Microsoft 365: Top 10 Non-Global Roles
Microsoft 365
17. Aug 2025 18:17


by HubSite 365 about Jonathan Edwards

No-Faffing Managed IT Support & Cyber Security Support. Made in Yorkshire, built for the UK.


MSP alert: stop blanket Global Admin access; use Microsoft 365 admin roles and Entra PIM for least privilege

Key insights

  • Global Administrator risk: The video shows an MSP who failed an audit after giving too many people the Global Administrator role. Granting that role widely creates a single point of failure and raises the chance of a large, costly breach.
  • Principle of least privilege and Privileged Identity Management (PIM): Apply least privilege by giving only needed rights. Use PIM for just-in-time elevation so admins get high privileges only when required and for a limited time.
  • Top non-Global admin roles to use instead of Global Admin: Billing Administrator, User Administrator, Password Administrator, Exchange Administrator, SharePoint Administrator, Teams Administrator, Intune Administrator, Security Administrator, Compliance Administrator, and Helpdesk Administrator.
  • Map roles to real jobs: assign User Administrator for HR tasks, Helpdesk Administrator for password resets, Billing Administrator for finance, Exchange/Teams/SharePoint/Intune Administrators for specific IT systems, and Security/Compliance Administrators for incident response and audits.
  • Recent platform improvements and benefits: Microsoft added more granular built-in roles and expanded RBAC and audit features. These changes improve security, make audits easier, and let teams operate without unchecked access.
  • Clear action steps for admins and MSPs: audit current admin assignments, remove unnecessary Global Administrator accounts, assign targeted roles, enable PIM, log and monitor privilege use, and document role policies for compliance.

Introduction

Jonathan Edwards published a practical YouTube video that warns against handing out the Global Administrator role to too many people in a tenant. In the clip, he walks viewers through ten alternative Microsoft 365 roles that better match real job functions while reducing security risk. Consequently, the video targets MSPs, IT teams, and internal auditors who need concrete guidance on role delegation. In this article, we summarize the video’s main points and explain tradeoffs and implementation challenges for newsroom readers.


What the Video Covers

First, Edwards highlights why overusing the Global Administrator role "kills" security by creating many overly powerful accounts that could be misused or compromised. Then, he maps common organizational functions—such as HR, finance, and helpdesk—to specific Microsoft 365 admin roles so people keep their day-to-day capabilities without full tenant control. Moreover, he emphasizes the principle of least privilege and demonstrates how to use Privileged Identity Management for just-in-time administrative access. As a result, the video balances practical role assignments with tools to reduce standing privileges.


Next, Edwards lists the top non-global roles and briefly describes what each role can do, illustrating how those rights match typical tasks. The audience hears clear examples like who should manage billing, who should control Teams settings, and who should handle device policies in Intune. Importantly, Edwards frames these roles as a way to maintain operational efficiency while improving compliance and auditability. Overall, his approach aims to make delegation sensible and measurable.


Key Microsoft 365 Roles Highlighted

Edwards points to several specific roles that cover most administrative needs without granting tenant-wide control. He highlights roles such as User Administrator, Helpdesk Administrator, Exchange Administrator, Teams Administrator, SharePoint Administrator, Intune Administrator, Security Administrator, Compliance Administrator, Billing Administrator, and Service Support Administrator. For each role, he explains how the role maps to real responsibilities and why it is safer than a blanket global assignment. Consequently, organizations can assign targeted duties while retaining oversight from a small set of true global admins.


Furthermore, Edwards underscores newer granular roles in Microsoft Entra and related services that improve alignment with business needs. He notes that this granularity helps teams avoid granting more rights than necessary and supports role-based auditing. Therefore, IT managers should review built-in roles before creating custom ones, since built-ins often match common scenarios. In this way, the video encourages sensible use of Microsoft’s role catalog rather than defaulting to broad permissions.


Security Benefits and Use of PIM

Reducing the number of permanent global administrators lowers attack surface and simplifies incident response, Edwards explains, because fewer highly privileged accounts mean fewer targets for attackers. Moreover, assigning specific roles makes it easier to track who made changes, improving forensic and audit processes. Edwards also recommends Privileged Identity Management to provide just-in-time activation for sensitive roles, which further reduces standing privileges and exposure. As a result, the combination of role delegation and PIM forms a stronger security posture than wide distribution of global rights.


However, Edwards points out that PIM and just-in-time access add procedural steps that teams must manage carefully so operational work does not slow down. Therefore, he advises organizations to pilot PIM with a few critical roles and measure impact on support workflows. In addition, he recommends logging and alerting to detect unusual elevations of privilege quickly. Consequently, security improves while remaining practical for daily operations.


Implementation Tips, Tradeoffs, and Challenges

Edwards stresses that the main tradeoff involves balancing security and convenience: tighter role assignments reduce risk but can create friction if users lack needed access at critical times. He suggests clear role ownership, documented processes for escalation, and training to reduce friction without weakening controls. Additionally, routine role reviews and audits help curb role sprawl and ensure permissions still reflect job requirements. Thus, ongoing governance disciplines are essential when decentralizing administration.


Another challenge Edwards highlights is the potential for misconfigured roles or overlapping responsibilities that create gaps in coverage. Consequently, he recommends mapping business processes to admin capabilities before assigning roles and testing those assignments in a staging environment. Moreover, central teams should provide quick escalation paths and retain a small number of emergency Global Administrator accounts protected by PIM and strong authentication. In short, careful planning and monitoring address the main tradeoffs between security and responsiveness.
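The audit and role-mapping steps described above, sketched as an added example (not code from the video or from HubSite 365): it checks an exported list of role assignments for Global Administrator holders and suggests the targeted role for each job function. The record fields, account names, job-function labels and the limit of two holders are assumptions made for illustration.

```python
# Added example: audit a role-assignment export for blanket Global Administrator use.
# Record fields, account names and job-function labels are constructed, not a real API schema.
GLOBAL_ADMIN = "Global Administrator"

# Job function -> targeted role, following the mapping described in the article.
TARGETED_ROLE = {
    "hr": "User Administrator",
    "helpdesk": "Helpdesk Administrator",
    "finance": "Billing Administrator",
    "messaging": "Exchange Administrator",
    "devices": "Intune Administrator",
    "security": "Security Administrator",
    "compliance": "Compliance Administrator",
}

SAMPLE = [  # constructed sample export
    {"principal": "alice@example.com", "role": GLOBAL_ADMIN, "type": "permanent", "job_function": "hr"},
    {"principal": "bob@example.com", "role": GLOBAL_ADMIN, "type": "permanent", "job_function": "helpdesk"},
    {"principal": "carol@example.com", "role": GLOBAL_ADMIN, "type": "eligible", "job_function": "platform"},
    {"principal": "breakglass1@example.com", "role": GLOBAL_ADMIN, "type": "permanent", "job_function": ""},
    {"principal": "dave@example.com", "role": "Exchange Administrator", "type": "permanent", "job_function": "messaging"},
]
EMERGENCY = {"breakglass1@example.com"}  # hypothetical emergency account list

def audit(assignments, emergency_accounts, max_global_admins=2):
    """Return (principal, finding) tuples for Global Administrator holders."""
    findings = []
    holders = [a for a in assignments if a["role"] == GLOBAL_ADMIN]
    for a in holders:
        who, standing = a["principal"], a["type"] == "permanent"
        if who in emergency_accounts:
            if standing:  # the article wants emergency accounts protected by PIM
                findings.append((who, "emergency account with standing access: protect with PIM"))
            continue
        target = TARGETED_ROLE.get(a.get("job_function"))
        if target:  # a narrower role covers this person's job
            findings.append((who, f"replace {GLOBAL_ADMIN} with {target}"))
        elif standing:  # no mapping: keep the role only as just-in-time access
            findings.append((who, "standing access: remove or make PIM-eligible"))
    count = len({a["principal"] for a in holders})
    if count > max_global_admins:  # assumed limit for "a small number" of holders
        findings.append(("tenant", f"{count} {GLOBAL_ADMIN} holders, limit is {max_global_admins}"))
    return findings

if __name__ == "__main__":
    for who, finding in audit(SAMPLE, EMERGENCY):
        print(f"{who}: {finding}")
```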


Conclusion

In summary, Jonathan Edwards’ video offers a clear, practical roadmap for replacing broad administrative permissions with role-specific assignments in Microsoft 365. By combining targeted roles, Privileged Identity Management, and routine governance, organizations can strengthen security while keeping people productive. Nevertheless, teams must accept some operational change and invest in training, monitoring, and review cycles to avoid new problems such as role sprawl or blocked workflows. Finally, for IT leaders and MSPs, the video serves as a useful reminder: thoughtful delegation beats blanket permissions every time.

