SharePoint Online has two distinct permission layers: tenant-level admin roles assigned in the Microsoft 365 admin center, and site-level roles assigned per site collection. Mixing up which role grants what access is one of the most common support questions SharePoint administrators face. This reference covers every role from Global Administrator down to Visitor, with a capability matrix for each.
Tenant-Level Admin Roles
These roles are assigned in the Microsoft 365 admin center or via Azure Active Directory. They control what an administrator can do across the entire tenant, not just on individual sites.
| Role | Assigned In | Scope | Notes |
|---|---|---|---|
| Global Administrator | Microsoft 365 admin center / Azure AD | All Microsoft 365 services | Full access to all admin centers including SharePoint. Can do everything a SharePoint admin can. Should be limited to 2-4 accounts per tenant for security. |
| SharePoint Administrator | Microsoft 365 admin center / Azure AD | SharePoint and OneDrive tenant settings | Access to the SharePoint admin center. Can create and delete site collections, manage tenant sharing policies, manage hub sites, and access any site collection by adding themselves as a site collection admin. |
| Global Reader | Microsoft 365 admin center / Azure AD | All Microsoft 365 admin centers (read-only) | Can view all SharePoint admin center settings but cannot make changes. Useful for compliance reviewers and auditors who need to inspect configuration without changing it. |
| Teams Administrator | Microsoft 365 admin center / Azure AD | Microsoft Teams (and connected SharePoint sites) | Can manage Teams and the SharePoint sites connected to them. Does not have standalone SharePoint admin center access unless also assigned the SharePoint Administrator role. |
| Compliance Administrator | Microsoft 365 admin center / Azure AD | Microsoft Purview compliance portal | Can set and view retention policies, sensitivity labels, and eDiscovery holds on SharePoint content. Does not have access to the SharePoint admin center or individual site settings. |
SharePoint Admin Center Capabilities by Role
The following table shows which tenant-level tasks each role can perform in the SharePoint admin center.
| Task | Global Admin | SharePoint Admin | Global Reader |
|---|---|---|---|
| Create new site collections | Yes | Yes | No |
| Delete site collections | Yes | Yes | No |
| View active sites list | Yes | Yes | Yes |
| Set tenant-wide sharing policies | Yes | Yes | No |
| Manage hub sites | Yes | Yes | No |
| Set storage quotas per site | Yes | Yes | No |
| Add or remove site collection admins | Yes | Yes | No |
| Access tenant-level deleted sites | Yes | Yes | No |
| View sharing and usage reports | Yes | Yes | Yes |
| Manage the content type hub | Yes | Yes | No |
| Configure Information Barriers | Yes | Yes | No |
Site-Level Roles
These roles are assigned per site collection. They control what a user can do within a specific site, not across the tenant. A user can hold different roles on different sites simultaneously.
| Role | Default Permission Level | Scope | Notes |
|---|---|---|---|
| Site Collection Administrator | Full Control (elevated) | Entire site collection | Assigned by a SharePoint or Global admin. Has access to the second-stage Recycle Bin, site usage reports, and all content regardless of unique permissions. Does not propagate automatically to subsites created after assignment, but effectively has full control over all existing content. |
| Site Owner | Full Control | The specific site | Assigned by adding a user to the site's Owners group. Can manage site settings, add users to groups, and create subsites. Cannot access the second-stage Recycle Bin unless also a site collection admin. |
| Site Member | Edit (Contribute on classic sites) | The specific site | Assigned by adding a user to the site's Members group. Can add, edit, and delete content. Cannot manage site settings or user permissions. Appropriate for most users actively working with content. |
| Site Visitor | Read | The specific site | Assigned by adding a user to the site's Visitors group. Read-only access to all non-restricted content. Cannot create, edit, or delete content. |
Site-Level Capability Matrix
The following table shows what each site-level role can do within a site collection. Conditional entries (such as "Own items only" or "If allowed by site settings") indicate access that depends on item ownership or on the site's configuration rather than on the role alone.
| Capability | Site Collection Admin | Site Owner | Site Member | Site Visitor |
|---|---|---|---|---|
| View and download content | Yes | Yes | Yes | Yes |
| Create and upload files | Yes | Yes | Yes | No |
| Edit and delete files | Yes | Yes | Yes | No |
| Restore from first-stage Recycle Bin | Yes | Yes | Own items only | No |
| Access second-stage Recycle Bin | Yes | No | No | No |
| Share files externally (if tenant allows) | Yes | Yes | If allowed by site settings | No |
| Manage site settings | Yes | Yes | No | No |
| Add or remove users from site groups | Yes | Yes | No | No |
| Create and manage lists and libraries | Yes | Yes | No | No |
| Break or restore permission inheritance on items | Yes | Yes | No | No |
| View site usage analytics | Yes | Yes | No | No |
| Publish pages to the site | Yes | Yes | If allowed by site policy | No |
| Apply retention labels to content | Yes | Yes | Yes | No |
SharePoint Permission Levels
Permission levels are the building blocks of site-level access. Each site group (Owners, Members, Visitors) is mapped to a permission level by default. Administrators can create custom permission levels or change the mappings.
| Permission Level | Default Group | Included Rights |
|---|---|---|
| Full Control | Owners | All permissions, including managing other users' permissions and all site settings. |
| Edit | Members (modern sites) | Add, edit, and delete lists; add, edit, and delete list items and documents. Cannot manage permissions. |
| Contribute | Members (classic sites) | Add, edit, and delete items and documents. Cannot create or delete lists or libraries themselves. |
| Read | Visitors | View pages and items; open and download documents. Cannot create or modify content. |
| View Only | None by default (custom use) | View pages and items without the ability to download documents. Used for sensitive libraries where documents should open in the browser only. |
| Design | None by default (custom use) | All Contribute rights plus the ability to apply themes, borders, and style sheets. Rarely used in modern SharePoint. |
| Limited Access | Auto-assigned by SharePoint | Automatically granted when a user has access to an item within a library but not the library itself. Cannot be assigned directly; SharePoint sets it automatically when breaking inheritance below the library level. |
OneDrive Roles and Their Relationship to SharePoint
Each user's OneDrive is a SharePoint site collection with the account holder as the sole site collection administrator by default.
- The OneDrive owner is the site collection admin of their own OneDrive.
- SharePoint admins and Global admins can add themselves as site collection administrators to any user's OneDrive via the SharePoint admin center.
- When a user leaves the organisation, their OneDrive is retained for 30 days by default (configurable up to 180 days) before deletion. During this period, the designated secondary admin or manager can access the content.
- External sharing from OneDrive is governed by the same tenant sharing policy as SharePoint Online.
Role Assignment Best Practices
- Keep the number of Global Administrators to a minimum (2-4 accounts) and use dedicated admin accounts separate from day-to-day user accounts.
- Assign the SharePoint Administrator role to IT staff who need to manage SharePoint without needing access to the full Microsoft 365 admin center.
- Use Microsoft 365 groups or Azure AD groups as site members rather than individual user accounts. Group-based access makes offboarding and access reviews straightforward.
- Keep site collection administrator lists small. Most sites need 1-2 designated admins, not a long list of past project members.
- Run a quarterly permissions audit to catch stale access and external users who should no longer have access.
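As an added example (not code from the original reference), the following SharePoint Online Management Shell script implements the quarterly audit from the list above together with a permission-level review from the earlier section: it lists site collection admins per site, flags sites with more than two, reports any site group other than Owners that is mapped to Full Control, and pages through external users. The tenant name contoso and the output file names are assumptions.

```powershell
# Added example, not part of the original reference: a quarterly permissions
# audit with the SharePoint Online Management Shell (Microsoft.Online.SharePoint.PowerShell).
# Assumes the module is installed and the caller holds the SharePoint Administrator
# or Global Administrator role; "contoso" is a placeholder tenant name.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

$maxAdmins = 2                 # recommended size of the site collection admin list
$report    = @()

foreach ($site in (Get-SPOSite -Limit All)) {
    # Site collection admins are flagged by IsSiteAdmin on the site's user list.
    $admins = @(Get-SPOUser -Site $site.Url -Limit All | Where-Object { $_.IsSiteAdmin })

    # Any site group mapped to Full Control other than the default Owners group
    # is a custom mapping worth reviewing (see the permission levels table).
    $fullControlGroups = @(Get-SPOSiteGroup -Site $site.Url |
        Where-Object { $_.Roles -contains "Full Control" -and $_.Title -notlike "*Owners" })

    $report += [PSCustomObject]@{
        Url              = $site.Url
        AdminCount       = $admins.Count
        Admins           = ($admins.LoginName -join "; ")
        TooManyAdmins    = ($admins.Count -gt $maxAdmins)
        ExtraFullControl = ($fullControlGroups.Title -join "; ")
    }
}

# External (guest) accounts, paged 50 at a time, for the stale-access review.
$position  = 0
$externals = @()
do {
    $page = @(Get-SPOExternalUser -Position $position -PageSize 50)
    $externals += $page
    $position  += $page.Count
} while ($page.Count -eq 50)

# Sites that need attention: oversized admin lists or non-Owners Full Control groups
$report | Where-Object { $_.TooManyAdmins -or $_.ExtraFullControl } |
    Format-Table Url, AdminCount, Admins, ExtraFullControl -AutoSize
$externals | Select-Object DisplayName, Email, WhenCreated, InvitedBy | Format-Table -AutoSize

# Keep the full results for the access review record (file names are assumptions)
$report    | Export-Csv -Path ".\sharepoint-permissions-audit.csv" -NoTypeInformation
$externals | Export-Csv -Path ".\sharepoint-external-users.csv" -NoTypeInformation
```

Get-SPOSite without -IncludePersonalSite skips OneDrive sites, so this run covers team and communication sites only; OneDrive access is handled by the offboarding retention policy described above.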