Enterprises strongly prefer reserving their Microsoft Global Admin credentials only when necessary. Some certifications (i.e. SOC2) require a very strict control on who has access at the highest level in IT Systems.

Microsoft Global Admin credentials are required to complete the Enterprise Registration and Direct Routing setup and the optional Teams Application setup. However, delegated Microsoft credentials can be used for all day-to-day tasks, such as adding, managing, and deleting Users.

The Microsoft User with this delegated authority must have Teams Service Admin and Skype Admin rights.

In some Microsoft Enterprises, delegation is a conditional setting that needs to be configured in Azure Active Directory. The Global Admin grants conditional consent to a delegated admin to perform a certain task. Yes, it is time-consuming and a pain, but it is also a good security measure.

Here is a table of the capabilities of each level of Microsoft credential:

Instructions

1. Navigate to Microsoft Admin Center >>Active Users
   
2. Select a User (not the Global Admin) and then select Manage Roles
   
3. Select Admin center access as seen in the picture below
   
4. Select Teams Service admin
   
5. Select Skype for Business admin (you must select Show all by category dropdown to see this option), then select Save changes.
   

Once changes are saved, the Microsoft User with these credentials can add and Manage Users. The Microsoft User will look like this in the Roles assignment: