{
	"id": "518333f7-11fa-484b-8906-0b3303363ff8",
	"created_at": "2026-04-06T00:22:30.714829Z",
	"updated_at": "2026-04-10T03:20:05.928871Z",
	"deleted_at": null,
	"sha1_hash": "1514de96e0193f33c516d31feaecf7c94e07e241",
	"title": "About administrator roles in the Microsoft 365 admin center - Microsoft 365 admin",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 102992,
	"plain_text": "About administrator roles in the Microsoft 365 admin center -\r\nMicrosoft 365 admin\r\nBy denisebmsft\r\nArchived: 2026-04-05 20:23:59 UTC\r\nCheck out Microsoft 365 small business help on YouTube. These resources are especially helpful for\r\nsmall business admins who are new to Microsoft 365.\r\nIn order to perform tasks, such as adding users, assigning licenses, or configuring services, you must be assigned\r\nan administrator role in Microsoft 365 for business. Your Microsoft 365 or Office 365 subscription comes with a\r\nset of administrator roles that can be assigned in the Microsoft 365 admin center. Each administrator role maps to\r\ncommon business functions and enables people in your organization to do specific tasks in the admin centers. This\r\narticle provides an overview of administrator roles, security guidelines to keep in mind, and links to related\r\ncontent.\r\nWatch: What is an admin?\r\nCheck out this video and others on our YouTube channel.\r\n1. Go to the Microsoft 365 admin center and sign in. If you can access the Microsoft 365 admin center, you're\r\nan administrator, and you can proceed to the next step.\r\n2. In the left navigation pane, select Users \u003e Active users. (Or, go directly to the Active users page.)\r\n3. Select the user account for the person who you want to make an administrator. The user's details appear in\r\nthe right dialog box.\r\nBefore you begin\r\nThe Microsoft 365 admin center lets you manage Microsoft Entra roles and Microsoft Intune roles. 
However,\r\nthese roles are a subset of the roles available in the Microsoft Entra admin center and the Microsoft Intune admin\r\ncenter.\r\nFor the full list of detailed Microsoft Entra role descriptions you can manage in the Microsoft 365 admin\r\ncenter, see Administrator role permissions in Microsoft Entra built-in roles.\r\nFor the full list of detailed Intune role descriptions you can manage in the Microsoft 365 admin center, see\r\nRole-based access control (RBAC) with Microsoft Intune.\r\nFor more information on assigning roles in the Microsoft 365 admin center, see Assign admin roles.\r\nhttps://docs.microsoft.com/en-us/office365/admin/add-users/about-admin-roles?view=o365-worldwide\r\nPage 1 of 10\n\nSecurity guidelines for assigning roles\r\nBecause administrators have access to sensitive data and files, we recommend that you follow these guidelines to\r\nkeep your organization's data more secure.\r\nRecommendation Why it's important\r\nHave as few global\r\nadministrators as\r\npossible\r\nGlobal Administrators have almost unlimited access to your organization's settings\r\nand most of its data. We recommend you limit the number of Global\r\nAdministrators as much as possible. A Global Administrator could inadvertently\r\nlock their account and require a password reset. Either another Global\r\nAdministrator or a Privileged Authentication Administrator can reset a Global\r\nAdministrator's password. Therefore, we recommend you have at least a Privileged\r\nAuthentication administrator in the event a Global Administrator is locked out of\r\ntheir account.\r\nAssign the least\r\npermissive role\r\nAssigning the least permissive role means giving administrators only the access\r\nthey need to get the job done. For example, if you want someone to reset user\r\npasswords you shouldn't assign the unlimited global administrator role; instead,\r\nyou should assign a limited administrator role, like Password Administrator or\r\nHelpdesk Administrator. 
See Least privileged roles by task in Microsoft Entra ID.\r\nRequire multifactor\r\nauthentication (MFA)\r\nfor administrators\r\nIt's a good idea to require MFA for all of your users, especially administrators.\r\nMFA makes users use a second method of identification to verify their identity.\r\nAdministrators can have access to user data, such as their name, email address,\r\nlocation, and so on. If you require MFA, even if the administrator's password gets\r\ncompromised, the password alone isn't sufficient to sign in without another method\r\nof identification.\r\nWhen you turn on MFA, the next time the user signs in, they'll need to provide an\r\nalternate email address and phone number for account recovery.\r\nSet up multifactor authentication\r\nIf you get a message in the Microsoft 365 admin center that you don't have permissions to edit a setting or page,\r\nit's because you're assigned to a role that doesn't have that permission. In this case, take one or more of the\r\nfollowing actions:\r\nTalk to another administrator to assign you the correct permissions.\r\nLearn more about how administrator roles are assigned. See Assign administrator roles.\r\nContact support for Microsoft 365 for business.\r\nCommonly used Microsoft 365 admin center roles\r\nTo view administrator roles, follow these steps:\r\n1. In the Microsoft 365 admin center, go to Role assignments.\r\n2. Select any role to open its detail pane.\r\n3. Select the Permissions tab to view the detailed list of what administrators assigned that role have\r\npermissions to do.\r\n4. Select the Assigned or Assigned admins tab to add users to roles.\r\nTo view the full list of roles, go to the bottom of the list and select Show all by Category. 
For detailed\r\ninformation, including the cmdlets associated with a role, see Microsoft Entra built-in roles.\r\nAdministrator roles and who should be assigned\r\nThe following table lists administrator roles and information about who should be assigned these roles. To see the\r\nfull list of roles, visit Microsoft Entra built-in roles.\r\nAdministrator\r\nrole\r\nWho should be assigned this role?\r\nAI Administrator\r\nAssign the AI Administrator role to users who need to do the following tasks:\r\n- Allow users to install an app or install an app for users in the organization if the app\r\ndoesn't require permission\r\n- Read and configure Azure and Microsoft 365 service health dashboards\r\n- View usage reports, adoption insights, and organizational insight\r\n- Create and manage support tickets in Azure and the Microsoft 365 admin center\r\nBilling\r\nAdministrator\r\nAssign the Billing Administrator role to users who make purchases, manage\r\nsubscriptions \u0026 service requests, and monitor service health. Billing administrators can\r\nalso:\r\n- Manage all aspects of billing\r\n- Create and manage support tickets in the Azure portal\r\nExchange\r\nAdministrator\r\nAssign the Exchange Administrator role to users who need to view and manage your\r\nuser's email mailboxes, Microsoft 365 Groups, and Exchange Online. 
Exchange\r\nAdministrators can also:\r\n- Recover deleted items in a user's mailbox\r\n- Set up \"Send As\" and \"Send on behalf\" delegates\r\nFabric\r\nAdministrator\r\nAssign the Fabric Administrator role to users who need to do the following tasks:\r\n- Manage all admin features for Microsoft Fabric and Power BI\r\n- Report on usage and performance\r\n- Review and manage auditing\r\nGlobal\r\nAdministrator\r\nGlobal Administrators can:\r\n- Manage purchasing of your organization's subscriptions and products\r\n- Reset passwords for all users\r\n- Add and manage domains\r\n- Unblock another global admin\r\nThe person who purchased a subscription for your organization and signed up for\r\nMicrosoft online services is a global administrator automatically. Additionally, only\r\nglobal administrators can view and manage subscriptions purchased through a Partner.\r\nGlobal Reader\r\nAssign the Global Reader role to users who need to view administrator features and\r\nsettings in admin centers that the global administrator can view. The global reader can't\r\nedit any settings.\r\nFor subscriptions purchased through a partner, the Global Reader role isn't available.\r\nGroups\r\nAdministrator\r\nAssign the Groups Administrator role to users who need to manage all groups settings\r\nacross admin centers, including the Microsoft 365 admin center and Microsoft Entra\r\nadmin center. 
Groups Administrators can:\r\n- Create, edit, delete, and restore Microsoft 365 Groups\r\n- Create and update group creation, expiration, and naming policies\r\n- Create, edit, delete, and restore Microsoft Entra security groups\r\nAlso see Manage who can create Microsoft 365 Groups.\r\nHelpdesk\r\nAdministrator\r\nAssign the Helpdesk Administrator role to users who need to do the following tasks:\r\n- Reset passwords\r\n- Force users to sign out\r\n- Manage service requests\r\n- Monitor service health\r\nThe Helpdesk admin can only help users who aren't administrator users and users who\r\nare assigned these roles: Directory reader, Guest inviter, Helpdesk admin, Message\r\nCenter reader, and Reports reader.\r\nLicense\r\nAdministrator\r\nAssign the License Administrator role to users who need to assign and remove licenses\r\nfrom users and edit their usage location. License administrators can also:\r\n- Reprocess license assignments for group-based licensing\r\n- Assign product licenses to groups for group-based licensing\r\nMessage Center\r\nPrivacy Reader\r\nAssign the Message Center Privacy Reader role to users who need to read privacy and\r\nsecurity messages and updates in the Microsoft 365 Message Center. Message Center\r\nprivacy readers might get email notifications related to data privacy, depending on their\r\npreferences, and they can unsubscribe using Message Center preferences. Only Global\r\nAdministrators and Message Center Privacy Readers can read data privacy messages.\r\nThis role has no permission to view, create, or manage service requests. 
Message\r\nCenter privacy readers can also:\r\n- Monitor all notifications in the Message Center, including data privacy messages\r\n- View groups, domains, and subscriptions\r\nMessage Center\r\nReader\r\nAssign the Message Center Reader role to users who need to do the following tasks:\r\n- Monitor Message Center notifications\r\n- Get weekly email digests of Message Center posts and updates\r\n- Share Message Center posts\r\n- Have read-only access to Microsoft Entra services, such as users and groups\r\nMicrosoft Graph\r\nData Connect\r\nAdministrator\r\nAssign the Microsoft Graph Data Connect Administrator role to users who need to do\r\nthe following tasks:\r\n- Access the full set of administrative capabilities of Microsoft Graph Data Connect\r\n- Manage Microsoft Graph Data Connect settings in a tenant\r\n- Enable or disable the Microsoft Graph Data Connect service\r\n- Configure dataset workload selections in Microsoft Graph Data Connect\r\n- Configure cross-tenant data movement settings in Microsoft Graph Data Connect\r\n- View, approve, or deny application authorization requests for Microsoft Graph Data\r\nConnect\r\n- View, create, update, or delete application registrations for Microsoft Graph Data\r\nConnect\r\nMigration\r\nAdministrator\r\nAssign the Microsoft 365 Migration Administrator role to users who need to do the\r\nfollowing tasks:\r\n- Use Migration Manager in the Microsoft 365 admin center to manage content\r\nmigration to Microsoft 365, including Microsoft Teams, OneDrive, and SharePoint\r\nsites, from various sources such as Google Drive, Dropbox, and Box.\r\n- Select migration sources, create migration inventories (such as Google Drive user\r\nlists), schedule and execute migrations, and download reports.\r\n- Create new SharePoint sites if the destination sites 
don't already exist, create\r\nSharePoint lists under the SharePoint admin sites, and create and update items in\r\nSharePoint lists.\r\n- Manage migration project settings and migration lifecycle for tasks and manage\r\npermission mappings from source to destination.\r\nWith this role, you can only migrate from Google Drive, Box, Dropbox, and Egnyte.\r\nThis role doesn't allow you to migrate from file share sources from the SharePoint\r\nadmin center. Use the SharePoint admin to migrate from file share sources.\r\nOffice Apps\r\nAdministrator\r\nAssign the Office Apps Administrator role to users who need to do the following tasks:\r\n- Use the Cloud Policy service for Microsoft 365 to create and manage cloud-based\r\npolicies.\r\n- Create and manage service requests\r\n- Manage the What's New content that users see in their apps in Microsoft 365\r\n- Monitor service health\r\n- Manage Office Scripts settings\r\nOrganizational\r\nMessages\r\nApprover\r\nAssign the Organizational Messages Approver role to users who need to review,\r\napprove, or reject new organizational messages for delivery in the Microsoft 365 admin\r\ncenter before they're sent to users through Microsoft product surfaces.\r\nOrganizational\r\nMessages Writer\r\nAssign the Organizational Messages Writer role to users who need to write, publish,\r\nmanage, and review the organizational messages for end-users through Microsoft\r\nproduct surfaces.\r\nPassword\r\nAdministrator\r\nAssign the Password Administrator role to a user who needs to reset passwords for\r\nusers.\r\nPeople\r\nAdministrator\r\nAssign the People Administrator role to users who need to do the following tasks:\r\n- Update profile photos for all users including administrators\r\n- Update people settings for all users (pronouns, name pronunciation, and profile card\r\nsettings)\r\n
Power Platform\r\nAdministrator\r\nAssign the Power Platform Administrator role to users who need to do the following\r\ntasks:\r\n- Manage all admin features for Power Apps, Power Automate, Power BI, Microsoft\r\nFabric, and Microsoft Purview Data Loss Prevention\r\n- Create and manage service requests\r\n- Monitor service health\r\nReports Reader\r\nAssign the Reports Reader role to users who need to do the following tasks:\r\n- View usage data and the activity reports in the Microsoft 365 admin center\r\n- Get access to the Power BI adoption content pack\r\n- Get access to sign-in reports and activity in Microsoft Entra ID\r\n- View data returned by Microsoft Graph reporting API\r\nSearch\r\nAdministrator\r\nAssign the Search Administrator role to users who need to create and manage search\r\nresult content and define query settings for improved search results within the\r\norganization. The Search admin manages the Microsoft search configuration and can\r\nperform all the content-management tasks that a Search editor can.\r\nService Support\r\nAdministrator\r\nAssign the Service Support Administrator role as another role to administrators or users\r\nwho need to do the following tasks in addition to their usual admin role:\r\n- Open and manage service requests\r\n- View and share Message Center posts\r\n- Monitor service health\r\nSharePoint\r\nAdministrator\r\nAssign the SharePoint Administrator role to users who need to access and manage the\r\nSharePoint admin center. SharePoint Administrators can also:\r\n- Create and delete sites\r\n- Manage site collections and global SharePoint settings\r\nTeams\r\nAdministrator\r\nAssign the Teams Administrator role to users who need to access and manage the\r\nTeams admin center. 
A Teams Administrator can also:\r\n- Manage meetings\r\n- Manage conference bridges\r\n- Manage all org-wide settings, including federation, teams upgrade, and teams client\r\nsettings\r\nUser Administrator\r\nAssign the User Administrator role to users who need to do the following tasks:\r\n- Create, disable, or enable user accounts\r\n- Add users and groups\r\n- Assign licenses\r\n- Manage most users properties\r\n- Create and manage user views\r\n- Update password expiration policies\r\n- Manage service requests\r\n- Monitor service health\r\n- Update (FIDO) device keys\r\nUser Experience\r\nSuccess Manager\r\nAssign the User Experience Success Manager role to users who need to access\r\nExperience Insights, Adoption Score, and the Message Center in the Microsoft 365\r\nadmin center. This role includes the permissions of the Usage Summary Reports\r\nReader role.\r\nViva Glint Tenant\r\nAdministrator\r\nAssign the Viva Glint Tenant Administrator role to users who manage the Viva Glint\r\napp. 
See Assign Viva Glint Tenant and Service Administrators.\r\nAlso see Check admin roles in your organization.\r\nPermissions based on administrator roles and Group type in the Microsoft 365\r\nadministrator center\r\nAdministrator | Microsoft 365 Groups | Security Groups | Distribution Groups | Mail Enabled Security Groups\r\nGlobal Administrator | Create, Read, Update, Delete | Create, Read, Update, Delete | Create, Read, Update, Delete | Create, Read, Update, Delete\r\nGlobal Reader | Read | Read | Read | Read\r\nUser Administrator | Create, Read, Update, Delete (Can't update Exchange Online properties) | Create, Read, Update, Delete | Read | Read\r\nExchange Administrator | Create, Read, Update, Delete | Read, Update (only groups they own), Delete (only groups they own) | Create, Read, Update, Delete | Create, Read, Update, Delete\r\nTeams Administrator | Create, Read, Update, Delete (Can't update Exchange Online properties) | Create, Read, Update, Delete (only groups they own) | Read | Read\r\nSharePoint Administrator | Create, Read, Update, Delete (Can't update Exchange Online properties) | Create, Read, Update, Delete (only groups they own) | Read | Read\r\nBilling Administrator | Read | Read | Read | Read\r\nService Support Administrator | Read | Read | Read | Read\r\nGroups Administrator | Create, Read, Update, Delete (Can't update Exchange Online properties) | Create, Read, Update, Delete | Read | Read\r\nAI administrator | Read | Read | Read | Read\r\nDelegated administration for Microsoft Partners\r\nIf you're working with a Microsoft partner, you can assign them administrator roles. 
They, in turn, can assign users\r\nin your company, or their company, administrator roles. You might want to assign administrator roles to partners if\r\nthey're setting up and managing your online organization for you.\r\nA partner can assign these roles:\r\nAdmin Agent Privileges equivalent to a global administrator, except for managing multifactor\r\nauthentication through the Partner Center.\r\nHelpdesk Agent Privileges equivalent to a helpdesk admin.\r\nBefore the partner can assign these roles to users, you must add the partner as a delegated administrator to your\r\naccount. The partner has to be an authorized partner. The partner sends you an email to ask you if you want to give\r\nthem permission to act as a delegated admin. For instructions, see Authorize or remove partner relationships.\r\nVolume licensing roles\r\nVolume licensing (VL) agreement administrators access their volume licenses in the Microsoft 365 admin center.\r\nVL Administrators don't have permissions to any other admin center information or functionality outside\r\nthe VL section.\r\nGlobal administrators don't assign any VL roles and don't need to assign any administrator role to a VL\r\nAdministrator for them to be able to access the VL agreement.\r\nGlobal administrators don't have access to VL information or functionality in the admin center, unless\r\nthey're assigned to a VL role by a VL Administrator.\r\nFor more information, see Manage volume licensing user roles or contact the Volume Licensing Support team.\r\nRelated content\r\nGet support for Microsoft 365 for business\r\nReset passwords in Microsoft 365 for business\r\nAssign administrator roles\r\nCheck administrator roles in your organization\r\nManage user authentication methods for Microsoft Entra multifactor authentication\r\nMicrosoft Entra roles in the Microsoft 365 administrator center\r\nActivity 
reports in the Microsoft 365 admin center\r\nExchange Online administrator role\r\nSource: https://docs.microsoft.com/en-us/office365/admin/add-users/about-admin-roles?view=o365-worldwide",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://docs.microsoft.com/en-us/office365/admin/add-users/about-admin-roles?view=o365-worldwide"
	],
	"report_names": [
		"about-admin-roles?view=o365-worldwide"
	],
	"threat_actors": [],
	"ts_created_at": 1775434950,
	"ts_updated_at": 1775791205,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1514de96e0193f33c516d31feaecf7c94e07e241.pdf",
		"text": "https://archive.orkl.eu/1514de96e0193f33c516d31feaecf7c94e07e241.txt",
		"img": "https://archive.orkl.eu/1514de96e0193f33c516d31feaecf7c94e07e241.jpg"
	}
}