While assigning the right Microsoft 365 admin privileges can sometimes feel overwhelming, getting it wrong can have serious consequences. This article covers:

1. Global Administrator responsibilities
2. Billing Admin role
3. Exchange Administrator
4. SharePoint Admin responsibilities
5. Site Administrator role
6. Alternatives to custom roles in Microsoft 365

Let’s take a closer look at the Microsoft 365 admin roles.

Eight-time Microsoft MVP J. Peter Bruzzese details how third-party task management solutions can streamline and enhance Microsoft 365’s native admin center in this report.

Global Administrator responsibilities

The Global Administrator is the linchpin of the Microsoft 365 ecosystem. This role is automatically assigned to the person who sets up the Microsoft 365 tenant.

With nearly unlimited power, a Global Administrator can manage all aspects of the Microsoft 365 environment, including users, devices, resources, and licenses. This role has the authority to modify settings across all admin centers, create and manage users, assign other admin roles, reset passwords, and manage service requests, to name a few.

Despite the extensive powers, the Global Administrator has one notable limitation:  they cannot manage their own password. This inherent limitation is designed as a security measure to prevent potential misuse of the Global Administrator role.

Recommendations and alternatives for the Global Admin role

Oftentimes, companies fall into the trap of assigning the Global Administrator role too broadly, even giving it to 100 or more different employees. Given the extensive authority of the Global Administrator role, it is vital to use it judiciously.

1. Always assign a backup Global Admin to ensure continuous access to critical functionalities in case the primary Global Administrator is unavailable.
2. Consider assigning a Global Reader role when full Global Administrator powers aren't needed. The Global Reader role can view all settings and reports in the Microsoft 365 admin center but cannot edit any settings. This provides a balance between access and control.

Find and remove overprivileged admins to secure Microsoft 365 with the free Admin Permissions Reporting Tool for Microsoft 365.

Billing Administrator role

The Billing Administrator plays a crucial role in managing the financial aspects of the Microsoft 365 environment. Recognized as one of the top-tier admin roles by Microsoft Support, the Billing Administrator can open support tickets, make purchases, manage subscriptions and service requests, and monitor service health.

However, despite their financial responsibilities,Billing Administrators cannot fully see payment methods. Specifically, they cannot view anyone’s full credit card information. This limitation is a crucial security measure designed to protect sensitive financial information.

Alternatives for Billing Admins

Assigning the Billing Administrator role should be done carefully due to the financial implications. Consider assigning the Global Reader or a custom role to users instead to limit what a user can manage. This can be done via Azure Active Directory (AD). These roles provide adequate access for managing billing-related tasks without the potential risk associated with full billing admin privileges.

Need to identify all users with Microsoft admin roles? Get the free Admin Permissions Reporting Tool for Microsoft 365 to find and fix overprivileged admins.

Exchange Administrator

The Exchange Administrator role is pivotal to the smooth functioning of the Microsoft 365 ecosystem. Exchange is the backbone for Microsoft 365, SharePoint, Teams, and more. The Exchange Administrator has the power to access user mailboxes, manage Exchange Online settings, and perform tasks like setting up mail flow rules, managing malware filters, and configuring compliance features.

However, the power to access user mailboxes makes the Exchange Administrator role one that should not be assigned lightly. The potential for misuse of this access is a significant security concern.

Exchange Admin alternative

To mitigate potential security risks, consider assigning Exchange Admins the Service Support Administrator role. This role can see service health and release notifications, providing necessary oversight with out the extensive access that comes with the Exchange Administrator role.

Learn more about implementing a delegated administration strategy for Microsoft 365 here.

SharePoint Admin responsibilities

The SharePoint Administrator manages the SharePoint Online environment within the Microsoft 365 suite. They have access to the SharePoint Online (SPO) Admin center, all content, and the OneDrive Admin Center. Their responsibilities include creating and managing sites, managing site admins, managing sharing settings, managing Microsoft 365 groups, and managing site storage limits.

Global Administrators are also SharePoint Online administrators by default. While SharePoint Administrators can view user information, they cannot modify existing information. Only the Global Administrator has that capability, which is a built-in security measure to limit the potential misuse of admin privileges.

Recommended alternative to the SharePoint Admin role

Given the extensive access of the SharePoint Administrator role, organizations should carefully consider who needs full SharePoint Admin rights. One recommendation is to consider if a Teams Administrator role is sufficient for the user's needs.

Read how to manage SharePoint external sharing settings in the SharePoint Admin center here.

Site Administrator role

The Site Administrator, previously known as "Site Collection Owners", primarily manages sites within the Microsoft 365 environment. They have the power to manage permissions and restrict access where necessary, manage content types, site columns and templates for re-use in the sites, and update site structure based on content requirements.

Despite their control over sites, Site Administrators are limited in their access to the broader Microsoft 365 environment. They cannot access the Office 365 Admin portal and, thus, cannot see user information.

Grant least privileged access using the Site Admin role

The Site Administrator role can be a way to limit an admin’s powers. By providing them with the necessary access to manage sites without the broader access that comes with other admin roles, the Site Administrator role is a good example of how to implement the principle of least privilege, which is a key security best practice.

Additional Microsoft 365 Admin roles

There are at least 79 different Microsoft 365 admin roles available out of the box. These roles are typically grouped into broader categories (e.g. collaboration, devices, global, etc.). Here’s how Microsoft categorizes those roles: 

Collaboration roles

• Teams Service Administrator: Manages the Microsoft Teams service in Microsoft 365.
• SharePoint Administrator: Manages SharePoint Online service.
• Teams Communications Administrator: Manages calling and meetings features within Microsoft Teams.

Device roles

• Intune Administrator: Manages access to mobile devices, mobile applications, and PCs.
• Endpoint Security Manager: Manages security policy management features in Endpoint security.

Global roles

• Global Administrator: Has access to all administrative features.
• Global Reader: Has read-only access to all administrative features.

Identity roles

• Directory Writers: Can create and manage all aspects of groups.
• Identity Administrator: Manages identity-related features.
• Password Administrator: Manages password resets.

Read-only roles

• Report Reader: Has access to read-only activity reports.
• Security Reader: Has read-only access to all information in the Security & Compliance Center.

Security and Compliance roles

• Security Administrator: Manages security-related features.
• Compliance Administrator: Manages compliance-related features.
• Security Operator: Manages security incidents and alerts.

Other admin roles

• Power BI Administrator: Manages service settings within Power BI.
• Service Support Administrator: Opens support tickets and monitors service health.

Watch “A day in the life of a Microsoft 365admin:  it’s a labor of love” on-demand for more details on the different Microsoft 365 admin roles and their limitations.

Alternatives for granular role-based access control in Microsoft 365

Unfortunately, Microsoft 365 administrative tools can be simultaneously overly complicated and too blunt. While there are tools like custom roles, timed access, AD units and alerts available, setting those up can be difficult and time consuming.

Organizations that rely solely on the native tools can spend a lot of time figuring out which roles to assign to whom. That can result in some users having more power than they really need (which increases security risks) or employees without the proper access to do their jobs.

For example, if an employee with Exchange Admin privileges at a large financial institution decides to access the CEO’s email account and nothing stands in his way, the bank will be left to deal with the fallout of his actions. 

Or consider an organization with hundreds of departments and subsidiaries, each with a different vision of how they should operate. Those different perspectives can quickly complicate Microsoft 365 governance.

That is why so many organizations turn to Microsoft 365management platforms like CoreView to segment your users by location, business unit, department and more. With Coreview’s Virtual Tenants™, you can grant a specific set of admin permissions to administrators who will then only be able to view and manage that specific subset of users. Learn more about Virtual Tenants here.

Ciao!