Administrators at client organizations didn’t like to do it, partners asked for it anyway, and due to no alternatives, they were given O365 Global Administrator role. This of course in addition to being able to manage the CRM organization which they needed it for, they could also do anything else they wanted to do throughout the O365 system. Was this a problem? Not as long as the partner didn’t make it one, but it still made the client uncomfortable in some scenarios.
Well now that doesn’t need to happen any more. The O365 Team has just introduced the new Dynamics 365 Service Admin Role.
This “Customized administrator” role can be assigned to users in the Office 365 Admin center portal similar to existing customized administrator roles for Exchange, SharePoint and Skype for Business.
With this role, you can limit administrators to Dynamics 365 (online) service only
Here is the really good news for Clients – it won’t consume a license
Previously, to limit a user to Dynamics 365 only, a global administrator could assign a user with no administrator access, consume a Dynamics 365 license and then assign that user a system administrator security role in the desired Dynamics 365 instance(s). With Dynamics 365 service admin role, you are not required to consume a paid license if the admin will not be using the application (admin only) and there is no need to assign the role per instance.
How to lock it down properlty.
With this, you’ll have the ability to restrict a Dynamics 365 admin from accessing certain instance(s) through Security Groups which is not possible with Global admin role. To limit access, configure instance(s) with a security group, and include only users that you want to see those instance(s) in that security group. This restriction will also apply to Dynamics 365 administrators (but not Global admins).
Note: The role is available in all global geos as well as Dynamics 365 for Government customers. The Dynamics 365 Service Administrator role is compatible with instances that are version 8.1 and higher.