Roles across Microsoft services
Services in Microsoft 365 can be managed with administrative roles in Microsoft Entra ID. Some services also provide additional roles that are specific to that service. This article lists content, API references, and audit and monitoring references related to role-based access control (RBAC) for Microsoft 365 and other services.
Microsoft Entra
Microsoft Entra ID and related services in Microsoft Entra.
Microsoft Entra ID
| Area | Content |
|---|---|
| Overview | Microsoft Entra built-in roles |
| Management API reference | Microsoft Entra roles: Microsoft Graph v1.0 roleManagement API. • Use the directory provider. • When a role is assigned to a group, manage group memberships with the Microsoft Graph v1.0 groups API. |
| Audit and monitoring reference | Microsoft Entra roles: Microsoft Entra activity log overview. API access to Microsoft Entra audit logs: • Microsoft Graph v1.0 directoryAudit API. • Audits with the RoleManagement category. • When a role is assigned to a group, to audit changes to group memberships, see audits with category GroupManagement and activities "Add member to group" and "Remove member from group". |
Entitlement management
| Area | Content |
|---|---|
| Overview | Entitlement management roles |
| Management API reference | Entitlement Management-specific roles in Microsoft Entra ID: Microsoft Graph v1.0 roleManagement API. • Use the directory provider. • See roles with permissions starting with microsoft.directory/entitlementManagement. Entitlement Management-specific roles: Microsoft Graph v1.0 roleManagement API. • Use the entitlementManagement provider. |
| Audit and monitoring reference | Entitlement Management-specific roles in Microsoft Entra ID: Microsoft Entra activity log overview. API access to Microsoft Entra audit logs: • Microsoft Graph v1.0 directoryAudit API. • Audits with the RoleManagement category. Entitlement Management-specific roles: in the Microsoft Entra audit log, audits with category EntitlementManagement and Activity one of: • Remove Entitlement Management role assignment • Add Entitlement Management role assignment |
Microsoft 365
Services in the Microsoft 365 suite.
Exchange
| Area | Content |
|---|---|
| Overview | Permissions in Exchange Online |
| Management API reference | Exchange-specific roles in Microsoft Entra ID: Microsoft Graph v1.0 roleManagement API. • Use the directory provider. • Roles with permissions starting with microsoft.office365.exchange. Exchange-specific roles: Microsoft Graph Beta roleManagement API. • Use the exchange provider. |
| Audit and monitoring reference | Exchange-specific roles in Microsoft Entra ID: Microsoft Entra activity log overview. API access to Microsoft Entra audit logs: • Microsoft Graph v1.0 directoryAudit API. • Audits with the RoleManagement category. Exchange-specific roles: use the Microsoft Graph Beta Security API (audit log query) and list audit events where recordType == ExchangeAdmin and Operation is one of: Add-RoleGroupMember, Remove-RoleGroupMember, Update-RoleGroupMember, New-RoleGroup, Remove-RoleGroup, New-ManagementRole, Remove-ManagementRoleEntry, New-ManagementRoleAssignment. |
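The Microsoft Entra ID and Exchange audit tables above both reduce to a filter over audit records. The following is an added example (not Microsoft's code) that applies those filters to constructed directoryAudit and audit-log-query records; the directoryAudit field names follow the Graph v1.0 resource, while the recordType/operation keys on the Exchange records are an assumption taken from the page's wording.

```python
# Added example: filter constructed Entra directoryAudit and Exchange audit-log-query
# records down to the role-management changes named in the tables above.

# GroupManagement activities that matter when a role is assigned to a group.
GROUP_MEMBERSHIP_ACTIVITIES = {"Add member to group", "Remove member from group"}

# Exchange RBAC operations listed for recordType ExchangeAdmin.
EXCHANGE_RBAC_OPERATIONS = {
    "Add-RoleGroupMember", "Remove-RoleGroupMember", "Update-RoleGroupMember",
    "New-RoleGroup", "Remove-RoleGroup", "New-ManagementRole",
    "Remove-ManagementRoleEntry", "New-ManagementRoleAssignment",
}

# Constructed sample records (not real tenant data); directoryAudit field names
# follow the Graph v1.0 directoryAudit resource.
SAMPLE_ENTRA = [
    {"activityDateTime": "2024-05-01T10:00:00Z", "category": "RoleManagement",
     "activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}}},
    {"activityDateTime": "2024-05-01T10:05:00Z", "category": "GroupManagement",
     "activityDisplayName": "Add member to group",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example"}}},
    {"activityDateTime": "2024-05-01T10:06:00Z", "category": "GroupManagement",
     "activityDisplayName": "Update group",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example"}}},
]
# Constructed audit-log-query records; the "recordType"/"operation" keys are
# assumed from the page's wording, not copied from the beta API schema.
SAMPLE_EXCHANGE = [
    {"createdDateTime": "2024-05-01T11:00:00Z", "recordType": "ExchangeAdmin",
     "operation": "Add-RoleGroupMember", "userPrincipalName": "admin@contoso.example"},
    {"createdDateTime": "2024-05-01T11:01:00Z", "recordType": "ExchangeAdmin",
     "operation": "Set-Mailbox", "userPrincipalName": "admin@contoso.example"},
    {"createdDateTime": "2024-05-01T11:02:00Z", "recordType": "ExchangeItem",
     "operation": "New-RoleGroup", "userPrincipalName": "someone@contoso.example"},
]

def entra_role_changes(records):
    """Keep RoleManagement audits plus the group-membership activities above.
    Returns (activityDateTime, category, activity, initiator UPN or '<app>')."""
    hits = []
    for r in records:
        category, activity = r.get("category"), r.get("activityDisplayName", "")
        if category == "RoleManagement" or (
            category == "GroupManagement" and activity in GROUP_MEMBERSHIP_ACTIVITIES
        ):
            user = r.get("initiatedBy", {}).get("user") or {}
            hits.append((r["activityDateTime"], category, activity,
                         user.get("userPrincipalName", "<app>")))
    return hits

def exchange_role_changes(records):
    """Keep ExchangeAdmin records whose operation is an RBAC cmdlet listed above."""
    return [(r["createdDateTime"], r["operation"], r.get("userPrincipalName", "<unknown>"))
            for r in records
            if r.get("recordType") == "ExchangeAdmin"
            and r.get("operation") in EXCHANGE_RBAC_OPERATIONS]

def role_change_timeline(entra_records, exchange_records):
    """One time-ordered list of (time, source, detail) across both logs."""
    events = [(t, "EntraID", f"{c}: {a} by {who}")
              for t, c, a, who in entra_role_changes(entra_records)]
    events += [(t, "Exchange", f"{op} by {who}")
               for t, op, who in exchange_role_changes(exchange_records)]
    return sorted(events)
```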
SharePoint
Includes SharePoint, OneDrive, Delve, Lists, Project Online, and Loop.
| Area | Content |
|---|---|
| Overview | About the SharePoint Administrator role in Microsoft 365 • Delve for admins • Control settings for Microsoft Lists • Change permission management in Project Online |
| Management API reference | SharePoint-specific roles in Microsoft Entra ID: Microsoft Graph v1.0 roleManagement API. • Use the directory provider. • Roles with permissions starting with microsoft.office365.sharepoint. |
| Audit and monitoring reference | SharePoint-specific roles in Microsoft Entra ID: Microsoft Entra activity log overview. API access to Microsoft Entra audit logs: • Microsoft Graph v1.0 directoryAudit API. • Audits with the RoleManagement category. |
Intune
| Area | Content |
|---|---|
| Overview | Role-based access control (RBAC) with Microsoft Intune |
| Management API reference | Intune-specific roles in Microsoft Entra ID: Microsoft Graph v1.0 roleManagement API. • Use the directory provider. • Roles with permissions starting with microsoft.intune. Intune-specific roles: Microsoft Graph Beta roleManagement API. • Use the deviceManagement provider. • Alternatively, use the Intune-specific Microsoft Graph Beta RBAC management API. |
| Audit and monitoring reference | Intune-specific roles in Microsoft Entra ID: Microsoft Graph v1.0 directoryAudit API. • Audits with the RoleManagement category. Intune-specific roles: Intune auditing overview. API access to Intune-specific audit logs: • Microsoft Graph Beta getAuditActivityTypes API. • First list activity types where category = Role, then use the Microsoft Graph Beta auditEvents API to list all auditEvents for each activity type. |
Teams
Includes Teams, Bookings, Copilot Studio for Teams, and Shifts.
| Area | Content |
|---|---|
| Overview | Use Microsoft Teams administrator roles to manage Teams |
| Management API reference | Teams-specific roles in Microsoft Entra ID: Microsoft Graph v1.0 roleManagement API. • Use the directory provider. • Roles with permissions starting with microsoft.teams. |
| Audit and monitoring reference | Teams-specific roles in Microsoft Entra ID: Microsoft Entra activity log overview. API access to Microsoft Entra audit logs: • Microsoft Graph v1.0 directoryAudit API. • Audits with the RoleManagement category. |
Purview suite
Includes Purview suite, Azure Information Protection, and Information Barriers.
| Area | Content |
|---|---|
| Overview | Roles and role groups in Microsoft Defender for Office 365 and Microsoft Purview |
| Management API reference | Purview-specific roles in Microsoft Entra ID: Microsoft Graph v1.0 roleManagement API. • Use the directory provider. • See roles with permissions starting with microsoft.office365.complianceManager, microsoft.office365.protectionCenter, or microsoft.office365.securityComplianceCenter. Purview-specific roles: use PowerShell (Security & Compliance PowerShell). The specific cmdlets are: Get-RoleGroup, Get-RoleGroupMember, New-RoleGroup, Add-RoleGroupMember, Update-RoleGroupMember, Remove-RoleGroupMember, Remove-RoleGroup. |
| Audit and monitoring reference | Purview-specific roles in Microsoft Entra ID: Microsoft Entra activity log overview. API access to Microsoft Entra audit logs: • Microsoft Graph v1.0 directoryAudit API. • Audits with the RoleManagement category. Purview-specific roles: use the Microsoft Graph Beta Security API (audit log query, Beta) and list audit events where recordType == SecurityComplianceRBAC and Operation is one of: Add-RoleGroupMember, Remove-RoleGroupMember, Update-RoleGroupMember, New-RoleGroup, Remove-RoleGroup. |
Power Platform
Includes Power Platform, Dynamics 365, Flow, and Dataverse for Teams.
| Area | Content |
|---|---|
| Overview | Use service admin roles to manage your tenant • Security roles and privileges |
| Management API reference | Power Platform-specific roles in Microsoft Entra ID: Microsoft Graph v1.0 roleManagement API. • Use the directory provider. • See roles with permissions starting with microsoft.powerApps, microsoft.dynamics365, or microsoft.flow. Dataverse-specific roles: perform operations using the Web API. • Query the User (SystemUser) table/entity reference. • Role assignments are part of the systemuserroles_association tables. |
| Audit and monitoring reference | Power Platform-specific roles in Microsoft Entra ID: Microsoft Entra activity log overview. API access to Microsoft Entra audit logs: • Microsoft Graph v1.0 directoryAudit API. • Audits with the RoleManagement category. Dataverse-specific roles: Dataverse auditing overview. API access to Dataverse-specific audit logs: Dataverse Web API. • Audit table reference. • Audits with action codes: 53 - Assign Role To Team, 54 - Remove Role From Team, 55 - Assign Role To User, 56 - Remove Role From User, 57 - Add Privileges to Role, 58 - Remove Privileges From Role, 59 - Replace Privileges In Role. |
Defender suite
Includes Defender suite, Secure Score, Cloud App Security, and Threat Intelligence.
| Area | Content |
|---|---|
| Overview | Microsoft Defender XDR Unified role-based access control (RBAC) |
| Management API reference | Defender-specific roles in Microsoft Entra ID: Microsoft Graph v1.0 roleManagement API. • Use the directory provider. • The following roles have permissions (reference): Security Administrator, Security Operator, Security Reader, Global Administrator, and Global Reader. Defender-specific roles: workloads must be activated to use Defender Unified RBAC. See Activate Microsoft Defender XDR Unified role-based access control (RBAC). Activating Defender Unified RBAC will turn off individual Defender solution roles. • Can only be managed via the security.microsoft.com portal. |
| Audit and monitoring reference | Defender-specific roles in Microsoft Entra ID: Microsoft Entra activity log overview. API access to Microsoft Entra audit logs: • Microsoft Graph v1.0 directoryAudit API. • Audits with the RoleManagement category. |
Viva Engage
| Area | Content |
|---|---|
| Overview | Manage administrator roles in Viva Engage |
| Management API reference | Viva Engage-specific roles in Microsoft Entra ID: Microsoft Graph v1.0 roleManagement API. • Use the directory provider. • See roles with permissions starting with microsoft.office365.yammer. Viva Engage-specific roles: • Verified admin and Network admin roles can be managed via the Yammer admin center. • The Corporate communicator role can be assigned via the Viva Engage admin center. • The Yammer Data Export API can be used to export admins.csv to read the list of admins. |
| Audit and monitoring reference | Viva Engage-specific roles in Microsoft Entra ID: Microsoft Entra activity log overview. API access to Microsoft Entra audit logs: • Microsoft Graph v1.0 directoryAudit API. • Audits with the RoleManagement category. Viva Engage-specific roles: • Use the Yammer Data Export API to incrementally export admins.csv for a list of admins. |
Viva Connections
| Area | Content |
|---|---|
| Overview | Admin roles and tasks in Microsoft Viva |
| Management API reference | Viva Connections-specific roles in Microsoft Entra ID: Microsoft Graph v1.0 roleManagement API. • Use the directory provider. • The following roles have permissions: SharePoint Administrator, Teams Administrator, and Global Administrator. |
| Audit and monitoring reference | Viva Connections-specific roles in Microsoft Entra ID: Microsoft Entra activity log overview. API access to Microsoft Entra audit logs: • Microsoft Graph v1.0 directoryAudit API. • Audits with the RoleManagement category. |
Viva Learning
| Area | Content |
|---|---|
| Overview | Set up Microsoft Viva Learning in the Teams admin center |
| Management API reference | Viva Learning-specific roles in Microsoft Entra ID: Microsoft Graph v1.0 roleManagement API. • Use the directory provider. • See roles with permissions starting with microsoft.office365.knowledge. |
| Audit and monitoring reference | Viva Learning-specific roles in Microsoft Entra ID: Microsoft Entra activity log overview. API access to Microsoft Entra audit logs: • Microsoft Graph v1.0 directoryAudit API. • Audits with the RoleManagement category. |
Viva Insights
| Area | Content |
|---|---|
| Overview | Roles in Viva Insights |
| Management API reference | Viva Insights-specific roles in Microsoft Entra ID: Microsoft Graph v1.0 roleManagement API. • Use the directory provider. • See roles with permissions starting with microsoft.office365.insights. |
| Audit and monitoring reference | Viva Insights-specific roles in Microsoft Entra ID: Microsoft Entra activity log overview. API access to Microsoft Entra audit logs: • Microsoft Graph v1.0 directoryAudit API. • Audits with the RoleManagement category. |
Search
| Area | Content |
|---|---|
| Overview | Set up Microsoft Search |
| Management API reference | Search-specific roles in Microsoft Entra ID: Microsoft Graph v1.0 roleManagement API. • Use the directory provider. • See roles with permissions starting with microsoft.office365.search. |
| Audit and monitoring reference | Search-specific roles in Microsoft Entra ID: Microsoft Entra activity log overview. API access to Microsoft Entra audit logs: • Microsoft Graph v1.0 directoryAudit API. • Audits with the RoleManagement category. |
Universal Print
| Area | Content |
|---|---|
| Overview | Universal Print Administrator Roles |
| Management API reference | Universal Print-specific roles in Microsoft Entra ID: Microsoft Graph v1.0 roleManagement API. • Use the directory provider. • See roles with permissions starting with microsoft.azure.print. |
| Audit and monitoring reference | Universal Print-specific roles in Microsoft Entra ID: Microsoft Entra activity log overview. API access to Microsoft Entra audit logs: • Microsoft Graph v1.0 directoryAudit API. • Audits with the RoleManagement category. |
Microsoft 365 Apps suite management
Includes Microsoft 365 Apps suite management and Forms.
| Area | Content |
|---|---|
| Overview | Overview of the Microsoft 365 Apps admin center • Administrator settings for Microsoft Forms |
| Management API reference | Microsoft 365 Apps-specific roles in Microsoft Entra ID: Microsoft Graph v1.0 roleManagement API. • Use the directory provider. • The following roles have permissions: Office Apps Administrator, Security Administrator, Global Administrator. |
| Audit and monitoring reference | Microsoft 365 Apps-specific roles in Microsoft Entra ID: Microsoft Entra activity log overview. API access to Microsoft Entra audit logs: • Microsoft Graph v1.0 directoryAudit API. • Audits with the RoleManagement category. |
Azure
Azure role-based access control (Azure RBAC) for the Azure control plane and subscription information.
Azure
Includes Azure and Sentinel.
| Area | Content |
|---|---|
| Overview | What is Azure role-based access control (Azure RBAC)? • Roles and permissions in Microsoft Sentinel |
| Management API reference | Azure service-specific roles in Azure: Azure Resource Manager Authorization API. • Role assignment: List, Create/Update, Delete. • Role definition: List, Create/Update, Delete. • There is a legacy method to grant access to Azure resources called classic administrators. Classic administrators are equivalent to the Owner role in Azure RBAC. Classic administrators will be retired in August 2024. • Note that a Microsoft Entra Global Administrator can gain unilateral access to Azure via elevate access. |
| Audit and monitoring reference | Azure service-specific roles in Azure: Monitor Azure RBAC changes in the Azure Activity Log. • Azure Activity Log API. • Audits with Event Category Administrative and Operation one of: Create role assignment, Delete role assignment, Create or update custom role definition, Delete custom role definition. View Elevate Access logs in the tenant-level Azure Activity Log: • Azure Activity Log API - Tenant Activity Logs. • Audits with Event Category Administrative and containing the string elevateAccess. • Access to tenant-level activity logs requires using elevate access at least once to gain tenant-level access. |
Commerce
Services related to purchasing and billing.
Cost Management and Billing - Enterprise Agreements
| Area | Content |
|---|---|
| Overview | Managing Azure Enterprise Agreement roles |
| Management API reference | Enterprise Agreements-specific roles in Microsoft Entra ID: Enterprise Agreements does not support Microsoft Entra roles. Enterprise Agreements-specific roles: Billing Role Assignments API. • Enterprise Administrator (Role ID: 9f1983cb-2574-400c-87e9-34cf8e2280db) • Enterprise Administrator (read only) (Role ID: 24f8edb6-1668-4659-b5e2-40bb5f3a7d7e) • EA Purchaser (Role ID: da6647fb-7651-49ee-be91-c43c4877f0c4). Enrollment Department Role Assignments API. • Department Admin (Role ID: fb2cf67f-be5b-42e7-8025-4683c668f840) • Department Reader (Role ID: db609904-a47f-4794-9be8-9bd86fbffd8a). Enrollment Account Role Assignments API. • Account Owner (Role ID: c15c22c0-9faf-424c-9b7e-bd91c06a240b) |
| Audit and monitoring reference | Enterprise Agreements-specific roles: Azure Activity Log API - Tenant Activity Logs. • Access to tenant-level activity logs requires using elevate access at least once to gain tenant-level access. • Audits where resourceProvider == Microsoft.Billing and operationName contains billingRoleAssignments or EnrollmentAccount. |
Cost Management and Billing - Microsoft Customer Agreements
| Area | Content |
|---|---|
| Overview | Understand Microsoft Customer Agreement administrative roles in Azure • Understand your Microsoft business billing account |
| Management API reference | Microsoft Customer Agreements-specific roles in Microsoft Entra ID: Microsoft Graph v1.0 roleManagement API. • Use the directory provider. • The following roles have permissions: Billing Administrator, Global Administrator. Microsoft Customer Agreements-specific roles: • By default, the Microsoft Entra Global Administrator and Billing Administrator roles are automatically assigned the Billing Account Owner role in Microsoft Customer Agreements-specific RBAC. • Billing Role Assignment API. |
| Audit and monitoring reference | Microsoft Customer Agreements-specific roles in Microsoft Entra ID: Microsoft Entra activity log overview. API access to Microsoft Entra audit logs: • Microsoft Graph v1.0 directoryAudit API. • Audits with the RoleManagement category. Microsoft Customer Agreements-specific roles: Azure Activity Log API - Tenant Activity Logs. • Access to tenant-level activity logs requires using elevate access at least once to gain tenant-level access. • Audits where resourceProvider == Microsoft.Billing and operationName is one of the following (all prefixed with Microsoft.Billing): /permissionRequests/write, /billingAccounts/createBillingRoleAssignment/action, /billingAccounts/billingProfiles/createBillingRoleAssignment/action, /billingAccounts/billingProfiles/invoiceSections/createBillingRoleAssignment/action, /billingAccounts/customers/createBillingRoleAssignment/action, /billingAccounts/billingRoleAssignments/write, /billingAccounts/billingRoleAssignments/delete, /billingAccounts/billingProfiles/billingRoleAssignments/delete, /billingAccounts/billingProfiles/customers/createBillingRoleAssignment/action, /billingAccounts/billingProfiles/invoiceSections/billingRoleAssignments/delete, /billingAccounts/departments/billingRoleAssignments/write, /billingAccounts/departments/billingRoleAssignments/delete, /billingAccounts/enrollmentAccounts/transferBillingSubscriptions/action, /billingAccounts/enrollmentAccounts/billingRoleAssignments/write, /billingAccounts/enrollmentAccounts/billingRoleAssignments/delete, /billingAccounts/billingProfiles/invoiceSections/billingSubscriptions/transfer/action, /billingAccounts/billingProfiles/invoiceSections/initiateTransfer/action, /billingAccounts/billingProfiles/invoiceSections/transfers/delete, /billingAccounts/billingProfiles/invoiceSections/transfers/cancel/action, /billingAccounts/billingProfiles/invoiceSections/transfers/write, /transfers/acceptTransfer/action, /transfers/accept/action, /transfers/decline/action, /transfers/declineTransfer/action, /billingAccounts/customers/initiateTransfer/action, /billingAccounts/customers/transfers/delete, /billingAccounts/customers/transfers/cancel/action, /billingAccounts/customers/transfers/write, /billingAccounts/billingProfiles/invoiceSections/products/transfer/action, /billingAccounts/billingSubscriptions/elevateRole/action. |
Business Subscriptions and Billing - Volume Licensing
| Area | Content |
|---|---|
| Overview | Manage volume licensing user roles • Frequently Asked Questions |
| Management API reference | Volume Licensing-specific roles in Microsoft Entra ID: Volume Licensing does not support Microsoft Entra roles. Volume Licensing-specific roles: VL users and roles are managed in the M365 Admin Center. |
Other services
Unified Support Portal for managing customer support cases
Includes Unified Support Portal and Services Hub.
| Area | Content |
|---|---|
| Overview | Services Hub roles and permissions |
| Management API reference | Manage these roles in the Services Hub portal, https://serviceshub.microsoft.com. |
Microsoft Graph application permissions
In addition to the previously mentioned RBAC systems, elevated permissions can be granted to Microsoft Entra application registrations and service principals using application permissions. For example, a non-interactive, non-human application identity can be granted the ability to read all mail in a tenant (the Mail.Read application permission). The following table lists how to manage and monitor application permissions.
| Area | Content |
|---|---|
| Overview | Overview of Microsoft Graph permissions |
| Management API reference | Microsoft Graph-specific roles in Microsoft Entra ID: Microsoft Graph v1.0 servicePrincipal API. • Enumerate the appRoleAssignments for each servicePrincipal in the tenant. • For each appRoleAssignment, get information about the permissions granted by the assignment by reading the appRole property on the servicePrincipal object referenced by the resourceId and appRoleId in the appRoleAssignment. • Of specific interest are app permissions to Microsoft Graph (the servicePrincipal with appId == "00000003-0000-0000-c000-000000000000"), which grant access to Exchange, SharePoint, Teams, and so on. Here is a reference for Microsoft Graph permissions. |
| Audit and monitoring reference | Microsoft Graph-specific roles in Microsoft Entra ID: Microsoft Entra activity log overview. API access to Microsoft Entra audit logs: • Microsoft Graph v1.0 directoryAudit API. • Audits with category ApplicationManagement and Activity name "Add app role assignment to service principal". |
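The resolution step in the table above (appRoleAssignment → resource servicePrincipal via resourceId → appRole via appRoleId) is shown here as an added example that is not Microsoft's code. It runs over a constructed tenant snapshot with fake object ids; the field names follow the Graph v1.0 servicePrincipal and appRoleAssignment resources, and an assignment whose resource is missing from the snapshot is reported rather than dropped.

```python
# Added example: resolve appRoleAssignments to permission names and single out
# application permissions granted on Microsoft Graph.

# appId of the Microsoft Graph service principal, as given in the table above.
MICROSOFT_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

# Constructed tenant snapshot (fake object ids and appRole ids, not real values).
# Field names follow the Graph v1.0 servicePrincipal and appRoleAssignment resources.
SAMPLE_SERVICE_PRINCIPALS = [
    {"id": "sp-graph", "appId": MICROSOFT_GRAPH_APP_ID, "displayName": "Microsoft Graph",
     "appRoles": [{"id": "role-mail-read", "value": "Mail.Read"},
                  {"id": "role-user-read-all", "value": "User.Read.All"}]},
    {"id": "sp-contoso-api", "appId": "11111111-1111-1111-1111-111111111111",
     "displayName": "Contoso API",
     "appRoles": [{"id": "role-data-read", "value": "Data.Read"}]},
]
SAMPLE_ASSIGNMENTS = [
    {"principalDisplayName": "Mail archiver", "resourceId": "sp-graph", "appRoleId": "role-mail-read"},
    {"principalDisplayName": "HR sync", "resourceId": "sp-graph", "appRoleId": "role-user-read-all"},
    {"principalDisplayName": "HR sync", "resourceId": "sp-contoso-api", "appRoleId": "role-data-read"},
    # Resource SP missing from the snapshot (for example deleted, or not exported).
    {"principalDisplayName": "Legacy bot", "resourceId": "sp-gone", "appRoleId": "role-x"},
]

def resolve_app_permissions(service_principals, assignments):
    """For each appRoleAssignment, look up the resource servicePrincipal by resourceId
    and the appRole by appRoleId. Returns (principal, resource, permission, on_graph)."""
    by_id = {sp["id"]: sp for sp in service_principals}
    resolved = []
    for a in assignments:
        resource = by_id.get(a["resourceId"])
        if resource is None:
            # Keep the gap visible instead of silently dropping the grant.
            resolved.append((a["principalDisplayName"], a["resourceId"], "<unknown resource>", False))
            continue
        role = next((r for r in resource.get("appRoles", []) if r["id"] == a["appRoleId"]), None)
        permission = role["value"] if role else "<unknown appRole %s>" % a["appRoleId"]
        resolved.append((a["principalDisplayName"], resource["displayName"], permission,
                         resource["appId"] == MICROSOFT_GRAPH_APP_ID))
    return resolved

def graph_app_permissions(service_principals, assignments):
    """Only the grants on Microsoft Graph, as {principal: sorted permission values}."""
    grants = {}
    for principal, _resource, permission, on_graph in resolve_app_permissions(
            service_principals, assignments):
        if on_graph:
            grants.setdefault(principal, []).append(permission)
    return {p: sorted(v) for p, v in grants.items()}
```

Feeding the output of a paged servicePrincipal and appRoleAssignment enumeration into these two functions gives an inventory of which non-human identities hold which Graph application permissions, which is the view the audit row's "Add app role assignment to service principal" events change over time.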