Limiting 365 Admin Access


Hi,

Can we grant system admin access within the 365 console to only specific domains and sites? Where can I read more on this?

Thanks

2 Replies
No, not really. You can limit *some* functionality by leveraging the Administrative units feature: https://docs.microsoft.com/en-us/azure/active-directory/roles/administrative-units
They are however only supported in the M365 AC/Azure AD blade and don't allow all actions/roles. For some of the other admin endpoints you can use workload-specific controls (such as the RBAC model in Exchange), but if you need a robust solution, your best bet is a third-party "portal replacement" type of product.
I work at a company with thousands of employees across the globe. All countries have their own domain name (company.us, company.de, company.tw, etc.). They are split up in AD and I only have access to the US and a handful of other countries. Surely 365 is able to limit access in the same way?
Thanks.