As organizations grow, they inherently become more complex. To reduce some of the access management workload in these cases, organizations can leverage Azure Active Directory admin roles. Using these admin roles, organizations can assign the least possible privileges that users need to perform their jobs. In this lesson we're going to talk a little bit about how to plan for delegation in your organization. 

It can be difficult as an organization grows to keep track of what users have which permissions. That said, having employees running around with administrator rights that they shouldn't have leaves an organization susceptible to security breaches. When deciding how many administrators you need and how granular their permissions need to be, you should consider the size and complexity of your deployment. For example, small POC-level type deployments really only require maybe two or three administrators to do everything. In these environments, there's really no need for delegation. As such, you would typically create each administrator with the global administrator role. 

However, larger more complex deployments that involve more apps, resources and desktops, will often require more delegation to split up responsibilities. For example, some admins may function as privileged identity administrators while other admins may function as application administrators. The most complex deployments may require even more granular permissions. Additionally, these types of deployments may even require administrators with unconventional or hybrid-type roles. Regardless of how complex a deployment is, you can use the Azure AD portal to view the members of any role. This makes it easier to manage your deployment and to delegate permissions. 

When planning delegated admin rights, you should follow these steps that you see on your screen. Start by defining the roles that you need. Determine the Active Directory tasks that are carried out by administrators and how they map to specific roles. With your roles defined, decide how you need to delegate application administration. Doing so improves security and also reduces the potential for mistakes. Consider delegating application administrator roles instead of using Global Admin. For example, the Application Administrator role can be used to grant a user the ability to manage all applications in the directory. This includes app registrations, single sign-on settings, user and group assignments and licensing, Application Proxy settings, and consent. The Cloud Application Administrator role allows a user to perform the same functions as an Application Administrator, except that it doesn't grant access to Application Proxy settings. 

Out of the box, all users have the ability to create application registrations. However, you may want to instead selectively grant this ability by setting the "Users can register applications" option to "No" in the User settings, and then assigning the user that will manage registrations to the Application Developer role. To achieve fine-grained app access delegation, you can delegate ownership to individual enterprise applications. When delegating app ownership, that ownership is assigned on per-enterprise application basis via the Enterprise Applications blade. By delegating app ownership in this fashion, you can allow app owners to manage the enterprise applications that they own instead of placing the burden on one or two global admins. As part of your admin delegation planning and management, you should also de a coherent security plan. You can view an extensive guide that covers this at the URL that you see on your screen. 

To ensure you have access to your identity management store in the event an issue arises, be sure to create and configure emergency access accounts. You can read more about them at the URL that you see on your screen. You should also use the baseline access policy that is available by default to all Azure AD tenants to enforce multifactor authentication on all privileged Azure AD accounts. The Azure AD baseline policy should be used to protect the Global administrator, the SharePoint administrator, the Exchange administrator, the Conditional access administrator, and the Security administrator accounts. It's critical that these accounts be protected, because if they are compromised, an attacker can do serious damage. Because your admins won't need global admin rights for most day-to-day activities, you can have them temporarily elevate their accounts by activating their admin role assignments in Azure AD Privileged Identity Management on an as-needed basis. This limits the risk of an admin making an accidental change. 

By following these steps when delegating admin rights, you can improve security while making the life of your admins far easier.