Microsoft 365 - Maintaining Domain Administrator Access
As a UW-Madison Office 365 Domain Administrator, it is your responsibility to maintain the list of people who are able to access the Domain Delegated Administration tools available in the Wisc Account Administration portal. These tools allow administrators to create and delete service and resource accounts in Office 365 and to add or remove alias email addresses. Access to these tools should be limited to IT staff who have a complete understanding of Office 365 and of how the accounts they create are being used.
Access to Domain Administration tools is determined by membership in a Manifest group that is specific to each domain. For example, if your domain is doit.wisc.edu, then the path to the Manifest group that determines access is uw:app:uac:role:domain:doit.wisc.edu.
When a new domain is created, the corresponding Manifest group will contain at least one member, usually the person who requested the domain. Once you receive access to your new domain Manifest group, you will need to take an active role in maintaining the membership of your group.
Not familiar with Manifest?
Manifest is a service provided and supported by the Identity and Access Management team (IAM). If you have never used the Manifest service, there are a couple of knowledgebase articles maintained by IAM that you should read:
Manifest - Getting Started
Manifest - Manage Group Members
Initially, it is fine to add people (NetIDs) directly to the Manifest group that you were provided with when you received access to your domain (e.g. uw:app:uac:role:domain:doit.wisc.edu). However, we recommend that you use your own Manifest group to manage your domain administrators, as described in the next section.
Using your own Manifest group
For better control over your team’s access to Domain Administration tools, we recommend that you replace individual NetIDs in the domain Manifest group (e.g. uw:app:uac:role:domain:doit.wisc.edu) with a Manifest group that you have full control over.
If you or your team do not already use Manifest, you will need to request a Manifest folder of your own. Once you have a Manifest folder, you can create Manifest groups that your team can own and maintain.
Manifest - Request a Manifest Folder
Manifest - Create a Group
Manifest - Manage Group Members
Once you have your own Manifest group, you can add it as a member of the domain Manifest group (e.g. uw:app:uac:role:domain:doit.wisc.edu).