The Top 10 Microsoft 365 Roles That Aren't Global Admin
Sep 05, 2025
MSP Mike was having a nightmare. One of his biggest clients had just undergone a security audit and apparently he had handed out global admin access to half the staff.
"Oh no," he muttered. "I thought they needed admin access…"
Mike’s predicament is not unusual. Many IT pros, especially in MSPs, give global administrator access to anyone who needs to do admin tasks. It seems harmless until there is an audit, a breach, or someone clicks the wrong button. Global Admin rights give complete control over your Microsoft 365 tenant: identity, email, files, compliance settings, everything. That level of access should be reserved for a very small number of accounts.
The good news is Microsoft 365 offers over 60 built-in admin roles that provide just enough access for each user to do their job and nothing more. This is called the principle of least privilege and it is a key part of zero trust security.
Here is how Mike and I fixed his mess, one role at a time.
1. User Administrator
Sally in HR onboards new staff and manages user accounts. She does not need global admin. The User Administrator role gives her enough access to manage users and reset passwords. It is safe, simple, and low risk.
2. Helpdesk Administrator
Aaron spends his days unlocking accounts and resetting passwords. He only needs the Helpdesk Administrator role. It is enough to manage user issues without opening any doors to sensitive areas.
3. Exchange Administrator
Gemma works in IT but focuses on email. She manages shared mailboxes, distribution lists, and mail flow. Assign her as an Exchange Administrator and she can do her job without touching anything else in Microsoft 365.
4. Teams Administrator
Marcus lives in Teams. He manages meeting policies and app setups. The Teams Administrator role keeps him focused on Teams without giving access to other areas.
5. SharePoint Administrator
Karen manages SharePoint sites and structure. She only needs the SharePoint Administrator role. It allows her to oversee sites and sharing settings without interfering with anyone else.
6. Compliance Administrator
Natalie works in legal and manages eDiscovery and retention policies. The Compliance Administrator role gives her access to Microsoft Purview tools without broader admin rights.
7. Security Administrator
Dev monitors Defender alerts and handles incident response. The Security Administrator role gives him full access to security tools but no control over users or other areas.
8. Billing Administrator
Cla in finance needs to check invoices and subscriptions. The Billing Administrator role gives her exactly what she needs and nothing more.
9. Intune Administrator
Sanjay manages devices, laptops, and compliance settings. The Intune Administrator role covers all endpoint management and keeps devices secure without extra privileges.
10. Service Support Administrator
Mike only needs to raise tickets with Microsoft. The Service Support Administrator role gives him just enough access for support with no real admin rights.
And what about Gavin, who wanders around unplugging cables? Sadly, there is no Microsoft 365 role for Vice President of Ethernet Wriggling.
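The clean-up Mike and I did can be scripted. The following is an added example written for this post, not code from the original article or from Microsoft: it lists who currently holds Global Administrator, gives one user a scoped role (User Administrator for Sally) using Microsoft Graph PowerShell, and only then removes her Global Administrator membership. It assumes the Microsoft.Graph module is installed and that the signed-in account can read directory roles and manage role assignments; the user principal name sally@contoso.example is a placeholder.

```powershell
# Added example (not from the original post): audit Global Administrator holders
# and replace one of them with a least-privilege role via Microsoft Graph PowerShell.
# Placeholder values: sally@contoso.example

Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "Directory.Read.All", "User.Read.All"

# 1. Who holds Global Administrator today?
#    Get-MgDirectoryRole only returns roles that have been activated in the tenant,
#    which Global Administrator always has.
$globalAdmin = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$members     = @(Get-MgDirectoryRoleMember -DirectoryRoleId $globalAdmin.Id)

$members | ForEach-Object {
    # Members come back as generic directoryObjects; user fields sit in AdditionalProperties.
    [pscustomobject]@{
        DisplayName       = $_.AdditionalProperties.displayName
        UserPrincipalName = $_.AdditionalProperties.userPrincipalName
        ObjectType        = $_.AdditionalProperties.'@odata.type'
    }
} | Format-Table -AutoSize

# 2. Assign the scoped role instead. Looking the role up by display name avoids
#    hard-coding role template IDs.
$targetUpn = "sally@contoso.example"    # placeholder
$roleName  = "User Administrator"

$user    = Get-MgUser -UserId $targetUpn
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"

New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId $roleDef.Id `
    -PrincipalId $user.Id -DirectoryScopeId "/"

# 3. Remove the Global Administrator membership, but never strip the last holders:
#    Microsoft's guidance is to keep at least two emergency-access (break-glass) accounts.
$isGlobalAdmin = $members.Id -contains $user.Id
if ($isGlobalAdmin -and $members.Count -gt 2) {
    Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $globalAdmin.Id -DirectoryObjectId $user.Id
    Write-Host "$targetUpn moved from Global Administrator to $roleName"
} elseif ($isGlobalAdmin) {
    Write-Warning "Not removing $targetUpn: fewer than three Global Administrators would remain."
} else {
    Write-Host "$targetUpn was not a Global Administrator; scoped role assigned only."
}
```

Run step 1 on its own first and keep the output for the auditor: the list of standing Global Administrators is usually the finding that started the conversation. Note that User Administrator cannot reset passwords for accounts that hold other admin roles, so if Sally also supports the IT team, check the role's limits before you rely on it.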
Extra Tip: Privileged Identity Management
Even with the right roles, you do not want to leave the door wide open. Microsoft Entra Privileged Identity Management (PIM) allows roles to be assigned as eligible rather than permanent.
Users can request access only when they need it. You can require approval, MFA, or justification before granting access. Access automatically expires after a set time.
Instead of making someone a permanent SharePoint admin or worse a global admin, they get time-limited access when it is required. This is zero trust in action.
PIM is included with Microsoft Entra ID P2, which comes with Microsoft 365 E5 or can be added to Business Premium. If your business hands out global admin like sweets at Halloween, it is time to tighten things up. Pick the right role, use PIM, and keep auditors happy.
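To show the eligible-rather-than-permanent model in practice, here is an added example (not from the original post or from Microsoft) that makes Karen eligible for SharePoint Administrator through Entra PIM. Nothing becomes active until she activates the role, and the PIM role settings decide whether that activation demands MFA, approval, or a justification. It assumes Microsoft Entra ID P2, the Microsoft.Graph module, and a signed-in account that can manage role eligibility; karen@contoso.example is a placeholder.

```powershell
# Added example (not from the original post): create a PIM eligibility for a
# scoped role instead of a permanent assignment. Placeholder: karen@contoso.example

Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All"

$targetUpn = "karen@contoso.example"    # placeholder
$roleName  = "SharePoint Administrator"

$user    = Get-MgUser -UserId $targetUpn
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"

# Eligibility, not an active assignment. The role does nothing until Karen activates it,
# and the eligibility itself lapses after the ISO 8601 duration below (one year).
$request = @{
    action           = "adminAssign"
    justification    = "Least-privilege replacement for standing admin access"
    roleDefinitionId = $roleDef.Id
    principalId      = $user.Id
    directoryScopeId = "/"      # whole tenant; administrative units can narrow this
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{
            type     = "afterDuration"
            duration = "P365D"
        }
    }
}

$result = New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $request
Write-Host "Eligibility request status: $($result.Status)"

# Verify: list who is eligible (not active) for the role.
Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter "roleDefinitionId eq '$($roleDef.Id)'" |
    Select-Object PrincipalId, DirectoryScopeId, Status
```

When Karen later activates the role, PIM writes an audit record of who activated what, when, and why, which is exactly the evidence an auditor asks for and that a standing assignment never produces.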
Microsoft 365 roles do not need to be scary. By using the correct admin roles and combining them with PIM, you can give your team exactly the access they need and nothing more.