As an admin, you want to give users only the permissions they need for their roles and responsibilities. The chart below lists the available roles and who should be assigned each one:
Admin role | Who should be assigned this role? |
---|---|
Billing admin | Assign the Billing admin role to users who make purchases, manage subscriptions and service requests, and monitor service health. Billing admins also can: - Manage all aspects of billing - Create and manage support tickets in the Azure portal |
Exchange admin | Assign the Exchange admin role to users who need to view and manage your users' email mailboxes, Microsoft 365 groups, and Exchange Online. Exchange admins can also: - Recover deleted items in a user's mailbox - Set up "Send As" and "Send on behalf" delegates |
Fabric admin | Assign the Fabric admin role to users who need to do the following: - Manage all admin features for Microsoft Fabric and Power BI - Report on usage and performance - Review and manage auditing |
Global admin | Assign the Global admin role to users who need global access to most management features and data across Microsoft online services. Giving too many users global access is a security risk, and we recommend that you have between two and four Global admins. Only global admins can: - Reset passwords for all users - Add and manage domains - Unblock another global admin. Note: The person who signed up for Microsoft online services automatically becomes a Global admin. |
Global reader | Assign the global reader role to users who need to view admin features and settings in admin centers that the global admin can view. The global reader admin can't edit any settings. |
Groups admin | Assign the groups admin role to users who need to manage all groups settings across admin centers, including the Microsoft 365 admin center and Microsoft Entra admin center. Groups admins can: - Create, edit, delete, and restore Microsoft 365 groups - Create and update group creation, expiration, and naming policies - Create, edit, delete, and restore Microsoft Entra security groups |
Helpdesk admin | Assign the Helpdesk admin role to users who need to do the following: - Reset passwords - Force users to sign out - Manage service requests - Monitor service health. Note: The Helpdesk admin can only help non-admin users and users assigned these roles: Directory reader, Guest inviter, Helpdesk admin, Message center reader, and Reports reader. |
License admin | Assign the License admin role to users who need to assign and remove licenses from users and edit their usage location. License admins also can: - Reprocess license assignments for group-based licensing - Assign product licenses to groups for group-based licensing |
Message center privacy reader | Assign the Message center privacy reader role to users who need to read privacy and security messages and updates in the Microsoft 365 Message center. Message center privacy readers may get email notifications related to data privacy, depending on their preferences, and they can unsubscribe using Message center preferences. Only global administrators and Message center privacy readers can read data privacy messages. This role has no permission to view, create, or manage service requests. Message center privacy readers can also: - Monitor all notifications in the Message Center, including data privacy messages - View groups, domains, and subscriptions |
Message center reader | Assign the Message center reader role to users who need to do the following: - Monitor message center notifications - Get weekly email digests of message center posts and updates - Share message center posts - Have read-only access to Microsoft Entra services, such as users and groups |
Office Apps admin | Assign the Office Apps admin role to users who need to do the following: - Use the Cloud Policy service for Microsoft 365 to create and manage cloud-based policies. - Create and manage service requests - Manage the What's New content that users see in their Microsoft 365 apps - Monitor service health |
Organizational Message Writer | Assign the Organizational Message Writer role to users who need to write, publish, manage, and review the organizational messages for end-users through Microsoft product surfaces. |
Password admin | Assign the Password admin role to a user who needs to reset passwords for non-administrators and Password Administrators. |
Power Platform admin | Assign the Power Platform admin role to users who need to do the following: - Manage all admin features for Power Apps, Power Automate, Power BI, Microsoft Fabric, and Microsoft Purview Data Loss Prevention - Create and manage service requests - Monitor service health |
Reports reader | Assign the Reports reader role to users who need to do the following: - View usage data and the activity reports in the Microsoft 365 admin center - Get access to the Power BI adoption content pack - Get access to sign-in reports and activity in Microsoft Entra ID - View data returned by Microsoft Graph reporting API |
Search admin | Assign the Search admin role to users who need to create and manage search result content and define query settings for improved search results within the organization. The Search admin manages the Microsoft search configuration and can perform all the content-management tasks that a Search editor can. |
Service Support admin | Assign the Service Support admin role as an additional role to admins or users who need to do the following in addition to their usual admin role: - Open and manage service requests - View and share message center posts - Monitor service health |
SharePoint admin | Assign the SharePoint admin role to users who need to access and manage the SharePoint Online admin center. SharePoint admins can also: - Create and delete sites - Manage site collections and global SharePoint settings |
Teams administrator | Assign the Teams administrator role to users who need to access and manage the Teams admin center. Teams administrators can also: - Manage meetings - Manage conference bridges - Manage all org-wide settings, including federation, teams upgrade, and teams client settings |
User admin | Assign the User admin role to users who need to do the following for all users: - Add users and groups - Assign licenses - Manage most user properties - Create and manage user views - Update password expiration policies - Manage service requests - Monitor service health. The user admin can also do the following actions for users who aren't admins and for users assigned the following roles: Directory reader, Guest inviter, Helpdesk admin, Message center reader, Reports reader: - Manage usernames - Delete and restore users - Reset passwords - Force users to sign out - Update (FIDO) device keys |
User Experience Success Manager | Assign the User Experience Success Manager role to users who need to access Experience Insights, Adoption Score, and the Message Center in the Microsoft 365 admin center. This role includes the permissions of the Usage Summary Reports Reader role. |
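
The Global admin recommendation and the Helpdesk admin / User admin scope notes in the chart above can be checked against an export of role assignments. The following is an added example, not Microsoft tooling or part of the original page: the user names and assignment data are constructed, the role names are the display names used in the chart, and it assumes a user holding any role outside the five listed ones is out of a Helpdesk admin's reach.

```python
# Added example: audit a constructed role-assignment export against the chart's guidance.
GLOBAL_ADMIN_MIN, GLOBAL_ADMIN_MAX = 2, 4  # "between two and four Global admins"

# Roles whose holders a Helpdesk admin can still help, per the chart's note.
HELPDESK_RESETTABLE_ROLES = {
    "Directory reader", "Guest inviter", "Helpdesk admin",
    "Message center reader", "Reports reader",
}

# Constructed sample data: user -> set of assigned admin roles (empty set = non-admin).
ASSIGNMENTS = {
    "alice@contoso.example": {"Global admin"},
    "bob@contoso.example": {"Global admin", "Exchange admin"},
    "carol@contoso.example": {"Global admin"},
    "dave@contoso.example": {"Global admin"},
    "erin@contoso.example": {"Global admin", "Billing admin"},
    "frank@contoso.example": {"Helpdesk admin"},
    "grace@contoso.example": {"Reports reader", "SharePoint admin"},
    "heidi@contoso.example": set(),
    "ivan@contoso.example": {"Password admin"},
}


def global_admin_finding(assignments):
    """Return (status, holders) where status is 'too_few', 'ok' or 'too_many'."""
    holders = sorted(u for u, roles in assignments.items() if "Global admin" in roles)
    if len(holders) < GLOBAL_ADMIN_MIN:
        return "too_few", holders
    if len(holders) > GLOBAL_ADMIN_MAX:
        return "too_many", holders
    return "ok", holders


def helpdesk_can_reset(target_roles):
    """True when the target is a non-admin or holds only roles from the allowed list.

    Assumption: one role outside the list puts the user out of scope.
    """
    return set(target_roles) <= HELPDESK_RESETTABLE_ROLES


def helpdesk_reset_scope(assignments):
    """Users whose passwords a Helpdesk admin could reset under the chart's note."""
    return sorted(u for u, roles in assignments.items() if helpdesk_can_reset(roles))


if __name__ == "__main__":
    print(global_admin_finding(ASSIGNMENTS))
    print(helpdesk_reset_scope(ASSIGNMENTS))
```
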
Permissions based on Admin role and Group type in M365 Admin page
Admin Role | M365 Groups | Security Groups | Distribution Groups | Mail Enabled Security Groups |
---|---|---|---|---|
Global admin | Create, Read, Update, Delete | Create, Read, Update, Delete | Create, Read, Update, Delete | Create, Read, Update, Delete |
Global reader | Read | Read | Read | Read |
User admin | Create, Read, Update, Delete, Can't update EXO properties | Create, Read, Update, Delete | Read | Read |
Exchange admin | Create, Read, Update, Delete | Create, Read, Update, Delete - only groups they own | Create, Read, Update, Delete | Create, Read, Update, Delete |
Teams admin | Create, Read, Update, Delete, Can't update EXO properties | Create, Read, Update, Delete - only groups they own | Read | Read |
SharePoint admin | Create, Read, Update, Delete, Can't update EXO properties | Create, Read, Update, Delete - only groups they own | Read | Read |
Billing admin | Read | Read | Read | Read |
Skype admin | Read | Read | Read | Read |
Service admin | Read | Read | Read | Read |
Group admin | Create, Read, Update, Delete, Can't update EXO properties | Create, Read, Update, Delete | Read | Read |