What Is Granular Roles-Based Access Control?

By Dominic Kent

Enterprise number and user management in the Teams Admin Center (TAC) means every Microsoft Teams admin has access to your entire Teams estate. That’s every user and every phone number in every region.

You’ve got departments, campuses, and locations all with different requirements and priorities. You’ve got constant requests for moves, adds, and changes. At any given time, John, who is the campus manager for a large university, has access to make any change he wishes – even if he has no knowledge of the campus or set of users or phone numbers within that campus.

What’s more, John’s got your entire Microsoft tenant to sift through and filter when he needs to make even the most basic change for a single user. So, as well as the potential for John to make changes to the wrong set of users, it’s easy for him to mistake James Smith in Liverpool when there’s also a James Smith in London.

As an admin, you need access to the users and numbers you are responsible for and nothing more. This might be geographical, departmental, or any other criteria that qualifies you to have access to a specific set of users. 

Only, when administering Teams, if you’re a Teams admin, you have access to everything. And, when everything includes thousands and thousands of users across multiple departments and locations, administering the admin becomes a full-time job. 

It doesn’t have to be this way. You can now make the conscious decision to lock down the access each admin has.

Enter: Microsoft Teams granular role-based access control with Callroute. 

What is Granular Roles-Based Access Control?

Roles-Based Access Control (RBAC) is pretty self-explanatory at the most basic level. You’re creating groups of admin roles for who has access to what; in list format.

Rather than your Teams Admin Center and entire Teams tenant being a complete free for all (where all admins have access to tinker with any location, team, department, or user), Granular RBAC will allow specific Callroute admins to access and manage specific groups of people within the organization.

For example, if you’re tasked with managing the users and numbers for a site in London, but have access to the users in New York, there’s a chance you could mistakenly make a change to a user or group of users. All it takes is a similar looking name or a phone number with the same number string and human error can kick in. 

That’s not a dig at your staff, either. Manual processes and changes account for the majority of provisioning errors, with some businesses able to save $500,000 per year through the introduction of auto-provisioning. 

Why is Granular Role-Based Access Control needed?

After speaking to a large portion of our customers and fellow Teams admins, it’s become clear that getting staff the right access in Teams tenants has become a real problem. 

Especially in large businesses, where you might have dedicated Teams admins or it’s a time-consuming part of an IT admin’s day, the amount of time lost simply getting to the right user, number range, or group of users is ridiculous. 

The simple change to granular RBAC is a real time-saver for admins presented with lists and lists of user information. 

In the cases of universities, for example, this means the person who looks after a particular faculty or campus will only be able to access and manage users of that faculty or campus rather than the entire university. 

So, if Harvard Business School, with its main campus in Cambridge, Massachusetts, also has a campus in Dubai, it can now section off the Dubai Teams admin to only have access to the campus they support. 

The result? More efficient Teams management and a dramatically reduced chance of making changes to users outside their scope. 

You may also like: How Universities Can Save $92,000 On Microsoft Teams Provisioning

Isn’t this just role-based access? 

Not quite. Callroute already supports Microsoft role-based access so you can limit what admins can change based on their role, department, or seniority. 

Granular RBAC adds the control to only manage those numbers and users for a defined set of users. Regardless of the job role or seniority, Tim Jones, who works in the New York campus and looks after all US sites now only has access to make changes to those users. 

With role-based access, Callroute enables the delegation of administrative tasks among multiple administrators. We offer a range of pre-defined user roles alongside custom roles you can tailor to your specific needs, defining granular permissions. 

How does Granular Roles-Based Access Control by Callroute work? 

Watch how Microsoft Teams Security Groups by Callroute works

Admins can create custom control roles and associate them with a security group, providing those users/admins with access to Granular Roles-Based Access-controlled resources. 

A group can be anything your business deems relevant: 

• Locations 
• Department 
• Exec level 
• Night shift 
• Anything you decide is right for your business 

That’s the beauty of it. There’s no restriction on what you can choose as the criteria (unlike role-based access). 

The granular RBAC might also be specific to phone numbers per region. If you only want certain Teams admins to make changes to number assignments, you can lock these down too. If your London site has niche requirements, deem it so that other admins outside of London can no longer make changes to your London numbers.

You can also use AD attributes to inform the RBAC. So, if users have specific text included, you can attribute them and add them into a group. 

Management of RBAC is possible via super admins. These super admins can drop users into groups that categorize them.

Use cases for Granular Roles-Based Access Control

There’s no black or white use case for Microsoft Teams granular RBAC. We’ve designed this so the customization and flexibility are there for anyone who needs it. 

Typically, we’re talking about large enterprises. Here are some examples of when granular RBAC provides enhanced productivity: 

• Multi-organization teams: When you’ve completed a merger or acquisition, it may still be pertinent for the original IT teams to look after their original company’s Teams tenant (or department or set of users depending on how/if you merge tenants). 
• Cross-support teams: Where there are different admins responsible for a subset of Teams users. For example, different geographies have niche requirements and require specialist knowledge about sets of users. 
• Universities: Multiple campuses mean different teams of users to administer by different IT admins. There’s little benefit in each admin having access to university-wide student accounts. 
• Government bodies: District councils may have to look after offices other than the one they’re based in. Role-based access here would restrict the ability to make swift changes to important users. Granular RBAC grants them access to anyone within their defined user base, regardless of location. 

You may also like: How Local Councils Can Save 77% Of Time & Cost On User Provisioning

A large London University, for example, has over 100 different departments. On average, each IT admin manages around six of these. With Granular RBAC, this University will have the ability for specific IT admins to have access to their six departments alone. 

This doesn’t just ensure the right people have access to the right users, but it also makes management of numbers and users more efficient. By reducing the number of users to search and filter within, admins save time and become more productive when making one-off changes. 

How to get Granular RBAC for Microsoft Teams management 

Delegating regional access for Microsoft Teams management doesn’t have to be complicated.

With Granular Roles-Based Access Control for Microsoft Teams by Callroute, you can delegate control with confidence, simplify your administration, and keep your Teams environment secure.

🔎 Want to learn more? Discover how Granular RBAC can transform your Teams management here.