Multiple Admins for Exchange/O365 with rights to their own users only

I have a customer that would like to purchase the Exchange Online portion of O365 for use by approximately 1000 independent agents of their company. This would NOT be tied to any in-house domain; everything would be in the cloud.

Each of the 1000 agents would have an email address @XYZ-agent.com; however, the 1000 agents work for as many as 10 different companies. My customer wants to know if there is a way to delegate administrative rights to someone at each of those 10 companies so that they could add/delete/reset their own users without necessarily having rights to all of the users.

I know how to do this with OU permissions in an on-premises Exchange, but I'm not sure how it is managed in the online version.

Can someone tell me if this is doable and point me in the right direction?

Thanks,
Tiff
mpTiffany Asked:
timgreen7077 (Exchange Engineer) Commented:
Unfortunately no. If you make them an admin, then they will be an admin for all domains and users in that O365 tenant.
0
Vasil Michev (MVP) Commented:
Although it's limited compared to on-premises, you still have some options. The first and best option for your scenario is to use the Exchange RBAC model. As you will only be using Exchange anyway, you can set up admin roles with different scopes that only include recipients from a particular "company". This article should get you started (note that only recipient-filter-based scopes are available in ExO): https://technet.microsoft.com/en-us/library/dd335146(v=exchg.150).aspx

Apart from that, you can use the so-called Administrative units in Office 365/Azure AD. They work in a similar fashion, and allow you to delegate someone admin permissions over a group of users. Start by reading this: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-administrative-units-management

In either scenario, you should not be delegating Global admin permissions to any of the users, as GAs will be able to manage all users in the tenant.
1
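
The scoped-RBAC option from the answer above, as an added example that is not part of the original thread or any participant's post. The company names, admin addresses, group and scope names, the choice of roles, and the use of the Company attribute to partition users are all assumptions; each scope is previewed before it is created so an empty or wrong filter is caught early.

```powershell
# Added example. Company names, admin UPNs, object names and the use of the
# Company attribute as the partition key are assumptions, not from the thread.
# A new tenant may first require: Enable-OrganizationCustomization
Connect-ExchangeOnline   # from the ExchangeOnlineManagement module

# Constructed sample data: company -> delegated administrator
$delegations = @{
    'Contoso Agency'  = 'admin1@XYZ-agent.com'
    'Fabrikam Agency' = 'admin2@XYZ-agent.com'
}

# Recipient-level roles only (assumed choice). No tenant-wide admin role is
# granted, so the delegate's write access ends at the scope boundary.
$roles = 'Mail Recipients', 'Reset Password'

foreach ($company in $delegations.Keys) {
    $filter = "Company -eq '$company'"

    # Preview which recipients the filter matches before delegating anything.
    $inScope = @(Get-Recipient -RecipientPreviewFilter $filter -ResultSize Unlimited)
    if ($inScope.Count -eq 0) {
        Write-Warning "No recipients match [$filter]; skipping $company"
        continue
    }
    Write-Host "$company : $($inScope.Count) recipients in scope"

    # ExO supports recipient-filter scopes only (no OU-based scopes).
    $scope = New-ManagementScope -Name "Scope - $company" `
        -RecipientRestrictionFilter $filter

    # Role group whose write scope is limited to that company's recipients.
    New-RoleGroup -Name "Recipient Admins - $company" `
        -Roles $roles `
        -CustomRecipientWriteScope $scope.Name `
        -Members $delegations[$company] | Out-Null
}

# Audit: every assignment should list the custom scope, not the whole org.
foreach ($company in $delegations.Keys) {
    Get-ManagementRoleAssignment -RoleAssignee "Recipient Admins - $company" |
        Format-Table Role, RecipientWriteScope, CustomRecipientWriteScope
}
```

Because scope membership follows the attribute value, anyone able to edit the Company attribute can move a user between scopes, so keep write access to that attribute with the central administrators.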
