What are the default user permissions in Azure Active Directory?

Article
03/09/2023
10 minutes to read

In Azure Active Directory (Azure AD), all users are granted a set of default permissions. A user's access consists of the type of user, their role assignments, and their ownership of individual objects.

This article describes those default permissions and compares the member and guest user defaults. The default user permissions can be changed only in user settings in Azure AD.

Member and guest users

The set of default permissions depends on whether the user is a native member of the tenant (member user) or whether the user is brought over from another directory as a business-to-business (B2B) collaboration guest (guest user). For more information about adding guest users, see What is Azure AD B2B collaboration?. Here are the capabilities of the default permissions:

Member users can register applications, manage their own profile photo and mobile phone number, change their own password, and invite B2B guests. These users can also read all directory information (with a few exceptions).
Guest users have restricted directory permissions. They can manage their own profile, change their own password, and retrieve some information about other users, groups, and apps. However, they can't read all directory information.

For example, guest users can't enumerate the list of all users, groups, and other directory objects. Guests can be added to administrator roles, which grant them full read and write permissions. Guests can also invite other guests.

Compare member and guest default permissions

Area	Member user permissions	Default guest user permissions	Restricted guest user permissions
Users and contacts	Enumerate the list of all users and contacts Read all public properties of users and contacts Invite guests Change their own password Manage their own mobile phone number Manage their own photo Invalidate their own refresh tokens	Read their own properties Read display name, email, sign-in name, photo, user principal name, and user type properties of other users and contacts Change their own password Search for another user by object ID (if allowed) Read manager and direct report information of other users	Read their own properties Change their own password Manage their own mobile phone number
Groups	Create security groups Create Microsoft 365 groups Enumerate the list of all groups Read all properties of groups Read non-hidden group memberships Read hidden Microsoft 365 group memberships for joined groups Manage properties, ownership, and membership of groups that the user owns Add guests to owned groups Manage dynamic membership settings Delete owned groups Restore owned Microsoft 365 groups	Read properties of non-hidden groups, including membership and ownership (even non-joined groups) Read hidden Microsoft 365 group memberships for joined groups Search for groups by display name or object ID (if allowed)	Read object ID for joined groups Read membership and ownership of joined groups in some Microsoft 365 apps (if allowed)
Applications	Register (create) new applications Enumerate the list of all applications Read properties of registered and enterprise applications List permissions granted to applications Manage application properties, assignments, and credentials for owned applications Create or delete application passwords for users Delete owned applications Restore owned applications List permissions granted to applications	Read properties of registered and enterprise applications List permissions granted to applications	Read properties of registered and enterprise applications List permissions granted to applications
Devices	Enumerate the list of all devices Read all properties of devices Manage all properties of owned devices	No permissions	No permissions
Organization	Read all company information Read all domains Read configuration of certificate-based authentication Read all partner contracts	Read company display name Read all domains Read configuration of certificate-based authentication	Read company display name Read all domains
Roles and scopes	Read all administrative roles and memberships Read all properties and membership of administrative units	No permissions	No permissions
Subscriptions	Read all subscriptions Enable service plan memberships	No permissions	No permissions
Policies	Read all properties of policies Manage all properties of owned policies	No permissions	No permissions

Restrict member users' default permissions

It's possible to add restrictions to users' default permissions.

You can restrict default permissions for member users in the following ways:

Caution

Using the Restrict access to Azure AD administration portal switch is NOT a security measure. For more information on the functionality, see the table below.

Permission	Setting explanation
Register applications	Setting this option to No prevents users from creating application registrations. You can then grant the ability back to specific individuals, by adding them to the application developer role.
Create security groups	Setting this option to No prevents users from creating security groups. Global administrators and user administrators can still create security groups. To learn how, see Azure Active Directory cmdlets for configuring group settings.
Create Microsoft 365 groups	Setting this option to No prevents users from creating Microsoft 365 groups. Setting this option to Some allows a set of users to create Microsoft 365 groups. Global administrators and user administrators can still create Microsoft 365 groups. To learn how, see Azure Active Directory cmdlets for configuring group settings.
Restrict access to Azure AD administration portal	What does this switch do? No lets non-administrators browse the Azure AD administration portal. Yes Restricts non-administrators from browsing the Azure AD administration portal. Non-administrators who are owners of groups or applications are unable to use the Azure portal to manage their owned resources. What does it not do? It doesn't restrict access to Azure AD data using PowerShell, Microsoft GraphAPI, or other clients such as Visual Studio. It doesn't restrict access as long as a user is assigned a custom role (or any role). When should I use this switch? Use this option to prevent users from misconfiguring the resources that they own. When should I not use this switch? Don't use this switch as a security measure. Instead, create a Conditional Access policy that targets Azure Management that blocks non-administrators access to Azure Management. How do I grant only a specific non-administrator users the ability to use the Azure AD administration portal? Set this option to Yes, then assign them a role like global reader. Restrict access to the Entra administration portal A Conditional Access policy that targets Azure Management targets access to all Azure management.
Restrict non-admin users from creating tenants	Users can create tenants in the Azure AD and Entra administration portal under Manage tenant. The creation of a tenant is recorded in the Audit log as category DirectoryManagement and activity Create Company. Anyone who creates a tenant becomes the Global Administrator of that tenant. The newly created tenant doesn't inherit any settings or configurations. What does this switch do? Setting this option to Yes restricts creation of Azure AD tenants to the Global Administrator or tenant creator roles. Setting this option to No allows non-admin users to create Azure AD tenants. Tenant create will continue to be recorded in the Audit log. How do I grant only a specific non-administrator users the ability to create new tenants? Set this option to Yes, then assign them the tenant creator role.
Read other users	This setting is available in Microsoft Graph and PowerShell only. Setting this flag to `$false` prevents all non-admins from reading user information from the directory. This flag doesn't prevent reading user information in other Microsoft services like Exchange Online. This setting is meant for special circumstances, so we don't recommend setting the flag to `$false`.

The Restrict non-admin users from creating tenants option is shown below

Screenshot showing the option to **Restrict non-admins from creating tenants**

Restrict guest users' default permissions

You can restrict default permissions for guest users in the following ways.

Note

The Guest user access restrictions setting replaced the Guest users permissions are limited setting. For guidance on using this feature, see Restrict guest access permissions in Azure Active Directory.

Permission	Setting explanation
Guest user access restrictions	Setting this option to Guest users have the same access as members grants all member user permissions to guest users by default. Setting this option to Guest user access is restricted to properties and memberships of their own directory objects restricts guest access to only their own user profile by default. Access to other users is no longer allowed, even when they're searching by user principal name, object ID, or display name. Access to group information, including groups memberships, is also no longer allowed. This setting doesn't prevent access to joined groups in some Microsoft 365 services like Microsoft Teams. To learn more, see Microsoft Teams guest access. Guest users can still be added to administrator roles regardless of this permission setting.
Guests can invite	Setting this option to Yes allows guests to invite other guests. To learn more, see Configure external collaboration settings.

Permission

Setting explanation

Guest user access restrictions

Setting this option to Guest users have the same access as members grants all member user permissions to guest users by default.

Setting this option to Guest user access is restricted to properties and memberships of their own directory objects restricts guest access to only their own user profile by default. Access to other users is no longer allowed, even when they're searching by user principal name, object ID, or display name. Access to group information, including groups memberships, is also no longer allowed.

This setting doesn't prevent access to joined groups in some Microsoft 365 services like Microsoft Teams. To learn more, see Microsoft Teams guest access.

Guest users can still be added to administrator roles regardless of this permission setting.

Guests can invite

Setting this option to Yes allows guests to invite other guests. To learn more, see Configure external collaboration settings.

Object ownership

Application registration owner permissions

When a user registers an application, they're automatically added as an owner for the application. As an owner, they can manage the metadata of the application, such as the name and permissions that the app requests. They can also manage the tenant-specific configuration of the application, such as the single sign-on (SSO) configuration and user assignments.

An owner can also add or remove other owners. Unlike global administrators, owners can manage only the applications that they own.

Enterprise application owner permissions

When a user adds a new enterprise application, they're automatically added as an owner. As an owner, they can manage the tenant-specific configuration of the application, such as the SSO configuration, provisioning, and user assignments.

An owner can also add or remove other owners. Unlike global administrators, owners can manage only the applications that they own.

Group owner permissions

When a user creates a group, they're automatically added as an owner for that group. As an owner, they can manage properties of the group (such as the name) and manage group membership.

An owner can also add or remove other owners. Unlike global administrators and user administrators, owners can manage only the groups that they own.

To assign a group owner, see Managing owners for a group.

Ownership permissions

The following tables describe the specific permissions in Azure AD that member users have over owned objects. Users have these permissions only on objects that they own.

Owned application registrations

Users can perform the following actions on owned application registrations:

Action	Description
microsoft.directory/applications/audience/update	Update the `applications.audience` property in Azure AD.
microsoft.directory/applications/authentication/update	Update the `applications.authentication` property in Azure AD.
microsoft.directory/applications/basic/update	Update basic properties on applications in Azure AD.
microsoft.directory/applications/credentials/update	Update the `applications.credentials` property in Azure AD.
microsoft.directory/applications/delete	Delete applications in Azure AD.
microsoft.directory/applications/owners/update	Update the `applications.owners` property in Azure AD.
microsoft.directory/applications/permissions/update	Update the `applications.permissions` property in Azure AD.
microsoft.directory/applications/policies/update	Update the `applications.policies` property in Azure AD.
microsoft.directory/applications/restore	Restore applications in Azure AD.

Owned enterprise applications

Users can perform the following actions on owned enterprise applications. An enterprise application consists of a service principal, one or more application policies, and sometimes an application object in the same tenant as the service principal.

Action	Description
microsoft.directory/auditLogs/allProperties/read	Read all properties (including privileged properties) on audit logs in Azure AD.
microsoft.directory/policies/basic/update	Update basic properties on policies in Azure AD.
microsoft.directory/policies/delete	Delete policies in Azure AD.
microsoft.directory/policies/owners/update	Update the `policies.owners` property in Azure AD.
microsoft.directory/servicePrincipals/appRoleAssignedTo/update	Update the `servicePrincipals.appRoleAssignedTo` property in Azure AD.
microsoft.directory/servicePrincipals/appRoleAssignments/update	Update the `users.appRoleAssignments` property in Azure AD.
microsoft.directory/servicePrincipals/audience/update	Update the `servicePrincipals.audience` property in Azure AD.
microsoft.directory/servicePrincipals/authentication/update	Update the `servicePrincipals.authentication` property in Azure AD.
microsoft.directory/servicePrincipals/basic/update	Update basic properties on service principals in Azure AD.
microsoft.directory/servicePrincipals/credentials/update	Update the `servicePrincipals.credentials` property in Azure AD.
microsoft.directory/servicePrincipals/delete	Delete service principals in Azure AD.
microsoft.directory/servicePrincipals/owners/update	Update the `servicePrincipals.owners` property in Azure AD.
microsoft.directory/servicePrincipals/permissions/update	Update the `servicePrincipals.permissions` property in Azure AD.
microsoft.directory/servicePrincipals/policies/update	Update the `servicePrincipals.policies` property in Azure AD.
microsoft.directory/signInReports/allProperties/read	Read all properties (including privileged properties) on sign-in reports in Azure AD.

Owned devices

Users can perform the following actions on owned devices:

Action	Description
microsoft.directory/devices/bitLockerRecoveryKeys/read	Read the `devices.bitLockerRecoveryKeys` property in Azure AD.
microsoft.directory/devices/disable	Disable devices in Azure AD.

Owned groups

Users can perform the following actions on owned groups.