How to Safely Delegate Microsoft 365 User Management
Microsoft 365 admin center is powerful. It's also dangerous in the wrong hands. That's why most IT teams keep a tight grip on who can access it — and end up becoming a bottleneck for every new hire, password reset, and license change.
There's a middle ground. You can delegate routine user management tasks without giving away the keys to the kingdom.
The problem with the admin center
The M365 admin center wasn't designed for delegation. Its role system is improving, but in practice most organizations end up in one of two patterns:
Pattern 1: Everybody waits for IT. Only Global Admins can create users or reset passwords. IT becomes a ticket queue for tasks that take 30 seconds each but stack up into hours of lost productivity.
Pattern 2: Too many admins. Frustrated by the bottleneck, someone gives the HR manager a Global Admin role. Now they can create users — but they can also delete the entire tenant, modify security settings, or access any mailbox. The blast radius of a mistake is enormous.
Neither pattern is sustainable.
What safe delegation looks like
Safe delegation has three requirements:
Scoped permissions
Delegates should only be able to perform the specific tasks they need. An HR manager needs to create users, reset passwords, and assign licenses. They don't need to modify conditional access policies or manage Exchange connectors.
Role-based access
Not everyone needs the same level of access. A three-tier model works well for most organizations:
- Admin — Full portal access, including settings and billing
- Member — Can manage users, groups, and licenses
- Viewer — Read-only access to the user list and audit log
Complete audit trail
Every action needs to be logged automatically. Who created this user? Who reset that password? Who removed a license at 2am on a Saturday? Without an audit trail, delegation becomes a liability.
How UserDesk implements this
UserDesk sits between your team and the Microsoft Graph API. It authenticates with Microsoft's standard OAuth flow — the same protocol used by the admin center itself — but exposes only the operations your delegates need.
What delegates can do:
- Create and delete user accounts
- Reset passwords (with auto-generated secure passwords)
- Enable and disable sign-in
- Assign and remove licenses
- Manage Teams and group memberships
- Use templates to standardize onboarding
What delegates cannot do:
- Access the Azure portal or admin center
- Modify security or compliance settings
- Access other users' mailboxes or files
- Change their own role or grant access to others
The audit log captures every action with the actor's identity, the target, a timestamp, and full metadata. It's immutable — entries can't be edited or deleted by anyone, including admins.
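To make the three requirements above (scoped permissions, the Admin/Member/Viewer tiers, and an audit trail that nobody can edit) concrete, here is an added example of a small delegation broker written for this article. It is not UserDesk's code: an in-memory dict stands in for the Microsoft Graph calls, the operation names, the user principal names and the `EXAMPLE_SKU` value are constructed for the example, and the hash chain is one assumed way of making the log tamper-evident. Every operation is checked against an allow-list for the caller's tier before anything reaches the directory, nobody can change their own role, and the audit log class offers no edit or delete method at all.

```python
"""Added example: tiered roles + hash-chained audit log in front of a
simulated directory (not UserDesk's code; the dict stands in for Graph)."""
import hashlib
import json
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone

# Allow-lists per tier (Viewer < Member < Admin). Operation names are
# hypothetical; anything not listed for a role is refused before it
# reaches the directory, so mailbox access simply has no entry point.
VIEWER_OPS = frozenset({"list_users", "read_audit_log"})
MEMBER_OPS = VIEWER_OPS | {"create_user", "delete_user", "reset_password",
                          "set_signin", "assign_license", "remove_license"}
ADMIN_OPS = MEMBER_OPS | {"assign_role", "update_settings"}
ROLE_PERMISSIONS = {"Viewer": VIEWER_OPS, "Member": MEMBER_OPS, "Admin": ADMIN_OPS}
NULL_HASH = "0" * 64


@dataclass(frozen=True)
class AuditEntry:
    actor: str
    action: str
    target: str
    timestamp: str
    metadata: dict
    outcome: str       # "allowed" or "denied"
    prev_hash: str
    entry_hash: str


def _digest(actor, action, target, timestamp, metadata, outcome, prev_hash):
    payload = json.dumps([actor, action, target, timestamp, metadata, outcome,
                          prev_hash], sort_keys=True, default=str)
    return hashlib.sha256(payload.encode()).hexdigest()


class AuditLog:
    """Append-only: the class deliberately has no edit or delete method."""

    def __init__(self):
        self._entries = []

    def append(self, actor, action, target, metadata, outcome):
        prev = self._entries[-1].entry_hash if self._entries else NULL_HASH
        ts = datetime.now(timezone.utc).isoformat()
        digest = _digest(actor, action, target, ts, metadata, outcome, prev)
        entry = AuditEntry(actor, action, target, ts, dict(metadata),
                           outcome, prev, digest)
        self._entries.append(entry)
        return entry

    def entries(self):
        return tuple(self._entries)


def verify_chain(entries):
    """Recompute the chain; False if an entry was altered or an earlier one
    removed (cutting off the tail needs an external anchor to detect)."""
    prev = NULL_HASH
    for e in entries:
        expected = _digest(e.actor, e.action, e.target, e.timestamp,
                           e.metadata, e.outcome, e.prev_hash)
        if e.prev_hash != prev or e.entry_hash != expected:
            return False
        prev = e.entry_hash
    return True


class DelegationBroker:
    def __init__(self, roles, audit):
        self.roles = dict(roles)   # actor UPN -> tier
        self.audit = audit
        self.directory = {}        # user UPN -> {"signin": bool, "licenses": set}
        self.settings = {}

    def perform(self, actor, action, target="", **metadata):
        role = self.roles.get(actor)
        allowed = role is not None and action in ROLE_PERMISSIONS[role]
        if action == "assign_role" and target == actor:
            allowed = False        # nobody may change their own role
        if not allowed:            # denials are logged too
            self.audit.append(actor, action, target, metadata, "denied")
            raise PermissionError(f"{actor} ({role}) may not {action}")
        result = self._apply(action, target, metadata)
        self.audit.append(actor, action, target, metadata, "allowed")
        return result

    def _apply(self, action, target, md):
        users = self.directory
        if action == "list_users":
            return sorted(users)
        if action == "read_audit_log":
            return self.audit.entries()
        if action == "create_user":
            users[target] = {"signin": True, "licenses": set()}
            return target
        if action == "delete_user":
            users.pop(target)
            return target
        if action == "reset_password":
            return secrets.token_urlsafe(16)   # returned once, never logged
        if action == "set_signin":
            users[target]["signin"] = bool(md["enabled"])
            return users[target]["signin"]
        if action == "assign_license":
            users[target]["licenses"].add(md["sku"])
            return sorted(users[target]["licenses"])
        if action == "remove_license":
            users[target]["licenses"].discard(md["sku"])
            return sorted(users[target]["licenses"])
        if action == "assign_role":
            self.roles[target] = md["role"]
            return md["role"]
        if action == "update_settings":
            self.settings.update(md)
            return dict(self.settings)
        raise ValueError(f"unknown action {action}")


def outcome_of(broker, actor, action, target="", **metadata):
    """Run one request and report 'allowed' or 'denied'."""
    try:
        broker.perform(actor, action, target, **metadata)
        return "allowed"
    except PermissionError:
        return "denied"
```

Two design choices carry the security weight. The tiers are allow-lists rather than deny-lists, so an operation the broker never defines (reading another user's mailbox, touching conditional access) cannot be reached by any tier. And the log records denied attempts alongside successful ones, which is what turns "who reset that password at 2am" into an answerable question: a Viewer repeatedly trying privileged actions shows up even though nothing changed.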
Getting started
Setup takes about two minutes. A Global Admin approves the app permissions once, and then anyone in the organization can sign in with their work account. The first person to sign in becomes the portal Admin and can start assigning roles immediately.
No agents to install. No infrastructure to manage. No VPN required.
See it in action: Try the interactive demo or start your 14-day free trial.