11 Jul 2019 by Becci Velzian
Microsoft Inspire 2019: Our Tips and Tricks
Are you going to Microsoft Inspire 2019 in just a couple days? Then check out this blog with all our tips and tricks we’ve learned after years of attendance.
This is an excerpt from an independent review of Autopilot by Microsoft MVP Dominik Hoefling. We will be releasing sections on the blog over the coming weeks, but if you would like to read the entire review, you can download it here.
(Virtual) Organizational Units are the heart of a proven delegated administration tool. OUs are well-known for most administrators out there. The logical structure is the same as you’ll find in your on-premises Active Directory.
With Autopilot, you can create tenant groups and Organizational Units. Tenant groups are a top-level Organizational Unit that can contain multiple tenants, as you can see in the following figure:
Figure 4 shows how two different Office 365 tenants are grouped to one tenant group and their underlying OU structure:
You can design your tenant and OU structure in the way that best suits you. For example, you can design a completely new structure for your Office 365 tenants and admins, or you can also synchronize your on-premises Active Directory OU structure with the on-premises sync agent provided with Autopilot. If you have a well designed on-premises OU construction, it makes sense to synchronize it because most customers have a lot of (nested) OUs.
Autopilot allows you to manage and configure policies. It comes with two kinds of policies:
All details of every action and event will be captured and saved in its audit log so you can see exactly who made each change and when. More details on the audit log will be covered in the section “Audit Log”.
An important task for initial set up and ongoing management is configuring delegated admin permissions for either a user, a tenant group, or Organizational Unit so that delegated admins can perform their daily administrative tasks within Autopilot. Users can initiate management tasks and the internal policy engine of Autopilot determines if the user has the correct permissions to perform that action on the target user. Bulk actions can be applied to a set of users, or to an entire Organizational Unit.
As an admin, you can configure Authorization Policies for nearly every needed task. For example, the policy “QTPS2-Germany-UserManagement-Restricted” is assigned to the OU ‘Germany’ within the tenant group QTPS2.
Administrators can have the ability to configure Authorization Policy templates as well. Templates can be used for similar roles for different OUs or tenant groups, like help desk admins. The Default user policy setting will apply to all users in a tenant. The Self-service configuration allows the users to do actions in the container where the policy is applied. You can also apply the Is template setting if you would like to configure similar Authorization Policies for different containers.
The Assignment configuration lets you configure where the policy should be assigned to:
The most important part of this process is assigning specific rights to your delegated admins. Referred to as “actions”, these are specific permissions that you would like to assign to your Authorization Policy. I filtered the list of actions based on the “mailbox” keyword to see all relevant mailbox configuration settings that can be assigned to your policy.
Figure 6: Mailbox Authorization Policy Actions
These actions are daily administrative tasks like create, set, change, disable, and delete parameters:
In addition to this, there are Groups and Teams cmdlets like “Update Group” and “Add New Channel To Team”. As Autopilot was GA in the middle of 2018, there will be more features and actions constantly added in the future.
This delegated administration is a big win for organizations with multiple service desk or help desk departments. Not to mention, this feature enables each administrator to only to see and manage users they are allowed to. This kind of delegation is not possible within Azure and Office 365 today, nor with Role Based Access Control (RBAC).
To add to the granular management of the tool, you can configure which Active Directory property your delegated admins are allowed to read and edit.
In the third and final installment of this blog series, Dominik will be looking at creating Configuration policies, reviewing, scheduling, and tracking jobs, and using the audit log. If you would like to read the entire review now, you can download it below.