Dellenny


Understanding the Role of Roles in the Microsoft 365 Permission Model

Managing permissions in a cloud-first world like Microsoft 365 requires a clear understanding of how roles are structured and applied. Whether you’re an IT admin, architect, or consultant designing secure environments for clients, leveraging roles effectively can mean the difference between streamlined access and a tangled mess of permissions.

In this post, we’ll explore the Microsoft 365 permission model through the lens of roles: what they are, how they’re used, how scopes and assignments work, and best practices for applying them across services like SharePoint Online, Exchange Online, Teams, and Microsoft Entra ID (formerly Azure Active Directory).


What Are Roles in Microsoft 365?

Roles in Microsoft 365 are essentially collections of permissions that can be assigned to users or groups to perform specific administrative or functional tasks. These roles span Microsoft Entra ID (formerly Azure AD), Microsoft 365 admin center, and individual workloads like SharePoint, Teams, and Exchange.

There are three main categories:

  1. Microsoft Entra Roles (Azure AD Roles)
    These control permissions at the directory level. Examples include:
    • Global Administrator
    • User Administrator
    • Security Reader
    • Privileged Role Administrator
  2. Workload-specific Roles
    These are the built-in Entra roles whose permissions are limited to one Microsoft 365 service. They are assigned from Microsoft Entra or the Microsoft 365 admin center, but take effect inside the workload:
    • SharePoint Administrator (SharePoint Online and OneDrive settings and sites)
    • Exchange Administrator (full access to the Exchange admin center)
    • Teams Administrator
  3. RBAC (Role-Based Access Control) in specific workloads
    Exchange Online and Microsoft Purview each carry their own RBAC model, in which a role is a set of cmdlets or permissions, roles are collected into role groups, and assignments can be restricted to custom scopes. Entra roles are mapped into these models; the Entra Exchange Administrator role, for example, corresponds to the Organization Management role group in Exchange Online.

Role Assignments and Scopes

A role on its own does nothing until it’s assigned—this is where scope comes into play.

🔄 What is a Role Assignment?

A role assignment is the act of assigning a role definition to a principal (user, group, or service principal) within a scope. This combination determines:

  • Who can do something (the principal)
  • What they can do (the role)
  • Where they can do it (the scope)

🎯 Understanding Scopes

Scope defines the boundary or target of the permissions. It answers the question: Where does this role apply?

Scopes in Microsoft Entra (Azure AD):

  • Tenant-wide – the default for Entra roles. The directory scope is written as "/" and covers every object in the tenant.
  • Administrative Units (AUs) – restrict a role assignment to the users, groups or devices that are members of the AU. Only roles that operate on those object types can be AU-scoped (User Administrator, Groups Administrator, Helpdesk Administrator, Password Administrator, Authentication Administrator, License Administrator and a handful of others); Global Administrator, Security Reader and similar directory-wide roles cannot be.
    • Example: Assigning User Administrator scoped to the HR AU, so the assignee can manage only users who are members of that AU.

Scopes in Exchange Online:

  • Exchange RBAC uses management scopes:
    • In Exchange Online, scopes are recipient-based: a filter on recipient attributes such as Department, Office or a custom attribute. Server and database scopes exist only in on-premises Exchange.
    • A custom write scope limits which recipients a role assignment can change. The implicit read scope stays organization-wide, so a scoped admin can still see, but not modify, recipients outside the scope.
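The recipient-scoped delegation described above, written out in Exchange Online PowerShell as an added example (this is not code from the original post). It assumes the ExchangeOnlineManagement module, an account that holds the Role Management role (a member of Organization Management), and illustrative names: the "HR Recipients" scope, a Department value of HR, the helpdesk-hr@contoso.com member and the test mailboxes.

```powershell
# Added example, not from the original post. Names below are illustrative.
Connect-ExchangeOnline

# 1. A recipient management scope: only recipients whose Department attribute is "HR".
#    Exchange Online supports recipient scopes only; server/database scopes are on-premises concepts.
New-ManagementScope -Name "HR Recipients" -RecipientRestrictionFilter "Department -eq 'HR'"

# 2. A role group whose "Mail Recipients" role can only write inside that scope.
#    Members can change HR mailboxes (aliases, forwarding, attributes) but nobody else's.
New-RoleGroup -Name "HR Mailbox Admins" `
              -Roles "Mail Recipients" `
              -CustomRecipientWriteScope "HR Recipients" `
              -Members "helpdesk-hr@contoso.com"

# 3. Verify the effective assignment and its write scope before handing it over.
Get-ManagementRoleAssignment -RoleAssignee "HR Mailbox Admins" |
    Format-Table Name, Role, RecipientWriteScope, CustomRecipientWriteScope -AutoSize

# 4. Negative check, run from a session signed in as a member of the new role group:
#    a mailbox outside the scope must be refused with a write-scope error,
#    while an HR mailbox can be changed.
Set-Mailbox -Identity "finance.user@contoso.com" -CustomAttribute1 "scope-test"   # expected: refused
Set-Mailbox -Identity "hr.user@contoso.com"      -CustomAttribute1 "scope-test"   # expected: succeeds
```

The scope is only as trustworthy as the attribute it filters on: if the Department value is maintained by hand rather than by your HR provisioning feed, whoever can edit it can move recipients into or out of the delegated admins' reach.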

Scopes in Microsoft Purview:

  • Compliance roles (e.g., Content Search, eDiscovery) are tenant-wide by default but can be confined with compliance boundaries: a search permissions filter attached to a role group limits which content locations its members can search or place on hold:
    • SharePoint sites
    • Exchange mailboxes
    • Teams chats (stored in user and group mailboxes, so they follow the mailbox filter)

Scopes in SharePoint and Teams:

  • Roles are scoped per site (SharePoint) or per team (Teams).
  • Within a site, permissions inherit from the site down to lists, libraries, folders and items unless inheritance is broken at a lower level; they never inherit across site collections, so each site is its own permission boundary and has to be reviewed on its own.

Common Use Cases

🔐 Delegating Administration

Instead of giving everyone Global Admin rights (a dangerous anti-pattern), assign workload-specific roles:

  • Give the SharePoint Administrator role to those managing sites and content.
  • Give helpdesk staff Helpdesk Administrator or Password Administrator for password resets, and reserve User Administrator for those who must create, license and delete accounts. None of these roles can reset the password of a user holding a higher-privileged role such as Global Administrator.

Scoped Assignment Example: Assign the User Administrator role scoped to the HR administrative unit, so the assignee can manage only the HR users in that AU and nobody else.
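The scoped assignment example above, and the principal/role/scope model from the Role Assignments section, carried out in Microsoft Graph PowerShell as an added example (not code from the original post). It assumes the Microsoft.Graph modules, an account holding Privileged Role Administrator, and illustrative values: an AU named "HR", users whose department attribute is "HR", and the delegate hr.admin@contoso.com.

```powershell
# Added example, not from the original post. AU name, department value and accounts are illustrative.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory","AdministrativeUnit.ReadWrite.All","User.Read.All" -NoWelcome

# 1. Create the administrative unit and put the HR users into it.
$au = New-MgDirectoryAdministrativeUnit -DisplayName "HR" -Description "HR staff (scoped delegation)"
Get-MgUser -Filter "department eq 'HR'" -All | ForEach-Object {
    New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id `
        -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($_.Id)" }
}

# 2. Resolve the role definition by name rather than hard-coding its template ID.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"

# 3. The assignment is principal + role + scope. A scope of "/" would be tenant-wide;
#    the AU path limits the role to members of that AU.
$hrAdmin = Get-MgUser -UserId "hr.admin@contoso.com"
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $hrAdmin.Id `
    -RoleDefinitionId $role.Id `
    -DirectoryScopeId "/administrativeUnits/$($au.Id)"

# 4. Verify: every assignment this principal holds, with its scope. Anything scoped "/"
#    here is a tenant-wide grant and should be questioned.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($hrAdmin.Id)'" -ExpandProperty RoleDefinition |
    Select-Object @{ n = 'Role'; e = { $_.RoleDefinition.DisplayName } }, DirectoryScopeId
```

Step 1 populates the AU once; for a population that changes, create the AU with dynamic membership on the same department attribute so new HR users fall inside the delegate's scope without a manual step.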

📁 Controlling Access in SharePoint Online

SharePoint uses a separate role model at the site level, including:

  • Site Owners
  • Site Members
  • Site Visitors

These groups are mapped to SharePoint permission levels (Owners: Full Control, Members: Edit, Visitors: Read). On a group-connected site the Microsoft 365 group’s owners and members are placed in the site’s Owners and Members groups automatically, so membership can be managed in one place. Changing a site group’s permission level silently changes what every member can do, so review the mapping as well as the membership.
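Two checks a site review should include, written with PnP PowerShell as an added example (not code from the original post): which permission level each site group actually maps to, and which lists have broken inheritance from the site. It assumes the PnP.PowerShell module, an account that owns the site, and an illustrative site URL, group name and user.

```powershell
# Added example, not from the original post. Site URL, group and user names are illustrative.
Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/HR" -Interactive

# 1. Which permission level does each site group really carry? A Visitors group that someone
#    raised to Edit is a silent over-grant that membership reviews never catch.
Get-PnPGroup | ForEach-Object {
    $levels = (Get-PnPGroupPermissions -Identity $_ | Select-Object -ExpandProperty Name) -join ', '
    [pscustomobject]@{ Group = $_.Title; PermissionLevels = $levels }
} | Format-Table -AutoSize

# 2. Grant through the group, never directly on the site, so access stays visible and reviewable.
Add-PnPGroupMember -Group "HR Members" -LoginName "jane.doe@contoso.com"

# 3. Lists and libraries that broke inheritance are separate permission boundaries that a
#    site-level review will not show you; list them so each can be checked on its own.
Get-PnPList -Includes HasUniqueRoleAssignments |
    Where-Object { $_.HasUniqueRoleAssignments } |
    Select-Object Title, Id
```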


Best Practices

  1. Use PIM (Privileged Identity Management)
    Make privileged roles eligible rather than permanently active. Users activate the role just in time, for a bounded period, with MFA and a justification and optionally an approver; nothing is held as standing privilege between activations. (Requires Microsoft Entra ID P2.)
  2. Avoid Overuse of Global Admin
    Limit this role to as few users as possible (Microsoft recommends fewer than five). Use workload-specific or scoped roles wherever feasible, and keep a closely monitored break-glass account as the only permanent holder.
  3. Leverage Security Groups and Administrative Units
    Group-based role assignment (the group must be created as role-assignable) and AU-scoped delegation improve clarity and scalability. Review the group’s owners too: whoever controls membership effectively controls the role.
  4. Audit Regularly
    Periodically review role assignments, both active and eligible, to ensure they still make sense; Entra access reviews can automate the recertification.
  5. Train and Educate
    Ensure administrators understand what each role allows, especially as new Entra roles are added.
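An audit that ties practices 1, 2 and 4 together, as an added example (not code from the original post): it lists every directory role assignment, separates standing (active) assignments from PIM-eligible ones, and flags the two findings a reviewer acts on first. It assumes the Microsoft.Graph modules, a signed-in account with RoleManagement.Read.Directory, and Entra ID P2 for the eligibility data; the role names used in the second check are the common delegated ones, not an exhaustive list.

```powershell
# Added audit example, not from the original post. Requires Entra ID P2 for the PIM part.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Directory.Read.All" -NoWelcome

# Map role definition IDs to names once, so the report is readable.
$roleNames = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All | ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }

function Get-PrincipalLabel($principal) {
    # Users carry userPrincipalName; groups and service principals only a displayName.
    $p = $principal.AdditionalProperties
    if ($p['userPrincipalName']) { $p['userPrincipalName'] } else { $p['displayName'] }
}

# Standing (permanent, active) assignments: these bypass PIM and carry the real exposure.
$active = Get-MgRoleManagementDirectoryRoleAssignment -All -ExpandProperty Principal | ForEach-Object {
    [pscustomobject]@{ Kind = 'Active'; Role = $roleNames[$_.RoleDefinitionId]
                       Principal = Get-PrincipalLabel $_.Principal; Scope = $_.DirectoryScopeId }
}

# Eligible (PIM) assignments: the holder must activate, normally with MFA and a justification.
$eligible = @()
try {
    $eligible = Get-MgRoleManagementDirectoryRoleEligibilitySchedule -All -ExpandProperty Principal | ForEach-Object {
        [pscustomobject]@{ Kind = 'Eligible'; Role = $roleNames[$_.RoleDefinitionId]
                           Principal = Get-PrincipalLabel $_.Principal; Scope = $_.DirectoryScopeId }
    }
} catch { Write-Warning "PIM eligibility data unavailable (requires Entra ID P2): $_" }

$report = @($active) + @($eligible)
$report | Sort-Object Role, Kind | Format-Table Kind, Role, Principal, Scope -AutoSize

# Finding (a): Global Administrator held as a standing assignment. Microsoft recommends fewer
# than five Global Administrators in total; ideally only the break-glass account is permanent.
$standingGA = @($report | Where-Object { $_.Kind -eq 'Active' -and $_.Role -eq 'Global Administrator' })
if ($standingGA.Count -gt 0) {
    Write-Warning "$($standingGA.Count) standing Global Administrator assignment(s):"
    $standingGA | ForEach-Object { Write-Warning "  $($_.Principal)" }
}

# Finding (b): delegated roles granted at tenant scope ("/") where an administrative unit would do.
$delegated = 'User Administrator', 'Groups Administrator', 'Helpdesk Administrator', 'Password Administrator'
$report | Where-Object { $_.Role -in $delegated -and $_.Scope -eq '/' } |
    ForEach-Object { Write-Warning "Tenant-wide $($_.Role) for $($_.Principal); consider AU scoping" }
```

Run it on a schedule and diff the output against the previous run: a new row in the Active column is the event worth investigating, and a Global Administrator row outside the break-glass account is the one to remove that day.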
