If you're just setting up your Office 365 or Microsoft 365 subscription, one of the steps towards completion will be to assign admin roles. Admin roles gives the people in your organization permissions to handle certain tasks in the admin center and control elements of your subscription.
Along with yourself, Microsoft recommends for you to set at least 2 to 4 global admins. There are also other roles too, including Helpdesk admin, Office Apps admin, and more. In our latest Microsoft 365/Office 365 guide, we'll take a look a some of these roles, and explain what they mean for you.
Some notes on roles
Before getting into anything, we just want to mention a couple of notes. Admins in Microsoft 365 and Office 365 have access to sensitive data, so it's recommended that you follow some guidelines to keep your data secure. Of note is the fact that you should only have 2 to 4 global admins.
According to Microsoft, this is because only another global admin can reset a global admin's password, so having more than one will avoid account lockout. It's also worth noting that since the global admin has access to all of the settings for Office 365, you should not have more than 4 to keep your account safe. Other tips can be seen below.
- Always assign the least permissive role: You'll want to do this when you want to give admins the access to stuff they only need to get the job done. An example is giving someone a limited admin role instead of a global admin role if they need to access passwords for users.
- Require multi-factor authentication for admins: To keep an account of a user who has admin privileges out of the wrong hands, you should use multi-factor authentication on their accounts. This verifies their identity, which is especially important because some admins will have access to sensitive data.
To change roles in Office 365 and Microsoft 365 you'll have to visit the Microsoft 365 admin center. Once you are there, you can click Roles in the sidebar. This will show you a list of roles, and a brief explanation of what each one does. You can edit the roles by clicking the downward-facing dots and then choosing Assign admins and then clicking the Add button followed by the user's name.
The most commonly assigned roles
The list of roles in the Microsoft 365 admin center is quite long, but we will be discussing the most common ones first. These include Global, Exchange, Groups, and Helpdesk. In the admin center, you'll see these as show suggested roles.
The Global admin is for the person you want to give the most privileges. Anyone with this role will have access to management features and data across Microsoft 365. They also have access to reset passwords for all users and add and manage domains. The person who signed up for Microsoft services automatically becomes a Global admin.
Next up, there's the Exchange admin. This role can be assigned to users who need to view and manage users' email mailboxes, Office 365 groups, or Exchange Online. If you want to have a user help someone recover deleted items in a mailbox, or set up "Send As" or "Send on behalf" delegates, this is the role for them.
Third, there's the Groups admin. This role lets a person manage all group settings across Microsoft 365. They'll be able to create, edit, delete, and restore Office 365 groups. They also can create and update group creation, expiration, and naming policies.
Also on the list is the Helpdesk admin. This role will allow a person to help users reset passwords, force users to sign out, manage service requests, or monitor service health. Just keep in mind that the Helpdesk admin can only help non-admin users and users assigned as Directory reader, Guest inviter, Helpdesk admin, Message center reader, or Reports reader.
Some of the other roles can be seen below. These include Office Apps, Service, SharePoint, Teams service, and User. We've included a summary of these below.
- Office Apps admin: Best assigned for users who need to use the Office Cloud Policy service, Create or Manage Office service requests, manage what's new content in Office or manage service health.
- Service admin: Best assigned as an additional role to admins or users whose role involves opening and managing service requests, or view and share message center posts.
- SharePoint admin: Best assigned to users who need to access and manage the SharePoint Online admin center, create and delete sites or manage site collections and global SharePoint settings.
- Teams service admin: Best assigned for users who need to access and manage the Teams admin center. Users with the privilege can manage meetings, manage conference bridges, manage all org-wide settings, including federation, teams upgrade, and teams client settings.
- User admin: The user admin role is for users who need to assign licenses, add users and groups, manage user properties, create and manage user views, update password expiration values, or manage service requests.
Again, these are the most common admin roles. These cover most of the day-to-day operations in Microsoft 365. Our next section takes a look at some of the other roles you might come across.
When looking through the Microsoft 365 admin center, you can click the Show all roles button to show additional roles. You also can use a search bar at the top to find a more specific role, if needed. There is even a filter option to help you separate out the roles between collaboration, devices, global, identity, or security. This is where you might find some of the other roles which we discuss below.
- Application admin: A user with this role will have full access to enterprise applications, application registrations, and application proxy settings.
- Authentication admin: Can require users to re-register authentication for non-password credentials
- Billing admin: A user that can make purchases, manages subscriptions, manages service requests, and monitors service health.
- License admin: Allows users to Assigns and removes licenses from users and edits their usage location.
- Security admin: Gives users the option to control the organization's security. The user can also manage security policies, review security analytics and reports and monitor the threat landscape.
Again, the roles we've discussed here are not ALL the roles you can assign in Microsoft 365 or Office 365. These are just some of the most commonly assigned roles. You can check the full list here at Microsoft, under the All Roles section for more information.
One step in setting up your subscription
Setting up admin roles in Microsoft 365/Office 365 is just one step in setting up your subscription. There are still many other things you can do on the road ahead. Setting up Outlook, Teams are just some other steps you can take. We'll be diving deeper into that later, so be sure to keep tuned to OnMSFT for all your Microsoft 365 news and information.