Relationship of Members, Roles, and Role Groups
Start course

This Managing Azure AD User Roles course will teach you how to plan user roles in Microsoft 365 and how to allocate roles in workloads. You will learn how to configure administrative accounts and how to configure RBAC within Azure AD. You'll also learn how to delegate and manage admin roles.

Later in the course, you will learn how to manage role allocations by using Azure AD and how to plan security and compliance roles for Microsoft 365.

Learning Objectives

  • Plan and Allocate User Roles
  • Configure Role-Based Access (RBAC)
  • Delegate and Manage Admin Access
  • Plan Security and Compliance Roles

Intended Audience

  • IT professionals who are interested in obtaining Microsoft 365 certification
  • Those tasked with configuring and managing Office 365 access


  • A moderate understanding of Microsoft 365 and of Azure AD

To better understand how permissioning and access works, it's important to understand the relationship between members, roles and role groups. So let's briefly touch on these relationships. 

A role is used to grant permissions that allow a user to perform a specific set of tasks. A typical use case here would be a situation where you assign the Case Management role to a user that needs to work with eDiscovery cases. A role group, however, is a set of roles. You use a role group to allow people to perform their jobs within the Security and Compliance Center. For example, a user who is a member of the Compliance Administrator role group will be assigned the roles that included in that role group. In this case, the user would be assigned the roles of Case Management, Content Search, Organization Configuration and a few others because a user who functions as a compliance admin is going to need these permissions for those tasks to do their job. 

The Security and Compliance Center includes default role groups for the most common tasks and functions that you'll need to assign users to. Microsoft recommends that you grant necessary access by adding users as members to the default role groups they're provided. It's important to note that while you can edit or delete existing role groups, it's not recommended by Microsoft. Instead of editing a default role group, what you should if necessary, is copy the group, modify it and then save it with a different name.

About the Author
Learning Paths

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long an interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.