Microsoft Office 365 admin roles give users authorization to perform certain tasks in the Office 365 admin center. Only the global administrator can assign or modify an admin role, which grants the permissions required to control certain functions in Office 365.
Microsoft designed Office 365 admin roles to complement common business-related functions to make it clear which users are most appropriate for each role.
Considerations regarding Office 365 admin roles
The organization with the Office 365 subscription can assign Office 365 admin roles to more than one user. This allows several trusted individuals to share responsibilities and handle a greater volume of activity than might be possible for one administrator. A user can belong to more than one Office 365 admin role, which can be useful for smaller organizations or to let administrative groups function more efficiently.
Office 365 supports the idea of delegated administration to allow Microsoft partners to receive roles to provide important services. A partner can also assign admin roles to individuals in the organization. Delegated administration requires the partner to be assigned as a delegated admin on the Office 365 account.
The admin roles for Office 365
- The global administrator role provides the highest level of permissions for the Office 365 account. The global administrator can access and manage all administrative features. There can be more than one global administrator configured for the account, but it is considered best practice to limit this number to reduce security vulnerabilities.
- The Exchange administrator role allows a user to manage mailboxes and content policies. Exchange administrators have access to the Exchange admin center and all activity reports produced by the Office 365 admin center.
- The user management administrator role gives a user permission to execute basic tasks to assist the global administrator. User management administrators can reset passwords, check Office 365 service health, and add or remove general user accounts. The user management administrator role cannot delete global administrators, create other administrative roles, or reset passwords for other Office 365 admin roles.
- The password administrator role gives a user access to reset user passwords, file helpdesk tickets with Microsoft and check the health of Office 365 services.
- The SharePoint administrator role gives a user the rights to manage SharePoint behavior, such as storage and collaboration activities, through the SharePoint admin center. SharePoint administrators have access to all activity reports produced by the Office 365 admin center. This role allows the user to assign other users to help with document organization as site collection administrators and retention experts as term store administrators.
- The compliance administrator role authorizes a user to manage security and compliance policies in Office 365. Compliance admins can perform tasks related to this role in the Office 365 admin center, the Exchange Online admin center, the Azure Active Directory admin portal and the Office 365 Security & Compliance Center. Compliance admins can review and audit to validate compliance with policies. They have access to all activity reports and service requests produced by the Office 365 admin center.
- The service administrator role gives a user rights to open and handle support requests with Microsoft related to Office 365 services. Service administrators have very limited permissions other than opening and reading support tickets. This role is often coupled with other administrative roles such as Exchange, SharePoint and others to let those administrators follow key details such as service health and new release notices.
- The billing administrator role grants capabilities similar to those of the service administrator role. Users in this role can purchase and change services, manage Office 365 subscriptions, manage support tickets and monitor service health.
- The Power BI administrator role gives a user permission to access and view Office 365 metrics to track usage and other business intelligence statistics. The user can also configure Power BI metrics collection.
- The Skype for Business administrator role allows the user to configure Skype for Business as a communication and collaboration tool. The user has access to all activity reports and service requests produced by the Office 365 admin center.
- Typically, a user assigned to the global administrator role in Office 365 will also have the Dynamics 365 system administrator role. Dynamics 365 is an online service for customer relationship management and enterprise resource planning. Dynamics 365 does not provide Office 365 services, but it can be used for user management on that platform when both services are used by the organization. The Dynamics 365 system administrator can assign other users to Dynamics 365 security roles involving subscriptions, licenses and user accounts. The Dynamics 365 system administrator can delegate other users as Dynamics 365 service administrators to assign management functions and bypass the need to apply Office 365 global administrator privileges; this protects Office 365 subscriptions from potential misuse.
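
A least-privilege review of these role assignments can be scripted. The following is an added example, not Microsoft code: it reads a constructed CSV export of user/role pairs and reports the global administrator count, roles that are redundant for global administrators, and every account that can reset passwords according to the role descriptions above. The CSV layout, the role label strings and the `MAX_GLOBAL_ADMINS` threshold are assumptions for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export: one row per (user, role) assignment.
SAMPLE_CSV = """user,role
alice@example.com,Global administrator
bob@example.com,Global administrator
carol@example.com,Global administrator
carol@example.com,Exchange administrator
dave@example.com,Exchange administrator
dave@example.com,Service administrator
erin@example.com,Password administrator
frank@example.com,User management administrator
"""

GLOBAL = "Global administrator"
# Roles described above as able to reset user passwords.
PASSWORD_RESET_ROLES = {GLOBAL, "User management administrator", "Password administrator"}
MAX_GLOBAL_ADMINS = 2  # assumed local policy value, not a Microsoft limit


def load_assignments(text):
    """Return {user: set(roles)} from CSV text with 'user' and 'role' columns."""
    roles = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        roles[row["user"].strip().lower()].add(row["role"].strip())
    return dict(roles)


def review(assignments, max_global=MAX_GLOBAL_ADMINS):
    """Summarise the findings a least-privilege review would look at."""
    global_admins = sorted(u for u, r in assignments.items() if GLOBAL in r)
    return {
        "global_admins": global_admins,
        "too_many_global_admins": len(global_admins) > max_global,
        # Global admin already covers every admin feature, so extra roles are redundant.
        "redundant_roles": {u: sorted(assignments[u] - {GLOBAL})
                            for u in global_admins if len(assignments[u]) > 1},
        "can_reset_passwords": sorted(u for u, r in assignments.items()
                                      if r & PASSWORD_RESET_ROLES),
    }


if __name__ == "__main__":
    for key, value in review(load_assignments(SAMPLE_CSV)).items():
        print(f"{key}: {value}")
```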