min read

How to assign Microsoft Teams roles in the admin center

ShareGate Team

Published on

May 14, 2026

Put your Microsoft Teams management on auto-pilot

We identify potential issues so you can course-correct them before they escalate!

Free trial

Master Hacks: Migrate like a pro

Check out our video series to help you turn migration projects into masterpieces!

Watch now

Text Link

Microsoft Teams is built for self-service. In many orgs, users can create workspaces and invite guests without ever filing a help desk ticket. That flexibility is great for productivity. But it also means Microsoft Teams roles and permissions can quickly get out of hand if nobody’s paying attention.

The tricky part is that Microsoft Teams roles don’t all live in the same place: Admins have to assign owner, member, and guest permissions from inside the app or Teams admin center. Complicating things even further, if they want to assign administrative roles, they have to use Microsoft Entra ID and the M365 admin center.

Confusion between team-level roles and admin roles can lead to gaps in control, like too many team owners or unclear accountability for managing content and settings. Or admins who lack access to troubleshoot even basic call quality issues.

In this guide, we offer step-by-step instructions and governance best practices to help you manage Microsoft Teams access without slowing anyone down.

‍

What are roles and permissions in Microsoft Teams?

Team-level roles, Microsoft 365 group membership, and underlying SharePoint permissions determine what users can see, edit, and control. Here are the major categories.

Teams end-user roles

Team-level roles govern what someone can do inside a specific workspace, like creating channels, uploading files, or managing the team name and settings.

Owner

Team owners have full control over the workspace, with the power to:

Add or remove members
Promote someone else to owner status
Manage channels
Assign moderators
Change the team picture
Delete the team entirely

TIP: Always assign at least two owners per team. Otherwise, if an owner left the company or switched departments, their team would become ownerless—nobody could manage its settings or membership until an admin intervened. This kind of ownership drift can add up quickly and cause real administrative headaches.

Member

Members handle day-to-day work, like participating in channel discussions, joining meetings, and collaborating on documents. If the team owner allows, members can also create their own channels and add apps.

You can limit members’ permissions in the team Settings menu. For example, you could prevent members from deleting or editing messages, or restrict who can post in specific channels.

Guest

Guests are external users that admins, owners, or members with the necessary permissions have added to your environment. Guests can participate in channel conversations and access shared files, but they can’t create teams.

You can configure Teams guest access in both Entra ID and the Teams admin center. Don’t confuse it with external access (also known as federation), which allows users to chat and call people in other organizations without adding them to your environment.

Teams admin roles

You assign admin roles in Microsoft Entra ID. They dictate who can manage policies and settings across the service. Teams administrators don’t automatically become the owners of every team. Admins operate at the service level. Team ownership stays with the people doing the work.

Here’s what each role does:

Teams administrator: Manages the entire Teams service. This role manages the overall Teams experience, while group ownership and lifecycle are handled at the Microsoft 365 level.
Teams communications administrator: Focuses on call and meeting features. Manages voice policies, phone number inventory, and resource accounts.
Teams communications support engineer: Troubleshoots communications issues with advanced tools, including the Call Quality Dashboard with user-level detail.
Teams communications support specialist: Handles basic troubleshooting. Can only view call analytics for the specific user being searched for.
Teams device administrator: Manages physical devices configured for Teams. Updates and configuration profiles, but doesn’t have access to call quality data.
Teams telephony administrator: Manages voice and telephony features, public switched telephone network (PSTN) usage reports, and resource accounts.
Teams reader: Has read-only access to the Teams admin center for auditing and review.

Microsoft recommends following the principle of least privilege: assign the most specific role that covers the job, and avoid handing out global administrator access unless it’s an emergency.

‍

Governance best practices and risks

Keeping role assignments accurate over time is trickier than it might seem, especially as people change jobs and leave the company.

Start with these practical governance habits to avoid the most common headaches down the line.

Best practice	Risk it mitigates
Assign at least two owners per team	Prevents a team from becoming ownerless when employees leave or switch roles
Use least privilege for admin roles	Limits the damage if an account is compromised or misused
Review guest access on a regular schedule	Prevents guest sprawl and lingering access to sensitive files
Use lifecycle policies (not just manual reviews) to manage inactive teams	Helps control sprawl and makes sure outdated workspaces don’t pile up
Standardize team creation with policies and templates—not just documentation	Improves consistency across teams and reduces governance drift

‍

How to assign Microsoft Teams roles: Step-by-step

How you assign Microsoft Teams roles depends on the layer you’re working with.

Assign team-level roles

You can assign team-level roles directly in the Microsoft Teams app or through the Teams admin center. Here’s how:

In the Teams app:

1. Open Microsoft Teams and find the team you want to manage.

2. Click the three dots (more options) next to the team name and select Manage team.

3. Go to the Members tab.

4. To add someone new, click Add member, type their name, and confirm.

5. Use the role dropdown next to their name to assign them as an owner or member.

In the Teams admin center:

1. Go to admin.teams.microsoft.com.

2. Select Teams > Manage teams.

3. Choose the team you want to manage

4. In the Members tab, add or remove members and assign roles.

‍

Check out Microsoft's documentation on assigning team owners and members in the Teams admin center.

‍

Assign admin roles

To grant service-level administrative privileges, you’ll need to use Microsoft Entra ID. Follow these steps:

‍

1. Sign in to the Microsoft Entra admin center. You will need at least “privileged role administrator” access.

2. Navigate to Identity → Roles & admins.

3. Search for the Teams role you want to assign (for example, Teams administrator).

4. Select the role to open its details pane.

5. Click Add assignments, select the user, and confirm the scope.

‍

Simplify Teams governance with ShareGate Protect

Native tools are handy for basic role assignment, but when you’re managing hundreds or thousands of users, keeping track of Teams permissions is a complex job. The Teams admin center simply wasn’t built for that kind of visibility at scale.

ShareGate Protect helps you see exactly who has access to what—across every team, site, group, and drive. Detect ownerless and inactive workspaces before they create access problems, identify risky sharing links with excessive or stale permissions, and review guest access across your entire tenant. When you find an issue, fix it fast—simple or bulk remediation actions, right where you're already working.

Plus, ShareGate Protect doesn’t try to replace Microsoft’s role assignment architecture. It gives you the visibility to spot oversharing and access drift, and the tools to clean it up before it compounds.

To see how ShareGate Protect can help streamline your governance efforts, request a demo today.