Permissions in Office 365

How do permissions affect what users can do or see in Office 365? How are Exchange Online roles and permissions related to SharePoint Online Essentials roles and permissions, where do you assign these roles, and what can users do when they have these roles and permissions? This FAQ answers these questions and more.


What are the permissions models used by the different Office 365 services?

Service Permissions model
Office 365

Office 365 Enterprise and Office 365 Midsize Business

In Office 365 Enterprise and Office 365 Midsize Business, the permissions for each user are defined by the management role assigned to that user. This structure is referred to as role-based access control (RBAC).

There are five admin roles in Office 365 Enterprise and Office 365 Midsize Business:

  • Global admin
  • Billing admin
  • Password admin
  • Service admin
  • User management admin

The person who signs up for Office 365 Enterprise and Office 365 Midsize Business for his or her organization automatically becomes a global admin, or top-level admin. For more information about admin roles in Office 365 Enterprise and Office 365 Midsize Business, see Assigning admin roles.

Delegated administration

Microsoft partner companies that are authorized to provide delegated administration on behalf of a customer can also assign admin permissions in Office 365 Enterprise and Office 365 Midsize Business, either to support agents in their company or to the customers themselves.

Roles a partner can set:

  • Full administration, which has privileges equivalent to a global admin.
  • Limited administration, which has privileges equivalent to a password admin.

Before the partner can assign permissions to users as a delegated admin, the customer must first add the partner as a delegated admin to their account. This process is initiated by an authorized partner. The partner sends you an email to ask you if you want to give them permission to act as a delegated admin. For more information, see Add or delete a delegated admin.

Office 365 Small Business

In Office 365 Small Business, there is only one type of admin. The person who signs up for Office 365 Small Business automatically becomes an admin. He or she can then grant admin permissions to other users in the organization, as needed. All admins have the same permissions. For more information about admin permissions in Office 365 Small Business, see Assigning admin permissions.

Exchange Online

Admin roles and permissions

Exchange Online also uses role-based access control (RBAC), so that permissions are determined by the user’s management role, but the admin roles used in Exchange Online are different from the roles used in the Office 365 portal.

See Permissions in Exchange Online for information on Exchange Online permissions and admin roles, including:

  • Role-based access control in Exchange Online
  • Administrator role groups in Exchange Online
  • Role assignment policies in Exchange Online
  • A list of all roles in Exchange Online

Individual mailbox permissions

Individual mailbox permissions, such as allowing a user to open someone else's mailbox or to send email as a different user, aren't assigned with RBAC roles. See Manage Permissions for Recipients for more information about individual mailbox permissions, including:

  • Give an admin the ability to open and view the contents of a user's mailbox
  • Give users the Send As permission

SharePoint Online

SharePoint Online has its own separate security model and groups, designed specifically to secure sites, lists, and items in SharePoint Online. There is one shared role, however, and that is the SharePoint Online administrator. The person who signs up for Office 365 automatically becomes a global admin and is your SharePoint Online admin. The global admin is included as the primary site collection admin for the team site that is automatically set up for SharePoint Online.

Note: Due to the default level of access and control that is provided when connected to the SharePoint Online admin site and the associated list of sites, a SharePoint license must be assigned to the global admin or you will receive an “Access Denied” message.

The SharePoint Online admin in Office 365 Enterprise and Office 365 Midsize Business plans has access to a special administrative site called the SharePoint Online admin center. It is from this site that the SharePoint Online admin can assign other users as site collection admins.

Other Office 365 admin roles (password admin, billing admin, and user management admin) do not play a part in the SharePoint Online security model. SharePoint Online has its own separate security model.

Site collection admins and permissions

Site collections serve as permissions boundaries within SharePoint. A site collection is a group of sites organized in a hierarchy under a single top-level site. This top-level site is called the root site of the site collection. By default, permissions set on the root site http://www.contoso.com/ are inherited by any of its subsites, such as http://www.contoso.com/informationTechnology.

If you create separate site collections, these will have their own unique permissions. A separate site collection, such as http://www.contoso.com/sites/Marketplace (new site collections can be identified by the presence of /sites or /teams after the domain) would have its own permissions, and would not inherit permissions from http://www.contoso.com.

Site collection admins have permissions to manage SharePoint Online at the site collection level, and their permissions extend to all the subsites and content in the site collection that they administer.

Non-admins

The majority of users of a SharePoint Online site will be non-admins. You can assign them to a default SharePoint Online security group (such as Members, Owners, Viewers, or Visitors), or you can place them in custom groups created by the site owner or site collection admins. You can also give them permissions to the site on an individual basis, but we recommend that you assign them to groups. Granting a large number of users individual permissions creates management issues. For more information, see the following:

Lync Online

Lync Online follows the Office 365 permissions system in a very simple manner: anyone who is an Office 365 global admin or user management admin is automatically a Lync Online admin. Assigning a user to one of these two Office 365 Enterprise or Office 365 Midsize Business roles is the only way to enable them to administer Lync Online. Lync Online has no specific functions that have their own permissions.

Which services do my Office 365 permissions extend to?

The Office 365 portal is like a dashboard from which you launch the different Office 365 services. The permissions you set in the Office 365 portal apply only to objects in the Office 365 portal.

When you add users to your Office 365 subscription in the Office 365 portal, those users become available for you to add into SharePoint Online groups within your SharePoint Online team site, and into Exchange Online groups.

Certain admin roles in Office 365 Enterprise and Office 365 Midsize Business have a corresponding role in Exchange Online, SharePoint Online, and Lync Online. The table below describes how these Office 365 admin roles translate into roles in the different Office 365 services.

Office 365 admin role | Translates to this in Exchange Online | Translates to this in SharePoint Online | Translates to this in Lync Online
global admin          | Exchange Online admin (Company admin)  | SharePoint Online admin                 | Lync Online admin
billing admin         | N/A                                    | N/A                                     | N/A
password admin        | Help Desk admin                        | N/A                                     | Lync Online admin
service admin         | N/A                                    | N/A                                     | N/A
user management admin | N/A                                    | N/A                                     | Lync Online admin

Here are some descriptions of the permissions in the above table:

  • Exchange Online:    Most permissions that you set in Exchange Online apply only to objects in Exchange Online; however, the following roles in Office 365 Enterprise and Office 365 Midsize Business appear in Exchange Online:
    • Company administrator:    The global admin role in Office 365 Enterprise and Office 365 Midsize Business appears in Exchange Online as a security group named TenantAdmins_nnnnn. This security group appears in the list of admin role groups in the Exchange admin center. The display name of this security group is Company Administrator.
      By default, this security group is a member of the Organization Management role group. This means that global admins in Office 365 Enterprise and Office 365 Midsize Business are Exchange Online admins. These users can perform all administrative tasks in the Exchange admin center or by connecting to Exchange Online using Windows PowerShell. The only exception is Multi-Mailbox Search. By default, even Exchange Online admins can't use Multi-Mailbox Search. To use Multi-Mailbox Search, the user must be a member of the Discovery Management role group. For more information, see Add a User to the Discovery Management Role Group.
    • Help Desk administrator:    The password admin role in Office 365 Enterprise and Office 365 Midsize Business appears in Exchange Online as a security group named HelpDeskAdmins_nnnnn. This security group appears in the list of admin role groups in the Exchange admin center. The display name of this security group is Help Desk Administrator. By default, this security group is a member of the View-Only Organization Management role group in Exchange Online. This means that password admins in Office 365 Enterprise and Office 365 Midsize Business can use the Exchange admin center or they can connect to Exchange Online using Windows PowerShell to view all objects and object properties in Exchange Online. However, password admins and Help Desk administrators can't create new objects, delete existing objects, or modify the properties of existing objects.
  • SharePoint Online:    SharePoint Online has its own separate security model and groups, designed specifically to secure sites, lists, and items in SharePoint Online. There is one shared role, however:
    • SharePoint Online administrator:    By default, the person who signed up for Office 365 and became a global admin is going to be your SharePoint Online admin. He or she will be included as the primary site collection admin for the team site that was automatically set up for SharePoint Online.
  • Lync Online:    Has no admin permissions separate from Office 365.

How do permissions work for specific features in Exchange Online, Exchange Online Protection, or Exchange 2013 hybrid deployments?

To find out the permissions required for each feature, see:

Who can assign permissions in the Office 365 services?

Service Who can assign permissions?
Office 365

In Office 365 Enterprise and Office 365 Midsize Business, only global admins can assign an admin role (global, billing, password, service, or user management) to other Office 365 users.

Within partner companies, only those support agents with delegated full admin permissions can assign admin permissions to other Office 365 users within a customer’s account. For more information about delegated administration for Office 365 Enterprise, see Offer delegated administration.

In Office 365 Small Business, only someone with admin permissions can assign admin permissions to other Office 365 users. For more information about administering Office 365 Small Business, see Assigning admin permissions.

Exchange Online

By default, only members of the Organization Management role group can assign permissions to other users in Exchange Online. Members of the Organization Management role group are called Exchange Online administrators, and they can perform all administrative tasks in Exchange Online. To make an existing user an Exchange Online administrator, see Manage Role Group Members.

Exchange has two types of role assignments:

  • A regular role assignment is just what you would expect: it assigns permissions and capabilities to users.
  • A delegating role assignment allows the user to assign that role to others without actually having the permissions and capabilities defined by the role.

Only the Organization Management role group has delegating role assignments for all the available admin roles and end-user roles in the organization.

There is another way for a user who isn't a member of the Organization Management role group to assign permissions. If a user has the Role Management role assigned to them, the user can modify the membership of role groups, and thereby affect the permissions of other users. However, only the Organization Management role group is assigned the Role Management role by default.

Did you know you can monitor the changes made to role groups in your organization, which can help track permission changes you or other Exchange Online administrators make? For more information, see Search the Role Group Changes or Administrator Audit Logs.
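The checks below, added here as an example and not part of the original article, put the last three paragraphs into practice: they list who holds delegating assignments, who holds the Role Management role (the two ways to change other users' permissions), and which role-group changes the admin audit log recorded. They assume an existing remote PowerShell session to Exchange Online; the 30-day window is illustrative.

```powershell
# Added example (not from the original article). Assumes an open remote
# PowerShell session to Exchange Online (see "Connect to Exchange Online Using
# Remote PowerShell"). The 30-day window is illustrative.

# 1. Who can hand out roles? A delegating assignment lets the assignee grant the
#    role to others without holding the role's own capabilities.
Get-ManagementRoleAssignment -Delegating $true |
    Select-Object Name, Role, RoleAssignee, RoleAssigneeType |
    Sort-Object RoleAssignee |
    Format-Table -AutoSize

# 2. Who holds Role Management? Its holders can edit role group membership and
#    so change other users' permissions, even outside Organization Management.
#    -GetEffectiveUsers expands role groups to the individual members; an empty
#    group is reported as "All Group Members", which we drop.
$roleMgmt = Get-ManagementRoleAssignment -Role "Role Management" -GetEffectiveUsers |
    Where-Object { $_.EffectiveUserName -ne "All Group Members" } |
    Select-Object EffectiveUserName, RoleAssignee, AssignmentMethod
$roleMgmt | Format-Table -AutoSize

# Anything outside the built-in Organization Management role group deserves review.
$unexpected = $roleMgmt | Where-Object { $_.RoleAssignee -ne "Organization Management" }
if ($unexpected) {
    Write-Warning "Role Management is assigned outside Organization Management:"
    $unexpected | Format-Table -AutoSize
}

# 3. What changed recently? The admin audit log records role group and role
#    assignment changes whether they were made in the EAC or in PowerShell.
$cmdlets = @(
    "Add-RoleGroupMember", "Remove-RoleGroupMember", "Update-RoleGroupMember",
    "New-RoleGroup", "Remove-RoleGroup",
    "New-ManagementRoleAssignment", "Remove-ManagementRoleAssignment",
    "Set-ManagementRoleAssignment"
)
Search-AdminAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -Cmdlets $cmdlets |
    Select-Object RunDate, Caller, CmdletName, ObjectModified |
    Sort-Object RunDate -Descending |
    Format-Table -AutoSize
```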

SharePoint Online

If you’re a SharePoint Online admin, site collection admin, or a site owner, you can manage user permissions. Global admins in Office 365 Enterprise are automatically SharePoint Online admins.

One of the important things that the SharePoint Online admin (or a global admin) can do is designate more site collection admins for your sites. SharePoint Online admins can grant site collection admin permissions using the Owners command on the Site Collections ribbon. This command is unavailable until you select a specific site collection.

Site collection admins and site owners control permissions on a team site through the Site Settings page; however, there are site settings options that are only available to site collection admins. The site collection admin can add more site collection admins via this page, or add site owners by adding a user to the Owners group.

Site owners are granted rights to manage permissions on a specific site. Because sites, lists, and items in SharePoint Online are subject to permissions inheritance by default, those permissions may be inherited by subsites that users create underneath the site where they are site owners. A site owner cannot see or make changes to permissions or settings that belong at the site collection level. For more information, see Manage administrators for a site collection.
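Because site collection admins are assigned per site collection rather than through a portal role, it is easy to lose track of who holds that right. The audit below, an added example that is not code from the original article, uses the SharePoint Online Management Shell to list every site collection admin in the tenant and flag those not on an expected list. The tenant name "contoso" and the expected-admin list are illustrative.

```powershell
# Added example (not from the original article). Assumes the SharePoint Online
# Management Shell is installed and the signed-in account is a SharePoint Online
# admin. The tenant name and the expected-admin list below are illustrative.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Accounts that are supposed to be site collection admin everywhere.
# Every other site collection admin is reported for review.
$expectedAdmins = @("admin@contoso.example")

$report = foreach ($site in Get-SPOSite -Limit All) {
    # IsSiteAdmin marks site collection admins; this right is held directly,
    # not through a SharePoint group, so group membership reports will miss it.
    $admins = Get-SPOUser -Site $site.Url -Limit All | Where-Object { $_.IsSiteAdmin }
    foreach ($a in $admins) {
        [pscustomobject]@{
            SiteUrl  = $site.Url
            Owner    = $site.Owner          # primary site collection admin
            Admin    = $a.LoginName
            Expected = ($expectedAdmins -contains $a.LoginName)
        }
    }
}

# Unexpected site collection admins first, then the full list for the record.
$report | Where-Object { -not $_.Expected } | Sort-Object SiteUrl | Format-Table -AutoSize
$report | Export-Csv -Path ".\site-collection-admins.csv" -NoTypeInformation

# Revoking the right is a one-liner; it is commented out so the audit stays read-only:
# Set-SPOUser -Site "https://contoso.sharepoint.com/sites/Marketplace" `
#     -LoginName "someone@contoso.example" -IsSiteCollectionAdmin $false
```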

Lync Online

Only global admins in Office 365 Enterprise can assign users the global admin or user management admin role, which gives those users admin permissions in Lync Online.

Where are permissions assigned?

Service Where you assign permissions
Office 365

You assign permissions in the Office 365 portal on the Users and groups page. See detailed instructions in the following Help topics:

Exchange Online

In Exchange Online, you can use the Exchange admin center to assign admin roles or end-user roles to users. You can perform those same tasks by connecting to Exchange Online using Windows PowerShell. However, there are some tasks that can only be done in Windows PowerShell.

To access the Exchange admin center, in the Office 365 portal, click Admin > Exchange.

To connect to Exchange Online using Windows PowerShell, see Connect to Exchange Online Using Remote PowerShell.

Admin roles

To manage admin roles in the Exchange admin center, select Permissions > Admin roles.

Here you can create and delete custom role groups, assign or remove admin roles from role groups, and manage the membership of role groups. For more information, see the following Help topics:

These are the tasks involving admin roles that you can only do in Windows PowerShell:

  • Create custom write scopes:    The write scope defines the administrative boundary of the roles assigned to the role group. In other words, the write scope defines where members of the role group can make changes. For built-in admin roles that allow users to modify objects, the default write scope is the entire organization. However, you can create a custom write scope based on recipient filters, also known as a recipient filter scope, to give users targeted administrative permissions. For more information, see Create a Regular or Exclusive Scope.
  • Create exclusive write scopes:    An exclusive write scope is a type of recipient filter scope that isolates specific mailboxes so they can be managed by designated admins only. For more information, see Create a Regular or Exclusive Scope.

If you make certain customizations to a role group using Windows PowerShell, you'll lose the ability to fully manage the role group using the Exchange admin center. Specifically, you'll have to use Windows PowerShell to add or remove roles from the role group or to modify the write scope of the roles assigned to the role group. Here are the actions that cause this:

  • Assigning an end-user role to a role group
  • Assigning a role to a role group using a different write scope than the other roles
  • Assigning a role to a role group using an exclusive write scope

To add or remove roles from these role groups, you can use the New-ManagementRoleAssignment or Remove-ManagementRoleAssignment cmdlets. To view or change the write scope of the role assignments, use the Get-ManagementRoleAssignment or Set-ManagementRoleAssignment cmdlets.
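The following is an added example, not code from the original article, showing the PowerShell-only tasks just described: a regular recipient filter scope, a role group whose write scope is bounded by it, an exclusive scope that isolates sensitive mailboxes, and the cmdlets you then need to inspect and maintain those assignments. It assumes a remote PowerShell session to Exchange Online and that mailboxes are tagged with CustomAttribute1 ("Sales" or "Exec"); all group, scope and address names are illustrative.

```powershell
# Added example (not from the original article). Assumes an open remote
# PowerShell session to Exchange Online and that mailboxes carry
# CustomAttribute1 = "Sales" (sales staff) or "Exec" (executives).
# Group, scope and e-mail names are illustrative.

# 1. A regular recipient filter scope: limits WHERE role members may write.
New-ManagementScope -Name "Sales Recipients" `
    -RecipientRestrictionFilter "CustomAttribute1 -eq 'Sales'"

# 2. A role group whose Mail Recipients role is bounded by that scope.
#    Members can modify Sales mailboxes only. The role's read scope is still
#    the whole organization, so they can view everything but change nothing else.
New-RoleGroup -Name "Sales Mailbox Admins" -Roles "Mail Recipients" `
    -CustomRecipientWriteScope "Sales Recipients" `
    -Members "alice@contoso.example"

# 3. An exclusive scope: once it exists, only assignments that use it can modify
#    the matching recipients, even for admins whose write scope is the whole
#    organization. This is how you isolate executive mailboxes.
New-ManagementScope -Name "Executive Recipients" -Exclusive `
    -RecipientRestrictionFilter "CustomAttribute1 -eq 'Exec'"
New-ManagementRoleAssignment -Name "Mail Recipients - Executive Mailbox Admins" `
    -Role "Mail Recipients" -SecurityGroup "Executive Mailbox Admins" `
    -ExclusiveRecipientWriteScope "Executive Recipients"

# 4. Verify: which assignments can actually write to a given mailbox?
#    For an executive mailbox only the exclusive-scope assignment should appear.
Get-ManagementRoleAssignment -WritableRecipient "ceo@contoso.example" -Role "Mail Recipients" |
    Select-Object Name, RoleAssignee, RecipientWriteScope, CustomRecipientWriteScope |
    Format-Table -AutoSize

# 5. A role group customised this way can no longer be fully managed in the EAC.
#    Its assignments are listed and changed with the *-ManagementRoleAssignment cmdlets:
Get-ManagementRoleAssignment -RoleAssignee "Sales Mailbox Admins" |
    Select-Object Name, Role, RecipientWriteScope, CustomRecipientWriteScope
# e.g. to point the assignment at a different (already created) scope:
# Set-ManagementRoleAssignment -Identity "Mail Recipients-Sales Mailbox Admins" `
#     -CustomRecipientWriteScope "Sales and Marketing Recipients"
```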

End user roles

To manage end-user roles in the Exchange admin center, select Permissions > User roles.

Here you can create, modify, and delete role assignment policies, and assign and remove end-user roles from role assignment policies. For more information, see Manage Role Assignment Policies.

By default, an Exchange Online organization has one role assignment policy, and that role assignment policy is automatically designated as the default policy that's applied to all mailboxes you create. Although you can create role assignment policies in the Exchange Control Panel, you specify the default role assignment policy using Windows PowerShell. For more information, see Manage Role Assignment Policies.

You can change the role assignment policy that's applied to an existing mailbox in the Mailbox Settings section in the properties of the mailbox in the Exchange admin center. For more information, see Change the Assignment Policy on a Mailbox.
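As an added example (not from the original article), the script below walks through the end-user role tasks above: it shows which policy is the default, creates a more restrictive policy from the default's role list, makes it the default (the PowerShell-only step), and then re-points existing mailboxes, which keep their old policy until changed explicitly. It assumes a remote PowerShell session to Exchange Online; the policy name is illustrative.

```powershell
# Added example (not from the original article). Assumes an open remote
# PowerShell session to Exchange Online. The new policy name is illustrative.

# 1. Which policy is the default? New mailboxes receive it automatically.
Get-RoleAssignmentPolicy | Select-Object Name, IsDefault, AssignedRoles | Format-List

# 2. Build a tighter policy from the default's roles, dropping the end-user
#    roles that let people create or join distribution groups on their own
#    (MyDistributionGroups and MyDistributionGroupMembership).
$default = Get-RoleAssignmentPolicy | Where-Object { $_.IsDefault }
$keep = $default.AssignedRoles | Where-Object { $_.Name -notlike "MyDistributionGroup*" }
New-RoleAssignmentPolicy -Name "Restricted Users" -Roles $keep

# 3. Designating the default policy can only be done in PowerShell.
Set-RoleAssignmentPolicy -Identity "Restricted Users" -IsDefault

# 4. Existing mailboxes are NOT moved automatically; find the ones still on the
#    old default and re-point them.
$old = $default.Name
$stale = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.RoleAssignmentPolicy -eq $old }
$stale | Set-Mailbox -RoleAssignmentPolicy "Restricted Users"

# 5. Verify: nothing should remain on the old policy.
$remaining = Get-Mailbox -ResultSize Unlimited | Where-Object { $_.RoleAssignmentPolicy -eq $old }
if ($remaining) { Write-Warning "$(@($remaining).Count) mailbox(es) still use '$old'." }
```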

SharePoint Online

Office 365 also uses admin roles that do not impact user access or security in SharePoint Online, including:

  • Billing admin
  • Password admin
  • Service admin
  • User management admin

In the SharePoint admin center, SharePoint Online admins can grant site collection admin permissions using the Owners command on the Site Collections ribbon. This command is grayed out until you select a specific site collection.

Security trimming is a feature of the SharePoint Online user interface. Security trimming means that users see only those commands that they have permission to use. For example, because Site collection admins have full control permissions for a site collection, they are able to see links like People and groups, Site Permissions, and Site collection administrators on the Site Settings page for a site collection. Site collection admins can use the Site collection admins link to add (or remove) users as back-up site collection admins. Site collection admins can use the People and Groups links and the Site permissions links to manage how users are assigned to SharePoint groups, or to create new groups. For more information see Introduction: Control user access with permissions.

It is important to understand how permissions inheritance works on SharePoint sites. Permissions inheritance means that the permission settings for a site collection are passed on to subsites within that site collection. Similarly, lists and libraries inherit their permissions from the sites where they are located. If you need to assign unique permissions to a site, list, or library because it needs to have different permissions from those it inherits (for example, it might need to be restricted to a small set of users), you will need to break permissions. For more information about how this works, see What is permissions inheritance? and Edit permissions for a list, library, or individual item.

Lync Online

Lync Online admin permissions are assigned from the Office 365 portal; they are not assigned from within Lync Online.

What can I do when I have certain permissions or roles assigned to me?

Service What the roles allow you to do
Office 365

For a description of the permissions associated with each admin role:

Exchange Online

For examples of when and how to use permissions in specific scenarios, see the following Help topics:

SharePoint Online

A site owner has permissions within a specific site; a site collection admin has permissions to the site collection and all subsites created underneath it; and the SharePoint Online admin has permissions over all site collections. However, the majority of users will not be admins of any kind; they will be added to SharePoint Online groups. It’s important to understand how groups work in SharePoint Online. Each group is associated with a permission level. These permission levels are made up of individual permissions. For example, people in the Members group have the Edit permission level by default, which means they can do everything in the Read permission level, plus the following:

  • View, add, update and delete items
  • Add, edit, and delete lists
  • Delete versions
  • Browse directories
  • Edit personal user information
  • Manage personal views
  • Add, update, or remove personal Web Parts

For more information about SharePoint Online groups, see:

Lync Online

Users who have the Office 365 Enterprise global admin or user management admin role assigned to them can perform all admin tasks in Lync Online, including setting Lync federation, enabling or disabling public IM connectivity, and changing Lync Online user settings.

How do permissions work in Windows PowerShell?

Service Windows PowerShell permissions
Office 365

When users connect to Office 365 Enterprise using Windows PowerShell, they have access only to the cmdlets and parameters that are defined by the admin role that is assigned to them. A role-based access control (RBAC) role is basically a list of cmdlets and parameters that define the capabilities of the role. If users attempt to run a cmdlet or a parameter on a cmdlet that isn't available to them, they'll receive an error as if the cmdlet or parameter doesn't exist. For more information about using Windows PowerShell with Office 365 Enterprise, see Manage Microsoft Azure Active Directory by using Windows PowerShell.

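The five portal admin roles are the ones whose members you most want to review, since global admins in particular become admins of every service. The script below is an added example, not code from the original article, that lists the members of each role with the Windows Azure Active Directory Module for Windows PowerShell. The directory role names it uses are those reported by Get-MsolRole; their mapping to the portal role names is an assumption stated in the code.

```powershell
# Added example (not from the original article). Assumes the Windows Azure
# Active Directory Module for Windows PowerShell (MSOnline) is installed and
# the caller holds the global admin role. The portal-name -> directory-role-name
# mapping below is an assumption, not taken from the article.
Import-Module MSOnline
Connect-MsolService   # prompts for credentials

$portalRoles = [ordered]@{
    "Global admin"          = "Company Administrator"       # appears in Exchange Online as TenantAdmins_nnnnn
    "Billing admin"         = "Billing Administrator"
    "Password admin"        = "Helpdesk Administrator"      # appears in Exchange Online as HelpDeskAdmins_nnnnn
    "Service admin"         = "Service Support Administrator"
    "User management admin" = "User Account Administrator"
}

$report = foreach ($entry in $portalRoles.GetEnumerator()) {
    $role = Get-MsolRole -RoleName $entry.Value
    foreach ($m in Get-MsolRoleMember -RoleObjectId $role.ObjectId) {
        [pscustomobject]@{
            PortalRole = $entry.Key
            Member     = $m.EmailAddress
            MemberType = $m.RoleMemberType   # User or ServicePrincipal
        }
    }
}
$report | Sort-Object PortalRole, Member | Format-Table -AutoSize

# Global admins are also Exchange Online, SharePoint Online and Lync Online admins,
# so a long list here is a long list of cross-service administrators.
$global = @($report | Where-Object { $_.PortalRole -eq "Global admin" })
if ($global.Count -gt 4) { Write-Warning "$($global.Count) global admins found; review this list first." }
```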
Exchange Online

In Exchange Online, the permissions work the same way in Windows PowerShell as they do in the Exchange admin center. Although there are some administrative tasks that can only be performed in Windows PowerShell, such as creating dynamic distribution groups, Windows PowerShell itself doesn't give users more permissions or capabilities than they would otherwise have. The Windows PowerShell experience is still controlled by role-based access control (RBAC) roles.

An RBAC role is basically a list of cmdlets and parameters that define the capabilities of the role. When a user connects to Exchange Online using Windows PowerShell, the user only has access to the cmdlets and parameters that are defined by the roles that are assigned to them. If the user attempts to run a cmdlet or a parameter on a cmdlet that isn't available to them, they'll receive an error as if the cmdlet or parameter doesn't exist.

For information about connecting to Exchange Online using Windows PowerShell, see Connect to Exchange Online Using Remote PowerShell.

Other thoughts:

  • Because Exchange Online is built on Windows PowerShell, the roles assigned to the user also affect what they see in the Exchange admin center. Graphical elements such as buttons, tabs, and sections on a page may appear when you assign roles to a user, and may disappear when you remove roles from a user. Also, objects that are dimmed typically indicate the user is allowed to view, but not modify the objects.
  • When you change the roles assigned to an existing user, the user will likely have to log off and log on before he or she can see the changes.
SharePoint Online

SharePoint Online admins can use the SharePoint Online Management Shell to perform tasks like managing users in bulk. For more information about getting started, see Introduction to the SharePoint Online Management Shell.

Lync Online

As in Office 365, users have access only to the cmdlets and parameters that are defined by the admin role that is assigned to them.

Does Active Directory play a part in determining permissions?

Service Active Directory and permissions
Office 365

Active Directory does not play a part in determining permissions; it is simply a repository for user accounts. In other words, it’s a directory store of all users, passwords, and objects. In Office 365 Enterprise, you can synchronize data from your local Active Directory to Office 365 using the Microsoft Azure Active Directory Sync Tool. For more information about Active Directory sync in Office 365 Enterprise, see Directory synchronization roadmap.

When you install the Directory Synchronization tool, the Microsoft Azure Active Directory Sync Configuration Wizard creates a service account to read from your local Active Directory and write to the Office 365 Enterprise synchronization database. The wizard creates this account using both your local Active Directory permissions and your Office 365 permissions, which you provide as part of setup. To run the Directory Sync tool, you must have Administrator permissions for the computer running the Directory Sync tool, and you must provide the credentials for an account with Enterprise Administrator permissions on your company's local Active Directory service. This account must have Enterprise Administrator permissions in the Active Directory forest to which the computer running the Directory Sync Tool is joined. For more information about credentials, see Active Directory credentials.

Exchange Online: Active Directory doesn’t play a part in determining permissions; it is simply a repository for user accounts.
SharePoint Online: Active Directory doesn’t play a part in determining permissions; it is simply a repository for user accounts.
Lync Online: Active Directory doesn’t play a part in determining permissions; it is simply a repository for user accounts.

How does “permission inheritance” work in SharePoint Online, and when do I need to break inheritance?

Service Permission inheritance and when to break it
Office 365: Not applicable.
Exchange Online: Not applicable.
SharePoint Online

By default, permissions inheritance flows down to all objects (sites, lists and libraries, and items) from the site collection level. When you create a root site collection (for example, https://fabrikam.sharepoint.com), it’s assigned a default set of permissions, permission levels, and groups. Permissions are grouped into a permission level, such as Full Control, which uses all of the available permissions. This permission level is assigned to a SharePoint Online group (such as Owners). Thus, when you add users into these groups, they have only certain permissions (for example, visitors can’t delete or edit items, but members can).

These groups automatically inherit down to every object in the site collection. This means that when you create https://fabrikam03.sharepoint.com/budget as your root site collection and you do NOT select the “Use same permissions as parent site” option, the same groups of users are NOT automatically copied there. If you break permissions inheritance by doing this, you’ll get a fresh, blank copy of the default groups and permission levels in the new site. If you’re in a list, and you want to break inheritance on an item, you’ll be able to click the drop-down menu for the item and then select Manage Permissions in the menu. For more information, see What is permissions inheritance? and Edit permissions for a list, library, or individual item.

Lync Online: Not applicable.

If I migrate mailboxes from Exchange to Exchange Online, will mailbox permissions be migrated over?

Service Migration of mailbox permissions?
Office 365: Not applicable.
Exchange Online

In a cutover or staged Exchange migration, the mailbox contents, folder permissions, and delegate permissions of the on-premises mailbox are migrated to a new cloud-based mailbox. However, Send As or full mailbox access permissions aren't migrated. For more information about email migration, see Mailbox migration to Exchange Online.

In a hybrid deployment, a move request that moves the on-premises mailbox to the cloud copies the delegate and folder permissions of the mailbox. However, the migrated permissions only work if the target mailbox and the trustee are both in the cloud, because Outlook Web App (OWA) and Microsoft Outlook can't access folders in cross-premises mailboxes. Also, Send As and full mailbox access permissions aren't copied from the on-premises mailbox to the cloud mailbox. For more information about hybrid deployments and mailbox moves, see Permissions in Exchange 2013 Hybrid Deployments.

So, after an Exchange migration or after a mailbox move in a hybrid deployment, an Exchange Online administrator will need to verify and re-create Send As and full mailbox access permissions manually on the cloud-based mailbox. For more information, see Manage Permissions for Recipients.
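The script below is an added example (not code from the original article) of the verify-and-re-create step: before the move it records the explicit Full Access and Send As grants on the on-premises mailboxes, and after the move it re-creates in Exchange Online only the grants that are still missing. Step 1 runs in the on-premises Exchange Management Shell, step 2 in a remote PowerShell session to Exchange Online; the CSV path is illustrative, and trustees are matched to cloud recipients by alias, which is an assumption about the migration.

```powershell
# Added example (not from the original article). Step 1 runs on-premises in the
# Exchange Management Shell before migration; step 2 runs in a remote PowerShell
# session to Exchange Online afterwards. The CSV path is illustrative.

# --- Step 1 (on-premises): record explicit Full Access and Send As grants.
$perms = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $smtp = $mbx.PrimarySmtpAddress.ToString()
    # Full Access is an ACE on the mailbox; skip inherited, SELF and deny entries.
    Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object { $_.AccessRights -contains "FullAccess" -and -not $_.IsInherited -and
                       -not $_.Deny -and $_.User.ToString() -notlike "NT AUTHORITY\*" } |
        ForEach-Object { [pscustomobject]@{ Mailbox = $smtp; Trustee = $_.User.ToString(); Right = "FullAccess" } }
    # Send As on-premises is an Active Directory extended right on the user object,
    # which is exactly why it does not travel with the mailbox.
    Get-ADPermission -Identity $mbx.DistinguishedName |
        Where-Object { ($_.ExtendedRights -like "*Send-As*") -and -not $_.IsInherited -and
                       -not $_.Deny -and $_.User.ToString() -notlike "NT AUTHORITY\*" } |
        ForEach-Object { [pscustomobject]@{ Mailbox = $smtp; Trustee = $_.User.ToString(); Right = "SendAs" } }
}
$perms | Export-Csv -Path "C:\migration\mailbox-perms.csv" -NoTypeInformation

# --- Step 2 (Exchange Online): verify each recorded grant and re-create it if missing.
# On-premises trustees are recorded as DOMAIN\sAMAccountName; we resolve them to
# cloud recipients by alias (assumption). Unresolved trustees are reported, not guessed.
foreach ($p in Import-Csv -Path "C:\migration\mailbox-perms.csv") {
    $alias   = $p.Trustee.Split("\")[-1]
    $trustee = Get-Recipient -Identity $alias -ErrorAction SilentlyContinue
    if (-not $trustee) { Write-Warning "No cloud recipient for $($p.Trustee) (mailbox $($p.Mailbox))"; continue }
    $t = $trustee.PrimarySmtpAddress.ToString()

    switch ($p.Right) {
        "FullAccess" {
            $have = Get-MailboxPermission -Identity $p.Mailbox -User $t -ErrorAction SilentlyContinue
            if (-not ($have.AccessRights -contains "FullAccess")) {
                Add-MailboxPermission -Identity $p.Mailbox -User $t -AccessRights FullAccess `
                    -InheritanceType All -AutoMapping $true
            }
        }
        "SendAs" {
            # In Exchange Online, Send As is managed with the *-RecipientPermission cmdlets.
            $have = Get-RecipientPermission -Identity $p.Mailbox -Trustee $t -AccessRights SendAs
            if (-not $have) {
                Add-RecipientPermission -Identity $p.Mailbox -Trustee $t -AccessRights SendAs -Confirm:$false
            }
        }
    }
}
```

Keep the exported CSV: it is also the record an auditor will ask for when checking that no grant appeared in the cloud that did not exist on-premises.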

SharePoint Online: Not applicable.
Lync Online: Not applicable.
Applies to:
Office 365 Enterprise admin, Office 365 Midsize Business admin, Office 365 Small Business admin