Microsoft 365 admin roles define service-level permissions inside workloads such as Exchange, SharePoint, Teams, and Microsoft Purview, alongside Microsoft Entra ID directory roles that govern identity and tenant-wide administration.
Microsoft 365 admin roles are permission sets that determine what an administrator can see, change, delegate, or audit across the tenant. The important distinction is scope. A role may apply across the whole directory, only inside one Microsoft 365 service, or only to a defined administrative boundary such as an administrative unit.
Updated for 2026: Microsoft now uses the name Microsoft Entra ID for the identity service many administrators still refer to as Azure Active Directory or Azure AD. Older documentation, scripts, and internal runbooks may still use the Azure AD name, but role planning should use the current Microsoft Entra terminology to avoid confusion during audits and handovers.
Administrative access in Microsoft 365 is powerful because identity, collaboration, messaging, endpoint management, security operations, and compliance controls are closely connected. A user with the wrong standing role may be able to reset passwords, change sharing settings, alter retention policies, or grant further access without enough oversight.
The most reliable way to think about admin access is as a three-layer model. Microsoft Entra ID directory roles govern identity and directory-wide settings. Microsoft 365 workload admin roles govern service administration in products such as Exchange Online, SharePoint, Teams, Microsoft Defender, and Microsoft Purview. Application-scoped roles and role groups then provide more specific permissions inside some workloads, especially in security and compliance tools.
This layered model prevents a common mistake: assigning a tenant-wide role because a person needs to perform a service-specific task. For example, a SharePoint service owner who manages external sharing does not automatically need Global Administrator rights. An auditor who needs visibility across configuration may be better served with Global Reader than with an active administrator role. A compliance lead who runs content searches may need Microsoft Purview role group membership rather than broad identity administration.
Microsoft Entra ID roles sit closest to identity. Global Administrator, Privileged Role Administrator, User Administrator, Groups Administrator, Authentication Administrator, and Global Reader are examples of directory roles. These roles affect tenant-level identity operations such as managing users, resetting passwords, configuring authentication methods, viewing directory settings, and assigning other roles.
Workload admin roles sit closer to the service. Exchange Administrator, SharePoint Administrator, Teams Administrator, Intune Administrator, Security Administrator, and Compliance Administrator are examples. They are used when someone owns a service configuration area and does not need full directory control.
App-scoped roles and role groups are more granular. Microsoft Purview uses role groups for activities such as eDiscovery, retention management, communication compliance, and audit. Exchange has role-based access controls for messaging administration. Microsoft Defender and Intune also have their own permission models. In practice, larger tenants often combine these models, which is why role documentation must state both the assigned role and the administrative task it supports.
A useful decision rule is simple: use tenant-wide Microsoft Entra ID roles for identity and directory settings, use workload roles for service configuration, and use the narrowest supported app role when the task belongs inside a specific admin portal. Privileged Identity Management should be used for elevation where available, rather than leaving powerful roles permanently active.
The following table summarises common roles by practical use. It is not a substitute for the authoritative permissions lists in Microsoft Learn, because Microsoft updates role definitions over time, but it gives administrators a working model for everyday delegation.
| Role | Primary scope | Typical tasks | Risky permissions to understand | Least-privilege guidance |
|---|---|---|---|---|
| Global Administrator | Tenant-wide directory and services | Tenant setup, emergency recovery, high-level configuration, role assignment | Can change critical settings and grant broad access | Keep standing use extremely limited; protect with MFA, monitoring, and Privileged Identity Management where possible |
| Privileged Role Administrator | Role management in Microsoft Entra ID | Assigning and managing directory roles | Can elevate others into powerful roles | Restrict to identity governance owners and monitor role assignment activity |
| User Administrator | Users and some groups | Creating users, restoring deleted users, resetting passwords for permitted accounts | Password reset rights can affect account takeover risk | Use for helpdesk and identity operations teams rather than Global Administrator |
| Global Reader | Read-only tenant visibility | Audit support, configuration review, security assessment preparation | May expose sensitive configuration information | Prefer for auditors and reviewers who do not need to change settings |
| Exchange Administrator | Exchange Online | Mailbox settings, transport rules, mail flow, shared mailboxes | Mail flow changes can affect business communication and data exposure | Use for messaging service owners; avoid adding directory-wide roles unless required |
| SharePoint Administrator | SharePoint and OneDrive | Site settings, external sharing, storage, OneDrive administration | External sharing changes can expose documents outside the organisation | Combine with clear sharing policies and periodic review of tenant-level settings |
| Teams Administrator | Microsoft Teams | Teams policies, meetings, messaging, app settings | Policy changes can affect communication controls and app access | Use for collaboration owners without granting broader identity control |
| Security Administrator | Security portals and controls | Security configuration, alerts, security policies depending on service licensing | May alter controls that affect detection and response | Separate from routine user administration where possible |
| Compliance Administrator or Purview role groups | Microsoft Purview | Retention, eDiscovery, audit, compliance workflows | Can access sensitive compliance data depending on role group membership | Assign task-specific Purview role groups for eDiscovery and retention rather than broad tenant roles |
Scope defines where a role applies. Some roles apply across the whole tenant. Others apply inside a workload. Microsoft Entra administrative units can narrow some directory role assignments to a subset of users, groups, or devices, which is useful for regional IT teams, subsidiaries, schools, departments, and business units that need autonomy without full tenant-wide authority.
For example, a regional helpdesk may need to reset passwords only for users in its country or business unit. Assigning User Administrator across the tenant would give that team unnecessary reach. Assigning the role scoped to an administrative unit can reduce blast radius while still allowing the team to work independently.
Group-based role assignment can also simplify operations where supported. Rather than assigning a role to many individual administrators, an identity team can assign the role to a controlled group and manage membership through an approval process. This is easier to review, easier to remove during role changes, and less likely to leave forgotten access behind after reorganisations.
In practice, administrative units and group-based role assignment are most valuable when they are backed by naming standards and ownership. A role group named for a function, region, and environment is easier to review than a generic admin group. Production and test roles should remain separate, because mixing them makes it harder to prove who can affect live services.
Role assignments can be made through the Microsoft 365 admin center, the Microsoft Entra admin center, and workload-specific portals such as Exchange admin center, Teams admin center, SharePoint admin center, Microsoft Intune admin center, and Microsoft Purview. The right portal depends on the type of role being assigned.
The Microsoft 365 admin center is often the starting point for common admin roles, users, groups, billing, service health, and basic tenant administration. A practical navigation guide to the admin center can help teams standardise how administrators find the right settings, but the permission model should still be documented separately from the user interface, because Microsoft can reorganise portals without changing the underlying governance requirement.
When documenting role assignment in an internal runbook, screenshots are useful if they are treated as evidence aids rather than the source of truth. A screenshot of the role assignment page should show the selected role, assignment type, scope, and approval note, with user names, email addresses, tenant identifiers, and recovery accounts redacted. A second screenshot of a Privileged Identity Management activation should show the activation duration, justification field, and approval status. Screenshots that expose real administrators or tenant details should not be reused in training material.
Least privilege means granting the minimum access needed for a defined operational task, for the shortest reasonable time, with enough logging to reconstruct what happened. In Microsoft 365, this usually means limiting standing Global Administrator access, using Global Reader for review-only duties, assigning workload roles for service owners, and using Privileged Identity Management for time-bound elevation.
Break-glass accounts still matter. A tenant should maintain at least two emergency access accounts that are protected, monitored, and excluded from policies that could accidentally lock out every administrator. These accounts should not be used for routine administration. Their purpose is resilience during identity outages, conditional access misconfiguration, MFA disruption, or an incident that affects normal privileged accounts.
Privileged Identity Management adds a governance layer for eligible roles. Administrators can activate a role when needed, provide a justification, meet MFA and approval requirements where configured, and return to a lower-privilege state after the activation window ends. This reduces the exposure created by standing administrative rights and creates a stronger audit trail for sensitive work.
Access reviews complete the loop. Large tenants should review privileged role assignments on a regular cadence, with quarterly reviews a practical baseline for many organisations. Reviewers should confirm that each administrator still needs the role, that production and test access remain separate, that workload administrators do not hold unnecessary directory-wide roles, and that former project access has been removed after migrations or organisational changes.
Role design becomes clearer when it is mapped to day-to-day operations. Restoring a deleted user usually belongs with a User Administrator or another identity operations role, depending on the account type and scope. Resetting passwords for standard users should not require Global Administrator access unless the organisation has designed its support model poorly.
External sharing configuration belongs primarily with SharePoint administration because SharePoint and OneDrive govern much of the file-sharing experience across Microsoft 365. A collaboration owner may also need to coordinate with Teams administration, because Teams uses SharePoint for files, but the sharing control itself is often rooted in SharePoint and OneDrive settings.
Risky sign-in investigation belongs closer to security and identity roles. Security Reader may be enough for some monitoring duties, while Security Administrator or identity-specific privileges may be required for remediation. The important point is to separate investigation, remediation, and role assignment duties where the organisation is large enough to support that separation.
Content search, eDiscovery, retention labels, retention policies, audit, and many compliance workflows belong in Microsoft Purview. These permissions should be planned carefully because they may expose sensitive mailbox, file, or investigation data. Compliance teams often need Microsoft Purview role group membership rather than broad Microsoft 365 tenant administration. Readers who need role depth in this area should use Microsoft Learn guidance for Purview permissions rather than assuming that a general admin role is the right fit.
The Unified Audit Log is an important source for reviewing administrative activity across Microsoft 365 workloads. It can help show who assigned a role, changed a policy, updated sharing settings, performed eDiscovery actions, or modified security configuration. Audit data is most useful when the organisation knows which activities it expects to review and who is responsible for reviewing them.
Role assignment changes deserve particular attention. Adding a Global Administrator, Privileged Role Administrator, Compliance Administrator, or powerful workload role should be visible to the identity and security teams. Where possible, alerts should be configured for high-risk role assignments, emergency account use, and changes to privileged access governance settings.
Post-migration reviews are often overlooked. After mergers, tenant consolidations, mail migrations, endpoint projects, or security tooling rollouts, temporary admin roles may remain in place longer than intended. A role review after major projects is one of the simplest ways to remove unnecessary access before it becomes normalised.
The first mistake is treating every admin role as interchangeable. A person who can manage mailboxes, retention settings, or Teams policies may still have no legitimate reason to reset privileged user passwords or assign directory roles. Conflating workload administration with identity administration is one of the fastest paths to over-privileged accounts.
The second mistake is leaving powerful roles permanently assigned because it is convenient. Standing Global Administrator access increases the impact of phishing, token theft, endpoint compromise, and human error. Even when a small IT team needs broad capability, Privileged Identity Management, separate emergency accounts, and careful monitoring provide a stronger operating model than routine daily use of the most powerful role.
The third mistake is failing to document why access exists. A role assignment without an owner, purpose, expiry expectation, or review date is difficult to defend during an audit and difficult to remove during an incident. Administrative access should be tied to a job function, not merely to a person’s seniority or historical involvement in a project.
Role governance is partly a security discipline and partly an operational skill. Administrators need to understand identity, workload boundaries, conditional access, audit logging, and service-specific admin portals well enough to choose the narrowest effective role. Teams that are formalising this knowledge can use structured Microsoft learning alongside internal runbooks, especially where endpoint, identity, and Microsoft 365 administration overlap.
For hands-on development, Readynez includes Microsoft training options such as the Microsoft 365 Endpoint Administrator MD-102 course, broader Microsoft training courses, unlimited Microsoft training, and a contact route for organisations planning a role-based skills programme.
Administrators should use Microsoft Learn as the authoritative source for exact role permissions and current product behaviour. Relevant Microsoft Learn areas include Microsoft Entra ID built-in roles, Microsoft 365 admin roles, Privileged Identity Management, administrative units, Microsoft Purview permissions, Exchange role-based access control, and the Unified Audit Log.
Internal documentation should record the organisation’s own decisions on top of those references. That documentation should explain which roles are approved for each function, which roles require Privileged Identity Management, which roles can be scoped to administrative units, who approves role changes, and how emergency access accounts are monitored.
Global Administrator is a tenant-wide role with broad control across Microsoft 365 and Microsoft Entra ID. A workload administrator, such as Exchange Administrator or SharePoint Administrator, manages a specific service area and is usually the safer choice when the person does not need directory-wide control.
Auditors and reviewers usually need visibility rather than change permissions. Global Reader or workload-specific reader roles are often more appropriate than active administrator roles, depending on what the audit requires.
Some Microsoft Entra ID roles can be scoped through administrative units, allowing an administrator to manage only a defined set of users, groups, or devices. This is useful for regional helpdesks, departments, subsidiaries, and delegated support teams.
eDiscovery and retention are usually handled through Microsoft Purview permissions and role groups. A general Microsoft 365 administrator role should not be assumed to be the correct assignment for compliance work.
A quarterly access review is a practical baseline for many larger tenants, with additional reviews after migrations, reorganisations, incidents, and major projects. The review should confirm that each role still has a valid owner, purpose, and scope.
Microsoft 365 administration works best when role assignments reflect real responsibilities. Identity administrators should manage identity, workload owners should manage their services, compliance teams should use Purview permissions for compliance workflows, and auditors should receive read-only access unless a change task is clearly required.
The key takeaway is that admin access should be designed, not accumulated. A safer model uses narrow roles, administrative units where they fit, Privileged Identity Management for elevation, emergency accounts for resilience, and regular reviews to remove access that no longer belongs.
Get Unlimited access to ALL the LIVE Instructor-led Microsoft courses you want - all for the price of less than one course.
You're viewing our global site from United States
Would you like to view the site in
English
with prices in
Dollar?