Demystifying Microsoft 365 admin roles in Azure AD and the M365 admin center

As a rule of thumb (not to mention for improving your Secure Score), you should limit the number of people who hold the "global admin" role in your organization. Microsoft recommends fewer than five global admins. That makes it important to get to know the other roles available and assign the least permissive role (a phrase you'll see frequently if seeking certifications) rather than blanket roles that often include more permissions than are necessary (or secure).

Global admins can assign other admin roles, purchase additional products and subscriptions, reset all passwords (including each other's), and manage absolutely everything in your tenant. So of course you can see why we'd want to restrict how many people hold these capabilities at the same time.

You may end up assigning five different, non-global admin roles to a user instead of the single global admin role, but your security posture will be improved significantly: each of those roles can be reviewed and revoked on its own, and none of them can grant itself more.

There are a couple of places to assign admin roles: the Azure AD portal and the M365 admin center. My goal with this post is to consolidate and simplify information on the roles, including which are only available in Azure. I've combined information from:

Some of these roles can only be assigned from Azure AD; all the others are available in both the M365 admin center AND the Azure portal. If you can't find a role in the M365 admin center, check Roles and administrators in Azure AD before assuming it doesn't exist.

Note: Most role descriptions are copied directly from the resources listed above as of date of publish and are subject to change. Always check Microsoft documentation prior to making significant decisions. 

Available roles

Application administrator: Full access to enterprise applications, application registrations, and application proxy settings.

Application developer: Can create application registrations and consent to app access on their own behalf.

Authentication administrator: Can require users to re-register authentication for non-password credentials, like MFA.

Azure DevOps administrator: Can manage Azure DevOps organization policy and settings.

Azure Information Protection administrator: Manages labels for the Azure Information Protection policy, manages protection templates, and activates protection.

B2C user flow administrator: Can create and manage all aspects of user flows.

B2C user flow attribute administrator: Can create and manage the attribute schema available to all user flows.

B2C IEF keyset administrator: Can manage secrets for federation and encryption in the Identity Experience Framework.

B2C IEF policy administrator: Can create and manage trust framework policies in the Identity Experience Framework.

Billing administrator: Makes purchases, manages subscriptions, manages service requests, and monitors service health.

Cloud application administrator: Full access to enterprise applications and application registrations. No application proxy.

Compliance administrator: Manages regulatory requirements and eDiscovery cases, maintains data governance for locations, identities, and apps.

Conditional Access administrator: Manages Azure Active Directory Conditional Access settings, but not Exchange ActiveSync conditional access policy.

Customer Lockbox access approver: Manages Customer Lockbox requests, can turn Customer Lockbox on or off.

Desktop Analytics administrator: Can access and manage Desktop management tools and services.

Directory readers: Can read basic directory information. Commonly used to grant directory read access to applications and guests.

Directory synchronization accounts: Do not use. This role is automatically assigned to the Azure AD Connect service, and is not intended or supported for any other use.

Directory writers: This is a legacy role that is to be assigned to applications that do not support the Consent Framework. It should not be assigned to any users.

Dynamics 365 administrator: Full access to Microsoft Dynamics 365 Online, manages service requests, monitors service health.

Exchange administrator: Full access to Exchange Online, creates and manages groups, manages service requests, and monitors service health.

External Identity Provider administrator: Configures identity providers for use in direct federation.

Global administrator: Has unlimited access to all management features and most data in all admin centers.

Global reader: Has read-only access to all management features and most data in all admin centers.

Groups administrator: Creates groups and manages all groups settings across admin centers.

Guest inviter: Manages Azure Active Directory B2B guest user invitations.

Helpdesk administrator: Resets passwords and re-authenticates for all non-admins and some admin roles, manages service requests, and monitors service health.

Intune administrator: Full access to Intune, manages users and devices to associate policies, creates and manages groups.

Kaizala administrator: Full access to all Kaizala management features and data, manages service requests.

License administrator: Assigns and removes licenses from users and edits their usage location.

Message center privacy reader: Access to data privacy messages in Message center, gets email notifications.

Message center reader: Reads and shares regular messages in Message center, gets weekly email digests, has read-only access to users, groups, domains, and subscriptions.

Office apps administrator: Manages cloud-based policies for Office and the What's New content that users see in their Office apps.

Password administrator: Can reset passwords for non-administrators and Password administrators.

Power BI administrator: Full access to Power BI management tasks, manages service requests, and monitors service health.

Power Platform administrator: Full access to Microsoft Dynamics 365, Power Apps, data loss prevention policies, and Microsoft Flow.

Privileged authentication administrator: Allowed to view, set and reset authentication method information for any user (admin or non-admin).

Privileged role administrator: Manages role assignments and all access control features of Privileged Identity Management.

Reports reader: Reads usage reporting data from the reports dashboard, Power BI adoption content pack, sign-in reports, and Microsoft Graph reporting API.

Search administrator: Full access to Microsoft Search, assigns the Search admin and Search editor roles, manages editorial content, monitors service health, and creates service requests.

Search editor: Can only create, edit, and delete content for Microsoft Search, like bookmarks, Q&A, and locations.

Security administrator: Can read security information and reports, and manage configuration in Azure AD and Office 365.

Security reader: Can read security information and reports in Azure AD and Office 365.

Service support administrator: Creates service requests for Azure, Microsoft 365, and Office 365 services, and monitors service health.

SharePoint administrator: Full access to SharePoint Online, manages Office 365 groups, manages service requests, and monitors service health.

Skype for Business administrator: Full access to all Teams and Skype features, Skype user attributes, manages service requests, and monitors service health.

Teams administrator: Full access to the Teams & Skype admin center, manages Office 365 groups and service requests, and monitors service health.

Teams communications administrator: Can manage calling and meetings features within the Microsoft Teams service. Assigns telephone numbers, creates and manages voice and meeting policies, and reads call analytics.

Teams communications support engineer: Reads call record details for all call participants to troubleshoot communication issues.

Teams communications support specialist: Reads user call details only for a specific user to troubleshoot communication issues.

User (no admin role): The default role assigned to all users. No admin center access.

User administrator: Resets user passwords, creates and manages users and groups, including filters, manages service requests, and monitors service health.

Each role has a full entry, including the exact permissions it grants, in the Azure AD built-in roles reference on docs.microsoft.com.

A few of these are Global administrator in all but name and deserve the same scrutiny: Privileged role administrator can grant any role (including Global administrator) to anyone, Privileged authentication administrator can reset the credentials and MFA methods of Global administrators, and Application administrator or Cloud application administrator can add a credential to an enterprise application that already holds high privileges and then sign in as it. Count holders of those roles alongside your global admins.

Not finding a perfect fit? You can create CUSTOM admin roles in Azure AD if you have Azure AD Premium P1. A custom role is built from individual permissions and can be assigned either tenant-wide or scoped to a single app registration.
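As an added example (not from the original post), here is what a custom role looks like when created from PowerShell rather than the portal: a role that can only read app registrations and rotate their credentials, assigned to one account and scoped to a single app registration. It assumes the Microsoft Graph PowerShell SDK is installed, Azure AD Premium P1 is licensed, the permission action names are the ones from Microsoft's custom-role permission list, and the app name and user account are placeholders.

```powershell
# Added example, not code from the original post. Requires the Microsoft.Graph module
# and Azure AD Premium P1. The app name and UPN below are placeholders.
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'Application.Read.All', 'User.Read.All' -NoWelcome

# A custom role is a list of resource actions. Granting only read plus credentials/update
# lets the holder rotate secrets and certificates but not change redirect URIs, owners
# or API permissions, which is where an over-broad "app admin" role becomes dangerous.
$permissions = @{
    allowedResourceActions = @(
        'microsoft.directory/applications/standard/read',
        'microsoft.directory/applications/credentials/update'
    )
}

$roleDef = New-MgRoleManagementDirectoryRoleDefinition `
    -DisplayName 'App Credential Rotator' `
    -Description 'Can read app registrations and rotate their client secrets and certificates.' `
    -RolePermissions @($permissions) `
    -IsEnabled

# Scope the assignment to one app registration by using its object ID as the
# directoryScopeId ("/<object id>"). Use '/' instead for a tenant-wide assignment.
$app  = Get-MgApplication -Filter "displayName eq 'Payroll API'"      # placeholder app name
$user = Get-MgUser -UserId 'ops-rotator@contoso.com' -Property Id     # placeholder account
if (-not $app -or -not $user) { throw 'Placeholder app or user not found; adjust the names above.' }

New-MgRoleManagementDirectoryRoleAssignment `
    -RoleDefinitionId $roleDef.Id `
    -PrincipalId      $user.Id `
    -DirectoryScopeId "/$($app.Id)"

# The assignment now shows up in the user's "Assigned roles" blade with the app as its scope;
# the same account has no rights over any other app registration in the tenant.
```

Compare this with handing the same person Application administrator, which would let them add credentials to every application in the tenant, including any that already hold high Graph permissions.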

Assign admin roles (single or bulk) in M365 admin center

To assign admin roles to a user or multiple users via the M365 admin center:

  1. Go to the M365 admin center
  2. Select Active users from under Users
  3. Select the user(s) to whom you're assigning an admin role and select "Manage roles" from the menu
  4. Select the role(s) to assign to the selected user(s) and click Save

Assign admin roles in bulk in Azure AD

To assign the same role(s) to multiple users:

  1. Sign in to the Azure AD portal
  2. Select Roles and administrators from the left
  3. Select the role you want to assign
  4. Click Add assignments. Search for or find those you want to add and select each. When finished, click Add.

View/edit assigned roles in Azure AD for an individual

To review a single user’s current roles, or assign more, follow these steps:

  1. Sign in to the Azure AD portal
  2. Find and select the user for whom you want to review admin role(s)
  3. Select "Assigned roles"
  4. Here you'll see current assignments and can Add or remove assignments
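The same three procedures, plus the "fewer than five global admins" check from the top of the post, are easier to repeat and audit from PowerShell. The script below is an added example, not code from the original post; it uses the Microsoft Graph PowerShell SDK (assumed installed) and treats every user principal name as a placeholder.

```powershell
# Added example, not code from the original post. Requires the Microsoft.Graph module;
# the signed-in account needs to read and write directory role assignments. UPNs are placeholders.
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'User.Read.All' -NoWelcome

# Look up a built-in (or custom) role definition by its exact display name.
function Get-RoleDefinitionByName {
    param([Parameter(Mandatory)][string]$DisplayName)
    $def = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$DisplayName'"
    if (-not $def) { throw "No role definition named '$DisplayName'" }
    return $def
}

# Who holds a role, with the principal expanded so we can print a name.
# Caveats: this lists ACTIVE assignments only (PIM-eligible ones live under
# Get-MgRoleManagementDirectoryRoleEligibilitySchedule), and a role-assignable group
# appears as one principal that may hide several users.
function Get-RoleHolders {
    param([Parameter(Mandatory)][string]$RoleDisplayName)
    $role = Get-RoleDefinitionByName $RoleDisplayName
    Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'" -ExpandProperty Principal |
        Select-Object @{ n = 'Principal'; e = {
                $p = $_.Principal.AdditionalProperties
                if ($p['userPrincipalName']) { $p['userPrincipalName'] } else { $p['displayName'] }
            } }, DirectoryScopeId
}

# 1. The Secure Score check: Microsoft recommends fewer than five Global Administrators.
$gaHolders = @(Get-RoleHolders 'Global Administrator')
$gaHolders | Format-Table
if ($gaHolders.Count -ge 5) {
    Write-Warning "$($gaHolders.Count) Global Administrator assignments; Microsoft recommends fewer than 5."
}

# 2. Bulk-assign a narrower role (the "Add assignments" step in Azure AD), skipping users
#    who already hold it so the script is safe to re-run.
function Add-RoleToUsers {
    param(
        [Parameter(Mandatory)][string]$RoleDisplayName,
        [Parameter(Mandatory)][string[]]$UserPrincipalNames
    )
    $role = Get-RoleDefinitionByName $RoleDisplayName
    foreach ($upn in $UserPrincipalNames) {
        $user = Get-MgUser -UserId $upn -Property Id, UserPrincipalName
        $existing = Get-MgRoleManagementDirectoryRoleAssignment `
            -Filter "principalId eq '$($user.Id)' and roleDefinitionId eq '$($role.Id)'"
        if ($existing) { Write-Host "$upn already holds $RoleDisplayName"; continue }
        New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId $role.Id -PrincipalId $user.Id -DirectoryScopeId '/' | Out-Null
        Write-Host "Assigned $RoleDisplayName to $upn"
    }
}
# Helpdesk Administrator instead of Global Administrator for the service-desk staff.
Add-RoleToUsers -RoleDisplayName 'Helpdesk Administrator' -UserPrincipalNames 'alice@contoso.com', 'bob@contoso.com'

# 3. Review one user's direct assignments (the "Assigned roles" blade), with the assignment
#    IDs you need to remove one.
function Get-UserRoles {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $user = Get-MgUser -UserId $UserPrincipalName -Property Id
    Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($user.Id)'" -ExpandProperty RoleDefinition |
        Select-Object @{ n = 'Role'; e = { $_.RoleDefinition.DisplayName } }, DirectoryScopeId, Id
}
Get-UserRoles 'alice@contoso.com' | Format-Table
# To revoke one assignment:
#   Remove-MgRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId <Id from the list above>
```

Run section 1 on a schedule and alert on the warning; the portal shows the same list, but nobody looks at it every week. Section 3 is also the quickest way to confirm that a user you "demoted" from global admin did not keep an equivalent role such as Privileged role administrator.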
