Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Roles and permissions in Microsoft Engage Center support collaboration between customers and Microsoft while helping protect access to sensitive data and features.
Access to workspaces, experiences, and information is managed through predefined roles, each with a specific set of permissions that determine what users can see and do within Engage Center.
Some roles are automatically assigned based on a customer’s Microsoft Support agreement to ensure essential access is available as soon as users sign in. These roles are called system-assigned roles. Other roles are assigned by workspace administrators to provide additional capabilities based on a user’s responsibilities.
To help you understand how access is granted and managed, the sections below describe the two types of roles used in Engage Center.
System-assigned roles
The following table lists the system-assigned roles available in Microsoft Engage Center, including each role’s description and whether it is assigned to a Microsoft employee or a user from the customer organization.
Important
Microsoft users are unable to open support cases on behalf of their customers.
CSAMs can’t add or remove general users. They can only add administrators—either in a Rollup workspace or by using Manage Workspaces to assign Managed Administrators to child support services workspaces in multi‑workspace scenarios.
| Role | User origin | Definition |
|---|---|---|
| Customer Support Manager (CSM) | Customer | Owns an organization’s Enterprise Support Agreement, serves as an administrator of an Engage Center workspace and has permission to create, view, and manage support cases. Note: The CSM role is only assigned to the first workspace that is created when a customer purchases a support agreement. Any additional workspace that is created will not have the CSM role. |
| Managed Administrator (Rollup-assigned) | Customer | Administrator role that is inherited from a rollup workspace. This role grants full administrative access to the workspace but is managed only at the rollup level and cannot be modified directly within the workspace. |
| Customer Success Account Manager (CSAM) | Microsoft | Grants limited administrative capabilities and read‑only access to most workspace resources to support customer engagement and support operations CSAMs can’t add or remove general users. They can only add administrators—either in a Rollup workspace or by using Manage Workspaces to assign Managed Administrators to child support services workspaces in multi‑workspace scenarios. |
| Incident Manager (IM) | Microsoft | Grants access to incident‑related resources and read access across relevant workspace content to support incident coordination |
Managed Administrator (Rollup-assigned)
The Managed Administrator is a system-assigned role used in environments with rollup and child workspaces.
What it does
- Grants full administrator access to a child workspace
How it is managed
- Managed only from the rollup workspace
- Cannot be added or removed from User Management within a child workspace
- To update these administrators, use Manage Workspaces in the rollup workspace
How it works with other roles
- A user can have multiple roles:
- A Managed Administrator role (from the rollup), and
- A locally assigned Support User role (added in the workspace)
- To fully remove a user’s admin access, they must be removed:
- From the rollup workspace, and
- From any locally assigned roles, if applicable
Key behavior
- Managed Administrators behave the same as regular Administrators in terms of permissions
- The only difference is where the role is controlled (rollup vs. workspace)
General user roles
The following table shows the assignable roles in Microsoft Engage Center and their descriptions.
| Role | Description |
|---|---|
| Administrator | Grants full access to manage all aspects of the workspace. Note: Administrators do not get the ability to create cases without also having the Support User role Note: There are some capabilities that are limited to Microsoft employees that are not available to the Administrator. |
| Assessment User | Grants access to the assessment page. |
| Contract Manager | View summary and detailed usage information for services purchased under the agreement. |
| Learning Manager | Grants management of learning content and access to learning content. |
| Learning User | Grants access to learning content. |
| Mirp Manager | - Can attest solutions. - Can add tenants and use the MIRP toggle button to enable or disable them. - Can add contacts - Has full oversight of DMIRP workflows. |
| Mirp Viewer | - Can create and edit solutions. - Can toggle tennants on and off. - Can't add tenants. - Can't attest solutions. - Can't add contacts. |
| Problem Manager | Provides access to support Cases for case details in addition to Support Insights. |
| Reporting User | Grants access to support Insights reporting and support case analytics. |
| Shared Files User | Grants access to shared files. |
| Support User | Grants permission to create, view, and manage support cases. |
| User Access Administrator | Lets you manage user and group access. |
Role permissions
Each role in Microsoft Engage Center has a defined set of permissions that determine what actions a user can perform and which workspace features they can access. You can view an individual’s permissions in the User Management section of Engage Center, where assigned roles and effective permissions are displayed.