Explore administrator roles in Microsoft 365


A Microsoft 365 subscription comes with a set of built-in administrator roles that you can assign to users in your organization using the Microsoft 365 admin center. Each admin role maps to common business functions. They give people in your organization permissions to do specific tasks in the admin centers. Organizations use administrator roles in Microsoft Entra ID to manage all products in Microsoft 365.

Note

The Microsoft 365 admin center lets you manage Microsoft Entra roles and Microsoft Intune roles. However, these roles are a subset of the roles available in the Microsoft Entra admin center and the Intune admin center.

Microsoft 365 uses a permission model referred to as Azure Role-Based Access Control (RBAC). The Azure RBAC model makes it easy to assign permissions to a user. In Microsoft 365, an administrator can assign each user a role that has predefined permissions assigned to it. So instead of assigning multiple permissions to a user, you assign them a role that has those permissions defined. This model makes permission management much more efficient and effective.

Microsoft 365 provides several predefined administrator roles, which provide permissions to do administrative tasks. As such, a Microsoft 365 administrator must carefully plan which users to assign to each role. It's important that you ensure those people are responsible and trustworthy. Each admin role maps to common business functions and gives people in your organization permissions to do specific tasks in the Microsoft 365 admin center.

To manage permissions, you must either be a Global administrator or a member of the Organization Management role group. Specifically, the Role Management role allows users to view, create, and modify role groups in the Microsoft Defender portal. By default, the system assigns the Role Management role to the Organization Management role group.

Other online services have their own permission models. For example, Exchange Online uses a model similar to Azure RBAC to define administrator roles. However, it also uses a security model based on individual permissions for its mailboxes. SharePoint Online has its own security permission model based on security groups, permissions, and permission levels. This model enables administrators to assign individual permissions or groups of permissions to its resources, such as site collections, sites, and documents.

Security guidelines for assigning roles

Because administrators have access to sensitive data and files, Microsoft recommends following these guidelines to keep your organization's data more secure.

Recommendation: Only establish two to four global administrators.

Why is this recommendation important? A Global administrator is the only user who can reset another Global administrator's password. As such, Microsoft recommends that you have at least two Global administrators in your organization in the event one of them experiences an account lockout.

The Global administrator has almost unlimited access to your organization's settings and most of its data. As such, Microsoft also recommends that you don't have more than four Global administrators due to the security threat posed from having too many global admins.

Recommendation: Assign the least permissive role.

Why is this recommendation important? Assigning the least permissive role means giving administrators only the access they need to get the job done.

For example, if you want someone to reset employee passwords, you shouldn't assign the unlimited Global administrator role. Instead, you should assign a limited administrator role, like Password administrator or Helpdesk administrator. This guideline helps keep your data secure.

Recommendation: Require multifactor authentication (MFA) for administrators.

Why is this recommendation important? It's a good idea to require MFA for all your users. However, Microsoft recommends that organizations require all their administrators to use MFA to sign in. MFA makes users enter a second method of identification to verify they are who they say they are.

Administrators can access customer and employee data. If you require MFA, then even if the admin's password gets compromised, the password is useless without the second form of identification.

When you turn on MFA, the next time the user signs in, they must provide an alternate email address and phone number for account recovery.
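The three guidelines above can be turned into a repeatable audit. The following script is an added example, not code from the Microsoft Learn page: it runs the "two to four Global administrators", "least permissive role" and "MFA for administrators" checks over a tenant snapshot. The snapshot, the user names and the task-to-role table are constructed for the demonstration, in the shape you could assemble yourself from Microsoft Graph directory-role membership and MFA registration details.

```python
"""Audit privileged-role assignments against the three guidelines above.

Added example, not code from the Microsoft Learn page. The snapshot below is
a constructed tenant export in the shape you could assemble from Microsoft
Graph directory-role membership and MFA registration details; the users,
tasks and values are invented for the demonstration.
"""

GLOBAL_ADMIN = "Global Administrator"
MIN_GLOBAL_ADMINS = 2  # at least two, so a single lockout does not strand the tenant
MAX_GLOBAL_ADMINS = 4  # no more than four, to limit the exposure of the tenant

# Least-privileged role(s) that cover a task. The password-reset row is the
# page's own example; the others follow the role descriptions on this page.
LEAST_PRIVILEGED_ROLES = {
    "reset employee passwords": {"Password Administrator", "Helpdesk Administrator"},
    "manage Office apps cloud settings": {"Office Apps Administrator"},
    "manage billing and subscriptions": {"Billing Administrator"},
    "use all administrative features": {GLOBAL_ADMIN},
}

# Constructed snapshot: one record per admin with the roles they hold, whether
# they are registered for MFA, and the tasks they actually perform.
SNAPSHOT = [
    {"upn": "holly@fabrikam.example", "roles": {GLOBAL_ADMIN}, "mfa_registered": True,
     "tasks": {"use all administrative features"}},
    {"upn": "alex@fabrikam.example", "roles": {GLOBAL_ADMIN}, "mfa_registered": True,
     "tasks": {"use all administrative features"}},
    {"upn": "sam@fabrikam.example", "roles": {GLOBAL_ADMIN}, "mfa_registered": False,
     "tasks": {"manage Office apps cloud settings"}},
    {"upn": "pat@fabrikam.example", "roles": {"Helpdesk Administrator"}, "mfa_registered": True,
     "tasks": {"reset employee passwords"}},
]


def global_admins(snapshot):
    """UPNs holding Global Administrator, sorted for stable output."""
    return sorted(a["upn"] for a in snapshot if GLOBAL_ADMIN in a["roles"])


def check_global_admin_count(snapshot):
    """Guideline 1: keep between two and four Global Administrators."""
    n = len(global_admins(snapshot))
    if n < MIN_GLOBAL_ADMINS:
        return [f"only {n} Global Administrator(s); keep at least {MIN_GLOBAL_ADMINS}"]
    if n > MAX_GLOBAL_ADMINS:
        return [f"{n} Global Administrators; keep no more than {MAX_GLOBAL_ADMINS}"]
    return []


def check_admin_mfa(snapshot):
    """Guideline 3: every user holding any admin role must be MFA-registered."""
    return sorted(a["upn"] for a in snapshot if a["roles"] and not a["mfa_registered"])


def check_least_privilege(snapshot):
    """Guideline 2: flag Global Administrators whose tasks a lesser role covers.

    Returns (upn, sorted lesser roles) pairs. A Global Administrator with a
    task that genuinely needs the role, or a task not in the table, is skipped.
    """
    findings = []
    for a in snapshot:
        if GLOBAL_ADMIN not in a["roles"] or not a["tasks"]:
            continue
        lesser = set()
        for task in a["tasks"]:
            roles = LEAST_PRIVILEGED_ROLES.get(task)
            if roles is None or GLOBAL_ADMIN in roles:
                lesser = None  # needs Global Administrator, or task is unknown
                break
            lesser |= roles
        if lesser:
            findings.append((a["upn"], sorted(lesser)))
    return findings


def audit(snapshot):
    """Run all three checks; an empty value for every key means no findings."""
    return {
        "global_admin_count": check_global_admin_count(snapshot),
        "admins_without_mfa": check_admin_mfa(snapshot),
        "over_privileged_global_admins": check_least_privilege(snapshot),
    }


if __name__ == "__main__":
    for check, result in audit(SNAPSHOT).items():
        print(f"{check}: {result or 'OK'}")
```

On the constructed snapshot the count check passes (three Global Administrators), the MFA check reports sam, and the least-privilege check reports sam as well, because the only task sam performs is covered by Office Apps Administrator. Feeding the script a real export only requires producing records with the same four keys.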

Users can receive a message in the admin center indicating they don't have permissions to edit a setting or page. The system sends this message because the user is assigned roles that don't have that permission.

Commonly used Microsoft 365 admin center roles

In the Microsoft 365 admin center, you can go to Role assignments, and then select any role to open its detail pane. To view the detailed list of tasks that a user assigned to that role can perform, select the Permissions tab. Select the Assigned or Assigned admins tab to add users to roles.

The page displays a list of common roles that most organizations use. The following entries, in alphabetical order, describe the roles most commonly assigned by an organization and who should be assigned each role.

Billing administrator

Assign the Billing admin role to users who make purchases, manage subscriptions and service requests, and monitor service health.

Billing admins also can:
- Manage all aspects of billing.
- Create and manage support tickets in the Microsoft Entra admin center.

Compliance administrator

Assign the Compliance admin role to users who are responsible for helping your organization:
- Stay compliant with any regulatory requirements.
- Manage eDiscovery cases.
- Maintain data governance policies across Microsoft 365 locations, identities, and apps.
- Monitor compliance-related policies across Microsoft 365 services.
- Manage compliance alerts.
- Perform legal and data investigations.
- Manage Data Subject Requests.
- View all Intune audit data.

Exchange administrator

Assign the Exchange admin role to users who need to view and manage your users' email mailboxes, Microsoft 365 groups, and Exchange Online. The Exchange admin is also responsible for managing message flow in Microsoft 365.

Exchange admins can also:
- Recover deleted items in a user's mailbox.
- Determine how long to retain deleted email before the system permanently deletes it.
- Set up mailbox features such as the mailbox sharing policy, which determines how users can share calendar and contacts information with others outside of your organization.
- Set up Send As and Send on Behalf delegates for someone's mailbox; for example, when an executive wants their assistant to have permission to send mail on the executive's behalf.
- Create shared mailboxes so a group of people can monitor and send email from a common email address.
- Set up anti-spam and malware filters for the organization.
- Manage Microsoft 365 Groups.

For users assigned the Exchange Administrator role, Microsoft recommends that you also assign them the Service Administrator role. This way they can see important information in the Microsoft 365 admin center, such as the health of the Exchange Online service and change and release notifications.

Global administrator

Assign the Global administrator role to users who need access to all administrative features in Microsoft Entra ID, plus services that use Microsoft Entra identities like the Microsoft 365 Defender portal, the Microsoft Purview compliance portal, Exchange Online, SharePoint Online, and Skype for Business Online. Global Administrators can view Directory Activity logs. They can also elevate their access to manage all Azure subscriptions and management groups. This design allows Global Administrators to get full access to all Azure resources using the respective Microsoft Entra tenant.

The person who signs up for Microsoft 365 online services in their Microsoft Entra organization is automatically assigned the Global Administrator role. There can be more than one Global Administrator at your company. Global Administrators can reset the password for any user and all other administrators. A Global Administrator can't remove their own Global Administrator assignment. This rule prevents a situation where an organization has zero Global Administrators.

Only Global admins can:
- Reset passwords for all users, including other Global admins.
- Add and manage domains.
- Unblock another Global admin.

Global reader

Assign the Global reader role to users who can read settings and administrative information across Microsoft 365 services, but who can't take management actions. Global Reader is the read-only counterpart to Global Administrator. Assign Global Reader instead of Global Administrator for planning, audits, or investigations.

Use Global Reader in combination with other limited admin roles like Exchange Administrator to make it easier to get work done without assigning the Global Administrator role. Global Reader works with the Microsoft 365 admin center, Exchange admin center, SharePoint admin center, Teams admin center, Microsoft 365 Defender portal, Microsoft Purview compliance portal, Azure portal, and Device Management admin center.

Users with this role can't access the Purchase Services area in the Microsoft 365 admin center.

Groups administrator

Assign the Groups admin role to users who need to create and manage groups and their settings, such as naming and expiration policies. It's important to understand that assigning a user to this role gives them the ability to manage all groups in the organization across various workloads like Teams, SharePoint, Yammer, and Outlook. A Groups admin can also manage the various group settings across various admin portals, such as the Microsoft 365 admin center, Azure portal, and workload-specific ones like the Teams and SharePoint admin centers.

Groups admins can:
- Create, edit, delete, and restore Microsoft 365 groups.
- Create and update group creation, expiration, and naming policies.
- Create, edit, and delete Microsoft Entra security groups.

Helpdesk administrator

Assign the Helpdesk admin role to users who must change passwords, invalidate refresh tokens, create and manage support requests with Microsoft for Azure and Microsoft 365 services, and monitor service health. Invalidating a refresh token forces the user to sign in again. Whether a Helpdesk Administrator can reset a user's password and invalidate refresh tokens depends on the role the user is assigned.

Users with this role can change passwords for people who might have access to sensitive or private information or critical configuration inside and outside of Microsoft Entra ID. Changing the password of a user might mean the ability to assume that user's identity and permissions.

Helpdesk admins can also:
- Reset passwords.
- Force users to sign out.
- Manage service requests.
- Monitor service health.

The Helpdesk admin can only help nonadmin users and users assigned the following roles:
- Directory reader
- Guest inviter
- Helpdesk admin
- Message center reader
- Reports reader

License administrator

Assign the License admin role to users who must read, add, remove, and update license assignments on users and groups (using group-based licensing). This role can also manage the usage location on users. The role doesn't grant the ability to purchase or manage subscriptions, create or manage groups, or create or manage users beyond the usage location. This role has no access to view, create, or manage support tickets.

License admins also can:
- Reprocess license assignments for group-based licensing.
- Assign product licenses to groups for group-based licensing.

Message center reader

Assign the Message center reader role to users who must monitor notifications and advisory health updates in the Message center for their organization on configured services such as Exchange, Intune, and Microsoft Teams. Message Center Readers receive weekly email digests of posts and updates, and can share message center posts in Microsoft 365. In Microsoft Entra ID, users assigned to this role have read-only access on Microsoft Entra services such as users and groups. This role has no access to view, create, or manage support tickets.

Office Apps administrator

Assign the Office Apps admin role to users who need to manage Microsoft 365 apps' cloud settings, cloud policies, and self-service download management. This role also grants the ability to manage support tickets, monitor service health within the main admin center, and view the Office apps-related report. Users assigned to this role can also manage communication of new features in Office apps.

Office Apps admins can also:
- Use the Office cloud policy service to create and manage cloud-based policies for Office.
- Create and manage service requests.
- Manage the What's New content that users see in their Office apps.
- Monitor service health.

Password administrator

Assign the Password admin role to a user who needs to reset passwords for nonadministrators and Password Administrators. Users with this role have limited ability to manage passwords. This role doesn't grant the ability to manage service requests or monitor service health. Whether a Password Administrator can reset a user's password depends on the role the user is assigned. For a list of the roles that a Password Administrator can reset passwords for, see Who can reset passwords.

Power Platform administrator

Assign the Power Platform admin role to users who must complete the following tasks:
- Manage all admin features for Power Apps, Flows, and Data loss prevention policies.
- Create and manage service requests.
- Monitor service health.

Reports reader

Assign the Reports reader role to users who must view usage reporting data and the reports dashboard in Microsoft 365 admin center and the adoption context pack in Fabric and Power BI. This role also provides access to all sign-in logs, audit logs, and activity reports in Microsoft Entra ID and data returned by the Microsoft Graph reporting API. A user assigned to the Reports Reader role can access only relevant usage and adoption metrics. They don't have any admin permissions to configure settings or access the product-specific admin centers like Exchange. This role has no access to view, create, or manage support tickets.

Users who are assigned the Reports reader role can also:
- View usage data and the activity reports in the Microsoft 365 admin center.
- Get access to the Power BI adoption content pack.
- Get access to sign-in reports and activity in Microsoft Entra ID.
- View data returned by Microsoft Graph reporting API.

Security administrator

Assign the Security admin role to admins who control your organization's overall security. They do so by managing security policies, reviewing security analytics and reports across Microsoft 365 products, and staying up-to-speed on the threat landscape. Users with this role have permissions to manage security-related features in the Microsoft 365 Defender portal, Microsoft Entra ID Protection, Microsoft Entra Authentication, Azure Information Protection, and Microsoft Purview compliance portal.

Security admins can also:
- Manage security threats and alerts.
- View reports.
- Monitor and respond to suspicious security activity.
- Assign roles.
- Manage machine groups.
- Configure endpoint threat detection and automated remediation.
- View, investigate, and respond to alerts.
- View machines/device inventory.
- View user, device, enrollment, configuration, and application information in Intune.
- Define the threshold and duration for lockouts when failed sign-in events happen.
- Configure custom banned password list or on-premises password protection.

Service Support administrator

Assign the Service Support admin role to users who must create and manage support requests with Microsoft for Azure and Microsoft 365 services, and view the service dashboard and message center in the Azure portal and Microsoft 365 admin center.

You should assign this role as an extra role to admins or users who must complete the following tasks besides their usual admin role:
- Open and manage service requests.
- View and share message center posts.
- Monitor service health.

SharePoint administrator

Assign the SharePoint admin role to users who need to access and manage the SharePoint Online admin center. Users with this role have global permissions within Microsoft SharePoint Online, when the service is present. They can also create and manage all Microsoft 365 groups, manage support tickets, and monitor service health.

This role also grants scoped permissions to the Microsoft Graph API for Microsoft Intune, allowing the management and configuration of policies related to SharePoint and OneDrive resources.

SharePoint admins can also:
- Create and delete sites.
- Manage site collections and global SharePoint settings.
- Define the user profile policies and settings for the organization, including management of promoted sites.
- Create Business Connectivity Services (BCS) connections to data sources that are outside the SharePoint Online site.
- Manage records in place, which means that you can leave a document in its current location on a site, or store records in a specific archive.
- Customize the search experience for users.
- Configure SharePoint Online hybrid with an on-premises SharePoint site.
- Use InfoPath Forms Services in SharePoint Online to deploy the organization's forms to its sites, enabling users to fill out these forms in a web browser.

Teams administrator

Assign the Teams administrator role to users who must manage all aspects of the Microsoft Teams workload through the Microsoft Teams & Skype for Business admin center and the respective PowerShell modules. These areas also include all management tools related to telephony, messaging, meetings, and the teams themselves. This role additionally grants the ability to create and manage all Microsoft 365 groups, manage support tickets, and monitor service health.

Teams admins can also:
- Manage and create Microsoft 365 groups.
- Manage meetings.
- Manage conference bridges.
- Manage all org-wide settings, including federation, teams upgrade, and teams client settings.
- Troubleshoot communication issues within Teams.

User administrator

Assign the User admin role to users who must complete the following tasks for all users:
- Add users and groups.
- Assign licenses.
- Manage most user properties.
- Create and manage user views.
- Update password expiration policies.
- Manage service requests.
- Monitor service health.

The user admin can also complete the following actions:
- Manage usernames.
- Delete and restore users.
- Reset passwords.
- Force users to sign out.
- Update (FIDO) device keys.

The user admin can complete these tasks for users who aren't admins and for users assigned the following roles:
- Directory reader
- Guest inviter
- Helpdesk admin
- Message center reader
- Reports reader

Users with this role can change passwords for people who might have access to sensitive or private information or critical configuration inside and outside of Microsoft Entra ID. Changing the password of a user might mean the ability to assume that user's identity and permissions.
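Several entries above (Helpdesk administrator, Password administrator, User administrator) say that whether an admin can reset a password depends on the roles the target user holds. The following script is an added example, not code from the Microsoft Learn page, that encodes exactly that scoping as stated on this page: Helpdesk and User admins can act on non-admins and on users holding the five listed roles, a Password admin can act on non-administrators and other Password admins, and a Global admin can act on anyone. The role names and the `reset_decision` / `can_reset_password` function names are this example's own; the page also says the same scoping governs a Helpdesk admin invalidating refresh tokens, so the check applies to "force sign-out" as well.

```python
"""Password-reset scope check for the limited admin roles described above.

Added example, not code from the Microsoft Learn page. The scope table is
transcribed from the role descriptions on this page; function and variable
names are this example's own.
"""

# Roles a Helpdesk admin or User admin may act on (the page's five-role list).
LOW_PRIVILEGE_ROLES = frozenset({
    "Directory reader",
    "Guest inviter",
    "Helpdesk admin",
    "Message center reader",
    "Reports reader",
})

# Acting role -> set of target roles it may act on. None means "any user".
# A target holding no admin role at all is a non-admin and is in every scope.
RESET_SCOPE = {
    "Global admin": None,
    "User admin": LOW_PRIVILEGE_ROLES,
    "Helpdesk admin": LOW_PRIVILEGE_ROLES,
    "Password admin": frozenset({"Password admin"}),
}


def reset_decision(actor_roles, target_roles):
    """Return (allowed, reason) for an actor resetting a target's password.

    The reset is allowed if at least one of the actor's reset-capable roles
    has a scope that contains every role the target holds.
    """
    capable = [r for r in actor_roles if r in RESET_SCOPE]
    if not capable:
        return False, "actor holds no role with password-reset permission"
    target = set(target_roles)
    for r in capable:
        scope = RESET_SCOPE[r]
        if scope is None:
            return True, f"{r} can reset any user's password"
        if target <= scope:
            return True, f"{r} scope covers the target's roles"
    # Every capable role here has a concrete scope, so report which target
    # roles fall outside all of them; this is the reason behind the
    # "you don't have permissions" message the page describes.
    blocked = sorted(t for t in target if all(t not in RESET_SCOPE[r] for r in capable))
    return False, "target holds out-of-scope role(s): " + ", ".join(blocked)


def can_reset_password(actor_roles, target_roles):
    """Boolean form of reset_decision; also applies to refresh-token invalidation."""
    return reset_decision(actor_roles, target_roles)[0]


if __name__ == "__main__":
    # Constructed cases, one per scoping rule stated on the page.
    cases = [
        ({"Helpdesk admin"}, set()),                       # non-admin target
        ({"Helpdesk admin"}, {"Reports reader"}),          # listed low-privilege role
        ({"Helpdesk admin"}, {"Exchange admin"}),          # out of scope
        ({"Password admin"}, {"Password admin"}),          # peer Password admin
        ({"Password admin"}, {"Helpdesk admin"}),          # out of scope
        ({"Global admin"}, {"Global admin"}),              # Global admin resets anyone
        ({"Billing admin"}, set()),                        # no reset permission at all
    ]
    for actor, target in cases:
        allowed, reason = reset_decision(actor, target)
        print(f"{sorted(actor)} -> {sorted(target) or 'non-admin'}: {allowed} ({reason})")
```

Because the check is per acting role, an admin who holds both Helpdesk admin and Password admin is allowed to reset a Password admin's password through the second role even though the first role's scope does not include it; that mirrors the page's statement that the outcome depends on the role the target user is assigned, evaluated against each role the actor holds.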

Tip

If you can't find a role in this list, go to the bottom of the list and select Show all by Category. This option sorts all available roles by category.

Additional reading. For more information, including the Windows PowerShell cmdlets associated with a role, see Microsoft Entra built-in roles.

Knowledge check

Choose the best response for the following question.

Check your knowledge

1.

Fabrikam is implementing Microsoft 365. The company's Microsoft 365 administrator, Holly Dickson, was automatically assigned the Global Administrator role when the company signed up for their Microsoft 365 services. Holly has since assigned the Global administrator role to two other users. One of those users needs access to all administrative features in Microsoft Entra ID, plus services that use Microsoft Entra identities. The other user manages Microsoft 365 apps' cloud settings, cloud policies, and self-service download management. Holly also enabled MFA for all Fabrikam users. Which of the following security guidelines recommended by Microsoft did Holly violate?