As a rule of thumb (not to mention for improving your Secure Score), you should limit the number of people who have the “global admin” role in your organization. Microsoft recommends fewer than 5 global admins. That makes it important to get to know the other roles available and assign the least permissive role (a phrase you’ll see frequently if seeking certifications) rather than blanket roles that often include more permissions than what are necessary (or secure).
Global admins can assign other admin roles, purchase additional products and subscriptions, reset all (including each others’) passwords, and manage absolutely everything in your tenant. So of course you can see why we’d want to restrict how many are working with these capabilities simultaneously.
You may end up assigning five different, non-global admin roles to a user instead of the single global admin role, but your security will be improved significantly.
There are a couple places to assign admin roles: the Azure AD portal, and the M365 admin center. My goal with this post is to consolidate and simplify information on the roles, including which are only available in Azure. I’ve combined information from:
- Production tenant locations
Those marked with * are only available to assign from Azure AD. All others are in both the M365 admin center AND the Azure portal.
Note: Most role descriptions are copied directly from the resources listed above as of date of publish and are subject to change. Always check Microsoft documentation prior to making significant decisions.
Full access to enterprise applications, application registrations, and application proxy settings.
Create application registrations and consent to app access on their own behalf.
Can require users to re-register authentication for non-password credentials, like MFA.
Can manage Azure DevOps organization policy and settings.
Manages labels for the Azure Information Protection policy, manages protection templates, and activates protection.
Can create and manage all aspects of user flows.
Can create and manage the attribute schema available to all user flows.
Can manage secrets for federation and encryption in the Identity Experience Framework.
Can create and manage trust framework policies in the Identity Experience Framework.
Makes purchases, manages subscriptions, manages service requests, and monitors service health.
Full access to enterprise applications and application registrations. No application proxy.
Full access to manage devices in Azure AD.
Manages regulatory requirements and eDiscovery cases, maintains data governance for locations, identities, and apps.
Can create and manage compliance content.
Manages Azure Active Directory conditional access settings, but not Exchange ActiveSync conditional access policy.
Manages Customer Lockbox requests, can turn Customer Lockbox on or off.
Can access and manage Desktop management tools and services.
Can read basic directory information. Commonly used to grant directory read access to applications and guests.
Do not use. This role is automatically assigned to the Azure AD Connect service, and is not intended or supported for any other use.
Full access to Microsoft Dynamics 365 Online, manages service requests, monitors service health.
Full access to Exchange Online, creates and manages groups, manages service requests, and monitors service health.
Configure identity providers for use in direct federation.
Has unlimited access to all management features and most data in all admin centers.
Has read-only access to all management features and most data in all admin centers.
Creates groups and manages all groups settings across admin centers.
Manages Azure Active Directory B2B guest user invitations.
Resets passwords and re-authenticates for all non-admins and some admin roles, manages service requests, and monitors service health.
Full access to Intune, manages users and devices to associate policies, creates and manages groups.
Full access to all Kaizala management features and data, manages service requests.
Assigns and removes licenses from users and edits their usage location.
Access to data privacy messages in Message center, gets email notifications.
Reads and shares regular messages in Message center, gets weekly email digests, has read-only access to users, groups, domains, and subscriptions.
Manages cloud-based policies for Office and the What’s New content that users see in their Office apps.
Can reset passwords for non-administrators and Password administrators.
Full access to Power BI management tasks, manages service requests, and monitors service health.
Full access to Microsoft Dynamics 365, PowerApps, data loss prevention policies, and Microsoft Flow.
Allowed to view, set and reset authentication method information for any user (admin or non-admin).
Manages role assignments and all access control features of Privileged Identity Management.
Reads usage reporting data from the reports dashboard, PowerBI adoption content pack, sign-in reports, and Microsoft Graph reporting API.
Full access to Microsoft Search, assigns the Search admin and Search editor roles, manages editorial content, monitors service health, and creates service requests.
Can only create, edit, and delete content for Microsoft Search, like bookmarks, Q&A, and locations.
Can read security information and reports, and manage configuration in Azure AD and Office 365.
Can create and manage security events.
Can read security information and reports in Azure AD and Office 365.
Creates service requests for Azure, Microsoft 365, and Office 365 services, and monitors service health.
Full access to SharePoint Online, manages Office 365 groups, manages service requests, and monitors service health.
Full access to all Teams and Skype features, Skype user attributes, manages service requests, and monitors service health.
Full access to Teams & Skype admin center, manages Office 365 groups and service requests, and monitors service health.
Can manage calling and meetings features within the Microsoft Teams service. Assigns telephone numbers, creates and manages voice and meeting policies, and reads call analytics.
Reads call record details for all call participants to troubleshoot communication issues.
Reads user call details only for a specific user to troubleshoot communication issues.
The default role assigned to all users. No admin center access.
Assign admin roles (single or bulk) in M365 admin center
To assign admin roles to a user or multiple users via the M365 admin center:
- Go to the M365 admin center
- Select Active users from under Users
- Select the user(s) to whom you’re assigning an admin role and select “Manage roles” from the menu
- Select the role(s) to assign selected user(s) and click Save
Assign admin roles in bulk in Azure AD
To assign the same role(s) to multiple users:
- Sign in to Azure AD
- Select Roles and administrators from the left
- Select the role you want to assign
- Click Add assignments. Search for or find those you want to add and select each. When finished, click Add.
View/edit assigned roles in Azure AD for an individual
To review a single user’s current roles, or assign more, follow these steps:
- Sign in to Azure AD
- Find and select the user for whom you want to review admin role(s)
- Select “Assigned roles”
- Here you’ll see current assignments and can Add or remove assignments