Microsoft Advertising User Management | OpsBlu Docs

Microsoft Advertising User Management

Manage Microsoft Advertising users with Super Admin, Standard User, and Viewer roles across manager and advertiser accounts.

Overview

Microsoft Advertising provides granular user access controls to manage who can view, edit, and administer your advertising accounts. Proper user management ensures security, accountability, and efficient team collaboration.

User Access Levels

Super Admin

Capabilities:

  • Full account control including billing
  • Add, edit, and remove users
  • Manage payment methods
  • View and edit all campaigns
  • Access all account settings
  • Manage customer billing accounts

When to Grant:

  • Account owners
  • Finance managers responsible for billing
  • Senior marketing leadership

Security Note: Limit Super Admin access to essential personnel only.

Standard User

Capabilities:

  • View and edit campaigns, ad groups, and ads
  • Manage keywords and bids
  • View performance reports
  • Create and edit conversion goals
  • Manage audiences
  • Cannot: Change billing, add users, delete account

When to Grant:

  • Marketing managers
  • PPC specialists
  • Campaign optimizers
  • Day-to-day account managers

Best For: Most team members who need operational access.

Advertiser Campaign Manager

Capabilities:

  • All Standard User permissions
  • Manage campaign budgets
  • Create and delete campaigns
  • Import and export settings
  • Manage shared budgets
  • Cannot: Change billing or add users

When to Grant:

  • Senior campaign managers
  • Agency account leads
  • Team members responsible for budget allocation

Difference from Standard: Can manage campaign budgets and overall account structure.

Read Only (Viewer)

Capabilities:

  • View campaigns and performance
  • Access all reports
  • View account settings
  • Cannot: Make any changes
  • Cannot: Edit campaigns, bids, or settings

When to Grant:

  • Executives reviewing performance
  • Analysts and data teams
  • Clients in agency relationships
  • Stakeholders needing visibility without edit access

Best For: Transparency without risk of accidental changes.

Access Scope Options

Account-Level Access

User has permissions for a specific Microsoft Advertising account:

  • Access limited to one account
  • Must add user separately to each account
  • Appropriate for account-specific team members
  • Clear separation of duties

Manager Account Access

User has permissions across multiple accounts via Manager Account (MCC):

  • Single login for multiple client accounts
  • Centralized user management
  • Ideal for agencies managing many clients
  • Can inherit permissions or customize per account

User Management Best Practices

1. Principle of Least Privilege

Grant minimum access level needed for job function:

  • Good: Analyst needs reporting → Grant Read Only
  • Bad: Analyst needs reporting → Grant Super Admin "just in case"

2. Regular Access Audits

Schedule quarterly reviews:

  • Remove access for departed employees
  • Downgrade access for role changes
  • Verify access levels still appropriate
  • Document access changes in audit log

3. Role-Based Access Control

Define standard roles for your organization:

Example Role Matrix:

Role Access Level Use Case
PPC Specialist Standard User Day-to-day campaign management
PPC Manager Advertiser Campaign Manager Strategy and budget management
Finance Manager Super Admin Billing and payment management
Executive Read Only Performance oversight
Data Analyst Read Only Reporting and analysis
Agency Partner Advertiser Campaign Manager Full campaign control (no billing)

4. Email Conventions

Use consistent email formats:

  • Work emails only (no personal Gmail accounts)
  • Shared inboxes for agencies (ads-team@agency.com)
  • Department aliases where appropriate
  • Easy to identify user's role from email

5. Two-Factor Authentication

Strongly recommended for Super Admin users:

  1. Navigate to Microsoft Account Security
  2. Enable two-step verification
  3. Use authenticator app (Microsoft Authenticator, Google Authenticator)
  4. Save backup codes in secure location

6. Offboarding Process

When employees leave:

  1. Immediate: Remove user access same day
  2. Document: Log removal in access audit trail
  3. Reassign: Transfer ownership of campaigns/rules if needed
  4. Review: Check for API access or OAuth tokens to revoke
  5. Monitor: Watch for unauthorized access attempts

7. Onboarding Process

When new employees join:

  1. Verify: Confirm manager approval for access
  2. Minimum access: Start with Read Only, escalate as needed
  3. Training: Provide Microsoft Advertising training resources
  4. Document: Record access grant in audit log
  5. Review: Schedule 30-day access review

Manager Accounts (MCC)

What is a Manager Account?

A Microsoft Advertising Manager Account (similar to Google Ads MCC) allows agencies and large advertisers to manage multiple accounts from a single interface.

Benefits

Centralized Management:

  • Manage 100s of client accounts from one login
  • Cross-account reporting
  • Bulk operations across accounts
  • Consistent settings and templates

Streamlined User Management:

  • Grant user access to all accounts at once
  • Inherit permissions from manager account
  • Easy to add new clients without re-inviting users

Agency Features:

  • Client approval workflows
  • Billing management across clients
  • Agency-level reporting
  • White-label options

Create Manager Account

  1. Sign in to Microsoft Advertising
  2. Click Tools > Accounts
  3. Click Manager accounts
  4. Click Create a manager account
  5. Enter Account name (e.g., "Agency Name MCC")
  6. Select Time zone
  7. Click Save

Option 1: Send Link Request

  1. In Manager Account, click Accounts > Accounts summary
  2. Click Link to accounts
  3. Enter client's Account number
  4. Click Send request
  5. Client receives email and accepts link

Option 2: Accept Link Invitation

  1. Client sends link invitation
  2. You receive email notification
  3. Click Accept in email
  4. Account appears in your Manager Account

Manager Account User Roles

Role Capabilities
Admin Full control of manager account and all linked accounts
Standard View and edit linked accounts (subject to individual account permissions)
Read-only View all linked accounts without edit access
Restricted Access only to specific linked accounts (custom permission)

Permission Inheritance

When using Manager Accounts, permissions can inherit:

Scenario 1: User Added to Manager Account

  • User granted "Standard" access to Manager Account
  • User automatically gets "Standard" access to all linked accounts
  • Adding new client accounts automatically grants access to user

Scenario 2: User Added to Individual Account

  • User granted "Standard" access to Client Account A
  • User does NOT get access to Client Account B
  • User must sign in directly to Client Account A (not via Manager Account)

Best Practice: Use Manager Account access for agencies, individual account access for client-side teams.

API Access

When API Access is Needed

  • Automated bid management tools
  • Custom reporting dashboards
  • Bulk campaign creation
  • Integration with third-party platforms
  • Programmatic ad management

Grant API Access

  1. User must have Standard or Admin account access
  2. User navigates to Tools > API Center
  3. User requests API access (requires Microsoft approval)
  4. User creates OAuth application credentials
  5. User implements OAuth flow in application

API Access Best Practices

  • Service accounts: Create dedicated user for API access
  • Secure credentials: Store client ID/secret in environment variables
  • Token rotation: Refresh OAuth tokens before expiration
  • Rate limiting: Implement backoff for API rate limits
  • Logging: Track all API requests for auditing
  • Revoke unused: Remove API access when no longer needed

Common User Management Scenarios

Scenario 1: Agency Managing Multiple Clients

Setup:

  1. Create Manager Account for agency
  2. Link all client accounts to Manager Account
  3. Add agency team members to Manager Account with appropriate roles:
    • Account Directors: Admin
    • Campaign Managers: Standard
    • Analysts: Read-only

Benefit: Single access point for all client accounts, easy user management.

Scenario 2: In-House Team

Setup:

  1. Use individual account access (no Manager Account needed)
  2. Add team members directly to account:
    • CMO: Read-only
    • PPC Manager: Advertiser Campaign Manager
    • PPC Specialists: Standard User
    • CFO: Super Admin (for billing)

Benefit: Clear access boundaries, no complexity of Manager Account.

Scenario 3: Client + Agency Collaboration

Setup:

  1. Client maintains Super Admin access
  2. Agency has Manager Account that links to client account
  3. Agency users access via Manager Account (Standard or Admin)
  4. Client can view agency actions in change history

Benefit: Client retains control, agency has operational access.

Scenario 4: Temporary Contractor Access

Setup:

  1. Grant Standard User access with specific start date
  2. Set calendar reminder for contract end date
  3. Document access in contractor log
  4. Remove access on contract end date
  5. Verify no API tokens or OAuth access remains

Benefit: Time-bound access with clear offboarding.

Access Request Workflow

Standardized Request Process

Request Template:

Microsoft Advertising Access Request

Requestor Name: [Jane Doe]
Email Address: [jane.doe@company.com]
Microsoft Account Email: [jane.doe@company.com] (must be Microsoft account)
Account Name/ID: [Company Ads - 123456789]
Access Level Requested: [Standard User / Advertiser Campaign Manager / Read Only / Super Admin]
Business Justification: [Campaign management for Q1 2025 initiatives]
Manager Approval: [John Smith, Marketing Director]
Start Date: [2025-01-15]
End Date: [Ongoing / 2025-03-31]

Approval Workflow

  1. Submit Request: User submits access request form
  2. Manager Review: Direct manager approves business need
  3. Access Review: Admin verifies appropriate access level
  4. Grant Access: Admin adds user to account
  5. Notify: User receives invitation email
  6. Document: Log access grant in audit trail
  7. Follow-up: Schedule 30-day review for new users

Monitoring and Auditing

View Change History

Track all account changes and attribute to users:

  1. Navigate to Campaigns
  2. Click Change history in left sidebar
  3. Filter by:
    • Date range
    • User
    • Change type (campaign, ad group, keyword, etc.)
    • Entity name

User Activity Reporting

Microsoft Advertising provides user activity logs:

  1. Navigate to Tools > Reports
  2. Create User change report
  3. Select dimensions: User, Change type, Date
  4. Schedule report delivery (daily, weekly, monthly)

Access Audit Checklist

Quarterly audit tasks:

  • Review all users with Super Admin access
  • Verify all users still employed/contracted
  • Confirm access levels match current job responsibilities
  • Remove access for departed employees
  • Check for inactive users (no login in 90+ days)
  • Verify two-factor authentication enabled for Super Admins
  • Review API access and active OAuth tokens
  • Document audit findings and actions taken
  • Schedule next audit (90 days)

Linked Runbooks

Detailed guides for specific user management tasks:

Security Best Practices

Account Security

  1. Strong Passwords: Enforce password complexity requirements
  2. Two-Factor Authentication: Required for Super Admin, recommended for all
  3. Password Rotation: Change passwords every 90 days
  4. Unique Credentials: Never share login credentials
  5. Secure Password Storage: Use password manager (1Password, LastPass, Bitwarden)

Access Controls

  1. Least Privilege: Minimum access level required
  2. Regular Reviews: Quarterly access audits
  3. Separation of Duties: Different users for billing vs. campaign management
  4. Time-Bound Access: Set expiration dates for contractors
  5. Immediate Revocation: Remove access same day as employee departure

Monitoring

  1. Change History: Regularly review account changes
  2. Login Alerts: Enable notifications for new login locations
  3. API Activity: Monitor API request logs
  4. Billing Alerts: Notifications for unusual spending
  5. Performance Anomalies: Alert on sudden campaign changes

Compliance Considerations

GDPR / Privacy

  • Document who has access to customer data
  • Maintain access logs for audit purposes
  • Data processing agreements with users who access EU customer data
  • Right to know who processes customer data

SOX / Financial Controls

For publicly traded companies:

  • Segregation of duties (different users for approval vs. execution)
  • Audit trail of all financial transactions
  • Regular access reviews documented
  • Super Admin access limited and monitored

Industry-Specific

Healthcare (HIPAA):

  • No PHI in ad copy or landing pages
  • Access controls documented
  • Business Associate Agreements (BAAs) with users

Finance (PCI-DSS):

  • No credit card data in ads or tracking
  • Access logging and monitoring
  • Secure credential storage

Troubleshooting Access Issues

User Can't Access Account

Solutions:

  1. Verify user accepted invitation email
  2. Check user signed in with correct Microsoft account
  3. Confirm user has permissions (not pending)
  4. Try accessing from different browser/incognito
  5. Check if user's Microsoft account is active

User Sees Limited Data

Solutions:

  1. Verify access level (may have Read-only instead of Standard)
  2. Check date range in reporting (default may be short)
  3. Confirm account has campaigns and data
  4. Verify user viewing correct account (check account switcher)

Can't Add New User

Solutions:

  1. Confirm you have Admin or Super Admin access
  2. Verify email is valid Microsoft account
  3. Check account hasn't reached user limit (unlikely)
  4. Try different browser or clear cache

User Management Checklist

  • Access levels defined for each role in organization
  • Manager Account configured (if applicable)
  • All users have appropriate access level (least privilege)
  • Two-factor authentication enabled for Super Admins
  • Access request and approval workflow documented
  • Offboarding process ensures same-day access removal
  • Quarterly access audits scheduled
  • Change history reviewed regularly
  • API access limited and monitored
  • Compliance requirements met (GDPR, SOX, etc.)

Support Resources

Back to top