Roles in Microsoft 365

Roles in Microsoft 365

Most administrators will be familiar with the 8 main admin roles in Microsoft 365. These 8 Microsoft 365 roles are called suggested roles as we will see later on in this post.

Roles in Microsoft 365 1

But when you open up the Show all by category you will find another 42 user roles.

The little (i)-icons will give you some details on what is included but it will not give you the exact details to make the right choice.

Microsoft 365 Roles descriptions

When you go to the Microsoft 365 Admin center and login with your admin credentials you will find the option, Show all.

Roles in Microsoft 365 2

When you click on Show all you will see some additional option appear in your menu.

If you want these options to appear without you having to click on the show all then you could also use the Customize navigation and add the options that you want.

Customize your navigation pane

Now that the Roles option is visible we can get to the roles screen.

Roles in Microsoft 365 3

The roles screen will list all roles that you could possible use.

All roles in Microsoft 365

When you scroll to the end you will see the show suggested roles.

Roles in Microsoft 365 4

If you still haven’t had enough roles yet then there are also a few Intune specific roles available here.

Roles in Microsoft 365 5

Ok, I’ve had enough roles.

Time to look at what each role does.

Reports Reader role

I’m going to focus on the Reports reader role for a bit now.

When you click on the Reports reader role for example a blade will slide in with a fill description of the role.

General description of the reports reader role.

The General overview explains when you should use this role.

Who should be assigned this role?

Assign the Reports reader role to users who need to do the following:

  • View usage data and the activity reports in the Microsoft 365 admin center
  • Access to the Power BI adoption content pack
  • Access to sign-in reports and activity in Azure AD
  • View data returned by Microsoft Graph reporting API

But, it will also tell you how many people have been assigned the role.

You can even find who has been assigned the role and you can add new people to the role.

Added a user to a role

This is so much easier to use, when you want to apply multiple people to a single role, than the users section in the Microsoft 365 admin center.

Permissions

I still haven’t looked at what permissions a user with a role will get. Going back to the example of the Reports reader role.

The 3rd tab of the role blade gives all the answers

The reports reader role

So a reports reader can:

  • Read and configure Azure Service Health
  • Read and configure Service Health
  • Read all properties (including privileged properties) on auditLogs in ‎Azure Active Directory‎
  • Read all properties of provisioning logs
  • Read all properties (including privileged properties) on signInReports in ‎Azure Active Directory‎
  • Read ‎Office 365‎ usage reports

Compare roles

Ok, that is great, I can now go through all 50 roles and see what they do. When you want to make a choice between the different roles however you might want to compare the permissions.

The compare option is available to us right there in the roles section of the Microsoft 365 admin center.

You simply select 2 roles and hit the Compare roles link.

Select roles to compare

and within no time you get the following overview

Compare roles

It is possible to export this overview so that you can view it in an Excel file.

It is possible to compare 3 roles at a time only. Wouldn’t it have been nice if you could export all of the roles in one go?

Export admin list

Then there is one final option that I want to have a look at in this post.

There is the Export admin list option to export all your admin roles and an overview of all users assigned to each role. All in a single csv file. Making it very easy to get a quick overview of your role assignments within your tenant.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: