Delegate365 is an easy-to-use, web-based portal for delegated user and license management in Microsoft Office 365.
In addition, in order to better utilize IT department resources, Delegate365 enables you to automate tasks such as auditing, auto-assigning licenses and policies, and reporting.

Many large companies using one Office 365 tenant want to delegate and audit their Office 365 users, licenses and groups. In order to better utilize IT department resources, they may seek to automate tasks such as creating new users, managing self-service password reset, auto-assigning licenses, and reporting.
Delegate365 fills this need. The Delegate365 Software-as-a-Service product allows you to delegate user roles and responsibilities within one organization.
In the Microsoft Office 365 Online portal, global administrators can use roles for privileged users to execute special tasks like user and group management. In fact, such users can administer all users or all licenses. That´s ok for small companies and associations. In medium to large organizations, it´s necessary to ensure that administrators or business office managers can administer only their own units.
In Delegate365, instead of using standard roles, the portal administrators can define any number of Organizational Units (OUs) and who shall administer a unit and what licenses a unit can use. The business administrators can manage their own users and create their own global distribution lists and execute much more delegated operations. Delegate365 simplifies these tasks and works as a new standard portal with advanced management features.

Typical customers of Delegate365 are larger businesses, companies with some departments or locations, franchises, educational facilities, schools, clubs, associations and groups who share one single Microsoft Office 365 tenant and want to use delegated administrators for managing only their own units.
There are many scenarios where the delegation of user management makes sense. IT departments can be relieved of basic tasks; central administration only needs to define the business managers and the organizational units. From that point on, the administrators can manage their own units in an easy-to-use web portal: Delegate365.

Yes. Please fill out the form at the end of this page or contact us. We will provide a test scenario for 20 days free of charge.

Delegate365 works as a layer on top of Microsoft Office 365. All operations are directly made in Microsoft Azure Active Directory.
The delegation uses organizational units (OUs) where you’ve previously defined which administrator can manage specific units, domains and licenses. Microsoft Office 365 knows nothing about the additional management layer. All users are simply Microsoft Office 365 users with no special roles.
You can also manage domains, groups, users and distribution lists in the Microsoft Office 365 online portal or via PowerShell as well as directly in Delegate365. New objects must first be assigned in Delegate365 by the portal administrator to be visible for the delegated admins.
The idea is that the Delegate365 portal replaces the Microsoft Office 365 online portal for all daily tasks concerning user and license management.
Technically, Delegate365 is based completely on Microsoft Azure and runs fully in the Microsoft cloud.

Yes. Delegate365 supports ADFS and AAD Connect (formerly known as DirSync) scenarios in the same way as the Office 365 portal. In Delegate365, synced domains and users are visible and group and license memberships are manageable. Using Delegate365, an administrator can assign users to groups and change the Office 365 licenses but cannot modify the user object itself because it´s managed in a local federated Active Directory. Microsoft Azure Active Directory handles federated objects differently, so these objects are not "full manageable" objects; they can be read but not changed.
With Azure Active Directory Premium and AAD Connect with WriteBack functionality, objects can be changed online and committed to the local AD. Delegate365 will support that scenario as well.

Absolutely! Since Office 365 uses Azure Active Directory, Delegate365 can manage all data. Office 365-specific features like licenses, user aliases or distribution list management are hidden or not functional in that case.

In the Microsoft Office 365 role concept, there´s no delegation built in. Delegate365 fills that gap and offers an easy-to-use list where each object belongs to an organizational unit (OU). This is a simple string where a portal administrator can define any number of units, like locations, departments or any other logical information. Each administrator can manage any number of OUs. Each user belongs to one OU. So, the concept is simple and it´s exactly defined which user can be administered by which administrator.

Yes. Simply edit a user and change their OU.
Example: Admin Anne is responsible for the OU´s Berlin and London. She changes the OU of user John from Berlin to London.
Admin Paul is responsible for the OU London. Now he is able to edit user John, because he now is assigned to OU London.
Both admins now can administer user John both can see the overlapping OU London.

Yes! With Delegate365 you get informal or enforced license quotas, license restrictions for a specific administrator if needed, friendly license names, auto-assignment of licenses and current and history statistics of licenses used in your tenant per organizational unit! There's a workflow for license ordering included as well. License management, license quotas, reporting of license usage and automation are key features of Delegate365.

Yes, absoluteley. A switch Enforce quota controls if defined licenses quotas are informal or enforced.
Example: If the OU London has a license quota of 10 and Enforce is set to ON, the scope administrators only can use 10 licenses - and not more. If a new 11th user is created, this user cannot get an Office 365 license for that plan. Of course, the license can be removed from another user and given to the new user, but the admin only has this 10 licenses available.
If the Enforce flag ist not set to OFF, the license quote is informational and admins can use more licenses than they have available in their OU.
Anyway, if OUs need more licenses, they can start a simple workflow in Delegate365 for requesting more licenses from the license admin or the portal admin. Most customers use enforced license quotas and license restrictions to allow only a set of specific licenses for OUs.

Yes. If you create, edit or delete users in Delegate365, all changes are made directly in Microsoft Azure Active Directory.
If you create users in the Microsoft Office 365 online portal, they have no OU, because Microsoft Office 365 doesn´t know anything about the organizational units in Delegate365. So only the Delegate365 portal administrator sees these users and can assign them to OUs for further delegated administration. See the next topic about this procedure.

If there are existing users in Microsoft Office 365 or users are created without Delegate365 directly in the Microsoft Office 365 online portal, these users are, by default, not visible to Delegate365 administrators. The portal administrator uses a list named "assign OU" where they can see all users without OU. There they can filter and mass assign some or all users to one OU.
As you would expect, users who have been assigned to an OU disappear from this list. Another feature of Delegate365 is that you can have rules activated for users with specific properties set. For example, users with a specific location property can be automatically set to the corresponding OU.
Administrators then can see the new users if they are in one of their OUs.

Yes! With Delegate365 we added a User Self Password Reset (SPR) feature. If the admin had deposited a notification for the specific user (email or SMS), the user can perform a self-password reset. When resetting the password, the user can decide if they want to receive the necessary security code via email or SMS. Then they receive the code and get a temporary password on the Delegate365 website. With that they can login and then change the password to their own individual password.
Allowing users to reset their passwords simplifies administrative effort. This feature is integrated in Delegate365. IT departments have no need to buy Azure Premium licenses just for their users to perform self-service password resets. Use Delegate365!

Yes. You need to have an Office365 tenant and a global admin to bind your tenant to your Delegate365 instance.
If you do not have an Office 365 tenant, you can create a new tenant here and use that as your demo tenant in Delegate365. and use that as demo tenant in Delegate365.

You’ll find prices on our prices page. Delegate365 is priced based on the number of users to be managed. For packages with more than 1,000 users, please contact us for a quote. All prices are in USD or EURO excluding VAT. Errors and omissions excepted. The prices include hosting on Microsoft Azure and all upgrades for the time of the Delegate365 contract duration. You can find our prices for the small packages in the prices page. For packages with more than 1,000 users, pls. contact us for a quote. All prices are in USD or EURO excluding VAT. Errors and omissions excepted.
The prices include hosting on Microsoft Azure and all upgrades for the time of the Delegate365 contract duration.

No, not now. The current version is designed so that each customer gets their own Delegate365 instance. This means each customer gets his own portal and database in their desired region. If there is enough demand, we may offer a multi-tenant solution for smaller instances.

Delegate365 caches only the minimum data required for delivering a good user experience. All operations are executed directly against Office 365 services and consumed from the Microsoft APIs. Delegate365 stores your data where you decide: In a Microsoft Azure datacenter of your choice, see Azure Regions. You decide where your data is stored!

No. Delegate365 caches the necessary data directly from Azure Active Directory (AAD). We can store as many objects as AAD can handle. Delegate365 can work with many thousands of users rapidly and loads all data asynchronously on demand from its cache. Delegate365 is built for large amounts of data and allows quick and easy access to all data.

Some actions such as requesting licenses or resetting passwords can trigger a notification. The admins define if and how notifications are sent. By default, notifications are sent as email with Office 365.

If you are a scope or portal administrator in Delegate365 and your users list does not show the expected users, there are three things to check:

  • First, run a SyncOp to ensure that Delegate365 operates with the latest data.
  • Second, the portal admin of Delegate365 may not have assigned the corresponding domains for your admin account.
  • Third, the users may not be assigned to your OU.

The user list shows all users with a) the same OU as the admin, and b) where the user's domain (the user’s UPN) is also assigned to the scope admin. Both conditions must apply. So maybe the assignment of the domains or to the OU is missing. Please contact your portal admin to check these assignments. If this is done, all users must instantly show up in your users list. Refresh the users list if necessary.

Delegate365 confirms saving an object with a green box (OK) in the bottom right corner if the operation was successful or with a red box if an error occurred. So, for example, when setting an alias for an existing user, a message similar to this one can occur:
Execution exception: Cannot process argument transformation on parameter 'EmailAddresses'. Error: "The value 'SMTP:john.doe@contoso.com' is already present in the collection."
Office 365 returns this message if a desired condition is not valid. Delegate365 loops through such errors to inform the admin that there was an error and the operation could not be completed. In this sample, the email address 'SMTP:john.doe@contoso.com' is already present in a (another) mailbox as primary email address (SMTP is in upper case). So, the admin needs to use another email alias or remove the old email address to make it reusable again in the Office 365 tenant.

Delegate365 software is licensed per user who shall be managed with the solution. We count all users who are visible in the users list to be managed in Delegate365. For more information, please see the licensing article.

Yes. Portal administrators can remove the permission to manage mailboxes for each scope administrator in the Administration | Manage administrator's menu. If the scope administrators cannot access the mailbox settings, they cannot set permissions and therefore are not able to assign permissions to themselves or other users. This is a common scenario and Delegate365 enables control for this feature to specific administrators.

No, not directly. Since Delegate365 is for the management of objects and not for working with data (as mailbox content), we recommend that you set "Full Access" mailbox permissions in Delegate365 for the desired mailboxes. Then use an email client such as Outlook to export data from that mailbox. Another option to access mailbox content is to use eDiscovery. eDiscovery is usually used as evidence in legal cases or to set a mailbox on hold. With eDiscovery, administrators can search content over the Office 365 tenant, but they cannot export mailbox content into a PST file.

If the SyncOp throws errors, the most common reason is that the defined Exchange administrator is no longer valid. When checking the details of a SyncOp, you may see a message similar to this one:
Connecting to remote server ps.outlook.com failed with the following error message: Access Denied
In this case, renew the Exchange administrator credentials and test them in Delegate365 using the button for checking if the credentials work in the administration menu. Then wait or rerun the SyncOp manually to see if the SyncOp works again.

With Delegate365 version 6, the logfiles are persisted in Azure storage and can be easily exported. Also, the logfile format has changed so that the audit logs can be used directly with the Delegate365 Power BI dashboard for custom visualization.

We align with Microsoft Online Services and offer Delegate365 with a fixed term for the first year. After the first year, the service can be cancelled quarterly.

The activation of Delegate365 can happen instantly. The provisioning just needs a manual approval and usually takes about one work day. Then the Delegate365-portal is available and can be used for delegations and automations.

If you want to buy Delegate365, please buy it online at http://delegate365.com/prices or contact us via email. We can send you a custom link for paying the fee for the first year with PayPal or credit cards.

Yes, anytime. The number of users to be managed defines the price of Delegate365. Please contact us for an upgrade. This can be done any time and usually lasts for the remaining time of the initial service agreement.

Delegate365 is offered as Software-as-a-Services (SaaS) solution. This means that Delegate365 runs completely in the Microsoft cloud. Customers do not have to install anything on their servers or clients. Administrators can access Delegate365 using a web browser from anywhere. Updates and fixes are automatically provided by the producer. Updates for customers will be announced vie email and in our blog before the update is deployed.

Yes, we do. Please contact us with your requirements. We will send you a quote for support services.

Yes, we offer a partner program for resellers of Delegate365. If you represent an IT company, Delegate365 might be of value for you and your customers. Please contact us if you want to act as reseller or as partner. We just ask for a mutual NDA. Please contact us for further information.

If your test scenario has expired after 20 days and you want to continue to evaluate, please contact us. We can provide a new test scenario for you or extend an existing scenario. For using Delegate365 in a production environment, we recommend that you use a new, fresh Delegate365 instance.

No. When the Delegate365 demo expires, there is no impact on your Office 365 tenant, no worries. The Delegate365 setup only creates a Service Principal Name (SPN) in the AAD for accessing it. This SPN expires after one year, that’s Microsoft’s default for every SPN, and it can be deleted manually anytime. All Delegate365-specific data is stored in an encrypted SQL Azure database and Azure storage which is automatically deleted after the trial ends.

Delegate365 is a product of atwork-it.com, a Microsoft Gold Certified partner for more than a decade. We specialize in developing business solutions to address issues with Microsoft Office 365 and Microsoft Azure. You can find more information at our website,atwork-it.com.

We add new features to Delegate365 almost each month. Please see our a href="/changelog">Changelog or our blog or our blog for the latest information and new features. The Changelog can also be consumed as an RSS feed. Also, you can find new functions in the Delegate365 portal in the Notification Center. Additionally, see the roadmap in the Delegate365 website.