-->
Microsoft 365 or Office 365 subscription comes with a set of admin roles that you can assign to users in your organization using the Microsoft 365 admin center. Each admin role maps to common business functions and gives people in your organization permissions to do specific tasks in the admin centers.
The Microsoft 365 admin center lets you manage Azure AD roles and Microsoft Intune roles. However, these roles are a subset of the roles available in the Azure AD portal and the Intune admin center.
Microsoft To-Do is a new, intelligent task management app that makes it easy to plan and manage your day.
- Microsoft To Do is a cloud-based personal task management tool. It is part of an Office 365 suite, so that means that it is accessible, just like the rest of Office 365 apps in the cloud (read: from any device with an internet connection). Microsoft To Do vs.
- As of April 21, 2020, the official branding of Microsoft's productivity suite has changed from Office 365 to just Microsoft 365. The new naming convention reflects Microsoft's strategy of providing.
- To-Do is a task management app that helps you organize your day. It has an innovative 'My Day' feature that lets you plan every day from scratch by pulling i.
- Get started with Office 365 for free. Students and educators at eligible institutions can sign up for Office 365 Education for free, including Word, Excel, PowerPoint, OneNote, and now Microsoft Teams, plus additional classroom tools. Use your valid school email address to get started today.
Before you begin
Looking for the full list of detailed Azure AD role descriptions you can manage in the Microsoft 365 admin center? Check out Administrator role permissions in Azure Active Directory. Administrator role permissions in Azure Active Directory.
Looking for the full list of detailed Intune role descriptions you can manage in the Microsoft 365 admin center? Check out Role-based access control (RBAC) with Microsoft Intune.
For more information on assigning roles in the Microsoft 365 admin center, see Assign admin roles.
Microsoft 365 To Do List
Watch: What is an admin?
Security guidelines for assigning roles
Because admins have access to sensitive data and files, we recommend that you follow these guidelines to keep your organization's data more secure.
| Recommendation | Why is this important? |
|---|---|
| Have 2 to 4 global admins | Because only another global admin can reset a global admin's password, we recommend that you have at least 2 global admins in your organization in case of account lockout. But the global admin has almost unlimited access to your org's settings and most of the data, so we also recommend that you don't have more than 4 global admins because that's a security threat. |
| Assign the least permissive role | Assigning the least permissive role means giving admins only the access they need to get the job done. For example, if you want someone to reset employee passwords you shouldn't assign the unlimited global admin role, you should assign a limited admin role, like Password admin or Helpdesk admin. This will help keep your data secure. |
| Require multi-factor authentication for admins | It's actually a good idea to require MFA for all of your users, but admins should definitely be required to use MFA to sign in. MFA makes users enter a second method of identification to verify they are who they say they are. Admins can have access to a lot of customer and employee data and if you require MFA, even if the admin's password gets compromised, the password is useless without the second form of identification. When you turn on MFA, the next time the user signs in, they'll need to provide an alternate email address and phone number for account recovery. Set up multi-factor authentication |
If you get a message in the admin center telling you that you don't have permissions to edit a setting or page, it's because you are assigned a role that doesn't have that permission.
Commonly used Microsoft 365 admin center roles
In the Microsoft 365 admin center, you can go to Roles, and then select any role to open its detail pane. Select the Permissions tab to view the detailed list of what admins assigned that role have permissions to do. Select the Assigned or Assigned admins tab to add users to roles.
You'll probably only need to assign the following roles in your organization. By default, we first show roles that most organizations use. If you can't find a role, go to the bottom of the list and select Show all by Category. (For detailed information, including the cmdlets associated with a role, see Administrator role permissions in Azure Active Directory.)
| Admin role | Who should be assigned this role? |
|---|---|
| Billing admin | Assign the Billing admin role to users who make purchases, manage subscriptions and service requests, and monitor service health. Billing admins also can: - Manage all aspects of billing - Create and manage support tickets in the Azure portal |
| Exchange admin | Assign the Exchange admin role to users who need to view and manage your user's email mailboxes, Microsoft 365 groups, and Exchange Online. Exchange admins can also: - Recover deleted items in a user's mailbox - Set up 'Send As' and 'Send on behalf' delegates |
| Global admin | Assign the Global admin role to users who need global access to most management features and data across Microsoft online services. Giving too many users global access is a security risk and we recommend that you have between 2 and 4 Global admins. Only global admins can: - Reset passwords for all users - Add and manage domains Note: The person who signed up for Microsoft online services automatically becomes a Global admin. |
| Global reader | Assign the global reader role to users who need to view admin features and settings in admin centers that the global admin can view. The global reader admin can't edit any settings. |
| Groups admin | Assign the groups admin role to users who need to manage all groups settings across admin centers, including the Microsoft 365 admin center and Azure Active Directory portal. Groups admins can: - Create, edit, delete, and restore Microsoft 365 groups - Create and update group creation, expiration, and naming policies - Create, edit, delete, and restore Azure Active Directory security groups |
| Helpdesk admin | Assign the Helpdesk admin role to users who need to do the following: - Reset passwords - Force users to sign out - Manage service requests - Monitor service health Note: The Helpdesk admin can only help non-admin users and users assigned these roles: Directory reader, Guest inviter, Helpdesk admin, Message center reader, and Reports reader. |
| License admin | Assign the License admin role to users who need to assign and remove licenses from users and edit their usage location. License admins also can: - Reprocess license assignments for group-based licensing - Assign product licenses to groups for group-based licensing |
| Office Apps admin | Assign the Office Apps admin role to users who need to do the following: - Use the Office cloud policy service to create and manage cloud-based policies for Office - Create and manage service requests - Manage the What's New content that users see in their Office apps - Monitor service health |
| Password admin | Assign the Password admin role to a user who needs to reset passwords for non-administrators and Password Administrators. |
| Service support admin | Assign the Service Support admin role as an additional role to admins or users need to do the following in addition to their usual admin role: - Open and manage service requests - View and share message center posts - Monitor service health |
| SharePoint admin | Assign the SharePoint admin role to users who need to access and manage the SharePoint Online admin center. SharePoint admins can also: - Create and delete sites - Manage site collections and global SharePoint settings |
| Teams service admin | Assign the Teams service admin role to users who need to access and manage the Teams admin center. Teams service admins can also: - Manage meetings - Manage conference bridges - Manage all org-wide settings, including federation, teams upgrade, and teams client settings |
| User admin | Assign the User admin role to users who need to do the following for all users: - Add users and groups - Assign licenses - Manage most users properties - Create and manage user views - Update password expiration policies - Manage service requests - Monitor service health The user admin can also do the following actions for users who aren't admins and for users assigned the following roles: Directory reader, Guest inviter, Helpdesk admin, Message center reader, Reports reader: - Manage usernames - Delete and restore users - Reset passwords - Force users to sign out - Update (FIDO) device keys |
Delegated administration for Microsoft Partners
If you're working with a Microsoft partner, you can assign them admin roles. They, in turn, can assign users in your company, or their company, admin roles. You might want them to do this, for example, if they are setting up and managing your online organization for you.
Microsoft 365 To Do List App
A partner can assign these roles:
Admin Agent Privileges equivalent to a global admin, with the exception of managing multi-factor authentication through the Partner Center.
Helpdesk Agent Privileges equivalent to a helpdesk admin.
Before the partner can assign these roles to users, you must add the partner as a delegated admin to your account. This process is initiated by an authorized partner. The partner sends you an email to ask you if you want to give them permission to act as a delegated admin. For instructions, see Authorize or remove partner relationships.
Microsoft Office 365 2016 Download
Related articles