- Article
Check out Microsoft 365 small business help on YouTube.
Microsoft 365 or Office 365 subscription comes with a set of admin roles that you can assign to users in your organization using the Microsoft 365 admin center. Each admin role maps to common business functions and gives people in your organization permissions to do specific tasks in the admin centers.
Tip
If you need help with the steps in this topic, consider working with a Microsoft small business specialist. With Business Assist, you and your employees get around-the-clock access to small business specialists as you grow your business, from onboarding to everyday use.
Watch: What is an admin?
Check out this video and others on our YouTube channel.
- While signed into Microsoft 365, select the app launcher. If you see the Admin button, then you're an admin.
- Select Admin to go to the Microsoft 365 admin center.
- In the left navigation pane, select Users > Active users.
- Select the person who you want to make an admin. The user's details appear in the right dialog box.
Before you begin
The Microsoft 365 admin center lets you manage Azure AD roles and Microsoft Intune roles. However, these roles are a subset of the roles available in the Azure AD portal and the Intune admin center.
For the full list of detailed Azure AD role descriptions you can manage in the Microsoft 365 admin center, check out Administrator role permissions in the Azure AD built-in roles topic.
For the full list of detailed Intune role descriptions you can manage in the Microsoft 365 admin center, check out Role-based access control (RBAC) with Microsoft Intune.
For more information on assigning roles in the Microsoft 365 admin center, see Assign admin roles.
Security guidelines for assigning roles
Because admins have access to sensitive data and files, we recommend that you follow these guidelines to keep your organization's data more secure.
| Recommendation | Why is this important? |
|---|---|
| Have 2 to 4 Global Admins | Global Admins have almost unlimited access to your organization's settings and most of its data. We recommend you limit the number of Global Admins as much as possible. A Global Admin may inadvertently lock their account and require a password reset. Either another Global Admin or a Privileged Authentication Admin can reset a Global Admin's password. Therefore, we recommend you have at least either one more Global Admin or a Privileged Authentication Admin in the event a Global Admin locks their account. |
| Assign the least permissive role | Assigning the least permissive role means giving admins only the access they need to get the job done. For example, if you want someone to reset employee passwords you shouldn't assign the unlimited global admin role, you should assign a limited admin role, like Password admin or Helpdesk admin. |
| Require multi-factor authentication for admins | It's actually a good idea to require MFA for all of your users, but admins should definitely be required to use MFA to sign in. MFA makes users use a second method of identification to verify their identity. Admins can have access to much of customer and employee data. If you require MFA, even if the admin's password gets compromised, the password is useless without the second method of identification. When you turn on MFA, the next time the user signs in, they'll need to provide an alternate email address and phone number for account recovery. |
If you get a message in the admin center that you don't have permissions to edit a setting or page, it's because you're assigned a role that doesn't have that permission.
Commonly used Microsoft 365 admin center roles
In the Microsoft 365 admin center, you can go to Role assignments, and then select any role to open its detail pane. Select the Permissions tab to view the detailed list of what admins assigned that role have permissions to do. Select the Assigned or Assigned admins tab to add users to roles.
You'll probably only need to assign the following roles in your organization. By default, we first show roles that most organizations use. If you can't find a role, go to the bottom of the list and select Show all by Category. (For detailed information, including the cmdlets associated with a role, see Azure AD built-in roles.)
| Admin role | Who should be assigned this role? |
|---|---|
| Billing admin | Assign the Billing admin role to users who make purchases, manage subscriptions and service requests, and monitor service health. Billing admins also can: |
| Exchange admin | Assign the Exchange admin role to users who need to view and manage your user's email mailboxes, Microsoft 365 groups, and Exchange Online. Exchange admins can also: |
| Global admin | Assign the Global admin role to users who need global access to most management features and data across Microsoft online services. Giving too many users global access is a security risk and we recommend that you have between two and four Global admins. Only global admins can: Note: The person who signed up for Microsoft online services automatically becomes a Global admin. |
| Global reader | Assign the global reader role to users who need to view admin features and settings in admin centers that the global admin can view. The global reader admin can't edit any settings. |
| Groups admin | Assign the groups admin role to users who need to manage all groups settings across admin centers, including the Microsoft 365 admin center and Azure Active Directory portal. Groups admins can: |
| Helpdesk admin | Assign the Helpdesk admin role to users who need to do the following: - Reset passwords - Force users to sign out - Manage service requests - Monitor service health Note: The Helpdesk admin can only help non-admin users and users assigned these roles: Directory reader, Guest inviter, Helpdesk admin, Message center reader, and Reports reader. |
| License admin | Assign the License admin role to users who need to assign and remove licenses from users and edit their usage location. License admins also can: |
| Message center privacy reader | Assign the Message center privacy reader role to users who need to read privacy and security messages and updates in the Microsoft 365 Message center. Message center privacy readers may get email notifications related to data privacy, depending on their preferences, and they can unsubscribe using Message center preferences. Only global administrators and Message center privacy readers can read data privacy messages. This role has no permission to view, create, or manage service requests. Message center privacy readers can also: |
| Message center reader | Assign the Message center reader role to users who need to do the following: - Monitor message center notifications - Get weekly email digests of message center posts and updates - Share message center posts - Have read-only access to Azure AD services, such as users and groups |
| Office Apps admin | Assign the Office Apps admin role to users who need to do the following: - Use the Cloud Policy service for Microsoft 365 to create and manage cloud-based policies. - Create and manage service requests - Manage the What's New content that users see in their Microsoft 365 apps - Monitor service health |
| Organizational Message Writer | Assign the Organizational Message Writer role to users who need to write, publish, manage, and review the organizational messages for end-users through Microsoft product surfaces. |
| Password admin | Assign the Password admin role to a user who needs to reset passwords for non-administrators and Password Administrators. |
| Power Platform admin | Assign the Power Platform admin role to users who need to do the following: - Manage all admin features for Power Apps, Power Automate, and Microsoft Purview Data Loss Prevention - Create and manage service requests - Monitor service health |
| Reports reader | Assign the Reports reader role to users who need to do the following: - View usage data and the activity reports in the Microsoft 365 admin center - Get access to the Power BI adoption content pack - Get access to sign-in reports and activity in Azure AD - View data returned by Microsoft Graph reporting API |
| Service Support admin | Assign the Service Support admin role as an additional role to admins or users who need to do the following in addition to their usual admin role: - Open and manage service requests - View and share message center posts - Monitor service health |
| SharePoint admin | Assign the SharePoint admin role to users who need to access and manage the SharePoint Online admin center. SharePoint admins can also: |
| Teams administrator | Assign the Teams administrator role to users who need to access and manage the Teams admin center. Teams administrator can also: |
| User admin | Assign the User admin role to users who need to do the following for all users: - Add users and groups - Assign licenses - Manage most users properties - Create and manage user views - Update password expiration policies - Manage service requests - Monitor service health The user admin can also do the following actions for users who aren't admins and for users assigned the following roles: Directory reader, Guest inviter, Helpdesk admin, Message center reader, Reports reader: |
| User Experience Success Manager | Assign the User Experience Success Manager role to users who need to access Experience Insights, Adoption Score, and the Message Center in the Microsoft 365 admin center. This role includes the permissions of the Usage Summary Reports Reader role. |
Permissions based on Admin role and Group type in M365 Admin page
| Admin Role | M365 Groups | Security Groups | Distribution Groups | Mail Enabled Security Groups |
|---|---|---|---|---|
| Global admin | Create, Read, Update, Delete | Create, Read, Update, Delete | Create, Read, Update, Delete | Create, Read, Update, Delete |
| Global reader | Read | Read | Read | Read |
| User admin | Create, Read, Update, Delete, Can't update EXO properties | Create, Read, Update, Delete | Read | Read |
| Exchange admin | Create, Read, Update, Delete | Create, Read, Update, Delete - only groups they own | Create, Read, Update, Delete | Create, Read, Update, Delete |
| Teams admin | Create, Read, Update, Delete, Can't update EXO properties | Create, Read, Update, Delete - only groups they own | Read | Read |
| SharePoint admin | Create, Read, Update, Delete, Can't update EXO properties | Create, Read, Update, Delete -only groups they own | Read | Read |
| Billing admin | Read | Read | Read | Read |
| Skype admin | Read | Read | Read | Read |
| Service admin | Read | Read | Read | Read |
| Group admin | Create, Read, Update, Delete, Can't update EXO properties | Create, Read, Update, Delete | Read | Read |
Delegated administration for Microsoft Partners
If you're working with a Microsoft partner, you can assign them admin roles. They, in turn, can assign users in your company, or their company, admin roles. You may want to assign admin roles to partners if they're setting up and managing your online organization for you.
A partner can assign these roles:
Admin Agent Privileges equivalent to a global admin, except for managing multi-factor authentication through the Partner Center.
Helpdesk Agent Privileges equivalent to a helpdesk admin.
Before the partner can assign these roles to users, you must add the partner as a delegated admin to your account. The partner has to be an authorized partner. The partner sends you an email to ask you if you want to give them permission to act as a delegated admin. For instructions, see Authorize or remove partner relationships.
Volume licensing roles
Permissions to volume licensing information in Microsoft 365 admin center are controlled by the VL Agreement Administrators in Volume Licensing Service Center (VLSC), even for VL roles that predominantly use functionality in the Microsoft 365 admin center rather than VLSC.
Some volume licensing (VL) functionality is now available in Microsoft 365 admin center in a new volume licensing blade visible only to volume licensing users only.
Volume licensing users see no other Microsoft 365 admin center information or functionality.
Microsoft 365 admin center Global Admins have no role in assigning VL user permissions and do not need to assign any admin permissions to VL users for them to see the volume licensing blade.
Volume licensing users must first register on the Volume Licensing Service Center (VLSC), where all roles and permissions for volume licensing functions is managed.
For more information about volume licensing in Microsoft 365 admin center, go to Frequently Asked Questions for the Volume Licensing Service Center or contact the Volume Licensing Service team.
(Video) OFFICE 365 ADMINISTRATION
Related content
Assign admin roles (article)
Azure AD roles in the Microsoft 365 admin center (article)
Activity reports in the Microsoft 365 admin center (article)
Exchange Online admin role (article)
Feedback
Submit and view feedback for
This product This page
FAQs
What are the commonly used Microsoft 365 Admin Center roles? ›
- Exchange admin. Assign the Exchange admin role to users who need to view and manage your user's email mailboxes, Microsoft 365 groups and Exchange Online. ...
- Global admin. ...
- Global reader. ...
- Helpdesk admin. ...
- Service admin. ...
- SharePoint admin. ...
- Teams service admin. ...
- User admin.
The Microsoft 365 admin center lets you manage Azure AD roles and Microsoft Intune roles.
Which administrator role has access to all administrative features in the Office 365 services? ›Global administrator
Accesses all administrative features in the Office 365 suite of services in your plan, including Skype for Business. By default, the person who signs up to buy Office 365 becomes a global admin. Global admins are the only admins who can assign other admin roles.
The job role of an administrator involves the following duties: Preparing, organising and storing information in paper and digital form. Dealing with queries on the phone and by email. Greeting visitors at reception. Managing diaries, scheduling meetings and booking rooms.
What is the role of user management admin? ›User Management Admin
View organizational units. Create and delete user accounts. * Rename users and change passwords.
Office 365 Administrator salary in India ranges between ₹ 2.8 Lakhs to ₹ 11.5 Lakhs with an average annual salary of ₹ 5.6 Lakhs. Salary estimates are based on 484 latest salaries received from Office 365 Administrators.
What is the difference between user administrator and global administrator? ›Global Administrator – manage access to all the administrative features in Azure AD. User Administrator – create and manage different types of users and groups in Azure.
What can Windows Admin Center be used for? ›Windows Admin Center gives you full control over all aspects of your server infrastructure and is particularly useful for managing servers on private networks that are not connected to the Internet. Windows Admin Center is the modern evolution of "in-box" management tools, like Server Manager and MMC.
How can you manage user accounts in Office 365? ›You can manage user accounts in the Microsoft 365 admin center, PowerShell, in Active Directory Domain Services (AD DS), or in the Azure Active Directory (Azure AD) admin portal. As soon as you purchase Microsoft 365, the Microsoft 365 admin center and PowerShell can be used to manage accounts.
What are admin roles and permissions? ›A role is a collection of permissions that administrators assign to users or user groups. A role consists of a name, a description, permissions, and a scope. Administrators can constrain the scope of a role by making permissions apply to assets of specific types, classifications, or owners.
What access does an administrator have? ›
An administrator is someone who can make changes on a computer that will affect other users of the computer. Administrators can change security settings, install software and hardware, access all files on the computer, and make changes to other user accounts.
What are the 5 roles of administrator? ›In order to effectively perform their responsibilities, administrators must fill the roles of leader, mentor, manager, decider, and builder. These five roles are interdependent and synergistic as they impact one another and gain in value as proficiency develops in one of the other roles.
What are the 4 types of administrator? ›- Network Administrators. Network administrators manage the entire network infrastructure of an organization. ...
- Database Administrators. ...
- Server/Web Administrators. ...
- Security Systems Administrators.
- Planning. Before starting a project, you must make a plan. ...
- Organizing. ...
- Managing resources. ...
- Directing. ...
- Controlling. ...
- Budgeting.
- Read the instructions on the Become the admin page and then choose Yes, I want to be the admin. ...
- Choose Verify and follow the steps to prove that you own or manage the domain name associated with the Office 365 service.
Microsoft 365 Global Admins, Power Platform Admins, or Dynamics 365 Admins will need a license added in order to be assigned Read-Write permission in the Access Mode. See Assign Microsoft 365 licenses to users.
Is office admin a good career? ›A career in office administration can provide many job opportunities across a variety of industries. Office administration is an essential aspect of business, ensuring organisation and effective management.
What are the two types of administrator? ›- Technical administrator.
- Business administrator.
- Administrators.
- Domain Admins.
- Schema Admins.
- Enterprise Admins.
If you require additional controls for user accounts with an administrator role, you must use separate accounts. By using separate accounts, you ensure that specific security policies can be scoped to only the administrator accounts.
What is the difference between Windows admin and system account? ›
An administrator account is similar to a standard account but with some additional privileges. These privileges allow you to manage system files or do anything without requiring confirmation. With an administrator account, you can also access all those files that other users own on the same computer.
What is System Center vs Admin Center? ›System Center lets you see the status of all the systems in your environment, while Windows Admin Center lets you drill down into a specific server to manage or troubleshoot it with more granular tools.
What is the difference between Windows local admin and system? ›The main difference between the Administrator and SYSTEM is that Administrator is an actual account (for example, it has a password) whereas SYSTEM is not. (Properly speaking, SYSTEM is a "security principal".)
What is Office 365 admin account? ›The Microsoft Office 365 Admin Center is the web-based portal administrators use to manage user accounts and configuration settings for the Office 365 subscription services, including Exchange Online and SharePoint Online.
Which Office 365 role has the highest permissions and can manage the roles of other user accounts? ›The global administrator role provides the highest level of permissions for the Office 365 account. The global administrator can access and manage all administrative features.
What is Microsoft 365 user Account Control? ›User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system.
What powers does an administrator have? ›to manage the company's affairs as set out in the Administrator's Proposals document. to act quickly and efficiently. to act with reasonable care and skill of an ordinary skilled and careful insolvency practitioner. to take reasonable care to obtain the best price obtainable for the company assets.
What is the difference between user account and admin account? ›Answer. Administrators have the highest level of access to an account. If you want to be one for an account, you can reach out to the Admin of the account. A general user will have limited access to the account as per the permissions given by the Admin.
Does administrative user have access to the database? ›The Administrator user account bypasses all access rights checks. Use this account only when necessary; for example, if no other users can log in, or if other users cannot access part of the database. Use the Administrator user account carefully: Be careful about who can access the account.
What do most Microsoft Office programs have this in common? ›Microsoft Office is a suite of programs that includes Word, Excel, PowerPoint, Access, Publisher, and OneNote. All of these programs share common features, such as the ribbon bar, command tabs, smart tags, screen tips, and help.
What can teams Admin Center be used for? ›
Using the Microsoft Teams admin center, you can create teams and policies, add or remove users, manage teams, view usage information, and export reports.
What are the three 3 main components applications of Microsoft Office? ›The three major Microsoft Office pieces include the word processor (Word), the spreadsheet (Excel) and the visual presentation tool (PowerPoint.)
What are 4 programs in Microsoft Office? ›- Excel.
- Microsoft Teams.
- Word.
- OneDrive.
- OneNote.
- Outlook.
- PowerPoint.
- Project.
It contains a word processor (Word), a spreadsheet program (Excel) and a presentation program (PowerPoint), an email client (Outlook), a database management system (Access), and a desktop publishing app (Publisher). Office is produced in several versions targeted towards different end-users and computing environments.
What is the difference between user admin and global admin? ›Global Administrator – manage access to all the administrative features in Azure AD. User Administrator – create and manage different types of users and groups in Azure.
Can Office 365 admin see my local files? ›For your last question about “Is it safe to use word, excel, and PowerPoint (only these three applications) for personal use using a company provided office 365 account”, as we mentioned above, if you just save files on the local, the other users and admin cannot see the files you saved on the local, it is safe.
What is the purpose of Windows Admin Center? ›Windows Admin Center gives you full control over all aspects of your server infrastructure and is particularly useful for managing servers on private networks that are not connected to the Internet. Windows Admin Center is the modern evolution of "in-box" management tools, like Server Manager and MMC.
What is the difference between Windows Admin Center and System Center? ›System Center lets you see the status of all the systems in your environment, while Windows Admin Center lets you drill down into a specific server to manage or troubleshoot it with more granular tools.
What is the benefit of Windows Admin Center? ›- Server management. They can manage servers and server roles, including Active Directory, Hyper-V and Storage Spaces Direct. ...
- Virtual machine management. ...
- Storage management. ...
- Performance monitoring. ...
- Event logging. ...
- Remote desktop. ...
- PowerShell management. ...
- Azure integration.