BG Beter Geregeld ICT
Microsoft 365 & Entra ID · 2 min read · 12 October 2025

M365 admin roles explained: you don't need to make everyone a Global Admin

M365 has ~70 admin roles. Most SMBs use just 2 (Global Admin + User Admin). Here are the roles you really need to know — and when to use them.

Not every admin task requires Global Admin. M365 has a rich role structure — using it properly is the difference between "everyone can do everything" and targeted least-privilege access.

The roles you really need to know

  • Global Administrator: everything. 2–3 people max.
  • User Administrator: create users, password resets, assign licences. For the office manager.
  • Helpdesk Administrator: password resets for non-admin users. Junior helpdesk.
  • Exchange Administrator: mailbox management, distribution lists. For whoever handles that.
  • SharePoint Administrator: SharePoint site management and permissions.
  • Teams Administrator: Teams settings, meeting policies.
  • Security Administrator: security settings, Defender, Conditional Access (CA) policies. For the security officer.
  • Global Reader: read-only Global Admin. For auditors or a compliance officer.

Assignment: common patterns

  • Office manager / HR: User Administrator (sufficient for user onboarding/offboarding).
  • Security officer: Security Administrator + Global Reader.
  • Accountant/compliance: Global Reader.
  • IT partner: depends on scope — often broader but temporary.
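The role list and assignment patterns above can be turned into a small least-privilege check. This is an added example, not code from the article: the task labels, account names and sample data are constructed, and the role-to-task mapping is a simplified paraphrase of the list above rather than a full permission model.

```python
# Role -> tasks mapping paraphrases this article's role list; task names are constructed labels.
ROLE_TASKS = {
    "User Administrator": {"create_users", "reset_passwords", "assign_licences"},
    "Helpdesk Administrator": {"reset_passwords"},
    "Exchange Administrator": {"manage_mailboxes", "manage_distribution_lists"},
    "SharePoint Administrator": {"manage_sites", "manage_site_permissions"},
    "Teams Administrator": {"teams_settings", "meeting_policies"},
    "Security Administrator": {"security_settings", "defender", "ca_policies"},
    "Global Reader": {"read_everything"},
}
GLOBAL_ADMIN = "Global Administrator"
MAX_GLOBAL_ADMINS = 3  # the article's "2-3 people max"


def least_privilege_roles(tasks):
    """Smallest set of scoped roles covering `tasks`; Global Admin only as a last resort."""
    remaining, chosen = set(tasks), []
    while remaining:
        # Greedy: cover the most open tasks; on a tie take the role granting the least overall.
        role = max(ROLE_TASKS, key=lambda r: (len(ROLE_TASKS[r] & remaining), -len(ROLE_TASKS[r])))
        if not ROLE_TASKS[role] & remaining:
            return [GLOBAL_ADMIN]  # a task no scoped role covers
        chosen.append(role)
        remaining -= ROLE_TASKS[role]
    return sorted(chosen)


def audit(assignments):
    """assignments: dicts with user, roles, tasks. Returns human-readable findings."""
    findings = []
    admins = sorted(a["user"] for a in assignments if GLOBAL_ADMIN in a["roles"])
    if len(admins) > MAX_GLOBAL_ADMINS:
        findings.append(f"{len(admins)} Global Administrators (max {MAX_GLOBAL_ADMINS}): {', '.join(admins)}")
    for a in assignments:
        needed = least_privilege_roles(a["tasks"])
        extra = sorted(set(a["roles"]) - set(needed))
        if extra:
            findings.append(f"{a['user']}: remove {extra}; sufficient: {needed}")
    return findings


# Constructed sample assignments (not real tenant data).
SAMPLE = [
    {"user": "office.manager", "roles": ["Global Administrator"], "tasks": ["create_users", "assign_licences"]},
    {"user": "helpdesk.junior", "roles": ["User Administrator"], "tasks": ["reset_passwords"]},
    {"user": "owner", "roles": ["Global Administrator"], "tasks": ["tenant_wide_settings"]},
]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The check only flags roles that exceed what a person's listed tasks require; it does not report someone who is missing a role they need.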

PIM

A Premium P2 licence gives you Privileged Identity Management (PIM): admin roles aren't permanently active; you activate them for a session. For SMBs, it is worth considering once you have more than 30 employees, at least for your Global Admin role.

See also: M365 pillar, PAM article.

Topics

#privileged-access #m365 #admin-rollen

Full guide: Microsoft 365 governance for SMBs: pragmatic, not perfectionist

This article is part of our comprehensive Microsoft 365 & Entra ID guide. Read the pillar for the complete picture.
