Delegating Teams Administration with Administrative Units

Chris Stegh

CTO & VP of Strategy

Background and Problem Statement 

In large organizations such as multinational corporations, managing communication systems across diverse regions and departments is complex. Traditionally, phone systems were managed locally to allow for tailored decisions about local telecom providers and budgets. Regional or campus teams managed their own specific systems. 

In a shared Microsoft 365 tenant environment, Teams Phone settings have been managed tenant-wide. This often meant that administrators had to be granted control over all regions, subsidiaries, or departments, leading to potential control and security concerns. 

Imagine a large corporation where the phone systems in EMEA (Europe, Middle East, and Africa) are managed by a different team than those in APAC (Asia-Pacific) or the Americas. Such scenarios highlight the need for a more granular and flexible administrative approach. 

Expanding Administrative Units (AUs) 

To address this challenge, Microsoft has been gradually expanding support for Administrative Units (AUs). Global administrators can now delegate administration to specific subsets of users based on attributes such as department, location, or business unit. This capability enhances management flexibility and security by ensuring that administrators only have control over their designated areas. 

Use Cases and Value 

The introduction of AUs brings several valuable use cases and benefits: 

  • Granular Control: Administrators can now manage specific regions, departments, or business units without having access to the entire organization’s settings. This reduces the risk of unauthorized changes and enhances security. 
  • Improved Efficiency: By delegating administrative tasks to the appropriate teams, organizations can streamline their operations and reduce the administrative burden on global admins. 
  • Tailored Management: Regional or campus teams can make decisions that best suit their specific needs, such as choosing local telecom providers, without impacting other regions or departments. 

Role-Based Access Control (RBAC) and Roles 

With the rollout of AUs, global admins will be able to assign specific roles to manage only the users and groups within their designated AU. Here are the roles and their capabilities: 

Role: Capabilities
- Teams Administrator: Full control over Teams settings and policies within the AU.
- Teams Device Administrator: Manage Teams devices (phones and room video systems), including configuration and updates.
- Teams Communication Administrator: Oversee communication settings, including messaging and meetings.
- Teams Communication Support Engineer: Provide advanced support for communication issues, including troubleshooting and diagnostics.
- Teams Communication Support Specialist: Offer basic support for communication issues, focusing on user assistance.
- Teams Telephony Administrator: Manage telephony settings, including PSTN (Public Switched Telephone Network) configurations and call quality.

Preparing to Employ AUs  

This capability will appear automatically in September, with no admin action required beforehand to enable it.  

However, deciding who should get which controls takes planning. Zero Trust calls for least-privilege access, and given all the options available even within an AU, large, siloed organizations have decisions to make.

The table summarizes the main considerations and actions: 

Consideration: Action
- Which attributes to use to group admins into AUs? You can use any Entra ID attribute or extension attribute to create AUs. For example, you can use department, location, business unit, etc. Choose the attributes that best reflect your organization’s structure and management needs. For instance, admins of Campus #1 should be assigned to users in the AU associated with Campus #1 (likely determined by an Entra attribute such as Location).
- How many AUs do you need and what are their names? Each AU must have a unique name and a description. You can use descriptive names that indicate the scope and purpose of each AU. There are limits to the number of AUs in a tenant.
- Who are the admins for each AU and what are their roles? You can assign one or more admins to each AU and grant them specific roles. There are limits to the number of AUs a person can join.
- What are the Teams settings and policies for each AU? You can apply different Teams settings and policies to each AU to control the features and capabilities of Teams for the users in that AU. For example, you can enable or disable chat, calling, meetings, phones or room systems, and access settings and policies for each AU.
- How will you monitor and audit the activities of each AU? You can use the Teams admin center and PowerShell cmdlets to view and manage the AUs in your tenant. You can also use the Microsoft 365 audit log to track the actions performed by the admins and users in each AU.
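
One way to act on these planning steps with the Microsoft Graph PowerShell SDK, added here as an example and not taken from the original article: create an attribute-based AU, assign a single Teams role scoped to it, then list Teams role assignments that are still tenant-wide. The AU name, the attribute value and the UPN are placeholders chosen for illustration.

```powershell
# Added example: AU name, attribute value and UPN below are placeholders (assumptions).
# Requires the Microsoft.Graph PowerShell SDK and an account allowed to manage AUs and role assignments.
Connect-MgGraph -Scopes 'AdministrativeUnit.ReadWrite.All', 'RoleManagement.ReadWrite.Directory', 'User.Read.All'

# 1. Create an AU whose membership follows an Entra ID attribute (dynamic rule).
$au = New-MgDirectoryAdministrativeUnit -BodyParameter @{
    displayName                   = 'AU-Teams-Campus1'                 # hypothetical name
    description                   = 'Teams Phone users at Campus #1'
    membershipType                = 'Dynamic'
    membershipRule                = '(user.physicalDeliveryOfficeName -eq "Campus 1")'  # hypothetical value
    membershipRuleProcessingState = 'On'
}

# 2. Assign the narrowest Teams role that fits, scoped to that AU only.
$role  = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Teams Telephony Administrator'"
$admin = Get-MgUser -UserId 'campus1.voiceadmin@contoso.example'       # hypothetical UPN
New-MgRoleManagementDirectoryRoleAssignment -BodyParameter @{
    principalId      = $admin.Id
    roleDefinitionId = $role.Id
    directoryScopeId = "/administrativeUnits/$($au.Id)"                # AU scope, not '/'
}

# 3. Review: list every Teams role assignment and flag those still scoped tenant-wide ('/').
$teamsRoles = Get-MgRoleManagementDirectoryRoleDefinition -All |
    Where-Object DisplayName -like 'Teams*'
foreach ($r in $teamsRoles) {
    Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($r.Id)'" -All |
        Select-Object @{ n = 'Role';       e = { $r.DisplayName } },
                      PrincipalId,
                      DirectoryScopeId,
                      @{ n = 'TenantWide'; e = { $_.DirectoryScopeId -eq '/' } }
}
```

Step 3 reports active role assignments only; rows with TenantWide set to True are the candidates to re-scope to an AU.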

Summary 

Large organizations that have different administrators handling different locations, campuses, or departments have wondered, “Should I give administrator A in campus A access to controls over campus B-Z as well?” Now, decentralized organizations can divide and conquer administrative duties without having to overprovision their admins. 

Imagine a phone expert in Asia having control over phone updates and the telecom connectivity settings for South America. Or, more concerning, a person in the manufacturing division having control over settings of the C-Suite.

The expansion of Administrative Units in Microsoft Teams represents a significant enhancement in the way large organizations can manage their communication systems. By providing more granular control and tailored management options, AUs will help break down an important barrier to Teams adoption.

This service is rolling out in commercial tenants at this time. GCC and EDU tenants will likely follow, although no timeline has been shared.  
