About Office 365 admin roles

Office 365 comes with a set of admin roles that you can assign to users in your organization. Each admin role maps to common business functions, and gives people in your organization permissions to do specific tasks in the Office 365 admin center.

Here are the available roles and what people assigned to them can do.

Tip

For a detailed list of what tasks each of these roles can and cannot do, and how they overlap with roles in other Microsoft services, see Administrator role permissions in Azure Active Directory.

Role
What they do in Office 365
Global admin Global administrator
Accesses all administrative features in the Office 365 suite of services in your plan, including Skype for Business. By default the person who signs up to buy Office 365 becomes a global admin.
Global admins are the only admins who can assign other admin roles, and only global admins can manage the accounts of other global admins. You can have more than one global admin in your organization. As a best practice we recommend that only a few people in your company have this role. It reduces the risk to your business.

Tip: Make sure everyone who is a global admin in your organization has a mobile phone number and alternate email address in their contact info. Check out Change your organization's address, technical contact email, and other information for more details.
Credit card Billing administrator
Makes purchases, manages subscriptions, manages support tickets, and monitors service health.
Customer Lockbox access approver
Customer Lockbox access approver
Manages Customer Lockbox requests in your organization. They receive email notifications for Customer Lockbox requests and can approve/deny requests from the Microsoft 365 Admin Center. They can also can turn on/off the Customer Lockbox feature.

Only global admins can reset the passwords of people assigned to this role.
Exchange Online Exchange administrator
Manages mailboxes and anti-spam policies for your business, using the Exchange admin center. Can view all the activity reports in the Office 365 admin center.

Someone with BOTH the Exchange admin role and the user management role can create and manage Office 365 groups in the Office 365 admin center.

To learn more, see About the Exchange Online admin role.
Credit card License administrator
Adds, removes, and updates license assignments for users, groups (using group based licensing), and manages the usage location of users.

People in this role can't purchase or manage subscriptions, create or manage groups, or create or manage users beyond the usage location.
Key, permissions Helpdesk administrator (Password administrator)
Resets passwords, manages support tickets, and monitors service health. Helpdesk admins can't reset passwords for global admins. Only other global admins can do that.
Power BI administrator
A person assigned to the Power BI admin role will have access to Office 365 Power BI usage metrics. They'll also be able to control your organization's usage of Power BI features. For more information about administering Power BI, see Administering Power BI in your organization.
Reporting reader admin Reports reader
Can view all the activity reports in the Office 365 admin center and any reports exposed through the reporting APIs.
Message Center reader
Monitors changes to the service and can view all posts to the Message center in Office 365 and share Message center posts with others through email. Users assigned this role also have read-only access to some admin center resources, such as users, groups, domains, and subscriptions
Security and Compliance center roles
If you have an Office 365 E3 or E5 business subscription, it includes security and compliance tools. In that case, you have access to these additional roles: Compliance administrator, eDiscovery Manager, Organization management, Reviewer, Security Administrator, Security Reader, Service Assurance User, Supervisory Review.

To learn more about them, see Permissions in the Office 365 Security & Compliance Center.
Headset Service administrator
Opens support tickets with Microsoft, and views the service dashboard and message center. They have "view only" permissions except for opening support tickets and reading them.

Tip: People who are assigned to the Exchange Online, SharePoint Online, and Skype for Business admin roles should also be assigned to the Service admin role. This way they can see important information in the Office 365 admin center, such as the health of the service, and change and release notifications.
SharePoint admin SharePoint administrator
Manages file storage for your organization in SharePoint Online and OneDrive. They do this in the SharePoint admin center. They can also assign other people to be site collection administrators and term store administrators.

Permissions assigned to SharePoint sites are completely separate from the Office 365 global admin role. You can be a global admin without access to a SharePoint site if you weren't added to it or didn't create the site.

People in this role can also can view all the activity reports in the Office 365 admin center.

To learn more, see About the SharePoint admin role.
Skype for Business Online Skype for Business admin
Configures Skype for Business for your organization and can view all the activity reports in the Office 365 admin center.

To learn more, see About the Skype for Business admin role.
Teams service admin
Can manage all aspects of Microsoft Teams except license assignment. This includes policies for calling, messaging, and meetings; use of call analytics tools to troubleshoot telephony issues, and management of users and their telephony settings. They can also manage Office 365 Groups. To learn more, see Use Microsoft Teams admin roles to manage Teams.
Teams communications admin
Can manage calling and meeting features of Microsoft Teams, including phone number assignments and meeting policies. They can also use call analytics tools to troubleshoot issues. To learn more, see Use Microsoft Teams admin roles to manage Teams.
Teams communications support engineer
Can troubleshoot communication issues in Teams using call analytics tools, and can view full call record information for all participants involved. To learn more, see Use Microsoft Teams admin roles to manage Teams.
Teams communications support specialist
Can troubleshoot communication issues in Teams using call analytics tools, and can view call record information for the specific user being searched for. To learn more, see Use Microsoft Teams admin roles to manage Teams.
User User management administrator
Resets passwords, monitors service health, adds and deletes user accounts, manages support tickets, adds and removes members from Office 365 groups. The user management admin can't delete a global admin, create other admin roles, or reset passwords for global, billing, Exchange, SharePoint, Compliance and Skype for Business admins.

Someone with BOTH the Exchange admin role and the user management role can create and manage Office 365 groups in the Office 365 admin center.
Icon for Dynamics 365 Dynamics 365 (online)
When a person is assigned to the Office 365 global administrator role, they are automatically assigned to the System Administrator security role in Dynamics 365 (online).

A person assigned to the System Administrator security role in Dynamics 365 can assign other people to Dynamics 365 security roles. With the System Administrator security role, you can manage all aspects of Dynamics 365. To learn more, see Manage subscriptions, licenses, and user accounts.
Icon for Dynamics 365
Dynamics 365 service administrator
Use this new role to assign users to manage Dynamics 365 at the tenant level without having to assign the more powerful Office 365 global admin privileges. A Dynamics 365 service admin can sign in to the Dynamics 365 admin center to manage instances. A person with this role cannot do functions restricted to the Office 365 global admin such as manage user accounts, manage subscriptions, access settings for Office 365 apps like Exchange or SharePoint.

To learn more, see Use the Dynamics 365 service admin role to manage your tenant to learn more.

Need more details about what these roles can and cannot do?

For a detailed list of what tasks each of these roles can and cannot do, see Administrator role permissions in Azure Active Directory.

What about the Azure Active Directory roles?

If you have a large business, you'll want to set roles in Azure Active Directory, too. A user who is assigned an admin role will have the same permissions across all of the cloud services that your organization has subscribed to, regardless of whether you assign the role in the Office 365 admin center, or in the Azure classic portal, or by using the Azure AD module for Windows PowerShell.

For a list and description of all the Azure Active Directory roles, see Administrator role permissions in Azure Active Directory.

What can the Office 365 admin roles do in Exchange Online, SharePoint Online, and Skype for Business Online?

Certain admin roles in Office 365 have a corresponding role in Exchange Online, SharePoint Online, and Skype for Business Online. The table below describes how these Office 365 admin roles translate into roles in the different Office 365 services.

Office 365 admin role Translates to this in Exchange Online … Translates to this in SharePoint Online … Translates to this in Skype for Business Online..... Translates to this in the Security & Compliance Center...
global admin
Exchange Online admin
Company admin
SharePoint Online admin
Skype for Business admin
Security & Compliance Center admin (member of OrganizationManagement role group)
billing admin
N/A
N/A
N/A
N/A
helpdesk/password admin
Help Desk admin*
N/A
Help desk admin
N/A
service admin
N/A
N/A
N/A
N/A
user management admin
N/A
N/A
Skype for Business admin
N/A
Exchange administrator
Exchange Online admin
N/A
N/A
N/A
SharePoint administrator
N/A
SharePoint Online admin
N/A
N/A
Skype for Business administrator
N/A
N/A
Skype for Business admin
N/A
Compliance administrator
Organization Management
N/A
N/A
Compliance admin

*People with the helpdesk/password admin role can do the same tasks as people with the Exchange Help Desk role, however, they can't do message trace.

Delegated administration

If you're working with a Microsoft partner, you can assign them admin roles. They in turn can assign users in your company - or their company - admin roles. You might want them to do this, for example, if they are setting up and managing Office 365 for you.

A partner can assign these roles:

  • Full administration, which has privileges equivalent to a global admin.

  • Limited administration, which has privileges equivalent to a helpdesk/password admin.

Before the partner can assign these roles to users, you must add the partner as a delegated admin to your Office 365 account. This process is initiated by an authorized partner. The partner sends you an email to ask you if you want to give them permission to act as a delegated admin. For instructions, see Authorize or remove partner relationships.

Assign admin roles in Office 365

Activity reports in the Office 365 admin center