Updated: January 29, 2021
Original Post: July 1, 2020
Office 365 is now Microsoft 365
Many times, I have been asked questions on the various administrator roles and responsibilities of Microsoft 365 (M365), which prompted me to write this blog. Whether your organization is new to Microsoft 365 or has already been using a Microsoft 365 (Office 365) tenant for some time, it is always critical to spend time reviewing who holds access to the various admin portals. Microsoft provides several different roles targeting specific M365 workloads to help prevent intentional or unintentional internal breaches. Here is a comprehensive list of the roles available to you within Microsoft 365, along with best practices and recommendations based on my experience. If you are currently in the process of migrating to Microsoft 365, make sure you have the right admin memberships in place prior to going live.
|Admin role|Who should be assigned to this role?|
|---|---|
|Exchange Admin|Assign the Exchange admin role to users who need to view and manage your users' email mailboxes, Microsoft 365 groups and Exchange Online.<br>Exchange admins can also:|
|Global Admin|Assign the Global admin role to users who need global access to most management features and data across Microsoft online services.<br>Only global admins can:<br>Note: The person who signed up for Microsoft online services automatically becomes a Global admin.<br>Pro tip: Giving too many users global access is a security risk and we recommend that you have between 2 and 4 Global admins.|
|Global Reader|Assign the global reader role to users who need to view the admin features and settings in admin centers that the global admin can view. The global reader cannot edit any settings. This role is a good fit when performing an audit.|
|Groups Admin|Assign the groups admin role to users who need to manage all groups' settings across admin centers, including the Microsoft 365 admin center and Azure Active Directory portal.<br>Groups admins can:|
|Helpdesk Admin|Assign the Helpdesk admin role to users who need to do the following:<br>Note: The Helpdesk admin can only help non-admin users and users assigned these roles: Directory reader, Guest inviter, Helpdesk admin, Message center reader, and Reports reader.|
|Office Apps Admin|Assign the Office Apps admin role to users who need to do the following:|
|Service Admin|Assign the Service admin role as an additional role to admins or users whose role does not include the following, but who still need to do the following:|
|SharePoint Admin|Assign the SharePoint admin role to users who need to access and manage the SharePoint Online admin center.<br>SharePoint admins can also:<br>Note: Users assigned to this role will have access to all content.|
|Teams Service Admin|Assign the Teams service admin role to users who need to access and manage the Teams admin center.<br>Teams service admins can also:<br>Note: Users assigned to this role will have access to all content.|
|User Admin|Assign the User admin role to users who need to do the following for all users:<br>The user admin can also do the following actions for users who aren't admins and for users assigned the following roles: Directory reader, Guest inviter, Helpdesk admin, Message center reader, Reports reader:|
Advanced/Granular Roles and Permissions
Additionally, if you are part of a larger organization, you should look into admin roles with reduced access (using Role-Based Access Control, RBAC), which are currently available only for Exchange Online and Microsoft Teams. As your IT department grows, you will find these roles useful for dedicating some IT admins to specific areas of Microsoft 365 as you work on securing the corporate data in your tenant.
In Exchange Online, there are several built-in role groups that can be used for specific tasks within the service (e.g., compliance work, troubleshooting, configuration, etc.).
Based on my experience, these are some of the common roles that get assigned:
- Help Desk role group, so admins can manage user mailbox settings while being prevented from making changes to mail flow.
- Compliance role group for security admins, so they can perform audit log searches.
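The delegation described above, as an added example in Exchange Online PowerShell (it is not code from the original post). It assumes the ExchangeOnlineManagement module is installed, that the caller already holds a role allowed to manage role groups, and that the user principal name and the list of "sensitive" mail-flow roles are placeholders you adjust to your tenant. It lists the management roles carried by the two built-in role groups the post mentions, checks that the Help Desk group really carries none of the mail-flow roles before handing it out, then adds a support user to it and verifies the membership.

```powershell
# Added example, not from the original post.
# Assumes: ExchangeOnlineManagement module; caller can manage role groups.
$SupportUser = 'support.engineer@contoso.example'   # placeholder UPN

# Mail-flow roles you consider off-limits for support staff (assumption; adjust
# to the roles present in your tenant, see Get-ManagementRole).
$MailFlowRoles = @('Transport Rules', 'Remote and Accepted Domains', 'Transport Hygiene')

Connect-ExchangeOnline -ShowBanner:$false

# 1. Show which management roles each built-in role group actually carries.
foreach ($group in 'Help Desk', 'Compliance Management') {
    $roles = Get-ManagementRoleAssignment -RoleAssignee $group |
        Select-Object -ExpandProperty Role -Unique
    Write-Host "[$group] roles: $($roles -join ', ')"
}

# 2. Before delegating, confirm "Help Desk" carries no mail-flow roles
#    (the property the post relies on for this role group).
$helpDeskRoles = Get-ManagementRoleAssignment -RoleAssignee 'Help Desk' |
    Select-Object -ExpandProperty Role -Unique
$overlap = $helpDeskRoles | Where-Object { $MailFlowRoles -contains $_ }
if ($overlap) {
    Write-Warning "Help Desk carries mail-flow roles ($($overlap -join ', ')); review before delegating"
} else {
    Write-Host 'Help Desk carries no mail-flow roles.'
}

# 3. Delegate by adding the user to the scoped role group, not to
#    Organization Management.
Add-RoleGroupMember -Identity 'Help Desk' -Member $SupportUser

# 4. Verify the resulting membership.
Get-RoleGroupMember -Identity 'Help Desk' | Select-Object Name, RecipientType

Disconnect-ExchangeOnline -Confirm:$false
```

Step 2 is the part worth keeping in a recurring audit: role group contents are editable, so a membership review should re-check what the group grants, not only who is in it.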
In Teams, the following "sub-roles" are available in addition to the Teams Service Administrator:
|Admin Role|Who should be assigned to this role?|
|---|---|
|Teams Communications Administrator|Manage calling and meeting features within the Teams service.|
|Teams Communications Support Engineer|Troubleshoot communications issues within Teams using advanced tools. The Engineer can access Call Analytics with full PII information and advanced statistics.|
|Teams Communications Support Specialist|Troubleshoot communications issues within Teams using basic tools. The Specialist cannot see PII information or advanced statistics when using Call Analytics; data is anonymized.|
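Assigning one of these sub-roles instead of Teams Service Administrator, as an added example using the Microsoft Graph PowerShell SDK (not code from the original post). It assumes the Microsoft.Graph module, a caller permitted to assign directory roles, and a placeholder user principal name. Built-in roles exist as templates and only get a role object in the tenant once first used, so the script activates the template if needed, adds the user by reference, and lists the holders afterwards.

```powershell
# Added example, not from the original post.
# Assumes: Microsoft.Graph PowerShell SDK; caller may assign directory roles.
$TargetUser = 'tier1.support@contoso.example'            # placeholder UPN
$RoleName   = 'Teams Communications Support Specialist'  # anonymized-data role from the table

Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'User.Read.All'

# Built-in roles are templates; the role object appears in the tenant only
# after it is activated the first time.
$role = Get-MgDirectoryRole -Filter "displayName eq '$RoleName'"
if (-not $role) {
    $template = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq $RoleName
    $role = New-MgDirectoryRole -RoleTemplateId $template.Id
}

$user = Get-MgUser -UserId $TargetUser -Property Id, UserPrincipalName

# Idempotent: skip if already a member, otherwise add the user by reference.
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id
if ($members.Id -contains $user.Id) {
    Write-Host "$TargetUser already holds '$RoleName'"
} else {
    New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -BodyParameter @{
        '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)"
    }
    Write-Host "Assigned '$RoleName' to $TargetUser"
}

# Verify: who holds the role now.
Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id |
    ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }

Disconnect-MgGraph | Out-Null
```

The same pattern works for any of the built-in roles in the tables above; only `$RoleName` changes.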
Compare Admin Roles
Pro Tip: Given the large number of roles and tasks available to admins in Microsoft 365, it can be challenging to work out which role to grant an admin who will be performing a specific duty. Microsoft 365 has a built-in tool that helps you compare roles and determine which one should be used for which administrator. Open the Roles menu in the Admin Portal (https://admin.microsoft.com/AdminPortal/Home#/rbac/directory), select up to three roles and click "Compare Roles".
Key Best Practices
Here are some guidelines to help you implement admin roles in Microsoft 365:
- Small Business
  - Have 2-4 Global Administrators in the tenant and reduce/limit usage of secondary admin roles.
  - Make sure to enable Multi-Factor Authentication (MFA) on all Global Admins except for one: the break-glass account.
  - Create a break-glass account directly in the cloud (not synced) with a complex password and store its password in a password manager. Make sure not to enable MFA on that account. It should only be used in the event of an outage with MFA.
- Larger Organizations
  - In addition to the 2-4 Global Administrators, segment other IT administrators into multiple other admin roles.
  - Make sure to segment only when necessary, as deep segmentation may hinder IT admins from performing all their required tasks.
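A check that turns the guidelines above into something you can run on a schedule, as an added example using the Microsoft Graph PowerShell SDK (not code from the original post). It assumes the Microsoft.Graph module, read-only permissions on directory roles and authentication methods, and a placeholder break-glass user principal name. It reports when the number of Global Administrators falls outside 2-4, when any Global Administrator other than the designated break-glass account has no authentication method beyond a password registered, and when the break-glass account is directory-synced rather than cloud-only.

```powershell
# Added example, not from the original post.
# Assumes: Microsoft.Graph PowerShell SDK; read-only role and auth-method scopes.
$BreakGlassUpn = 'breakglass@contoso.example'   # placeholder: your break-glass account

Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'User.Read.All', 'UserAuthenticationMethod.Read.All'

$role    = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$members = @(Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' })

$findings = @()

# Guideline 1: between 2 and 4 Global Administrators.
if ($members.Count -lt 2 -or $members.Count -gt 4) {
    $findings += "Global Administrator count is $($members.Count); guidance is 2-4"
}

foreach ($m in $members) {
    $user = Get-MgUser -UserId $m.Id -Property Id, UserPrincipalName, OnPremisesSyncEnabled
    $upn  = $user.UserPrincipalName

    # Any registered method other than the password counts as a second factor.
    $methods = Get-MgUserAuthenticationMethod -UserId $user.Id
    $strong  = $methods | Where-Object {
        $_.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.passwordAuthenticationMethod'
    }

    if ($upn -eq $BreakGlassUpn) {
        # Guideline 3: break-glass account must be cloud-only (not synced).
        if ($user.OnPremisesSyncEnabled) {
            $findings += "$upn (break-glass) is directory-synced; it should be cloud-only"
        }
    } elseif (-not $strong) {
        # Guideline 2: every other Global Administrator has MFA registered.
        $findings += "$upn has no MFA method registered"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'Global Administrator assignments match the guidance.' }

Disconnect-MgGraph | Out-Null
```

Registered methods are the signal available through this API; whether MFA is actually enforced at sign-in is a Conditional Access or Security Defaults question and is checked separately.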
In my next blog, I will cover the roles used to manage a Microsoft 365 tenant from a Security and Compliance point of view, as opposed to the more traditional service-based admin roles described in this post.
In conclusion, as the saying goes, with great power comes great responsibility. Take the time to review and compare the roles and assign the right people for the tasks.