
A Breakdown of Microsoft 365 Admin Roles & Responsibilities (Previously Office 365 Admin Roles)

Updated: January 29, 2021

In a more recent blog post, we talk about how to access Office 365 Security and Compliance Center and a set of new roles that can be used while managing permissions from a tenant security/compliance angle.

Best Practices and How to Access Office 365 Security and Compliance Center

Original Post: July 1, 2020

Office 365 is now Microsoft 365

Many times, I have been asked questions on the various administrator roles and responsibilities of Microsoft 365 (M365), which prompted me to write this blog. Whether your organization is new to Microsoft 365 or has already been using a Microsoft 365 (Office 365) tenant for some time, it is critical to spend time reviewing the various types of admin portal access available. Microsoft provides several different roles that target specific M365 workloads to help prevent intentional or unintentional internal breaches. Here is a comprehensive list of the roles available to you within Microsoft 365, along with best practices and recommendations based on my vast experience. If you are currently in the process of migrating to Microsoft 365, you will need to make sure you have the right admin memberships in place prior to going live.

Admin role: Who should be assigned this role?

Exchange Admin: Assign the Exchange admin role to users who need to view and manage your users’ email mailboxes, Microsoft 365 groups and Exchange Online.

Exchange admins can also:

  • Recover deleted items in a user’s mailbox
  • Configure Archiving and Deletion Policies
  • Configure Anti-Spam protection
  • Set up “Send As” and “Send on Behalf” delegates

Global Admin: Assign the Global admin role to users who need global access to most management features and data across Microsoft online services.

Only global admins can:

  • Reset passwords for all users
  • Add and manage domains

Note: The person who signed up for Microsoft online services automatically becomes a Global admin.

Pro tip: Giving too many users global access is a security risk and we recommend that you have between 2 and 4 Global admins.

Global Reader: Assign the global reader role to users who need to view admin features and settings in admin centers that the global admin can view. The global reader admin cannot edit any settings. This role can be good when performing an audit.

Groups Admin: Assign the groups admin role to users who need to manage all groups’ settings across admin centers, including the Microsoft 365 admin center and Azure Active Directory portal.

Groups admins can:

  • Create, edit, delete, and restore Microsoft 365 groups
  • Create and update group creation, expiration, and naming policies
  • Create, edit, delete, and restore Azure Active Directory security groups

Helpdesk Admin: Assign the Helpdesk admin role to users who need to do the following:

  • Reset passwords
  • Force users to sign out
  • Manage service requests
  • Monitor service health

Note: The Helpdesk admin can only help non-admin users and users assigned these roles: Directory reader, Guest inviter, Helpdesk admin, Message center reader, and Reports reader.

Office Apps Admin: Assign the Office Apps admin role to users who need to do the following:

  • Use the Office cloud policy service to create and manage cloud-based policies for Office
  • Create and manage service requests
  • Manage the What’s New content that users see in their Office apps
  • Monitor service health

Service Admin: Assign the Service admin role as an additional role to admins or users whose role does not include the following tasks but who still need to perform them:

  • Open and manage service requests
  • View and share message center posts

SharePoint Admin: Assign the SharePoint admin role to users who need to access and manage the SharePoint Online admin center.

SharePoint admins can also:

  • Create and delete sites
  • Manage site collections and global SharePoint settings

Note: Users assigned to this role will have access to all content.

Teams Service Admin: Assign the Teams service admin role to users who need to access and manage the Teams admin center.

Teams service admins can also:

  • Manage meetings
  • Manage conference bridges
  • Manage all org-wide settings, including federation, Teams upgrade, and Teams client settings

Note: Users assigned to this role will have access to all content.

User Admin: Assign the User admin role to users who need to do the following for all users:

  • Add users and groups
  • Assign licenses
  • Manage most user properties
  • Create and manage user views
  • Update password expiration policies
  • Manage service requests
  • Monitor service health

The user admin can also do the following actions for users who aren’t admins and for users assigned the following roles: Directory reader, Guest inviter, Helpdesk admin, Message center reader, Reports reader:

  • Manage usernames
  • Delete and restore users
  • Reset passwords
  • Force users to sign out
  • Update (FIDO) device keys

Advanced/Granular Roles and Permissions

Additionally, if you are part of a larger organization, you should look into admin roles with reduced access (using Role-Based Access Control, or RBAC), which are available only for Exchange Online and Microsoft Teams. As your IT department grows, you will find these roles useful for dedicating some IT admins to specific areas of Microsoft 365 as you work out how best to secure the corporate data in your tenant.

Exchange Online

In Exchange Online, there are several built-in role groups that can be used for specific tasks within the service (e.g., compliance work, troubleshooting, configuration). Based on my experience, these are some of the common roles that get assigned:

  • Help Desk role, so that admins can manage user mailbox settings while being prevented from making changes to mail flow.
  • Compliance role for security admins, so they can perform audit log searches.

Whether you’re ready to onboard to the M365 tenant or have already rolled it out, we can help you identify and assign roles and provide recommendations and best practices. Please contact a member of Withum’s Digital and Technology Transformation team to speak with a consultant today.

Microsoft Teams

In Teams, the following “sub-roles” are available in addition to the Teams Service Administrator:

Admin role: Who should be assigned this role?

Teams Communications Administrator: Manage calling and meetings features within the Teams service.

Teams Communications Support Engineer: Troubleshoot communications issues within Teams by using advanced tools. The Engineer can access Call Analytics with full PII information and advanced statistics.

Teams Communications Support Specialist: Troubleshoot communications issues within Teams by using basic tools. The Specialist cannot get PII information or advanced statistics when using Call Analytics. Data is anonymized.

Compare Admin Roles

Pro Tip: Given the large number of roles and tasks available to admins in Microsoft 365, it can be challenging to work out which role to grant to an admin who will be performing a specific duty. Microsoft 365 has a built-in tool that helps you compare roles and determine which ones should be used for which administrator. You can access the Roles menu in the Admin Portal (https://admin.microsoft.com/AdminPortal/Home#/rbac/directory), select three roles and click “Compare Roles”.

Key Best Practices

Here are some guidelines to help you implement admin roles in Microsoft 365:

  • Small Business
    • Have 2-4 Global Administrators in the tenant and reduce/limit usage of secondary admin roles
    • Make sure to enable Multi-Factor Authentication (MFA) on all Global Admins except for one, the break glass account
    • Create a break glass account directly in the cloud (not synced) with a complex password and store its password in a password manager. Make sure not to enable MFA on that account. It should only be used in the event of an outage with MFA.
  • Larger Organizations
    • In addition to the 2-4 Global Administrators, segment other IT administrators into multiple other admin roles
    • Make sure to segment only when necessary, as a deep segmentation may hinder IT admins from performing all their required tasks.
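
An audit of these guidelines as an added example (not code from the original post): the PowerShell function below checks a list of Global admins against the 2-4 count, the MFA rule and the cloud-only break glass rule. The sample rows, the property names (Upn, MfaEnabled, DirSynced) and the function name are assumptions made for illustration.

```powershell
# Added example. Rows are CONSTRUCTED sample data; the property names are
# assumptions for this sketch, not a Microsoft 365 export format.
$globalAdmins = @(
    [pscustomobject]@{ Upn = 'alice@example.com';      MfaEnabled = $true;  DirSynced = $true  }
    [pscustomobject]@{ Upn = 'bob@example.com';        MfaEnabled = $false; DirSynced = $true  }
    [pscustomobject]@{ Upn = 'carol@example.com';      MfaEnabled = $true;  DirSynced = $false }
    [pscustomobject]@{ Upn = 'dave@example.com';       MfaEnabled = $true;  DirSynced = $true  }
    [pscustomobject]@{ Upn = 'breakglass@example.com'; MfaEnabled = $false; DirSynced = $true  }
)

function Test-GlobalAdminGuidelines {
    param(
        [Parameter(Mandatory)] [object[]] $Admins,
        [Parameter(Mandatory)] [string]   $BreakGlassUpn
    )

    # Guideline: 2-4 Global Administrators in the tenant.
    if ($Admins.Count -lt 2 -or $Admins.Count -gt 4) {
        "Global admin count is $($Admins.Count); guideline is 2-4"
    }

    # Guideline: exactly one break glass account holds the role.
    $breakGlass = @($Admins | Where-Object { $_.Upn -eq $BreakGlassUpn })
    if ($breakGlass.Count -ne 1) {
        "Expected one break glass Global admin named $BreakGlassUpn, found $($breakGlass.Count)"
    }

    foreach ($admin in $Admins) {
        if ($admin.Upn -eq $BreakGlassUpn) {
            # Guideline: break glass account is created in the cloud, not synced.
            if ($admin.DirSynced) { "$($admin.Upn): break glass account is directory-synced" }
        }
        elseif (-not $admin.MfaEnabled) {
            # Guideline: MFA on every Global admin except the break glass account.
            "$($admin.Upn): Global admin without MFA"
        }
    }
}

$findings = @(Test-GlobalAdminGuidelines -Admins $globalAdmins -BreakGlassUpn 'breakglass@example.com')
$findings | ForEach-Object { Write-Output "FINDING: $_" }
if ($findings.Count -eq 0) { Write-Output 'All Global admin guidelines met.' }
```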

In my next blog, I will talk about different types of roles to manage a Microsoft 365 tenant from a Security and Compliance point of view, as opposed to this current blog post, which described the more traditional Service-based admin roles.

In conclusion, as the saying goes, with great power comes great responsibility. Take the time to review and compare the roles and assign the right people for the tasks.
