What "delegation" actually means in Microsoft 365
In Microsoft's native model, "delegation" means assigning one of the built-in administrative roles to a user who isn't a Global Admin. The most relevant ones for everyday delegation:
- User Administrator — manage users (create, reset password, assign license, manage group membership)
- Helpdesk Administrator — narrower — reset passwords + manage some user properties for non-admins
- Custom RBAC roles via Microsoft Entra — granular permission picking
All three grant the permissions but also give the delegate full access to the Microsoft 365 Admin Center UI (or the Entra portal). Custom RBAC scopes the permissions but not the UI surface — the delegate still lands in a UI showing a thousand things they can't do (greyed out) plus everything they can.
Whether that's a problem depends entirely on who's doing the delegation. The tools below address it in different ways, ranked by suitability for the SMB / mid- market IT director use case.
Quick comparison
| Feature | Tool | Type | Designed for non-IT delegate? | Per-delegate audit | Pricing |
|---|---|---|---|---|---|
Native Admin Center + roles | M365 Admin Center | Built-in | No | Unified log; hard to filter per delegate | Free (included) |
UserDesk for M365 | UserDesk | Focused SaaS | Yes | Built-in per delegate | $79–149/mo per tenant |
ManageEngine M365 Manager Plus | M365 Manager Plus | Full mgmt suite | Partial | Yes | $29–66/mo (admin tier-priced) |
CoreView | CoreView | Enterprise gov. | Yes | Yes | Enterprise (quote) |
AdminDroid | AdminDroid | Reports + audit | Limited | Yes | $4/user/yr base |
JumpCloud M365 module | JumpCloud | IDM platform | Yes | Yes | $9/user/mo (with full IDM) |
Custom PowerShell scripts | PowerShell | DIY | No | Whatever you log | Free (your time) |
Table verified
The seven approaches in detail
Order reflects fit for the SMB / mid-market IT director use case — the most common reader of this page. For MSP-specific rankings, see best CIPP alternatives.
Microsoft 365 Admin Center + native roles
Free, official, and exactly enough — if you're the only one ever using it.
- Best for
- Solo IT teams who handle every M365 admin task themselves. No delegation needed = no tool needed.
- Pricing
- Free (included with every M365 plan).
What it is: Microsoft's built-in admin interface. Every M365 admin operation lives here. Native role assignments (Global Admin, User Administrator, Helpdesk Administrator, Exchange Admin, etc.) let you partition admin access.
Strengths:
- Free
- Complete — every M365 admin action lives here
- Officially supported by Microsoft
- No additional setup; it's already there
Where it falls short for delegation:
- Admin Center UI is designed for IT pros, not for HR / office managers
- Native roles like User Administrator grant permissions but also expose everything the role can't touch (greyed out but visible) — settings panels, billing, DNS, service health
- Per-delegate audit trail requires querying the unified audit log — not built into the admin center UI for individual delegate review
- Custom RBAC roles solve permission scoping but not UI surface
When this is enough: if you're a one- person IT team handling everything yourself, or if your delegate is technical enough that the broader Admin Center doesn't confuse them, this is genuinely the right call. Don't pay $79+/mo for a problem you don't have. Read the dedicated UserDesk vs Admin Center comparison for the longer take.
Pricing & feature info verified
UserDesk for M365
Focused delegation tool — scope-limited by design, built for non-IT staff.
- Best for
- SMB IT director or mid-market IT team who wants HR / office manager / team leads doing routine M365 work without Admin Center access.
- Pricing
- Starter $79/mo (up to 50 M365 users, 3 portal admins). Pro $149/mo (unlimited). Annual saves ~17%. 14-day free trial, no card.
What it is: a focused web portal for routine M365 work — user management, password resets, license assignment, group/Teams membership, account disable, shared mailbox conversion. Three role tiers (Admin / Member / Viewer). Scope is hard-limited by design: no Conditional Access, no Intune, no SSO settings, no org-wide settings exposed.
Strengths:
- 2-minute setup (admin consent + share portal link)
- Built-in per-delegate audit log
- Mobile-friendly (HR is often on a phone)
- No Global Admin handoff — delegated permissions only
- Onboarding templates pre-fill licenses + groups + dept
- Same feature surface on both plans; Pro just adds scale + priority support
Where it falls short:
- Doesn't replace Admin Center for IT's own use — you still need that
- No Conditional Access, Intune, or SSO management
- No deep reporting (use AdminDroid alongside for that)
- No multi-tenant view yet (only relevant for MSPs)
When to pick this: when you specifically want to delegate routine M365 work to someone whose job isn't IT. If you're trying to do every type of M365 admin from one tool, this isn't it — that's the Admin Center plus, for MSPs, CIPP.
Pricing & feature info verified
ManageEngine M365 Manager Plus
Mature commercial tool with broad coverage. Heavier UI than UserDesk; broader feature set.
- Best for
- Mid-market IT teams who want one tool for user management, license management, and reporting — and don't mind a more traditional admin UI.
- Pricing
- Standard $345/yr (~$29/mo) for 100 users + 3 admins. Professional $795/yr (~$66/mo) adds reports and security features. Enterprise above.
What it is: mature M365 management tool with hundreds of features. Strong on reporting. Includes delegation features but the UI is designed for IT pros, not non-IT delegates.
Strengths:
- Cheaper than UserDesk Starter at base tier
- Mature — they've been at this longer than most
- Strong canned reports (60+)
- On-prem option if your org requires it
Where it falls short:
- UI feels enterprisey — not built for non-IT delegates
- Per-admin pricing model gets expensive past 3-5 admins
- On-prem option adds maintenance burden if chosen
- Less focused on delegation specifically than UserDesk
When to pick this: when you want broad M365 management with strong reporting, and the delegates are IT- adjacent (helpdesk, service desk) rather than fully non-IT (HR). For pure non-IT delegation, UserDesk is more focused.
Pricing & feature info verified
CoreView
Enterprise governance platform. Overkill for SMB, the right answer at 1k+ seats.
- Best for
- Enterprises with 1,000+ M365 seats that need policy automation, virtual tenants, and deep governance.
- Pricing
- Enterprise (quote). Typical landed cost: $2–3 per managed M365 user per month at volume.
What it is: M365 governance platform built for enterprise. Unique concept: "virtual tenants" — scope a delegate's view to a specific OU or location, so they only see and manage their slice.
Strengths:
- Genuinely best-in-class enterprise governance
- Virtual tenants are powerful for large multi-region orgs
- Policy automation engine
- License optimization at scale
Where it falls short:
- Expensive — scales by seat count, not flat-per-tenant
- Long sales + implementation cycle
- Overbuilt for SMB and most mid-market orgs
When to pick this: at 1,000+ seats with specific governance + policy automation needs. Otherwise don't start the conversation.
Pricing & feature info verified
AdminDroid
Reports-first. Pair with a delegation tool — don't use it as one alone.
- Best for
- IT teams who want extensive M365 audit + reporting at very low cost. Pairs with native roles or UserDesk for the actual delegation.
- Pricing
- Reports module free for limited scope; full edition starts around $4/user/yr. Tiered by tenant size.
What it is: M365 reports + auditing platform. Hundreds of pre-built reports, search across audit logs, alerts on activity patterns.
Strengths:
- Very cheap (often the cheapest tool in any M365 list)
- Reports breadth is genuinely strong
- Free tier is real enough to use
Where it falls short:
- Limited management actions — primarily a reporting tool
- UI feels dated
- Not a delegation tool on its own
When to pick this: as a supplement, not a primary delegation tool. Pair with native roles + UserDesk for delegation; AdminDroid for the audit/reporting layer.
Pricing & feature info verified
JumpCloud (M365 module)
Identity platform first; M365 is one provisioning target. Right answer if you're already shopping for IDM.
- Best for
- Orgs that want a full identity directory (separate from Entra ID) with M365 provisioning included — typically replacing or augmenting Active Directory.
- Pricing
- JumpCloud Platform pricing is per-user, ~$9/user/mo for the most common bundle. M365 features are part of the full platform.
What it is: an identity platform (often positioned as "cloud Active Directory") that includes M365 user provisioning, SSO, MFA, device management. The M365 module specifically lets you create/manage users, assign licenses, manage groups.
Strengths:
- Full identity platform — not just M365 management
- Cross-platform (Windows, macOS, Linux device support)
- One identity directory across many SaaS tools
Where it falls short:
- You're buying full IDM — paying for M365 mgmt as a slice
- If you're happy with Entra ID as your directory, JumpCloud is overkill
- Per-user pricing scales differently than per-tenant tools
- Delegation UI is identity-platform-style, not non-IT-friendly
When to pick this: if you're shopping for a full identity platform anyway (replacing AD, adding cross-platform device mgmt). Don't buy JumpCloud just for M365 delegation.
Pricing & feature info verified
Custom PowerShell scripts
Total control. Zero delegation surface. The default for SMB IT folks who like scripting.
- Best for
- IT pros who handle everything themselves, prefer scripts to UIs, and don't need anyone else to do M365 work.
- Pricing
- Free (your time).
What it is: PowerShell modules (Microsoft.Graph, ExchangeOnlineManagement) that let you do every M365 admin operation from a script. Many SMB IT folks write small scripts for repetitive tasks — bulk user creation, offboarding workflows, license cleanup.
Strengths:
- Free
- Complete — anything the Graph API can do, you can script
- Repeatable + auditable (if you log properly)
- Power-user friendly
Where it falls short:
- Requires PowerShell skills — can't delegate to non-IT
- No UI for the delegate; they'd open a ticket asking you to run the script
- Breaks when MS deprecates modules (regular occurrence)
- No built-in audit; you have to log + store + search yourself
- Maintenance burden you forgot about until something fails
When to pick this: as your own tool for bulk operations, never as a delegation answer. If you're comparing PowerShell to UserDesk for delegation, you're comparing apples to oranges — see the dedicated PowerShell vs UI tool comparison (publishes 2026-07-02) for the longer take.
Pricing & feature info verified
Decision tree: which tool for your situation
Most common decision paths, distilled. Real situations differ; this gets you started.
- You handle every M365 admin task yourself, no delegation needed.
→ Native Admin Center is enough. Save the money. - You want HR / office manager / team lead doing password resets, new hires, license assignment.
→ UserDesk. Built for exactly this. $79/mo Starter, 14-day trial, no card. - You want broad M365 mgmt with strong reporting; delegates are IT-adjacent (helpdesk).
→ ManageEngine M365 Manager Plus. - Enterprise (1k+ seats) with governance + policy automation needs.
→ CoreView. - You're shopping for a full identity platform anyway (replacing AD, adding device mgmt).
→ JumpCloud (or Okta if enterprise-scale). - You're an MSP managing 5+ client tenants.
→ See best CIPP alternatives for MSPs. Different decision flow for MSP context.
Frequently asked questions
Q01What's the cheapest M365 delegation tool?
Native Admin Center + roles (free, included with M365). The catch: it gives the delegate access to the full Admin Center UI. AdminDroid is cheapest among third-party tools (~$4/user/yr) but it's reports-first, not delegation-first. UserDesk Starter is $79/mo per tenant, flat regardless of user count up to 50.
Q02Do I need a tool, or are native roles enough?
Depends on who's delegating. If your delegate is IT-fluent (helpdesk tech), native roles + Admin Center are usually fine. If your delegate is HR, an office manager, or a team lead, the Admin Center UI is too broad — they'll either get overwhelmed or accidentally misclick. That's when a focused tool earns its keep.
Q03What about Microsoft 365 Lighthouse?
Lighthouse is MSP-only — it's not designed for single-org delegation. If you're an MSP, see our best CIPP alternatives page where Lighthouse is covered. For single-org M365 delegation, Lighthouse isn't on the shortlist.
Q04Can I scope the M365 User Administrator role to specific departments or OUs?
With Custom RBAC roles in Microsoft Entra, yes — you can scope permissions to administrative units. The UI surface still shows the full Admin Center (just with permission errors where the delegate isn't allowed). It's the right answer when permission-level scoping is enough and you don't mind the broad UI. See /compare/user-administrator-role (publishes 2026-06-18) for the deep dive.
Q05What about Okta Workflows or Workato for M365 provisioning?
Both are excellent for orchestration — automating the new-hire workflow across many SaaS apps including M365. Different category: they're orchestration platforms, not delegation tools. The delegate doesn't log into Okta Workflows; an IT pro builds the workflow. UserDesk is the opposite — the delegate logs in directly. Many orgs use both.
Q06Which tool integrates with Intune?
If Intune management is the main need, you're shopping for a different category — ConfigMgr / Intune-focused tools, not M365 delegation tools. CoreView covers Intune policy at the governance layer. The tools on this page are scoped to user/group/license operations, not device management.
Try it
Free 14-day trial — no card
Connect your Microsoft 365 tenant in 2 minutes. Hand the portal to HR or your team leads. Cancel any time.
Free checklist
M365 Delegation Checklist
What to delegate, what to keep, and how to set it up without breaking your tenant.