Office 365 admin roles

By using Office 365 we have a new horizon of opportunities and features we can go with. In the other hand we also need to think/talk about roles for managing our new horizon. Office 365 is coming with a bulk of new admin roles, which we can assign to our users in our organization. Microsoft has created this admin roles in a way, that it makes easy for us, to assign the right roles to the right users. Each admin role maps to common business functions and gives people in our organization permissions to the specific tasks in our Office 365 admin center.

 

In the first step we will have a look, where we can configure the admin roles in Office 365:

When we login to our Office 365 portal, we go to the Admin center > User > Active users > and here we browse for the user we want to modify the admin roles.

After marking the user we want to edit, it appears on the right side in our browser the “Setcard” of our user. Here we see all information about the user which are synced to the Cloud. Now let us click by Roles on edit, and we will get the following overview:

As we can see by this specific user, he has no admin roles assigned on Office 365. To do that we have three options:

The first option is the default one, that means that this specific user has no administrative permissions. If we have a look on the second option, we see the global administrator. If a user has this role, we will be an admin for all possible roles in Office 365. By personal recommendation to this role is, that, depended on the company size, we don’t have users with this role on his user account. A global admin can be a dedicated personal admin user account which we are not using for our daily business.

The most common option for assigning admin role to user is third option: Customized administrator. If we look deeper on this option we will see the following options:

As we can see, there are a bulk of possible options. So, which we have to use? What all the shown options means?

To understand each of the possible options, I have created the table below:

Global

Administrator

Accesses all administrative features in the Office 365 suite of services in our plan, including Skype for Business. By default the person who signs up to buy Office 365 becomes a global admin. Global admins are the only admins who can assign other admin roles. We can have more than one global admin in our organization. As a best practice I recommend that only a few people in our company have this role. It reduces the risk to our business.

 

Tip: Make sure everyone who is a global admin in our organization has a mobile phone number and alternate email address in their contact info.

Billing

Administrator

Makes purchases, manages subscriptions, manages support tickets, and monitors service health.
Exchange

Administrator

Manages mailboxes and anti-spam policies for our business, using the Exchange admin center.
SharePoint

Administrator

Manages the document storage for our business on SharePoint Online. They do this in the SharePoint admin center. They can also assign other people to be Site Collection administrators and Term Store administrators. Permissions assigned to SharePoint sites are completely separate from the Office 365 global admin role. We can be a global admin without access to a SharePoint site if we weren’t added to it or didn’t create the site.

People in this role can also can view all the activity reports in the Office 365 admin center.

Password

Administrator

Resets passwords, manages service requests, and monitors service health. Password admins are limited to resetting passwords for users.
Skype for Buissnes

Administrator

Configures Skype for Business for our organization and can view all the activity reports in the Office 365 admin center.
Compliance

Administrator

Manages security and compliance policies for our organization. Compliance admins have permission to the Office 365 admin center, Security and Compliance Center, Exchange Online Admin Center and the Azure AD Admin Portal.

They also have access to view reports, manage service requests in the Office 365 admin center.

Service

Administrator

Opens support requests with Microsoft, and views the service dashboard and message center. They have “view only” permissions except for opening support tickets and reading them.

 

Tip: People who are assigned to the Exchange Online, SharePoint Online, and Skype for Business admin roles should also be assigned to the Service admin role. This way they can see important information in the Office 365 admin center, such as the health of the service, and change and release notifications.

User management

Administrator

Resets passwords, monitors service health, adds and deletes user accounts, and manages service requests. The user management admin can’t delete a global admin, create other admin roles, or reset passwords for global, billing, Exchange, SharePoint, Compliance and Skype for Business admins.
Dynamics 365

(online)

When a person is assigned to the Office 365 global administrator role, they are automatically assigned to the System Administrator security role in Dynamics 365 (online).

 

A person assigned to the System Administrator security role in Dynamics 365 can assign other people to Dynamics 365 security roles. With the System Administrator security role, we can manage all aspects of Dynamics 365.

Dynamics 365 service

Administrator

Use this new role to assign users to manage Dynamics 365 at the tenant level without having to assign the more powerful Office 365 global admin privileges. A Dynamics 365 service admin can sign in to the Dynamics 365 admin center to manage instances. A person with this role cannot do functions restricted to the Office 365 global admin such as manage user accounts, manage subscriptions, access settings for Office 365 apps like Exchange or SharePoint.
Power BI

Administrator

A person assigned to the Power BI admin role will have access to Office 365 Power BI usage metrics. They’ll also be able to control your organization’s usage of Power BI features.

 

 

Summary:

As you can see, there are many administrator roles we can us. As I have written in the beginning of this article, I recommend you, to use dedicated accounts for global admin accounts. I also recommend you that all admins has a mobile number and an alternative email address in their contact info.

 

 


Leave a Reply

Your email address will not be published. Required fields are marked *