By Christian

Microsoft 365 Admin Roles Explained: Global vs User vs Helpdesk

Tags: microsoft-365, admin-roles, security, delegation

Microsoft 365 ships with more than 60 built-in admin roles. Most organizations end up using two of them: Global Administrator (because they didn't know there was anything else) and "nothing" (everyone else files tickets).

Three roles cover the vast majority of legitimate delegation scenarios for non-IT staff: Global Administrator, User Administrator, and Helpdesk Administrator. Here's what each actually grants, when each is appropriate, and where each one breaks down for the most common real-world case — letting HR or office staff handle routine user management.

Global Administrator

What it grants: everything. Full read/write access to every Microsoft 365 and Entra ID service. Can manage users, billing, security policies, conditional access, Exchange, Teams, SharePoint, compliance, the works. Can also assign and revoke other admin roles, including Global Admin itself.

When it's appropriate:

  • The two break-glass accounts your security policy requires (Microsoft's recommendation: keep these to exactly two, MFA-enforced, hardware-key protected, used only for emergencies)
  • Initial tenant setup
  • Migration projects with explicit time-boxed access

When it's the wrong answer:

  • HR password resets
  • Onboarding new employees
  • Managing Teams memberships
  • License assignment
  • Literally any routine task

Every Global Admin account is a phishing target with total tenant access. Microsoft's 2025 Digital Defense Report found admin account compromise was involved in over 60% of serious Microsoft 365 security incidents. Most of those compromised accounts were Global Admins who had the role for routine work — not for emergencies.

We covered this in detail in "Too Many Global Admins?". Short version: never more than five Global Admins. Ideally two. Don't grant the role to solve a delegation problem.

User Administrator

What it grants: full read/write on all users and groups in the tenant. Can create users, delete users, reset passwords (including for other admins below their tier), assign licenses, manage group memberships. Cannot modify Global Admins or security/conditional access policies.

When it's appropriate:

  • A dedicated IT administrator who handles all user-management operations and whom the org trusts with that level of access
  • A senior helpdesk lead at a larger company where user ops are their primary job

When it's the wrong answer:

  • HR doing onboarding for the Sales department only
  • An office coordinator handling password resets for the office she works in
  • A team lead managing their own team's Teams membership

The problem is blast radius. User Administrator can manage all users in the tenant, including resetting passwords for other administrators (Global Admins excepted). A compromised User Admin can lock out every IT staffer below Global Admin tier and then escalate. For a role we want to give to a non-IT person doing one specific job, that's far too much surface.

There's also the interface problem: User Administrator gives access to the M365 admin center, which is designed for IT pros. HR coordinators dropped into it will either get overwhelmed (and file a ticket anyway) or click something dangerous. We unpack this further in "Why the User Admin role is the wrong answer for HR delegation".

Helpdesk Administrator

What it grants: password resets for non-administrators. That's almost the whole story. Can also manage service requests and read directory data. Cannot create or delete users, cannot assign licenses, cannot modify groups.

When it's appropriate:

  • A dedicated helpdesk team whose only M365 responsibility is unlocking accounts
  • A small IT team that wants to grant the new tech password-reset access during their first week without giving them anything else

When it's the wrong answer:

  • HR onboarding (they need user creation, not just password reset)
  • Office managers handling distribution list memberships
  • Anyone who needs to do anything beyond resetting a password

Helpdesk Administrator is the closest built-in role to what most "I just need HR to reset passwords" requests are actually asking for. The same caveats apply as with Password Administrator (which is a near-clone of Helpdesk Administrator scoped to password actions only): the role-holder still gets access to the M365 admin center, audit logs live in Azure Monitor, and there's no department-level scoping. We covered the specific shape of this gap in "How to Give HR Password Reset Access Without Global Admin".

Other roles worth knowing exist

For completeness — these come up less often but are worth knowing:

| Role | What it adds |
| --- | --- |
| Password Administrator | Can reset passwords for non-admins. Subset of Helpdesk Administrator. |
| License Administrator | Manage license assignments without other user-management powers. |
| Groups Administrator | Create, edit, delete groups (including Microsoft 365 Groups / Teams). |
| Exchange Administrator | Full Exchange Online: mailboxes, distribution lists, transport rules. |
| Teams Administrator | Manage Teams, channels, calling, meeting policies. |
| Authentication Administrator | Reset MFA methods (separate from password reset). |
| Security Reader / Security Administrator | Read or manage security & compliance posture. |

A full list lives in Microsoft's admin role reference. For 95% of organizations under 500 users, you'll never need most of them.

The pattern Microsoft's built-in roles miss

Notice what none of these roles do:

  • Scope user-management actions to a specific department or office
  • Give the user a focused interface that doesn't include the rest of the admin center
  • Surface audit logs in a format non-IT staff can actually review
  • Restrict which licenses can be assigned (e.g., "HR can assign Business Premium but not E5")

These are the four properties of actually-safe delegation, and they're the reason most organizations end up over-permissioning to compensate for the gap.

A delegation layer that sits on top of the Microsoft Graph API — authenticating each delegate with their own OAuth token but constraining what operations they can call — covers the gap cleanly. It lets you assign roles like "Admin," "Member," "Viewer" within a portal, and have those roles map to specific operations regardless of what Entra ID would let the underlying user do.

That's what UserDesk for M365 does. The delegate signs in with their normal Microsoft account. The portal calls Graph on their behalf for the specific operations you've allowed, and refuses to call anything else, regardless of what their Entra ID role would technically permit. The audit log lives in the portal, where the compliance team can actually read it.
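To make the four properties above concrete, here is an added example of such a delegation layer in Python. It is not UserDesk's code and not a Microsoft API: Microsoft Graph is replaced by an in-memory directory so the script runs offline, and the operation labels, portal roles (the post's Admin / Member / Viewer), accounts and SKU names are all constructed for the example. Every call is checked against the delegate's portal role, a department scope and a license allowlist, and every decision, allowed or denied, is written to a portal-side audit log.

```python
"""Added example (not UserDesk's code, not a Microsoft API): a policy layer
between a delegate and Microsoft Graph.  Graph is simulated by an in-memory
directory; operation names, accounts and SKUs are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Portal role -> operations the layer is willing to forward.  Role names follow
# the post (Admin / Member / Viewer); the operation labels are hypothetical.
ROLE_OPERATIONS = {
    "Viewer": {"user.read"},
    "Member": {"user.read", "user.resetPassword"},
    "Admin":  {"user.read", "user.resetPassword", "user.create", "license.assign"},
}


def sample_directory() -> dict:
    """Constructed stand-in for Graph user objects (not a real tenant)."""
    return {
        "alice@example.com":    {"department": "Sales",   "licenses": [], "isAdmin": False},
        "carol@example.com":    {"department": "Finance", "licenses": [], "isAdmin": False},
        "it-admin@example.com": {"department": "IT",      "licenses": [], "isAdmin": True},
    }


@dataclass
class Delegate:
    upn: str                 # the delegate's own account; Graph is called with their token
    role: str                # portal role, independent of any Entra ID role they hold
    department: str          # the only department this delegate may act on
    allowed_skus: set = field(default_factory=set)   # licenses they may assign


@dataclass
class DelegationLayer:
    directory: dict
    audit_log: list = field(default_factory=list)

    def _deny_reason(self, d: Delegate, op: str, target: str,
                     sku: Optional[str], department: Optional[str]) -> Optional[str]:
        """Return why the call must be refused, or None if it may proceed."""
        if op not in ROLE_OPERATIONS.get(d.role, set()):
            return f"portal role {d.role} may not call {op}"
        existing = self.directory.get(target)
        if op == "user.create":
            if existing is not None:
                return f"{target} already exists"
            if department != d.department:
                return f"new users may only be created in {d.department}"
            return None
        if existing is None:
            return f"{target} not found"
        if existing["isAdmin"]:
            return "administrator accounts are never in a delegate's scope"
        if existing["department"] != d.department:
            return f"{target} is outside department {d.department}"
        if op == "license.assign" and sku not in d.allowed_skus:
            return f"SKU {sku} is not in the delegate's allowlist"
        return None

    def call(self, d: Delegate, op: str, target: str,
             sku: Optional[str] = None, department: Optional[str] = None) -> dict:
        """Authorize, log the decision, then (simulated) forward to Graph."""
        reason = self._deny_reason(d, op, target, sku, department)
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(), "actor": d.upn,
            "operation": op, "target": target,
            "outcome": "denied" if reason else "allowed", "reason": reason or "",
        })
        if reason:
            return {"allowed": False, "reason": reason}
        # Simulated Graph side effects; a real layer issues the HTTP request here
        # with the delegate's own OAuth token.
        if op == "user.read":
            result = dict(self.directory[target])
        elif op == "user.resetPassword":
            result = "reset issued"
        elif op == "user.create":
            self.directory[target] = {"department": department, "licenses": [], "isAdmin": False}
            result = "created"
        else:  # license.assign
            self.directory[target]["licenses"].append(sku)
            result = "license assigned"
        return {"allowed": True, "result": result}


if __name__ == "__main__":
    layer = DelegationLayer(sample_directory())
    hr = Delegate("hr@example.com", "Admin", "Sales", {"BUSINESS_PREMIUM"})
    print(layer.call(hr, "license.assign", "alice@example.com", sku="E5"))      # denied: SKU
    print(layer.call(hr, "user.read", "carol@example.com"))                     # denied: department
    print(layer.call(hr, "user.resetPassword", "it-admin@example.com"))         # denied: admin
    for e in layer.audit_log:
        print(e["outcome"], e["actor"], e["operation"], e["target"], e["reason"])
```

Two design points worth noting. The admin check comes before the department check, so a delegate can never touch an administrator account even if it happens to sit in their department. And because the forwarded request is made with the delegate's own token, a layer like this can only narrow access: the underlying account still needs whatever Entra ID role or Graph permission the allowed operations require, so the portal role and the Entra role are reviewed together.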

See the role model in action: the interactive demo lets you switch between Admin / Member / Viewer roles and watch the available actions change. No signup, sample data, 2 minutes.
