5. Admin
roles
Role Description
Global administrator Accesses all administrative features in the Office 365 suite of services in
your plan, including Skype for Business. By default the person who signs
up to buy Office 365 becomes a global admin.
Global admins are the only admins who can assign other admin roles. You
can have more than one global admin in your organization. As a best
practice we recommend that only a few people in your company have this
role. It reduces the risk to your business.
Billing administrator Makes purchases, manages subscriptions, manages support tickets, and
monitors service health.
License administrator Adds, removes, and updates license assignments for users, groups (using
group based licensing), and manages the usage location of users.
People in this role can't purchase or manage subscriptions, create or
manage groups, or create or manage users beyond the usage location.
Password administrator Resets passwords, manages support tickets, and monitors service health.
Password admins are limited to resetting passwords for users.
Reports reader Can view all the activity reports in the Office 365 admin center and any
reports exposed through the reporting APIs.
6. Admin
roles
Role Description
Message Center reader Monitors changes to the service and can view all posts to the Message
center in Office 365 and share Message center posts with others through
email. Users assigned this role also have read-only access to some admin
center resources, such as users, groups, domains, and subscriptions
Service administrator Opens support tickets with Microsoft, and views the service dashboard
and message center. They have "view only" permissions except for
opening support tickets and reading them.
Tip: People who are assigned to the Exchange Online, SharePoint Online,
and Skype for Business admin roles should also be assigned to the Service
admin role. This way they can see important information in the Office 365
admin center, such as the health of the service, and change and release
notifications.
User management
administrator
Resets passwords, monitors service health, adds and deletes user
accounts, manages support tickets, adds and removes members from
Office 365 groups. The user management admin can't delete a global
admin, create other admin roles, or reset passwords for global, billing,
Exchange, SharePoint, Compliance and Skype for Business admins.
Someone with BOTH the Exchange admin role and the user management
role can create and manage Office 365 groups in the Office 365 admin
center.
7. Application
Admin Roles
Role Description
Exchange administrator Manages mailboxes and anti-spam policies for your business, using
the Exchange admin center. Can view all the activity reports in the
Office 365 admin center.
Someone with BOTH the Exchange admin role and the user
management role can create and manage Office 365 groups in the
Office 365 admin center.
SharePoint administrator Manages file storage for your organization in SharePoint Online and
OneDrive. They do this in the SharePoint admin center. They can
also assign other people to be site collection administrators and
term store administrators.
Permissions assigned to SharePoint sites are completely separate
from the Office 365 global admin role. You can be a global admin
without access to a SharePoint site if you weren't added to it or
didn't create the site.
People in this role can also can view all the activity reports in the
Office 365 admin center.
8. Application
Admin Roles
Role Description
Skype for Business admin Configures Skype for Business for your organization and can view all
the activity reports in the Office 365 admin center.
Teams service admin Can manage all aspects of Microsoft Teams except license
assignment. This includes phone number inventory and
assignment, call policies, messaging, meetings, and the teams
themselves. Can also manage Office 365 groups.
Teams communications admin Can manage calling and meeting features of Microsoft Teams,
including phone number assignments and meeting policies. They
can also use call analytics tools to troubleshoot issues.
Teams communications
support engineer
Can troubleshoot communication issues in Teams using call
analytics tools, and can view full call record information for all
participants involved.
Teams communications
support specialist
Can troubleshoot communication issues in Teams using call
analytics tools, and can view call record information for the specific
user being searched for.
9. Security and
Compliance
Admin Roles
Role Description
Compliance Administrator Members can manage settings for device management, data loss
prevention, reports, and preservation.
eDiscovery Manager Members can perform searches and place holds on mailboxes,
SharePoint Online sites, and OneDrive for Business locations.
Members can also create and manage eDiscovery cases, add and
remove members to a case, create and edit Content Searches
associated with a case, and access case data in Office 365
Advanced eDiscovery.
An eDiscovery Administrator is a member of the eDiscovery
Manager role group who has been assigned additional permissions.
In addition to the tasks that an eDiscovery Manager can perform,
an eDiscovery Administrator can:
• View all eDiscovery cases in the organization.
• Manage any eDiscovery case after they add themself as a
member of the case.
10. Security and
Compliance
Admin Roles
Role Description
Organization Management Members can control permissions for accessing features in the
Security & Compliance Center, and also manage settings for device
management, data loss prevention, reports, and preservation.
Note that in order for a user who is not a global administrator to
see the list of devices managed by MDM for Office 365 and
perform actions on these devices, such as retiring a device from
MDM for Office 365, the user must be an Exchange administrator.
Office 365 global admins are automatically added as members of
this role group.
Records Management Members can manage and dispose record content.
Reviewer Members can only view the list of cases on the eDiscovery cases
page in the Security & Compliance Center. They can't create, open,
or manage an eDiscovery case. The primary purpose of this role
group is to allow members to view and access case data in
Advanced eDiscovery.
This role group has the most restrictive eDiscovery-related
permissions.
11. Security and
Compliance
Admin Roles
Role Description
Security Administrator Membership in this role group is synchronized across services and
managed centrally. This role group is not manageable through the
administrator portals. Members of this role group may include
cross-service administrators, as well as external partner groups and
Microsoft Support. By default, this group may not be assigned any
roles. However, it will be a member of the Security Administrators
role groups and will inherit the capabilities of that role group.
All of the read-only permissions of the Security reader role, plus a
number of additional administrative permissions for the same
services: Azure Information Protection, Identity Protection Center,
Privileged Identity Management, Monitor Office 365 Service
Health, and Office 365 Security & Compliance Center.
Supervisory Review Members can create and manage the policies that define which
communications are subject to review in an organization.
12. Security and
Compliance
Admin Roles
Role Description
Service Assurance User Members can access the Service assurance section in the Office
365 Security & Compliance Center. Service assurance provides
reports and documents that describe Microsoft's security practices
for customer data that's stored in Office 365. It also provides
independent third-party audit reports on Office 365.
Security Reader Members have read-only access to a number of security features of
Identity Protection Center, Privileged Identity Management,
Monitor Office 365 Service Health, and Office 365 Security &
Compliance Center.
Membership in this role group is synchronized across services and
managed centrally. This role group is not manageable through the
administrator portals. Members of this role group may include
cross-service administrators, as well as external partner groups and
Microsoft Support. By default, this group may not be assigned any
roles. However, it will be a member of the Security Reader role
groups and will inherit the capabilities of that role group.