Get in touch with us!

Delegated administrators in Office 365

I think that Office 365 and Azure is a great tool for consolidation separate environments. When a company had dispersed IT environment in different countries or when a company acquires another one.

What we need to think thoroughly through here is the admin permissions….


The old way or the new way?

The old way usually means that a user had a normal user account and a separate administrative account. That is good when for example working with a file share. It’s easy to work with a document and accidently move all other files to whatever if the user got to much rights. Logon a terminal server as a combined user and admin is also not a good idea.

When using Office 365 and its services it looks a bit different though. When working as a regular user you don’t have that context to mistakenly delete och bulk change things. The portals are making it obvious in witch context you are working in. A admin user doesn’t have to have a license except for administrating stuff include in EMS (Enterprise Mobility Suite). Let’s say you need to change settings for self-service password reset then you need a license for that user who is changing settings to make them visible.

Soy what am I saying? Don’t make separate administrator accounts, delegate administrative rights to the regular licensed user. The user in real life is the same user whether he/she is working in word or changing group memberships. Think of the user as an individual with some extra roles, licensed and always working as the regular user they are supporting.

Another advantages is that it’s one user to track and monitor, alerts and stuff are sent to the mailbox that the admin are using probably in the desktop, phone etc. The user can actually use al services when working with admin rights but not messing with others stuff.

As a global admin for the portal, Exchange online, Lync, SharePoint etc. you will not automatically get access to all mailboxes, OneDrives. The admin needs to perform a couple different actions to do before getting access, nothing that would happen by mistake.



The customer in this case had some features and requirements that is affecting this delegation:

  • Azure AD connect is in place
  • The customer want to have administrators scoped to country
  • The admins will get permissions based on AD group
  • Office 365 license are set by using automatic scripts running on-prem.
  • Usage location is set by same script above and based on Country attribute on the object in AD
  • Exchange hybrid and ADFS is configured for the tenant.
  • Remote mailbox is automatically created when adding license to users

The groups below are created in on-prem AD and is only managed by Domain Admins. Its mail-enabled universal groups and hidden from address book












AD on-prem

Each country has its own Organizational unit I AD. The groups above have been delegated full control of objects within that OU. It has been done using the “Delegate Control…” wizard in ADUC.


Exchange Online

Let’s start with the service that actually lets you delegate, Exchange Online. We want the delegated administrator to be able to handle all mailboxes and resources for the country that the admin is responsible for. They should not be able to set permissions or change stuff on other mailboxes.

What we need to accomplish here is to create a write scope that scopes on country and that’s exactly what we going to use here. First we create the regular scope based on the attribute. Create a scope for each country:

 New-ManagementScope -RecipientRestrictionFilter {CO -eq 'Denmark'} -Name UserManagementScope-Denmark




Next we need to make the AD groups a Role Group in Exchange Online. We also assign the write scope and the role ‘Mail Recipients’. That role doesn’t give the permissions to create a mailbox. We don’t want that since this is automatically created by our User Management script.

New-RoleGroup -DisplayName "UserManagement-Denmark" -Name UserManagement-Denmark -CustomRecipientWriteScope UserManagementScope-Denmark -Roles 'Mail Recipients'



Since we have a hybrid solution we need to make sure that the delegated admins are creating the groups on the hybrid and not online. We will therefore user the built-in group ”Distribution Groups” as template and create a new one with removed permissions.

New-ManagementRole -Parent "Distribution Groups" -Name "Custom-Distribution Groups"






We remove the create and delete permissions for distribution group:

Remove-ManagementRoleEntry "Custom-Distribution GroupsNew-DistributionGroup"

Remove-ManagementRoleEntry "Custom-Distribution GroupsRemove-DistributionGroup"


And then we need to assign the “Custom-Distribution Groups” to the role Sec-Admin-Office365-UserManagement-Norway

New-ManagementRoleAssignment -Name "Denmark -Distribution Groups" -SecurityGroup UserManagement-Denmark -Role "Custom-Distribution Groups"



Make the synced AD group Sec-Admin-Office365-UserManagement-Norway a member to the role group:

Add-RoleGroupMember -Identity UserManagement-Denmark -Member Sec-Admin-Office365-UserManagement-Denmark



Add the user You want to be able to admin in Exchange Online to the group Sec-Admin-Office365-UserManagement-Denmark, wait for AD sync.


Next step is to delegate same admin permissions in the Exchange hybrid server

New-ManagementScope -RecipientRestrictionFilter {CO -eq 'Denmark'} -Name UserManagementScope-Denmark

New-RoleGroup -DisplayName "UserManagement-Denmark" -Name UserManagement-Denmark -CustomRecipientWriteScope UserManagementScope-Denmark -Roles 'Mail Recipients'

New-ManagementRoleAssignment -Name "Denmark-Distribution Groups" -SecurityGroup UserManagement-Denmark -Role " Distribution Groups"

Add-RoleGroupMember -Identity UserManagement-Denmark -Member Sec-Admin-Office365-UserManagement-Denmark




Office 365 Portal, Skype for Business Online

It is not possible today to create custom scopes in Office 365 portal or Skype for Business Online

Since we are syncing the users and groups with Azure AD Connect tool all user creation should be done on-prem. Since this controls the objects online and we are assigning licenses automatically based on AD groups. The delegated admins don’t need permissions on the portal.

When it comes to Skype the users will be enable as soon as they get their license, actually not much to administrate here.



It is not possible to set synced groups or using powershell to automate setting users as admins in Yammer. Global admins in the portal are Yammer admins.


SharePoint Online

The global admin sets the group Sec-Admin-Office365-Sharepoint-Denmark to be owner on a site or subsite. After that the members of the country specific group can manage all design and permission delegating within that site.


  1. Subdee

    Typo in remove managment role entry. It should look like this:

    Remove-ManagementRoleEntry “Custom-Distribution Groups\New-DistributionGroup”

    Remove-ManagementRoleEntry “Custom-Distribution Groups\Remove-DistributionGroup”

  2. The Greg

    next this is a great example, however all admins of any country can still see all the mailboxes in other countries they just can’t change them, so how would one set this up so that the Denmark admins only see the Denmark mailboxes?

    I understand that there is the business of regular and exclusive scopes, I just haven’t figured out how I would limit my delegated admins just to their scope, it seems counter intuitive I can keep them out but how do I keep them in, ha ha


Submit a Comment

Your email address will not be published. Required fields are marked *

Starkare tillsammans

Bolag inom både publik och offentlig sektor efterfrågar en alltmer kostnadseffektiv, platsoberoende och säker digital arbetsplats. Därför går nu Altitude 365 och Uclarity samman och bildar ett gemensamt specialistbolag.
Fortsätt på Altitude 365Kolla in Exobe

Altitude 365 + Uclarity – Årets Modern Work Partner!

Vinnaren är ett bra exempel på hur en “Born in the Cloud” ständigt förbättrar sitt erbjudande, arbetar nära och proaktivt med Microsoft för att hjälpa kunderna på deras digitaliseringsresa. Plus att vi på Microsoft verkligen ser fram mot den nya bolags-konstellationen (Altitude 365 + Uclarity) för ett “Starkare Tillsammans”.

Uclarity och Altitude 365 - Starkare tillsammans

Uclarity är specialister på digitala möten, telefoni, kontaktcenter och digitalt arbetssätt. Altitude 365 är specialister på säkerhet, mobilitet och hur bolag kan optimera resan till Microsoft365. Nu gör vi gemensam sak och bildar bolag tillsammans.

– Pandemin har tydliggjort behoven av en modern digital arbetsplats och vi har diskuterat ett samgående med Altitude 365 under en längre tid. Våra kunder har behov av specialistkompetens och tillsammans blir vi en ledande specialist inom Digital Workplace-området, säger Niklas Olsson Hellström, VD Uclarity AB.

Tommy Clark, Partner, Altitude 365, kommenterar:
– Inget bolag köper det andra utan båda bolagen får lika stora delar i det nya bolaget. Vår ledstjärna är att vi blir starkare tillsammans och att vi kan hjälpa våra kunder under hela deras resa.
Målet med sammanslagningen är att kunna hjälpa kunder med både teknik och effektiva arbetssätt.

– Det är då våra kunder får önskad effekt av sin investering i den digitala arbetsplatsen, säger Niklas Olsson Hellström.

Båda bolagen har svenska och internationella kunder från både privat och offentlig sektor. Sammanslagningen resulterar i en organisation på 50+ anställda baserade i Stockholm, Örebro och Göteborg.

För frågor, vänligen kontakta;
Tommy Clarke, Partner, Altitude 365 AB, 0703-593854,
Niklas Olsson Hellström, VD, Uclarity AB, 0734-198016,

Fortsätt på Altitude 365Kolla in Exobe