User Management Admin Role

%3CLINGO-SUB%20id%3D%22lingo-sub-24756%22%20slang%3D%22en-US%22%3EUser%20Management%20Admin%20Role%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-24756%22%20slang%3D%22en-US%22%3E%3CP%3EThe%20description%20of%20the%20User%20Managment%20Admin%20role%20is%3A%20%26nbsp%3B%3CSPAN%3EResets%20passwords%2C%20monitors%20service%20health%2C%20and%20manages%20user%20accounts%2C%20and%20service%20requests.%20The%20user%20management%20admin%20can%E2%80%99t%20delete%20a%20global%20admin%2C%20create%20other%20admin%20roles%2C%20or%20reset%20passwords%20for%20billing%2C%20global%2C%20and%20service%20admins.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20looking%20for%20more%20context%20around%20actions%20involved%20for%20'managing%20user%20accounts'.%20%26nbsp%3BWe%20have%20a%20service%20account%20with%20the%20Global%20Admin%20role%20that%20we%20use%20for%20managing%20users%20and%20licensing%20via%20PowerShell%3B%20and%20our%20app%20Admins%20are%20Service%20Admins%20and%20can%20monitor%20service%20health%20and%20the%20mssage%20center.%20%26nbsp%3BI'm%20not%20certain%20we%20need%20anyone%20assigned%20the%20User%20Mgmt%20role%2C%20just%20want%20clarification%20on%20specific%20actions%20inovled%20in%20'managing%20user%20accounts'%20to%20understand%20if%20we%20have%20scenarios%20internally%20where%20we'd%20want%20someone%20in%20that%20role%20vs%20using%20our%20Global%20Admin%20service%20account%20to%20manage%20user%20accounts%20via%20powershell.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-24756%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAdmin%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-30832%22%20slang%3D%22en-US%22%3ERE%3A%20User%20Management%20Admin%20Role%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-30832%22%20slang%3D%22en-US%22%3EIf%20you%20need%20an%20O365%20management%20portal%20that%20offers%20a%20number%20of%20features%20beyond%20what%20the%20current%20Microsoft%20portal%20offers%20including%20advanced%20RBAC%20controls%20for%20your%20admins%2C%20reach%20out%20and%20we'll%20demo%20our%20platform%20-%20%3CA%20href%3D%22http%3A%2F%2Fwww.nuvolex.com%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ewww.nuvolex.com%3C%2FA%3E.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-24865%22%20slang%3D%22en-US%22%3ERe%3A%20User%20Management%20Admin%20Role%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-24865%22%20slang%3D%22en-US%22%3E%3CP%3EThe%20difference%20is%20that%20they%20cannot%20make%26nbsp%3B(some)%26nbsp%3Bchanges%20to%20any%20GA%20account%20(or%20elevate%20user%20accounts).%20So%20it's%20not%20that%20easy%20to%20abuse%20the%20role%20and%20it's%20more%20appropriate%20for%201st%2F2nd%20level%20support%20or%20for%20anyone%20doing%20some%20daily%20tasks%20in%20the%20portal%20or%20via%20PowerShell.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-24784%22%20slang%3D%22en-US%22%3ERe%3A%20User%20Management%20Admin%20Role%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-24784%22%20slang%3D%22en-US%22%3EOur%20company%20has%20designated%20individuals%20to%20manage%20users%20and%20licenses%20(we%20arent%20doing%20anything%20automated%20yet).%20Those%20individuals%20are%20User%20Management%20roles%2C%20but%20we%20dont%20give%20them%20Service%20Admin%20or%20Global%20Admin.%20IMO%2C%20the%20tools%20you%20have%20probably%20have%20eliminated%20the%20particular%20need%20for%20that%20role.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-24770%22%20slang%3D%22en-US%22%3ERe%3A%20User%20Management%20Admin%20Role%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-24770%22%20slang%3D%22en-US%22%3E%3CP%3EAlso%2C%20what%20roles%20have%20others%20assigned%20their%20help%20desk%20or%20Tier%203%20people%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Regular Contributor

The description of the User Managment Admin role is:  Resets passwords, monitors service health, and manages user accounts, and service requests. The user management admin can’t delete a global admin, create other admin roles, or reset passwords for billing, global, and service admins.

 

I'm looking for more context around actions involved for 'managing user accounts'.  We have a service account with the Global Admin role that we use for managing users and licensing via PowerShell; and our app Admins are Service Admins and can monitor service health and the mssage center.  I'm not certain we need anyone assigned the User Mgmt role, just want clarification on specific actions inovled in 'managing user accounts' to understand if we have scenarios internally where we'd want someone in that role vs using our Global Admin service account to manage user accounts via powershell.

4 Replies
Highlighted

Also, what roles have others assigned their help desk or Tier 3 people?

Highlighted
Our company has designated individuals to manage users and licenses (we arent doing anything automated yet). Those individuals are User Management roles, but we dont give them Service Admin or Global Admin. IMO, the tools you have probably have eliminated the particular need for that role.
Highlighted

The difference is that they cannot make (some) changes to any GA account (or elevate user accounts). So it's not that easy to abuse the role and it's more appropriate for 1st/2nd level support or for anyone doing some daily tasks in the portal or via PowerShell.

Highlighted
If you need an O365 management portal that offers a number of features beyond what the current Microsoft portal offers including advanced RBAC controls for your admins, reach out and we'll demo our platform - www.nuvolex.com.