Office 365 tenant administrator roles have changed

UPDATE 7/2/14:

According to an update from Microsoft, these changes were accidental and are being reversed. If these changes truly were accidental, that does not speak well of Microsoft's change control process for Office 365. Either way, things are going back to the way they were. I assume these changes will be reintroduced at some point in the future.


For the last 3 years, Office 365 has had a rather poor set of choices for the roles you can assign to your administrators. The old administrator roles for Office 365 are: Billing admin, Global admin, Password admin, Service admin, and User management admin. I don’t think that these roles are terribly self-explanatory to most of the people to whom they would be assigned, and they don’t really map to real-world jobs that administrators do. The only role there with usable administrative rights is Global admin; the other roles are all for some level of running Office 365 itself. The Global admin role has all the rights to all the constituent parts of Office 365: Exchange, Lync, and SharePoint. In the real world, there are not many people who actually know how to work those 3 different technologies. As of this morning, Microsoft has changed the role groups into something that looks like it makes more sense.

To make the discussion more understandable, I have copied the descriptions for the old roles below. This is still the information that is linked from the Office 365 portal above the new choices.

  • Billing admin: Makes purchases, manages subscriptions, manages support tickets, and monitors service health.
  • Global admin: Has access to all administrative features. Global admins are the only admins who can assign other admin roles. You can have more than one global admin in your organization. The person who signs up to purchase Office 365 becomes a global admin.
  • Password admin: Resets passwords, manages service requests, and monitors service health. Password admins are limited to resetting passwords for users and other password admins.
  • Service admin: Manages service requests and monitors service health.
  • User management admin: Resets passwords, monitors service health, and manages user accounts, user groups, and service requests. The user management admin can’t delete a global admin, create other admin roles, or reset passwords for billing, global, and service admins.

The new role groups are: Billing administrator, Company administrator, Exchange administrator, Helpdesk administrator, Lync administrator, Service support administrator, and User administrator. As of this writing, I am unable to find any documentation on what these new roles are or how they map to the old roles. I am fairly sure the mapping is straightforward, although I would argue that “fairly sure” is not nearly good enough when you are talking about hundreds of millions of Office 365 users. Below are my guesses for how the new roles map to the old.

  • Billing admin > Billing Administrator: No permissions change, just renamed the role.
  • Global admin > Company Administrator: No permissions change, just renamed the role.
  • Password admin > Helpdesk administrator: Not sure if the permissions here have changed, or if it’s a straight mapping.
  • Service admin > Service support administrator: No permissions change, just renamed the role.
  • User management admin > User Administrator: No permissions change, just renamed the role.
  • Exchange administrator: Full rights to manage all Exchange settings
  • Lync administrator: Full rights to manage all Lync settings
  • SharePoint administrator: Full rights to manage all SharePoint settings. Oops, it looks like I jumped the gun on “SharePoint administrator”. That one does not exist. I wonder why…

It looks to me like these changes are for the better. I do wish Microsoft would do a better job of communicating changes like this.