In this blog post, we will discuss about the roles available in the Microsoft 365 admin center and how to assign user roles in Microsoft 365 admin center.
A subscription comes with a set of admin roles that you can assign to users in your organization. Each admin role maps to common business functions and gives people in your organization permissions to do specific tasks in the admin centers.
Because admins have access to sensitive data and files, we recommend that you follow these guidelines to keep the organization’s data more secure.
|Recommendation||Why is this important?|
|Have 2 to 4 global admins||Because only another global admin can reset a global admin’s password, we recommend that you have at least 2 global admins in your organization in case of account lockout. But the global admin has almost unlimited access to your org’s settings and most of the data, so we also recommend that you don’t have more than 4 global admins because that’s a security threat.|
|Assign the least permissive role||Assigning the least permissive role means giving admins only the access they need to get the job done. For example, if you want someone to reset employee passwords you shouldn’t assign the unlimited global admin role, you should assign a limited admin role, like Password admin or Helpdesk admin. This will help keep your data secure.|
|Require multi-factor authentication for admins||It’s a good idea to require MFA for all of your users, but admins should be required to use MFA to sign in. MFA makes users enter a second method of identification to verify they are who they say they are. Admins can have access to a lot of customer and employee data and if you require MFA, even if the admin’s password gets compromised, the password is useless without the second form of identification. |
When you turn on MFA, the next time the user signs in, they’ll need to provide an alternate email address and phone number for account recovery.
Set up multi-factor authentication
Roles available in the Microsoft 365 admin center
In the admin center, you can go to Roles, and then select any role to open its detail pane. Select the Permissions tab to view the detailed list of what admins assigned that role to have permission to do.
You’ll probably only need to assign the following roles in your organization.
|Admin role||Who should be assigned this role?|
|Exchange admin||Assign the Exchange admin role to users who need to view and manage your user’s email mailboxes, Office 365 groups, and Exchange Online. |
Exchange admins can also:
– Recover deleted items in a user’s mailbox
– Set up “Send As” and “Send on behalf” delegates
|Global admin||Assign the Global admin role to users who need global access to most management features and data across Microsoft online services. |
Giving too many users global access is a security risk and we recommend that you have between 2 and 4 Global admins.
Only global admins can:
– Reset passwords for all users
– Add and manage domains
Note: The person who signed up for Microsoft online services automatically becomes a Global admin.
|Global reader||Global reader |
Assign the global reader role to users who need to view admin features and settings in admin centers that the global admin can view. The global reader admin can’t edit any settings.
|Groups admin||Assign the group admin role to users who need to manage all group settings across admin centers, including the Microsoft 365 Admin Center and Azure Active Directory portal. |
Groups admins can:
– Create, edit, delete, and restore Office 365 Groups
– Create and update group creation, expiration, and naming policies
– Create, edit, delete, and restore Azure Active Directory security, groups
|Helpdesk admin||Assign the Helpdesk admin role to users who need to do the following: |
– Reset passwords
– Force users to sign out
– Manage service requests
– Monitor service health
Note: The Helpdesk admin can only help non-admin users and users assigned these roles: Directory reader, Guest inviter, Helpdesk admin, Message center reader, and Reports reader.
|Office Apps admin||Assign the Office Apps admin role to users who need to do the following: |
– Use the Office cloud policy service to create and manage cloud-based policies for Office
– Create and manage service requests
– Manage the What’s New content that users see in their Office apps
– Monitor service health
|Service admin||Assign the Service admin role as an additional role to admins or users whose role doesn’t include the following, but still need to do the following: |
– Open and manage service requests
– View and share message center posts
|SharePoint admin||Assign the SharePoint admin role to users who need to access and manage the SharePoint Online admin center. |
SharePoint admins can also:
– Create and delete sites
– Manage site collections and global SharePoint settings
|Teams admin||Assign the Teams admin role to users who need to access and manage the Teams admin center. |
Teams admins can also:
– Manage meetings
– Manage conference bridges
– Manage all org-wide settings, including federation, teams upgrade, and teams client settings
|User admin||Assign the User admin role to users who need to do the following for all users: |
– Add users and groups
– Assign licenses
– Manage most users properties
– Create and manage user views
– Update password expiration policies
– Manage service requests
– Monitor service health
The user admin can also do the following actions for users who aren’t admins and for users assigned the following roles: Directory reader, Guest inviter, Helpdesk admin, Message center reader, Reports reader:
– Manage usernames
– Delete and restore users
– Reset passwords
– Force users to sign out
– Update (FIDO) device keys
Here’s a list of all the roles available in the Microsoft 365 admin center.
|Application admin||Full access to enterprise applications, application registrations, and application proxy settings.|
|Application developer||Create application registrations and consent to app access on their behalf.|
|Authentication admin||Can require users to re-register authentication for non-password credentials, like MFA.|
|Azure Information Protection admin||Manages labels for the Azure Information Protection policy, manages protection templates and activates protection.|
|Billing admin||Makes purchases, manages subscriptions, manages service requests, and monitors service health.|
|Cloud application admin||Full access to enterprise applications and application registrations. No application proxies.|
|Cloud device admin||Enables, disables, and deletes devices and can read Windows 10 BitLocker keys.|
|Compliance admin||Manages regulatory requirements and eDiscovery cases, maintains data governance for locations, identities, and apps.|
|Compliance data admin||Keeps track of data, makes sure it’s protected, gets insights into issues, and helps mitigate risk.|
|Conditional Access admin||Manages Azure Active Directory conditional access settings, but not Exchange ActiveSync conditional access policy.|
|Customer Lockbox access approver||Manages Customer Lockbox requests, can turn Customer Lockbox on or off.|
|Desktop Analytics admin||Can access and manage Desktop management tools and services.|
|Dynamics 365 admin||Full access to Microsoft Dynamics 365 Online, manages service requests, monitors service health.|
|Exchange admin||Full access to Exchange Online, creates and manages groups, manages service requests, and monitors service health.|
|External identity provider admin||Configure identity providers for use in the direct federation.|
|Global admin||Has unlimited access to all management features and most data in all admin centers.|
|Global reader||Has read-only access to all management features and most data in admin centers. For a detailed description of access rights and limitations of this role, please see Administrator role permissions in Azure Active Directory.|
|Groups admin||Creates groups and manages all group settings across admin centers.|
|Guest inviter||Manages Azure Active Directory B2B guest user invitations.|
|Helpdesk admin||Resets passwords and re-authenticates for all non-admins and some admin roles, manages service requests, and monitors service health.|
|Intune admin||Full access to Intune, manages users and devices to associate policies, creates and manages groups.|
|Kaizala admin||Full access to all Kaizala management features and data, manages service requests.|
|License admin||Assigns and removes licenses from users and edits their usage location.|
|Message center privacy reader||Access to data privacy messages in the message center, gets email notifications.|
|Message Center reader||Reads and shares regular messages in Message center, gets weekly email digests, has read-only access to users, groups, domains, and subscriptions.|
|Office Apps admin||Manages cloud-based policies for Office and the What’s New content that users see in their Office apps.|
|Power BI admin||Full access to Power Bl management tasks, manages service requests, and monitors service health.|
|Power platform admin||Full access to Microsoft Dynamics 365, PowerApps, data loss prevention policies, and Microsoft Flow.|
|Privileged role admin||Manages role assignments and all access control features of Privileged Identity Management.|
|Reports reader||Reads usage reporting data from the report’s dashboard, Power BI adoption content pack, sign-in reports, and Microsoft Graph reporting API.|
|Search admin||Full access to Microsoft Search, assigns the Search admin and Search editor roles, manages editorial content, monitors service health, and creates service requests.|
|Search editor||Can only create, edit, and delete content for Microsoft Search, like bookmarks, Q&A, and locations.|
|Security admin||Controls organization’s security, manages security policies, reviews security analytics and reports, monitors the threat landscape.|
|Security operator||Investigates and responds to security alerts, manages features in Identity Protection center, monitors service health.|
|Security reader||Read-only access to security features, sign-in reports, and audit logs.|
|Service support admin||Creates service requests for Azure, Microsoft 365, and Office 365 services, and monitors service health.|
|SharePoint admin||Full access to SharePoint Online, manages Office 365 groups, manages service requests, and monitors service health.|
|Skype for Business admin||Full access to all Teams and Skype features, Skype user attributes, manages service requests, and monitors service health.|
|Teams admin||Full access to Teams & Skype admin center, manages Office 365 groups and service requests, and monitors service health.|
|Teams communication manager||Assigns telephone numbers, creates and manages voice and meeting policies, and reads call analytics.|
|Teams communication support engineer||Reads call record details for all call participants to troubleshoot communication issues.|
|Teams communication support specialist||Reads user call details only for a specific user to troubleshoot communication issues.|
|User admin||Resets user passwords, creates and manages users and groups, including filters, manages service requests, and monitors service health.|
If you’re the person who purchased your Microsoft business subscription, you are the global admin. This means you have unlimited control over the products in your subscriptions and you can access most data.
You can assign users to a role in 2 different ways:
- Go to the user’s details and Manage roles to assign a role to the user.
- Go to Roles and select the role, and then add multiple users to it.
Method 1: Assign a user to an admin role from Active users
Step 1: In the admin center, go to Users à Active users à Select User.
Step 2: In the flyout pane, next to Roles, select Manage roles.
Step 3: Select the admin role that you want to assign to the user. If you don’t see the role you’re looking for, select Show all at the bottom of the list. à Click on the Save Changes button.
Method 2: Assign admin roles to users using Roles
Step 1: In the admin center, go to Roles > Roles to view all of the admin roles available for your organization.
Step 2: Select the admin role that you want to assign the user to. Click on Roles à User Admin à Click Assigned Admins à Click on the Add button.
Step 3: Type the user’s display name or username, and then select the user from the list of suggestions. Select Save, and then the user will be added to the list of assigned admins.
Note: You can add multiple users before save.
Important Note: When you add new users, if you don’t assign them an admin role then they are in the user role and don’t have admin privileges to any of the Microsoft admin centers. But if you need help getting things done, you can assign an admin role to a user. For example, if you need someone to help reset passwords, you shouldn’t assign them the global admin role, you should assign them the password admin role. Having too many global admins, with unlimited access to your data and online business, is a security risk.
Cynoteck is a Microsoft Gold Partner and Power Platform Partner. With our knowledge across the Microsoft Stack we build solutions that best fit your needs. We help you identify and utilize your organizational data to the best which lets you make intelligent decisions for your growth.
Connect our team if you are interested in implementing Power Platform in your business