Delegated administrators in Office 365

I think Office 365 and Azure are great tools for consolidating separate environments, for example when a company has a dispersed IT environment across different countries or when a company acquires another one.

What we need to think through thoroughly here is the admin permissions.

The old way or the new way?

The old way usually means that a user has a normal user account and a separate administrative account. That is good when, for example, working with a file share: it's easy to work with a document and accidentally move all the other files somewhere else if the user has too many rights. Logging on to a terminal server as a combined user and admin is also not a good idea.

When using Office 365 and its services it looks a bit different, though. When working as a regular user you don't have the context in which you could mistakenly delete or bulk-change things; the portals make it obvious which context you are working in. An admin user doesn't need a license, except for administering the things included in EMS (Enterprise Mobility Suite). Let's say you need to change settings for self-service password reset: then the user who is changing the settings needs a license for them to be visible.

So what am I saying? Don't make separate administrator accounts; delegate administrative rights to the regular licensed user. The user in real life is the same user whether he/she is working in Word or changing group memberships. Think of the user as an individual with some extra roles, licensed and always working as the regular user they are supporting.

Another advantage is that it's one user to track and monitor; alerts and so on are sent to the mailbox that the admin is already using on the desktop, phone etc. The user can actually use all services while holding admin rights without messing with other people's things.

As a global admin for the portal, Exchange Online, Lync, SharePoint etc. you will not automatically get access to all mailboxes and OneDrives. The admin needs to perform a couple of different actions before getting that access; nothing that would happen by mistake.

Assumptions

The customer in this case has some features and requirements that affect this delegation:

  • Azure AD Connect is in place
  • The customer wants to have administrators scoped to country
  • The admins will get permissions based on AD group
  • Office 365 licenses are set by automatic scripts running on-prem
  • Usage location is set by the same script, based on the Country attribute on the object in AD
  • Exchange hybrid and ADFS are configured for the tenant
  • A remote mailbox is automatically created when a license is added to a user

The groups below are created in on-prem AD and are only managed by Domain Admins. They are mail-enabled universal groups and hidden from the address book.

  • Sec-Admin-Office365-UserManagement-Global
  • Sec-Admin-Office365-UserManagement-Sweden
  • Sec-Admin-Office365-UserManagement-Norway
  • Sec-Admin-Office365-UserManagement-Denmark
  • Sec-Admin-Office365-UserManagement-Finland
  • Sec-Admin-Office365-SharepointOnline-Sweden
  • Sec-Admin-Office365-SharepointOnline-Norway
  • Sec-Admin-Office365-SharepointOnline-Denmark
  • Sec-Admin-Office365-SharepointOnline-Finland

AD on-prem

Each country has its own Organizational Unit in AD. The groups above have been delegated full control of objects within that OU. This was done using the “Delegate Control…” wizard in ADUC.

Exchange Online

Let’s start with the service that actually lets you delegate: Exchange Online. We want the delegated administrator to be able to handle all mailboxes and resources for the country that the admin is responsible for. They should not be able to set permissions or change anything on other countries’ mailboxes.

What we need here is a write scope that filters on country, and that’s exactly what we are going to use. First we create the regular scope based on the attribute. Create a scope for each country:

New-ManagementScope -RecipientRestrictionFilter {CO -eq 'Denmark'} -Name UserManagementScope-Denmark

Next we need to make the AD groups role groups in Exchange Online. We also assign the write scope and the role ‘Mail Recipients’. That role doesn’t give permission to create a mailbox, and we don’t want that, since mailboxes are created automatically by our user management script.

New-RoleGroup -DisplayName "UserManagement-Denmark" -Name UserManagement-Denmark -CustomRecipientWriteScope UserManagementScope-Denmark -Roles 'Mail Recipients'

Since we have a hybrid solution we need to make sure that the delegated admins create distribution groups on-prem (the hybrid side) and not online. We will therefore use the built-in management role ”Distribution Groups” as parent and create a new role with those permissions removed.

New-ManagementRole -Parent "Distribution Groups" -Name "Custom-Distribution Groups"

We remove the create and delete permissions for distribution group:

Remove-ManagementRoleEntry "Custom-Distribution Groups\New-DistributionGroup"

Remove-ManagementRoleEntry "Custom-Distribution Groups\Remove-DistributionGroup"

And then we need to assign “Custom-Distribution Groups” to the role group UserManagement-Denmark. A role assignment added to an existing role group does not inherit the write scope that was set when the role group was created, so the scope is passed explicitly on the assignment; otherwise the Denmark admins could modify distribution groups in every country:

New-ManagementRoleAssignment -Name "Denmark-Distribution Groups" -SecurityGroup UserManagement-Denmark -Role "Custom-Distribution Groups" -CustomRecipientWriteScope UserManagementScope-Denmark

Make the synced AD group Sec-Admin-Office365-UserManagement-Denmark a member of the role group:

Add-RoleGroupMember -Identity UserManagement-Denmark -Member Sec-Admin-Office365-UserManagement-Denmark

Add the user you want to be able to administer Exchange Online to the group Sec-Admin-Office365-UserManagement-Denmark and wait for AD sync.

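The Denmark walk-through above, generalized to all four countries in the assumptions list, as an added example that is not from the original post. It assumes an open Exchange Online PowerShell session and that the synced AD groups Sec-Admin-Office365-UserManagement-<Country> already exist in the tenant; the scope filter, role names and naming pattern are the ones used on this page. It ends with a check that every role assignment on each country role group actually carries that country's write scope, which is the point where an unscoped assignment would silently widen the delegation.

```powershell
# Added example (not the original post's code). Assumes an Exchange Online
# PowerShell session is open and the synced AD admin groups exist.
$Countries    = 'Sweden', 'Norway', 'Denmark', 'Finland'
$CustomDgRole = 'Custom-Distribution Groups'

# The trimmed distribution group role is created once and shared by all countries.
if (-not (Get-ManagementRole -Identity $CustomDgRole -ErrorAction SilentlyContinue)) {
    New-ManagementRole -Parent 'Distribution Groups' -Name $CustomDgRole | Out-Null
    # Groups are created on-prem in the hybrid setup, so drop create/delete online.
    Remove-ManagementRoleEntry "$CustomDgRole\New-DistributionGroup"    -Confirm:$false
    Remove-ManagementRoleEntry "$CustomDgRole\Remove-DistributionGroup" -Confirm:$false
}

foreach ($Country in $Countries) {
    $Scope     = "UserManagementScope-$Country"
    $RoleGroup = "UserManagement-$Country"
    $AdGroup   = "Sec-Admin-Office365-UserManagement-$Country"

    # Write scope on the Co (country) attribute, the same filter the post uses.
    New-ManagementScope -Name $Scope -RecipientRestrictionFilter "Co -eq '$Country'" | Out-Null

    # Role group with 'Mail Recipients' restricted to that scope.
    New-RoleGroup -Name $RoleGroup -DisplayName $RoleGroup -Roles 'Mail Recipients' `
        -CustomRecipientWriteScope $Scope | Out-Null

    # Roles added afterwards do NOT inherit the role group's scope: pass it explicitly,
    # or the country admins get organization-wide rights on distribution groups.
    New-ManagementRoleAssignment -Name "$Country-Distribution Groups" -SecurityGroup $RoleGroup `
        -Role $CustomDgRole -CustomRecipientWriteScope $Scope | Out-Null

    # The synced, mail-enabled universal group becomes the role group member.
    Add-RoleGroupMember -Identity $RoleGroup -Member $AdGroup
}

# Audit: warn about any assignment on a country role group that lacks that country's scope.
function Test-CountryScopedAssignments {
    param([string[]] $Countries)
    foreach ($Country in $Countries) {
        Get-ManagementRoleAssignment -RoleAssignee "UserManagement-$Country" |
            Where-Object { "$($_.CustomRecipientWriteScope)" -ne "UserManagementScope-$Country" } |
            ForEach-Object {
                Write-Warning ("{0}: role '{1}' is not scoped to {2} (scope: '{3}')" -f
                    $_.Name, $_.Role, $Country, $_.CustomRecipientWriteScope)
            }
    }
}
Test-CountryScopedAssignments -Countries $Countries
```

Re-run the audit function after any later change to the role groups; it is a cheap way to catch an assignment that was added without a scope.
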
The next step is to delegate the same admin permissions on the Exchange hybrid server. Here the built-in “Distribution Groups” role is used, since on-prem is where the groups should be created; the write scope is again set on the assignment:

New-ManagementScope -RecipientRestrictionFilter {CO -eq 'Denmark'} -Name UserManagementScope-Denmark

New-RoleGroup -DisplayName "UserManagement-Denmark" -Name UserManagement-Denmark -CustomRecipientWriteScope UserManagementScope-Denmark -Roles 'Mail Recipients'

New-ManagementRoleAssignment -Name "Denmark-Distribution Groups" -SecurityGroup UserManagement-Denmark -Role "Distribution Groups" -CustomRecipientWriteScope UserManagementScope-Denmark

Add-RoleGroupMember -Identity UserManagement-Denmark -Member Sec-Admin-Office365-UserManagement-Denmark

Office 365 Portal, Skype for Business Online

It is not possible today to create custom scopes in the Office 365 portal or Skype for Business Online.

Since we are syncing users and groups with the Azure AD Connect tool, all user creation should be done on-prem: that is what controls the objects online, and we assign licenses automatically based on AD groups. The delegated admins therefore don’t need permissions in the portal.

When it comes to Skype, users are enabled as soon as they get their license, so there is actually not much to administer here.

Yammer

It is not possible to use synced groups or PowerShell to automate setting users as admins in Yammer. Global admins in the portal are Yammer admins.

SharePoint Online

The global admin sets the group Sec-Admin-Office365-SharepointOnline-Denmark as owner of a site or subsite. After that, the members of the country-specific group can manage all design and permission delegation within that site.
