How does Delegate365 work?

The delegation uses organizational units (OUs) that define which administrator can manage which OU, which domains and which licenses. The delegation is done at a level above Microsoft 365™. Every user in the organization can manage assigned objects without any role in Microsoft 365™.

Objects only need to be assigned in Delegate365 by the portal administrators, or they can be assigned automatically (for example, by domain, group membership, or other user properties), to be visible to the delegated (scope) admins.

The Delegate365 portal replaces the Microsoft 365 Admin Center for all daily tasks and for user, license and group management. Delegate365 is provided as Software-as-a-Service, and updates are done automatically for you. No maintenance is necessary. Technically, Delegate365 runs completely in the Microsoft Azure™ platform, in a data center region of the customer's choice.

Delegate365 features

Delegate365 allows you to split a single Microsoft 365 tenant into smaller, manageable organizational units. Each organizational unit can use Delegate365 to manage itself within the defined scopes. Delegate365 supports delegation, automation and auditing.


Delegate365 provides controlled access for scope administrators to the following Microsoft 365 services, always restricted to the assigned permissions.

Microsoft service Delegate365 feature

Azure AD
  • Works with cloud and hybrid scenarios
  • Full management of users and user mailboxes
  • Manage self-service Password reset (also without license)
  • Reset user password
  • Set custom password policy
  • Manage M365 licenses
  • Manage user schema extension data
  • Manage membership in groups
  • Revoke sign in sessions
  • Set Multi Factor Authentication (MFA) for users
  • Manage Security Groups
  • Manage Microsoft 365 Groups including privacy, classification, email address, owners, members, and more
  • Import users with licenses to assign from a csv file
  • Restore deleted users

Licenses and Reports
  • Manage (only permitted) Microsoft 365 licenses and plans
  • License quotas
  • Self-defined license policies
  • License order management with various workflows (internal, approval, external)
  • Automatically assign licenses with OU membership
  • Automatically (un)assign licenses with rules
  • License name mapping
  • Custom Usage Locations
  • Allowed Usage Location assignments
  • Various license reports
  • Historical license reports
  • About 100 reports, only for the authorized scopes

  • Manage email address and aliases
  • Manage mailbox features (hide from address list, protocols and allowed features, litigation hold, etc.)
  • Set mailbox quotas
  • Manage mailbox forwarding
  • Set out of facility messages for a specific time
  • Manage Shared Mailboxes
  • Manage Resource Mailboxes
  • Set mailbox delegations (Send as, send on behalf, full access)
  • Set mailbox single item recovery
  • Manage membership in groups
  • Convert to shared mailbox and resource mailbox including block sign-in
  • Manage Distribution Groups
  • Manage Dynamics Groups
  • Manage Contacts
  • Check email addresses in the tenant
  • Run a message trace from and to allowed addresses including alias addresses (instantly and as a job)

  • Show a user's OneDrive for Business shares with other users
  • Reports for active user details, files, storage and more

Microsoft Intune
  • Manage device owners
  • Wipe device
  • Retire device
  • Sync device
  • Update device
  • Reboot device (Windows)
  • Clean device (Windows)
  • Reset pass code (iOS)
  • Remote lock device (iOS, Android)
  • Scan Windows Defender (Windows)
  • Update Windows Defender signatures (Windows)
  • Remove device
  • See unmanaged devices, compliance, last sign-in and more

  • Provision new SharePoint sites and manage existing SharePoint sites
  • Manage site properties, such as sharing
  • Manage permissions of assigned SharePoint sites

  • Delegate365 PowerShell module, available in the PowerShell Gallery for entitled admins
  • The Delegate365 PowerShell only allows access to the same organizational units as the administrator
  • Operations done in Delegate365 PowerShell are also logged
  • Documentation and sample scripts are available in the Delegate365 GitHub repository

Delegate365 special features
  • Show the tenant's service health as an overview and in detail
  • Built-in support case feature
  • Define the tenant's password policies
  • Fully GDPR compliant, including anonymization of historic log entries
  • All processes are logged from beginning to the current date (no 30 to 90 days storage limits)
  • Auditors can fully access the logs
  • Quick audits allow access for the last week to speed up log analytics
  • Logs can be visualized with Power BI and other tools
  • Message Center collects any errors for admins
  • Portal Admins can see error messages from the scope admins
  • Message center data holds data forever and can be processed with external tools if required
  • About 100 reports, only for the authorized scopes, see samples at the Delegate365 GitHub repository
  • Import users and automatically assign Microsoft 365 licenses from a csv file
  • Import OUs from a csv file
  • Set default properties for user creation
  • Automatically (un)assign licenses to users with sync rules
  • Automatically create OUs and assign users with a sync rule
  • Send automatic notifications about the admin's controlled data
  • Custom rules for assigning objects from Microsoft 365 to Delegate365 OUs
  • License rules for automatic and flexible license assignments for users based on groups
  • Order Delegate365 licenses directly

Delegate365 roadmap

We are constantly working on further developments and improvements of Delegate365 based on customer feedback and on the availability of Microsoft APIs. Here are the features we are currently working on.

Microsoft Service Delegate365 feature

  • Extended management of the Delegate365 schema extension for users
  • More reports (e.g. OU admins can see all assigned devices, Sign-in more than 30 days, etc.)
  • Register devices in AutoPilot for CSP customers
  • Support of Azure AD Administrative Units (AUs)
  • New Setup supporting Multi Factor Authentication with a transparent load/save json configuration feature (coming this June)
  • Integration of Secure Score
  • Integration of Microsoft Information Protection

Power Platform
  • Overview of environments, Power Apps, Power Automate
  • Overview of Power BI workspaces

Microsoft Teams
  • Assign a telephone number to a user
  • Teams Calling Reports
  • Integration of more Teams features as soon as they are available in the Microsoft API

Microsoft Intune
  • Integration of more Intune features as soon as they are available in the Microsoft API

Microsoft Azure
  • Support for managing Resource Groups (tbd)
  • More features are in the backlog

Look and Feel

To get an impression of how easy it is to use Delegate365, here are some screenshots of the main functions used in daily business.

Everything starts here.

The administrator logs in with the standard Microsoft Office 365™ login page. If the user is authenticated against Windows Azure™ Active Directory®, the Delegate365 dashboard follows. If the user is authenticated but is not an administrator in Delegate365, the user can only change his password. The Active Directory objects are automatically synced in Delegate365.

The dashboard provides an overview of all objects the logged-in user can administer. All user data comes directly from Microsoft Office 365™ and is presented on this summary page, which is also the start page after login.

The soul of management

This is the soul of management in Delegate365. The portal administrator defines any number of organizational units (OUs) to create individual groups within the portal administration. Each administrator belongs to one or more OUs. All user objects also belong to one OU. Objects can be moved from one OU to another with a mouse click.

This is the main part where administrators can manage all their users. Users can be created, edited and deleted. The search box delivers a user object while the name is being typed. Users can be assigned to Active Directory groups and licenses. Additional functions are password reset and alias addresses.

A new user can be created just by typing his name. Delegate365 creates a valid user principal name for the user. The administrator can only choose between the domains, locations and OUs for which he is entitled. So business administrators can create new users only within their logical unit.

Mass import

When a couple of users need to be imported, the local administrator can download a sample file, fill in the data, for example with Microsoft Excel®, and upload it to the Delegate365 portal. Delegate365 will create users from the import file and assign the Microsoft Office 365™ license in one step. If the file contains invalid data, or the administrator wants to create users in an OU other than the ones he is in, the import function reports the invalid data. So mass import is very easy, even for the local administrator.

The Sync function allows portal admins to synchronize all data from Azure Active Directory into D365 manually at any time. Additionally, rules can be set for the automated assignment of users into D365 OUs depending on user properties.

Shared Mailboxes are an Exchange feature where many users can access a common mailbox (which does not need an Office 365 license), e.g. for departments or customer contact. Admins who are entitled to use this function can now easily manage Shared Mailboxes in D365.