I realize it's been a while since I started this series on Identity in Office 365, but I'd really like to get back to it and make a point of wrapping it up before I get into too many other topics here on My Central Admin. So this post is going to take a look at another aspect of Identity that was introduced in Office 365: Account Roles. In the previous version of the platform, most commonly referred to as the Business Productivity Online Suite (BPOS), there were only two types of accounts you could create: Administrators and Users. The User role was for normal end user accounts that could be provisioned with subscriptions for the services included in BPOS (Exchange Online, SharePoint Online, Lync Online, and/or Live Meeting Services), and the Administrator role was for accounts that could manage aspects of the BPOS service itself, such as provisioning accounts, purchasing licenses, and creating shared contacts or SharePoint sites.
The problem with this approach was that the BPOS Administrator role was an all or nothing proposition. Organizations that wanted to limit an Administrator to managing only specific areas of their BPOS environment could not do so, because there was no way to change the rights of that type of user. You had to either give an account full administrative rights in a BPOS environment or set the account to be a standard user with no administrative rights at all. Well, that's changed with Office 365. Microsoft got a lot of feedback about the inflexibility of the Administrator role in BPOS and listened to it by creating five different Administrator roles in Office 365, listed below:
- Global Administrator
- Billing Administrator
- Password Administrator
- User Management Administrator
- Service Support Administrator
Before I cover each of the role types, I do want to mention a few general things that you should keep in mind:
- First of all, it is very important to keep track of the account you used to register and provision your new Office 365 subscription. This account is by default granted full administrative rights for the subscription (the same as the Global Admin role), and it is also the defined point of contact that Microsoft has for your organization. Make sure the information you provide for this account is accurate, and make sure the existence and purpose of this account are known to multiple people in your organization so contact can be maintained with Microsoft should the account owner win the lottery and head off for the Bahamas. Because it is a Global Admin account, its credentials deserve the same care as any other full-control account; the goal is that more than one person can reach it, not that its password is shared casually.
- It is also important to understand that the roles discussed here pertain to the overall administration and management of the Office 365 platform, not to the individual services within it (Exchange Online, SharePoint Online, and Lync Online). This is covered below under the Service Administrator role, but just remember that these roles, other than the Global Admin role, do not directly grant users rights within Office 365's individual services.
- At this time I’m not aware of any limits on the number of users you can assign to a given role within Office 365, but they could exist. I do know that there are some sizing limits around security within SharePoint 2010 (which SharePoint Online is based on), but those are pretty high.
Ok, now let’s look at each of the Office 365 admin roles:
- Global Administrator: this is also known as the “Company Administrator” role, and maps to the old Administrator role available in BPOS. Accounts with this role have full control of your organization’s Office 365 subscription. These are the keys to the kingdom, so make sure to hand them out carefully. Now that there are other role types available, you shouldn’t have to give these rights to everyone, so try not to.
- Billing Administrator: users with this role can manage anything within your Office 365 subscription that’s going to involve a financial transaction. They can purchase additional licenses, change how payments are made for the Office 365 subscriptions, or purchase additional resources such as SharePoint storage or Exchange Archival services.
- Password Administrator: Password Admins have the ability to reset user passwords, manage service requests that have been submitted to Microsoft for assistance (available with Enterprise or “E” SKUs only since Professional or “P” SKU subscriptions cannot submit service requests), and view the Office 365 Service Health information available within the Admin Portal. This is a handy admin role to have, because you can provide Tier 1 support staff with the ability to handle one of the most common support tasks you’ll face with Office 365, password resets, without the risk of giving them access to more complex aspects of the service that they could harm without the proper training or knowledge. It is important to note that these admins can only reset the passwords of normal users and other password admins; they cannot reset the passwords of admins in the other types of roles.
- User Management Administrator: In addition to the rights of Password Admins, User Management Admins also have the ability to create user accounts, provision them with Office 365 User Subscription Licenses (USLs), and create user groups within Office 365. While they can manage normal user accounts and accounts with the Password Admin role, they cannot make changes to accounts with other admin roles (Global or Billing), and they cannot reset passwords for those accounts.
- Service Administrator (the Service Support Administrator in the list above): I think the Service Admin role is interesting, but it can also be a little confusing. On one hand, this is an actual role that can be assigned to a user account, but all a user with it can do within the Office 365 Admin Portal is view user information and manage support tickets (E SKUs only). On the other hand, it is necessary to assign this role to a user if you want them to have the ability to manage one or more of the services within Office 365 (Exchange Online, SharePoint Online, and Lync Online), in addition to granting them admin rights within the service itself. It's important to remember that these services are very directly descended from their equivalent full server platform versions and retain a lot of the security functionality present within those parent platforms. Exchange Online provides much of the same Role Based Access Control (RBAC) model as Exchange Server 2010 (defined by Exchange Role Groups such as Organization Management, Recipient Management, Help Desk, etc.), and SharePoint Online retains the SharePoint 2010 permission model (permission levels such as Owner, Contributor, and Reader, roles such as Site Collection Administrator, and the use of SharePoint security groups to manage access control lists). So if you want to grant a user some of those granular admin rights within a specific service, you first need to assign them this role in Office 365, and then grant the service-level rights inside Exchange Online or SharePoint Online itself.
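Because the portal only shows role membership one role at a time, the first thing I'd want after reading the list above is a single report of who holds which admin role, plus a sanity check that the Global Admin role is held by a small number of accounts but by more than one. The script below is an added example written for this post, not code from the Office 365 help site; it uses the Microsoft Online Services Module for Windows PowerShell (the MSOnline module). The directory role names it looks up (Company Administrator, Billing Administrator, Helpdesk Administrator, User Account Administrator, Service Support Administrator) are the names the module exposes rather than the portal labels, and the mapping to the portal labels, the threshold of four Global Admins, and the helpdesk@contoso.onmicrosoft.com address are this example's assumptions; confirm the role names against `Get-MsolRole` on your own tenant.

```powershell
# Added example (not from the original post): report Office 365 admin role
# membership with the MSOnline module and flag Global Admin over- or under-assignment.
# Assumes the module is installed and the signed-in account can read role membership.
Import-Module MSOnline
Connect-MsolService   # prompts for credentials

# Portal label / directory role name pairs. The directory names are what
# Get-MsolRole expects; the mapping to portal labels is assumed here.
$roles = @(
    @{ Label = 'Global Administrator';          Name = 'Company Administrator' },
    @{ Label = 'Billing Administrator';         Name = 'Billing Administrator' },
    @{ Label = 'Password Administrator';        Name = 'Helpdesk Administrator' },
    @{ Label = 'User Management Administrator'; Name = 'User Account Administrator' },
    @{ Label = 'Service Administrator';         Name = 'Service Support Administrator' }
)

# Build one row per (role, member) so the whole admin surface is visible at once
$report = foreach ($r in $roles) {
    $role = Get-MsolRole -RoleName $r.Name
    if (-not $role) { Write-Warning "Role '$($r.Name)' not found in this tenant"; continue }
    foreach ($m in Get-MsolRoleMember -RoleObjectId $role.ObjectId) {
        New-Object PSObject -Property @{
            Role        = $r.Label
            Member      = $m.EmailAddress
            DisplayName = $m.DisplayName
            MemberType  = $m.RoleMemberType
        }
    }
}
$report | Sort-Object Role, Member | Format-Table Role, Member, DisplayName, MemberType -AutoSize

# Least-privilege checks on the "keys to the kingdom" role.
# The upper bound (4) is an assumed policy number, not a product limit.
$globals = @($report | Where-Object { $_.Role -eq 'Global Administrator' })
if ($globals.Count -gt 4) {
    Write-Warning "$($globals.Count) Global Administrators; review whether each one needs full control"
}
# A single Global Admin is a lockout risk if that one account is lost.
if ($globals.Count -lt 2) {
    Write-Warning "Only $($globals.Count) Global Administrator(s); add a second one for break-glass access"
}

# Demoting a help-desk account from Global Admin to Password Admin (address is
# hypothetical). Left commented out so the script is read-only by default.
# $pwdRole = Get-MsolRole -RoleName 'Helpdesk Administrator'
# $gaRole  = Get-MsolRole -RoleName 'Company Administrator'
# Add-MsolRoleMember    -RoleObjectId $pwdRole.ObjectId -RoleMemberEmailAddress 'helpdesk@contoso.onmicrosoft.com'
# Remove-MsolRoleMember -RoleObjectId $gaRole.ObjectId  -RoleMemberEmailAddress 'helpdesk@contoso.onmicrosoft.com'
```

Run the report part first and keep the demotion lines commented until you have confirmed the account really only needs password resets; adding the lesser role before removing the greater one avoids a window where the account has no admin rights at all. If you are reading this long after the post was written, note that Microsoft has since deprecated the MSOnline module in favor of the Microsoft Graph PowerShell module, where `Get-MgDirectoryRole` and `Get-MgDirectoryRoleMember` give the same kind of listing.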
NOTE: there is one other class of admin role that you may encounter with Office 365, the Delegated Administrator. The Delegated Admin role allows you to grant a Microsoft Partner access to help manage your Office 365 subscription without having to assign a USL (which you pay for) to one of the partner's staff. You must have a stated Partner of Record on file with Office 365 to be able to assign the Delegated Admin role, and the users in the role must be affiliated with that Partner. Since this hands administrative access to accounts outside your organization, it deserves the same periodic review as your own Global Admins. For more information, see http://onlinehelp.microsoft.com/en-us/office365-enterprises/gg243434.aspx.
If you want more information on this topic, Office 365's Online Help site is a good place to start. There's a pretty good page on assigning Office 365 Admin Roles which was a helpful source for me in putting this together: http://onlinehelp.microsoft.com/en-us/office365-enterprises/4697284e-c6ed-4c5a-a062-047ada7b1282. It also includes a good matrix showing which rights are available for each admin role, as well as information on how to assign those roles to user accounts.