Pro-Exchange,Lync & Office 365
Belgian Microsoft Unified Communications Professionals
Microsoft Exchange Server, Microsoft Lync Server & Office 365
Getting started with Office 365 Delegated Administration

Problem

After participating in a number of Office 365 projects, managing lots of Office 365 accounts gets cumbersome. Furthermore, some people still seem to have the habit of using shared admin accounts which, in combination with password expiry, is annoying to deal with. Fortunately there is a solution for that: the “Delegated Administration” feature. This feature basically allows a consultant to use his account in the Office 365 tenant of his employer for administering customers’ tenants.

I never got this particular feature to work in the previous wave of Office 365 so I was eager to use this functionality in the first couple of “wave fifteen” O365 projects.

Solution

Prerequisites

First of all, you need to have the (Global) admin of your own company assign your account permissions for delegated administration of customer tenants. They can do this in the properties of your account if you’re a Microsoft Cloud Partner.

Note: the screenshot below is in Dutch but it basically shows that I have no permissions on the tenant of my employer (first pair of radio buttons) and full admin permissions to request our customers for delegated permissions (last pair of radio buttons).

clip_image002

Web interface

Now, after logging in to Xylos’ Office 365 tenant, you can see (besides that I don’t have any user license assigned for the moment) that a partner tab appears:

clip_image004

This tab provides an option to send, in addition to trial and purchase offers, requests for delegated administration:

clip_image006

You need to copy the content of the “popup” to a mail yourself. This way your customer will receive a “personal” mail rather than an auto-generated one which might get neglected.

clip_image008

The customer who receives the e-mail obviously needs to click the link and approve the request:

clip_image010

Your customer can find delegated admins in a separate page of the “users and groups” section in his portal.

clip_image012

After finalizing the project he might want to “break” the delegated permissions. This can be done by checking the box beside the appropriate entry to activate a card with the well-known dumpster icon.

clip_image014

You’re all set to start administering your customer. You can use the “find and assist” option on the partner tab to do so:

clip_image016

Next you need to search for the tenant or domain name of the customer in question:

clip_image018

If they do not exist or the customer did not (yet) accept your request for delegated admin rights you will get a “user name or domain not found” notification.

clip_image020

If you’re lucky the result will resemble the screenshot below:

clip_image022

As you can see, there are three options available to you:

clip_image024

Let’s try some right to left reading

First of all there is “Show all administrators”

clip_image026

In the middle we can “Create Service Request” for our customer

clip_image028

Last but not least, “Administer on behalf of” takes us straight to the dashboard of your customer’s O365 tenant. From there we have access to all the other aspects of the O365 tenant administration.

clip_image030

How nice ;-)

Note the difference in the presence of a “partner” tab when administering your client. Hitting it takes you back to your own tenant.

clip_image032

clip_image034

PowerShell

Managing thousands of users in a web interface, e.g. to assign licenses, does not fit my definition of “fun”. PowerShell is much more up to the job. And yes we can also use our delegated admin to do so.

As usual, import the MSOnline PowerShell module:

clip_image036

Connect to the online services using your own O365 account. (The “get” of the credentials was done using some function I wrote myself)

clip_image038

Now if you execute cmdlets you will run them in your own tenant. To administer a customer you need a unique identifier: the “TenantID”. You can find it using the Get-MsolPartnerContract cmdlet (there are most probably additional ways to do so).

clip_image040

Then you can pass the GUID you obtained as a parameter to most (if not all) “MSOL” cmdlets:

clip_image042

Without that parameter the result looks slightly different. However, there’s no way you can see what tenant the result is for. A couple hours of decent sleep seems advisable ;-)

clip_image044
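The PowerShell steps above, written out as an added example (not the author's code, which survives only as screenshots). It resolves a customer domain to exactly one partner contract and stamps every returned object with the tenant it came from, so results cannot be mistaken for your own tenant's. The function names and the `contoso.com` domain are assumptions; the MSOnline module used on this page has since been deprecated by Microsoft.

```powershell
# Added example. Function names and contoso.com are placeholders, not from the original post.
Import-Module MSOnline

function Get-CustomerTenant {
    # Resolve a customer domain to exactly one delegated-admin contract.
    param([Parameter(Mandatory)][string]$DomainName)

    $contracts = @(Get-MsolPartnerContract -DomainName $DomainName -ErrorAction Stop)
    if ($contracts.Count -ne 1) {
        # Zero matches: the customer has not accepted the request (or the domain is wrong).
        throw "Expected exactly one partner contract for '$DomainName', found $($contracts.Count)."
    }
    $contracts[0]
}

function Invoke-InCustomerTenant {
    # Run an MSOL query against the customer tenant and label each result
    # with the tenant name and GUID, since the cmdlet output does not show it.
    param(
        [Parameter(Mandatory)][string]$DomainName,
        [Parameter(Mandatory)][scriptblock]$Query
    )

    $contract = Get-CustomerTenant -DomainName $DomainName
    $company  = Get-MsolCompanyInformation -TenantId $contract.TenantId

    & $Query $contract.TenantId | ForEach-Object {
        $_ |
            Add-Member -NotePropertyName TenantName -NotePropertyValue $company.DisplayName -Force -PassThru |
            Add-Member -NotePropertyName TenantId -NotePropertyValue $contract.TenantId -Force -PassThru
    }
}

# Sign in with your own (partner) account, never a shared customer admin account.
Connect-MsolService -Credential (Get-Credential)

# The script block receives the customer's TenantId and must pass it on explicitly.
Invoke-InCustomerTenant -DomainName 'contoso.com' -Query {
    param($TenantId)
    Get-MsolUser -TenantId $TenantId -All
} | Select-Object TenantName, TenantId, UserPrincipalName, IsLicensed
```

Because the wrapper throws when no contract matches, a mistyped domain stops the run instead of silently falling back to cmdlets executing in your own tenant.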

One happy cloud admin,

Koen

(crosspost from http://blog.xylos.com/2013/06/getting-started-with-office-365-delegated-administration/)


Posted 07-25-2013 12:34 by Koen Vermoesen
