better now compared to 3 months ago :)