Office 365 admin roles give users the power of permissions

Two levels of administrative permissions

By default, new accounts created in the Office 365 admin center do not have administrative permissions. An Office 365 user account can have two levels of administrative permissions: customized administrator role and global administrator role.

In a customized administrator role, the user account has one or more individual administrator roles. Available Office 365 admin roles include billing administrator, compliance administrator, Dynamics 365 administrator, Exchange administrator, password administrator, Skype for Business administrator, Power BI service administrator, service administrator, SharePoint administrator and user management administrator.

Some Office 365 admin roles provide application-specific permissions, while others provide service-specific permissions. For example, end users granted an Exchange administrator role can manage Exchange Online, while users with the password administrator role can reset passwords, monitor service health and manage service requests.

Customized administrator configurations benefit both large and small organizations. In large organizations, it's common for separate administrators to manage different services, such as Exchange, Skype for Business and SharePoint. Conversely, small organizations typically have fewer administrators who manage multiple -- if not all -- systems. In either scenario, if additional help is needed for certain tasks, you can assign appropriate administrative roles to the most qualified users, allowing them to make modifications to the tenancy.

The global administrator role provides complete control over Office 365 services. It's the only administrator role that can assign users with Office 365 admin roles. The first account created in a new Office 365 tenancy automatically gets the global administrator role. An organization can give the global administrator role to multiple user accounts, but it's best to restrict this role to as few accounts as possible.

Managing Yammer requires careful planning because it's separate in the Yammer admin center. The highest level of administrative permissions in Yammer is the verified admin role. An organization can give all Office 365 global administrators this role, but regular users with a Yammer verified role shouldn't have it.

Security and compliance permissions

An organization must also decide how to configure permissions in the Security & Compliance Center. These permissions use the same role-based access control (RBAC) permissions model that on-premises Exchange and Exchange Online use.

The Security & Compliance Center features eight role groups that allow a user to perform administrative tasks related to security and compliance. For example, members of the eDiscovery Manager role group receive case management and compliance search roles that allow the user to create, delete and edit eDiscovery cases. These users also can perform search queries across mailboxes.

Office 365 provides 29 different roles that an organization can add to role groups, and each role holds different security and compliance permissions. This comprehensive range of role groups and available roles means that an organization must determine the most appropriate security and compliance permissions model.

It's important to understand differences in role groups and plan permissions accordingly. For example, both the Security & Compliance Center and Exchange Online have role groups named organization management, but they are separate entities and serve different permissions purposes.

Multifactor authentication matters

Enabling Azure multifactor authentication adds another layer of protection around Office 365 accounts with administrator access. Administrators provide proof of their identity via a second authentication factor, such as a phone call acknowledgement, text message verification code or phone app notification, each time they log into the Office 365 account.

If the business uses Azure multifactor authentication, it should educate administrators and service desk staff to ensure everyone knows operational and service desk procedures involved with the security service.

Keep tabs on administrator actions

As administrators make changes to the systems and grant or revoke permissions to users and other administrators, you'll need a way to review these actions.

In the Office 365 Security & Compliance Center, an organization can enable audit logging and search the log for details of administrator activities from the last 90 days. This log tracks a wide range of administrator actions, such as user deletion, password resets, group membership changes and eDiscovery activities.