Delegate collaboration management without over-privileging anyone.
Five built-in roles — from End-User to Global Admin — give every person in Teams exactly the scope their job needs, so business teams move fast without over-privileging anyone.
If only IT can manage everything, the business waits.
When the only way to delegate a task is to grant broad admin rights, accounts accumulate access they rarely use and never lose. Each one widens the blast radius of a mistake or a compromise, and turns every access review into a fire drill. But if too many people get broad permissions, risk increases. The right model is delegated control with clear scope — and an audit trail that proves it.
Routine work demands elevated rights, so the list of privileged accounts only ever grows.
One over-privileged account is one mistake or breach away from affecting the whole tenant.
Template authoring, integration config and maintenance collapse into a single all-powerful role.
Without clear role boundaries, proving who can do what becomes guesswork at audit time.
Least-privilege access — built into the role model.
nBold's roles are designed so that delegation no longer means escalation. Give each role exactly the access its job requires — template authoring, integration configuration, bulk operations, or full administration — and keep everything else out of reach.
Each role exposes only the actions its holder needs — template authoring, integration config, cleanup or full administration. Nothing more.
Routine maintenance no longer requires Global Admin. Delegate bulk operations and tenant upkeep to the Teams Service Admin role instead.
Authoring templates, wiring CRM integrations and running cleanups are distinct responsibilities — held by distinct people, not one over-privileged account.
Privileged actions are logged against the role that performed them, so access reviews and compliance checks have a record to work from.
Five roles, cleanly separated.
Each role draws from a defined set of capabilities. Assign the ones that match the work — roles are additive, so a person can hold more than one without inheriting full administration. Privileged actions are logged against the role that performed them, so access reviews have a record to work from.
| nBold role | What it can do | Scope | Typical user |
|---|---|---|---|
| End-User | Requests and uses workspaces provisioned from approved templates. | Self-service only | Regular employee |
| Catalog Manager | Creates and manages workspace templates and the catalog they appear in. | Templates & catalog | Template author / digital workplace lead |
| Integration Manager | Configures nFlow integrations that connect business systems to Microsoft Teams. | Integrations | RevOps / integration owner |
| Teams Service Admin | Runs bulk operations and tenant maintenance — without Global Admin rights. | Bulk ops & maintenance | IT helpdesk / tenant admin |
| Global Admin | Full administrative control across nBold configuration, roles and governance. | Everything | IT leadership |
nBold acts on your Microsoft 365 tenant through the Microsoft Graph API, under a service account you control. ISO 27001 certified and SOC 2 Type II certified.
How least-privilege plays out in practice.
A workable model is not about locking everyone out — it is about giving each group precisely the reach its work calls for, and stopping there. Business owners manage their templates and processes without IT involvement. IT handles governance, lifecycle, and bulk operations without exposing tenant-wide admin credentials.
Most people are End-Users
The majority of your organization only ever requests and uses workspaces. They never touch templates, integrations or governance — and they do not need to.
Delegate authoring and integration
Hand template creation to Catalog Managers and CRM-to-Teams automation to Integration Managers. Each gets a focused role scoped to that work alone.
Delegate maintenance without Global Admin
Give helpdesk and tenant-admin staff the Teams Service Admin role so they can run bulk cleanups and routine upkeep — without elevating them to Global Admin.
Reserve full administration
Keep Global Admin for the few in IT leadership who genuinely need tenant-wide control. The blast radius of any single account stays small.
Part of the wider governance model.
Roles decide who can act. Governance defines the guardrails they act within. Security guarantees where that action runs — inside your tenant, via the Microsoft Graph API, under controls you own. Together they let IT delegate confidently without losing oversight.
Governance
Naming, labels, membership, approvals, and lifecycle — the guardrails each role operates within, applied per template across the estate.
Explore GovernanceSecurity
Runs through the Microsoft Graph API under a service account you control. ISO 27001 and SOC 2 Type II certified.
Explore SecurityBulk operations
Filter and act across the estate — delegated to Teams Service Admins, not Global Admins, with every action in the audit trail.
Explore Bulk operationsFrequently asked questions
What roles does nBold support?
nBold supports five delegated roles: End-User, Catalog Manager, Integration Manager, Teams Service Admin, and Global Admin. Each is scoped to the work it covers — template authoring, integration configuration, bulk operations and maintenance, or full administration — so the right people can move quickly without over-privileging anyone.
Why delegate administration rather than use one admin account?
Delegation lets business owners manage their templates and processes without IT handling every update. It also reduces risk — template authors get Catalog Manager, helpdesk staff get Teams Service Admin for cleanups, and full Global Admin reach stays reserved for the few who genuinely need it.
Does RBAC help compliance?
Yes. Least-privilege access reduces the blast radius of any single account, and every privileged action — bulk operations, template changes, integration configuration — is logged against the role that performed it. That record supports access reviews, change management, and compliance reporting. nBold is ISO 27001 certified and SOC 2 Type II certified.
How do nBold roles relate to Microsoft 365 and Entra ID roles?
nBold roles control what a person can do inside nBold — request workspaces, manage templates, configure integrations, run bulk operations. They sit alongside your existing Microsoft 365 and Entra ID roles rather than replacing them, and every action still executes through the Microsoft Graph API under permissions you control.
Can one person hold more than one role?
Roles are additive. A person who both authors templates and configures nFlow integrations can hold the Catalog Manager and Integration Manager roles together, while still being kept out of tenant-wide administration.
Delegated control without over-privileging anyone.
See how nBold maps every collaboration responsibility to a scoped role — so IT can delegate confidently, compliance reviews have a clear audit trail, and Global Admin access stays rare.