In Office 365 there are a number of different Administrator roles you can assign to users according to their job functions in Office 365. Most users will fit into the User (no administrator access) assignment: they only have access to the applications they are licensed for inside Office 365, not the Admin center. What I’ve been noticing lately is that people don’t make good use of the Customized Admin roles; they put their admin users under Global administrator and trust that those users will do only what they need. This isn’t a great security practice, especially in the cloud where the authentication mechanisms are open to the internet. Because the cloud by its nature is internet accessible, it’s even more important to keep tabs on strong security practices such as least privilege, which is why I’d like to talk about the Customized administrator roles. Let’s get into this and talk about each role.
The first user you ever create in your tenant will be a Global administrator, and it’s very important to restrict this role. Typically I would recommend no more than 2 people (or possibly your system administration department) have this role, or even 1 user and 1 generic account. Make sure you have a valid email address assigned to these accounts in case you do forget a password. The Global administrator account is just what it sounds like: it has access to everything in your Office 365 tenant, and it can be used to assign all of the other Customized administrator roles to other users.
Customized administrator roles:
These roles can be assigned to different individuals, or multiple roles can be assigned to one individual. It’s important to understand what each does so that when you do combine them you know exactly what permissions you are assigning. This will ensure your users get the permissions they need in an efficient manner. I’ve often seen in the past people just “play” around with permissions until they get something that works, but ignore security. When your outcome requires the combination of working and secure, it becomes much more thought-provoking to make sure you get the right combination. In Active Directory this can be tricky; in Office 365 it’s relatively easy once you understand the Customized administrator roles.
Note: If you are taking 70-346 and 70-347 you will need to understand what these roles do; there are more than a few questions on Customized administrator roles and some of them can be tricky. What I am doing is re-interpreting the matrix found here: Office 365 Admin Roles Matrix
The Billing Admin role should be assigned to accounting users. They have very limited access to the Admin center: they can only view the organization and user information, manage support tickets, and perform billing and purchasing operations. The only other function available to this user type is the ability to view service health and message center posts. It’s important to know that this is the ONLY user type, other than the Global admin, that has access to billing and purchasing options.
Tip: If your test question or requirements talk about access to Billing and purchasing, only this user and the Global admin have access to this module. In a least privilege question, the Billing Admin is a good answer.
The Password admin account should primarily be thought of as an account that resets users’ passwords, and only users’ passwords. This account type cannot reset admin account passwords. It can pretty much only be used to reset passwords, too; you cannot create accounts with it.
The Service admin role on its own is one I haven’t quite figured out yet. It was designed solely to manage support requests and view the health of services, but on its own it can’t do anything else. I imagine in combination with Password Admin or another role it’d be more useful.
User management admin:
The User management admin role is something like a junior admin. Its focus is really to manage users. It has more permissions than Password Admin. With this account you can create, edit and delete users and groups, with the exception of other admins, and you can manage and view user licenses with it (but not for users with Admin roles).
The other Admin roles available are application specific (Exchange, SharePoint and Skype for Business) and they give Admin permissions over specific applications. They become useful when you have enough users to warrant separating out the roles; however, in most cases one user will have admin access to all of these. I like to use these accounts for consultants where you want to give them access to the application but not to the Office 365 Admin Center.
Exchange administrator:
Grants access to EAC (Exchange admin center)
SharePoint administrator:
Grants administrative access to SharePoint admin center and can perform any tasks within SharePoint.
Skype for Business administrator:
Grants access to Skype for Business admin center
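Putting the roles above together, here is an added PowerShell example (not from the original post) that audits who holds each of these roles in a tenant and flags the two least-privilege problems discussed: more Global administrators than the recommended two, and users who sit in Global administrator while also holding a customized role that Global already covers. It uses the MSOnline module’s cmdlets; the mapping from the portal role labels to the names the module uses is the module’s own, while the Global admin threshold, the accounting user address, and the final role change are placeholders for your tenant.

```powershell
# Added example (not from the original post): audit Office 365 admin role
# membership with the MSOnline module and flag departures from least privilege.
# Assumes the MSOnline module is installed and the signed-in account may read
# role membership. The threshold of 2 Global admins follows the post's
# recommendation; the accounting user address is a placeholder.

Import-Module MSOnline
Connect-MsolService   # prompts for credentials

# Portal label -> MSOnline role name (the cmdlets use the right-hand names)
$AdminRoles = [ordered]@{
    'Global administrator'             = 'Company Administrator'
    'Billing administrator'            = 'Billing Administrator'
    'Password administrator'           = 'Helpdesk Administrator'
    'Service administrator'            = 'Service Support Administrator'
    'User management administrator'    = 'User Account Administrator'
    'Exchange administrator'           = 'Exchange Service Administrator'
    'SharePoint administrator'         = 'SharePoint Service Administrator'
    'Skype for Business administrator' = 'Lync Service Administrator'
}

$MaxGlobalAdmins = 2   # the post's recommendation

# 1. Report who holds each role
$Report = foreach ($label in $AdminRoles.Keys) {
    $role = Get-MsolRole -RoleName $AdminRoles[$label]
    Get-MsolRoleMember -RoleObjectId $role.ObjectId | ForEach-Object {
        [pscustomobject]@{
            Role        = $label
            Member      = $_.EmailAddress
            DisplayName = $_.DisplayName
            MemberType  = $_.RoleMemberType
        }
    }
}
$Report | Sort-Object Role, Member | Format-Table -AutoSize

# 2. Flag too many Global admins
$globals = @($Report | Where-Object Role -eq 'Global administrator')
if ($globals.Count -gt $MaxGlobalAdmins) {
    Write-Warning ("{0} Global administrators found; the post recommends no more than {1}." -f $globals.Count, $MaxGlobalAdmins)
}

# 3. Flag Global admins who also hold a customized role: Global already
#    includes everything the customized role grants, so the extra role is a
#    sign the user was never moved down to least privilege.
$Report |
    Where-Object { $_.Role -ne 'Global administrator' -and ($globals.Member -contains $_.Member) } |
    ForEach-Object { Write-Warning "$($_.Member) is a Global admin and also holds $($_.Role)." }

# 4. Move one accounting user from Global admin to Billing admin
#    (placeholder address; the only role besides Global with billing access)
$accountingUser = 'accounting.user@contoso.example'   # placeholder
Add-MsolRoleMember    -RoleName 'Billing Administrator' -RoleMemberEmailAddress $accountingUser
Remove-MsolRoleMember -RoleName 'Company Administrator' -RoleMemberEmailAddress $accountingUser
```

Run steps 1 to 3 on their own first; they only read role membership. Step 4 is the kind of change the post recommends for an accounting user, adding the customized role before removing Global administrator so the user never ends up with no access at all.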
I would highly recommend you look at assigning these permissions to your administrators and consultants. Don’t assign everyone as a Global admin and if you are writing 70-346 and 70-347 know these roles well.