Tenant and identityBeginner25 min read

What Does Teams role Mean?

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
On This Page

Quick Definition

In Microsoft Teams, a role is a predefined set of permissions assigned to a user. Roles control whether someone can perform actions like creating new teams, managing channels, or adding external guests. There are three main roles: Owner, Member, and Guest. Owners have full control, Members can participate and create content, and Guests have limited access from outside the organization.

Commonly Confused With

Teams rolevsTeams Administrator

A Teams Administrator is a global role in the Microsoft 365 admin center that manages organization-wide Teams policies, settings, and compliance. A Team Owner is a role within a specific team that manages that team only. An Administrator can modify settings for all teams, while an Owner controls only their own team.

A Teams Administrator can set the policy that prevents all users from using GIFs, but only a team Owner can add or remove members from their specific team.

Teams rolevsGlobal Administrator

A Global Administrator has unrestricted access to all Microsoft 365 services, including Teams. They can access any team but are not automatically an Owner. A Team Owner has full control over one team only, not the entire tenant.

If a Global Admin wants to delete a team, they can, but they are not considered an Owner of that team in the team membership list unless added.

Teams rolevsSharePoint Site Permissions

Each team has an associated SharePoint site. The team Owner automatically becomes a Site Collection Admin on that SharePoint site. However, SharePoint permissions are separate and can be more granular. A user might have read-only access to a SharePoint document library but full Member access in the Teams channel.

A team Owner can create a SharePoint permission group that restricts access to a specific folder, but the Teams role itself does not control that level of detail.

Must Know for Exams

Teams roles are tested across several Microsoft certification exams, particularly those focused on Microsoft 365 administration and collaboration. For the MS-700 exam (Managing Microsoft Teams), the concept is a core objective. You must understand the default roles, how to assign them, and how to manage guest access. Questions often present a scenario where a user needs to perform a specific task, and you must determine the minimum role required. For example, “A user needs to add an external partner to a team. What role should they have?” The answer is Owner. You may also be asked to identify the correct way to prevent members from creating private channels, which involves owner-controlled team settings.

In the MS-900 exam (Microsoft 365 Fundamentals), Teams roles appear in the identity and access management domain. The focus is on broad understanding rather than deep configuration. You should know the three roles and the high-level differences. A typical question: “Which role in Microsoft Teams has the ability to delete the entire team?” The answer is Owner. Another common question is about guest access: “Which role can add a guest to a team?” The answer is Owner or Global Admin.

For the AZ-104 exam (Azure Administrator), Teams roles are not a primary focus but are supporting knowledge. You may encounter questions about managing Azure AD group membership, which directly affects Teams roles. Since each team is backed by a Microsoft 365 Group, changing group membership changes who is an Owner or Member. Understanding this relationship is important.

The SC-300 exam (Identity and Access Administrator) covers Azure AD identity governance. Here, Teams roles illustrate RBAC in a real application. You might be asked about the impact of guest user policies on Teams or how to use access reviews to verify team membership.

In all exams, the key is to remember three things. First, Owners have full control. Second, Members can collaborate but not administer. Third, Guests have the least privilege and come from outside the organization. Exam questions often include distractors like “Teams Admin” or “Global Admin” as answer choices. You must know that team-level roles are different from administrative roles. A Global Admin can manage Teams settings at the tenant level, but they are not an Owner of every team unless explicitly added as one.

Questions may also test your knowledge of limitations. For example, a Member can delete their own messages, but only an Owner can delete any message in the team. Know the default settings that Owners can change, such as allowing members to create channels or use @mentions. The exam expects you to know that these settings are configurable only by Owners. Understanding the nuance that a Guest cannot create channels or start a new chat outside the team is also testable. Finally, role inheritance matters: if a user is an Owner of a team, they automatically become an Owner of the underlying Microsoft 365 Group and a Site Collection Admin on the associated SharePoint site. This linkage is a frequent exam point.

Simple Meaning

Think of a Teams role like the keycard access levels in an office building. The building has different areas: the lobby, the main work floor, the meeting rooms, and the executive suite. A guest visiting the office might only get a keycard that opens the front door and the specific meeting room they are using. They cannot enter the main work floor or the break room. A regular employee has a keycard that opens the main work floor, their department area, and the break room. They can also book meeting rooms and invite visitors. A building manager or owner has a master keycard that opens every door, including the IT server room, the executive suite, and the security office. They can also change the locks and decide who else gets keycards.

In Microsoft Teams, these access levels are called roles. The Guest role is like the visitor keycard. Guests are people from outside your company who are invited to a specific team. They can read messages, share files in that team, and participate in chats, but they cannot see the rest of the organization's teams or create new ones. The Member role is like the regular employee keycard. Members can create channels, upload files, start conversations, and add apps to the team. They have a lot of freedom to collaborate, but they cannot delete the team or change its settings. The Owner role is like the building manager keycard. Owners control everything. They can add or remove members, delete the entire team, change permissions, and manage the team's settings. Every team must have at least one owner.

Just as a building needs clear access policies to keep people safe and work running smoothly, Microsoft Teams uses roles to keep collaboration organized and secure. Without roles, anyone could delete important channels or invite outsiders, causing chaos. Roles ensure that each person has exactly the right level of access to do their job without risking the team's data.

Full Technical Definition

In Microsoft Teams, a user role is an attribute that determines the scope of administrative and collaborative actions a user can perform within a specific team or across the entire organization. Roles are part of Microsoft’s role-based access control (RBAC) model, deeply integrated with Azure Active Directory (Azure AD) and Microsoft 365 Groups. There are three default roles in a team: Owner, Member, and Guest. These roles are not configurable in granular detail; rather, Microsoft provides fixed permission sets that align with common collaboration scenarios.

Owners have full control over the team. They can add or remove members and other owners, delete the team, change the team name and description, create and manage channels (including private and shared channels), add and remove apps, configure tabs, manage team settings (such as @mentions and permissions for creating channels), and control whether members can delete or edit messages. An owner can also promote a member to owner or demote another owner to member. In Microsoft 365 Groups, the team owner is also the group owner, which gives them control over the underlying group membership and settings. If a team is tied to a SharePoint site, the owner automatically gains site collection administrator rights for that site.

Members, the default role for internal users, can participate in conversations, create new channels (if the owner allows it), upload and download files, create tabs, add apps (if permissions are granted), and share content. Members cannot delete the team, change its settings, or add or remove other members. They can delete messages they created, but may not be able to delete messages from others depending on the global messaging policy. From a protocol standpoint, Teams uses a combination of REST APIs and signalR for real-time updates. Permissions are enforced through token claims in Azure AD. When a user makes an action, the Teams client sends an API request that includes an access token. The backend validates the token against the user’s role in the team’s membership list stored in Azure AD.

Guest access is a special role for users from external Azure AD organizations or consumer accounts. Guests must be added by an owner or a global admin. They have the most restricted permissions. Guests can participate in conversations, view files, and make posts, but they cannot browse the global address list, create teams, or access sensitive organization-wide features. Guest permissions are controlled at the tenant level by a global admin who can enable or disable guest access entirely. Each team owner can decide whether to allow guests into their specific team. Under the hood, guest users are represented as B2B collaboration users in Azure AD, with a UserType of "Guest." Their access is governed by both Azure AD conditional access policies and Teams-specific settings.

Beyond these three default roles, there are also administrative roles at the tenant level, such as Teams Administrator or Global Administrator. These are separate from team-level roles. A Teams Administrator manages organization-wide Teams settings, policies, and compliance. They do not automatically own every team. In the context of general IT certifications, understanding Teams roles is crucial for managing collaboration and security. Microsoft’s documentation specifies that a team can have up to 250 owners, though best practices recommend 2–3 owners to avoid permission conflicts. Role changes propagate through Azure AD within minutes, but full synchronization across clients may take up to 24 hours.

Real-Life Example

Imagine a community library that is run entirely by volunteers. The library has a director, several librarians, and some occasional helpers from the neighborhood. The director has a master key that opens every door, including the storage room, the computer server closet, and the safe where membership fees are kept. The director can hire or fire librarians, decide which books to buy, and set the library’s hours. The librarians have keys to the main entrance, the reading rooms, and the staff break room. They can check books in and out, organize shelves, and lead reading programs, but they cannot change the library’s schedule or access the safe. The neighborhood helpers are volunteers who come in once a week to dust shelves and straighten chairs. They are given a temporary key that only works for the front door during their shift, and they cannot go into the staff area or use the computer system.

In this library analogy, the director is the Teams Owner. They have the highest level of control and responsibility. The librarians are the Members. They do the daily work of running the library and can make many decisions on their own, but they answer to the director for big changes. The neighborhood helpers are the Guests. They have limited access for a specific purpose and cannot view the full library operation.

Now, compare this to a company using Microsoft Teams. A project team might be working on developing a new product. The project manager is the Owner. They create the team, invite the engineers and designers, and set up channels for each workstream. The engineers and designers are Members. They chat, share files, and update tasks inside their channels. The product’s external beta tester is a Guest. They are invited only to the "Beta Feedback" channel, where they can post bugs and suggestions, but they cannot see the team’s internal planning or financial documents. This role structure keeps the project organized, secure, and efficient.

Why This Term Matters

Understanding Teams roles matters because collaboration tools like Microsoft Teams are at the heart of modern business communication. When an organization adopts Teams, every user’s ability to do their job depends on having the right permissions. If too many people are Owners, the team can become unstable because any owner can delete the team or change settings. If too few people are Owners, the team may become stuck when the only owner leaves the company and no one can manage the team. Roles solve this balance.

From an IT professional’s perspective, roles are a core administrative responsibility. When you deploy Microsoft 365, you must plan role assignments carefully. You need to decide who can create teams, who can add guests, and what members can do. Misconfigured roles can lead to security breaches. For example, if a team project contains sensitive financial data and a member with the Owner role accidentally shares it with a guest, that data could be leaked. On the other hand, if a team’s settings are too restrictive, members may become frustrated and find workarounds outside the compliant platform.

Roles also affect compliance and auditing. In regulated industries, you must maintain an audit trail of who had access to which teams and what actions they performed. Teams logs all role changes, and these logs can be reviewed by compliance officers. For IT support, troubleshooting role issues is common. A user might complain they cannot create a channel, and the fix is often simply changing their role from Member to Owner. Understanding the distinction between team-level roles and tenant-level admin roles is critical. A global admin can access any team, even as a Member, but they might not be an Owner of that specific team.

For exam takers, Teams roles tie directly to Microsoft’s identity and access management concepts. They are a practical example of RBAC in a cloud environment. Knowing how roles work helps you design secure collaboration structures, which is a key skill for any IT certification involving Microsoft 365.

How It Appears in Exam Questions

Exam questions about Teams roles typically appear in scenario-based formats, configuration tasks, and troubleshooting scenarios. Multiple-choice questions often describe a situation and ask which role is required. For example: “A company uses Microsoft Teams for project collaboration. The project lead needs to add an external consultant to the team. What is the minimum role the project lead must have?” The correct answer is Owner. Another variant asks: “A team member reports they cannot create a new channel. The team owner confirms that members are allowed to create channels in the team settings. What is the most likely reason?” The answer is that the user is a Guest.

Configuration questions may require you to select the correct steps to assign a role. For instance: “You need to promote a team member to owner. What should you do?” The correct answer is to navigate to the team, manage members, and change their role from Member to Owner. You might be given a list of PowerShell commands and asked which one changes a role. The command is: Add-TeamUser -GroupId <ID> -User <UPN> -Role Owner.

Troubleshooting questions often involve a user who cannot perform an action. For example: “A user named Jane is a Member of a team. She cannot delete a message that she posted. She suddenly realizes that the message was posted in a different team where she is a Guest. What explains this?” The correct understanding is that Guests have even more restricted permissions than Members. Or: “The team owner left the company and no one else is an owner. How can a new owner be assigned?” The answer is that a Global Admin must go into the Microsoft 365 admin center or Azure AD and add a new owner.

Drag-and-drop questions may ask you to match actions to roles. For example: “Drag each action to the correct role.” Actions like “Invite external users” go to Owner, and “Post a message in a channel” go to Member. You may also see hot area questions where you click on the correct role or permission in a diagram of Teams settings.

In the MS-700 exam, there are case studies that present a company’s team structure. You must analyze role assignments and recommend changes. For example: “The sales team has 15 members and 5 owners. Several accidental deletions have occurred. What should you do?” The best answer is to reduce the number of owners to 2–3. Another case might involve guest access: “The marketing team needs to collaborate with a vendor. The vendor should only see one channel. How should you configure this?” The answer is to add the vendor as a Guest and configure private channel permissions.

Finally, be prepared for questions that test role limits. For example: “How many owners can a team have?” The answer is 250. Or: “Can a Guest become an Owner?” The answer is no; only internal users can be Owners. Knowing these boundaries will help you eliminate wrong answers quickly.

Practise Teams role Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

Contoso Ltd is a medium-sized software company that uses Microsoft Teams for daily work. The development team has a team called “DevTeam” with 12 members. The team’s owner is Sarah, the development manager. She created the team and set up channels for frontend, backend, and QA. Members include five frontend developers, five backend developers, and two QA testers. One day, the QA team needs help from an external consultant named Mike, who works for a partner company. Sarah, as the owner, adds Mike as a Guest to the DevTeam. Mike can only see the QA channel because Sarah configured it as a private channel and added Mike to it.

Mike participates in the QA channel, posts bug reports, and shares test files. However, Mike tries to access the backend channel and sees it is not listed. He also tries to start a chat with a frontend developer who is not in his channel, but the Teams client shows a message that he cannot start a chat because he is a guest. This is expected behavior because guests have limited scope. Mike works in the QA channel for two weeks. Then a frontend developer named John wants to add a new channel called “Performance Testing.” John tries to create the channel, but the option is grayed out. He asks Sarah why. Sarah checks the team settings and remembers that she recently changed the setting “Allow members to create channels” to Off because she wanted to keep the team organized.

Later, the backend team wants to use a new app for code reviews. One of the backend members, Priya, tries to add the app to the team. She finds that she cannot because the Owner set the policy that only Owners can add apps. Priya asks Sarah to add the app. Sarah adds the app for the entire team. At the end of the project, the company needs to archive the DevTeam. Sarah, as the Owner, archives the team, which makes it read-only but still accessible for historical reference. If Sarah had left the company without transferring ownership, the team would be orphaned, and a Global Admin would need to assign a new owner.

This scenario demonstrates how each role affects what users can do. Guests have very limited access, Members have collaborative power but not administrative control, and Owners have full authority over the team’s lifecycle and configuration.

Common Mistakes

Thinking that a Global Admin is automatically an Owner of every team.

A Global Admin has tenant-wide administrative privileges, but they do not automatically become a team Owner. They can access the team as a Member unless they specifically add themselves as an Owner.

Understand that team-level roles are separate from admin roles. A Global Admin must be explicitly added to a team to have Owner privileges.

Assuming a Guest can become an Owner after being in the team for a long time.

Guest users can never hold the Owner role in a team. Owner is reserved for internal organization users. Even if a Guest is promoted, the system does not allow it.

Know that the Owner role is available only to internal users. If a guest needs more control, they must be converted to a regular user, which requires Azure AD changes.

Believing that Members can always create channels by default.

While it is the default setting, team Owners can change the setting to restrict channel creation to Owners only. Members then lose that ability.

Always check the team’s settings before assuming a Member’s capabilities. The setting is called "Allow members to create channels" and is controlled by Owners.

Confusing the Teams role with the role in the underlying Microsoft 365 Group.

The roles are the same for practical purposes, but the mechanism is different. A team Owner is also a group Owner, but not all group members are team Members. Someone can be a group member but not a team member if the team uses private channels.

Remember that Teams role is tied to the group membership. Changes to group membership affect the team, but the team also has its own membership list for private channels.

Thinking that deleting a user from Azure AD automatically removes them from all teams.

While Azure AD deletion does remove the user’s access, the team membership list may still show the user as a member until synchronization happens. This can cause orphaned entries.

Use proper cleanup procedures. Remove the user from the team first or wait for Azure AD deletion to propagate, which can take up to 24 hours.

Exam Trap — Don't Get Fooled

{"trap":"A question states: \"A user is a Member of a team and wants to delete a message posted by another member. Can they do this?\" Many learners answer \"Yes\" because they know members can delete their own messages, but they overlook that this message is from another user."

,"why_learners_choose_it":"They remember that members can delete messages, but they forget the qualifier that it only applies to messages they posted themselves.","how_to_avoid_it":"Read the question carefully. Always distinguish between deleting your own message and deleting someone else's.

Only Owners can delete any message in the team. Members can delete only their own messages."

Step-by-Step Breakdown

1

User Authentication

The user signs in to Microsoft Teams using their organization credentials. Azure AD authenticates the user and issues an access token containing claims about the user’s identity, including groups and roles.

2

Access Token Validation

When the user performs an action, such as creating a channel, the Teams client sends an API request to the Teams backend. The request includes the access token. The backend validates the token and extracts the user’s object ID and tenant ID.

3

Role Lookup

The Teams backend queries Azure AD to retrieve the user’s membership in the Microsoft 365 Group that backs the team. The group membership includes a property indicating whether the user is an Owner or a Member. If the user is an external guest, their UserType is Guest.

4

Policy Check

The backend also checks the team-level settings, such as whether members are allowed to create channels. Even if the user is a Member, the action may be blocked if the Owner has disabled that permission. This is a finer-grained control beyond the role itself.

5

Authorization Decision

Based on the role and policy combination, the backend either authorizes the action or returns an error. For example, if a Guest tries to create a channel, the backend sees the Guest role and denies the request regardless of the team setting.

6

Audit Logging

All role changes and significant actions are logged in the Microsoft 365 audit log. This includes adding or removing an Owner, promoting a Member, or adding a Guest. Auditors and compliance teams can review these logs later.

7

Propagation Delay

Role changes take effect almost immediately in Azure AD, but it may take several minutes for the Teams client to reflect the change. In some cases, a user may need to sign out and sign back in to see updated permissions.

Practical Mini-Lesson

In practice, managing Teams roles is a daily task for IT professionals in organizations using Microsoft 365. The most important thing to understand is that the Owner role carries significant responsibility. As an Owner, you can delete the entire team, remove all content, and change settings that affect everyone. Therefore, best practices recommend limiting the number of Owners to three or fewer per team. This reduces the risk of accidental changes. In large organizations, it is common to have a service account or a break-glass account that is an Owner of all critical teams, so that if all human owners leave, the company can still administer the team.

When adding guests, you must first ensure that guest access is enabled at the tenant level by a Global Admin. Then, as an Owner, you can add external users by entering their email address. The guest receives an invitation email and must accept it before accessing the team. Once added, the guest has limited permissions, but you can further restrict them by using private channels. For example, you can create a private channel and add only the guest to it, preventing them from seeing the rest of the team.

Configuration of team settings is another critical area. To change what Members can do, click the ellipsis (three dots) next to the team name and select "Manage team." Then go to the "Settings" tab. Here you can toggle options like "Allow members to create channels," "Allow members to delete and restore channels," and "Allow members to add apps." Each of these settings can be set to "On" or "Off." Modifying these is an Owner-only action.

What can go wrong? The most common issue is role assignment errors. For instance, if you accidentally remove the last Owner from a team, the team becomes orphaned. No one can manage it. The only way to fix this is through the Microsoft 365 admin center. A Global Admin must go to the Groups section, find the associated Microsoft 365 Group, and add an Owner there. This is a common troubleshooting scenario in the job.

Another issue is confusion between team-level roles and SharePoint permissions. When a team is created, a SharePoint site is also created. The team Owner is added as a Site Collection Admin. However, if you later change the team Owner, the SharePoint ownership may not automatically update. You may need to manually update the SharePoint site permissions to match. This is a known gap and a frequent exam point.

From a professional perspective, you should also understand how to use PowerShell to manage roles efficiently. For example, if you need to add 50 users as Members of a team, you can use the Add-TeamUser cmdlet in a loop. PowerShell is especially useful for scripting bulk role assignments during onboarding. Finally, always monitor the audit log for role changes, especially when someone is promoted to Owner. It is a best practice to treat Owner promotions with the same level of care as granting admin privileges.

Memory Tip

Owners own the whole house, Members live in it, Guests visit only the living room.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Related Glossary Terms

Frequently Asked Questions

Can a Guest become a Member or Owner?

No, a Guest cannot be changed to a Member or Owner through Teams. The only way to change a Guest’s role is to convert them to an internal user in Azure AD, which requires an organization to have a licensing agreement and the user to be added as a regular user.

How many Owners can a team have?

A team can have up to 250 Owners, but best practices recommend keeping the number to 2 or 3 to avoid management conflicts.

What happens if the last Owner leaves the company?

The team becomes orphaned. A Global Administrator can assign a new Owner by going to the Microsoft 365 admin center, finding the associated Microsoft 365 Group, and adding an owner.

Is a Team Owner automatically a Site Collection Admin?

Yes, when a team is created, the Owner is added as a Site Collection Admin on the associated SharePoint site. However, this link is not automatically updated if you change the team Owner later.

Can a Member delete a message posted by another Member?

No, by default only Owners can delete messages posted by other users. Members can only delete their own messages.

How do I change a Member to an Owner?

Go to the team, click the ellipsis, select "Manage team," find the member, and in the "Role" column change their role from Member to Owner.

Summary

In Microsoft Teams, a role defines what a user can do within a team. The three default roles are Owner, Member, and Guest. Owners have full administrative control over the team, including the ability to add or remove members, delete the team, and change settings. Members can collaborate by creating channels, posting messages, and sharing files, but they cannot alter team-wide settings or add external users. Guests are external users with the most limited permissions, able to participate only in specific teams and channels to which they are invited.

Understanding these roles is essential for IT professionals because they directly impact security, collaboration efficiency, and compliance. In certification exams, particularly MS-700 and MS-900, you will be tested on the differences between these roles, their capabilities, and how to manage them. Common exam questions include scenario-based tasks asking which role is needed for a specific action, configuration steps to change roles, and troubleshooting why a user cannot perform an action.

The key takeaway is to remember the hierarchy: Owners can do everything, Members can do most collaborative tasks, and Guests have minimal access. Always pay attention to the distinction between team-level roles and tenant-level admin roles, such as Global Administrator or Teams Administrator. Using the memory hook "Owners own the whole house, Members live in it, Guests visit only the living room" can help you quickly recall the concept. Mastering Teams roles will not only help you pass exams but also equip you to manage real-world collaboration environments effectively.