Microsoft 365 essentials

Microsoft 365 administrator roles

The Entra ID admin roles that gate Microsoft 365 administration — and how to assign them with least privilege.

Microsoft 365 administration is gated by Entra ID admin roles. There are over 100 built-in roles, plus the ability to define custom roles. Most organisations need only a handful, assigned thoughtfully.

The headline roles

Tenant-wide superuser

  • Global Administrator — full control over everything in the tenant. Every other role is a subset. Should be assigned to as few people as possible — Microsoft recommends fewer than five — and combined with PIM for just-in-time activation.

Identity

  • User Administrator — create/delete users, reset passwords, manage groups.
  • Helpdesk Administrator — reset passwords for non-admins; useful for service desk.
  • Authentication Administrator — manage authentication methods, MFA registrations.
  • Privileged Authentication Administrator — same as Authentication Administrator, but can also manage authentication methods for admin accounts.
  • Conditional Access Administrator — manage CA policies.
  • Security Administrator — manage security features broadly.
  • Privileged Role Administrator — assign and remove other admin roles.

Workload-specific

  • Exchange Administrator — full control of Exchange Online.
  • SharePoint Administrator — full control of SharePoint and OneDrive.
  • Teams Administrator — full control of Teams.
  • Intune Administrator — full control of Intune.
  • Power Platform Administrator — full control of Power Platform.
  • Application Administrator — manage enterprise applications and app registrations.
  • Cloud Application Administrator — like Application Administrator but without on-prem proxy connector control.

Compliance and security

  • Compliance Administrator — Purview policies.
  • Compliance Data Administrator — Purview content roles.
  • Security Operator — investigate alerts but not configure policies.
  • Security Reader — read-only across security tools.
  • Global Reader — read everything but change nothing. Underused.

Least-privilege assignment

The standard advice: assign the narrowest role that lets someone do their job.

  • A help desk that resets passwords needs Helpdesk Administrator, not Global Administrator.
  • A SharePoint owner managing sites needs SharePoint Administrator, not anything broader.
  • An exec who wants visibility into security but won't configure it gets Global Reader + Security Reader.

Global Administrator should never be a "convenience" assignment — it should be reserved for genuine tenant-wide work, with PIM enforcing time-bound activation.
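The three assignments above, scripted with the Microsoft Graph PowerShell SDK as an added example (not code from the original page). It looks each role up by display name rather than hard-coding template GUIDs, checks for an existing assignment at the same scope before creating one, and refuses to hand out Global Administrator at all, since that belongs in PIM. The user principal names are constructed placeholders.

```powershell
# Added example: least-privilege role assignment via Microsoft Graph PowerShell.
# Requires the Microsoft.Graph.Identity.Governance and Microsoft.Graph.Users modules.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All"

function Get-RoleDefinitionByName {
    param([Parameter(Mandatory)][string]$DisplayName)
    # Resolve a built-in (or custom) role definition by display name; no template GUIDs needed
    $def = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$DisplayName'"
    if (-not $def) { throw "Role definition '$DisplayName' not found" }
    return $def
}

function Grant-LeastPrivilegeRole {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string[]]$RoleName,
        # "/" is the whole tenant; "/administrativeUnits/<id>" narrows the assignment to one AU
        [string]$DirectoryScopeId = "/"
    )
    # Global Administrator is never a convenience assignment: block it here, use PIM eligibility instead
    if ($RoleName -contains "Global Administrator") {
        throw "Global Administrator is not assigned through this helper; make the user PIM-eligible instead"
    }
    $user = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName

    foreach ($name in $RoleName) {
        $def = Get-RoleDefinitionByName -DisplayName $name
        # Idempotency: skip if this principal already holds the role at this scope
        $existing = Get-MgRoleManagementDirectoryRoleAssignment `
            -Filter "principalId eq '$($user.Id)' and roleDefinitionId eq '$($def.Id)'"
        if ($existing | Where-Object { $_.DirectoryScopeId -eq $DirectoryScopeId }) {
            Write-Host "$name is already assigned to $UserPrincipalName at scope $DirectoryScopeId"
            continue
        }
        New-MgRoleManagementDirectoryRoleAssignment -BodyParameter @{
            "@odata.type"    = "#microsoft.graph.unifiedRoleAssignment"
            RoleDefinitionId = $def.Id
            PrincipalId      = $user.Id
            DirectoryScopeId = $DirectoryScopeId
        } | Out-Null
        Write-Host "Assigned $name to $UserPrincipalName at scope $DirectoryScopeId"
    }
}

# The three cases from the text (constructed placeholder UPNs)
Grant-LeastPrivilegeRole -UserPrincipalName "helpdesk.analyst@contoso.example" -RoleName "Helpdesk Administrator"
Grant-LeastPrivilegeRole -UserPrincipalName "sp.owner@contoso.example"         -RoleName "SharePoint Administrator"
Grant-LeastPrivilegeRole -UserPrincipalName "ciso@contoso.example"             -RoleName "Global Reader", "Security Reader"
```

The helper creates permanent active assignments, which the auditing section below treats as the exception; for anything privileged, the PIM eligibility request is the better shape.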

Privileged Identity Management

PIM (covered in its own guide) makes every admin role eligible rather than permanently active. An admin activates the role when needed, with MFA, a justification, and optionally an approval step, and the activation expires automatically. In a serious tenant, PIM should cover every privileged role.
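Both halves of the PIM flow, as an added example written for this guide with the Microsoft Graph PowerShell SDK (not the page's or Microsoft's own code): an administrator makes a user eligible for a role for a bounded period, and the user later self-activates it for a few hours with a justification. MFA and approval are enforced by the role's PIM policy on the tenant side, not by this script. UPNs and durations are constructed.

```powershell
# Added example: PIM eligibility (admin side) and time-bound activation (user side).
Connect-MgGraph -Scopes "RoleEligibilitySchedule.ReadWrite.Directory",
                        "RoleAssignmentSchedule.ReadWrite.Directory",
                        "RoleManagement.Read.Directory", "User.Read.All"

function Resolve-RoleId {
    param([Parameter(Mandatory)][string]$RoleName)
    $def = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleName'"
    if (-not $def) { throw "Role '$RoleName' not found" }
    return $def.Id
}

function New-EligibleRoleAssignment {
    # Admin side: the user becomes *eligible*, nothing is active until they activate
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$RoleName,
        [Parameter(Mandatory)][string]$Justification,
        [string]$DirectoryScopeId = "/",
        [string]$EligibilityDuration = "P180D"   # ISO 8601; eligibility itself expires and is recertified
    )
    $userId = (Get-MgUser -UserId $UserPrincipalName -Property Id).Id
    New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter @{
        Action           = "adminAssign"
        Justification    = $Justification
        RoleDefinitionId = (Resolve-RoleId -RoleName $RoleName)
        DirectoryScopeId = $DirectoryScopeId
        PrincipalId      = $userId
        ScheduleInfo     = @{
            StartDateTime = (Get-Date).ToUniversalTime()
            Expiration    = @{ Type = "afterDuration"; Duration = $EligibilityDuration }
        }
    }
}

function Request-RoleActivation {
    # User side: activate an eligible role for a short window; PIM policy adds MFA/approval as configured
    param(
        [Parameter(Mandatory)][string]$RoleName,
        [Parameter(Mandatory)][string]$Justification,
        [string]$DirectoryScopeId = "/",
        [string]$Duration = "PT2H"                # activation expires on its own after two hours
    )
    $signedIn = (Get-MgContext).Account          # UPN of the account that ran Connect-MgGraph
    $meId     = (Get-MgUser -UserId $signedIn -Property Id).Id
    New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter @{
        Action           = "selfActivate"
        PrincipalId      = $meId
        RoleDefinitionId = (Resolve-RoleId -RoleName $RoleName)
        DirectoryScopeId = $DirectoryScopeId
        Justification    = $Justification
        ScheduleInfo     = @{
            StartDateTime = (Get-Date).ToUniversalTime()
            Expiration    = @{ Type = "afterDuration"; Duration = $Duration }
        }
    }
}

# Admin makes a colleague eligible for Exchange Administrator for six months (constructed UPN)
New-EligibleRoleAssignment -UserPrincipalName "mail.admin@contoso.example" `
    -RoleName "Exchange Administrator" -Justification "Exchange Online operations on-call"

# Later, that colleague activates it for one change window
# Request-RoleActivation -RoleName "Exchange Administrator" -Justification "Change CHG-0000: transport rule update"
```

The `adminAssign` request creates eligibility with its own expiry, so even the eligibility must be renewed; that is what makes PIM access reviews (below) a natural recertification point rather than an afterthought.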

Custom roles

For specialised needs, custom roles can grant a specific set of permissions. Use sparingly — custom roles are harder to audit than built-ins. Common use cases:

  • Service-desk role that resets passwords for specific user populations.
  • Department-scoped administrator that manages only their unit's users and groups.

Administrative units

Administrative Units (AUs) scope an admin role to a subset of the directory — for example, "Helpdesk Administrator for the EMEA AU only." Combined with PIM, this gives delegated administration without granting tenant-wide scope.
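The two custom-role use cases above and the AU-scoped Helpdesk Administrator from this paragraph fit together in one script, added here as an example written for this guide with the Microsoft Graph PowerShell SDK (not the page's or Microsoft's own code). It defines a password-reset-only custom role, creates an "EMEA" administrative unit, places a few users in it, and then assigns both the built-in Helpdesk Administrator and the custom role at the AU's scope only. The AU name, UPNs and role name are constructed.

```powershell
# Added example: custom role + administrative unit = delegated admin without tenant-wide scope.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory",
                        "AdministrativeUnit.ReadWrite.All", "User.Read.All"

# 1. A custom role with only the actions a password-reset desk needs.
#    Keep the action list tiny: every extra action is something an auditor has to reason about.
$resetRole = New-MgRoleManagementDirectoryRoleDefinition -BodyParameter @{
    DisplayName     = "Service Desk Password Reset"          # constructed name
    Description     = "Read user objects and reset passwords; nothing else"
    IsEnabled       = $true
    RolePermissions = @(
        @{ AllowedResourceActions = @(
            "microsoft.directory/users/standard/read",
            "microsoft.directory/users/password/update"
        ) }
    )
}

# 2. An administrative unit holding one region's user population.
$emea = New-MgDirectoryAdministrativeUnit -BodyParameter @{
    DisplayName = "EMEA"
    Description = "EMEA user population (constructed example)"
}
foreach ($upn in "alice@contoso.example", "bob@contoso.example") {   # constructed members
    $u = Get-MgUser -UserId $upn -Property Id
    New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $emea.Id -BodyParameter @{
        "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($u.Id)"
    }
}

# 3. Assign roles scoped to the AU only. The scope id, not the role, is what keeps this narrow.
function Grant-RoleAtScope {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$RoleDefinitionId,
        [Parameter(Mandatory)][string]$DirectoryScopeId
    )
    $principal = Get-MgUser -UserId $UserPrincipalName -Property Id
    New-MgRoleManagementDirectoryRoleAssignment -BodyParameter @{
        "@odata.type"    = "#microsoft.graph.unifiedRoleAssignment"
        RoleDefinitionId = $RoleDefinitionId
        PrincipalId      = $principal.Id
        DirectoryScopeId = $DirectoryScopeId
    }
}

$auScope = "/administrativeUnits/$($emea.Id)"

# Built-in Helpdesk Administrator, but only over EMEA users
$helpdesk = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Helpdesk Administrator'"
Grant-RoleAtScope -UserPrincipalName "emea.desk@contoso.example" `
    -RoleDefinitionId $helpdesk.Id -DirectoryScopeId $auScope

# The custom reset-only role, also limited to EMEA
Grant-RoleAtScope -UserPrincipalName "emea.reset@contoso.example" `
    -RoleDefinitionId $resetRole.Id -DirectoryScopeId $auScope
```

A department-scoped administrator is the same pattern with User Administrator (or a custom role covering users and groups) assigned at the department's AU scope. AU membership can also be made dynamic on the tenant side, so the scope follows the user attribute rather than a maintained list.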

Auditing roles

Periodic review of role assignments is essential:

  • PIM access reviews automate recertification.
  • Permanent active assignments should be the exception, not the rule.
  • Service accounts with admin roles should have managed identities or workload identities, not user-style credentials.
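A role-assignment review scripted against the three points above, as an added example written for this guide with the Microsoft Graph PowerShell SDK (not the page's or Microsoft's own code). It enumerates the highest-privilege roles, separates permanent active assignments from PIM activations and eligibilities, and flags service principals that hold an admin role. The role list, the threshold and the column names are this example's own choices.

```powershell
# Added example: audit who holds the most privileged roles, and how.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory",
                        "RoleAssignmentSchedule.Read.Directory",
                        "RoleEligibilitySchedule.Read.Directory", "Directory.Read.All"

function Get-PrincipalLabel {
    # Expanded principals come back as directory objects; the useful fields sit in AdditionalProperties
    param($Principal)
    $p = $Principal.AdditionalProperties
    if ($p["userPrincipalName"]) { return $p["userPrincipalName"] }
    if ($p["displayName"])       { return $p["displayName"] }
    return $Principal.Id
}

function Get-PrivilegedRoleReport {
    param(
        [string[]]$RoleName = @("Global Administrator",
                                "Privileged Role Administrator",
                                "Privileged Authentication Administrator")
    )
    foreach ($name in $RoleName) {
        $def = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$name'"
        if (-not $def) { continue }

        # Active instances: AssignmentType "Assigned" = permanent, "Activated" = live PIM activation
        $active = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance `
            -Filter "roleDefinitionId eq '$($def.Id)'" -ExpandProperty Principal
        foreach ($a in $active) {
            [pscustomobject]@{
                Role          = $name
                Principal     = Get-PrincipalLabel $a.Principal
                PrincipalType = $a.Principal.AdditionalProperties["@odata.type"]
                Kind          = if ($a.AssignmentType -eq "Activated") { "PIM-activated" } else { "Permanent" }
                Scope         = $a.DirectoryScopeId
                Ends          = $a.EndDateTime
            }
        }

        # Eligible instances: what PIM can turn on, but is not on right now
        $eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance `
            -Filter "roleDefinitionId eq '$($def.Id)'" -ExpandProperty Principal
        foreach ($e in $eligible) {
            [pscustomobject]@{
                Role          = $name
                Principal     = Get-PrincipalLabel $e.Principal
                PrincipalType = $e.Principal.AdditionalProperties["@odata.type"]
                Kind          = "Eligible"
                Scope         = $e.DirectoryScopeId
                Ends          = $e.EndDateTime
            }
        }
    }
}

$report = Get-PrivilegedRoleReport
$report | Sort-Object Role, Kind, Principal | Format-Table -AutoSize

# Findings a reviewer would raise:
$permanentGA = $report | Where-Object { $_.Role -eq "Global Administrator" -and $_.Kind -eq "Permanent" }
if ($permanentGA.Count -gt 5) {
    Write-Warning "$($permanentGA.Count) permanent Global Administrators; the text's target is fewer than five, all PIM-eligible"
}
$spAdmins = $report | Where-Object { $_.PrincipalType -eq "#microsoft.graph.servicePrincipal" }
foreach ($s in $spAdmins) {
    Write-Warning "Service principal '$($s.Principal)' holds $($s.Role) ($($s.Kind)); confirm it uses a workload identity, not a user-style credential"
}
$tenantWide = $report | Where-Object { $_.Scope -eq "/" -and $_.Kind -eq "Permanent" }
Write-Host "$($tenantWide.Count) permanent tenant-wide assignments across the roles reviewed"
```

Run it on a schedule and diff the output against the previous run; a new permanent Global Administrator or a service principal appearing in the list is the kind of change that should already have a ticket behind it.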

A tenant with 50 Global Admins is one phish away from a serious incident. A tenant with 3 break-glass admins, 5 PIM-eligible Global Admins, and tightly scoped role assignments for everyone else is dramatically harder to compromise.