Summary

A Microsoft 365 subscription comes with a set of administrative roles that a Microsoft 365 administrator can assign to select users. Each admin role maps to common business functions and gives an organization's users permission to do specific tasks in the admin centers. This module provided a brief overview of the Microsoft 365 admin roles. In this module, you learned how to use roles and role groups to control who can do what in your Microsoft 365 environment. You also learned how to delegate admin roles to partners, manage permissions using administrative units, manage SharePoint permissions to prevent oversharing of data, and elevate privileges using Privileged Identity Management.

This module examined the key aspects of the Microsoft 365 permission model, such as how roles are defined, assigned, and scoped, and how they differ from other types of permissions. You also learned how to manage roles for different Microsoft 365 services, such as Exchange Online, SharePoint Online, Teams, and Microsoft Entra ID. This training highlighted the best practices and security principles that organizations should follow when configuring administrative roles.

The module also explored the different types of administrator roles in Microsoft 365, including the key permissions assigned to each. You examined built-in roles such as the Global Administrator, Service Administrator, Billing Administrator, and User Management Administrator. You also learned how to delegate admin roles to external partners, such as Microsoft Partners or Cloud Solution Providers, and how to monitor and revoke their access.

You also learned how to create and manage role groups, which enable organizations to simplify the role assignment process and apply role permissions consistently. Instead of assigning roles directly to users, you create a group and assign specific roles to the group. Members of the group inherit the roles assigned to the group. Finally, you learned how to use administrative units and Privileged Identity Management to limit the scope of role assignments and delegate permissions to specific segments of your organization, and to provide just-in-time and just-enough access to sensitive resources.
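
The following is an added example, not part of the original module: a small audit that reviews role assignments against the three practices summarized above (assign to groups rather than users, scope to an administrative unit rather than the whole tenant, prefer eligible over standing access). The records, field names, and account names are constructed for illustration; the scope strings follow the directory convention where `/` means tenant-wide.

```python
from dataclasses import dataclass

# Constructed sample: a flattened export of directory role assignments.
# Field names are assumptions for this example, not a Microsoft schema.
@dataclass(frozen=True)
class Assignment:
    principal: str       # display name of the user or group
    principal_type: str  # "user" or "group"
    role: str            # role display name
    scope: str           # "/" = tenant-wide, "/administrativeUnits/<id>" = scoped
    state: str           # "active" (standing) or "eligible" (activated on demand)

SAMPLE = [
    Assignment("alice@contoso.example", "user", "Global Administrator", "/", "active"),
    Assignment("Helpdesk-EMEA", "group", "User Administrator",
               "/administrativeUnits/au-emea", "eligible"),
    Assignment("bob@contoso.example", "user", "User Administrator",
               "/administrativeUnits/au-emea", "eligible"),
    Assignment("SharePoint-Admins", "group", "SharePoint Administrator", "/", "active"),
]

def findings(a):
    """Return review flags for one assignment; an empty list means nothing to review."""
    flags = []
    if a.principal_type == "user":
        flags.append("direct-user-assignment")  # role not inherited through a group
    if a.scope == "/":
        flags.append("tenant-wide-scope")       # not limited to an administrative unit
    if a.state == "active":
        flags.append("standing-access")         # always on, not just-in-time
    return flags

def audit(assignments):
    """Map (principal, role) to its flags, skipping assignments with no flags."""
    report = {}
    for a in assignments:
        flags = findings(a)
        if flags:
            report[(a.principal, a.role)] = flags
    return report

def worst_first(report):
    """Order entries by number of flags (descending), then by name for stability."""
    return sorted(report.items(), key=lambda kv: (-len(kv[1]), kv[0]))

if __name__ == "__main__":
    for (principal, role), flags in worst_first(audit(SAMPLE)):
        print(f"{principal} / {role}: {', '.join(flags)}")
```

A flag marks an assignment for review rather than a violation: some roles are legitimately tenant-wide, but each flagged entry should have a documented reason.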