Delegate MS Teams admin rights – Integrate helpdesk and local IT

Large companies with a central IT department often decide to leave the management of MS Teams exclusively in the hands of their Corporate IT. In doing so, they limit the ability of their local IT teams and help desks in the branch offices to act. Over time, such a centralized approach causes problems because it burdens central IT more than necessary and creates frustration on the part of users.

With my-IAM TeamSpace you gain delegation levels in MS Teams that decentralize and simplify administration many times over. Read on to learn how to delegate MS Teams admin rights in a meaningful way with my-IAM TeamSpace – without needing the Teams Admin Center.

Useful delegation of the Teams admin rights

It’s obvious: When central IT takes over all tasks related to MS Teams, it not only deals with configuration and administration, but also takes care of the daily problems and requests of all users. MS Teams is just one of many business applications. The larger the company, the more extensive the mountain of tasks.

The biggest shortcoming is that with a centralized approach, local IT staff at the sites lack the permissions to help on-site with day-to-day issues. They don’t have access to the Teams Admin Center or the Azure AD Portal.

Access to the Teams Admin Center is typically limited to IT administrators or a specialized IT department responsible for managing Microsoft Teams in the enterprise.

But in practice it means: If users can’t create teams themselves, they have to turn to central IT for help. We often hear that the local help desk can’t do anything when orphaned teams occur, for example. Unfortunately, the contacts in corporate IT are often not even known to the local employees. They then look for alternative ways because they are not getting anywhere with solving the problem. Please also read our article “Reactivating orphaned teams with my-IAM TeamSpac

We suggest delegating selected Teams tasks and executing them via my-IAM TeamSpace. Standard tasks can be well managed by the help desk to assist colleagues locally. With a secure delegation layer, the local IT teams are given permissions to perform important tasks – owithout the Teams Admin Center.

Discover TeamSpace

Different role concepts in MS Teams

Administrator roles

Limiting Teams to admin (Teams Admin Center) and users (members, owners) is often not sufficient. As a rule, at least one intermediate level is needed. The larger and more distributed an organization is, the more levels make sense. The role-based administration (RBAC) is the solution here. With a role concept, it is precisely defined which role is allowed to do what.

There are several built-in roles available in Microsoft Azure Administration. There are administrative roles directly for MS Teams, such as:

• Global administrator: the highest administrator role with full access to all functions and settings
• Teams administrator: this role has access to the management of teams, channels and meetings
• User administrator: a role that is used to manage user accounts, groups and licenses.
• Security administrator: a role that takes care of security policies, compliance and data protection

In addition, roles can be created individually.

Access to the Teams Admin Center is often restricted to the above “higher level roles” in the organization to ensure security and protection of data. Through these roles, permissions are given as to what a role owner may read, edit, and delete.

Built-in roles are available in Microsoft Azure.

Roles in the MS Teams app

There are also Teams roles, such as:

• Team owner: has control over the team and can manage members, settings and channels
• Member: has permissions to access channels, chats, files, and meetings
• Guest: has limited access rights only

While the team owner has the highest role in a team, they do not automatically have access to the Teams Admin Center.

To access the Teams administration, you need M365-level admin rights or at least access to the MS Teams Admin Center.

Local IT does not have access to Teams Admin Center

Now, in large companies there is not only central IT, but many business units with local site IT departments. These are responsible for on-site support, but have only limited authorizations. For example, they do not have access to the Teams Admin Center.

The problem for many organizations is that the administrative roles listed above have access to all groups and cannot be restricted to specific locations.

That’s why companies are choosing to restrict permissions as much as possible for security reasons – leaving their local IT departments out in the cold.

Is there a solution to better integrate the local IT?

Delegate Teams admin rights without access to the Admin Center – This is how it works

Delegation level for local site IT with my-IAM TeamSpace

With the cloud application my-IAM TeamSpace

• Servicedesks/Helpdesks
• IT coordinators
• Local IT staff at the business units
• other groups of people

access Teams management indirectly and can support local users directly.

Using a delegation layer, they perform tasks that normally require access to the Teams Admin Center. Secure templates are available that are configured in advance for each site. For this, an area role is created, which is only allowed to see and edit the site teams with limited authorization.

A help desk employee or local IT coordinator can create new teams using my-IAM TeamSpace:

The templates are set up in advance by categories and contain different visibility and security levels:

The special feature of TeamSpace templates is the option to select locations for which the team should be visible.

In the TeamSpace overview, the local IT administrator only sees the teams for which he is responsible or in which he himself is a member (location-independent):

Example of delegated Teams administration

In practice, a multi-level shared MS Teams administration with 3 or 4 levels of delegation might look like this:

1. Central IT: admin permissions in Teams Admin Center, full access via TeamSpace
2. Central servicedesk: comprehensive access to Teams via my-IAM TeamSpace (without Teams Admin Center)
3. Local IT / Helpdesk: access to teams of certain category and limited to the location
4. Key user / User: access to teams of specific departments at the site
5. Team member and owner: only access to teams themselves, adjust settings in the team if necessary

Depending on the requirements of a company, the intermediate levels are preconfigured to match the organizational structure.

Advantages of delegated MS Teams admin rights

Here again the most important advantages of delegated administration in summary:

• Distribute workload: Delegation is useful for distributing the workload to trained individuals who can perform standard IT-related tasks.
• Integrate local IT: The head office is sometimes too far away from the problems of the users on site. That’s why it makes sense to integrate the on-site IT more strongly.
• Respond quickly: Respond much faster to the problems of employees on the ground.
• Helping in the right place: Local IT teams work closely with employees and know the specific requirements of the departments.
• Ensure security: TeamSpace is a secure intermediate layer that eliminates the need to access the Teams Admin Center.

Contact us if you want to delegate the MS Teams administration to your local IT coordinators and help desks.

Contact us now