Overview
Microsoft Advertising provides granular user access controls to manage who can view, edit, and administer your advertising accounts. Proper user management ensures security, accountability, and efficient team collaboration.
User Access Levels
Super Admin
Capabilities:
- Full account control including billing
- Add, edit, and remove users
- Manage payment methods
- View and edit all campaigns
- Access all account settings
- Manage customer billing accounts
When to Grant:
- Account owners
- Finance managers responsible for billing
- Senior marketing leadership
Security Note: Limit Super Admin access to essential personnel only.
Standard User
Capabilities:
- View and edit campaigns, ad groups, and ads
- Manage keywords and bids
- View performance reports
- Create and edit conversion goals
- Manage audiences
- Cannot: Change billing, add users, delete account
When to Grant:
- Marketing managers
- PPC specialists
- Campaign optimizers
- Day-to-day account managers
Best For: Most team members who need operational access.
Advertiser Campaign Manager
Capabilities:
- All Standard User permissions
- Manage campaign budgets
- Create and delete campaigns
- Import and export settings
- Manage shared budgets
- Cannot: Change billing or add users
When to Grant:
- Senior campaign managers
- Agency account leads
- Team members responsible for budget allocation
Difference from Standard: Can manage campaign budgets and overall account structure.
Read Only (Viewer)
Capabilities:
- View campaigns and performance
- Access all reports
- View account settings
- Cannot: Make any changes
- Cannot: Edit campaigns, bids, or settings
When to Grant:
- Executives reviewing performance
- Analysts and data teams
- Clients in agency relationships
- Stakeholders needing visibility without edit access
Best For: Transparency without risk of accidental changes.
Access Scope Options
Account-Level Access
User has permissions for a specific Microsoft Advertising account:
- Access limited to one account
- Must add user separately to each account
- Appropriate for account-specific team members
- Clear separation of duties
Manager Account Access
User has permissions across multiple accounts via Manager Account (MCC):
- Single login for multiple client accounts
- Centralized user management
- Ideal for agencies managing many clients
- Can inherit permissions or customize per account
User Management Best Practices
1. Principle of Least Privilege
Grant minimum access level needed for job function:
- Good: Analyst needs reporting → Grant Read Only
- Bad: Analyst needs reporting → Grant Super Admin "just in case"
2. Regular Access Audits
Schedule quarterly reviews:
- Remove access for departed employees
- Downgrade access for role changes
- Verify access levels still appropriate
- Document access changes in audit log
3. Role-Based Access Control
Define standard roles for your organization:
Example Role Matrix:
| Role | Access Level | Use Case |
|---|---|---|
| PPC Specialist | Standard User | Day-to-day campaign management |
| PPC Manager | Advertiser Campaign Manager | Strategy and budget management |
| Finance Manager | Super Admin | Billing and payment management |
| Executive | Read Only | Performance oversight |
| Data Analyst | Read Only | Reporting and analysis |
| Agency Partner | Advertiser Campaign Manager | Full campaign control (no billing) |
4. Email Conventions
Use consistent email formats:
- Work emails only (no personal Gmail accounts)
- Shared inboxes for agencies (ads-team@agency.com)
- Department aliases where appropriate
- Easy to identify user's role from email
5. Two-Factor Authentication
Strongly recommended for Super Admin users:
- Navigate to Microsoft Account Security
- Enable two-step verification
- Use authenticator app (Microsoft Authenticator, Google Authenticator)
- Save backup codes in secure location
6. Offboarding Process
When employees leave:
- Immediate: Remove user access same day
- Document: Log removal in access audit trail
- Reassign: Transfer ownership of campaigns/rules if needed
- Review: Check for API access or OAuth tokens to revoke
- Monitor: Watch for unauthorized access attempts
7. Onboarding Process
When new employees join:
- Verify: Confirm manager approval for access
- Minimum access: Start with Read Only, escalate as needed
- Training: Provide Microsoft Advertising training resources
- Document: Record access grant in audit log
- Review: Schedule 30-day access review
Manager Accounts (MCC)
What is a Manager Account?
A Microsoft Advertising Manager Account (similar to Google Ads MCC) allows agencies and large advertisers to manage multiple accounts from a single interface.
Benefits
Centralized Management:
- Manage 100s of client accounts from one login
- Cross-account reporting
- Bulk operations across accounts
- Consistent settings and templates
Streamlined User Management:
- Grant user access to all accounts at once
- Inherit permissions from manager account
- Easy to add new clients without re-inviting users
Agency Features:
- Client approval workflows
- Billing management across clients
- Agency-level reporting
- White-label options
Create Manager Account
- Sign in to Microsoft Advertising
- Click Tools > Accounts
- Click Manager accounts
- Click Create a manager account
- Enter Account name (e.g., "Agency Name MCC")
- Select Time zone
- Click Save
Link Client Accounts
Option 1: Send Link Request
- In Manager Account, click Accounts > Accounts summary
- Click Link to accounts
- Enter client's Account number
- Click Send request
- Client receives email and accepts link
Option 2: Accept Link Invitation
- Client sends link invitation
- You receive email notification
- Click Accept in email
- Account appears in your Manager Account
Manager Account User Roles
| Role | Capabilities |
|---|---|
| Admin | Full control of manager account and all linked accounts |
| Standard | View and edit linked accounts (subject to individual account permissions) |
| Read-only | View all linked accounts without edit access |
| Restricted | Access only to specific linked accounts (custom permission) |
Permission Inheritance
When using Manager Accounts, permissions can inherit:
Scenario 1: User Added to Manager Account
- User granted "Standard" access to Manager Account
- User automatically gets "Standard" access to all linked accounts
- Adding new client accounts automatically grants access to user
Scenario 2: User Added to Individual Account
- User granted "Standard" access to Client Account A
- User does NOT get access to Client Account B
- User must sign in directly to Client Account A (not via Manager Account)
Best Practice: Use Manager Account access for agencies, individual account access for client-side teams.
API Access
When API Access is Needed
- Automated bid management tools
- Custom reporting dashboards
- Bulk campaign creation
- Integration with third-party platforms
- Programmatic ad management
Grant API Access
- User must have Standard or Admin account access
- User navigates to Tools > API Center
- User requests API access (requires Microsoft approval)
- User creates OAuth application credentials
- User implements OAuth flow in application
API Access Best Practices
- Service accounts: Create dedicated user for API access
- Secure credentials: Store client ID/secret in environment variables
- Token rotation: Refresh OAuth tokens before expiration
- Rate limiting: Implement backoff for API rate limits
- Logging: Track all API requests for auditing
- Revoke unused: Remove API access when no longer needed
Common User Management Scenarios
Scenario 1: Agency Managing Multiple Clients
Setup:
- Create Manager Account for agency
- Link all client accounts to Manager Account
- Add agency team members to Manager Account with appropriate roles:
- Account Directors: Admin
- Campaign Managers: Standard
- Analysts: Read-only
Benefit: Single access point for all client accounts, easy user management.
Scenario 2: In-House Team
Setup:
- Use individual account access (no Manager Account needed)
- Add team members directly to account:
- CMO: Read-only
- PPC Manager: Advertiser Campaign Manager
- PPC Specialists: Standard User
- CFO: Super Admin (for billing)
Benefit: Clear access boundaries, no complexity of Manager Account.
Scenario 3: Client + Agency Collaboration
Setup:
- Client maintains Super Admin access
- Agency has Manager Account that links to client account
- Agency users access via Manager Account (Standard or Admin)
- Client can view agency actions in change history
Benefit: Client retains control, agency has operational access.
Scenario 4: Temporary Contractor Access
Setup:
- Grant Standard User access with specific start date
- Set calendar reminder for contract end date
- Document access in contractor log
- Remove access on contract end date
- Verify no API tokens or OAuth access remains
Benefit: Time-bound access with clear offboarding.
Access Request Workflow
Standardized Request Process
Request Template:
Microsoft Advertising Access Request
Requestor Name: [Jane Doe]
Email Address: [jane.doe@company.com]
Microsoft Account Email: [jane.doe@company.com] (must be Microsoft account)
Account Name/ID: [Company Ads - 123456789]
Access Level Requested: [Standard User / Advertiser Campaign Manager / Read Only / Super Admin]
Business Justification: [Campaign management for Q1 2025 initiatives]
Manager Approval: [John Smith, Marketing Director]
Start Date: [2025-01-15]
End Date: [Ongoing / 2025-03-31]
Approval Workflow
- Submit Request: User submits access request form
- Manager Review: Direct manager approves business need
- Access Review: Admin verifies appropriate access level
- Grant Access: Admin adds user to account
- Notify: User receives invitation email
- Document: Log access grant in audit trail
- Follow-up: Schedule 30-day review for new users
Monitoring and Auditing
View Change History
Track all account changes and attribute to users:
- Navigate to Campaigns
- Click Change history in left sidebar
- Filter by:
- Date range
- User
- Change type (campaign, ad group, keyword, etc.)
- Entity name
User Activity Reporting
Microsoft Advertising provides user activity logs:
- Navigate to Tools > Reports
- Create User change report
- Select dimensions: User, Change type, Date
- Schedule report delivery (daily, weekly, monthly)
Access Audit Checklist
Quarterly audit tasks:
- Review all users with Super Admin access
- Verify all users still employed/contracted
- Confirm access levels match current job responsibilities
- Remove access for departed employees
- Check for inactive users (no login in 90+ days)
- Verify two-factor authentication enabled for Super Admins
- Review API access and active OAuth tokens
- Document audit findings and actions taken
- Schedule next audit (90 days)
Linked Runbooks
Detailed guides for specific user management tasks:
- Add User Access - Step-by-step user invitation process
- Update Access - Changing user roles and permissions
- Remove Access - Offboarding and access revocation
Security Best Practices
Account Security
- Strong Passwords: Enforce password complexity requirements
- Two-Factor Authentication: Required for Super Admin, recommended for all
- Password Rotation: Change passwords every 90 days
- Unique Credentials: Never share login credentials
- Secure Password Storage: Use password manager (1Password, LastPass, Bitwarden)
Access Controls
- Least Privilege: Minimum access level required
- Regular Reviews: Quarterly access audits
- Separation of Duties: Different users for billing vs. campaign management
- Time-Bound Access: Set expiration dates for contractors
- Immediate Revocation: Remove access same day as employee departure
Monitoring
- Change History: Regularly review account changes
- Login Alerts: Enable notifications for new login locations
- API Activity: Monitor API request logs
- Billing Alerts: Notifications for unusual spending
- Performance Anomalies: Alert on sudden campaign changes
Compliance Considerations
GDPR / Privacy
- Document who has access to customer data
- Maintain access logs for audit purposes
- Data processing agreements with users who access EU customer data
- Right to know who processes customer data
SOX / Financial Controls
For publicly traded companies:
- Segregation of duties (different users for approval vs. execution)
- Audit trail of all financial transactions
- Regular access reviews documented
- Super Admin access limited and monitored
Industry-Specific
Healthcare (HIPAA):
- No PHI in ad copy or landing pages
- Access controls documented
- Business Associate Agreements (BAAs) with users
Finance (PCI-DSS):
- No credit card data in ads or tracking
- Access logging and monitoring
- Secure credential storage
Troubleshooting Access Issues
User Can't Access Account
Solutions:
- Verify user accepted invitation email
- Check user signed in with correct Microsoft account
- Confirm user has permissions (not pending)
- Try accessing from different browser/incognito
- Check if user's Microsoft account is active
User Sees Limited Data
Solutions:
- Verify access level (may have Read-only instead of Standard)
- Check date range in reporting (default may be short)
- Confirm account has campaigns and data
- Verify user viewing correct account (check account switcher)
Can't Add New User
Solutions:
- Confirm you have Admin or Super Admin access
- Verify email is valid Microsoft account
- Check account hasn't reached user limit (unlikely)
- Try different browser or clear cache
User Management Checklist
- Access levels defined for each role in organization
- Manager Account configured (if applicable)
- All users have appropriate access level (least privilege)
- Two-factor authentication enabled for Super Admins
- Access request and approval workflow documented
- Offboarding process ensures same-day access removal
- Quarterly access audits scheduled
- Change history reviewed regularly
- API access limited and monitored
- Compliance requirements met (GDPR, SOX, etc.)
Support Resources
- Microsoft Advertising Help: about.ads.microsoft.com/en-us/resources/training/user-management
- Account Security: account.microsoft.com/security
- API Documentation: docs.microsoft.com/en-us/advertising/guides/authentication-oauth
- Manager Account Guide: about.ads.microsoft.com/en-us/resources/training/manager-accounts