

About administrator roles in the Microsoft 365 admin center

Check out Microsoft 365 small business help on YouTube.

Your Microsoft 365 or Office 365 subscription comes with a set of administrator roles that you can assign to users in your organization in the Microsoft 365 admin center. Each administrator role maps to common business functions and gives people in your organization permissions to do specific tasks in the admin centers.

Important

Microsoft recommends that you use roles with the fewest permissions, and that you limit the number of users who have administrative permissions.

Watch: What is an admin?

Check out this video and others on our YouTube channel.

  1. Go to the Microsoft 365 admin center and sign in. If you can access the Microsoft 365 admin center, you're an administrator, and you can proceed to the next step.

  2. In the left navigation pane, select Users > Active users.

  3. Select the user account for the person who you want to make an administrator. The user's details appear in the right dialog box.

Before you begin

The Microsoft 365 admin center lets you manage Microsoft Entra roles and Microsoft Intune roles. However, these roles are a subset of the roles available in the Microsoft Entra admin center and the Microsoft Intune admin center.

For more information on assigning roles in the Microsoft 365 admin center, see Assign admin roles.

Security guidelines for assigning roles

Because administrators have access to sensitive data and files, we recommend that you follow these guidelines to keep your organization's data more secure.

| Recommendation | Why it's important |
| --- | --- |
| Have as few global administrators as possible | Global Administrators have almost unlimited access to your organization's settings and most of its data. We recommend you limit the number of Global Administrators as much as possible. A Global Administrator could inadvertently lock their account and require a password reset. Either another Global Administrator or a Privileged Authentication Administrator can reset a Global Administrator's password. Therefore, we recommend you have at least a Privileged Authentication administrator in the event a Global Administrator is locked out of their account. |
| Assign the least permissive role | Assigning the least permissive role means giving administrators only the access they need to get the job done. For example, if you want someone to reset user passwords you shouldn't assign the unlimited global administrator role; instead, you should assign a limited administrator role, like Password Administrator or Helpdesk Administrator. |
| Require multifactor authentication (MFA) for administrators | It's a good idea to require MFA for all of your users, especially administrators. MFA makes users use a second method of identification to verify their identity. Administrators can have access to user data, such as their name, email address, location, and so on. If you require MFA, even if the administrator's password gets compromised, the password alone isn't sufficient to sign in without an additional method of identification. When you turn on MFA, the next time the user signs in, they'll need to provide an alternate email address and phone number for account recovery. Set up multifactor authentication |
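
One way to check a list of role assignments against the guidelines above, as an added example that is not Microsoft's code. The input layout, the sample accounts, the finding codes, and the `max_global_admins` threshold are assumptions made for illustration; the page itself gives no numeric limit.

```python
from collections import defaultdict

GLOBAL_ADMIN = "Global Administrator"
PRIV_AUTH_ADMIN = "Privileged Authentication Administrator"

# Constructed sample: (user, role) pairs and per-user MFA status, as they
# might be collected from Role assignments. All names are made up.
SAMPLE_ASSIGNMENTS = [
    ("alex@contoso.example", GLOBAL_ADMIN),
    ("alex@contoso.example", PRIV_AUTH_ADMIN),
    ("dana@contoso.example", "Helpdesk Administrator"),
    ("lee@contoso.example", "Billing Administrator"),
]
SAMPLE_MFA = {"alex@contoso.example": True, "dana@contoso.example": False,
              "lee@contoso.example": True}


def audit_admin_roles(assignments, mfa_enabled, max_global_admins=2):
    """Return (code, user, detail) findings for the guidelines above.

    max_global_admins is an assumed local policy value: the page only says
    to have as few Global Administrators as possible.
    """
    holders = defaultdict(set)  # role name -> users holding it
    for user, role in assignments:
        holders[role].add(user)
    admins = set().union(*holders.values())
    global_admins = set(holders[GLOBAL_ADMIN])
    findings = []

    if len(global_admins) > max_global_admins:
        findings.append(("TOO_MANY_GLOBAL_ADMINS", None,
                         f"{len(global_admins)} assigned, limit {max_global_admins}"))

    # A locked-out Global Administrator can only be reset by a *different*
    # account holding Global Administrator or Privileged Authentication
    # Administrator, so the same person holding both roles does not count.
    rescuers = global_admins | holders[PRIV_AUTH_ADMIN]
    for user in sorted(global_admins):
        if not rescuers - {user}:
            findings.append(("NO_RESET_PATH", user,
                             "no other account can reset this password"))

    # Every account with any admin role should have MFA; unknown counts as off.
    for user in sorted(admins):
        if not mfa_enabled.get(user, False):
            findings.append(("ADMIN_WITHOUT_MFA", user, "MFA not enabled"))
    return findings


if __name__ == "__main__":
    for code, user, detail in audit_admin_roles(SAMPLE_ASSIGNMENTS, SAMPLE_MFA):
        print(f"{code:24} {user or '-':24} {detail}")
```

On the constructed sample, the single Global Administrator who also holds Privileged Authentication Administrator is reported as having no reset path, because no second account could recover it after a lockout.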

If you get a message in the Microsoft 365 admin center that you don't have permissions to edit a setting or page, it's because you're assigned to a role that doesn't have that permission. In this case, take one or more of the following actions:

Commonly used Microsoft 365 admin center roles

To view administrator roles, follow these steps:

  1. In the Microsoft 365 admin center, go to Role assignments.

  2. Select any role to open its detail pane.

  3. Select the Permissions tab to view the detailed list of what administrators assigned that role have permissions to do.

  4. Select the Assigned or Assigned admins tab to add users to roles.

    To view the full list of roles, go to the bottom of the list and select Show all by Category. For detailed information, including the cmdlets associated with a role, see Microsoft Entra built-in roles.

Administrator roles and who should be assigned

The following table lists administrator roles and information about who should be assigned these roles.

Administrator role Who should be assigned this role?
AI administrator Assign the AI Administrator role to users who need to do the following tasks:
• Allow users to install an app or install an app for users in the organization if the app doesn't require permission
• Read and configure Azure and Microsoft 365 service health dashboards
• View usage reports, adoption insights, and organizational insight
• Create and manage support tickets in Azure and the Microsoft 365 admin center

Note: The AI Administrator role is currently limited. For full administrative capabilities, we recommend using the Global Administrator role until the AI Administrator role is fully functional. We're continuously expanding support for more functionalities to enhance the AI Administrator role.
Billing administrator Assign the Billing administrator role to users who make purchases, manage subscriptions and service requests, and monitor service health. Billing administrators can't assign licenses. If a Billing administrator is also a License or User administrator, visit Licenses to assign licenses.

Billing administrators also can:
• Manage all aspects of billing
• Create and manage support tickets in the Azure portal

Exchange admin Assign the Exchange admin role to users who need to view and manage your users' email mailboxes, Microsoft 365 Groups, and Exchange Online.

Exchange administrators can also:
• Recover deleted items in a user's mailbox
• Set up "Send As" and "Send on behalf" delegates
Fabric admin Assign the Fabric admin role to users who need to do the following tasks:
• Manage all admin features for Microsoft Fabric and Power BI
• Report on usage and performance
• Review and manage auditing
Global admin Giving too many users global access is a security risk and we recommend that you have as few global administrators as possible.

Only global administrators can:
• Reset passwords for all users
• Add and manage domains
• Unblock another global admin

The person who signed up for Microsoft online services automatically becomes a Global admin. Additionally, only Global administrators can view and manage subscriptions purchased through a Partner.
Global reader Assign the global reader role to users who need to view administrator features and settings in admin centers that the global administrator can view. The global reader can't edit any settings.

For subscriptions purchased through a partner, global reader role isn't available.
Graph data connect administrator Assign the Graph data connect admin role to users who need to do the following tasks:
• Access the full set of administrative capabilities of Microsoft Graph Data Connect
• Manage Microsoft Graph Data Connect settings in a tenant
• Enable or disable the Microsoft Graph Data Connect service
• Configure dataset workload selections in Microsoft Graph Data Connect
• Configure cross-tenant data movement settings in Microsoft Graph Data Connect
• View, approve, or deny application authorization requests for Microsoft Graph Data Connect
• View, create, update, or delete application registrations for Microsoft Graph Data Connect
Groups administrator Assign the groups admin role to users who need to manage all groups settings across admin centers, including the Microsoft 365 admin center and Microsoft Entra admin center.

Groups administrators can:
• Create, edit, delete, and restore Microsoft 365 groups
• Create and update group creation, expiration, and naming policies
• Create, edit, delete, and restore Microsoft Entra security groups
Helpdesk administrator Assign the Helpdesk admin role to users who need to do the following:
• Reset passwords
• Force users to sign out
• Manage service requests
• Monitor service health

The Helpdesk admin can only help users who aren't administrator users and users who are assigned these roles: Directory reader, Guest inviter, Helpdesk admin, Message center reader, and Reports reader.
License administrator Assign the License admin role to users who need to assign and remove licenses from users and edit their usage location.

License administrators also can:
• Reprocess license assignments for group-based licensing
• Assign product licenses to groups for group-based licensing
Message center privacy reader Assign the Message center privacy reader role to users who need to read privacy and security messages and updates in the Microsoft 365 Message center. Message center privacy readers might get email notifications related to data privacy, depending on their preferences, and they can unsubscribe using Message center preferences. Only global administrators and Message center privacy readers can read data privacy messages. This role has no permission to view, create, or manage service requests.

Message center privacy readers can also:
• Monitor all notifications in the Message Center, including data privacy messages
• View groups, domains, and subscriptions
Message center reader Assign the Message center reader role to users who need to do the following tasks:
• Monitor message center notifications
• Get weekly email digests of message center posts and updates
• Share message center posts
• Have read-only access to Microsoft Entra services, such as users and groups
Migration administrator Assign the Microsoft 365 Migration Administrator role to users who need to do the following tasks:
• Use Migration Manager in the Microsoft 365 admin center to manage content migration to Microsoft 365, including Microsoft Teams, OneDrive, and SharePoint sites, from various sources such as Google Drive, Dropbox, and Box.
• Select migration sources, create migration inventories (such as Google Drive user lists), schedule and execute migrations, and download reports.
• Create new SharePoint sites if the destination sites don't already exist, create SharePoint lists under the SharePoint admin sites, and create and update items in SharePoint lists.
• Manage migration project settings and migration lifecycle for tasks and manage permission mappings from source to destination.

With this role, you can only migrate from Google Drive, Box, Dropbox, and Egnyte. This role doesn't allow you to migrate from file share sources from the SharePoint admin center. Use the SharePoint admin to migrate from file share sources.
Office Apps admin Assign the Office Apps admin role to users who need to do the following tasks:
• Use the Cloud Policy service for Microsoft 365 to create and manage cloud-based policies.
• Create and manage service requests
• Manage the What's New content that users see in their apps in Microsoft 365
• Monitor service health
• Manage Office Scripts settings
Organizational Message Writer Assign the Organizational Message Writer role to users who need to write, publish, manage, and review the organizational messages for end-users through Microsoft product surfaces.
Organizational Messages Approver Assign the Organizational Messages Approver role to users who need to review, approve, or reject new organizational messages for delivery in the Microsoft 365 admin center before they're sent to users through Microsoft product surfaces.
Password administrator Assign the Password admin role to a user who needs to reset passwords for users who aren't administrators and Password Administrators.
People administrator Assign the People administrator role to users who need to do the following tasks:
• Update profile photos for all users including administrators
• Update people settings for all users (pronouns, name pronunciation, and profile card settings)
Power Platform administrator Assign the Power Platform admin role to users who need to do the following tasks:
• Manage all admin features for Power Apps, Power Automate, Power BI, Microsoft Fabric, and Microsoft Purview Data Loss Prevention
• Create and manage service requests
• Monitor service health
Reports reader Assign the Reports reader role to users who need to do the following tasks:
• View usage data and the activity reports in the Microsoft 365 admin center
• Get access to the Power BI adoption content pack
• Get access to sign-in reports and activity in Microsoft Entra ID
• View data returned by Microsoft Graph reporting API
Search administrator Assign the Search admin role to users who need to create and manage search result content and define query settings for improved search results within the organization. The Search admin manages the Microsoft search configuration and can perform all the content-management tasks that a Search editor can.
Service Support administrator Assign the Service Support admin role as another role to administrators or users who need to do the following tasks in addition to their usual admin role:
• Open and manage service requests
• View and share message center posts
• Monitor service health
SharePoint administrator Assign the SharePoint admin role to users who need to access and manage the SharePoint admin center.

SharePoint administrators can also:
• Create and delete sites
• Manage site collections and global SharePoint settings
Teams administrator Assign the Teams administrator role to users who need to access and manage the Teams admin center.

Teams administrators can also:
• Manage meetings
• Manage conference bridges
• Manage all org-wide settings, including federation, teams upgrade, and teams client settings
User administrator Assign the User admin role to users who need to do the following tasks for all users:
• Add users and groups
• Assign licenses
• Manage most user properties
• Create and manage user views
• Update password expiration policies
• Manage service requests
• Monitor service health

The user admin can also do the following actions for users who aren't administrators and for users assigned the following roles: Directory reader, Guest inviter, Helpdesk admin, Message center reader, Reports reader:
• Manage usernames
• Delete and restore users
• Reset passwords
• Force users to sign out
• Update (FIDO) device keys
User Experience Success Manager Assign the User Experience Success Manager role to users who need to access Experience Insights, Adoption Score, and the Message Center in the Microsoft 365 admin center. This role includes the permissions of the Usage Summary Reports Reader role.

Permissions based on administrator roles and Group type in the Microsoft 365 admin center

| Administrator Role | Microsoft 365 Groups | Security Groups | Distribution Groups | Mail Enabled Security Groups |
| --- | --- | --- | --- | --- |
| Global administrator | Create, Read, Update, Delete | Create, Read, Update, Delete | Create, Read, Update, Delete | Create, Read, Update, Delete |
| Global reader | Read | Read | Read | Read |
| User administrator | Create, Read, Update, Delete, Can't update EXO properties | Create, Read, Update, Delete | Read | Read |
| Exchange administrator | Create, Read, Update, Delete | Read, Update - only groups they own, Delete - only groups they own | Create, Read, Update, Delete | Create, Read, Update, Delete |
| Teams administrator | Create, Read, Update, Delete, Can't update EXO properties | Create, Read, Update, Delete - only groups they own | Read | Read |
| SharePoint administrator | Create, Read, Update, Delete, Can't update EXO properties | Create, Read, Update, Delete - only groups they own | Read | Read |
| Billing administrator | Read | Read | Read | Read |
| Service administrator | Read | Read | Read | Read |
| Group administrator | Create, Read, Update, Delete, Can't update EXO properties | Create, Read, Update, Delete | Read | Read |
| AI administrator | Read | Read | Read | Read |

Delegated administration for Microsoft Partners

If you're working with a Microsoft partner, you can assign them admin roles. They, in turn, can assign users in your company, or their company, admin roles. You might want to assign admin roles to partners if they're setting up and managing your online organization for you.

A partner can assign these roles:

  • Admin Agent: Privileges equivalent to a global admin, except for managing multifactor authentication through the Partner Center.

  • Helpdesk Agent: Privileges equivalent to a helpdesk admin.

Before the partner can assign these roles to users, you must add the partner as a delegated admin to your account. The partner has to be an authorized partner. The partner sends you an email to ask you if you want to give them permission to act as a delegated admin. For instructions, see Authorize or remove partner relationships.

Volume licensing roles

Volume licensing (VL) agreement administrators access their volume licenses in the Microsoft 365 admin center.

  • VL Administrators don't have permissions to any other admin center information or functionality outside the VL section.
  • Global administrators don't assign any VL roles and don't need to assign any admin role to a VL Administrator for them to be able to access the VL agreement.
  • Global administrators don't have access to VL information or functionality in the admin center, unless they're assigned a VL role by a VL Administrator.

For more information, see Manage volume licensing user roles or contact the Volume Licensing Support team.
