Microsoft Entra ID · M365 Workloads & Services
Teams Administrator
Can manage the Microsoft Teams service including meetings, calling, messaging policies, and Teams-certified devices.
Scope: Full Microsoft Teams and Skype for Business Online administration
Permissions
- Full Teams administration
- Create Microsoft 365 groups
- Delete Microsoft 365 groups
- Update M365 group members
- Update M365 group owners
- Restore deleted M365 groups
- Update M365 group properties
- Read hidden group members
- Create cross-tenant access for Teams
- Update cross-cloud meeting settings
- Manage external user profiles for Teams
- Manage pending external profiles
- Read permission grant policies
- Read network performance
- Manage Skype for Business
- Read usage reports
- Manage all Teams policies (messaging, meeting, calling, app, etc.)
- Configure Teams phone system and calling plans
- Manage Teams-certified devices
Common use cases
- Teams deployment and management
- Meeting policy configuration for organization
- Calling policy and phone system administration
- Teams app governance and permissions
- Teams device management (phones, displays, rooms)
- Cross-tenant meeting federation settings
- Messaging policy and compliance configuration
- Live events and webinar management
- Teams channel and team governance
- Guest access configuration for Teams
- Teams analytics and reporting review
- Shift management and frontline worker configuration
Best practices
- Use Teams RBAC for granular delegation
- Create separate roles for calling vs. meeting management
- Coordinate with SharePoint Admin for storage policies
- Test policies with pilot groups before broad deployment
- Document all Teams configuration changes
- Use sensitivity labels for team classification
- Configure guest access policies carefully
- Monitor Teams usage and adoption metrics
- Set up alerts for policy changes
- Use Teams templates for consistent team creation
- Configure external access federation appropriately
- Review Teams app permissions and governance
- Implement retention policies for compliance
- Consider PIM for just-in-time access
Security considerations
- Can configure external federation affecting data sharing
- Can manage guest access policies
- Can modify app permission policies
- Can access call and meeting recordings settings
- Can configure cross-tenant meeting access
- Microsoft 365 group management affects SharePoint access
- Review external sharing settings regularly
- Monitor for overly permissive guest policies
- Alert on external access configuration changes
- Consider separation from compliance policy roles
Common questions
When should I assign the Teams Administrator role?
Assign Teams Administrator when you need to: Teams deployment and management; Meeting policy configuration for organization; Calling policy and phone system administration; Teams app governance and permissions; and Teams device management (phones, displays, rooms). It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Teams Administrator role do?
The Teams Administrator role grants permissions including: Full Teams administration; Create Microsoft 365 groups; Delete Microsoft 365 groups; Update M365 group members; Update M365 group owners; and Restore deleted M365 groups. See the Permissions section above for the full list.
What are the security risks of the Teams Administrator role?
Key considerations when assigning Teams Administrator: Can configure external federation affecting data sharing; Can manage guest access policies; Can modify app permission policies; and Can access call and meeting recordings settings. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.