Every SharePoint Implementation can vary, but Microsoft 365 offers a great list of Roles and Responsibilities that can be used to create order within your SharePoint site structure.
Here is a list of the most common roles and their responsibilities that will help you understand the logical hierarchy for your setup.
Billing Admin:
Assign the Billing admin role to users who:
- Make purchases
- Manage subscriptions and service requests
- Monitor service health
Billing admins also can:
- Manage all aspects of billing
- Create and manage support tickets in the Azure portal
Exchange Admin
Assign the Exchange admin role to users who need to view and manage your user’s email mailboxes, Microsoft 365 groups, and Exchange Online.
Exchange admins can also:
- Recover deleted items in a user’s mailbox
- Set up “Send As” and “Send on behalf” delegates
Global Admin
Assign the Global admin role to users who need global access to most management features and data across Microsoft online services.
Giving too many users global access is a security risk. We recommend that you have between two and four Global admins.
Only global admins can:
- Reset passwords for all users
- Add and manage domains
Note: The person who first signed up for Microsoft online services in your organisation automatically becomes a Global admin.
Global Reader
Assign the global reader role to users who need to view admin features and settings in admin centres that the global admin can view. This is a good method of keeping Admin control within a compliance structure without providing Global control in too many hands.
The global reader admin cannot edit any settings.
Groups Admin
Assign the groups admin role to users who need to manage all groups settings across admin centres, including the Microsoft 365 admin centre and Azure Active Directory portal.
Groups admins can:
- Create, edit, delete, and restore Microsoft 365 groups
- Create and update group creation, expiration, and naming policies
- Create, edit, delete, and restore Azure Active Directory security groups
Helpdesk Admin
Assign the Helpdesk admin role to users who need to:
- Reset passwords
- Force users to sign out
- Manage service requests
- Monitor service health
Note: The Helpdesk admin can only help non-admin users and users assigned these roles: Directory reader, Guest inviter, Helpdesk admin, Message centre reader, and Reports reader.
License Admin
Assign the License admin role to users who need to assign and remove licenses from users and edit their usage location.
License admins can also:
- Reprocess license assignments for group-based licensing
- Assign product licenses to groups for group-based licensing
Office Apps Admin
Assign the Office Apps admin role to users who need to do the following:
- Use the Office cloud policy service to create and manage cloud-based policies for Office
- Create and manage service requests
- Manage the What’s New content that users see in their Office apps
- Monitor service health
Password Admin
Assign the Password admin role to a user who needs to reset passwords for non-administrators and Password Administrators.
Message Centre Reader
Assign the Reports reader role to users who need to:
- Monitor message centre notifications
- Get weekly email digests of message centre posts and updates
- Share message centre posts
- Have read-only access to Azure AD services, such as users and groups
Power Platform Admin
Assign the Power Platform admin role to users who need to do the following:
- Manage all admin features for PowerApps, Microsoft Flow, and data loss prevention
- Create and manage service requests
- Monitor service health
Reports Reader
Assign the Reports reader role to users who need to do the following:
- View usage data and the activity reports in the Microsoft 365 admin centre
- Get access to the Power BI adoption content pack
- Get access to sign-in reports and activity in Azure AD
- View data returned by Microsoft Graph reporting API
Service Support Admin
Assign the Service Support admin role as an additional role to admins or users who need to do the following in addition to their usual admin role:
- Open and manage service requests
- View and share message centre posts
- Monitor service health
SharePoint Admin
Assign the SharePoint admin role to users who need to access and manage the SharePoint Online admin centre.
SharePoint admins can also:
- Create and delete sites
- Manage site collections and global SharePoint settings
Teams Service Admin
Assign the Teams service admin role to users who need to access and manage the Teams admin centre.
Teams service admins can also:
- Manage meetings
- Manage conference bridges
- Manage all org-wide settings, including federation, teams upgrade, and teams client settings
User Admin
Assign the User admin role to users who need to do the following for all users:
- Add users and groups
- Assign licenses
- Manage most users properties
- Create and manage user views
- Update password expiration policies
- Manage service requests
- Monitor service health
The user admin can also do the following actions for users who aren’t Admins and for users assigned to the following roles: Directory Reader, Guest Inviter, Helpdesk Admin, Message Centre Reader, Reports Reader:
- Manage usernames
- Delete and restore users
- Reset passwords
- Force users to sign out
- Update (FIDO) device keys
How to assign Roles to SharePoint users in the Microsoft 365 Admin Centre:
- In the Microsoft 365 admin centre, go to Roles and then select any role to open its detail pane.
- Select the Permissions tab to view the detailed list of what admins assigned that role have permissions to do.
- Select the Assigned or Assigned admins tab to add users to roles.
By using these defined roles in a logical way that aligns with your SharePoint structure, you can make an effective Admin system that will give you peace of mind as your organisation evolves.
If you want help making sense of this, Blackbird Corporate Ltd, is here to help.
Our consultancy services can help you build the most efficient SharePoint system for your organisation and we can offer bespoke training to ensure that everyone from your Global Admins to your Message Center Readers is confident in working with you.
To find out how we can help you, call us on 0800 107 6362 or email training@blackbirdcorporate.co.uk