Decentralising User Management with Controlled Access Across a Global Organisation
Enabling regional IT teams to manage users locally while maintaining central governance, visibility, and security across Active Directory and Microsoft 365.
Non-profit sector. Client details have been anonymised, but the scenario reflects a real engagement.
Snapshot
- Industry: Non-profit / Charity
- Organisation size: Approximately 7,000 users
- Environment: Active Directory and Microsoft 365
- Challenge: Centralised bottlenecks and excessive privileged access across regions
- Solution: Delegated administration using a secure, role-based web portal with Adaxes
- Outcome: Regional autonomy with improved security and reduced privileged access
The Situation
The organisation operates across multiple countries, each supported by local IT teams responsible for managing users.
User management was either handled centrally—creating bottlenecks—or required granting elevated permissions to regional teams, increasing security risk. There was no structured way to balance local control with global governance.
The Challenge
- Need for regional IT teams to manage their own users
- Over-reliance on central IT creating delays
- Excessive privileged Active Directory permissions across regions
- Lack of controlled visibility between countries
- No consistent approach to managing Microsoft 365 resources
Why Change Was Needed
The organisation needed to empower regional IT teams without compromising security.
Granting full Active Directory permissions was not sustainable, while centralised management alone could not scale effectively across multiple countries.
A structured model was required to enable controlled delegation, ensuring each region could manage its own users without impacting others.
The Approach
Armstrong worked with the organisation to design a delegated administration model aligned to Active Directory and Microsoft 365. The design work covered:
- Designing a web-based management portal for regional IT teams
- Restricting visibility based on country and organisational structure
- Defining role-based access for safe delegation
- Implementing central oversight for head office
- Extending management to Microsoft 365 services
The focus was on enabling local autonomy while maintaining consistent control and governance.
The Engagement
Armstrong worked with the organisation to replace direct Active Directory access with a controlled, role-based model for user and group management.
The engagement focused on enabling regional IT teams to operate independently within defined boundaries, removing the need for elevated permissions while maintaining full oversight at a central level.
This created a scalable operating model that supports global growth without increasing risk or complexity.
The Solution
A secure, web-based management platform was implemented using Adaxes, providing controlled delegation across all regions. It provides:
- Role-based web portal for regional IT teams
- Visibility restricted to users and groups within each region
- Ability to create, modify, and deprovision users locally
- Management of Microsoft 365 licences and Teams groups
- Centralised control of Microsoft Teams group creation
- Head office portal with full visibility across all regions
- Removal of native Active Directory privileged permissions
What This Replaced
- Centralised IT bottlenecks for user management
- Broad privileged access within Active Directory
- Lack of visibility control between regions
- Inconsistent management of Microsoft 365 resources
How It Works in Practice
User and group management is now decentralised but fully controlled through a structured platform.
- Regional IT teams only see and manage their own users
- User lifecycle tasks are handled locally through defined workflows
- Microsoft 365 licences and Teams groups are managed through the portal
- Head office maintains full visibility and oversight
- All changes are performed without direct Active Directory access
The Outcome
The organisation achieved a balance between regional autonomy and central governance, improving both efficiency and security.
- Regional IT teams empowered to manage their own users
- Reduced workload on central IT
- Significant reduction in privileged Active Directory access
- Improved security through controlled delegation
- Consistent management of users, groups, and Microsoft 365 services
- A scalable model for global operations
Key Takeaways
- Delegation enables scalability in global organisations
- Visibility control is essential in multi-region environments
- Removing native AD permissions significantly improves security
- Central governance can coexist with regional autonomy
- A single platform simplifies identity and access management