Nova ‘Delegation & Policy Control’ Technical Review: How to manage Office 365
This article refers to our former reporting, security, and management products. We have now integrated these products into Nova, an all-new Office 365 management platform.
This is an excerpt from an independent review of Autopilot by Microsoft MVP Dominik Hoefling. We will be releasing sections on the blog over the coming weeks, but if you would like to read the entire review, you can download it here.
Global Admin rights, and the admin role headache
Azure Active Directory and Office 365 come with a set of admin roles that can be assigned to users within your organization. Each admin role maps to common business functions and gives your users permissions to do specific tasks in the Office 365 Admin Center and Windows PowerShell. Features like role-based access, delegation of administrative permissions, and automated configuration management are only available at a very high level in the standard Office 365 toolkit.
The default admin roles can cause headaches. This is especially true for large organizations, universities with multiple brands, or decentralized administration within single or multiple Office 365 tenants. While the delegation of permissions in Exchange Online works very well with Role Based Access Control (RBAC), other applications and services are hard to manage at a granular level, for example license management or helpdesk services for different countries, brands, and organizations. In these organizations, only a subset of administrative users are allowed to edit properties based on their region or brand.
Another extremely common problem is that the administrator of a specific brand or country should only be allowed to see the users in that brand or region. While this is possible with Azure Administrative Units (currently still in preview), it is complex to configure, and only a small subset of administrative permissions are available. More information about Azure Administrative Units can be found here.
Role Based Access Control in Exchange Online can be configured to delegate administrative permissions on nearly every available task or cmdlet for Exchange Online. But compliance regulations might not allow those Exchange administrators to see every recipient outside their administrative area, check message trace logs for every recipient, and so on. More information about RBAC in Exchange Online can be found here.
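To make the RBAC limitation concrete, here is an added Exchange Online PowerShell example (not part of the review): a regional helpdesk role group whose write scope is restricted to recipients in one country. The scope name, role group name, country value and member address are placeholders, and an existing Exchange Online session is assumed.

```powershell
# Added example, not from the review. Assumes you are already connected
# with Connect-ExchangeOnline (ExchangeOnlineManagement module).
# All names below are placeholders.

# 1. A management scope that matches only recipients whose
#    CountryOrRegion attribute is 'DE'.
New-ManagementScope -Name "DE-Recipients" `
    -RecipientRestrictionFilter "CountryOrRegion -eq 'DE'"

# 2. A role group for the German helpdesk. The built-in roles grant
#    the recipient and distribution group cmdlets; the custom write
#    scope limits which recipients those cmdlets may modify.
New-RoleGroup -Name "DE Helpdesk" `
    -Roles "Mail Recipients", "Distribution Groups" `
    -CustomRecipientWriteScope "DE-Recipients" `
    -Members "helpdesk.de@contoso.example"

# 3. Check what was actually granted. The write scope is the custom
#    one, but the read scope of each assignment stays 'Organization':
#    a DE Helpdesk member can still run Get-Mailbox against every
#    recipient in the tenant, while Set-Mailbox on a non-DE recipient
#    is rejected. This read/write asymmetry is exactly the gap the
#    review describes for compliance-driven delegation.
Get-ManagementRoleAssignment -RoleAssignee "DE Helpdesk" |
    Format-Table Role, CustomRecipientWriteScope, RecipientReadScope -AutoSize
```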
This is where delegated administration tools come into play. Created by Quadrotech, Autopilot is a SaaS application running on the Microsoft Azure Service Fabric that brings the familiar ideas of hierarchical on-premises Active Directory Organizational Units and Group Policy Objects to an Office 365 tenant. Autopilot acts as a proxy to both the on-premises environment and the cloud environment. Organizations can reduce the administrative burden of managing an Office 365 tenant by assigning roles and responsibilities to selected users such as Helpdesk Operators, country-level Administrators, or even end users. Tenant Global Administrators are relieved of the need to perform day-to-day operations across the entire tenant, and can dedicate themselves to more important responsibilities, like managing change within the tenant or rolling out a new application, such as Teams or Planner. You can also create additional “Virtual OUs” on which you can define delegated administration.
An organization can also apply Configuration Policies to an Organizational Unit to automatically keep your users compliant against the baseline that you configure for the OU.
The Setup Process
The first time you access the Autopilot SaaS application, you’ll need to log in with an Office 365 Global Administrator account. Autopilot will then create your account and link it with your organization. The installation is very simple and straightforward. This account is used by Autopilot to approve the necessary rights for the application, and the account is stored so it can be used to proxy the administrative requests to Office 365.
Supported browsers are Microsoft Edge, Google Chrome and Mozilla Firefox. Microsoft Internet Explorer is currently not supported but will follow in the future.
The Autopilot Dashboard
After the initial setup process, you can log in with any Global Administrator account to configure Autopilot for your organization. The dashboard gives you a user-friendly view which allows an administrator to quickly manage their AD objects both in the cloud and on-premises.
There are some basic tasks during the initial setup, such as retrieving all users, mailboxes, mailbox permissions, groups, licenses, etc., and saving these data sets in the application’s database. This is required to cache the initial data from your Office 365 tenant so that Autopilot can present the overview. More details about this process will be covered in the ‘Jobs’ section of this product review.
Once Autopilot has gathered all information from your tenant, the dashboard will look similar to the figure below.
Figure 1: Autopilot Dashboard
As an Office 365 administrator, you will find your way around the Autopilot dashboard quickly because its menu structure and layout are similar to the Office 365 Admin Center.
Get Your Tenants Connected
During the initial configuration of the Autopilot SaaS application, your Office 365 tenant will be automatically added to it, based on the Global Administrator account you used, whether you have a single tenant or multiple tenants. And that’s the key point: you can add as many Office 365 tenants as you want to the same Autopilot application. The configuration always follows the same basic steps: sign in with a Global Administrator account and approve the necessary permissions for the application, and that’s all.
Figure 2: Connect Multiple Office 365 Tenants
This is a huge benefit, especially for large companies or universities who have multiple Office 365 tenants to manage. The delegated administrators have a single Autopilot instance and can manage their users in different tenants. Also, you can specify which delegated administrator can manage which Office 365 tenant or only a subset of users within a tenant.
Add and Manage Admin Roles
One of the first configuration steps is to configure admin roles in Autopilot. Admin roles are designed to manage and configure the specific settings within the Autopilot application. There are four built-in admin roles available:
- Admin: this role has all available administrative rights in Autopilot
- Auth policy admin: this role can manage and configure all Authorization Policies in Autopilot
- Config policy admin: this role can manage and configure all Configuration Policies in Autopilot
- Organization unit admin: this role can manage and configure all Organizational Units in Autopilot
Figure 3: Admin Roles
These roles can be used by administrators to delegate additional admin roles to other application owners that are responsible for the Autopilot configuration for all, or only a subset of, connected tenants and/or tenant groups. Tenant groups represent the top-level OU structure; the underlying OUs will be covered in the next section.
Watch out for the next installment of this series, which will look at how to create and use tenant groups, organizational units, virtual OUs, and policies in Autopilot. Want to read the full review? Fill in your email address below and we’ll send you the review.