Microsoft 365 admin roles explained

Admin roleWho should be assigned this role?
Billing admin
Assign the Billing admin role to users who make purchases, manage subscriptions and service requests, and monitor service health.

Billing admins also can:
– Manage all aspects of billing
– Create and manage support tickets in the Azure portal
Exchange adminAssign the Exchange admin role to users who need to view and manage your user’s email mailboxes, Microsoft 365 groups, and Exchange Online.

Exchange admins can also:
– Recover deleted items in a user’s mailbox
– Set up “Send As” and “Send on behalf” delegates
Global adminAssign the Global admin role to users who need global access to most management features and data across Microsoft online services.

Giving too many users global access is a security risk and we recommend that you have between 2 and 4 Global admins.

Only global admins can:
– Reset passwords for all users
– Add and manage domains
– Unblock another global admin

Note: The person who signed up for Microsoft online services automatically becomes a Global admin.
Global readerAssign the global reader role to users who need to view admin features and settings in admin centers that the global admin can view. The global reader admin can’t edit any settings.
Groups adminAssign the groups admin role to users who need to manage all groups settings across admin centers, including the Microsoft 365 admin center and Azure Active Directory portal.

Groups admins can:
– Create, edit, delete, and restore Microsoft 365 groups
– Create and update group creation, expiration, and naming policies
– Create, edit, delete, and restore Azure Active Directory security groups
Helpdesk adminAssign the Helpdesk admin role to users who need to do the following:
– Reset passwords
– Force users to sign out
– Manage service requests
– Monitor service health

Note: The Helpdesk admin can only help non-admin users and users assigned these roles: Directory reader, Guest inviter, Helpdesk admin, Message center reader, and Reports reader.
License adminAssign the License admin role to users who need to assign and remove licenses from users and edit their usage location.

License admins also can:
– Reprocess license assignments for group-based licensing
– Assign product licenses to groups for group-based licensing
Office Apps adminAssign the Office Apps admin role to users who need to do the following:
– Use the Office cloud policy service to create and manage cloud-based policies for Office
– Create and manage service requests
– Manage the What’s New content that users see in their Office apps
– Monitor service health
Password adminAssign the Password admin role to a user who needs to reset passwords for non-administrators and Password Administrators.
Message center readerAssign the Message center reader role to users who need to do the following:
– Monitor message center notifications
– Get weekly email digests of message center posts and updates
– Share message center posts
– Have read-only access to Azure AD services, such as users and groups
Power Platform adminAssign the Power Platform admin role to users who need to do the following:
– Manage all admin features for Power Apps, Power Automate, and Microsoft Purview Data Loss Prevention
– Create and manage service requests
– Monitor service health
Reports readerAssign the Reports reader role to users who need to do the following:
– View usage data and the activity reports in the Microsoft 365 admin center
– Get access to the Power BI adoption content pack
– Get access to sign-in reports and activity in Azure AD
– View data returned by Microsoft Graph reporting API
Service Support adminAssign the Service Support admin role as an additional role to admins or users who need to do the following in addition to their usual admin role:
– Open and manage service requests
– View and share message center posts
– Monitor service health
SharePoint adminAssign the SharePoint admin role to users who need to access and manage the SharePoint Online admin center.

SharePoint admins can also:
– Create and delete sites
– Manage site collections and global SharePoint settings
Teams administratorAssign the Teams administrator role to users who need to access and manage the Teams admin center.

Teams administrator can also:
– Manage meetings
– Manage conference bridges
– Manage all org-wide settings, including federation, teams upgrade, and teams client settings
User adminAssign the User admin role to users who need to do the following for all users:
– Add users and groups
– Assign licenses
– Manage most users properties
– Create and manage user views
– Update password expiration policies
– Manage service requests
– Monitor service health

The user admin can also do the following actions for users who aren’t admins and for users assigned the following roles: Directory reader, Guest inviter, Helpdesk admin, Message center reader, Reports reader:
– Manage usernames
– Delete and restore users
– Reset passwords
– Force users to sign out
– Update (FIDO) device keys

Source

Leave a Reply