Use the service admin role to manage your tenant

Applies to Dynamics 365 for Customer Engagement apps version 9.x

To help you administer Dynamics 365 for Customer Engagement, you can assign users to manage Dynamics 365 for Customer Engagement at the tenant level without having to assign the more powerful Office 365 global admin privileges.

Users with the Dynamics 365 for Customer Engagement service admin role can:

  • Sign in to and manage multiple Dynamics 365 for Customer Engagement instances. If an instance uses a security group, a service administrator would need to be added to the security group in order to manage that instance.

  • Perform admin functions in Dynamics 365 for Customer Engagement because they have the Dynamics 365 for Customer Engagement system admin role. The service admin must be assigned a Dynamics 365 for Customer Engagement license.

A Dynamics 365 for Customer Engagement service admin cannot do functions restricted to the Office 365 global admin such as manage user accounts, manage subscriptions, access settings for Office 365 apps like Exchange or SharePoint.

Note

The Dynamics 365 for Customer Engagement service admin can manage instances of version 8.1 (Dynamics CRM Online 2016 Update 1) or later.

Dynamics 365 service admin

Here's a matrix of what's available with the various Office 365 roles.

Office 365 role / feature Backup & restore Sandbox copy Configure new instances Manage an instance Add Customer Engagement licenses Approve Customer Engagement emails1 Access support requests Access Service health Access Message center
Office 365 global admin Yes Yes Yes Yes Yes Yes Yes Yes Yes
Exchange admin n/a n/a n/a n/a n/a n/a n/a Yes Yes
Office 365 service admin No No No No No No Yes Yes Yes
Office 365 user No No No No No No No No No
Dynamics 365 service admin Yes Yes Yes Yes No Yes1 Yes Yes Yes

1To approve emails for Dynamics 365 for Customer Engagement apps (online), a Dynamics user requires the Approve Email Addresses for Users or Queues privilege and the Office 365 global admin role or the Dynamics 365 service administrator role. The Dynamics 365 service admin User Principal Name (UPN) must match the email address in Dynamics 365 for Customer Engagement. If the email address and the UPN are different then only an Office 365 global admin can approve the email address.

To approve emails for Dynamics 365 for Customer Engagement apps (on-premises), a Dynamics user requires the Approve Email Addresses for Users or Queues privilege. A system admin can assign the Approve Email Addresses for Users or Queues privilege to any security role and assign the security role to any user.

To manually assign the Approve Email Addresses for Users or Queues privilege to a security role:

  1. In Dynamics 365 for Customer Engagement, go to Settings > Security > Security Roles.
  2. Select a security role, and then select the Business Management tab.
  3. Under Miscellaneous Privileges, set the privilege level for Approve Email Addresses for Users or Queues.

See also

Manage Microsoft Dynamics 365 for Customer Engagement apps (online) instances
Manage subscriptions, licenses, and user accounts