FAQ

Delegate365 is an easy-to-use, web-based portal for delegated user and license management in Microsoft Office 365.
In addition, to make better use of IT department resources, Delegate365 lets you automate tasks such as auditing, auto-assigning licenses and policies, and reporting.

Many large companies using one Office 365 tenant have the need to delegate and audit their Office 365 users, licenses and groups. In order to better utilize IT department resources, they may seek to automate tasks such as creating new users, managing self-service password reset, auto-assigning licenses, and reporting.
This is where our solution Delegate365 comes in. We have developed this Software-as-a-Service product to fill the gap to enable the delegation of user roles and responsibilities within one organization.
In the Microsoft Office 365 Online portal, global administrators can use roles for privileged users to execute special tasks like user and group management. In fact, such users can administer all users or all licenses. That's OK for small companies and associations. In medium to large organizations, it's necessary to ensure that administrators or business office managers can administer only their own units.
In Delegate365, instead of using standard roles, the portal administrators can define any number of Organizational Units (OUs), who administers each unit, and what licenses a unit can use. The business administrators can manage their own users, create their own global distribution lists and execute many more delegated operations. Delegate365 simplifies all these tasks and works as a new standard portal with advanced management features.

Typical customers of Delegate365 are larger businesses, companies with several departments or locations, franchisers, educational facilities, schools, clubs, associations and every group that uses a single Microsoft Office 365 tenant and wants delegated administrators to manage only their own units.
There are many scenarios where the delegation of user management makes sense. IT departments can be relieved: central administration only needs to define the business managers and the organizational units. From then on, the administrators can manage their own units in an easy-to-use web portal: Delegate365.

Yes. If you want to test Delegate365 please fill out the form at the end of this website or contact us. We will provide a test scenario for 20 days free of charge.

Delegate365 works with a layer on top of Microsoft Office 365. All operations are directly made in Microsoft Azure Active Directory.
The delegation uses organizational units (OUs), which define which administrator can manage which units, which domains and which licenses. So, Microsoft Office 365 knows nothing about the additional management layer. All users are simple Microsoft Office 365 users with no special roles.
That's why you can, of course, also manage domains, groups, users and distribution lists in the Microsoft Office 365 online portal or via PowerShell as well as directly in Delegate365. New objects have to be assigned in Delegate365 by the portal administrator(s) to be visible to the delegated admins.
The idea is that the Delegate365 portal replaces the Microsoft Office 365 online portal for all daily tasks such as user and license management.
Technically, Delegate365 is based completely on Microsoft Azure and runs fully in the Microsoft cloud.

Yes, Delegate365 supports ADFS and AAD Connect (formerly known as DirSync) scenarios in the same way as the Office 365 portal. In Delegate365, synced domains and users are visible, and group and license memberships are manageable. In Delegate365 the administrator can assign users to groups and change the Office 365 licenses but cannot modify the user object itself because it's managed in a local federated Active Directory. Microsoft Azure Active Directory handles federated objects differently, so these objects are not "fully manageable" objects: they can be read but not changed.
With Azure Active Directory Premium and AAD Connect with WriteBack functionality, objects can be changed online and committed to the local AD. Delegate365 will support that scenario as well.

Absolutely! Since Office 365 uses Azure Active Directory, it makes no difference for Delegate365 to manage all data. Office 365 specific features like licenses, user aliases or distribution list management are hidden or not functional in that case.

Well, in the Microsoft Office 365 role concept there's no delegation built in. Delegate365 fills that gap and offers an easy-to-use list where each object belongs to an organizational unit (OU). This is a simple string, so a portal administrator can define any number of units, like locations, departments or any other logical information. Each administrator can manage any number of OUs. Each user belongs to one OU. So the concept is simple, and it's exactly defined which user can be administered by which administrator.

Yes. Simply edit a user and change his OU.
Example: Admin Anne is responsible for the OUs Berlin and London. She changes the OU of user John from Berlin to London.
Admin Paul is responsible for the OU London. Now he is able to edit user John, because John is now assigned to OU London.
Both admins can now administer user John since both can see the overlapping OU London.

Yes! With Delegate365 you get informal or enforced license quotas, license restrictions for specific administrators if needed, friendly license names, auto-assignment of licenses, and current and historical statistics of licenses used in your tenant per Organizational Unit! There's a workflow for license ordering included as well. License management, license quotas, reporting of license usage and automation are key features of Delegate365.

Yes, absolutely. The Enforce quota switch controls whether defined license quotas are informal or enforced.
Example: If the OU London has a license quota of 10 and Enforce is set to ON, the scope admins can only use 10 licenses, and not more. If a new 11th user is created, this user cannot get an Office 365 license for that plan. Of course the license can be removed from another user and given to the new user, but the admin only has these 10 licenses available.
If the Enforce flag is set to OFF, the license quota is informational and admins can use more licenses than they have available in their OU.
In any case, if OUs need more licenses, they can start the simple workflow in Delegate365 for requesting more licenses from the license admin or the portal admin. Most customers use enforced license quotas and license restrictions to allow only a set of specific licenses for OUs.

Yes. If you create, edit or delete users in Delegate365, all changes are made directly in Microsoft Azure Active Directory.
If you create users in the Microsoft Office 365 online portal, they have no OU, because Microsoft Office 365 doesn't know anything about the organizational units in Delegate365. So only the Delegate365 portal administrator sees these users and can assign them to OUs for further delegated administration. See the next topic about this procedure.

If there are existing users in Microsoft Office 365, or users are created without Delegate365 directly in the Microsoft Office 365 online portal, these users are by default not visible to Delegate365 administrators. The portal administrator uses a list "assign OU" where he can see all users without an OU. There he can filter and mass-assign some or all users to one OU.
Users with an OU disappear from this list. Optionally, as a feature, rules can be activated so that users with specific properties set, for example with a filled-out location property, are automatically assigned to the corresponding OU.
Administrators can then see the new users if they are in one of their OUs.

Yes! With Delegate365 we added a User Self Password Reset (SPR) feature. If the admin has stored notification details (email or SMS) for the specific user, the user can perform a self password reset. When resetting the password, the user can decide whether he wants to receive the necessary security code via email or SMS. Then he receives the code and gets a temporary password on the Delegate365 website. With that he can log in and then has to change the password to his own, individual password.
This function reduces the administrative effort because users can perform this reset on their own. This feature is integrated in Delegate365. So IT departments have no need to buy Azure Premium licenses just for their users to perform self-service password reset. Use Delegate365!

Yes. You need to have an Office 365 tenant and a global admin to bind your tenant to your Delegate365 instance.
If you do not have an Office 365 tenant, you can create a new tenant here and use that as a demo tenant in Delegate365.

You can find our prices for the small packages starting with 250 users on the prices page. For packages with more than 1,000 users, please contact us for a quote. All prices are in USD or EURO excluding VAT. Errors and omissions excepted.
The prices include hosting on Microsoft Azure and all upgrades for the time of the Delegate365 contract duration.

No, not now. The current version is designed so that each customer gets its own Delegate365 instance. This means each customer gets his own portal and database in his desired region. Maybe we plan to offer a Multi-Tenant solution for smaller instances in the near future if there's a demand for such scenarios.

In Delegate365 we cache only the most necessary data for delivering a good user experience. All operations are executed directly against the Office 365 services and consumed from the Microsoft APIs. Delegate365 stores your data where you decide: In a Microsoft Azure datacenter of your choice, see Azure Regions. So you decide where your data is stored!

No. In Delegate365 we cache the necessary data directly from Azure Active Directory (AAD). We can store as many objects as the AAD can handle. Delegate365 can work with many thousands of users rapidly and loads all data asynchronously on demand from its cache. Delegate365 is built for large amounts of data and allows quick and easy access to all data.

Some actions, for example requesting licenses or resetting passwords, can trigger a notification. The admins define if and how notifications are sent. By default, notifications are sent as email with Office 365.

If you are a scope or portal administrator in Delegate365 and your users list does not show the expected users, there are three things to check: First, run a SyncOp to ensure that Delegate365 operates with the latest data. Secondly, the portal admin of Delegate365 may not have assigned the corresponding domains to your admin account. Thirdly, the users may not be assigned to your OU. The user list shows all users with a) the same OU as the admin and b) where the user's domain (from the user's UPN) is also assigned to the scope admin. Both conditions must apply. So the assignment of the domains or of the OU may be missing. Please contact your portal admin to check these assignments. Once this is done, all users must instantly show up in your users list. Refresh the users list if necessary.
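
The two-condition visibility rule above can be modelled to explain why a given user is missing from a scope admin's list. This is an added illustration, not Delegate365 code: the ScopeAdmin and User classes, the gap labels and the sample accounts (including fabrikam.example) are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Set, List

@dataclass
class ScopeAdmin:              # hypothetical model of a scope admin's assignments
    name: str
    ous: Set[str]
    domains: Set[str]

@dataclass
class User:                    # hypothetical model of a directory user
    upn: str
    ou: Optional[str] = None   # users created outside the portal have no OU

def upn_domain(upn: str) -> str:
    """Domain part of a UPN, lower-cased for comparison."""
    return upn.rsplit("@", 1)[-1].lower()

def visibility_gaps(admin: ScopeAdmin, user: User) -> List[str]:
    """Reasons the user is hidden from this admin; an empty list means visible."""
    gaps = []
    if user.ou is None:
        gaps.append("no-ou")                # shows up only in the "assign OU" list
    elif user.ou not in admin.ous:
        gaps.append("ou-not-in-scope")
    if upn_domain(user.upn) not in {d.lower() for d in admin.domains}:
        gaps.append("domain-not-assigned")
    return gaps

def visible_users(admin: ScopeAdmin, users: List[User]) -> List[str]:
    """Both conditions must hold: the OU matches AND the UPN domain is assigned."""
    return [u.upn for u in users if not visibility_gaps(admin, u)]

# Constructed sample data, reusing the names from the OU example on this page.
PAUL = ScopeAdmin("Paul", ous={"London"}, domains={"contoso.com"})
USERS = [
    User("john.doe@contoso.com", "London"),
    User("mary@fabrikam.example", "London"),   # right OU, domain not assigned
    User("kim@contoso.com", "Berlin"),         # right domain, OU out of scope
    User("new.hire@Contoso.com"),              # created outside the portal
]

if __name__ == "__main__":
    for u in USERS:
        print(u.upn, visibility_gaps(PAUL, u) or "visible")
```
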

Delegate365 confirms saving an object with a green box (OK) in the bottom right corner if the operation was successful or with a red box if an error occurred. So, for example, when setting an alias for an existing user, a message as follows can occur:
Execution exception: Cannot process argument transformation on parameter 'EmailAddresses'. Error: "The value 'SMTP:john.doe@contoso.com' is already present in the collection."
Such a message is returned from Office 365 if a required condition is not met. Delegate365 passes such errors through to inform the admin that there was an error and the operation could not be completed. In this sample, the email address 'SMTP:john.doe@contoso.com' is already present in another mailbox as primary email address (SMTP is in upper case). So the admin needs to use another email alias, or remove the old email address to make it reusable again in the Office 365 tenant.

The licensing in Delegate365 works per user who shall be managed with the solution. In Delegate365 we count all users which are visible in the users list and shall be managed in Delegate365. For more info, please see the licensing article.

Yes. Portal Admins can remove the permission to manage mailboxes for each Scope Administrator in the administration / manage administrator's menu. If the Scope Admins cannot access the Mailbox settings, they cannot set permissions and therefore are not able to assign permissions to themselves or other users. This is a common scenario and Delegate365 enables control for this feature to specific administrators.

No, not directly. Since Delegate365 is for the management of objects and not for working with data (such as mailbox content), we recommend setting "Full Access" mailbox permissions in Delegate365 for the desired mailboxes. Then use an email client such as Outlook to export data from that mailbox. Another option to access mailbox content is to use eDiscovery. eDiscovery is usually used as evidence in legal cases or to set a mailbox on hold. With eDiscovery, admins can search content over the Office 365 tenant, but you cannot export mailbox content into a PST file.

If the SyncOp throws errors, the most common reason is that the defined Exchange Admin is no longer valid. When checking the details of a SyncOp you will see a message similar to:
Connecting to remote server ps.outlook.com failed with the following error message: Access Denied
In that case, renew the Exchange administrator credentials and test them in Delegate365. There is a button in the administration menu for checking whether the credentials work. Then wait or rerun the SyncOp manually to see if the SyncOp works again.

With Delegate365 version 6, the logfiles are persisted in Azure storage and can be easily exported. Also, the logfile format has changed so that the audit logs can directly be used with the Delegate365 Power BI dashboard for custom visualization.

We align with Microsoft Online Services and offer Delegate365 with a fixed term for the first year. After the first year the service can be cancelled quarterly.

The activation of Delegate365 can happen instantly. The provisioning just needs a manual approval and usually takes about 1 work day. Then the Delegate365 portal is available and can be used for delegations and automations.

If you want to buy Delegate365 please buy it online at http://delegate365.com/prices or contact us via email. We send you a custom link for paying the fee for the first year with PayPal or credit cards.

Of course, anytime. The number of users defines the price of Delegate365. Please contact us for an upgrade. This can be done anytime and usually lasts for the remaining time of the initial service agreement.

Delegate365 is offered as a Software-as-a-Service (SaaS) solution. This means Delegate365 runs completely in the Microsoft cloud. Customers do not have to install anything on their servers or clients. Delegate365 is accessed by a web browser from anywhere. Updates and fixes are automatically provided by the producer. Updates for customers are announced via email and in the blog before the update is deployed.

Yes, we do. Please contact us with your requirements. We will send you a quote for support services.

Yes, we offer a partner program for resellers of Delegate365. If you are representing an IT company, Delegate365 might be of value for you and your customers. Please contact us if you plan to act as reseller or as partner. We just ask for a mutual NDA. Please contact us for further information.

If your test scenario has expired after 20 days and you want to continue to evaluate, please contact us. We can provide a new test scenario for you or extend an existing scenario. For using Delegate365 in a production environment, we recommend using a new, fresh Delegate365 instance.

No. When the Delegate365 demo expires, there is no impact on your Office 365 tenant, no worries. The Delegate365 setup only creates a Service Principal Name (SPN) in the AAD for accessing it. This SPN expires after one year (that's Microsoft's default for every SPN) and can be deleted manually anytime. All Delegate365 specific data is stored in an encrypted SQL Azure database and Azure storage, which are automatically deleted after the trial ends.

Delegate365 is a product of atwork-it.com. We have been a Microsoft Gold Certified partner for more than a decade and we are specialized in developing business solutions to address these issues with Microsoft Office 365 and Microsoft Azure. You can find more information at our website atwork-it.com.

Delegate365 is constantly developed and new features are coming almost every month. Please see our Changelog or our blog for the latest information and new features. The Changelog can also be consumed as an RSS feed. Also, you can find new functions directly in the Delegate365 portal in the Notification Center. Additionally, see the roadmap on the Delegate365 website.