Sfb Admin Delegation


Hi all,

Was after some advice here... We have a lvl2 team that provisions our Sfb users (Sfb Online), assigns phone numbers, licensing etc. Currently they have the Sfb Administrator Role assigned to perform these functions. For me this is way too much access and I need to delegate it to the correct access (least priv).

They perform the following commands from PowerShell - Set-CsUser / Get-CsOnlineUser / Set-CsUserPstnSettings / Grant-CsTenantDialPlan

I have done some searching around Azure Custom roles but nothing specifically for a custom Sfb role in Azure.

Hope I've got all the info there.

Cheers

Ryan

2 Replies

Hi Ryan,

Unfortunately, this is a frustration which many large organizations have known all too well. These types of organizations (including the one I work for) have tiered levels of support, each with different support responsibilities. While we have had no trouble creating the RBAC permissions for the different support tiers in our on prem environment using Skype for Business Server 2015, the same type of granular permissions do not currently exist in Skype for Business Online, so the only options are to grant the full "Skype for Business administrator" role to those lower support tiers, which we are also not comfortable doing, as there are tenant-level settings within the portal which I am not comfortable with them seeing, or to not grant them any permissions, thereby forcing the top-tier support team to perform functions as mundane as assigning phone numbers.

RBAC permissions for Skype for Business Online have been a request from many within the community for quite some time. With the upgrade and consolidation of the Skype for Business Admin Center into the Teams & Skype Admin Center, I am sincerely hoping we will eventually see the implementation of proper RBAC permissions as well. This is something which has been available in Exchange Online for years already, but has just not come to Skype for Business Online yet.

This was understandable when the Skype for Business Admin Center had just a few tenant-level permissions available for configuration, but with phone number provisioning now there as well, our organization of over 30,000 users cannot easily be managed by a team of 5 top-tier support staff responsible for Skype for Business if they need to also spend the time to assign phone numbers all day long.

Hi Alexander,

Thanks for the reply, sounds like we're in the same boat. We went from On-Prem Sfb and are now dealing with Sfb Online... well, now Teams & Skype. I really hope there is some granularity for RBAC shortly. I've asked my TAM for a timeline (which I will post here), as it seems a bunch of customers are after this, not only for compliance but to apply least privilege to our support staff.

I found this link with a lot of people requesting RBAC:

https://office365.uservoice.com/forums/273493-office-365-admin/suggestions/32204950-allow-global-adm...

Cheers

Ryan