While assigning the right Microsoft 365 admin privileges can sometimes feel overwhelming, getting it wrong can have serious consequences. This article covers:
Let’s take a closer look at the Microsoft 365 admin roles.
The Global Administrator is the linchpin of the Microsoft 365 ecosystem. This role is automatically assigned to the person who sets up the Microsoft 365 tenant.
With nearly unlimited power, a Global Administrator can manage all aspects of the Microsoft 365 environment, including users, devices, resources, and licenses. This role has the authority to modify settings across all admin centers, create and manage users, assign other admin roles, reset passwords, and manage service requests, to name a few.
Despite the extensive powers, the Global Administrator has one notable limitation: they cannot manage their own password. This inherent limitation is designed as a security measure to prevent potential misuse of the Global Administrator role.
Oftentimes, companies fall into the trap of assigning the Global Administrator role too broadly, even giving it to 100 or more different employees. Given the extensive authority of the Global Administrator role, it is vital to use it judiciously.
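One way to see how broadly the Global Administrator role (and every other directory role) has actually been assigned is to enumerate role members with Microsoft Graph PowerShell. This is an added example, not CoreView's tool or code from the article; it assumes the Microsoft.Graph module is installed and that the signed-in account can consent to the read-only scopes requested.

```powershell
# Added example: report who holds Microsoft 365 / Entra directory roles via Microsoft Graph PowerShell.
# Assumes the Microsoft.Graph module is installed and read-only consent is possible for these scopes.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All"

# Get-MgDirectoryRole lists only roles that are activated in the tenant, and only *active*
# assignments; PIM-eligible (just-in-time) assignments do not appear in this listing.
$assignments = foreach ($role in Get-MgDirectoryRole -All) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        $props = $member.AdditionalProperties
        [pscustomobject]@{
            Role      = $role.DisplayName
            # Users carry a UPN; groups and service principals only carry a displayName.
            Principal = if ($props.userPrincipalName) { $props.userPrincipalName } else { $props.displayName }
            Type      = ($props.'@odata.type' -replace '^#microsoft\.graph\.', '')
        }
    }
}

# Global Administrator is the role the article warns is handed out too broadly, so summarize it first.
$globalAdmins = $assignments | Where-Object Role -eq 'Global Administrator'
"Global Administrator holders: $($globalAdmins.Count)"
$globalAdmins | Sort-Object Principal | Format-Table Principal, Type -AutoSize

# Non-user principals (groups, service principals) holding Global Administrator widen the set of
# identities that effectively have the role, so list them separately for review.
$globalAdmins | Where-Object Type -ne 'user' | Format-Table Role, Principal, Type -AutoSize

# Per-role counts make the remaining roles reviewable at a glance.
$assignments | Group-Object Role | Sort-Object Count -Descending |
    Select-Object @{ n = 'Role'; e = { $_.Name } }, Count | Format-Table -AutoSize

# Keep a dated snapshot so role creep can be compared between reviews.
$assignments | Export-Csv -Path ".\m365-role-assignments-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Because the listing excludes PIM-eligible assignments, treat the counts as a floor and review eligible assignments separately if Privileged Identity Management is in use.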
The Billing Administrator plays a crucial role in managing the financial aspects of the Microsoft 365 environment. Recognized as one of the top-tier admin roles by Microsoft Support, the Billing Administrator can open support tickets, make purchases, manage subscriptions and service requests, and monitor service health.
However, despite their financial responsibilities, Billing Administrators cannot fully see payment methods. Specifically, they cannot view anyone’s full credit card information. This limitation is a crucial security measure designed to protect sensitive financial information.
Assigning the Billing Administrator role should be done carefully due to the financial implications. Consider assigning the Global Reader or a custom role to users instead to limit what a user can manage. This can be done via Azure Active Directory (AD). These roles provide adequate access for managing billing-related tasks without the potential risk associated with full billing admin privileges.
The Exchange Administrator role is pivotal to the smooth functioning of the Microsoft 365 ecosystem. Exchange is the backbone for Microsoft 365, SharePoint, Teams, and more. The Exchange Administrator has the power to access user mailboxes, manage Exchange Online settings, and perform tasks like setting up mail flow rules, managing malware filters, and configuring compliance features.
However, the power to access user mailboxes makes the Exchange Administrator role one that should not be assigned lightly. The potential for misuse of this access is a significant security concern.
To mitigate potential security risks, consider assigning Exchange Admins the Service Support Administrator role. This role can see service health and release notifications, providing necessary oversight without the extensive access that comes with the Exchange Administrator role.
The SharePoint Administrator manages the SharePoint Online environment within the Microsoft 365 suite. They have access to the SharePoint Online (SPO) Admin center, all content, and the OneDrive Admin Center. Their responsibilities include creating and managing sites, managing site admins, managing sharing settings, managing Microsoft 365 groups, and managing site storage limits.
Global Administrators are also SharePoint Online administrators by default. While SharePoint Administrators can view user information, they cannot modify existing information. Only the Global Administrator has that capability, which is a built-in security measure to limit the potential misuse of admin privileges.
Given the extensive access of the SharePoint Administrator role, organizations should carefully consider who needs full SharePoint Admin rights. One recommendation is to consider if a Teams Administrator role is sufficient for the user's needs.
The Site Administrator, previously known as "Site Collection Owners", primarily manages sites within the Microsoft 365 environment. They have the power to manage permissions and restrict access where necessary, manage content types, site columns and templates for re-use in the sites, and update site structure based on content requirements.
Despite their control over sites, Site Administrators are limited in their access to the broader Microsoft 365 environment. They cannot access the Office 365 Admin portal and, thus, cannot see user information.
The Site Administrator role can be a way to limit an admin’s powers. By providing them with the necessary access to manage sites without the broader access that comes with other admin roles, the Site Administrator role is a good example of how to implement the principle of least privilege, which is a key security best practice.
There are at least 79 different Microsoft 365 admin roles available out of the box. These roles are typically grouped into broader categories (e.g. collaboration, devices, global, etc.). Here’s how Microsoft categorizes those roles:
Collaboration roles
Device roles
Global roles
Identity roles
Read-only roles
Security and Compliance roles
Other admin roles
Unfortunately, Microsoft 365 administrative tools can be simultaneously overly complicated and too blunt. While there are tools like custom roles, timed access, AD units and alerts available, setting those up can be difficult and time consuming.
Organizations that rely solely on the native tools can spend a lot of time figuring out which roles to assign to whom. That can result in some users having more power than they really need (which increases security risks) or employees without the proper access to do their jobs.
For example, if an employee with Exchange Admin privileges at a large financial institution decides to access the CEO’s email account and nothing stands in his way, the bank will be left to deal with the fallout of his actions.
That is why organizations turn to CoreView for custom role creation in Entra. With CoreView, you can:
See how CoreView’s custom role creation capabilities work.
Ciao!