Admin roles for Office 365

Office 365 is a premium Software as a Service (SaaS) offering from Microsoft; Microsoft has done an excellent job of formulating different roles for administrators. Depending on the subscription, you may not see some of the administrator roles. As of today ( July 2017), the following are the different types of roles available. The reason for the as of today is that, ever since its launch, Microsoft has been adding new services to Office 365 consistently.

Now let's look at the various administrator roles:

• Global administrator: This is the highest privileged role. The account you used to sign up for the Office 365 subscription gets this role automatically. The global administrator has access to all the administrative features in the Office 365 suite of services in your plan. For example: create, edit, delete users/groups, manage domains, and so on. To assign this role to other user accounts, you will need to use the global administrator account. Global administrators are the only admins who can assign other admin roles. As a best practice, you should have as few global administrators as possible.
• Billing administrator: Members of this role make the purchase, manage subscriptions, manage support tickets, and monitor service health. Members of this role do not have additional privileges in Exchange Online, SharePoint Online, or Skype for Business Online.
• Exchange administrator: Members of this role can manage mailboxes and anti-spam policies of your business using the Exchange admin center. It is recommended that, when you assign someone the Exchange admin role, you assign them to the service administrator role as well. This way, the Exchange administrator can see the important information in the Office 365 admin center, such as the health of the Exchange Online service, and change release notifications.
• SharePoint administrator: Members of this role manage SharePoint Online using the SharePoint admin center. Members of this role can assign other people as site collection administrators and term store administrators.
• Password administrator: This is a limited role, and members of this role can reset the passwords of nonprivileged users and other members of the password administrator role, manage service requests, and monitor service health.
• Skype for Business administrator: Members of this role can configure Skype for Business for your organization and view all activity reports in the Office 365 admin center.
• Compliance administrator: Members of this role manage security and compliance policies for your organization. Compliance admins have permissions for the Office 365 admin center, Security & Compliance Center, Exchange Online admin center, and the Azure AD admin portal.
• Service administrator: Members of this role openly support requests with Microsoft and view the service dashboard and message center. They have the View Only permissions except for opening support tickets and reading them. Users who are assigned to the Exchange Online, SharePoint Online, and Skype for Business admin roles should be assigned to the service admin role. This way, these users can see important information in the Office 365 admin center, for example, the health of the service, changes, and release information.
• User management administrator: Members of this role can reset a user's password, monitor service health, and manage (add/delete) some user accounts, groups, and service requests. Members of this role cannot delete a global admin, create other admin roles, or reset the passwords for global, billing, Exchange, SharePoint, compliance, and Skype for Business administrators.
• Power BI administrator: Members of this role will have access to the Office 365 Power BI usage metrics. They can control the organization's usage of Power BI features.
• Delegated administrator: Members of this role are users outside the organization who perform administrative tasks in your Office 365 tenant. To be the delegated administrator, the user needs to have an account in their organization's Office 365 tenant. If your company has multiple tenants or you are managing multiple tenants for your clients, instead of using the separate account for each Office 365 tenant, we can assign an account delegated administrator rights to other tenants. Using this approach, we can use a single account across multiple Office 365 tenants. The delegated administrator can have the following two permission levels:
  • Full administration: This delegated administrator has full rights as a global administrator
  • Limited administration: This delegated administrator has the same rights as a password administrator

Depending on the type of operation you would like to perform, your account needs to have the corresponding admin role assigned.

For example, if you would like to create a user account, your account needs to be a part of global administrator role or a user management administrator role. The general rule of permissions should be followed while assigning the user roles. You should always start with the least privileged role and elevate the role based on the operation the user would like to do. If the user is only going to change passwords, then it does not make sense to make that user the global admin. Instead, assign the user the password administrator role. We can use either Office 365 admin center or PowerShell to assign the admin roles.