MS-102 | Chapter 45 of 104 | Objective 1.2

Microsoft 365 Admin Roles and Least Privilege

This chapter covers Microsoft 365 admin roles and the principle of least privilege, a core topic in the Tenant Management domain (Objective 1.2) of the MS-102 exam. Approximately 15-20% of exam questions touch on role-based access control, role assignments, and least privilege best practices. You will learn the exact role hierarchy, how to assign and manage roles, and how to apply least privilege to minimize security risks — all essential for both the exam and real-world administration.

25 min read
Intermediate
Updated May 31, 2026

Admin Roles: Building Access Cards

Imagine a secure office building with multiple floors and rooms. The building manager (Global Admin) has a master key that opens every door, but giving everyone a master key would be a security nightmare. Instead, the building uses a system of access cards with specific permissions. Each card is assigned a role: some cards open only the main entrance (Helpdesk Admin), others open IT server rooms (Exchange Admin), and some open all floors except the CEO's office (User Admin). The access control system (Azure AD) enforces these permissions. When an employee swipes their card at a door, the system checks their role and either grants or denies access. This is exactly how Microsoft 365 admin roles work: each role is a collection of permissions, and when an admin performs an action, Azure AD checks if their assigned role includes the required permission. The principle of least privilege means giving each employee the minimum card access needed to do their job—no more, no less. Just as you wouldn't give a janitor the master key, you shouldn't assign Global Admin to someone who only needs to reset passwords. This analogy highlights the granular, role-based access control (RBAC) that underpins Microsoft 365 administration.

How It Actually Works

What Are Microsoft 365 Admin Roles?

Microsoft 365 admin roles are predefined sets of permissions that control administrative access to Microsoft 365 services. They are part of Azure Active Directory (Azure AD) role-based access control (RBAC). When you assign a role to a user, that user gains the permissions associated with the role across the Microsoft 365 tenant. Roles are granular: there are over 60 built-in roles, each designed for specific administrative tasks. The principle of least privilege dictates that users should be granted only the permissions necessary to perform their job functions — no more.

Why Do Admin Roles Exist?

Before granular roles, the only way to delegate administration was to assign the Global Administrator role, which grants unrestricted access to all settings and data. This violates least privilege and increases the blast radius of a compromised account. Microsoft 365 roles allow organizations to delegate tasks (e.g., resetting passwords, managing groups, configuring Exchange) without giving full control. The exam expects you to know the most common roles and their scopes.

How Admin Roles Work Internally

Azure AD stores role definitions as collections of permissions. When a user attempts an operation (e.g., via the Microsoft 365 admin center, PowerShell, or Graph API), Azure AD evaluates the user's role memberships. If any role grants the required permission, access is allowed. This is similar to how Windows RBAC works but at the cloud directory level.

Each role definition has a set of "allowedActions" and, less commonly, "notActions" that exclude specific operations. For example, the User Administrator role can create, manage, and delete users, but cannot manage roles or subscriptions. The exam tests these boundaries.

Key Built-in Roles and Their Permissions

Global Administrator: Full access to all admin features. Can assign any role to any user. This is the most powerful role.

Global Reader: Read-only access to all settings and admin centers. Cannot make changes.

Exchange Administrator: Full control over Exchange Online, including mailboxes, distribution groups, and transport rules.

SharePoint Administrator: Full control over SharePoint Online and OneDrive for Business.

User Administrator: Create and manage users, groups, and passwords. Cannot manage roles or subscriptions.

Helpdesk Administrator: Reset passwords, manage service requests, and monitor service health. Limited to non-admin users.

Password Administrator: Reset passwords for non-admin users only.

Billing Administrator: Manage subscriptions, invoices, and payment methods.

Application Administrator: Manage enterprise applications and app registrations.

Cloud Application Administrator: Similar to Application Admin but cannot manage service principals.

Conditional Access Administrator: Manage Conditional Access policies.

Security Administrator: Manage security-related features: Azure AD Identity Protection, Microsoft 365 Defender, and security policies.

Security Reader: Read-only access to security settings and reports.

Compliance Administrator: Manage compliance features: Data Loss Prevention, eDiscovery, retention policies.

Compliance Data Administrator: Manage compliance content but not policies.

Privileged Role Administrator: Manage role assignments in Azure AD Privileged Identity Management (PIM).

Hybrid Identity Administrator: Manage federation and synchronization settings.

Teams Administrator: Manage Microsoft Teams.

Teams Communications Administrator: Manage Teams calling and meetings.

Intune Administrator: Manage mobile device management (MDM) and mobile application management (MAM).

Role Hierarchy and Inheritance

Roles do not inherit from each other. For example, being a User Administrator does not automatically grant any Exchange Administrator permissions. However, some roles overlap in permissions. The exam may ask which role can perform a specific task — you must know the exact boundaries.

Role Assignment and Management

Roles are assigned to users (or groups — see below) via the Azure AD portal, Microsoft 365 admin center, PowerShell (AzureAD module or Microsoft Graph PowerShell SDK), or Microsoft Graph API. To assign a role:

1. Navigate to Azure AD > Roles and administrators.
2. Select a role, then click "Add assignments."
3. Choose the user(s) or group(s).

Using PowerShell (AzureAD module):

# Connect to Azure AD
Connect-AzureAD

# Look up the role by display name. Get-AzureADDirectoryRole returns only roles that
# have been activated in the tenant at least once; if the role is missing from the
# output, activate it first with Enable-AzureADDirectoryRole and the role's template ID.
$role = Get-AzureADDirectoryRole | Where-Object {$_.DisplayName -eq "User Administrator"}

# Look up the target user (ObjectId accepts a UPN) and add it to the role
$user = Get-AzureADUser -ObjectId "user@contoso.com"
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId

Using Microsoft Graph PowerShell (recommended for newer tenants):

Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId <UserId> -RoleDefinitionId <RoleId> -DirectoryScopeId "/"

Using Groups for Role Assignment

Azure AD allows assigning roles to cloud groups (security groups or Microsoft 365 groups) instead of individual users. This simplifies management: add users to the group, and they inherit the role. The group must be assigned the "role-assignable" attribute (isAssignableToRole: true). Only Global Administrators and Privileged Role Administrators can create such groups. This is a key exam point: role-assignable groups cannot be dynamic groups; they must be assigned membership.

Default Role Assignments

Every tenant has default role assignments: the person who signed up for the subscription becomes a Global Administrator. Additionally, Azure AD creates a few roles automatically: Global Administrator (the default), Billing Administrator (if a billing admin was added), etc. The exam may ask about the initial setup.

Least Privilege Principle

Least privilege means giving users the minimum permissions needed to perform their tasks. In Microsoft 365, this translates to:

Avoid using Global Administrator unless absolutely necessary.

Use the most specific role that covers the required tasks.

If no built-in role fits, consider creating a custom role (available in Azure AD Premium P1/P2).

Custom roles allow you to define a set of permissions from a list of over 1,000 actions. However, custom roles cannot include all permissions — some high-impact actions are reserved for built-in roles. The exam tests when to use built-in vs. custom roles.

Privileged Identity Management (PIM)

PIM provides just-in-time (JIT) privileged access, time-bound role activation, and approval workflows. It is a key tool for enforcing least privilege. With PIM:

Users are eligible for a role but must activate it when needed.

Activation requires MFA and may require approval.

Roles can be time-bound (e.g., 4 hours).

Auditing tracks all activations.

PIM is available with Azure AD Premium P2. The exam expects you to know PIM capabilities and how they support least privilege.

Role Scope

Most roles have a tenant-wide scope — they apply to all resources. However, some roles can be scoped to an administrative unit (AU). AUs allow you to delegate administration over specific subsets of users, groups, and devices. For example, you can create an AU for the "Sales" department and assign a Helpdesk Administrator role scoped to that AU. The admin can then only reset passwords for users in Sales. This is critical for large organizations.

Role Conflicts and Overlapping Permissions

If a user has multiple roles, they get the union of all permissions. For example, a user who is both User Administrator and Exchange Administrator can manage both users and mailboxes. There is no negative permission unless explicitly denied via custom roles (using notActions).
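The rules from the last few sections (role definitions as action sets, the union of a user's roles, tenant-wide versus administrative-unit scope, and the admin-password restriction) as one small runnable model. This is example code added for this chapter, not Microsoft's implementation; the role contents, AU id, UPNs and the "most specific role" ranking are constructed assumptions.

```python
"""Runnable model of the rules this chapter describes (example code added here,
not Microsoft's implementation): a role is a set of allowed actions, a principal
gets the union of its roles, each assignment carries a directory scope ("/" for
the tenant or one administrative unit), and only a few roles may reset the
password of a user who holds an admin role. All data below is constructed."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

PASSWORD_RESET = "microsoft.directory/users/password/update"
AU_PREFIX = "/administrativeUnits/"
# Constructed subsets of the built-in role definitions; "*" stands in for
# Global Administrator's full access.
ROLE_DEFINITIONS = {
    "Global Administrator": {"*"},
    "Privileged Authentication Administrator": {
        PASSWORD_RESET,
        "microsoft.directory/users/authenticationMethods/basic/update",
    },
    "User Administrator": {
        "microsoft.directory/users/create",
        "microsoft.directory/users/delete",
        PASSWORD_RESET,
    },
    "Helpdesk Administrator": {
        PASSWORD_RESET,
        "microsoft.directory/users/invalidateAllRefreshTokens",
    },
    "Password Administrator": {PASSWORD_RESET},
    "Exchange Administrator": {"microsoft.exchange/allEntities/allTasks"},
}
# Roles that may reset the password of a user who holds an admin role.
CAN_RESET_ADMIN_PASSWORDS = {"Global Administrator",
                             "Privileged Authentication Administrator"}

@dataclass
class User:
    upn: str
    admin_units: set = field(default_factory=set)  # ids of AUs the user is in

@dataclass
class Assignment:
    principal: str    # UPN of the admin holding the role
    role: str
    scope: str = "/"  # "/" = tenant-wide, AU_PREFIX + <id> = scoped to one AU

def effective_actions(principal, assignments):
    """Union of the actions granted by all of the principal's roles."""
    actions = set()
    for a in assignments:
        if a.principal == principal:
            actions |= ROLE_DEFINITIONS[a.role]
    return actions

def role_grants(role, action):
    return any(fnmatchcase(action, p) for p in ROLE_DEFINITIONS[role])

def scope_covers(scope, target):
    if scope == "/":
        return True
    return scope.startswith(AU_PREFIX) and scope[len(AU_PREFIX):] in target.admin_units

def holds_admin_role(user, assignments):
    return any(a.principal == user.upn for a in assignments)

def is_allowed(actor, action, target, assignments):
    """True if some assignment of the actor grants the action in a scope that
    contains the target; the admin-password restriction is checked on top."""
    for a in assignments:
        if (a.principal != actor or not role_grants(a.role, action)
                or not scope_covers(a.scope, target)):
            continue
        if (action == PASSWORD_RESET and holds_admin_role(target, assignments)
                and a.role not in CAN_RESET_ADMIN_PASSWORDS):
            continue
        return True
    return False

def least_privilege_role(required_actions):
    """Most specific built-in role covering every required action: fewest
    allowed actions wins, wildcard roles rank last."""
    candidates = []
    for role, allowed in ROLE_DEFINITIONS.items():
        if all(role_grants(role, act) for act in required_actions):
            candidates.append((float("inf") if "*" in allowed else len(allowed), role))
    return min(candidates)[1] if candidates else None

# Constructed tenant: a Sales AU, an AU-scoped helpdesk admin, an IT admin with two roles.
SALES_AU = "0f1c3a7e-0000-4000-8000-00000000a001"
USERS = {
    "ceo@contoso.com": User("ceo@contoso.com"),
    "alice@contoso.com": User("alice@contoso.com", {SALES_AU}),
    "bob@contoso.com": User("bob@contoso.com"),
}
ASSIGNMENTS = [
    Assignment("ceo@contoso.com", "Global Administrator"),
    Assignment("helpdesk@contoso.com", "Helpdesk Administrator", AU_PREFIX + SALES_AU),
    Assignment("it@contoso.com", "User Administrator"),
    Assignment("it@contoso.com", "Exchange Administrator"),
    Assignment("pam@contoso.com", "Privileged Authentication Administrator"),
]
```

With this data the AU-scoped helpdesk admin can reset alice's password but not bob's, and the User Administrator cannot reset the Global Administrator's password even though the action is in its role.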

Role Activation and Auditing

When a user performs an action, Azure AD logs it in the Audit logs. You can review who did what, when, and from where. This is essential for compliance and troubleshooting. The exam may ask about audit log retention: 30 days for Azure AD Free, 30 days for Premium P1, and 365 days for Premium P2.

Common Misconfigurations

Assigning Global Administrator to all IT staff.

Not using PIM for privileged roles.

Using custom roles when a built-in role suffices.

Creating role-assignable groups without proper governance.

Exam Focus: Numbers and Values

There are over 60 built-in roles.

Global Administrator can assign any role.

Privileged Role Administrator can assign any role, including Global Administrator to themselves; such an assignment is recorded in the audit logs.

Password Administrator can only reset passwords for non-admin users.

Helpdesk Administrator can reset passwords for non-admins and manage service requests.

User Administrator can create and manage users, but cannot delete a user who is a Global Administrator; that requires higher privileges.

The default role for a new tenant is Global Administrator for the sign-up user.

Role-assignable groups must be assigned membership (not dynamic).

PIM activation requires MFA.

Audit logs retention: 30 days (Free/P1) or 365 days (P2).

Interaction with Other Technologies

Admin roles integrate with:

- Microsoft 365 Defender: Security roles control access to security alerts and incidents.
- Microsoft Purview compliance portal: Compliance roles manage DLP, eDiscovery, and retention.
- Azure AD Identity Protection: Security Administrator can manage risk policies.
- Exchange Online: Exchange Admin role manages mailboxes, transport rules, etc.
- SharePoint Online: SharePoint Admin role manages site collections and sharing.
- Teams: Teams Admin role manages teams settings and policies.

Step-by-Step: Assigning a Role Using Azure Portal

1. Sign in to the Azure portal as a Global Administrator or Privileged Role Administrator.
2. Go to Azure Active Directory > Roles and administrators.
3. Search for the role (e.g., "User Administrator").
4. Click on the role, then select "Add assignments."
5. Search for the user or group and select it.
6. Click "Add" to assign the role.
7. The user now has the permissions of that role. They may need to sign out and sign in again for the permissions to take effect (especially for admin center access).

Step-by-Step: Creating a Custom Role

1. In Azure AD > Roles and administrators, click "New custom role."
2. Provide a name and description.
3. Select permissions from the list. You can filter by service (e.g., Microsoft Graph, Azure AD).
4. Review and create.
5. Assign the custom role to users or groups as needed.

Note: Custom roles cannot include permissions for high-privilege actions like managing role assignments or subscriptions. Those require built-in roles.

Step-by-Step: Using PIM to Activate a Role

1. As an eligible user, go to the PIM portal (Azure AD > Privileged Identity Management > My roles).
2. Click "Activate" for the role.
3. Complete MFA if required.
4. Provide a reason for activation (and optionally an approval request).
5. Once approved, the role is activated for the specified duration (default 1 hour, configurable).
6. Perform administrative tasks, then either wait for expiration or deactivate manually.

Step-by-Step: Auditing Role Assignments

1. Go to Azure AD > Audit logs.
2. Filter by activity: "Add member to role" or "Remove member from role."
3. Review the logs to see who assigned roles and when.
4. For PIM activations, view the PIM audit history.
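The review in steps 2 and 3 done in code, as an added example that is not part of the chapter and not Microsoft's code: it reads constructed records in the shape Microsoft Graph returns from auditLogs/directoryAudits and flags permanent (non-PIM) assignments of privileged roles, self-assignments of the kind the Privileged Role Administrator note above mentions, and assignments made by accounts outside an assumed allow-list.

```python
"""Detection pass over role-change audit records in the shape Microsoft Graph
returns from auditLogs/directoryAudits (example code added here, not
Microsoft's code). The response, UPNs and approved-assigner list are
constructed samples."""
import json

PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                    "Privileged Authentication Administrator"}
# Assumed: the only accounts expected to hand out roles in this tenant.
APPROVED_ASSIGNERS = {"ceo@contoso.com", "pra@contoso.com"}

# Constructed response. modifiedProperties values arrive as JSON-encoded
# strings, so the role name is wrapped in an extra pair of quotes.
SAMPLE_RESPONSE = r"""{"value": [
 {"activityDisplayName": "Add member to role", "activityDateTime": "2026-05-01T08:02:11Z",
  "loggedByService": "Core Directory", "result": "success",
  "initiatedBy": {"user": {"userPrincipalName": "ceo@contoso.com"}, "app": null},
  "targetResources": [{"type": "User", "userPrincipalName": "helpdesk@contoso.com",
   "modifiedProperties": [{"displayName": "Role.DisplayName", "newValue": "\"Helpdesk Administrator\""}]}]},
 {"activityDisplayName": "Add member to role", "activityDateTime": "2026-05-01T22:41:05Z",
  "loggedByService": "Core Directory", "result": "success",
  "initiatedBy": {"user": {"userPrincipalName": "pra@contoso.com"}, "app": null},
  "targetResources": [{"type": "User", "userPrincipalName": "pra@contoso.com",
   "modifiedProperties": [{"displayName": "Role.DisplayName", "newValue": "\"Global Administrator\""}]}]},
 {"activityDisplayName": "Add member to role completed (PIM activation)",
  "activityDateTime": "2026-05-02T09:15:40Z", "loggedByService": "PIM", "result": "success",
  "initiatedBy": {"user": {"userPrincipalName": "ceo@contoso.com"}, "app": null},
  "targetResources": [{"type": "User", "userPrincipalName": "ceo@contoso.com",
   "modifiedProperties": [{"displayName": "Role.DisplayName", "newValue": "\"Global Administrator\""}]}]},
 {"activityDisplayName": "Add member to role", "activityDateTime": "2026-05-02T13:07:52Z",
  "loggedByService": "Core Directory", "result": "success",
  "initiatedBy": {"user": {"userPrincipalName": "contractor@contoso.com"}, "app": null},
  "targetResources": [{"type": "User", "userPrincipalName": "bob@contoso.com",
   "modifiedProperties": [{"displayName": "Role.DisplayName", "newValue": "\"Exchange Administrator\""}]}]},
 {"activityDisplayName": "Remove member from role", "activityDateTime": "2026-05-02T13:30:00Z",
  "loggedByService": "Core Directory", "result": "success",
  "initiatedBy": {"user": {"userPrincipalName": "ceo@contoso.com"}, "app": null},
  "targetResources": [{"type": "User", "userPrincipalName": "bob@contoso.com",
   "modifiedProperties": [{"displayName": "Role.DisplayName", "newValue": "\"Exchange Administrator\""}]}]}
]}"""

def load_records(response_text):
    return json.loads(response_text)["value"]

def actor_of(record):
    by = record.get("initiatedBy") or {}
    user, app = by.get("user") or {}, by.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"

def target_of(record):
    for t in record.get("targetResources", []):
        if t.get("type") == "User":
            return t.get("userPrincipalName")
    return None

def role_of(record):
    for t in record.get("targetResources", []):
        for prop in t.get("modifiedProperties", []):
            if prop.get("displayName") == "Role.DisplayName" and prop.get("newValue"):
                return json.loads(prop["newValue"])  # unwrap the JSON-encoded string
    return None

def analyse(records, approved_assigners=APPROVED_ASSIGNERS):
    """One finding per rule hit. Only successful additions are examined, and
    PIM activations (loggedByService == "PIM") are the expected path."""
    findings = []
    for rec in records:
        activity = rec.get("activityDisplayName", "")
        if rec.get("result") != "success" or not activity.startswith("Add member to role"):
            continue
        if rec.get("loggedByService") == "PIM":
            continue
        base = {"time": rec.get("activityDateTime"), "actor": actor_of(rec),
                "target": target_of(rec), "role": role_of(rec)}
        if base["role"] in PRIVILEGED_ROLES:
            findings.append({**base, "rule": "permanent-privileged-assignment"})
        if base["actor"] == base["target"]:
            findings.append({**base, "rule": "self-assignment"})
        if base["actor"] not in approved_assigners:
            findings.append({**base, "rule": "unexpected-assigner"})
    return findings

FINDINGS = analyse(load_records(SAMPLE_RESPONSE))
```

On the sample data the PIM activation and the helpdesk assignment by an approved admin produce nothing, while the permanent self-assignment of Global Administrator and the contractor's assignment are reported.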

Step-by-Step: Scoping a Role with Administrative Units

1. Create an administrative unit: Azure AD > Administrative units > New.
2. Add users, groups, or devices to the unit.
3. Assign a role scoped to the unit: Under the role, select "Add assignments" and choose "Scoped to administrative unit."
4. The admin will only have permissions over resources in that unit.

Step-by-Step: Using Microsoft Graph PowerShell to Assign Role

# Connect with the scopes needed to read users and write role assignments
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory","User.Read.All"

# Get role definition ID
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "DisplayName eq 'User Administrator'"

# Get user ID
$user = Get-MgUser -Filter "UserPrincipalName eq 'user@contoso.com'"

# Create a tenant-wide ("/") role assignment
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $user.Id -RoleDefinitionId $role.Id -DirectoryScopeId "/"

Step-by-Step: Creating a Role-Assignable Group

1. In Azure AD > Groups > New group.
2. Set Group type to Security.
3. Set "Azure AD roles can be assigned to this group" to Yes.
4. Add members.
5. Assign a role to the group as described above.

Note: Once created, the group cannot be converted to a dynamic group. Also, the group's membership must be assigned, not dynamic.

Step-by-Step: Reviewing Least Privilege with PIM Access Reviews

1. In PIM, create an access review for a role.
2. Set frequency (e.g., weekly, monthly).
3. Reviewers (e.g., managers) approve or deny continued access.
4. After the review, PIM automatically removes access for denied users.

This enforces least privilege by ensuring only necessary users retain role assignments.

Step-by-Step: Using the Microsoft 365 Admin Center to Assign Roles

1. Go to the Microsoft 365 admin center (admin.microsoft.com).
2. Navigate to Users > Active users.
3. Select a user, then click "Manage roles."
4. Choose a role (e.g., Helpdesk Admin) and save.
5. The user will have that role. Note: The admin center shows a subset of roles; for all roles, use Azure AD.

Step-by-Step: Removing a Role Assignment

1. In Azure AD > Roles and administrators, select the role.
2. Under Assignments, find the user/group.
3. Click the "..." and select "Remove assignment."
4. Confirm. The user loses those permissions immediately (may require sign-out).

Step-by-Step: Testing Role Permissions

1. Sign in as the assigned user.
2. Try to perform an action that the role should allow (e.g., reset a password).
3. Try to perform an action that the role should not allow (e.g., manage billing).
4. If the allowed action succeeds and the disallowed action fails, the role is correctly scoped. If the disallowed action succeeds, review the role assignment.

Step-by-Step: Using the "Who can do what" Report

Azure AD provides a report that lists each role and its permissions. To access:

1. Go to Azure AD > Roles and administrators.
2. Click "Roles and administrators" in the left menu.
3. Select a role to see its description and permissions.
4. You can also use the "Download assignments" option to get a CSV of all role assignments.

Step-by-Step: Using Graph API to List Role Assignments

GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments
Authorization: Bearer {token}

This returns all role assignments. You can filter by principalId or roleDefinitionId.

Step-by-Step: Enforcing MFA for Role Activation in PIM

1. In PIM, go to Azure AD roles > Settings.
2. Select the role (e.g., Global Administrator).
3. Click "Edit."
4. Under Activation, require Azure AD Multi-Factor Authentication.
5. Optionally require approval and set a maximum activation duration (e.g., 4 hours).
6. Save. Now users must use MFA to activate the role.

Step-by-Step: Creating a Custom Role with Restricted Permissions

1. In Azure AD > Roles and administrators > New custom role.
2. Name: "Password Reset Only"
3. Description: "Can reset passwords for non-admin users."
4. Under Permissions, search for "password" and select "microsoft.directory/users/password/update" (or similar).
5. Create the role.
6. Assign it to helpdesk staff.

Note: Custom roles are available only with Azure AD Premium P1 or P2. The exact permission names are important for the exam.

Step-by-Step: Auditing PIM Activations

1. In PIM, go to Azure AD roles > Audit history.
2. Filter by activity "Activate role."
3. Review who activated which role, when, and for how long.
4. Use this to detect anomalous activations.

Step-by-Step: Using Conditional Access with Admin Roles

You can create a Conditional Access policy that targets admin roles (e.g., require MFA for all Global Administrators). This is a common exam scenario.

1. In Azure AD > Security > Conditional Access.
2. Create a new policy.
3. Under Users, choose "Select users and groups" and target the specific directory roles the policy should cover (or "All users").
4. Under Cloud apps, select "All cloud apps."
5. Under Conditions, set device/platform requirements.
6. Under Grant, require MFA.
7. Enable policy.

Step-by-Step: Using PowerShell to Export All Role Assignments

Connect-AzureAD

# Note: Get-AzureADDirectoryRole returns only roles that have been activated in the tenant
$roles = Get-AzureADDirectoryRole

$report = foreach ($role in $roles) {
    # Members can be users, groups, or service principals; UserPrincipalName is empty for non-users
    foreach ($member in Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId) {
        [PSCustomObject]@{
            RoleName    = $role.DisplayName
            MemberType  = $member.ObjectType
            DisplayName = $member.DisplayName
            UserName    = $member.UserPrincipalName
        }
    }
}
$report | Export-Csv -Path "RoleAssignments.csv" -NoTypeInformation

This is useful for auditing and ensuring least privilege.

Step-by-Step: Understanding Role Definition IDs

Each role has a fixed GUID. For example:

Global Administrator: 62e90394-69f5-4237-9190-012177145e10

User Administrator: fe930be7-5e62-47db-91af-98c3a49a38b1

Helpdesk Administrator: 729827e3-9c14-49f7-bb1b-9608f156bbb8

The exam does not require memorizing GUIDs, but you should know how to find them.

Step-by-Step: Using Microsoft Graph PowerShell to Get Role Definitions

Get-MgRoleManagementDirectoryRoleDefinition | Select-Object DisplayName, Id

This lists all roles with their IDs.

Step-by-Step: Checking Role Permissions with Graph API

GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions/{role-id}
Authorization: Bearer {token}

Returns the role definition including allowedActions.

Step-by-Step: Assigning Role to Group via Graph API

POST https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments
Content-Type: application/json
Authorization: Bearer {token}

{
  "principalId": "group-id",
  "roleDefinitionId": "role-definition-id",
  "directoryScopeId": "/"
}

Step-by-Step: Using PIM to Elevate for a Time-Limited Task

1. As a Global Admin, avoid using the role permanently. Instead, make yourself eligible for Global Admin via PIM.
2. When you need to perform a task, activate the role for 2 hours.
3. Complete the task.
4. The role deactivates automatically.

This is the essence of least privilege: temporary elevation.

Step-by-Step: Creating a Custom Role for a Specific Task

Suppose you need a role that can only manage user photos. There's no built-in role for that, so create a custom role with the permission "microsoft.directory/users/photo/update." Assign it to the HR team.

Step-by-Step: Reviewing Built-in Role Descriptions

Always read the description of a role before assigning. The description tells you exactly what the role can do. For example, "Helpdesk Administrator: Can reset passwords for non-administrators and helpdesk users."

Step-by-Step: Using the Microsoft 365 Defender Portal to Assign Security Roles

Security roles (e.g., Security Administrator) can also be managed from security.microsoft.com > Permissions. This is a common exam scenario: where to assign which role.

Step-by-Step: Understanding the Difference Between Azure AD Roles and Azure RBAC Roles

Azure AD roles control access to Azure AD resources (users, groups, roles). Azure RBAC roles control access to Azure resources (VMs, storage, etc.). They are separate. The exam may ask which role is needed for a task: Azure AD roles for directory tasks, Azure RBAC for Azure resources.

Step-by-Step: Delegating Role Management with Privileged Role Administrator

Only Global Administrators and Privileged Role Administrators can assign roles. So if you want to delegate role management to a security team, assign them the Privileged Role Administrator role. They can then assign other roles (including Global Admin to themselves, which is why this role is highly privileged).

Step-by-Step: Using Access Reviews to Remove Unused Roles

Set up recurring access reviews for sensitive roles. For example, quarterly review of Global Administrator assignments. If a user no longer needs the role, revoke it.

Step-by-Step: Monitoring Role Usage with Azure AD Logs

Use Azure AD sign-in logs and audit logs to see when admins are using their roles. If a role is never used, consider removing it.

Step-by-Step: Applying Least Privilege to Service Accounts

Service accounts (used by applications) should also follow least privilege. Assign the minimum roles needed, and avoid using Global Admin for service accounts. Use application permissions instead.

Step-by-Step: Using Microsoft 365 Admin Center to View Role Descriptions

In the admin center, go to Roles > Role descriptions. This provides a user-friendly list of roles and their capabilities.

Step-by-Step: Understanding Role Limits

There is no hard limit on the number of role assignments, but best practice is to keep them minimal. Azure AD Premium P2 is recommended for large organizations.

Step-by-Step: Preparing for the Exam

Memorize the top 10 roles and their key permissions.

Understand the difference between built-in and custom roles.

Know that PIM is for just-in-time access.

Remember that role-assignable groups cannot be dynamic.

Know audit log retention periods.

Be able to identify which role can perform a specific task from a list.

Step-by-Step: Common Exam Scenarios

Scenario: A helpdesk user needs to reset passwords for all users, including admins. Which role? Answer: neither Helpdesk Administrator nor User Administrator is enough. Helpdesk Administrator cannot reset admin passwords, and User Administrator can reset passwords only for users who are not assigned any admin role. For admin users you need Privileged Authentication Administrator or Global Administrator. This is a common trick.

Scenario: You need to manage Azure AD Conditional Access policies. Which role? Answer: Conditional Access Administrator.

Scenario: You need to manage Microsoft 365 security alerts. Which role? Answer: Security Administrator.

Scenario: You need to manage eDiscovery cases. Which role? Answer: eDiscovery Manager (a compliance role) or Compliance Administrator.

Step-by-Step: Summary of Key Numbers

Over 60 built-in roles.

30-day audit log retention for Free/P1; 365 days for P2.

PIM activation duration: default 1 hour, max configurable (e.g., 8 hours).

Role-assignable groups: must be assigned membership, not dynamic.

Custom roles: require Azure AD Premium P1/P2.

Administrative units: available with Azure AD Premium P1/P2.

Step-by-Step: Final Exam Tips

Read the question carefully: "least privilege" often points to the most specific role.

If the question says "without granting additional permissions," choose the role that exactly matches the required tasks.

If the question involves PIM, look for answers that include activation, MFA, or time limits.

For role-assignable groups, remember the "isAssignableToRole" property.

For custom roles, remember they cannot include all permissions; some high-privilege actions are reserved.

This comprehensive coverage ensures you understand both the theory and practical application of Microsoft 365 admin roles and least privilege.

Walk-Through

1

Identify Required Tasks

Begin by listing the specific administrative tasks that need to be performed. For example, resetting user passwords, managing groups, or configuring Exchange Online. This step is crucial because it determines which built-in role or custom role is appropriate. The exam often presents a scenario where you must choose the role that covers the tasks without extra permissions. For instance, if the only task is resetting passwords for non-admin users, the Helpdesk Administrator role is sufficient. If the task also includes managing user accounts, User Administrator is needed. Document the exact actions to avoid over-provisioning.

2

Select the Appropriate Role

Match the required tasks to a built-in Azure AD role. Use the role descriptions in the Azure portal or the Microsoft 365 admin center. For example, if the tasks include managing security policies and reviewing risk detections, the Security Administrator role is appropriate. If no built-in role exactly fits, consider creating a custom role (requires Azure AD Premium P1/P2). Remember: the principle of least privilege dictates using the most restrictive role that still allows the tasks. The exam frequently tests your ability to pick the correct role from a list.

3

Assign the Role via Azure Portal

Sign in as a Global Administrator or Privileged Role Administrator. Navigate to Azure Active Directory > Roles and administrators. Search for the selected role, click on it, and then click 'Add assignments.' Search for the user or group (if using a role-assignable group) and select them. Click 'Add' to complete the assignment. The user will receive the role permissions, though they may need to sign out and sign in again. This step is straightforward but often overlooked: ensure you are in the correct tenant and have the necessary privileges to assign roles.

4

Implement Just-In-Time Access with PIM

To enforce least privilege, use Privileged Identity Management (PIM) to make users eligible for roles rather than permanently assigned. Configure the role in PIM: set activation duration (e.g., 4 hours), require MFA, and optionally require approval. Users then activate the role only when needed. This reduces the attack surface by limiting the time window during which a role is active. The exam expects you to know that PIM is the primary tool for just-in-time administration and that it requires Azure AD Premium P2.

5

Monitor and Audit Role Usage

Regularly review audit logs to see who is using their assigned roles. Use Azure AD audit logs (retention: 30 days for Free/P1, 365 days for P2) and PIM activation reports. Look for anomalous activations, such as a helpdesk admin activating Global Admin. Set up alerts for suspicious activity. Additionally, conduct access reviews in PIM to periodically confirm that users still need their role assignments. This step is critical for maintaining least privilege over time and is a common exam topic.

What This Looks Like on the Job

Enterprise Scenario 1: Large Organization with Dedicated IT Teams

A multinational corporation with 50,000 employees has separate IT teams for helpdesk, security, compliance, and infrastructure. The helpdesk team needs to reset passwords for end users but not for executives or other admins. The security team needs to manage Microsoft 365 Defender and Conditional Access policies. The compliance team needs to manage eDiscovery and retention policies.

To enforce least privilege, the organization assigns:

Helpdesk Administrator role to helpdesk staff, scoped to an administrative unit for non-executive users.

Security Administrator role to the security team.

Compliance Administrator role to the compliance team.

Global Administrator is limited to two senior IT managers who use PIM to activate the role only when needed.

They create role-assignable groups for each team to simplify membership management. For example, the "Security Admins" group is assigned the Security Administrator role. When a new security analyst joins, they are added to the group and immediately inherit the role.

The organization also uses PIM access reviews quarterly to ensure no one retains unnecessary roles. This setup reduces the blast radius: if a helpdesk account is compromised, the attacker can only reset passwords for a subset of users, not access security settings.

Enterprise Scenario 2: Small Business with Limited IT Staff

A small business with 200 employees has one IT generalist who handles everything. The principle of least privilege still applies: the IT staff should not have Global Admin permanently. Instead, they use PIM to make themselves eligible for Global Admin. They also assign themselves the User Administrator role permanently for daily tasks like creating users and resetting passwords.

They create a custom role for a part-time contractor who only needs to manage SharePoint Online permissions. The custom role includes only SharePoint-related permissions. This avoids giving the contractor broader access.

The business also uses Azure AD audit logs to monitor all admin actions. Since they have Azure AD Premium P2, they retain logs for 365 days for compliance.

Common Misconfigurations and Pitfalls

Over-assigning Global Admin: The most common mistake. Even in small organizations, Global Admin should be reserved for emergency use with PIM.

Using custom roles when built-in roles suffice: Custom roles add complexity. Always check if a built-in role covers the tasks.

Ignoring administrative units: Without AUs, admins have tenant-wide scope. For example, a helpdesk admin could reset the CEO's password if not scoped.

Not using PIM for privileged roles: Permanent assignment of roles like Global Admin or Privileged Role Admin increases risk.

Creating role-assignable groups without governance: These groups should be tightly controlled because adding a user to the group grants them the role.

In production, always start with the most restrictive role, use PIM for elevation, and regularly audit assignments. This approach minimizes security incidents and satisfies compliance requirements.

How MS-102 Actually Tests This

The MS-102 exam tests your ability to apply the principle of least privilege by selecting the correct admin role for a given scenario. Key objective codes: 1.2 (Manage tenant roles and permissions). Expect 3-5 questions on role assignment, role hierarchy, and PIM.

Top Wrong Answers and Why Candidates Choose Them

1. Choosing Global Administrator for any administrative task. Candidates often think it's the safest because it covers everything. However, the exam explicitly tests least privilege — always choose the most specific role. For example, for resetting passwords, Global Admin is wrong; Helpdesk Admin or User Admin is correct.

2. Confusing User Administrator with Helpdesk Administrator. Both can reset passwords, but User Admin can also create and manage users. If the task is only password resets, Helpdesk Admin is more restrictive. Candidates pick User Admin because it's more familiar.

3. Selecting Security Administrator for compliance tasks. Security Admin focuses on security features; for eDiscovery or retention, Compliance Admin is correct. Candidates mix up the two domains.

4. Assuming custom roles can replace any built-in role. Custom roles cannot include high-privilege actions like managing roles or subscriptions. The exam may present a scenario where a custom role is insufficient, and you must use a built-in role.

5. Forgetting that PIM is required for just-in-time access. If a question asks for a solution that provides time-limited access, PIM is the answer — not permanent role assignment.

Specific Numbers, Values, and Terms

Role count: Over 60 built-in roles.

Audit log retention: 30 days (Free/P1), 365 days (P2).

PIM activation duration: Default 1 hour, configurable up to a maximum set by the admin.

Role-assignable groups: Must be assigned membership (not dynamic).

Custom roles: Require Azure AD Premium P1 or P2.

Administrative units: Available with Azure AD Premium P1 or P2.

Privileged Role Administrator: Can assign roles, including Global Admin.

Helpdesk Administrator: Cannot reset passwords for admin users.

Password Administrator: Can only reset passwords for non-admin users.

Edge Cases and Exceptions

Resetting admin passwords: Only Global Admin, Privileged Authentication Administrator, or Authentication Administrator can reset passwords for admins. Helpdesk Admin and Password Admin cannot.

Deleting a Global Admin: Only a Global Admin can delete another Global Admin. User Admin cannot.

Managing roles: Only Global Admin and Privileged Role Admin can assign roles.

Custom roles and high-privilege actions: Custom roles cannot include actions like "microsoft.directory/roles/assign" or "microsoft.directory/subscriptions/manage".

Role-assignable group creation: Only Global Admin and Privileged Role Admin can create groups with isAssignableToRole=true.

How to Eliminate Wrong Answers

1. Identify the exact tasks in the question. Underline verbs like "reset," "create," "manage."

2. Map the tasks to the most specific role that covers all of them but no more.

3. If the question mentions "least privilege" or "minimum permissions," eliminate any role that grants extra capabilities.

4. If the question involves time-limited access, look for PIM.

5. If the question involves a group, check if it mentions "role-assignable."

6. For compliance vs. security, remember: Compliance = Purview, Security = Defender.

Mastering these patterns will help you quickly eliminate distractors and select the correct answer.

Key Takeaways

There are over 60 built-in admin roles in Azure AD; always choose the most specific role for the task.

Global Administrator has full access; use it sparingly and with PIM for just-in-time access.

Helpdesk Administrator can reset passwords only for non-admin users; for admin users, use Privileged Authentication Administrator or Global Admin.

Role-assignable groups simplify role management but must have assigned membership (not dynamic).

Custom roles require Azure AD Premium P1/P2 and cannot include high-privilege permissions.

Administrative units allow scoping roles to specific subsets of users, groups, or devices.

PIM provides time-bound role activation with MFA and approval, enforcing least privilege.

Audit logs retain 30 days for Free/P1, 365 days for Premium P2; review them regularly.

Privileged Role Administrator can assign any role, including Global Admin; this role is highly sensitive.

The principle of least privilege minimizes security risks by granting only necessary permissions.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Built-in Roles

Predefined by Microsoft with fixed sets of permissions.

Some built-in roles are available without any Azure AD Premium license.

Cannot be modified; you must use them as-is.

Cover most common administrative scenarios.

Easier to manage and audit because they are well-documented.

Custom Roles

Created by administrators to meet specific needs not covered by built-in roles.

Require Azure AD Premium P1 or P2.

Allow you to select individual permissions from a list of over 1,000 actions.

Cannot include high-privilege permissions like role management or subscription management.

More complex to set up and maintain; may require updates as permissions change.

Watch Out for These

Mistake

Global Administrator is the only role that can reset passwords for all users.

Correct

Privileged Authentication Administrator and Authentication Administrator can also reset passwords for all users, including admins. Helpdesk Administrator and Password Administrator can only reset passwords for non-admin users.

Mistake

Custom roles can include any permission available in Azure AD.

Correct

Custom roles cannot include high-privilege permissions such as managing role assignments, subscriptions, or Global Administrator-level actions. These are reserved for built-in roles.

Mistake

Role-assignable groups can be dynamic groups.

Correct

Role-assignable groups must have assigned membership. Dynamic groups cannot be used for role assignment because membership changes automatically could grant roles unexpectedly.

Mistake

All admin roles have tenant-wide scope by default.

Correct

Roles can be scoped to administrative units (AUs). When scoped, the admin only has permissions over resources in that AU. This allows granular delegation.

Mistake

The Microsoft 365 admin center shows all available roles.

Correct

The admin center shows a subset of commonly used roles. For the full list of over 60 roles, you must use the Azure AD portal or PowerShell.

Frequently Asked Questions

What is the difference between Helpdesk Administrator and User Administrator?

Helpdesk Administrator can reset passwords and manage service requests for non-admin users only. User Administrator can create and manage users and groups, reset passwords for non-admin users, and manage licenses. User Administrator has broader permissions, including the ability to create and delete users. For least privilege, if the task is only password resets, choose Helpdesk Administrator. If the task includes user management, choose User Administrator.

Can I assign a role to a security group?

Yes, but only if the group is marked as role-assignable (isAssignableToRole=true). Such groups must have assigned membership (not dynamic). Only Global Administrators and Privileged Role Administrators can create these groups. Assigning a role to a group grants the role to all members of the group.

What is the default admin role when you first create a Microsoft 365 tenant?

The person who signs up for the subscription automatically becomes a Global Administrator. This is the default and cannot be changed during initial setup. It is recommended to create additional admin accounts with limited roles and use PIM for Global Admin access.

How do I reset the password for a Global Administrator?

Only another Global Administrator can reset the password of a Global Administrator. If you are locked out, you must use the self-service password reset (SSPR) if enabled, or contact Microsoft support. This is because no other role has the permission to modify a Global Admin.

What is the difference between Security Administrator and Compliance Administrator?

Security Administrator manages security features such as Microsoft 365 Defender, Azure AD Identity Protection, Conditional Access, and security alerts. Compliance Administrator manages compliance features like Data Loss Prevention (DLP), eDiscovery, retention policies, and compliance score. They are separate domains; a Security Admin cannot access compliance settings and vice versa.

Can I use a custom role to grant Global Administrator permissions?

No. Custom roles cannot include high-privilege permissions such as managing role assignments or subscriptions. The ability to assign roles is reserved for the built-in Global Administrator and Privileged Role Administrator roles. Custom roles are for granular, lower-privilege tasks.

How long are Azure AD audit logs retained?

For Azure AD Free and Premium P1, audit logs are retained for 30 days. For Azure AD Premium P2, retention is 365 days. This is important for compliance and forensic investigations. You can export logs to a storage account or SIEM for longer retention.
