Granular Roles-Based Access Control

Q: How does Callroute implement Granular access controls in Microsoft Teams?

In Callroute’s Orto platform, Security Groups must first be pre-created by the Orto service administrator to represent the access boundaries you want (e.g., USA, USA Execs, Sales).Users: Using Orto’s no-code wizard, you can build rules that automatically place Microsoft Teams users into these pre-created Security Groups. Rules can target:Entra ID attributes (e.g., country, department)Microsoft 365 group membership (e.g., “Sales”, “Executives”)If country = USA → place user into USA Security Group.If country = USA and department = Executive → place user into USA Execs Security Group.If member of 365 group = Sales → place user into Sales Security Group.Phone numbers: Orto service admins also assign phone numbers to Security Groups as a one-time setup task. This can be done directly in the Orto UI or, for large data sets, via spreadsheet import.Admins: Orto admins are then assigned to one or more Security Groups. When they log in, they only see and manage the Teams users and phone numbers belonging to those groups, and nothing else.This ensures access is tightly controlled, reflects your organisation’s structure, and adapts automatically as user attributes or group memberships change.

Delegate With Granular Roles-Based Access Control

Granular Roles-Based Access Control, part of Orto for Microsoft Teams, enables large organizations to delegate regional access to admins without losing central governance.

What Is Granular Roles-Based Access Control By Callroute?

Granular Roles-Based Access Control (RBAC) enables local IT teams to manage Teams user assignments, numbers, and policies strictly within their region or department. Using Granular RBAC, admin tasks can be decentralized while keeping compliance and governance centralized.

Compared to Roles-Based Access Control, Granular Roles-Based Access Control with Orto offers:

Greater flexibility in permission assignment
Improved security through least-privilege access
Enhanced delegation for specific teams or departments
Reduced administrative burden on IT
Better auditability and compliance reporting

Why Choose Orto For Microsoft Teams Granular RBAC?

Granular RBAC is included in Orto Pro plans, and can be managed quickly and easily using our portal.

Regional Delegation

Limit admin access for specific users & phone numbers.

Use Microsoft Attributes

365 groups or Entra data to associate membership.

Accelerated Operations

Enables local admins to handle tasks faster.

Compliance & Security

Eliminate the risk of admins modifying outside their remit.

How It Works

From your Orto dashboard:

No risk. No overreach. Just streamlined voice management at scale.

Granular RBAC That Scales With Your Business

Granular RBAC is tailor-made for the following types of businesses:

Multi-national enterprises requiring decentralized management of users.

Public sector organizations or bodies with strict access policies.

Organizations with multiple Teams tenants or regional support teams.

With Orto, you get a suite of voice automation tools that simplify and secure your Microsoft Teams Phone environment.

Granular RBAC is just one reason why Orto is the platform of choice for enterprises that take management of Teams Phone and security seriously.

Frequently Asked Questions

What is Granular Roles-Based Access Control (RBAC)?

Granular Roles-Based Access Control (RBAC) goes beyond traditional RBAC, which usually applies broad permissions across an entire platform. With Granular RBAC, organisations can assign very specific management access, down to individual Microsoft Teams users and phone numbers. This means you can control access by location, department, or geography.

For example, USA-based Orto admins can be restricted to only view and manage Teams users and phone numbers in the USA, without seeing data from other regions. Read more.

Why is Granular RBAC important for Microsoft Teams management?

Granular RBAC is important for Microsoft Teams management because it gives organisations precise control over who can manage what in Microsoft Teams. Instead of giving broad, platform-wide permissions, you can limit access to only the users, phone numbers, or locations an admin is responsible for. This improves security, reduces errors, and makes it easier to delegate day-to-day management without losing oversight.

How does Callroute implement Granular access controls in Microsoft Teams?

In Callroute’s Orto platform, Security Groups must first be pre-created by the Orto service administrator to represent the access boundaries you want (e.g., USA, USA Execs, Sales).

Users: Using Orto’s no-code wizard, you can build rules that automatically place Microsoft Teams users into these pre-created Security Groups. Rules can target:
- Entra ID attributes (e.g., country, department)
- Microsoft 365 group membership (e.g., “Sales”, “Executives”)
- If country = USA → place user into USA Security Group.
- If country = USA and department = Executive → place user into USA Execs Security Group.
- If member of 365 group = Sales → place user into Sales Security Group.
Phone numbers: Orto service admins also assign phone numbers to Security Groups as a one-time setup task. This can be done directly in the Orto UI or, for large data sets, via spreadsheet import.
Admins: Orto admins are then assigned to one or more Security Groups. When they log in, they only see and manage the Teams users and phone numbers belonging to those groups, and nothing else.

This ensures access is tightly controlled, reflects your organisation’s structure, and adapts automatically as user attributes or group memberships change.

Is granular roles-based access control compliant with security standards?

Yes, Orto’s granular RBAC is secured with Microsoft 365 SSO login, independently penetration tested by a third party, and delivered by an ISO 27001–accredited company.

Can I create custom roles with Callroute's Granular RBAC system?

Yes, Orto lets you assign custom roles to admin users within Security Groups, so each admin can have different permissions even if they manage the same set of users and numbers.

How does granular RBAC support service providers and MSPs?

For service providers and managed service providers (MSPs), the principle of granular RBAC is the same as it is for single organisations. Roles and permissions are tightly scoped so admins only see and manage what they should.

The difference is that MSPs can apply this across multiple customer tenants from within Orto. This provides:

A single pane of glass to manage multiple end customers.
Consistent, granular controls that align with each customer’s own Entra attributes, Microsoft 365 groups, and Orto Security Groups.
The ability to delegate customer-specific admin roles without exposing data or controls from other tenants.

Example scenario:
An MSP helpdesk engineer can be assigned read-only access to Customer A’s tenant, so they can troubleshoot without making changes, while a senior engineer can be given full admin rights across all tenants they support.

This means MSPs can securely and efficiently manage many customers from one platform, while maintaining the same tight access controls that Orto provides for individual organisations.

Is training required to use Granular RBAC in Callroute?

Granular RBAC in Orto has been designed to be simple and intuitive to use. Most admins can get started quickly with the help of our step-by-step videos that explain the basics.

If additional guidance is needed, Callroute provides a free support session with one of our engineers. This typically takes no longer than 30 minutes and will give you all the knowledge required to confidently manage roles, Security Groups, and permissions in Orto.

This ensures you can be up and running fast, without the need for extensive training.

Get Started Today

Speak to our experts at a time that suits you to learn more about how Callroute can simplify Teams management for your business.