Roles, Role Groups and Workload Permissions

Least privilege across the M365 stack

Simple explanation

Not every admin needs the keys to every room. The art of role management is giving people exactly enough access to do their job — and nothing more.

Imagine a hospital: the surgeon needs operating theatre access, the pharmacist needs the medicine cabinet, and the receptionist needs the front desk system. Nobody needs all three. That’s least privilege — and in Microsoft 365, you implement it through roles and role groups across multiple admin portals.

The tricky part? Microsoft 365 has MULTIPLE role systems: Entra ID roles, M365 admin roles, Exchange role groups, Defender permissions, and Purview role groups. They overlap, interact, and sometimes confuse even experienced admins.

Entra ID built-in roles (most common)

Role	What It Controls	Common Use
Global Administrator	Everything — all services, all settings	Break-glass accounts only (max 2-4)
User Administrator	Create/manage users, reset passwords, manage groups	Help desk leads, user provisioning teams
Licence Administrator	Assign/remove licences	Teams handling licence requests
Exchange Administrator	Exchange Online settings, mailboxes, mail flow	Email team
SharePoint Administrator	SharePoint/OneDrive settings, sites, storage	Collaboration team
Teams Administrator	Teams settings, policies, voice configuration	Teams/UC team
Security Administrator	Security settings across Defender, Entra, Purview	Security operations team
Compliance Administrator	Purview compliance features, DLP, retention	Compliance team
Privileged Role Administrator	Manage Entra role assignments and PIM policies	Identity governance team
Global Reader	Read-only access to everything	Auditors, reporting, oversight

Exam tip: Global Admin is almost never the right answer

When the exam asks “Which role should Elena assign to…” the answer is almost never Global Administrator. The exam rewards least-privilege thinking:

Need to manage mailboxes? → Exchange Administrator
Need to configure DLP? → Compliance Administrator
Need to investigate security incidents? → Security Administrator or Security Operator
Need to manage Conditional Access? → Conditional Access Administrator
Need to read everything for an audit? → Global Reader

If you find yourself selecting Global Admin, re-read the question — there’s almost certainly a more specific role.

Workload-specific role groups

Exchange Online role groups

Exchange has its own RBAC system in the Exchange admin center:

Role Group	Access	Managed In
Organization Management	Full Exchange admin	Exchange admin center
Recipient Management	Manage mailboxes, groups, contacts	Exchange admin center
Help Desk	View and reset passwords, manage recipients	Exchange admin center
Compliance Management	In-place eDiscovery, journaling, transport rules	Exchange admin center

Microsoft Defender XDR roles

The unified Defender portal (security.microsoft.com) uses its own permission model:

Role/Role Group	Access	Purpose
Security Administrator	Full security config	Manage Defender policies, alerts, settings
Security Operator	Investigate and respond	Manage incidents, run investigations, approve actions
Security Reader	Read-only security data	View incidents, alerts, reports without modification
Attack Simulation Administrator	Manage attack simulations	Create and manage phishing simulations (Defender for Office 365)

Microsoft Purview role groups

Role Group	Access	Purpose
Compliance Administrator	Full Purview admin	DLP, retention, sensitivity labels, compliance settings
Compliance Data Administrator	Data-related compliance	Content search, data classification, data connectors
eDiscovery Manager	eDiscovery cases	Create cases, run searches, place holds
Information Protection Admin	Labels and encryption	Sensitivity labels, Azure Information Protection
Records Management	Records and retention	Retention labels, file plans, disposition

Deep dive: How Entra roles and workload roles interact

Here’s the key insight for the exam: Entra ID roles and workload role groups are separate permission systems, but some Entra roles grant permissions in workloads:

Global Administrator (Entra) → has full access to ALL workloads (Exchange, Defender, Purview, etc.)
Exchange Administrator (Entra) → maps to Organization Management in Exchange
Security Administrator (Entra) → grants permissions in both Defender portal and Purview

However, Exchange role groups, Defender custom roles, and Purview role groups can grant permissions that no Entra role provides. For example:

eDiscovery Manager (Purview) gives case-level search authority that no Entra role grants
Attack Simulation Administrator (Defender) is a purpose-built role not available in Entra

When the exam asks which role to use, consider whether the task is tenant-wide (Entra role) or workload-specific (workload role group).

Elena’s least-privilege design for MedGuard Health

Elena designs the role structure for MedGuard Health’s admin team:

Admin	Entra Role	Workload Role Group	Why
Elena (Security Ops Lead)	Security Administrator	Defender: Security Operator	Investigate incidents, manage security policies
Compliance Officer	Compliance Administrator	Purview: eDiscovery Manager	Manage DLP, retention, run eDiscovery cases
Help Desk (3 staff)	Helpdesk Administrator	Exchange: Help Desk	Password resets, basic user support
IT Manager	User Administrator	—	Create users, manage groups, no security/compliance
External Auditor	Global Reader	Purview: Compliance Data Administrator (read)	View everything, modify nothing

She avoids assigning Global Admin to anyone except two break-glass accounts stored in a physical safe.

Key concepts to remember

Question

Name three Entra ID roles more specific than Global Administrator for common admin tasks.

Click or press Enter to reveal answer

Answer

1. Exchange Administrator — manage Exchange Online. 2. Security Administrator — manage security across Defender and Purview. 3. User Administrator — create/manage users and groups. Always choose the most specific role that covers the required tasks.

Click to flip back

Question

Where are Microsoft Defender XDR permissions managed?

Click or press Enter to reveal answer

Answer

In the Microsoft Defender portal (security.microsoft.com) under Settings > Permissions. Key roles: Security Administrator (full config), Security Operator (investigate and respond), Security Reader (view only), Attack Simulation Administrator (manage phishing sims).

Click to flip back

Question

What is the relationship between the Entra 'Exchange Administrator' role and Exchange Online role groups?

Click or press Enter to reveal answer

Answer

The Entra Exchange Administrator role maps to the Organization Management role group in Exchange Online. Assigning Exchange Administrator in Entra gives the user full Exchange admin rights. For more granular Exchange permissions, use Exchange-specific role groups like Recipient Management or Help Desk.

Click to flip back

Question

Which role should you assign for someone who only needs to manage eDiscovery cases in Purview?

Click or press Enter to reveal answer

Answer

The eDiscovery Manager role group in Microsoft Purview. This is a workload-specific role — no Entra ID role provides equivalent targeted eDiscovery permissions. Don't assign Compliance Administrator if only eDiscovery is needed.

Click to flip back

Knowledge check

Knowledge Check

Elena needs to give an external auditor read-only access to view security incidents in Defender XDR, compliance reports in Purview, and user lists in Entra — without the ability to modify anything. Which single Entra role achieves this?

Knowledge Check

Dev's client wants their compliance team to manage only DLP policies and sensitivity labels, without access to eDiscovery or security incident management. Which approach follows least privilege?

Next up: Delegate with Administrative Units and PIM — scoping admin powers to specific departments and activating roles only when needed.