Office 365 Workload-Specific Admin Roles
I was excited to see that workload-specific admin roles is rolling out to Office 365 tenants starting today. This feature gives the ability to assign workload-specific service administrator roles to your organizations IT administrators for Exchange Online, SharePoint Online and Skype for Business Online. For example, an Exchange admin will no longer require Office 365 global admin rights in order to manage Exchange Online.
An admin assigned to a workload-specific admin role would only have access to the relevant controls and settings associated with that workload. For example, the SharePoint Online administrator role provides that admin access to only SharePoint related controls and settings in the Office 365 Admin Center. The SharePoint Online admin can manage SharePoint site collections, configure SharePoint settings such as the organizations external sharing policy and access SharePoint Admin Center for additional SharePoint capabilities. However, the SharePoint Online admin will not have access to other Office 365 service controls and settings such as mailbox configuration, transport rules and other non-SharePoint related settings.
In addition, there is now more flexibility in assigning roles. If your IT administrator has multiple responsibilities (i.e. SharePoint Online and Skype for Business Online responsibilities but not Exchange Online), you can assign multiple roles to that administrator. You are no longer limited to only one role assignment per administrator.
To configure a workload-specific admin role (once this feature has been rolled out to your tenant), the global admin simply selects the user from the active user list, and clicks edit user roles > Limited Admin Role to display the list of all the admin roles. Then select the admin role(s) you want to assign and click Save.
I am excited about this new feature because it provides organizations with more options to improve compliance by limiting access to data to only those who need it.
For more info, see the blog post More control over data access with workload-specific admin roles.