Admin roles in Office 365

Assign admin roles in Office 365 for business.

As the person who purchased your Office 365 business subscription, you are the global administrator. This means you have complete control over the Office 365 suite of products. To help you manage Office 365 for your business, you can assign users to administrator roles so they can perform tasks in the Office 365 admin center. For example, if you want help resetting passwords, you can assign someone to the Password administrator role.

Assign admin roles to a user in your business


        1. Go to the Office 365 admin center.

        2. In the Admin center, select Users.

        3. On the Active users page, choose the user whose administrator role you want to change. The properties page for the user opens.

        4. Next to Roles, choose Edit. If you don't see the Edit button, then you don't have global admin permissions and can't assign admin roles to other people. Ask a global admin in your business to assign roles for you. In a small business, the business owner (the person who purchased Office 365) is a global admin. In a large business, key people in the IT department are global admins.

        5. Choose the Edit button next to Roles.

        6. Choose Customized administrator to see a list of roles we've customized for you.


About Office 365 Admin Roles

Office 365 comes with a set of admin roles that you can assign to users in your organization. Each admin role maps to common business functions, and gives people in your organization permissions to do specific tasks in the Office 365 admin center.



Administrator role / Who should be assigned this role?

AI administrator
Assign the AI Administrator role to users who need to do the following tasks:
• Allow users to install an app or install an app for users in the organization if the app doesn't require permission
• Read and configure Azure and Microsoft 365 service health dashboards
• View usage reports, adoption insights, and organizational insight
• Create and manage support tickets in Azure and the Microsoft 365 admin center

Note: The AI Administrator role is currently limited. For full administrative capabilities, it's recommended to use the Global Administrator role until the AI Administrator role is fully functional. We're continuously expanding support for more functionalities to enhance the AI Administrator role.

Billing administrator
Assign the Billing administrator role to users who make purchases, manage subscriptions and service requests, and monitor service health. Billing administrators can't assign licenses. If a Billing administrator is also a License or User administrator, visit Licenses to assign licenses.

Billing administrators also can:
• Manage all aspects of billing
• Create and manage support tickets in the Azure portal

Exchange admin
Assign the Exchange admin role to users who need to view and manage your users' email mailboxes, Microsoft 365 Groups, and Exchange Online.

Exchange administrators can also:
• Recover deleted items in a user's mailbox
• Set up "Send As" and "Send on behalf" delegates

Fabric admin
Assign the Fabric admin role to users who need to do the following tasks:
• Manage all admin features for Microsoft Fabric and Power BI
• Report on usage and performance
• Review and manage auditing

Global administrator
Global administrators can:
• Manage purchasing of your organization's subscriptions and products
• Reset passwords for all users
• Add and manage domains
• Unblock another global admin

The person who purchased a subscription for your organization and signed up for Microsoft online services is a global administrator automatically. Additionally, only global administrators can view and manage subscriptions purchased through a Partner.

Global reader
Assign the global reader role to users who need to view administrator features and settings in admin centers that the global administrator can view. The global reader can't edit any settings.

For subscriptions purchased through a partner, the global reader role isn't available.

Graph data connect administrator
Assign the Graph data connect admin role to users who need to do the following tasks:
• Access the full set of administrative capabilities of Microsoft Graph Data Connect
• Manage Microsoft Graph Data Connect settings in a tenant
• Enable or disable the Microsoft Graph Data Connect service
• Configure dataset workload selections in Microsoft Graph Data Connect
• Configure cross-tenant data movement settings in Microsoft Graph Data Connect
• View, approve, or deny application authorization requests for Microsoft Graph Data Connect
• View, create, update, or delete application registrations for Microsoft Graph Data Connect

Groups administrator
Assign the groups admin role to users who need to manage all groups settings across admin centers, including the Microsoft 365 admin center and Microsoft Entra admin center.

Groups administrators can:
• Create, edit, delete, and restore Microsoft 365 groups
• Create and update group creation, expiration, and naming policies
• Create, edit, delete, and restore Microsoft Entra security groups

Helpdesk administrator
Assign the Helpdesk admin role to users who need to do the following:
• Reset passwords
• Force users to sign out
• Manage service requests
• Monitor service health

The Helpdesk admin can only help users who aren't administrator users and users who are assigned these roles: Directory reader, Guest inviter, Helpdesk admin, Message center reader, and Reports reader.

License administrator
Assign the License admin role to users who need to assign and remove licenses from users and edit their usage location.

License administrators also can:
• Reprocess license assignments for group-based licensing
• Assign product licenses to groups for group-based licensing

Message center privacy reader
Assign the Message center privacy reader role to users who need to read privacy and security messages and updates in the Microsoft 365 Message center. Message center privacy readers might get email notifications related to data privacy, depending on their preferences, and they can unsubscribe using Message center preferences. Only global administrators and Message center privacy readers can read data privacy messages. This role has no permission to view, create, or manage service requests.

Message center privacy readers can also:
• Monitor all notifications in the Message Center, including data privacy messages
• View groups, domains, and subscriptions

Message center reader
Assign the Message center reader role to users who need to do the following tasks:
• Monitor message center notifications
• Get weekly email digests of message center posts and updates
• Share message center posts
• Have read-only access to Microsoft Entra services, such as users and groups

Migration administrator
Assign the Microsoft 365 Migration Administrator role to users who need to do the following tasks:
• Use Migration Manager in the Microsoft 365 admin center to manage content migration to Microsoft 365, including Microsoft Teams, OneDrive, and SharePoint sites, from various sources such as Google Drive, Dropbox, and Box.
• Select migration sources, create migration inventories (such as Google Drive user lists), schedule and execute migrations, and download reports.
• Create new SharePoint sites if the destination sites don't already exist, create SharePoint lists under the SharePoint admin sites, and create and update items in SharePoint lists.
• Manage migration project settings and migration lifecycle for tasks and manage permission mappings from source to destination.

With this role, you can only migrate from Google Drive, Box, Dropbox, and Egnyte. This role doesn't allow you to migrate from file share sources from the SharePoint admin center. Use the SharePoint admin to migrate from file share sources.

Office Apps admin
Assign the Office Apps admin role to users who need to do the following tasks:
• Use the Cloud Policy service for Microsoft 365 to create and manage cloud-based policies.
• Create and manage service requests
• Manage the What's New content that users see in their apps in Microsoft 365
• Monitor service health
• Manage Office Scripts settings

Organizational Message Writer
Assign the Organizational Message Writer role to users who need to write, publish, manage, and review the organizational messages for end-users through Microsoft product surfaces.

Organizational Messages Approver
Assign the Organizational Messages Approver role to users who need to review, approve, or reject new organizational messages for delivery in the Microsoft 365 admin center before they're sent to users through Microsoft product surfaces.

Password administrator
Assign the Password admin role to a user who needs to reset passwords for users who aren't administrators and for users who are Password Administrators.

People administrator
Assign the People administrator role to users who need to do the following tasks:
• Update profile photos for all users including administrators
• Update people settings for all users (pronouns, name pronunciation, and profile card settings)

Power Platform administrator
Assign the Power Platform admin role to users who need to do the following tasks:
• Manage all admin features for Power Apps, Power Automate, Power BI, Microsoft Fabric, and Microsoft Purview Data Loss Prevention
• Create and manage service requests
• Monitor service health

Reports reader
Assign the Reports reader role to users who need to do the following tasks:
• View usage data and the activity reports in the Microsoft 365 admin center
• Get access to the Power BI adoption content pack
• Get access to sign-in reports and activity in Microsoft Entra ID
• View data returned by Microsoft Graph reporting API

Search administrator
Assign the Search admin role to users who need to create and manage search result content and define query settings for improved search results within the organization. The Search admin manages the Microsoft search configuration and can perform all the content-management tasks that a Search editor can.

Service Support administrator
Assign the Service Support admin role as another role to administrators or users who need to do the following tasks in addition to their usual admin role:
• Open and manage service requests
• View and share message center posts
• Monitor service health

SharePoint administrator
Assign the SharePoint admin role to users who need to access and manage the SharePoint admin center.

SharePoint administrators can also:
• Create and delete sites
• Manage site collections and global SharePoint settings

Teams administrator
Assign the Teams administrator role to users who need to access and manage the Teams admin center.

Teams administrators can also:
• Manage meetings
• Manage conference bridges
• Manage all org-wide settings, including federation, teams upgrade, and teams client settings

User administrator
Assign the User admin role to users who need to do the following tasks for all users:
• Add users and groups
• Assign licenses
• Manage most user properties
• Create and manage user views
• Update password expiration policies
• Manage service requests
• Monitor service health

The user admin can also do the following actions for users who aren't administrators and for users assigned the following roles: Directory reader, Guest inviter, Helpdesk admin, Message center reader, Reports reader:
• Manage usernames
• Delete and restore users
• Reset passwords
• Force users to sign out
• Update (FIDO) device keys

User Experience Success Manager
Assign the User Experience Success Manager role to users who need to access Experience Insights, Adoption Score, and the Message Center in the Microsoft 365 admin center. This role includes the permissions of the Usage Summary Reports Reader role.

Viva Glint Service Administrator
Assign the Viva Glint Service Administrator role to users who manage the Viva Glint app. See Assign Viva Glint Tenant and Service Administrators.
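
The password-reset scopes stated in the Global administrator, Helpdesk administrator, Password administrator and User administrator rows above, modeled as an added example (not Microsoft's code and not part of the original article) so role assignments can be reviewed for who can reset whose password. The sample tenant, the function names, and the rule for users who hold several roles are assumptions.

```python
# Added example. Role names come from the page; SAMPLE is constructed data.
# Roles a target may hold and still be in scope for Helpdesk/User admins.
LOW_PRIV = {"Directory reader", "Guest inviter", "Helpdesk admin",
            "Message center reader", "Reports reader"}
RESET_SCOPE = {
    "Global administrator": None,  # None means all users
    "User admin": LOW_PRIV,
    "Helpdesk admin": LOW_PRIV,
    "Password admin": {"Password admin"},
}

def can_reset(actor_roles, target_roles):
    """Return the actor role that permits the reset, or None.

    Assumption: a target holding several roles is in scope only when every
    one of them is in the actor role's allowed set (non-admins hold none).
    """
    for role in sorted(actor_roles):
        if role not in RESET_SCOPE:
            continue  # this role grants no password reset
        allowed = RESET_SCOPE[role]
        if allowed is None or set(target_roles) <= allowed:
            return role
    return None

def reset_paths(directory):
    """List (actor, target, via_role) for resets that reach an admin account."""
    paths = []
    for actor, a_roles in directory.items():
        for target, t_roles in directory.items():
            if actor == target or not t_roles:
                continue  # skip self and non-admin targets
            via = can_reset(a_roles, t_roles)
            if via:
                paths.append((actor, target, via))
    return sorted(paths)

# Constructed sample tenant: user -> admin roles held.
SAMPLE = {
    "owner@contoso.com": {"Global administrator"},
    "desk1@contoso.com": {"Helpdesk admin"},
    "desk2@contoso.com": {"Helpdesk admin", "Exchange admin"},
    "pw@contoso.com": {"Password admin"},
    "staff@contoso.com": set(),
}

if __name__ == "__main__":
    for actor, target, via in reset_paths(SAMPLE):
        print(f"{actor} can reset {target} (via {via})")
```

In the sample, desk2 can reset desk1's password but not the reverse, because desk2's additional Exchange admin role puts that account outside the Helpdesk admin's scope.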
