Roles, Role Groups and Workload Permissions
Implement least-privilege administration across Microsoft 365, Entra ID, Defender XDR, Purview, Exchange, SharePoint, and Teams using built-in and custom roles.
Least privilege across the M365 stack
Not every admin needs the keys to every room. The art of role management is giving people exactly enough access to do their job, and nothing more.
Imagine a hospital: the surgeon needs operating theatre access, the pharmacist needs the medicine cabinet, and the receptionist needs the front desk system. Nobody needs all three. That's least privilege, and in Microsoft 365 you implement it through roles and role groups across multiple admin portals.
The tricky part? Microsoft 365 has MULTIPLE role systems: Entra ID roles, M365 admin roles, Exchange role groups, Defender permissions, and Purview role groups. They overlap, interact, and sometimes confuse even experienced admins.
Entra ID built-in roles (most common)
| Role | What It Controls | Common Use |
|---|---|---|
| Global Administrator | Everything: all services, all settings | Break-glass accounts only (max 2-4) |
| User Administrator | Create/manage users, reset passwords, manage groups | Help desk leads, user provisioning teams |
| Licence Administrator | Assign/remove licences | Teams handling licence requests |
| Exchange Administrator | Exchange Online settings, mailboxes, mail flow | Email team |
| SharePoint Administrator | SharePoint/OneDrive settings, sites, storage | Collaboration team |
| Teams Administrator | Teams settings, policies, voice configuration | Teams/UC team |
| Security Administrator | Security settings across Defender, Entra, Purview | Security operations team |
| Compliance Administrator | Purview compliance features, DLP, retention | Compliance team |
| Privileged Role Administrator | Manage Entra role assignments and PIM policies | Identity governance team |
| Global Reader | Read-only access to everything | Auditors, reporting, oversight |
Exam tip: Global Admin is almost never the right answer
When the exam asks "Which role should Elena assign to..." the answer is almost never Global Administrator. The exam rewards least-privilege thinking:
- Need to manage mailboxes? → Exchange Administrator
- Need to configure DLP? → Compliance Administrator
- Need to investigate security incidents? → Security Administrator or Security Operator
- Need to manage Conditional Access? → Conditional Access Administrator
- Need to read everything for an audit? → Global Reader
If you find yourself selecting Global Admin, re-read the question; there's almost certainly a more specific role.
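The quickest way to put this exam tip into practice is to audit who actually holds Global Administrator and compare that list with the 2-4 break-glass ceiling from the table above. The script below is an added example written for this page, not code from the original lesson or from Microsoft; it assumes the Microsoft.Graph.Authentication and Microsoft.Graph.Identity.Governance modules are installed and that the signed-in account can read directory role assignments. The `$MaxBreakGlass` threshold is taken from the table; the `Get-EntraRoleDefinition` and `Get-EntraRoleHolders` function names are this example's own.

```powershell
# Added example (not from the original page): audit Entra ID role assignments with
# Microsoft Graph PowerShell and flag Global Administrator sprawl against the
# 2-4 break-glass guidance. Assumes Microsoft.Graph.Authentication and
# Microsoft.Graph.Identity.Governance are installed.

Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All" -NoWelcome

$MaxBreakGlass = 4   # upper bound from the roles table above

# Resolve a built-in role by display name rather than hard-coding its template ID.
function Get-EntraRoleDefinition {
    param([Parameter(Mandatory)][string]$DisplayName)
    Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$DisplayName'"
}

# Return every active assignment of a role, with the principal resolved to a UPN
# (users) or display name (groups / service principals) and the assignment scope.
function Get-EntraRoleHolders {
    param([Parameter(Mandatory)][string]$DisplayName)
    $role = Get-EntraRoleDefinition -DisplayName $DisplayName
    Get-MgRoleManagementDirectoryRoleAssignment -All `
        -Filter "roleDefinitionId eq '$($role.Id)'" -ExpandProperty Principal |
        ForEach-Object {
            $props = $_.Principal.AdditionalProperties
            $name  = if ($props['userPrincipalName']) { $props['userPrincipalName'] } else { $props['displayName'] }
            [pscustomobject]@{
                Role      = $DisplayName
                Principal = $name
                Type      = $props['@odata.type']
                Scope     = $_.DirectoryScopeId   # "/" means tenant-wide
            }
        }
}

# 1. Who holds Global Administrator today?
$globalAdmins = @(Get-EntraRoleHolders -DisplayName "Global Administrator")
$globalAdmins | Format-Table -AutoSize

if ($globalAdmins.Count -gt $MaxBreakGlass) {
    Write-Warning "$($globalAdmins.Count) Global Administrator assignments found; expected at most $MaxBreakGlass break-glass accounts."
    Write-Warning "Review each holder for a narrower role: Exchange, Security, Compliance, User Administrator or Global Reader."
}

# 2. For comparison, list holders of the narrower roles the exam expects for day-to-day work.
"Exchange Administrator", "Security Administrator", "Compliance Administrator", "Global Reader" |
    ForEach-Object { Get-EntraRoleHolders -DisplayName $_ } |
    Format-Table -AutoSize
```

Two caveats when reading the output: the assignment cmdlet returns only active assignments, so PIM-eligible holders (covered in the next lesson on PIM) do not appear here, and a group principal counts as one row even though every group member inherits the role, so expand group membership before concluding that the break-glass count is within bounds.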
Workload-specific role groups
Exchange Online role groups
Exchange has its own RBAC system in the Exchange admin center:
| Role Group | Access | Managed In |
|---|---|---|
| Organization Management | Full Exchange admin | Exchange admin center |
| Recipient Management | Manage mailboxes, groups, contacts | Exchange admin center |
| Help Desk | View and reset passwords, manage recipients | Exchange admin center |
| Compliance Management | In-place eDiscovery, journaling, transport rules | Exchange admin center |
Microsoft Defender XDR roles
The unified Defender portal (security.microsoft.com) uses its own permission model:
| Role/Role Group | Access | Purpose |
|---|---|---|
| Security Administrator | Full security config | Manage Defender policies, alerts, settings |
| Security Operator | Investigate and respond | Manage incidents, run investigations, approve actions |
| Security Reader | Read-only security data | View incidents, alerts, reports without modification |
| Attack Simulation Administrator | Manage attack simulations | Create and manage phishing simulations (Defender for Office 365) |
Microsoft Purview role groups
| Role Group | Access | Purpose |
|---|---|---|
| Compliance Administrator | Full Purview admin | DLP, retention, sensitivity labels, compliance settings |
| Compliance Data Administrator | Data-related compliance | Content search, data classification, data connectors |
| eDiscovery Manager | eDiscovery cases | Create cases, run searches, place holds |
| Information Protection Admin | Labels and encryption | Sensitivity labels, Azure Information Protection |
| Records Management | Records and retention | Retention labels, file plans, disposition |
Deep dive: How Entra roles and workload roles interact
Here's the key insight for the exam: Entra ID roles and workload role groups are separate permission systems, but some Entra roles grant permissions in workloads:
- Global Administrator (Entra) → has full access to ALL workloads (Exchange, Defender, Purview, etc.)
- Exchange Administrator (Entra) → maps to Organization Management in Exchange
- Security Administrator (Entra) → grants permissions in both Defender portal and Purview
However, Exchange role groups, Defender custom roles, and Purview role groups can grant permissions that no Entra role provides. For example:
- eDiscovery Manager (Purview) gives case-level search authority that no Entra role grants
- Attack Simulation Administrator (Defender) is a purpose-built role not available in Entra
When the exam asks which role to use, consider whether the task is tenant-wide (Entra role) or workload-specific (workload role group).
Elena's least-privilege design for MedGuard Health
Elena designs the role structure for MedGuard Health's admin team:
| Admin | Entra Role | Workload Role Group | Why |
|---|---|---|---|
| Elena (Security Ops Lead) | Security Administrator | Defender: Security Operator | Investigate incidents, manage security policies |
| Compliance Officer | Compliance Administrator | Purview: eDiscovery Manager | Manage DLP, retention, run eDiscovery cases |
| Help Desk (3 staff) | Helpdesk Administrator | Exchange: Help Desk | Password resets, basic user support |
| IT Manager | User Administrator | None | Create users, manage groups, no security/compliance |
| External Auditor | Global Reader | Purview: Compliance Data Administrator (read) | View everything, modify nothing |
She avoids assigning Global Admin to anyone except two break-glass accounts stored in a physical safe.
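Elena's table, the Exchange and Purview role-group sections, and the deep dive on how Entra roles and workload role groups interact can all be exercised with one data-driven script. The block below is an added example for this page, not MedGuard's or Microsoft's own code. It assumes the Microsoft.Graph (Authentication, Users, Identity.Governance) and ExchangeOnlineManagement modules are installed; every UPN under `medguard.example` is a constructed placeholder, and `Grant-EntraRole` and `$Design` are names chosen for this example. The two break-glass Global Administrator accounts are deliberately absent, since the lesson keeps them out of band.

```powershell
# Added example (not from the original page): apply Elena's least-privilege design as
# data. Entra roles go through Microsoft Graph PowerShell; Exchange and Purview role
# groups go through Exchange Online and Security & Compliance PowerShell, which expose
# the same Add-RoleGroupMember cmdlet against different role-group catalogues.
# UPNs are constructed placeholders. Break-glass Global Admins are intentionally omitted.

$Design = @(
    [pscustomobject]@{ Upn = "elena@medguard.example";      EntraRole = "Security Administrator";   Workload = "Defender"; RoleGroup = "Security Operator" }
    [pscustomobject]@{ Upn = "compliance@medguard.example"; EntraRole = "Compliance Administrator"; Workload = "Purview";  RoleGroup = "eDiscovery Manager" }
    [pscustomobject]@{ Upn = "helpdesk1@medguard.example";  EntraRole = "Helpdesk Administrator";   Workload = "Exchange"; RoleGroup = "Help Desk" }
    [pscustomobject]@{ Upn = "helpdesk2@medguard.example";  EntraRole = "Helpdesk Administrator";   Workload = "Exchange"; RoleGroup = "Help Desk" }
    [pscustomobject]@{ Upn = "helpdesk3@medguard.example";  EntraRole = "Helpdesk Administrator";   Workload = "Exchange"; RoleGroup = "Help Desk" }
    [pscustomobject]@{ Upn = "itmanager@medguard.example";  EntraRole = "User Administrator";       Workload = $null;      RoleGroup = $null }
    [pscustomobject]@{ Upn = "auditor@medguard.example";    EntraRole = "Global Reader";            Workload = "Purview";  RoleGroup = "Compliance Data Administrator" }
)

# --- Entra ID roles (tenant-wide scope "/") via Microsoft Graph ---
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All" -NoWelcome

function Grant-EntraRole {
    param([Parameter(Mandatory)][string]$Upn, [Parameter(Mandatory)][string]$RoleName)
    $role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleName'"
    $user = Get-MgUser -UserId $Upn -Property Id
    # Idempotent: skip if the user already holds an active assignment of this role.
    $existing = Get-MgRoleManagementDirectoryRoleAssignment `
        -Filter "principalId eq '$($user.Id)' and roleDefinitionId eq '$($role.Id)'"
    if ($existing) { Write-Host "$Upn already holds $RoleName"; return }
    New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $user.Id `
        -RoleDefinitionId $role.Id -DirectoryScopeId "/" | Out-Null
    Write-Host "Assigned $RoleName to $Upn"
}

foreach ($row in $Design) { Grant-EntraRole -Upn $row.Upn -RoleName $row.EntraRole }

# --- Exchange Online role groups (Exchange admin center RBAC) ---
Connect-ExchangeOnline -ShowBanner:$false
foreach ($row in $Design | Where-Object Workload -eq "Exchange") {
    Add-RoleGroupMember -Identity $row.RoleGroup -Member $row.Upn
}
# Verify: the three help-desk staff should now appear, and nobody else was added.
Get-RoleGroupMember -Identity "Help Desk" | Select-Object Name
Disconnect-ExchangeOnline -Confirm:$false

# --- Purview role groups (Security & Compliance PowerShell, connected separately so the
#     cmdlet names do not collide with the Exchange session) ---
Connect-IPPSSession
foreach ($row in $Design | Where-Object Workload -eq "Purview") {
    Add-RoleGroupMember -Identity $row.RoleGroup -Member $row.Upn
}
Get-RoleGroupMember -Identity "eDiscovery Manager" | Select-Object Name
Disconnect-ExchangeOnline -Confirm:$false

# --- Defender XDR: no role-group cmdlet. Per the deep dive, Elena's Entra Security
#     Administrator role already grants Defender portal permissions; anything narrower
#     (e.g. Security Operator) is configured in security.microsoft.com. ---
$Design | Where-Object Workload -eq "Defender" | ForEach-Object {
    Write-Host "$($_.Upn): set '$($_.RoleGroup)' in the Defender portal (portal-managed, not scripted here)"
}
```

Two things worth noticing when running this: `Add-RoleGroupMember` throws if the user is already a member, so wrap it in `try`/`catch` or check `Get-RoleGroupMember` first if the script is re-run, and the Defender section prints instead of assigning because the unified Defender portal's permissions are not exposed through these modules, which is exactly the separation between tenant-wide Entra roles and workload-specific role groups that the deep dive describes.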
Knowledge check
Elena needs to give an external auditor read-only access to view security incidents in Defender XDR, compliance reports in Purview, and user lists in Entra, without the ability to modify anything. Which single Entra role achieves this?
Dev's client wants their compliance team to manage only DLP policies and sensitivity labels, without access to eDiscovery or security incident management. Which approach follows least privilege?