Quest Nova provides granular Delegation and Policy Control for Microsoft 365, enabling you to assign pre-defined roles and responsibilities to specific users, such as help desk operators, country-level administrators, or end-users. Nova also includes policy-based automation for authorization, service configuration and license assignment.
This guide helps you get started with Delegation and Policy Control as a delegated administrator. It includes:
·overviews of the Manage and Manage Administration tabs
·examples of actions that can be completed by a delegated administrator
For a more in-depth guide on using Quest Nova, see the Nova technical documents. The Quest Nova User Guide has more information on:
·Custom PowerShell execution and delegation
·additional policy examples
·more actions for delegated administrators
It is recommended that you undertake Nova training before using the application to get a better understanding of the platform. To sign up to Nova learning, click here.
To access Delegation and Policy Control, you will need a subscription to Nova that includes support for management, and support will provision your organization during the on-boarding process.
Users of the Nova application can be assigned one or more roles. Each role provides functionality in the Nova application itself. Roles can be combined. The following is a list of the roles, and what they give access to:
Account Administrator
This role gives access to create and manage policies in Delegation and Policy Control. In addition, audit logs can be viewed to see how the policies have been used by delegated administrators. There are several other administrative functions which are shown in this screenshot:
Auth Policy Admin
This gives users the ability just to manage authorization policies within Nova. The option to get into Authorization Policies will be enabled in the Manage Administration menu.
Auth Policy administrators can also delegate certain subsets of custom PowerShell commands to selected users, which can be organized in an organizational unit hierarchy. It is advised that Auth Policy Admins create dedicated organizational units exclusively for PowerShell scripts.
Autopilot Classic
This role is the most appropriate one to assign to a delegated administrator. It gives access to perform allowed actions against users, mailboxes, groups, contacts and Microsoft Teams. What the user will be able to do is governed by the policies which are applied to them and were configured by someone with at least the Account Administrator role.
Config Policy Admin
This gives users the ability just to manage configuration policies within Nova. The option to get into Configuration Policies will be enabled in the Manage Administration menu.
IT Administrators
This gives a user the ability to use Nova, but restricts them from changing the configuration or security of Nova itself.
License Admin
This gives people the ability to create and maintain License Policies. The option will be available on the Manage Administration menu.
Organizational Unit Admin
This gives users the ability to maintain virtual organizational units. The Tenants option will be available on the Manage Administration menu.
System Administrator
This role gives access to the Tenant Management System, and does not give any direct access to the Nova application (unless it is combined with other roles).
Examples of combining roles
If a user needs to be able to create authorization policies, and perform actions on customer tenants (such as password resets, maintaining groups, adding Microsoft Teams etc.), then they should be assigned these roles:
·Account Administrator
·Autopilot Classic
If someone needs to be able to access reporting data, and perform actions on customer tenants (such as password resets, maintaining groups, adding Microsoft Teams, and so on) then they should be assigned these roles:
·Autopilot Classic
·Radar Classic
Granting Account Administrator
The following should be considered when assigning roles:
·The Account Administrator role does not work on its own. It needs to be combined with the Autopilot Classic role.
An administrator can authorize others within the organization to have specific delegated administrative rights. This section describes some ways rights might be delegated within an organization.
Managing direct reports
For example, an administrator could give sales managers the ability to manage certain attributes and/or rights of the individual sales team members without any additional rights granted either on-premises or in Microsoft 365 for those sales managers. Here is how it looks:
Self service
An administrator might want to give certain users the ability to manage some of their own access or information. For example, some executives might be able to log in to Nova and grant themselves access to resources/information without calling the helpdesk to get access.
Similarly, you might configure a policy that enables all employees to use Nova to update some of their basic information (for example, their phone number and address). This is called the self service option. Here is how it looks:
Delegated administration within an organizational unit
Finally, an administrator might want to set up someone within an organizational unit to manage access of others within that organizational unit. For example, you might have an organizational unit containing employees who work in a certain office location. You might assign administrative rights to the site manager or administrative assistant. It could look like this:
The Manage tab is accessible by administrators and delegated administrators to view and edit certain objects in their Microsoft 365 environment, including its: