Central admin work
Coordinate users, groups, licenses, billing, domains, support, reports, organization settings, service health, and Message center review from one controlled queue.
Turn service health, Message center, user and license work, admin roles, support cases, reports, and tenant changes into an accountable operating cadence with named owners, evidence, escalation criteria, and rollback discipline.
The Microsoft 365 admin center centralizes common tenant tasks, but Exchange, Teams, SharePoint, Intune, Entra, Defender, and Purview retain workload-specific administration. This runbook governs recurring work that begins in the central portal and then routes specialized changes to the correct owner and admin center.
Use this runbook when administrators need a repeatable cadence, ticket evidence, escalation thresholds, and handoff rules. Use the Microsoft 365 Services, Security, and Management Resource Center to choose the right workload guide, service, assessment, or architecture path.
Coordinate users, groups, licenses, billing, domains, support, reports, organization settings, service health, and Message center review from one controlled queue.
Route mail flow to Exchange, collaboration changes to Teams or SharePoint, devices to Intune, identity controls to Entra, and information governance to Purview.
Preserve the request, approver, before state, change result, validation evidence, exception, communication, and next review date in the system of record.
A runbook should name the role required for each action instead of treating Global Administrator as the default. Microsoft recommends limiting Global Administrator assignments and using narrower administrative roles wherever possible.
Use read-only roles for review, evidence collection, dashboards, and reporting. Global Reader, Reports Reader, and Usage Summary Reports Reader can support oversight without granting broad change authority.
Assign service-health visibility and support responsibilities without expanding access to unrelated tenant configuration. Document who can open cases, communicate status, and close incidents.
Give change coordinators access to announcements, weekly digests, and sharing workflows. Privacy messages require the separate Message Center Privacy Reader capability.
Separate identity lifecycle, subscription, purchasing, group ownership, and license-assignment duties. Link each privileged action to an approved ticket and business owner.
Keep emergency access accounts outside normal administration, test them on schedule, alert on their use, and route their maintenance through the Microsoft 365 Emergency Access Account Security Guide.
The cadence below prevents every portal item from becoming an emergency while keeping incidents, tenant-impacting changes, access decisions, and license waste visible to the right owner.
| Operational area | Primary role or owner | Minimum cadence | Evidence to retain | Escalate when |
|---|---|---|---|---|
| Service health | Service Support Administrator or Global Reader | Daily and during incidents | Incident ID, affected service, timeline, impact, workaround, status messages | Critical workflow is affected, the workaround fails, or Microsoft status conflicts with local evidence |
| Message center | Message Center Reader plus change owner | At least weekly | Post ID, rollout window, affected users, required action, pilot and communication plan | A default change affects security, data handling, support, integration, or compliance obligations |
| Users and groups | User Administrator or Groups Administrator | Ticket-driven | Request, approval, identity attributes, group memberships, completion and validation | Privileged access, sensitive data, legal hold, executive account, or unresolved ownership is involved |
| Licenses | License Administrator and business owner | Ticket-driven with monthly reconciliation | Assigned plan, business justification, feature dependency, cost center, exception date | The requested feature needs a higher plan, removal could affect retention, or spend exceeds approved variance |
| Administrative roles | Privileged Role Administrator or authorized identity team | Per change with weekly review | Role, scope, justification, approver, duration, activation evidence, removal date | Global Administrator is requested, standing access is proposed, or separation of duties cannot be maintained |
| Support cases | Named support coordinator | Daily until closure | Case number, severity, diagnostic data provided, timestamps, commitments, resolution and lessons learned | Response objectives are missed, business impact grows, or sensitive evidence needs controlled transfer |
| Reports and adoption | Reports Reader and service owner | Monthly | Reporting period, export time, privacy setting, license baseline, trend explanation and action | Usage changes materially, data is delayed or incomplete, or a recommendation conflicts with business requirements |
Identify the workload, business owner, affected population, security sensitivity, license prerequisite, dependencies, and required administrator role. Reject requests without accountable ownership.
Export or record current settings, assignments, memberships, screenshots, timestamps, related policies, and the restoration path before making a change.
Trace identity, mail, Teams, SharePoint, devices, applications, guest access, data protection, support, and automation dependencies. Define explicit stop criteria.
Use test accounts and a representative pilot group. Include remote users, executives, mobile platforms, shared resources, help desk workflows, and business-critical applications when relevant.
Confirm the requested result and the absence of material side effects. Record sign-in, mail, file, meeting, device, alert, report, or application evidence appropriate to the change.
Update the configuration record, notify stakeholders, schedule the next review, expire temporary access, attach evidence, and document residual risk or follow-up work.
Screenshots show appearance but may omit assignments, inheritance, policy scope, or hidden dependencies. Preserve exports, Graph/API evidence, ticket data, and workload-specific configuration records whenever the platform supports them.
Service health notices describe Microsoft’s current understanding. Your organization still needs local validation, affected-user analysis, workaround testing, and communication tailored to the business process.
The evidence package should let another qualified administrator understand who requested the work, what changed, why it was approved, how it was validated, and how to reverse or re-evaluate it.
Do not preserve sensitive exports indefinitely by default. Define access, storage, encryption, retention, disposal, and evidence-request procedures with legal, compliance, records, privacy, and security stakeholders.
For incident triage and planned service changes, continue with the Microsoft 365 Service Health and Message Center Review Guide. License requests should follow the License Assignment Governance Guide, while joiner and mover requests belong in the Microsoft 365 User Provisioning Workflow.
Administrative privilege needs their own control record. The Microsoft 365 Admin Role Security Guide addresses role selection, standing access, emergency recovery, and review evidence.
Use the Microsoft 365 Admin Center Security Review Tool for an initial gap check. It provides guidance only and does not replace a professional cybersecurity audit, compliance assessment, penetration test, or legal review.
When leadership needs an independent Microsoft 365 security review, consider OC Security Audit’s Microsoft 365 Security Audit.
Ali Hassani is a CISO, cybersecurity and IT consultant, and infrastructure leader with 25+ years of experience. His certifications include CISSP, CCISO, CCNP, CCNA, MCSE, MCSA Security, MCITP, MCP, and MCTS.
Microsoft changes admin-center navigation, capabilities, licensing, and release timing. Validate production procedures against current tenant behavior and Microsoft documentation before relying on a saved path or screenshot.
Review it daily and whenever users report a possible cloud-service issue. During an active incident, record Microsoft’s incident ID, local impact, workaround results, user communication, and the next review time.
No. Microsoft recommends limiting Global Administrator assignments and using the least-permissive role that can complete the task. Read-only reporting, Message center, support, user, license, groups, and billing responsibilities can use narrower roles.
Filter posts by service, rollout timing, affected audience, required action, platform, and compliance impact. Assign an owner and due date to relevant changes, then document the pilot, communication, validation, and exception decision.
Usage data is an input, not the entire decision. Confirm reporting delay, privacy settings, role permissions, workload dependencies, retention, shared-resource needs, leave status, and business ownership before removing a license.
Retain the request, approver, administrator role, before state, scope, dependencies, pilot population, validation results, communications, after state, rollback result, residual risk, and next review date.
No. It supports recurring operations and evidence discipline. A professional security audit independently evaluates configuration risk, control effectiveness, compliance readiness, and remediation priorities.
IT Perfection helps organizations in Irvine, Orange County, Los Angeles County, and Southern California manage Microsoft 365 administration, support, documentation, monitoring, licensing, and controlled improvement.
We use necessary cookies and limited analytics and advertising-measurement cookies. Select Accept to allow optional cookies or Deny to continue with necessary cookies only. No name or email is required. You may close this website at any time.