365, Google, and Teacher Privileges.

I am a Microsoft 365 admin for our school district. I would like a few of the teachers to be granted the ability to add or delete student accounts without having any additional admin privileges. This would greatly assist our staff while ensuring security. We are a Google-based district using Chromebooks and MacBooks, but it is essential that our ICEV students have access to Microsoft 365 to meet their curriculum needs. Are there any settings that would allow for this to happen?

1 Reply

Hi @sgee1760,

Absolutely, you can delegate user management tasks to specific teachers without granting them full administrative privileges by using Administrative Units in Microsoft Entra ID (formerly Azure Active Directory). This allows you to assign limited administrative roles scoped to specific groups of users.

Here's how you can set this up:

  1. Create an Administrative Unit (AU):

    • Sign in to the Microsoft Entra admin center.
    • Navigate to Administrative units on the left-hand menu.
    • Click on + New administrative unit.
    • Provide a name for the AU (e.g., "Student Accounts") and click Create.
  2. Add Student Accounts to the AU:

    • Select the newly created AU.
    • Go to Members > + Add members.
    • Add the student user accounts you want the teachers to manage.
  3. Assign Teachers to the AU with Specific Roles:

    • Within the AU, navigate to Roles and administrators.
    • Click on + Add assignments.
    • Choose a role like User Administrator or create a custom role with only the permissions you desire.
    • Select the teachers who will be assigned this role.

Benefits of Using Administrative Units:

  • Scoped Permissions: Teachers will have administrative rights only over the users within the AU, preventing them from accessing or modifying accounts outside their scope.
  • Enhanced Security: Limits the potential for accidental changes to critical settings or accounts.
  • Operational Efficiency: Empowers teachers to manage student accounts directly, reducing the administrative burden on IT staff.

Additional Considerations:

  • Custom Roles: If the built-in roles grant more permissions than you're comfortable with, consider creating a custom role with specific permissions like "User.Create" and "User.Delete".
  • Training: Ensure that the teachers understand their responsibilities and are trained on how to manage user accounts securely.
  • Audit Logging: Enable auditing to monitor the actions taken by users within the AU for compliance and security purposes.

Feel free to reach out if you need any further guidance on configuring these settings!

Best regards,
msftep
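
The three portal steps in the reply above, scripted as an added example that is not part of the original reply. It assumes the Microsoft Graph PowerShell SDK is installed; the account names are constructed placeholders, and the final loop checks that each teacher's role assignments are scoped to the administrative unit and not to the whole tenant.

```powershell
# Assumption: the Microsoft Graph PowerShell SDK is installed and the signed-in
# admin may manage administrative units and role assignments.
Connect-MgGraph -Scopes 'AdministrativeUnit.ReadWrite.All',
                        'RoleManagement.ReadWrite.Directory',
                        'User.Read.All'

# Placeholder accounts, constructed for this example.
$studentUpns = 'student1@contoso.example', 'student2@contoso.example'
$teacherUpns = @('teacher1@contoso.example')

# Step 1: create the administrative unit (name taken from the reply's example).
$au = New-MgDirectoryAdministrativeUnit -DisplayName 'Student Accounts' `
        -Description 'Student accounts managed by delegated teachers'

# Step 2: add the student accounts as members of the AU.
foreach ($upn in $studentUpns) {
    $student = Get-MgUser -UserId $upn
    New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id `
        -BodyParameter @{ '@odata.id' = "https://graph.microsoft.com/v1.0/users/$($student.Id)" }
}

# Step 3: assign User Administrator to each teacher, scoped to the AU only.
$role  = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"
$scope = "/administrativeUnits/$($au.Id)"
foreach ($upn in $teacherUpns) {
    $teacher = Get-MgUser -UserId $upn
    New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $teacher.Id `
        -RoleDefinitionId $role.Id -DirectoryScopeId $scope | Out-Null
}

# Check: list every directory role assignment each teacher holds.
# A Scope of '/' is tenant-wide; anything other than $scope needs review.
foreach ($upn in $teacherUpns) {
    $teacher = Get-MgUser -UserId $upn
    Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($teacher.Id)'" |
        ForEach-Object {
            [pscustomobject]@{
                Teacher    = $upn
                RoleId     = $_.RoleDefinitionId
                Scope      = $_.DirectoryScopeId
                ScopedToAU = ($_.DirectoryScopeId -eq $scope)
            }
        }
}
```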