How to Manage Microsoft Teams Users without Microsoft Global Admin Credentials
Enterprises strongly prefer to reserve their Microsoft Global Admin credentials for use only when necessary. Some certifications (e.g. SOC2) require very strict control over who has access at the highest level in IT systems.
Microsoft Global Admin credentials are REQUIRED to complete the Enterprise Registration and Direct Routing setup as well as the optional Teams Application setup. All day-to-day tasks - adding, managing and deleting Users - can be performed with delegated Microsoft credentials.
The Microsoft User with this delegated authority must have Teams Service Admin and Skype Admin rights.
In some Microsoft Enterprises, delegation is a conditional setting that needs to be configured in Azure Active Directory: the Global Admin grants conditional consent to a delegated admin for a specific task. Time consuming and a pain in the ass, yes! Good security measure, also yes.
Here is a table of the capabilities of each level of Microsoft credential:
Capability | Microsoft Global Admin | Microsoft Teams Service Admin & Skype Admin (both) |
Initial Enterprise Reg. | YES | NO |
Setup Direct Routing | YES | NO |
Setup/Manage PBX | YES | YES |
Setup/Manage TM Users | YES | YES |
Add/Delete Teams App | YES | NO |
Setup/Manage End User Portal | YES | YES |
Setup/Manage Feature Codes | YES | YES |
Instructions
1. Navigate to Microsoft Admin Center >> Active Users
2. Select a User (not the Global Admin) and then select Manage Roles
3. Select Admin center access as seen in the picture below
4. Select Teams Service admin
5. Select Skype for Business admin (you will need to select the Show all by category dropdown to see this option), then select Save changes.
Once changes are saved the Microsoft User with these credentials will be able to Add and Manage Users. The Microsoft User will look like this in the Roles assignment:
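
The result of the steps above can also be checked from a script. The following is an added example, not part of the original article: it uses the Microsoft Graph PowerShell SDK to confirm that the delegated account holds both roles and does not hold Global Admin. The user principal name is a placeholder, and the script assumes the SDK is installed and that the signed-in account may read directory role assignments.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users, Microsoft.Graph.Identity.Governance
# Added example: verify a delegated Teams admin account after the role change.
param(
    [Parameter(Mandatory)]
    [string]$UserPrincipalName   # placeholder, e.g. teams-delegate@example.com
)

# Built-in directory role template IDs (the same in every tenant).
# "Teams Administrator" is the directory name of the role the steps above
# call "Teams Service admin".
$RequiredRoles = @{
    '69091246-20e8-4a56-aa4d-066075b2a7a8' = 'Teams Administrator'
    '75941009-915a-4869-abe7-691bff18279e' = 'Skype for Business Administrator'
}
$GlobalAdminId = '62e90394-69f5-4237-9190-012177145e10'

# Read-only scopes are enough for this check.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'User.Read.All'

$user = Get-MgUser -UserId $UserPrincipalName -ErrorAction Stop

# Active role assignments only. A role that is merely eligible (granted
# conditionally and not yet activated) does not appear in this list.
$assigned = @(
    Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($user.Id)'" -All |
        Select-Object -ExpandProperty RoleDefinitionId
)

$required = @($RequiredRoles.Keys)
$missing  = @($required | Where-Object { $_ -notin $assigned })
$other    = @($assigned | Where-Object { $_ -notin $required })

# One result object: compliant means both roles present and nothing else,
# so a delegated account that also holds Global Admin is reported.
[pscustomobject]@{
    User             = $user.UserPrincipalName
    MissingRoles     = ($missing | ForEach-Object { $RequiredRoles[$_] }) -join ', '
    HoldsGlobalAdmin = $GlobalAdminId -in $assigned
    OtherRoleIds     = $other -join ', '
    Compliant        = ($missing.Count -eq 0) -and ($other.Count -eq 0)
}

Disconnect-MgGraph | Out-Null
```

Saved as a script file of your own naming, it takes the account to check through `-UserPrincipalName` and returns a single object that can be piped to `Format-List` or exported for an access review.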