role assignment policy office 365

Stack Exchange Network

Stack Exchange network consists of 183 Q&A communities including Stack Overflow , the largest, most trusted online community for developers to learn, share their knowledge, and build their careers.

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

How to enforce office 365 custom "role assignment policy" applied default to all new emails to be created?

I have created a RoleAssignmentPolicy called "DisabledForwardingRoleAssignmentPolicy" via Exchange admin center --permissions-- user roles .

I would like to apply "DisabledForwardingRoleAssignmentPolicy" default to all new emails accounts to be created.

In gui of Exchange admin center, there seems to be no way to do this. So I did this by longing to office 365 in powershell.

The command successfully executed. and when I verify it via Get-RoleAssignmentPolicy it says DisabledForwardingRoleAssignmentPolicy is default .

But when I create a new email and when i go to recipients --mailboxes-- select user and mailbox features--- Role assignment policy , still the default policy is applied.

I have to change it manually to DisabledForwardingRoleAssignmentPolicy

What I'm missing here? Please shade a light.

• email-server
• microsoft-office

You need to run "Set-MailboxPlan" cmdlet to change the default role assignment policy to the customize one.

First, run "get-mailboxplan" to confirm which plan your license is used, as below:

Then, run "Set-MailboxPlan" to change the RoleAssignmentPolciy to the customize one:

• You are truly a great resource to serverfault. thanks a lot for your time testing it before posting. I was googling and no correct path was found. It worked. –  user879 Commented May 30, 2018 at 5:21

You must log in to answer this question.

Not the answer you're looking for browse other questions tagged email exchange email-server microsoft-office mailbox ..

• The Overflow Blog
• No code, only natural language: Q&A on prompt engineering with Professor Greg...
• One of the world’s biggest web scrapers has some thoughts on data ownership
• Featured on Meta
• More network sites to see advertising test

Hot Network Questions

• What if the current US president dies after the next president is elected but before inauguration?
• Probability of 2 consecutive heads in an odd number of flips
• Can I waterproof old drywall before battoning it and then fixing cement boards in shower area for tiling?
• Rocket Equation
• Issue with forced linebreaks in the wrapstuff package
• Are Zombees possible?
• What is the meaning of the logo of the Tehran Metro?
• Child thinks the term "eetee" implies an "eater"
• If someone buys a ticket for me, can they check if I am actually on the flight?
• Recommendations on the number of exercises to do from Linear Algebra and It's Applications 6th edition (by Lay & McDonald)
• Formatting \overbrace
• What's a good short, casual term to say "overly likely to prioritize recent ideas"
• Is there an analytical solution for this summation?
• Trimming multi-spline curve with Geometry Nodes
• What happens if you lose "half your life" if you have less than zero life?
• Jiro Horikoshi's Full Personal Diary
• Is extortion prohibited by the Torah?
• How can slow thinkers learn to respond to questions?
• Knight tour graph for a board with holes
• How to extract Polygon Coordinates in order
• The differences among/between three types of renewable energy sources
• How does the QFT circuit correspond to the FFT algorithm?
• Why do I see half of earth’s surface from space but the area of its shadow is only a fourth?
• For a t-distribution, df = n-1. What does n represent?

If you have any other Microsoft account sign in issues, use our  Sign-in helper   tool.

June 12, 2024

Hello! Are you trying to recover or access your Microsoft Account?

• Search the community and support articles
• Outlook.com
• Search Community member

Ask a new question

How to set the default role assignment policy?

I'v created a custom "Default Role Assignment Policy" for my company and want to set it as a default.

There is a way to do it using PowerShell?

Report abuse

Reported content has been submitted​

Hi Vandrey,

Do you mean that you have created a ‘Default Role Assignment Policy’ in Exchange admin center->permissions->user roles-> Default Role Assignment Policy? If so, it will be the default policy automatically after saving your settings.

If you want to replace the built-in default role assignment policy with your own default role assignment policy, you can use the  Set-RoleAssignmentPolicy cmdlet to select a new default. When you do this, any new mailboxes are assigned the role assignment policy you specified by default if you don't explicitly specify a role assignment policy. More information can be found in the article below:

https://technet.microsoft.com/en-us/library/dd638090(v=exchg.160).aspx

To connect to Exchange Online using remote PowerShell:

https://technet.microsoft.com/library/jj984289(v=exchg.160).aspx

If I have misunderstood anything, please let me know.

Was this reply helpful? Yes No

Sorry this didn't help.

Great! Thanks for your feedback.

How satisfied are you with this reply?

Thanks for your feedback, it helps us improve the site.

Thanks for your feedback.

Replies (2) 

Question info.

• Norsk Bokmål
• Ελληνικά
• Русский
• עברית
• العربية
• ไทย
• 한국어
• 中文(简体)
• 中文(繁體)
• 日本語

Home › Insights › Blogs › A Breakdown of Microsoft 365 Admin Roles & Responsibilities (Previously Office 365 Admin Roles)

A Breakdown of Microsoft 365 Admin Roles & Responsibilities (Previously Office 365 Admin Roles)

Updated: January 29, 2021

In a more recent blog post , we talk about how to access Office 365 Security and Compliance Center and a set of new admin roles that can be used while managing permissions from a tenant security/compliance angle.

Original Post: July 1, 2020

Office 365 is now Microsoft 365

Many times, I have been asked questions on the various administrator roles and responsibilities of Microsoft 365 (M365) which prompted me to write this blog. If your organization is new to Microsoft 365 or has already been using a Microsoft 365 (previously Office 365) tenant for some time, it is always critical to spend time reviewing the various admin portal access available. Microsoft has been providing several different roles to target various M365 workloads to help prevent intentional or unintentional internal breaches. Here is a comprehensive list of roles that are available to you within Microsoft 365 along with best practices and recommendations based on my vast experience. If you are currently in the process of migrating to Microsoft 365 , you will need to make sure you have the right admin memberships in place prior to going live.

Advanced/Granular Admin Roles and Permissions

Additionally, if you are part of a larger organization, you should be looking into admin roles with reduced access (using Role-Based Access Control – RBAC), which are only available for both Exchange Online and Microsoft Teams . As your IT department grows larger, you will find these roles useful when dedicating some IT admins to specific areas of Microsoft 365 as you work through best securing your corporate data in your tenant.

Exchange Online

In Exchange Online, there are several built-in role groups that can be used for specific tasks within the service (e.g Compliance work, Troubleshooting, Configuration, etc…) Based on my experience, these are some of the common roles that get assigned:

• Help Desk Role to have admins manage user mailbox settings while being prevented from making changes to mail flow.
• Compliance Role for security admins so they can perform audit log search.

Microsoft Teams

In Teams, the following “sub-roles” are available in addition to the Teams Service Administrator:

Compare Admin Roles

Pro Tip: Given the large number of roles and tasks available to admins in Microsoft 365, it may be challenging sometimes to find out what role to grant for an admin who will performing a specific duty. Microsoft 365 has a built-in tool which helps you compare roles and determine which ones should be used for which administrator. You can access the Roles menu in the Admin Portal: https://admin.microsoft.com/AdminPortal/Home#/rbac/directory , select three roles and click “Compare Roles”

Key Microsoft 365 Best Practices

Here are some guidelines to help you implement admin roles in Microsoft 365:

• Have 2-4 Global Administrators in the tenant and reduce/limit usage of secondary admin roles
• Make sure to enable Multi-Factor on all Global Admins except for one – break glass account
• Create a break glass account directly in the cloud (not synced) with a complex password and store its password in a Password Manager. Make sure not to enable MFA on that account. It should only be used in the event of an outage with MFA.
• In addition to the 2-4 Global Administrators, segment other IT administrators into multiple other admin roles
• Make sure to segment only when necessary, as a deep segmentation may hinder IT admins from performing all their required tasks.

In my next blog , I will talk about different types of roles to manage a Microsoft 365 tenant from a Security and Compliance point of view as opposed to this current blog post which described the more traditional Service-based admin roles.

In conclusion, as the saying goes, with great power comes great responsibility. Take the time to review and compare the roles and assign the right people for the tasks.

For more information on this topic, please reach out to a member of Withum’s Digital and Technology Transformation Services Team .

Measuring Knowledge Management ROI – Part 1 of Microsoft Project Cortex and SharePoint Syntex

Getting your Trinity Audio player ready… Share Microsoft Project Cortex and SharePoint Syntex: Pie in the Sky or ROI Part One: Measuring Knowledge Management ROI. This is the first in […]

Digital Workplace Solutions

Getting your Trinity Audio player ready… Delivering personalized and agile Microsoft Cloud and AI-driven solutions that move your business forward. Technology continues to reshape industries. The cloud and AI have […]

Search Withum.com

Navigation Menu

Search code, repositories, users, issues, pull requests..., provide feedback.

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly.

To see all available qualifiers, see our documentation .

• Notifications You must be signed in to change notification settings

about-admin-roles.md

Latest commit, file metadata and controls, about admin roles in the microsoft 365 admin center.

Check out Microsoft 365 small business help on YouTube.

Microsoft 365 or Office 365 subscription comes with a set of admin roles that you can assign to users in your organization using the Microsoft 365 admin center . Each admin role maps to common business functions and gives people in your organization permissions to do specific tasks in the admin centers.

If you need help with the steps in this topic, consider working with a Microsoft small business specialist . With Business Assist, you and your employees get around-the-clock access to small business specialists as you grow your business, from onboarding to everyday use.

Watch: What is an admin?

Check out this video and others on our YouTube channel .

[!VIDEO https://www.microsoft.com/videoplayer/embed/RE1SRc0 ]

• While signed into Microsoft 365, select the app launcher. If you see the Admin button, then you're an admin.
• Select Admin to go to the Microsoft 365 admin center.
• In the left navigation pane, select Users > Active users .
• Select the person who you want to make an admin. The user's details appear in the right dialog box.

Before you begin

The Microsoft 365 admin center lets you manage Microsoft Entra roles and Microsoft Intune roles. However, these roles are a subset of the roles available in the Microsoft Entra admin center and the Intune admin center.

For the full list of detailed Microsoft Entra role descriptions you can manage in the Microsoft 365 admin center , check out Administrator role permissions in Microsoft Entra built-in roles .

For the full list of detailed Intune role descriptions you can manage in the Microsoft 365 admin center , check out Role-based access control (RBAC) with Microsoft Intune .

For more information on assigning roles in the Microsoft 365 admin center , see Assign admin roles .

Security guidelines for assigning roles

Because admins have access to sensitive data and files, we recommend that you follow these guidelines to keep your organization's data more secure.

If you get a message in the admin center that you don't have permissions to edit a setting or page, it's because you're assigned a role that doesn't have that permission. Talk to another admin to assign you the correct permissions or see Assign admin roles to assign yourself the correct role.

Commonly used Microsoft 365 admin center roles

In the Microsoft 365 admin center, you can go to Role assignments , and then select any role to open its detail pane. Select the Permissions tab to view the detailed list of what admins assigned that role have permissions to do. Select the Assigned or Assigned admins tab to add users to roles.

You'll probably only need to assign the following roles in your organization. By default, we first show roles that most organizations use. If you can't find a role, go to the bottom of the list and select Show all by Category . For detailed information, including the cmdlets associated with a role, see Microsoft Entra built-in roles .

Permissions based on Admin role and Group type in M365 Admin page

Delegated administration for microsoft partners.

If you're working with a Microsoft partner, you can assign them admin roles. They, in turn, can assign users in your company, or their company, admin roles. You may want to assign admin roles to partners if they're setting up and managing your online organization for you.

A partner can assign these roles:

Admin Agent Privileges equivalent to a global admin, except for managing multi-factor authentication through the Partner Center.

Helpdesk Agent Privileges equivalent to a helpdesk admin.

Before the partner can assign these roles to users, you must add the partner as a delegated admin to your account. The partner has to be an authorized partner. The partner sends you an email to ask you if you want to give them permission to act as a delegated admin. For instructions, see Authorize or remove partner relationships .

Volume licensing roles

Permissions to volume licensing information in Microsoft 365 admin center are controlled by the VL Agreement Administrators in Volume Licensing Service Center (VLSC), even for VL roles that predominantly use functionality in the Microsoft 365 admin center rather than VLSC.

Some volume licensing (VL) functionality is now available in Microsoft 365 admin center in a new volume licensing blade visible only to volume licensing users only.

Volume licensing users see no other Microsoft 365 admin center information or functionality.

Microsoft 365 admin center Global Admins have no role in assigning VL user permissions and do not need to assign any admin permissions to VL users for them to see the volume licensing blade.

Volume licensing users must first register on the Volume Licensing Service Center (VLSC), where all roles and permissions for volume licensing functions is managed.

For more information about volume licensing in Microsoft 365 admin center, see Frequently Asked Questions for the Volume Licensing Service Center or contact the Volume Licensing Service team .

Related content

Assign admin roles (article) Microsoft Entra roles in the Microsoft 365 admin center (article) Activity reports in the Microsoft 365 admin center (article) Exchange Online admin role (article)

Nate Chamberlain, Microsoft MCT

Microsoft 365 training and content for modern digital workplaces

Demystifying Microsoft 365 admin roles in Azure AD and the M365 admin center

As a rule of thumb (not to mention for improving your Secure Score ), you should limit the number of people who have the “global admin” role in your organization. Microsoft recommends fewer than 5 global admins . That makes it important to get to know the other roles available and assign the least permissive role (a phrase you’ll see frequently if seeking certifications) rather than blanket roles that often include more permissions than what are necessary (or secure).

Global admins can assign other admin roles, purchase additional products and subscriptions, reset all (including each others’) passwords, and manage absolutely everything in your tenant. So of course you can see why we’d want to restrict how many are working with these capabilities simultaneously.

You may end up assigning five different, non-global admin roles to a user instead of the single global admin role, but your security will be improved significantly.

There are a couple places to assign admin roles: the Azure AD portal , and the M365 admin center . My goal with this post is to consolidate and simplify information on the roles, including which are only available in Azure. I’ve combined information from:

• About admin roles
• Administrator role permissions in Azure Active Directory
• M365 admin center

Those marked with * are only available to assign from Azure AD. All others are in both the M365 admin center AND the Azure portal.

Note: Most role descriptions are copied directly from the resources listed above as of date of publish and are subject to change. Always check Microsoft documentation prior to making significant decisions. 

Available roles

Full access to enterprise applications, application registrations, and application proxy settings.

> Read more about this role on docs.microsoft.com

Create application registrations and consent to app access on their own behalf.

Can require users to re-register authentication for non-password credentials, like MFA.

Can manage Azure DevOps organization policy and settings.

Manages labels for the Azure Information Protection policy, manages protection templates, and activates protection.

Can create and manage all aspects of user flows.

Can create and manage the attribute schema available to all user flows.

Can manage secrets for federation and encryption in the Identity Experience Framework.

Can create and manage trust framework policies in the Identity Experience Framework.

Makes purchases, manages subscriptions, manages service requests, and monitors service health.

Full access to enterprise applications and application registrations. No application proxy.

Full access to manage devices in Azure AD.

Manages regulatory requirements and eDiscovery cases, maintains data governance for locations, identities, and apps.

Can create and manage compliance content.

Manages Azure Active Directory conditional access settings, but not Exchange ActiveSync conditional access policy.

Manages Customer Lockbox requests, can turn Customer Lockbox on or off.

Can access and manage Desktop management tools and services.

Can read basic directory information. Commonly used to grant directory read access to applications and guests.

Do not use. This role is automatically assigned to the Azure AD Connect service, and is not intended or supported for any other use.

This is a legacy role that is to be assigned to applications that do not support the  Consent Framework . It should not be assigned to any users.

Full access to Microsoft Dynamics 365 Online, manages service requests, monitors service health.

Full access to Exchange Online, creates and manages groups, manages service requests, and monitors service health.

Configure identity providers for use in direct federation.

Has unlimited access to all management features and most data in all admin centers.

Has read-only access to all management features and most data in all admin centers.

Creates groups and manages all groups settings across admin centers.

Manages Azure Active Directory B2B guest user invitations.

Resets passwords and re-authenticates for all non-admins and some admin roles, manages service requests, and monitors service health.

Full access to Intune, manages users and devices to associate policies, creates and manages groups.

Full access to all Kaizala management features and data, manages service requests.

Assigns and removes licenses from users and edits their usage location.

Access to data privacy messages in Message center, gets email notifications.

Reads and shares regular messages in Message center, gets weekly email digests, has read-only access to users, groups, domains, and subscriptions.

Manages cloud-based policies for Office and the What’s New content that users see in their Office apps.

Can reset passwords for non-administrators and Password administrators.

Full access to Power BI management tasks, manages service requests, and monitors service health.

Full access to Microsoft Dynamics 365, PowerApps, data loss prevention policies, and Microsoft Flow.

Allowed to view, set and reset authentication method information for any user (admin or non-admin).

Manages role assignments and all access control features of Privileged Identity Management.

Reads usage reporting data from the reports dashboard, PowerBI adoption content pack, sign-in reports, and Microsoft Graph reporting API.

Full access to Microsoft Search, assigns the Search admin and Search editor roles, manages editorial content, monitors service health, and creates service requests.

Can only create, edit, and delete content for Microsoft Search, like bookmarks, Q&A, and locations.

Can read security information and reports, and manage configuration in Azure AD and Office 365.

Can create and manage security events.

Can read security information and reports in Azure AD and Office 365.

Creates service requests for Azure, Microsoft 365, and Office 365 services, and monitors service health.

Full access to SharePoint Online, manages Office 365 groups, manages service requests, and monitors service health.

Full access to all Teams and Skype features, Skype user attributes, manages service requests, and monitors service health.

Full access to Teams & Skype admin center, manages Office 365 groups and service requests, and monitors service health.

Can manage calling and meetings features within the Microsoft Teams service. Assigns telephone numbers, creates and manages voice and meeting policies, and reads call analytics.

Reads call record details for all call participants to troubleshoot communication issues.

Reads user call details only for a specific user to troubleshoot communication issues.

The default role assigned to all users. No admin center access.

Resets user passwords, creates and manages users and groups, including filters, manages service requests, and monitors service health.

Not finding a perfect fit? You can create CUSTOM admin roles in Azure AD if you have Azure AD Premium Plan 1.

Assign admin roles (single or bulk) in M365 admin center

To assign admin roles to a user or multiple users via the M365 admin center:

• Go to the M365 admin center
• Select Active users from under Users

Assign admin roles in bulk in Azure AD

To assign the same role(s) to multiple users:

•  Sign in to  Azure AD

View/edit assigned roles in Azure AD for an individual

To review a single user’s current roles, or assign more, follow these steps:

• Sign in to Azure AD
• Find and select the user for whom you want to review admin role(s)

Spread the word:

Leave a reply cancel reply.

This site uses Akismet to reduce spam. Learn how your comment data is processed .

Discover more from Nate Chamberlain, Microsoft MCT

Subscribe now to keep reading and get access to the full archive.

Type your email…

Continue reading

Code of Conduct - Terms and Conditions - Privacy Policy

This browser is no longer supported.

Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.

Configure administrative roles in Microsoft 365

This module examines the key functionality that's available in the more commonly used Microsoft 365 admin roles. It also provides instruction on how to configure these roles.

Learning objectives

By the end of this module, you should be able to:

• Describe the Azure RBAC permission model used in Microsoft 365.
• Describe the most common Microsoft 365 admin roles.
• Identify the key tasks assigned to the common Microsoft 365 admin roles.
• Delegate admin roles to partners.
• Manage permissions using administrative units in Microsoft Entra ID.
• Elevate privileges to access admin centers by using Microsoft Entra ID Privileged Identity Management.

Prerequisites

Module Assessment Results

Assess your understanding of this module. Sign in and answer all questions correctly to earn a pass designation on your profile.

• Introduction min
• Explore the Microsoft 365 permission model min
• Explore the Microsoft 365 admin roles min
• Assign admin roles to users in Microsoft 365 min
• Delegate admin roles to partners min
• Manage permissions using administrative units in Microsoft Entra ID min
• Elevate privileges using Microsoft Entra Privileged Identity Management min
• Examine best practices when configuring administrative roles min
• Knowledge check min
• Summary min

Permissions Management: Defender XDR's RBAC Walkthrough for Microsoft Defender for Office 365