Grant Permissions to Perform Office 365 Management Tasks
Using Adaxes, you can delegate Office 365 management tasks to users. In this tutorial, you will learn how to allow users to activate and deactivate accounts in Office 365, as well as assign and revoke Office 365 licenses. To allow such operations, you need to create a Security Role that grants permissions to modify Office 365 properties of user accounts.
In order to add permissions to the new Role, click Add.
Select the User object type.
In the right-hand portion of the dialog, select the permissions you want to grant:
To have full control over Office 365 accounts, users need to be able to modify all Office 365 properties. To grant such permission, select the Write Office 365 Properties permission in the Allow column.
If you want to restrict users to perform specific operations only, you need to grant the permission to modify the Office 365 property that corresponds to the operation you need. The following table shows which operation corresponds to which permission:
Operation Permission Activate account, set location Write 'Office 365 Location' property Assign / Revoke licenses Write 'Office 365 Licenses' property Allow / block access to Office 365 Write 'Office 365 Sign-In Blocked' property
To grant permissions for the operation you need:
- Check the Show all properties option located under the Property-specific permissions list.
- Type Office 365 in the filter edit box to filter out permissions unrelated to Office 365.
- Select the Allow column for the necessary permission. For example, if you want to allow modifying Office 365 licenses assigned to users, check the Write 'Office 365 Licenses' Property permission in the Allow column.
When done, click OK and Next.
To allow a specific user or group to manage Office 365 accounts, select it in the Assign to list.To quickly find a user or group, type its name in the search field and click the button.
To allow managers to manage Office 365 accounts of their subordinates, select Manager. A user's manager is specified in the Manager property of the user's Active Directory account.
If you change the manager for a user, the previous manager will lose, and the new manager will gain the rights granted by the role.
To allow users to manage their own Office 365 accounts, select Self.To have more control on Office 365 accounts managed by users themselves, you can configure a Business Rule that will automatically request an approval when users modify their Office 365 accounts.
In the Role Activity Scope dialog that opens, you need to select where the specified users will be able to perform the operations allowed by the Security Role.
You can select the following items:
All Objects - select to allow the operations on Office 365 accounts of all users in all domains managed by Adaxes.
Domain - select a domain to allow the operations on Office 365 accounts of users located in the selected domain. When you select a domain, the Assignment Options dialog appears.
The only applicable option here is All objects in this Domain. It means that the permissions granted by the role will be applied to all users in the selected domain. Click OK.
OU or Container - select an Organizational Unit or container to allow the operations on users located in the selected OU. If you select an OU, specify the assignment scope in the Assignment Options dialog.
By default, the permissions of the role will be effective for all users in the OU at any nesting level. To grant permissions for the direct children of the OU only, check Immediate child objects only.
When done, click OK.
Group - select a group to allow the operations on Office 365 accounts of users who are members of the group. If you select a group, specify the assignment scope in the Assignment Options dialog.
By default, the permissions of the role will be effective for all members of the group, including members of the nested groups. To grant permissions for the direct members only, check Direct members only.
When done, click OK.
Business Unit - select a Business Unit to allow the operations on Office 365 accounts of users who are members of the selected Business Unit. To view available Business Units, select the Business Units item in the Look in drop-down list.
When you select a Business Unit, the Assignment Options dialog appears.
In this case, the only applicable option is Members of this Business Unit. It means that the permissions will be applied to all members of the selected Business Unit. Click OK.
Select the object you need and click Add. When finished, click OK.