Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

1.2.2. Roles, Licenses, and Access Control

💡 First Principle: In Microsoft 365, "access" has two completely separate meanings — admin access (what you can configure) and user access (what features you can use). Admin roles control the first; licenses control the second. A global administrator without a Copilot license can't use Copilot, just like a licensed user without an admin role can't reconfigure the tenant.

Microsoft 365 uses role-based access control (RBAC) for administration. Instead of giving admins direct access to everything, RBAC assigns roles that bundle specific permissions. The Global Administrator role has full control of the tenant — it's the highest-privilege role and should be assigned sparingly. Most day-to-day admin work uses scoped roles:

| Role | What They Can Do |
| --- | --- |
| Global Administrator | Full tenant control — all admin centers, all settings |
| User Administrator | Create/manage users and groups, assign licenses |
| Exchange Administrator | Manage Exchange Online mailboxes and mail flow |
| SharePoint Administrator | Manage SharePoint sites and settings |
| Teams Administrator | Manage Teams policies and configurations |
| Security Administrator | Manage security policies in Defender and Entra |
| Compliance Administrator | Manage Purview policies, DLP, retention |
| Billing Administrator | Manage subscriptions and billing |

Least privilege is the principle you apply when assigning roles: give people only the permissions they need to do their job. A helpdesk technician should be a User Administrator, not a Global Administrator.

Licenses work differently. They're entitlements that gate feature availability at the user level. Microsoft 365 Business Basic, Business Standard, Business Premium, E3, and E5 are common license SKUs — each unlocks a different set of features. Group-based licensing lets you assign licenses to a security group so that all members inherit the license automatically when they join.

āš ļø Exam Trap: Group-based licensing is propagated automatically, but the process isn't always instant, and some features require post-license configuration steps. Assigning the license is the first step, not the final one.

Reflection Question: Your organization has 500 users. You want all members of the "Sales Team" group to automatically get the Microsoft 365 E3 license when they join the group. What feature do you use, and what potential delay or follow-up step should you account for?

Written by Alvin Varughese
Founder • 15 professional certifications