Assigning Staff Security Roles in Microsoft 365 | Mytech

Assigning Staff Security Roles in Microsoft 365 | Mytech

July 7, 2020

Microsoft 365 includes a host of security settings, levels, and features. Global Admins, Power Users, Team Owners, Team Members – each member is different, and has a different level of control over your systems and your info. How do you determine those levels, and instill a sense of responsibility in each team member?

This session will break down a user’s membership in different teams and groups across Microsoft 365, and how it informs everything from Teams to SharePoint to client-facing Forms and more. Learn how to effectively manage your team members' permissions and privileges, and how to set expectations while preserving efficiency.

Why should I have Security Roles?

Depending on the size of your organization, you might be wondering whether this process is really that important. After all, if you have other ways to limit and track your team members’ usage, assigning them specific usage roles in Microsoft 365 might feel redundant. But it’s about more than actual security: like so many other business functions, managing how your team members interact with Microsoft 365 is a matter of intentionality.

By assigning the right roles and permissions within your Microsoft 365 structure, you’re essentially delegating the day-to-day management to those users who directly interact with each group – whether it’s a site, team, or channel. This reduces micromanaging and overcommunication: after all, your VP of Sales doesn’t need to know the minutiae of how her team is collaborating; she just needs to know how things are going. Delegating someone else to create & manage a Microsoft Teams channel helps her to focus on her more immediate concerns.

It’s also a simple way to protect your data and your organization. By setting clear parameters around who’s allowed to do what, you can avoid the loss of important data or communications. And if team members only have access for the settings they’re trained to use, you can ensure accountability at every level of the organization.

Security Role types

Global Admins

Global Admins, or “sysadmins,” are the ones in charge of everything. They have complete access to your administrative functions, can get in anywhere, and have dedicated tools to accomplish the work they need to do. Depending on your setup, this role might be filled by your IT director/manager, your support team at Mytech, or even the owner at a small, tech-savvy organization.

Power Users

Power Users aren’t the ones in complete control, but they understand your organization’s business strategy and the risks that it’s facing. They’re members of your team designated to drive adoption of a tool or process, and a critical part of keeping your team up to date.

They don’t have to be on your IT team, or even have extensive technical knowledge – they just need to understand your organization’s structure and its needs in relation to whatever tool they’re using. By making this Power User the “go-to” person for a given tool, you can foster accountability and institutional knowledge as your team begins to adopt it more fully.

Unlike other roles, you can’t designate someone as a Power User by default in the Microsoft 365 system. It takes a bit of setup and tweaking from the global admin. But once they are configured, they’re able to perform many higher-level functions, such as creating entire Groups. This can be handy if the Global Admin is busy, and you need to set up a new team quickly – you still want a knowledgeable team member to do it, and that’s why the Power Users are given their permissions and trained on how to use them.


By comparison, Owners have a lot less control. They aren’t creating new Groups, but they can be designated by the higher security roles to “own” a certain Group. That means being able to add or approve members, as well as invite guests in.

You might wonder why Owners can’t create their own structures or new teams, but ultimately this isn’t a responsibility you want the majority of team members to have. Imagine five different team members taking initiative to create a new Group for Product A Development: you might wind up with five similar groups, with data or files in multiple different locations. By controlling who creates the groups, you can maintain intentionality in your process and keep things consistent.

Users & Guests

Finally, you have your standard users (and guest users, if you choose to support that functionality). This role will likely make up the bulk of your team, and comes with all the standard permissions, which you can slightly tweak depending on how you’ve chosen to set up your team. Standard users can join public groups, and request to join private ones, and can interact with any team they’re on.


These everyday interactions and rules make up the bulk of your team’s Microsoft 365 experience, but it’s easy to overlook how they all add up. How important is it, really, to let anybody create these structures? And for some organizations, security roles won’t ever be a point of confusion, or a source of disrupted/duplicated work.

Sure, you can do some of this on the fly. But when it comes to your organization’s security and productivity, why take chances? By implementing some ground rules upon which everything else is based, you can ensure that things will be where you need them, when you need them, accessible to whoever needs them, and nowhere else. That’s intentionality, and it’s crucial to making sure your IT strategy is a benefit – not a detriment – to the important work your organization does.

Has this article sparked any questions or concerns for you? Maybe we’ve got you thinking a bit more about your approach to security roles and your overall structure. Or maybe you just want to bounce some ideas off of us. It’s our goal to Make IT Easy, so we’d love to hear your thoughts. Use the form below to let us know what you thought of this article and webinar, or let us know what you’d like to see in future pieces!

Share this post