Delegate365 allows the separation of a single Microsoft 365 tenant with the OU concept. Every admin only sees and manages their own objects. Group OUs allow administrators to add users from other organizational units to their managed groups without having access to manage those users. Until now, when using Group OUs, the users' domains also had to be assigned to the administrators. This version changes that.
Note: The article Delegate365 changelog version 8.0-Group OU's also describes the basic concept of Group OUs in Delegate365. This article describes the change that the user's domain no longer has to be assigned to an administrator.
A typical scenario
To demonstrate that, let's have a look at the following scenario:
- A M365 tenant has two domains: atwork.fun and M365x193702.onmicrosoft.com.
- User Admin manages the OUs Seattle and New York, and has both domains assigned.
- User Adele manages OU New York only, and has domain M365x193702.onmicrosoft.com assigned.
So, Adele can manage only her users and groups assigned to New York.
The goal is that Adele can add or remove users from another OU - from Seattle - to her groups. For this purpose there is the concept of the Group OUs. We can assign Seattle as Group OU to Adele as here.
In the panel, we select Seattle and click Save.
New in this version: Note that Adele has only the domain M365x193702.onmicrosoft.com assigned.
Test users and their OUs and domains
The admin sees Seattle and New York. In Seattle, we see two users with two different domains assigned:
Test the Group OUs
User Adele can manage New York. In her users list, she sees the three users AlexW, BiancaP and NestorW with the domain M365x193702.onmicrosoft.com (but not Ringo or Paul).
With the assigned Group OU Seattle, she should now be able to add users from Seattle to her groups! So, let's check it by going to a group…
…and edit the group to add more members like here. The people picker shows corresponding names from all entitled OUs.
As we see, the Group OU allows Adele to add users from Seattle to her own groups!
The important (new) part here is that Adele sees ALL users of the assigned Group OUs regardless of the user's domain.
It is worth mentioning here, in contrast to the above, that Adele only sees users from her assigned OUs if the user's domain name is in the list of her assigned domains, as before. Adele is able to add only "her" three users she sees in her users list above. If there are users assigned to New York, but with a different domain name (@atwork.fun in our sample), she would not see them in the people picker.
As a result, we see that Adele has successfully added AlexW, Ringo and Paul to her group Project Apple. To identify objects easily, Delegate365 shows the OU of the users in brackets.
When clicking the Save button and confirming the message, these users are added as members to that group.
As we have seen, Group OUs let you see users from other OUs so that you can add them to your own groups, regardless of the user's domain. Before, the domain also had to be assigned to the administrators. Now, no domain assignment is required any longer.
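The visibility rules described above can be written down as a small model. This is an added example, not Delegate365 code: the function names are hypothetical, the split of the two domains between Ringo and Paul is assumed (the article only says the Seattle users have two different domains), and NyFunUser is a constructed user for the New York / @atwork.fun case.

```python
from dataclasses import dataclass

TENANT, FUN = "M365x193702.onmicrosoft.com", "atwork.fun"

@dataclass(frozen=True)
class User:
    name: str
    ou: str
    domain: str

@dataclass(frozen=True)
class Admin:
    ous: frozenset        # OUs the admin manages
    group_ous: frozenset  # OUs assigned as Group OUs
    domains: frozenset    # domains assigned to the admin

def can_manage(admin, user):
    # Own-OU rule, unchanged: OU and domain must both be assigned.
    return user.ou in admin.ous and user.domain in admin.domains

def can_pick(admin, user, domain_required=False):
    # People-picker rule for group membership.
    # domain_required=True models the behaviour before this version.
    if can_manage(admin, user):
        return True
    if user.ou in admin.group_ous:
        return user.domain in admin.domains if domain_required else True
    return False

# Constructed sample data following the article's scenario.
USERS = [
    User("AlexW", "New York", TENANT),
    User("BiancaP", "New York", TENANT),
    User("NestorW", "New York", TENANT),
    User("NyFunUser", "New York", FUN),  # hypothetical user
    User("Ringo", "Seattle", FUN),       # domain assumed
    User("Paul", "Seattle", TENANT),     # domain assumed
]
ADELE = Admin(frozenset({"New York"}), frozenset({"Seattle"}),
              frozenset({TENANT}))

def users_list(admin):
    return sorted(u.name for u in USERS if can_manage(admin, u))

def people_picker(admin, domain_required=False):
    return sorted(u.name for u in USERS
                  if can_pick(admin, u, domain_required))

if __name__ == "__main__":
    print("manage :", users_list(ADELE))
    print("before :", people_picker(ADELE, domain_required=True))
    print("now    :", people_picker(ADELE))
```

Under these assumptions Ringo appears in Adele's people picker only with the new rule, while NyFunUser stays hidden in both cases because the own-OU rule still checks the domain.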
We think this makes sense, because admins should not be able to manage users with domains they are not allowed to use for their own objects. This sample shows the new behavior available with Delegate365 v9.2 (along with many other new features). Stay tuned!