Use service admin roles to manage your tenant
To help you administer environments and settings for Microsoft Power Platform, you can assign users to manage at the tenant level without having to assign the more powerful Microsoft 365 global admin privilege.
There are two Power Platform related service admin roles you can assign to provide a high level of admin management.
Note
These (and other) admin roles only apply to what you can do in the Power Platform admin center. For example, Dynamics 365 Finance and Dynamics 365 Supply Chain Management are currently not managed in the Power Platform admin center.
Dynamics 365 administrator
The Dynamics 365 admin can:
- Sign in to and manage multiple environments. If an environment uses a security group, a service admin would need to be added to the security group in order to manage that environment. Not assigning to an in place security group essentially locks these admins out of any admin management.
- Perform admin functions in Microsoft Power Platform because they have the System Administrator role.
Power Platform administrator
Users with the Power Platform admin role can:
- Sign in to and manage multiple environments. Power Platform admins are not affected by security group membership and can manage environments even if not added to an environment's security group.
- Perform admin functions in Microsoft Power Platform because they have the System Administrator role.
Both service admin roles cannot do functions restricted to the Microsoft 365 global admin such as manage user accounts, manage subscriptions, access settings for Microsoft 365 apps like Microsoft Exchange or Microsoft SharePoint.
Assign a service admin role to a user
Follow these steps to assign a service admin role.
Note
When the Dynamics 365 administrator role is granted to a user in Azure Active Directory (Azure AD), they will get the System Administrator role in environments as well. When the Dynamics 365 administrator role is removed in Azure AD, user synchronization doesn't remove the System Administrator role. So, even though this user is no longer a Dynamics 365 administrator in Azure AD, they still remain a system administrator in the tenant and will be able to see all environments. We recommend manually removing the System Administrator role in all environments as soon as the role is removed from Azure AD.
To opt-out of automatic license-based user roles, see Opt-out of automatic license-based user roles management.
Sign in to the Microsoft 365 admin center as a global admin.
Go to Users > Active users and select a user.
Under Account > Roles select Manage roles.
Select to expand Show all by category.
Under Collaboration select either Dynamics 365 administrator or Power Platform administrator.
Select Save changes.
Note
If you are using the Azure AD Privileged Identity Management (PIM) time-based role activation to manage your service admin roles, the service administrator permission is NOT removed from the environment when the time-based role activation expires.
Service Admin roles must be assigned directly to users, as inheriting from security groups is not fully supported.
Service administrator permission matrix
The following matrix shows what management is possible with the various service admin roles compared to the Microsoft 365 global admin role.
| Microsoft 365 Global admin |
Power Platform admin |
Dynamics 365 admin |
Power BI admin |
|
|---|---|---|---|---|
| POWER PLATFORM | ||||
| Environments | ||||
| Full access1 | Yes | Yes | Yes2 | No |
| Create | Yes | Yes | Yes2 | No |
| Delete | Yes | Yes | Yes2 | No |
| Backup and restore | Yes | Yes | Yes2 | No |
| Copy | Yes | Yes | Yes2 | No |
| Ability to exclude access from selected environments (using security groups) | No | No | Yes | Yes |
| Analytics | ||||
| Capacity | Yes | Yes | Yes2 | No |
| Capacity allocation (Power Apps per app plans, Power Automate, AI Builder, and Portal) | Yes | Yes | Yes2 | No |
| Microsoft Dataverse | Yes | Yes | Yes2 | No |
| Power Automate | Yes | Yes | Yes2 | No |
| Power Apps | Yes | Yes | Yes2 | No |
| Help + support | ||||
| Create and access support requests | Yes | Yes | Yes2 | No |
| Data integration | ||||
| Create new project and connection set | Yes | Yes | Yes2 | No |
| Data gateways | ||||
| View gateways | Yes | Yes | Yes2 | No |
| Data policies | ||||
| View and manage tenant policies | Yes | Yes | Yes2 | No |
| View and manage environment policies | Yes | Yes | Yes2 | No |
| POWER BI | ||||
| Manage the Power BI tenant | Yes | Yes | No | Yes |
| Acquire and assign Power BI licenses | Yes | No | No | No |
| MICROSOFT 365 | ||||
| Create users | Yes | No | No | No |
| Add security roles | Yes | No | No | No |
| Add licenses | Yes | No | No | No |
1Equivalent permission level to a System Administrator. Has full permission to customize or administer the environment, including creating, modifying, and assigning security roles. Can view all data in the environment - if the user has a suitable license.
2If a security group is assigned to the environment and the user with this role added to the security group
See also
Feedback
Submit and view feedback for