Microsoft 365 Admin Roles Explained: Global, User, Exchange, and More

TL;DR: Use the Global Administrator role only when you have to — it has unlimited access. For routine work, pick the most narrowly-scoped role that fits the task: User Administrator for user management, License Administrator for licensing, Exchange Administrator for email, SharePoint Administrator for SharePoint, Conditional Access Administrator for CA policies. Microsoft Entra ID has 100+ built-in roles; you’ll use about a dozen.

Microsoft 365 administration runs on Microsoft Entra ID’s role-based access control (RBAC). The role you assign to an admin determines what they can read, write, and do. Picking the right one — and not just defaulting to Global Administrator — is the single biggest control over the blast radius of a compromised admin account.

What this does

Each role grants a defined set of permissions — specific operations the holder can perform. When a user signs in to an admin portal, Microsoft Entra ID checks their role assignments and decides which features and data are visible and editable.

Microsoft publishes the full role permissions reference at https://learn.microsoft.com/entra/identity/role-based-access-control/permissions-reference. There are 100+ built-in roles plus the option to create custom ones. For most tenants, you’ll use about 12 of them regularly.

The principle of least privilege

Assign the least permissive role that lets the person do their job.

Why it matters:

  1. Compromise blast radius. A compromised User Administrator can reset passwords for non-admins. A compromised Global Administrator can do anything in the tenant.
  2. Insider risk. Mistakes are constrained by role — a Helpdesk Administrator can’t accidentally delete the tenant’s only domain.
  3. Compliance and audit. Auditors look at who has what role. Fewer Global Administrators is a stronger story.
  4. Privileged Identity Management (PIM). With Microsoft Entra ID P2, admins can be made eligible for a role and activate it just-in-time with approval and time limits.

The Microsoft Entra docs include a “Least privileged roles by task” page — bookmark it. When a colleague says “I need access to do X,” look up X there before reaching for a broad role.

The roles you’ll actually use

Roles for user and identity management

| Role | What they can do | Use it when |
| --- | --- | --- |
| Global Administrator | Everything in every Microsoft admin portal. | Tenant setup, emergency access, and operations no other role allows. Limit to 2-5 admins. |
| User Administrator | Create/edit/delete non-privileged users, reset their passwords, assign limited admin roles, manage groups. | Day-to-day onboarding and offboarding work. |
| Password Administrator | Reset passwords for non-admin users only. | Tier-1 helpdesk staff. |
| Privileged Authentication Administrator | Reset passwords and manage MFA for any user, including Global Administrators. | The role that can rescue a locked-out Global Admin. Have one. |
| License Administrator | Assign, remove, and reclaim user licenses. Cannot create users. | Licensing operations team. |
| Helpdesk Administrator | Reset non-admin passwords, manage service tickets. | Tier-1 support. |
| Groups Administrator | Create/manage Microsoft 365 groups and security groups. | Identity governance work. |

Roles for security and Conditional Access

| Role | What they can do | Use it when |
| --- | --- | --- |
| Security Administrator | Manage security defaults, Defender settings, alerts, security reports. | Security operations team. |
| Conditional Access Administrator | Create and manage Conditional Access policies. | The team that owns CA — typically separate from broader security. |
| Authentication Administrator | Manage authentication methods, force MFA re-registration for non-admins. | Helpdesk staff who handle MFA resets. |
| Security Reader | Read-only access to security data and reports. | Auditors, compliance reviewers. |

Roles for Microsoft 365 services

| Role | Scope |
| --- | --- |
| Exchange Administrator | Exchange Online — mailboxes, mail flow, anti-spam, message trace |
| Exchange Recipient Administrator | Exchange Online — recipients only (no policy changes) |
| SharePoint Administrator | SharePoint Online and OneDrive — sites, sharing, storage |
| Teams Administrator | Microsoft Teams — teams, channels, calling, meeting policies |
| Intune Administrator | Microsoft Intune — endpoint and app management |
| Power Platform Administrator | Power Platform — environments, DLP, capacity |
| Compliance Administrator | Microsoft Purview — DLP, retention, eDiscovery |
| Compliance Data Administrator | Like Compliance Administrator, but limited to compliance data, not configuration |

Read-only roles

| Role | What they can read |
| --- | --- |
| Global Reader | Same visibility as Global Administrator, with no write access. Use this for executive reviews and audits. |
| Reports Reader | Usage and adoption reports. |
| Message Center Reader | Service health and message center notifications. |

How to assign a role

You can assign roles in two places: the Microsoft 365 admin center (a subset of roles) or the Microsoft Entra admin center (the full set, plus governance features).

From the Microsoft 365 admin center

  1. Sign in to https://admin.microsoft.com as a Global Administrator or Privileged Role Administrator.
  2. Go to Users > Active users.
  3. Select the user.
  4. In the flyout, under Roles, select Manage roles.
  5. Pick the role(s); select Save changes.

Or, role-centric:

  1. Go to Roles > Role assignments.
  2. Pick the role; select Add users or Add groups.
  3. Add the assignees; select Add.

From the Microsoft Entra admin center

For roles that don’t appear in the Microsoft 365 admin center, or for Privileged Identity Management:

  1. Sign in to https://entra.microsoft.com as a Privileged Role Administrator.
  2. Go to Identity > Roles & admins > Roles & admins.
  3. Pick the role.
  4. Select Add assignments > pick the user or group > select Add.
  5. For PIM (P2 only), choose Eligible instead of Active to make the assignment just-in-time.

Security guardrails for admin accounts

  • Limit Global Administrators to 2-5. Microsoft recommends ≤ 5.
  • Have at least 2 break-glass accounts. Cloud-only, excluded from MFA policies, with long passwords stored offline. Monitor their sign-ins, because any use of them should be an expected emergency.
  • Require MFA on every admin account. Conditional Access policy or security defaults.
  • No daily-driver Global Admin. Day-to-day work with a regular account; activate Global Administrator only when needed (PIM if you have P2).
  • Separate identity for admin work. Many organizations create a separate firstname.admin@contoso.com account for elevated work and use it only when admin tasks require it.
  • Audit role assignments quarterly. Run Export admin list from Roles in the admin center; review whether each assignment is still warranted.
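An added audit script for the quarterly review (written for this page, not part of the original article): it uses the Microsoft.Graph PowerShell module to list every holder of the three tenant-takeover roles, expanding role-assignable groups, warns when more than five Global Administrators exist, and flags holders without a registered MFA method. It assumes the Microsoft.Graph module is installed and only reads the tenant; break-glass accounts are excluded from MFA by design and will appear in the MFA warning.

```powershell
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Directory.Read.All","UserAuthenticationMethod.Read.All"

# The three roles that can take over the tenant: Global Administrator plus the two the notes warn about.
$tier0 = "Global Administrator", "Privileged Role Administrator", "Privileged Authentication Administrator"

$definitions = Get-MgRoleManagementDirectoryRoleDefinition -All
# Active assignments only; PIM-eligible ones live in Get-MgRoleManagementDirectoryRoleEligibilitySchedule.
$assignments = Get-MgRoleManagementDirectoryRoleAssignment -All

$findings = foreach ($roleName in $tier0) {
  $def = $definitions | Where-Object DisplayName -eq $roleName
  $holders = $assignments | Where-Object RoleDefinitionId -eq $def.Id | ForEach-Object {
    $principal = Get-MgDirectoryObject -DirectoryObjectId $_.PrincipalId
    if ($principal.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group') {
      # Role-assignable group: expand it so every effective holder is counted.
      Get-MgGroupMember -GroupId $_.PrincipalId -All
    } else {
      $principal
    }
  }
  foreach ($p in $holders) {
    $upn = $p.AdditionalProperties['userPrincipalName']
    if (-not $upn) { continue }   # service principals have no UPN and no MFA registration
    # Anything other than the password method counts as a registered MFA factor.
    $mfa = Get-MgUserAuthenticationMethod -UserId $p.Id |
      Where-Object { $_.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.passwordAuthenticationMethod' }
    [PSCustomObject]@{ Role = $roleName; User = $upn; MfaRegistered = [bool]$mfa }
  }
}

$findings | Sort-Object Role, User | Format-Table -AutoSize

$globalAdmins = @($findings | Where-Object Role -eq 'Global Administrator' | Select-Object -ExpandProperty User -Unique)
if ($globalAdmins.Count -gt 5) {
  Write-Warning "$($globalAdmins.Count) Global Administrators; Microsoft recommends 5 or fewer."
}
# Break-glass accounts are excluded from MFA by design and will be listed here; confirm they are the only ones.
$findings | Where-Object { -not $_.MfaRegistered } |
  ForEach-Object { Write-Warning "$($_.User) holds $($_.Role) without a registered MFA method." }
```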

PowerShell

To list all admin role assignments in your tenant:

Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Directory.Read.All"

# Each assignment carries a role *definition* id (Get-MgDirectoryRole expects a different
# object id and would fail here) and a principal that may be a user, a group or a service principal.
Get-MgRoleManagementDirectoryRoleAssignment -All |
  ForEach-Object {
    $props = (Get-MgDirectoryObject -DirectoryObjectId $_.PrincipalId).AdditionalProperties
    [PSCustomObject]@{
      Role      = (Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $_.RoleDefinitionId).DisplayName
      Principal = if ($props.userPrincipalName) { $props.userPrincipalName } else { $props.displayName }
      Type      = $props['@odata.type']
      Scope     = $_.DirectoryScopeId
    }
  } | Format-Table -AutoSize

To assign a role:

Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"

$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"
$user = Get-MgUser -Filter "userPrincipalName eq 'alex@contoso.com'"

# DirectoryScopeId "/" is tenant-wide; "/administrativeUnits/<id>" scopes the role to one administrative unit.
New-MgRoleManagementDirectoryRoleAssignment `
  -PrincipalId      $user.Id `
  -RoleDefinitionId $role.Id `
  -DirectoryScopeId "/"
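The Eligible (PIM) option from the Microsoft Entra admin center steps, and the administrative-unit scoping from the notes, done in PowerShell as an added example that is not part of the original article: it makes alex eligible for User Administrator over one administrative unit, with the eligibility lapsing after 180 days. The “Marketing” administrative unit and the justification text are assumptions; this needs Microsoft Entra ID P2 and the Microsoft.Graph module.

```powershell
Connect-MgGraph -Scopes "RoleEligibilitySchedule.ReadWrite.Directory","AdministrativeUnit.Read.All","User.Read.All"

$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"
$user = Get-MgUser -Filter "userPrincipalName eq 'alex@contoso.com'"
# Assumed administrative unit name; scoping keeps the role away from the rest of the directory.
$au   = Get-MgDirectoryAdministrativeUnit -Filter "displayName eq 'Marketing'"

$request = @{
  Action           = "adminAssign"                    # creates an eligibility, not an active assignment
  Justification    = "Helpdesk lead for Marketing"    # assumed text; recorded in the PIM audit log
  RoleDefinitionId = $role.Id
  PrincipalId      = $user.Id
  DirectoryScopeId = "/administrativeUnits/$($au.Id)"
  ScheduleInfo     = @{
    StartDateTime = (Get-Date).ToUniversalTime()
    # ISO 8601 duration: the eligibility itself expires after 180 days and must be renewed.
    Expiration    = @{ Type = "afterDuration"; Duration = "P180D" }
  }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $request

# Eligible assignments do not appear in Get-MgRoleManagementDirectoryRoleAssignment; list them here.
Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter "principalId eq '$($user.Id)'" |
  Select-Object RoleDefinitionId, DirectoryScopeId, Status
```

Alex activates the role just-in-time from the PIM portal when needed; until then the account holds no standing User Administrator rights.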

Notes and gotchas

  • Global Administrator is not the only “godlike” role. Privileged Authentication Administrator can reset Global Admin passwords. Privileged Role Administrator can grant any role. Treat these with the same care as Global Admin.
  • Admin role assignments don’t always require licensing. Most roles are free to assign. But Privileged Identity Management (just-in-time activation, approval workflows, time-bound access) needs Microsoft Entra ID P2.
  • Role-assignable groups. To put a role on a group rather than a user, the group must be created as role-assignable at creation time — you can’t toggle it later.
  • Custom roles exist but require Microsoft Entra ID P1 and are scoped narrowly. Most tenants don’t need them; the built-ins are nearly always sufficient.
  • Administrative units scope a role to a subset of the directory (e.g., User Administrator only over the users in the Marketing administrative unit). Useful in large tenants; needs P1.
  • Compare roles in the admin center: select up to three roles in Roles > Role assignments and use the Compare roles action to see permission differences side by side.
  • Subset of roles in Microsoft 365 admin center. The M365 admin center surfaces a curated list; the full set lives in the Microsoft Entra admin center. If a role isn’t where you expect, look in the other portal.
