Understanding Key Admin Roles in Microsoft 365 Admin Center

Global Administrators can view Directory Activity logs and elevate their access to manage all Microsoft Azure subscriptions and management groups. Global Administrators have access to all administrative features in Microsoft Entra ID, and services using Microsoft Entra identities. Only admins can access the admin center and assign administrator roles to a particular user in the Microsoft 365 Admin Center.

The blog post discusses the key admin roles in Microsoft 365 admin center, permissions based on administrator roles, and steps to assign admin roles.

Key Takeaways:

  • Different administrator roles are available in the Microsoft 365 admin center.
  • Users with global admin role can access all administrative features in Microsoft Entra ID.
  • Challenges in delegating admin responsibilities: Over-permissioned and orphaned accounts, inactive admin accounts, etc.

What Are the Different Administrator Roles Available in the Microsoft 365 Admin Center?

Different administrator roles available in the Microsoft 365 admin center include:

  • AI Administrator
  • AI Reader
  • Application Administrator
  • Billing Administrator
  • Exchange Administrator
  • Fabric Administrator
  • Global Administrator
  • Global Reader
  • Groups Administrator
  • Helpdesk Administrator
  • License Administrator
  • Message Center Privacy Reader
  • Message Center Reader
  • Microsoft Graph Data Connect Administrator

In addition to the above, admin roles in Microsoft 365 include:

  • Migration Administrator
  • Office Apps Administrator
  • Organizational Messages Approver
  • Organizational Messages Writer
  • Password Administrator
  • People Administrator
  • Power Platform Administrator
  • Reports Reader
  • Search Administrator
  • Security Administrator
  • Security Reader
  • Service Support Administrator
  • SharePoint Administrator
  • SharePoint Advanced Management Administrator
  • Teams Administrator
  • User Administrator
  • User Experience Success Manager
  • Viva Glint Tenant Administrator

Permissions On Admin Roles and Group Type in the Microsoft 365 Administrator Center

Permissions based on administrator roles and group type in the Microsoft 365 admin center:

[Figure: Permissions on admin roles and group type in the admin center. Image courtesy: Microsoft]

What are the Responsibilities of a Global Administrator?

Global Administrators can view Directory Activity logs and elevate their access to manage all Microsoft Azure subscriptions and management groups. Global Administrators have access to all administrative features in Microsoft Entra ID, and services using Microsoft Entra identities.

Global Administrators can reset passwords for any user, including other administrators. They can also manage purchasing of the organization’s subscriptions and products, add and manage domains, and unblock another Global Administrator.

A Global Administrator can’t remove their own Global Administrator assignment. This limitation is to prevent a situation where an organization has zero Global Administrators.

How to Assign Administrator Roles in the Microsoft 365 Admin Center?

Step 1: Go to the Microsoft 365 Admin Center

Visit the Microsoft 365 admin center and sign in. Note that only admins can access the admin center.

Step 2: Select Users > Active users

Now, select Users > Active users from the left pane.

Step 3: Select the User Account

Select the user account of the person you want to make an administrator.

Challenges In Managing Microsoft 365 Admin Roles

When delegating admin responsibilities and assigning admin roles in Microsoft 365, there are a few common challenges:

  • Over-permissioned Accounts: Users can have broader permission access than they need. This can leave unnecessary privileges in place.
  • Orphaned Admin Accounts: Admin accounts can remain in place after people have changed roles or left projects. Manually revoking orphaned accounts creates offboarding risks, and orphaned admin accounts lead to license waste.
  • Limited Visibility into SharePoint Permissions: When permission inheritance is broken at the site, library, or item level, access becomes harder to track. You have very little visibility into who has which permissions, which makes audits challenging.
  • Inactive Admin Accounts: Inactive Microsoft 365 users can increase your subscription costs and increase the chance of a cyber-attack. Identifying inactive users in Microsoft 365 is necessary for reducing subscription costs and tightening overall security.
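
The challenges above can be checked mechanically once role assignments are exported. The following PowerShell is an added example, not code from the original post or from CloudFuze: the function name, the record shape (UserPrincipalName, Role, AccountEnabled, LastSignIn), the thresholds, and the sample records are all assumptions made for illustration.

```powershell
# Added example. Record shape and thresholds are assumptions, not Microsoft defaults.
function Find-RiskyAdminAssignment {
    param(
        [Parameter(Mandatory)] [object[]] $Assignment,  # one object per (user, role) pair
        [int] $InactiveDays = 90,                       # assumed inactivity threshold
        [int] $MaxGlobalAdmins = 4,                     # assumed cap on Global Administrators
        [datetime] $Now = (Get-Date)
    )
    $cutoff = $Now.AddDays(-$InactiveDays)

    foreach ($a in $Assignment) {
        $finding = $null
        if (-not $a.AccountEnabled) {
            # Disabled account that still holds a role: offboarding did not revoke it.
            $finding = 'Orphaned: disabled account still holds an admin role'
        }
        elseif ($null -eq $a.LastSignIn -or $a.LastSignIn -lt $cutoff) {
            # Never signed in, or last sign-in is older than the cutoff.
            $finding = "Inactive: no sign-in within $InactiveDays days"
        }
        if ($finding) {
            [pscustomobject]@{ User = $a.UserPrincipalName; Role = $a.Role; Finding = $finding }
        }
    }

    # Too many enabled holders of the broadest role is the over-permissioning case.
    $globalAdmins = @($Assignment |
        Where-Object { $_.Role -eq 'Global Administrator' -and $_.AccountEnabled } |
        Select-Object -ExpandProperty UserPrincipalName -Unique)
    if ($globalAdmins.Count -gt $MaxGlobalAdmins) {
        [pscustomobject]@{
            User    = $globalAdmins -join ', '
            Role    = 'Global Administrator'
            Finding = "Over-permissioned: $($globalAdmins.Count) Global Administrators (limit $MaxGlobalAdmins)"
        }
    }
}

# Constructed sample records; users and domain are placeholders.
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; Role = 'Global Administrator';     AccountEnabled = $true;  LastSignIn = [datetime]'2025-01-10' }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example';   Role = 'Global Administrator';     AccountEnabled = $true;  LastSignIn = [datetime]'2025-01-12' }
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.example'; Role = 'Global Administrator';     AccountEnabled = $true;  LastSignIn = [datetime]'2024-06-01' }
    [pscustomobject]@{ UserPrincipalName = 'dave@contoso.example';  Role = 'SharePoint Administrator'; AccountEnabled = $false; LastSignIn = [datetime]'2024-11-20' }
    [pscustomobject]@{ UserPrincipalName = 'erin@contoso.example';  Role = 'User Administrator';       AccountEnabled = $true;  LastSignIn = $null }
)
Find-RiskyAdminAssignment -Assignment $sample -Now ([datetime]'2025-01-15') -MaxGlobalAdmins 2
```

With the sample data this reports carol and erin as inactive, dave as orphaned, and three Global Administrators against a limit of two. In a real tenant the input records could be assembled with the Microsoft Graph PowerShell cmdlets Get-MgDirectoryRole, Get-MgDirectoryRoleMember, and Get-MgUser with the signInActivity property.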

How CloudFuze Manage Helps

Our solution, CloudFuze Manage, automates the identification of idle and inactive user accounts across your Microsoft 365 tenant and helps you maintain accurate user data records for audit purposes.

You can centralize user onboarding and offboarding workflows, automate the deprovisioning of orphaned user accounts, and gain full visibility using CloudFuze Manage. With this, you can get a complete overview of admin role assignments, permission sprawl, and account activity across Microsoft 365.

Final Thoughts

To ensure complete control, businesses should be aware of assigned user permissions, account activity, orphaned access, and admin role sprawl. Every unmanaged area is a blind spot.

CloudFuze Manage closes all gaps and equips IT teams with complete visibility and governance. Identify and remediate content sprawl, oversharing, risky external sharing, public links, etc., across your Microsoft 365 ecosystem using our SaaS and AI governance platform.

Frequently Asked Questions

1. What is an administrator role in Microsoft 365?

An administrator role is a predefined set of permissions that lets a user perform tasks like adding users, assigning licenses, or configuring services.

2. What are some of the most common admin roles besides Global Admin?

Some of the most common admin roles besides Global Admin include SharePoint Administrator, Teams Administrator, User Administrator and Security Administrator.

3. What can a Global Administrator do?

Global Administrators can view Directory Activity logs and elevate their access to manage all Microsoft Azure subscriptions and management groups. Global Administrators can get full access to all Microsoft Azure resources using their respective Microsoft Entra tenant.

4. What’s the difference between a Global Administrator and a Global Reader?

The Global Reader offers visibility without edit rights. The Global Reader role can view all settings and reports in the Microsoft 365 admin center but cannot edit any settings, which provides a balance between access and control. It’s a good choice when full Global Administrator powers aren’t needed.

About the Author: Bhavani Asok

Bhavani Asok at CloudFuze aligns her technical content writing expertise with all-things cloud migration to help businesses make strategic decisions in their cloud migration journey.