Assigning administrator roles

  • Article

 

Depending on the size of your company, you may want to designate several administrators who serve different functions. Administrators have access to features in the admin center and, depending on their role, admins can create or edit users, assign administrative roles to others, reset user passwords, manage user licenses, and manage domains, among other things.

Watch the video (2:45) about assigning or removing an administrator role for an existing user.

The following administrator roles are available:

  • Billing administrator: Makes purchases, manages subscriptions, manages support tickets, and monitors service health.

    Note

    If you did not purchase Microsoft Office 365 for enterprises from Microsoft, you will not be able to make billing changes and therefore will not have the billing administrator role available to you. For billing issues, contact the administrator at the company where you purchased your subscription.

  • Global administrator: Has access to all administrative features. The person who signs up to purchase Office 365 becomes a global administrator. Only global administrators can assign other administrator roles. There can be more than one global administrator at your company.

  • Password administrator: Resets passwords, manages service requests, and monitors service health. Password administrators can reset passwords only for users and other password administrators.

  • Service administrator: Manages service requests and monitors service health.

    Note

    To assign the service administrator role to a user, the global administrator must first assign administrative permissions to the user in the service, such as Exchange Online, and then assign the service administrator role to the user in Office 365.

  • User management administrator: Resets passwords, monitors service health, and manages user accounts, user groups, and service requests. Some limitations apply to the permissions of a user management administrator. For example, they cannot delete a global administrator or create other administrators. Also, they cannot reset passwords for billing, global, and service administrators.

This topic describes administrator roles for Office 365. For information about administrator roles and permissions for other services in Office 365 such as Microsoft Exchange Online, SharePoint Online, and Lync Online, see the wiki article Permissions in Office 365 FAQ.

What do you want to do?

  • View administrator permissions by role

  • Assign or remove administrator roles for an existing user

  • Assign or remove administrator roles for multiple users

View administrator permissions by role

The following table shows the administrator roles and their associated permissions.

Permission Billing administrator Global administrator Password administrator Service administrator User management administrator

View company and user information

Yes

Yes

Yes

Yes

Yes

Manage support tickets

Yes

Yes

Yes

Yes

Yes

Reset user passwords

No

Yes

Yes

No

Yes; with limitations. He or she cannot reset passwords for billing, global, and service administrators.

Perform billing and purchasing operations

Yes

Yes

No

No

No

Create and manage user views

No

Yes

No

No

Yes

Create, edit, and delete users and groups, and manage user licenses

No

Yes

No

No

Yes; with limitations. He or she cannot delete a global administrator or create other administrators.

Manage domains

No

Yes

No

No

No

Manage company information

No

Yes

No

No

No

Delegate administrative roles to others

No

Yes

No

No

No

Use directory synchronization

No

Yes

No

No

No

Assign or remove administrator roles for an existing user

Use this procedure to change the administrator role of an existing user.

Important

Administrators who forget their passwords can use the password self-reset process to regain access to their accounts. To use this feature, include both a mobile phone number that can receive a text message and an alternate email address that isn’t connected to the Office 365 subscription.

Use the following steps to assign or remove permissions for an existing user.

  1. In the header, click Admin.

  2. In the left pane, under Management, click Users.

    Note

    If this information doesn’t match what you’re seeing, you may be using Office 365 after the service upgrade. Try Assigning admin roles to find the information that applies to you.
    Am I using Office 365 after the service upgrade?

  3. On the Users page, select the check box next to the name of the user whose administrator role you want to change, and then click Edit.

  4. Click the Settings tab. Under Assign role, select No to remove permissions or Yes to grant permissions. If you select Yes, select the appropriate role from the list, and then provide additional information on the Settings tab and on the Details tab as explained in the next two steps.

  5. In the Alternate email address box, type an email address that is not connected to Office 365. This email address is used for important notifications, including password self-reset, so the user must be able to access the email account even if the user cannot access Office 365.

    Note

    If you don’t want to receive product-related communications at your alternate email address, change your contact preferences on the My profile page. For more information, see Change your contact preferences.

  6. Click the Details tab. Under Additional details, in the Mobile phone box, type the number of a mobile phone—including the country code—that can receive a text (SMS) message, if the user has one. This phone number is also used to reset your administrator password.

    Note

    You need a mobile phone capable of receiving text messages for password reset only if one or both of the following applies to you:

    • Your organization has a custom domain that you’ve set up to use with Office 365.

    • Your Office 365 account is synchronized through directory synchronization.

  7. When you have finished, click Save.

Note

For partner companies that are certified to provide delegated administration, additional features are available. In addition to setting administrative access for your own company, you can also set administrative access for companies you support. There are two types of administrative access that can be assigned to your support agents:

  • Full administration: this role has privileges equivalent to those for the global administrator role.

  • Limited administration: this role has privileges equivalent to those for the password administrator role.

This additional capability is available when you add or edit users, as well as when you bulk edit groups of users.

Assign or remove administrator permissions for multiple users

Use the following instructions to assign or remove permissions for multiple existing users.

Note

You cannot assign administrator permissions during the process of adding multiple users using bulk import.

  1. In the header, click Admin.

  2. In the left pane, under Management, click Users.

  3. On the Users page, select the check box next to the names of the users that you want to assign administrator permissions to or remove administrator permissions from, and then click Edit.

  4. On the Details page, click Next.

  5. On the Settings page, under Assign role, select No to remove permissions or Yes to grant permissions. If you select Yes, select the appropriate role from the list. When you have finished, click Next.

  6. On the Assign licenses page, click Submit.

  7. On the Results page, review your results. When you have completed your review, click Finish.

See Also

About administering your account
Create or edit users

Understanding Role Based Access Control