Roles
Administrators for the NHSmail platform will be assigned a role. This role determines permissions when performing activities on the platform. Below outlines the different roles in the NHSmail platform and the matrix highlights the permission assigned to these roles:
All enhanced roles and privileged accounts have Multi Factor Authentication (MFA) enforced. These accounts are added to the MFA Conditional Access Standard policy which enables MFA.
All enhanced roles and privileged accounts should be enrolled with the Authenticator Application as the primary authentication method for Multi Factor Authentication (MFA).
- Local Primary Admin
- Local Admin
- Global Admin
- Tenant Admin
- Local Helpdesk
- Global Helpdesk
- Connectors
- Authorisations
- Audit
- O365 Licence Admin
- Local Report Admin
- O365 Local Report Admin
- Global Report Admin
User Account and Contact Permissions
It is advised that Local Admin accounts do not need Local Report Admin role, this role is given to Local Admin role as a default. If you do provide both a Local Admin and Local Report Admin roles, this may cause some loss to admin access. You should only provide Local Report Admin role to standard users.
| Roles | Permissions | |||||||||
| Create User | Read User | Update User | Delete User | Restore User | Create Contact | Read Contact | Update Contact | Delete Contact | Licence Assignment | |
| Local Primary Admin |  |
|
|
 |
|
|
|
|
|
|
| Local Admin | |
|
|
|
|
|
|
|
|
|
| Local Helpdesk | |
|
|
|
|
|
|
|
|
|
| Global Admin | |
|
|
|
|
|
|
|
|
|
| Global Helpdesk | |
|
|
|
|
|
|
|
|
|
| Tenant Admin | |
|
|
|
|
|
|
|
|
|
| Audit | |
|
|
|
|
|
|
|
|
|
| Authorisations | |
|
|
|
|
|
|
|
|
|
| Connector | |
|
|
|
|
|
|
|
|
|
| O365 Licence Admin | |
|
|
|
|
|
|
|
|
|
| Local Report Admin | |
|
|
|
|
|
|
|
|
|
| Global Report Admin | |
|
|
|
|
|
|
|
|
|
Shared Mailbox and Distribution List Permissions
| Roles | Permissions | ||||||||
| Create Shared Mailbox | Read Shared Mailbox | Update Shared Mailbox | Delete Shared Mailbox | Restore Shared Mailbox | Create Distribution List | Read Distribution List | Update Distribution List | Delete Distribution List | |
| Local Primary Admin | |
|
|
|
|
|
|
|
|
| Local Admin | |
|
|
|
|
|
|
|
|
| Local Helpdesk | |
|
|
|
|
|
|
|
|
| Global Admin | |
|
|
|
|
|
|
|
|
| Global Helpdesk | |
|
|
|
|
|
|
|
|
| Tenant Admin | |
|
|
|
|
|
|
|
|
| Audit | |
|
|
|
|
|
|
|
|
| Authorisations | |
|
|
|
|
|
|
|
|
| Connector | |
|
|
|
|
|
|
|
|
| O365 Licence Admin | |
|
|
|
|
|
|
|
|
| Local Report Admin | |
|
|
|
|
|
|
|
|
| Global Report Admin | |
|
|
|
|
|
|
|
|
Organisation Permissions
| Roles | Permissions | ||||||||
| Create Org Unit | Read Org Unit | Update Org Unit | Delete Org Unit | Org Unit Shortname edit | Org Unit Registration Limits | Read Audit | Top-up Updates | ||
| Local Primary Admin | |
|
|
|
|
|
|
|
|
| Local Admin | |
|
|
|
|
|
|
|
|
| Local Helpdesk | |
|
|
|
|
|
|
|
|
| Global Admin | |
|
|
|
|
|
|
|
|
| Global Helpdesk | |
|
|
|
|
|
|
|
|
| Tenant Admin | |
|
|
|
|
|
|
|
|
| Audit | |
|
|
|
|
|
|
|
|
| Authorisations | |
|
|
|
|
|
|
|
|
| Connector | |
|
|
|
|
|
|
|
|
| O365 Licence Admin | |
|
|
|
|
|
|
|
|
| Local Report Admin | |
|
|
|
|
|
|
|
|
| Global Report Admin | |
|
|
|
|
|
|
|
|
Resource Mailbox Permissions
| Roles | Permissions | ||||||||
| Create Resource Mailbox | Read Resource Mailbox | Update Resource Mailbox | Delete Resource Mailbox | Restore Resource Mailbox | |||||
| Local Primary Admin | |
|
|
|
|
||||
| Local Admin | |
|
|
|
|
||||
| Local Helpdesk | |
|
|
|
|
||||
| Global Admin | |
|
|
|
|
||||
| Global Helpdesk | |
|
|
|
|
||||
| Tenant Admin | |
|
|
|
|
||||
| Audit | |
|
|
|
|
||||
| Authorisations | |
|
|
|
|
||||
| Connector | |
|
|
|
|
||||
| O365 Licence Admin | |
|
|
|
|
||||
| Local Report Admin | |
|
|
|
|
||||
| Global Report Admin | |
|
|
|
|
||||
Reporting Permissions
| Roles | Permissions | ||||||||
| Mailbox Report | Contact Report | Distribution List Report | Mobile Report | Possible Duplicate Users Report | Top-up Report | O365 Licence Report | |||
| Local Primary Admin | |
|
|
|
|
|
|
||
| Local Admin | |
|
|
|
|
|
|
||
| Local Helpdesk | |
|
|
|
|
|
|
||
| Global Admin | |
|
|
|
|
|
|
||
| Global Helpdesk | |
|
|
|
|
|
|
||
| Tenant Admin | |
|
|
|
|
|
|
||
| Audit | |
|
|
|
|
|
|
||
| Authorisations | |
|
|
|
|
|
|
||
| Connector | |
|
|
|
|
|
|
||
| O365 Licence Admin | |
|
|
|
|
|
|
||
| O365 Local Report Admin | |
|
|
|
|
|
|
||
| Local Report Admin | |
|
|
|
|
|
|
||
| Global Report Admin | |
|
|
|
|
|
|
||
| Roles | Permissions | ||||||||
| ATP User Membership Report | Azure AD Allowed list External Organisation Report | Azure AD External Federated Groups Report | Azure AD Guest Access Report | O365 Activations User Detail Report | MFA Status Report | O365 Privacy Report | |||
| Local Primary Admin | |
|
|
|
|
|
|
||
| Local Admin | |
|
|
|
|
|
|
||
| Local Helpdesk | |
|
|
|
|
|
|
||
| Global Admin | |
|
|
|
|
|
|
||
| Global Helpdesk | |
|
|
|
|
|
|
||
| Tenant Admin | |
|
|
|
|
|
|
||
| Audit | |
|
|
|
|
|
|
||
| Authorisations | |
|
|
|
|
|
|
||
| Connector | |
|
|
|
|
|
|
||
| O365 Licence Admin | |
|
|
|
|
|
|
||
| O365 Local Report Admin | |
|
|
|
|
|
|
||
| Local Report Admin | |
|
|
|
|
|
|
||
| Global Report Admin | |
|
|
|
|
|
|
||
| Roles | Permissions | ||||||||
| O365 Usage Active User Detail Report | Teams User Activity Report | O365 User Licence Allocation Report | OneDrive User Consumption Report | Sharepoint Site Usage Detail Report | Teams Usage Report | ATP Group Management Report | |||
| Local Primary Admin | |
|
|
|
|
|
|
||
| Local Admin | |
|
|
|
|
|
|
||
| Local Helpdesk | |
|
|
|
|
|
|
||
| Global Admin | |
|
|
|
|
|
|
||
| Global Helpdesk | |
|
|
|
|
|
|
||
| Tenant Admin | |
|
|
|
|
|
|
||
| Audit | |
|
|
|
|
|
|
||
| Authorisations | |
|
|
|
|
|
|
||
| Connector | |
|
|
|
|
|
|
||
| O365 Licence Admin | |
|
|
|
|
|
|
||
| O365 Local Report Admin | |
|
|
|
|
|
|
||
| Local Report Admin | |
|
|
|
|
|
|
||
| Global Report Admin | |
|
|
|
|
|
|
||
| Roles | Permissions | ||||||||
| Organisation Admin Report | Dashboard Report | Connector Report | Organisation Traffic Report | Mover Leaver Report | Shared Channels Permissions Report | ||||
| Local Primary Admin | |
|
|
|
|
|
|||
| Local Admin | |
|
|
|
|
|
|||
| Local Helpdesk | |
|
|
|
|
|
|||
| Global Admin | |
|
|
|
|
|
|||
| Global Helpdesk | |
|
|
|
|
|
|||
| Tenant Admin | |
|
|
|
|
|
|||
| Audit | |
|
|
|
|
|
|||
| Authorisations | |
|
|
|
|
|
|||
| Connector | |
|
|
|
|
|
|||
| O365 Licence Admin | |
|
|
|
|
|
|||
| Local Report Admin | |
|
|
|
|
|
|||
| Global Report Admin | |
|
|
|
|
|
|||
Security Groups
| Roles | Permissions | ||||||||
| Create Security Groups | Update Security Groups | View Security Groups | |||||||
| Global Admin | |
|
|
||||||
| Local Primary Admin | |
|
|
||||||
| Local Admin | |
|
|
||||||
| Global Helpdesk | |
|
|
||||||
| Tenant Admin | |
|
|
||||||
| Local Helpdesk | |
|
|
||||||
| Local Report Admin | |
|
|
||||||
| Global Report Admin | |
|
|
||||||
| Audit | |
|
|
||||||
| Last Reviewed Date | 19/11/2024 |
