Explore the Microsoft 365 admin roles

A Microsoft 365 subscription comes with a set of admin roles that you can assign to users in your organization using the Microsoft 365 admin center. Each admin role maps to common business functions. They give people in your organization permissions to do specific tasks in the admin centers.

Note

The Microsoft 365 admin center lets you manage Microsoft Entra roles and Microsoft Intune roles. However, these roles are a subset of the roles available in the Microsoft Entra admin center and the Intune admin center.

Security guidelines for assigning roles

Because administrators have access to sensitive data and files, Microsoft recommends following these guidelines to keep your organization's data more secure.

Recommendation | Why is this recommendation important?

Only establish two to four global administrators. | A Global administrator is the only user who can reset another Global administrator's password. As such, Microsoft recommends that you have at least two Global administrators in your organization in the event one of them experiences an account lockout.

The Global administrator has almost unlimited access to your organization's settings and most of its data. As such, Microsoft also recommends that you don't have more than four Global administrators due to the security threat posed by having too many global admins.

Assign the least permissive role. | Assigning the least permissive role means giving administrators only the access they need to get the job done.

For example, if you want someone to reset employee passwords, you shouldn't assign the unlimited Global administrator role. Instead, you should assign a limited administrator role, like Password administrator or Helpdesk administrator. This guideline helps keep your data secure.

Require multifactor authentication (MFA) for administrators. | It's a good idea to require MFA for all your users. However, Microsoft recommends that organizations require all their administrators to use MFA to sign in. MFA makes users enter a second method of identification to verify they are who they say they are.

Administrators can access customer and employee data. If you require MFA, then even if the admin's password gets compromised, the password is useless without the second form of identification.

When you turn on MFA, the next time the user signs in, they must provide an alternate email address and phone number for account recovery.

Users can receive a message in the admin center indicating they don't have permissions to edit a setting or page. The system sends this message because the user is assigned roles that don't have that permission.
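
The three guidelines in the table above can be checked mechanically against an export of role assignments. The following PowerShell is an added example, not Microsoft's code: the sample rows are constructed, and the function name Get-AdminRoleFinding and the property names User, Role and MfaEnabled are assumptions. The least-privilege check is a heuristic of this example, not a rule stated on this page.

```powershell
# Added example. Constructed sample rows standing in for a role-assignment export
# joined with MFA status; property names User, Role and MfaEnabled are assumptions.
$sample = @(
    [pscustomobject]@{ User = 'ana@contoso.example'; Role = 'Global administrator';   MfaEnabled = $true  }
    [pscustomobject]@{ User = 'ben@contoso.example'; Role = 'Global administrator';   MfaEnabled = $false }
    [pscustomobject]@{ User = 'ben@contoso.example'; Role = 'Password administrator'; MfaEnabled = $false }
    [pscustomobject]@{ User = 'cho@contoso.example'; Role = 'Global administrator';   MfaEnabled = $true  }
    [pscustomobject]@{ User = 'dev@contoso.example'; Role = 'Global administrator';   MfaEnabled = $true  }
    [pscustomobject]@{ User = 'eli@contoso.example'; Role = 'Global administrator';   MfaEnabled = $true  }
    [pscustomobject]@{ User = 'fay@contoso.example'; Role = 'Helpdesk administrator'; MfaEnabled = $true  }
)

function Get-AdminRoleFinding {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [object[]] $Assignment,
        [int] $MinGlobalAdmins = 2,   # guideline: at least two
        [int] $MaxGlobalAdmins = 4    # guideline: no more than four
    )
    $ga = 'Global administrator'
    $findings = [System.Collections.Generic.List[string]]::new()

    # Guideline 1: count distinct users who hold Global administrator.
    $count = @($Assignment | Where-Object Role -eq $ga |
        Select-Object -ExpandProperty User -Unique).Count
    if ($count -lt $MinGlobalAdmins) {
        $findings.Add("Global administrators: $count, fewer than $MinGlobalAdmins (no peer can reset a locked-out account)")
    } elseif ($count -gt $MaxGlobalAdmins) {
        $findings.Add("Global administrators: $count, more than $MaxGlobalAdmins")
    }

    foreach ($g in ($Assignment | Group-Object User)) {
        $roles = @($g.Group.Role | Sort-Object -Unique)
        # Guideline 2 (heuristic of this example): a Global admin who also holds a
        # limited role may only need the limited role.
        if ($roles -contains $ga -and $roles.Count -gt 1) {
            $limited = @($roles | Where-Object { $_ -ne $ga }) -join ', '
            $findings.Add("$($g.Name): holds $ga and $limited; check whether the limited role alone is enough")
        }
        # Guideline 3: every administrator signs in with MFA.
        if ($g.Group.MfaEnabled -contains $false) {
            $findings.Add("$($g.Name): administrator without MFA")
        }
    }
    $findings
}

Get-AdminRoleFinding -Assignment $sample
```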

Commonly used Microsoft 365 admin center roles

In the Microsoft 365 admin center, you can go to Role assignments, and then select any role to open its detail pane. To view the detailed list of tasks that a user assigned to that role can perform, select the Permissions tab. Select the Assigned or Assigned admins tab to add users to roles.

The page displays a list of common roles that most organizations use. The following table displays the roles most commonly assigned by an organization.

Admin role (alphabetical order) | Who should be assigned this role?

Billing administrator | Assign the Billing admin role to users who make purchases, manage subscriptions and service requests, and monitor service health.

Billing admins also can:
- Manage all aspects of billing.
- Create and manage support tickets in the Microsoft Entra admin center.

Compliance administrator | Assign the Compliance admin role to users who are responsible for helping your organization:
- Stay compliant with any regulatory requirements.
- Manage eDiscovery cases.
- Maintain data governance policies across Microsoft 365 locations, identities, and apps.
- Monitor compliance-related policies across Microsoft 365 services.
- Manage compliance alerts.
- Perform legal and data investigations.
- Manage Data Subject Requests.
- View all Intune audit data.

Exchange administrator | Assign the Exchange admin role to users who need to view and manage your users' email mailboxes, Microsoft 365 groups, and Exchange Online. The Exchange admin is also responsible for managing message flow in Microsoft 365.

Exchange admins can also:
- Recover deleted items in a user's mailbox.
- Determine how long to retain deleted email before the system permanently deletes it.
- Set up mailbox features such as the mailbox sharing policy, which determines how users can share calendar and contacts information with others outside of your organization.
- Set up Send As and Send on Behalf delegates for someone's mailbox; for example, when an executive wants their assistant to have permission to send mail on the executive's behalf.
- Create shared mailboxes so a group of people can monitor and send email from a common email address.
- Set up anti-spam and malware filters for the organization.
- Manage Microsoft 365 Groups.

For users assigned the Exchange Administrator role, Microsoft recommends that you also assign them the Service Administrator role. This way they can see important information in the Microsoft 365 admin center, such as the health of the Exchange Online service and change and release notifications.

Global administrator | Assign the Global administrator role to users who need global access to most management features and data across Microsoft online services.

Only Global admins can:
- Reset passwords for all users, including other Global admins.
- Add and manage domains.
- Unblock another Global admin.

The system automatically assigns the Global administrator role to the person who signed up for Microsoft 365 online services.

Global reader | Assign the Global reader role to users who need to view admin features and settings in admin centers that the Global admin can view. The Global reader admin can't edit any settings.

Groups administrator | Assign the Groups admin role to users who need to manage all groups settings across admin centers, including the Microsoft 365 admin center and Microsoft Entra admin center.

Groups admins can:
- Create, edit, delete, and restore Microsoft 365 groups.
- Create and update group creation, expiration, and naming policies.
- Create, edit, and delete Microsoft Entra security groups.

Helpdesk administrator | Assign the Helpdesk admin role to users who must complete the following tasks:
- Reset passwords.
- Force users to sign out.
- Manage service requests.
- Monitor service health.

The Helpdesk admin can only help nonadmin users and users assigned the following roles:
- Directory reader
- Guest inviter
- Helpdesk admin
- Message center reader
- Reports reader

License administrator | Assign the License admin role to users who need to assign and remove licenses from users and edit their usage location.

License admins also can:
- Reprocess license assignments for group-based licensing.
- Assign product licenses to groups for group-based licensing.

Office Apps administrator | Assign the Office Apps admin role to users who must complete the following tasks:
- Use the Office cloud policy service to create and manage cloud-based policies for Office.
- Create and manage service requests.
- Manage the What's New content that users see in their Office apps.
- Monitor service health.

Password administrator | Assign the Password admin role to a user who needs to reset passwords for nonadministrators and Password Administrators.

Message center reader | Assign the Message center reader role to users who must complete the following tasks:
- Monitor message center notifications.
- Get weekly email digests of message center posts and updates.
- Share message center posts.
- Have read-only access to Microsoft Entra services, such as users and groups.

Power Platform administrator | Assign the Power Platform admin role to users who must complete the following tasks:
- Manage all admin features for Power Apps, Power Automate, and data loss prevention.
- Create and manage service requests.
- Monitor service health.

Reports reader | Assign the Reports reader role to users who must complete the following tasks:
- View usage data and the activity reports in the Microsoft 365 admin center.
- Get access to the Power BI adoption content pack.
- Get access to sign-in reports and activity in Microsoft Entra ID.
- View data returned by the Microsoft Graph reporting API.

Security administrator | Assign the Security admin role to admins who control your organization's overall security. They do so by managing security policies, reviewing security analytics and reports across Microsoft 365 products, and staying up-to-speed on the threat landscape.

Security admins can also:
- Manage security threats and alerts.
- View reports.
- Monitor and respond to suspicious security activity.
- Assign roles.
- Manage machine groups.
- Configure endpoint threat detection and automated remediation.
- View, investigate, and respond to alerts.
- View machines/device inventory.
- View user, device, enrollment, configuration, and application information in Intune.
- Define the threshold and duration for lockouts when failed sign-in events happen.
- Configure custom banned password list or on-premises password protection.

Service Support administrator | Assign the Service Support admin role as an extra role to admins or users who must complete the following tasks besides their usual admin role:
- Open and manage service requests.
- View and share message center posts.
- Monitor service health.

SharePoint administrator | Assign the SharePoint admin role to users who need to access and manage the SharePoint Online admin center.

SharePoint admins can also:
- Create and delete sites.
- Manage site collections and global SharePoint settings.
- Define the user profile policies and settings for the organization, including management of promoted sites.
- Create Business Connectivity Services (BCS) connections to data sources that are outside the SharePoint Online site.
- Manage records in place, which means that you can leave a document in its current location on a site, or store records in a specific archive.
- Customize the search experience for users.
- Configure SharePoint Online hybrid with an on-premises SharePoint Online site.
- Use InfoPath Forms Services in SharePoint Online to deploy the organization's forms to its sites, enabling users to fill out these forms in a web browser.

Teams administrator | Assign the Teams administrator role to users who need to access and manage the Teams admin center.

Teams administrators can also:
- Manage and create Microsoft 365 groups.
- Manage meetings.
- Manage conference bridges.
- Manage all org-wide settings, including federation, teams upgrade, and teams client settings.
- Troubleshoot communication issues within Teams.

User administrator | Assign the User admin role to users who must complete the following tasks for all users:
- Add users and groups.
- Assign licenses.
- Manage most user properties.
- Create and manage user views.
- Update password expiration policies.
- Manage service requests.
- Monitor service health.

The user admin can also complete the following actions:
- Manage usernames.
- Delete and restore users.
- Reset passwords.
- Force users to sign out.
- Update (FIDO) device keys.

The user admin can complete these tasks for users who aren't admins and for users assigned the following roles:
- Directory reader
- Guest inviter
- Helpdesk admin
- Message center reader
- Reports reader

Tip

If you can't find a role in this list, go to the bottom of the list and select Show all by Category. This option sorts all available roles by category.

Additional reading. For more information, including the Windows PowerShell cmdlets associated with a role, see Microsoft Entra built-in roles.

Knowledge check

1. Which Microsoft 365 administrator role creates and manages Microsoft 365 groups?