This chapter covers Microsoft 365 admin roles and permissions, a core topic for MS-900 that appears in roughly 10-15% of exam questions. You will learn the built-in roles, how they are scoped, and how to delegate administration securely. Understanding roles is critical for managing access, compliance, and security in any Microsoft 365 deployment. The exam tests your ability to identify the correct role for a given task and to understand the principle of least privilege.
Think of Microsoft 365 as a large corporate office building. Every employee (user) gets a basic access card that lets them enter the building and go to their own cubicle (basic user permissions). But some employees need more access: the IT manager needs a master key to all server rooms (Global Administrator), the HR team needs access to the personnel file room (Human Resources Administrator), the helpdesk staff need keys to the IT support closet (Helpdesk Administrator). Each role is like a specific set of keys and badges that grant access to certain rooms and actions. The building’s security system (Azure AD) checks each card at every door—if the card doesn't have permission for that door, the door stays locked. Importantly, the security system logs every attempt, so you can see who entered which room and when (audit logs). Also, if you give someone too many keys (elevated privileges), they could accidentally or intentionally access sensitive areas. That's why the principle of least privilege is enforced: only give the keys needed for the job. In Microsoft 365, roles are exactly these sets of permissions, and administrators assign them through the Azure AD portal or PowerShell.
What Are Admin Roles and Why Do They Exist?
Microsoft 365 uses role-based access control (RBAC) to grant permissions to administrators. Instead of assigning permissions individually to each user, permissions are grouped into roles, and users (or groups) are assigned to those roles. This simplifies management and enforces least privilege. The roles are defined in Azure Active Directory (Azure AD) and apply across Microsoft 365 services—Exchange Online, SharePoint Online, Teams, and more. The exam expects you to know the most common built-in roles and their typical use cases.
How Roles Work Internally
When a user performs an action in Microsoft 365, the system checks the user's role assignments. Each role has a set of permissions defined as a collection of 'roleDefinitions' in Azure AD Graph or Microsoft Graph. For example, the User Administrator role includes permissions to reset passwords, manage licenses, and update user profiles. The check is done at the API level: every operation calls the authorization service, which evaluates whether the user's role includes the required permission. If not, the operation is denied with an access denied error. Audit logs record all authorization attempts.
Key Built-in Roles
Microsoft 365 provides dozens of built-in roles. The most important for MS-900 are:
Global Administrator: Has full access to all administrative features in Microsoft 365. This is the most powerful role. There should be at least two but no more than four Global Administrators for security.
Billing Administrator: Can manage subscriptions, purchase services, and view invoices. Cannot manage users or reset passwords.
User Administrator: Can create and manage users, reset passwords, and manage groups. Cannot delete a Global Administrator or manage roles.
Helpdesk Administrator: Can reset passwords and force sign-out for non-administrators. Cannot change user roles.
Exchange Administrator: Full control over Exchange Online, including mailboxes, distribution groups, and anti-spam settings.
SharePoint Administrator: Full control over SharePoint Online, including site collections and OneDrive.
Teams Administrator: Full control over Microsoft Teams, including policies and meeting settings.
Security Administrator: Can manage security-related features like conditional access, identity protection, and security alerts.
Compliance Administrator: Can manage compliance features like data loss prevention (DLP), eDiscovery, and retention policies.
Global Reader: Can read all administrative settings but cannot make changes. Useful for auditing.
Role Scopes
Roles can be scoped to the entire organization (tenant-wide) or to a specific administrative unit (AU). An AU is a container of resources (users, groups, devices) that allows delegated administration. For example, you can assign a Helpdesk Administrator role scoped to the 'Sales' AU, so that admin can only manage users in the Sales department. This is called 'scoped administration' and is tested on the exam.
Default Role Assignments
When you create a Microsoft 365 tenant, the first account is automatically assigned the Global Administrator role. Microsoft recommends that you use separate accounts for administrative tasks (not your everyday user account). You can also create custom roles if the built-in roles don't meet your needs, but the exam focuses on built-in roles.
How to Assign Roles
Roles can be assigned through:
- Microsoft 365 Admin Center: Navigate to Users > Active users, select a user, click 'Manage roles', and check the appropriate role.
- Azure AD Portal: Under Azure Active Directory > Roles and administrators, select a role and add members.
- PowerShell: Use the Add-MsolRoleMember or Add-AzureADDirectoryRoleMember cmdlet.
- Microsoft Graph API: Use the POST /directoryRoles/{role-id}/members endpoint.
Example PowerShell command to add a user to the User Administrator role:
Add-AzureADDirectoryRoleMember -ObjectId <roleObjectId> -RefObjectId <userObjectId>
Role Activation and Privileged Identity Management (PIM)
Azure AD Privileged Identity Management (PIM) provides just-in-time (JIT) access to roles. Instead of permanently assigning a role, you can make a user 'eligible' for a role, and they must activate it with approval and for a limited time. This reduces the risk of standing privileges. PIM also generates activation reports. The exam may ask about PIM as a security best practice.
Role Permissions and Delegation
Each role has a specific set of permissions. For example, the 'User Administrator' role includes:
Read all users
Create users
Update user properties
Reset passwords
Manage user licenses
Manage groups
But it cannot:
Delete a Global Administrator
Manage roles
Access security features
This granularity is defined in the role definition. The exam expects you to know which role can perform which task.
Interaction with Service-Specific Roles
Some services have their own admin roles. For example, Exchange Online has 'Organization Management' and 'View-Only Organization Management' role groups. These are separate from Azure AD roles but can be synchronized. In the exam, be careful: a user with Global Administrator in Azure AD has full access to Exchange Online, but an Exchange Administrator only has Exchange-specific permissions.
Audit and Monitoring
All role assignment changes and administrative actions are logged in the Azure AD audit logs and the unified audit log. You can view these in the Security & Compliance Center. The exam may test that you know where to find audit logs.
Common Misconfigurations
Assigning Global Administrator to too many users.
Not using scoped roles when delegating administration.
Not enabling PIM for critical roles.
Using a single account for both user and admin tasks.
Summary of Key Points for the Exam
Know the most common built-in roles: Global Admin, User Admin, Billing Admin, Helpdesk Admin, Exchange Admin, SharePoint Admin, Teams Admin, Security Admin, Compliance Admin.
Understand that Global Admin has full access and should be limited.
Know that roles can be scoped to administrative units.
Remember that PIM provides JIT access and requires Azure AD Premium P2.
Be able to identify which role can perform a given task.
Exam Trap
A common trap is confusing 'Helpdesk Administrator' with 'User Administrator'. Helpdesk Admin can only reset passwords for non-admins, while User Admin can also create users and manage groups. Another trap: 'Billing Administrator' can manage subscriptions but cannot manage users. The exam often asks 'Which role can reset a user's password?' The answer is Helpdesk Administrator or User Administrator, not Billing Administrator.
Identify the administrative task
Determine what needs to be done: reset a password, manage a license, create a user, etc. This determines the required permission. For example, resetting a non-admin password requires the 'Reset password' permission, which is included in Helpdesk Admin and User Admin roles.
Check the built-in role definitions
Review the permissions of each built-in role. Microsoft provides documentation listing each role's permissions. For instance, the Billing Administrator role includes 'View invoices' and 'Manage subscriptions' but not 'Reset passwords'. This step is crucial to avoid assigning too much privilege.
Select the appropriate role
Choose the role that has exactly the permissions needed. If no built-in role fits, consider creating a custom role (though this is less common in exam scenarios). For example, to manage user licenses without resetting passwords, use the License Administrator role.
Assign the role to the user or group
Use the Microsoft 365 Admin Center, Azure AD portal, PowerShell, or Graph API to assign the role. If using PIM, make the user eligible rather than permanently assigned. The assignment takes effect almost immediately (typically within a few minutes).
Verify the assignment and monitor
After assignment, test that the user can perform the intended task and cannot perform tasks outside the role. Check audit logs to confirm the assignment. Periodically review role assignments to ensure least privilege.
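As an added example (not code from the original page), here is how steps 1 through 5 above, together with the earlier sections on scoped roles and PIM, look when scripted with the Microsoft Graph PowerShell SDK instead of the AzureAD module command shown earlier. The AU name 'Sales', both user principal names, the justification text and the one-year eligibility window are placeholders.

```powershell
# Added example, not from the original page: delegate administration with the Microsoft
# Graph PowerShell SDK (Microsoft.Graph module). AU name, UPNs and PIM settings are placeholders.
$scopes = @("RoleManagement.ReadWrite.Directory", "RoleEligibilitySchedule.ReadWrite.Directory",
            "AdministrativeUnit.Read.All", "User.Read.All", "AuditLog.Read.All")
Connect-MgGraph -Scopes $scopes

# Steps 1-3: the task is "reset passwords for Sales users only", so the least-privileged
# fit is Helpdesk Administrator scoped to the Sales administrative unit, not User Administrator.
$role  = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Helpdesk Administrator'"
$au    = Get-MgDirectoryAdministrativeUnit -Filter "displayName eq 'Sales'"
$tier1 = Get-MgUser -UserId "tier1.helpdesk@contoso.example"   # placeholder UPN

# Step 4: active assignment whose directory scope is the AU rather than "/" (tenant-wide).
New-MgRoleManagementDirectoryRoleAssignment `
    -PrincipalId $tier1.Id `
    -RoleDefinitionId $role.Id `
    -DirectoryScopeId "/administrativeUnits/$($au.Id)"

# Global Administrator is not assigned permanently: make the senior admin eligible through
# PIM so the role has to be activated for a limited time (requires Azure AD Premium P2).
$gaRole = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"
$senior = Get-MgUser -UserId "senior.admin@contoso.example"   # placeholder UPN
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter @{
    action           = "adminAssign"
    principalId      = $senior.Id
    roleDefinitionId = $gaRole.Id
    directoryScopeId = "/"
    justification    = "Tier 0 eligibility, reviewed in quarterly access review"   # placeholder
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = "afterDuration"; duration = "P365D" }   # eligibility lapses after a year
    }
}

# Step 5: verify the scope actually stuck, then confirm the change landed in the audit log.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($tier1.Id)'" |
    Select-Object RoleDefinitionId, DirectoryScopeId
Get-MgAuditLogDirectoryAudit -Filter "category eq 'RoleManagement'" -Top 10 |
    Select-Object ActivityDateTime, ActivityDisplayName,
                  @{ n = 'Actor'; e = { $_.InitiatedBy.User.UserPrincipalName } }
```

The DirectoryScopeId in the verification output should read /administrativeUnits/<AU id>; a value of / would mean the helpdesk account was granted tenant-wide rights by mistake.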
In a large enterprise with 10,000 users, the IT department typically has a tiered administration model. Tier 1 helpdesk staff are assigned the Helpdesk Administrator role scoped to specific administrative units (e.g., by department). This allows them to reset passwords for their assigned users only. Tier 2 support has User Administrator role for the entire organization to manage user creation and licensing. A separate team handles security with Security Administrator role, and another handles compliance with Compliance Administrator role. The Global Administrator role is assigned to only two senior IT managers, and they use PIM to activate it only when needed.
A common problem occurs when a helpdesk admin is accidentally assigned the User Administrator role, allowing them to create new users and potentially create unauthorized accounts. To prevent this, organizations use Azure AD access reviews to periodically review role assignments. Another issue is shadow admins: users who are not direct members of a role but have permissions through group membership. To mitigate, use role-assignable groups (Azure AD Premium P1) that allow groups to be assigned to roles.
Performance considerations: Role assignment changes are replicated across all datacenters within minutes. However, in very large tenants, there can be a slight delay (up to 15 minutes) for permissions to take effect globally. The audit log can handle millions of events per day, but queries should be scoped to a date range to avoid performance issues.
Misconfiguration: A company once assigned the Global Administrator role to all IT staff for convenience. When a disgruntled employee deleted critical user accounts, the company had to restore from backup. They now enforce strict role-based access with PIM and require all admin actions to be approved through a change management process.
The MS-900 exam tests admin roles and permissions under objective 1.2 'Describe the core capabilities of Microsoft 365'. Specifically, you need to know:
The purpose of role-based access control (RBAC) in Microsoft 365.
The most common built-in roles: Global Administrator, Billing Administrator, User Administrator, Helpdesk Administrator, Exchange Administrator, SharePoint Administrator, Teams Administrator, Security Administrator, Compliance Administrator, Global Reader.
The principle of least privilege and how to delegate administration.
The concept of administrative units for scoped roles.
Privileged Identity Management (PIM) as a security feature.
Common wrong answers:
1. 'Assign Global Administrator to all helpdesk staff.' This is wrong because it violates least privilege. The correct approach is to assign Helpdesk Administrator.
2. 'Billing Administrator can reset user passwords.' Wrong; Billing Admin only manages subscriptions and billing.
3. 'User Administrator can delete a Global Administrator.' Wrong; only Global Admin can manage other Global Admins.
4. 'Helpdesk Administrator can manage user licenses.' Wrong; Helpdesk Admin cannot manage licenses; that requires User Admin or License Admin.
Exam-specific numbers and terms:
There are about 60 built-in roles, but you only need to know the 10 listed above.
PIM requires Azure AD Premium P2.
Administrative units are available in Azure AD Premium P1.
The default Global Admin count should be at least 2 but no more than 4.
Edge cases:
A user with Global Reader can read all settings but cannot make changes. This is often tested as 'Which role can view security settings but not modify them?'
Custom roles exist but are rarely tested; know they can be created if needed.
Some roles are service-specific (e.g., Exchange Admin) and do not grant access to other services.
Elimination strategy: When you see a question about which role can perform a task, first eliminate roles that clearly don't have that permission (e.g., Billing Admin for password resets). Then consider the scope: if the task is user management, User Admin or Helpdesk Admin are candidates. If it involves security, Security Admin. If it involves billing, Billing Admin. If it involves all, Global Admin.
Global Administrator has full access; limit to 2-4 users.
Helpdesk Administrator can reset non-admin passwords; User Administrator can also create users and manage licenses.
Billing Administrator manages subscriptions and invoices, not users.
Roles can be scoped to administrative units for delegated administration.
Privileged Identity Management (PIM) provides just-in-time access and requires Azure AD Premium P2.
Global Reader can view all settings but cannot make changes.
Exchange, SharePoint, and Teams Administrators have service-specific full control.
Security Administrator manages security features; Compliance Administrator manages compliance features.
Role assignments are logged in Azure AD audit logs.
Always follow the principle of least privilege.
These come up on the exam all the time. Here's how to tell them apart.
Global Administrator
Full access to all Microsoft 365 administrative features.
Can manage all users, groups, and roles.
Can reset passwords for any user including other admins.
Should be limited to 2-4 users.
Has access to security and compliance centers.
User Administrator
Can manage users and groups but not roles.
Cannot delete or manage Global Administrators.
Can reset passwords for non-admin users only.
Can assign licenses to users.
Cannot access security or compliance centers.
Mistake
Global Administrator is the only role that can manage users.
Correct
User Administrator and Helpdesk Administrator can also manage users, but with limited permissions. User Admin can create users and reset passwords; Helpdesk Admin can only reset passwords for non-admins.
Mistake
Billing Administrator can manage user licenses.
Correct
Billing Administrator can view and manage subscriptions, but cannot assign licenses to users. That requires User Administrator or License Administrator.
Mistake
Helpdesk Administrator can reset passwords for any user including Global Administrators.
Correct
Helpdesk Administrator can only reset passwords for non-administrator users. Resetting a Global Admin's password requires a Global Admin or Privileged Authentication Administrator.
Mistake
Assigning a role to a group automatically grants permissions to all group members.
Correct
Yes, if the group is a role-assignable group (available in Azure AD Premium P1). Regular groups cannot be assigned to roles. This is a common trap.
Mistake
All admin roles are available in every Microsoft 365 subscription.
Correct
Some roles require specific licenses. For example, PIM requires Azure AD Premium P2. Also, some roles, like Kaizala Administrator, require the Kaizala service.
Global Administrator has full access to all Microsoft 365 administrative features, including managing other admins and accessing security/compliance centers. User Administrator can manage users and groups but cannot manage roles or delete Global Administrators. User Administrator can reset passwords for non-admins only, while Global Admin can reset any password.
Yes, but only if the group is a role-assignable group, which requires Azure AD Premium P1 license. Regular security groups cannot be assigned to roles. Role-assignable groups can be used to delegate administration to multiple users without assigning roles individually.
PIM provides just-in-time (JIT) access to Azure AD roles. Instead of having permanent role assignments, users are made eligible and must activate the role for a limited time, often with approval. This reduces the risk of standing privileges and helps meet compliance requirements. PIM requires Azure AD Premium P2.
Helpdesk Administrator can reset passwords for non-administrator users. User Administrator can also reset passwords for non-admins. Global Administrator and Privileged Authentication Administrator can reset passwords for any user, including other admins. Billing Administrator cannot reset passwords.
Administrative units (AUs) are Azure AD containers that allow you to delegate administrative tasks to a subset of users. For example, you can create an AU for the Sales department and assign a Helpdesk Administrator role scoped to that AU, so the admin can only manage users in Sales. AUs require Azure AD Premium P1.
Microsoft recommends at least two, but no more than four Global Administrators. This ensures redundancy without increasing risk. Additional administrators should be assigned more specific roles like User Administrator or Security Administrator.
Yes, Global Reader can view all administrative settings, including security and compliance settings, but cannot make any changes. This is useful for auditing or for personnel who need to review configurations without modifying them.