Microsoft Entra built-in roles
In Microsoft Entra ID, if another administrator or non-administrator needs to manage Microsoft Entra resources, you assign them a Microsoft Entra role that provides the permissions they need. For example, you can assign roles to allow adding or changing users, resetting user passwords, managing user licenses, or managing domain names.
This article lists the Microsoft Entra built-in roles you can assign to allow management of Microsoft Entra resources. For information about how to assign roles, see Assign Microsoft Entra roles to users. If you are looking for roles to manage Azure resources, see Azure built-in roles.
All roles
Role | Description | Template ID |
---|---|---|
Application Administrator | Can create and manage all aspects of app registrations and enterprise apps. |
9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3 |
Application Developer | Can create application registrations independent of the 'Users can register applications' setting. |
cf1c38e5-3621-4004-a7cb-879624dced7c |
Attack Payload Author | Can create attack payloads that an administrator can initiate later. | 9c6df0f2-1e7c-4dc3-b195-66dfbd24aa8f |
Attack Simulation Administrator | Can create and manage all aspects of attack simulation campaigns. | c430b396-e693-46cc-96f3-db01bf8bb62a |
Attribute Assignment Administrator | Assign custom security attribute keys and values to supported Microsoft Entra objects. | 58a13ea3-c632-46ae-9ee0-9c0d43cd7f3d |
Attribute Assignment Reader | Read custom security attribute keys and values for supported Microsoft Entra objects. | ffd52fa5-98dc-465c-991d-fc073eb59f8f |
Attribute Definition Administrator | Define and manage the definition of custom security attributes. | 8424c6f0-a189-499e-bbd0-26c1753c96d4 |
Attribute Definition Reader | Read the definition of custom security attributes. | 1d336d2c-4ae8-42ef-9711-b3604ce3fc2c |
Attribute Log Administrator | Read audit logs and configure diagnostic settings for events related to custom security attributes. | 5b784334-f94b-471a-a387-e7219fc49ca2 |
Attribute Log Reader | Read audit logs related to custom security attributes. | 9c99539d-8186-4804-835f-fd51ef9e2dcd |
Authentication Administrator | Can access to view, set and reset authentication method information for any non-admin user. |
c4e39bd9-1100-46d3-8c65-fb160da0071f |
Authentication Extensibility Administrator | Customize sign in and sign up experiences for users by creating and managing custom authentication extensions. |
25a516ed-2fa0-40ea-a2d0-12923a21473a |
Authentication Policy Administrator | Can create and manage the authentication methods policy, tenant-wide MFA settings, password protection policy, and verifiable credentials. | 0526716b-113d-4c15-b2c8-68e3c22b9f80 |
Azure DevOps Administrator | Can manage Azure DevOps policies and settings. | e3973bdf-4987-49ae-837a-ba8e231c7286 |
Azure Information Protection Administrator | Can manage all aspects of the Azure Information Protection product. | 7495fdc4-34c4-4d15-a289-98788ce399fd |
B2C IEF Keyset Administrator | Can manage secrets for federation and encryption in the Identity Experience Framework (IEF). |
aaf43236-0c0d-4d5f-883a-6955382ac081 |
B2C IEF Policy Administrator | Can create and manage trust framework policies in the Identity Experience Framework (IEF). | 3edaf663-341e-4475-9f94-5c398ef6c070 |
Billing Administrator | Can perform common billing related tasks like updating payment information. | b0f54661-2d74-4c50-afa3-1ec803f12efe |
Cloud App Security Administrator | Can manage all aspects of the Defender for Cloud Apps product. | 892c5842-a9a6-463a-8041-72aa08ca3cf6 |
Cloud Application Administrator | Can create and manage all aspects of app registrations and enterprise apps except App Proxy. |
158c047a-c907-4556-b7ef-446551a6b5f7 |
Cloud Device Administrator | Limited access to manage devices in Microsoft Entra ID. |
7698a772-787b-4ac8-901f-60d6b08affd2 |
Compliance Administrator | Can read and manage compliance configuration and reports in Microsoft Entra ID and Microsoft 365. | 17315797-102d-40b4-93e0-432062caca18 |
Compliance Data Administrator | Creates and manages compliance content. | e6d1a23a-da11-4be4-9570-befc86d067a7 |
Conditional Access Administrator | Can manage Conditional Access capabilities. |
b1be1c3e-b65d-4f19-8427-f6fa0d97feb9 |
Customer LockBox Access Approver | Can approve Microsoft support requests to access customer organizational data. | 5c4f9dcd-47dc-4cf7-8c9a-9e4207cbfc91 |
Desktop Analytics Administrator | Can access and manage Desktop management tools and services. | 38a96431-2bdf-4b4c-8b6e-5d3d8abac1a4 |
Directory Readers | Can read basic directory information. Commonly used to grant directory read access to applications and guests. | 88d8e3e3-8f55-4a1e-953a-9b9898b8876b |
Directory Synchronization Accounts | Only used by Microsoft Entra Connect service. | d29b2b05-8046-44ba-8758-1e26182fcf32 |
Directory Writers | Can read and write basic directory information. For granting access to applications, not intended for users. |
9360feb5-f418-4baa-8175-e2a00bac4301 |
Domain Name Administrator | Can manage domain names in cloud and on-premises. |
8329153b-31d0-4727-b945-745eb3bc5f31 |
Dynamics 365 Administrator | Can manage all aspects of the Dynamics 365 product. | 44367163-eba1-44c3-98af-f5787879f96a |
Dynamics 365 Business Central Administrator | Access and perform all administrative tasks on Dynamics 365 Business Central environments. | 963797fb-eb3b-4cde-8ce3-5878b3f32a3f |
Edge Administrator | Manage all aspects of Microsoft Edge. | 3f1acade-1e04-4fbc-9b69-f0302cd84aef |
Exchange Administrator | Can manage all aspects of the Exchange product. | 29232cdf-9323-42fd-ade2-1d097af3e4de |
Exchange Recipient Administrator | Can create or update Exchange Online recipients within the Exchange Online organization. | 31392ffb-586c-42d1-9346-e59415a2cc4e |
External ID User Flow Administrator | Can create and manage all aspects of user flows. | 6e591065-9bad-43ed-90f3-e9424366d2f0 |
External ID User Flow Attribute Administrator | Can create and manage the attribute schema available to all user flows. | 0f971eea-41eb-4569-a71e-57bb8a3eff1e |
External Identity Provider Administrator | Can configure identity providers for use in direct federation. |
be2f45a1-457d-42af-a067-6ec1fa63bc45 |
Fabric Administrator | Can manage all aspects of the Fabric and Power BI products. | a9ea8996-122f-4c74-9520-8edcd192826c |
Global Administrator | Can manage all aspects of Microsoft Entra ID and Microsoft services that use Microsoft Entra identities. |
62e90394-69f5-4237-9190-012177145e10 |
Global Reader | Can read everything that a Global Administrator can, but not update anything. |
f2ef992c-3afb-46b9-b7cf-a126ee74c451 |
Global Secure Access Administrator | Create and manage all aspects of Microsoft Entra Internet Access and Microsoft Entra Private Access, including managing access to public and private endpoints. | ac434307-12b9-4fa1-a708-88bf58caabc1 |
Groups Administrator | Members of this role can create/manage groups, create/manage groups settings like naming and expiration policies, and view groups activity and audit reports. | fdd7a751-b60b-444a-984c-02652fe8fa1c |
Guest Inviter | Can invite guest users independent of the 'members can invite guests' setting. | 95e79109-95c0-4d8e-aee3-d01accf2d47b |
Helpdesk Administrator | Can reset passwords for non-administrators and Helpdesk Administrators. |
729827e3-9c14-49f7-bb1b-9608f156bbb8 |
Hybrid Identity Administrator | Manage Active Directory to Microsoft Entra cloud provisioning, Microsoft Entra Connect, pass-through authentication (PTA), password hash synchronization (PHS), seamless single sign-on (seamless SSO), and federation settings. Does not have access to manage Microsoft Entra Connect Health. |
8ac3fc64-6eca-42ea-9e69-59f4c7b60eb2 |
Identity Governance Administrator | Manage access using Microsoft Entra ID for identity governance scenarios. | 45d8d3c5-c802-45c6-b32a-1d70b5e1e86e |
Insights Administrator | Has administrative access in the Microsoft 365 Insights app. | eb1f4a8d-243a-41f0-9fbd-c7cdf6c5ef7c |
Insights Analyst | Access the analytical capabilities in Microsoft Viva Insights and run custom queries. | 25df335f-86eb-4119-b717-0ff02de207e9 |
Insights Business Leader | Can view and share dashboards and insights via the Microsoft 365 Insights app. | 31e939ad-9672-4796-9c2e-873181342d2d |
Intune Administrator | Can manage all aspects of the Intune product. |
3a2c62db-5318-420d-8d74-23affee5d9d5 |
Kaizala Administrator | Can manage settings for Microsoft Kaizala. | 74ef975b-6605-40af-a5d2-b9539d836353 |
Knowledge Administrator | Can configure knowledge, learning, and other intelligent features. | b5a8dcf3-09d5-43a9-a639-8e29ef291470 |
Knowledge Manager | Can organize, create, manage, and promote topics and knowledge. | 744ec460-397e-42ad-a462-8b3f9747a02c |
License Administrator | Can manage product licenses on users and groups. | 4d6ac14f-3453-41d0-bef9-a3e0c569773a |
Lifecycle Workflows Administrator | Create and manage all aspects of workflows and tasks associated with Lifecycle Workflows in Microsoft Entra ID. |
59d46f88-662b-457b-bceb-5c3809e5908f |
Message Center Privacy Reader | Can read security messages and updates in Office 365 Message Center only. | ac16e43d-7b2d-40e0-ac05-243ff356ab5b |
Message Center Reader | Can read messages and updates for their organization in Office 365 Message Center only. | 790c1fb9-7f7d-4f88-86a1-ef1f95c05c1b |
Microsoft 365 Migration Administrator | Perform all migration functionality to migrate content to Microsoft 365 using Migration Manager. | 8c8b803f-96e1-4129-9349-20738d9f9652 |
Microsoft Entra Joined Device Local Administrator | Users assigned to this role are added to the local administrators group on Microsoft Entra joined devices. | 9f06204d-73c1-4d4c-880a-6edb90606fd8 |
Network Administrator | Can manage network locations and review enterprise network design insights for Microsoft 365 Software as a Service applications. | d37c8bed-0711-4417-ba38-b4abe66ce4c2 |
Office Apps Administrator | Can manage Office apps cloud services, including policy and settings management, and manage the ability to select, unselect and publish 'what's new' feature content to end-user's devices. | 2b745bdf-0803-4d80-aa65-822c4493daac |
Organizational Branding Administrator | Manage all aspects of organizational branding in a tenant. | 92ed04bf-c94a-4b82-9729-b799a7a4c178 |
Organizational Messages Approver | Review, approve, or reject new organizational messages for delivery in the Microsoft 365 admin center before they are sent to users. | e48398e2-f4bb-4074-8f31-4586725e205b |
Password Administrator | Can reset passwords for non-administrators and Password Administrators. |
966707d0-3269-4727-9be2-8c3a10f19b9d |
Power Platform Administrator | Can create and manage all aspects of Microsoft Dynamics 365, Power Apps and Power Automate. | 11648597-926c-4cf3-9c36-bcebb0ba8dcc |
Printer Administrator | Can manage all aspects of printers and printer connectors. | 644ef478-e28f-4e28-b9dc-3fdde9aa0b1f |
Printer Technician | Can register and unregister printers and update printer status. | e8cef6f1-e4bd-4ea8-bc07-4b8d950f4477 |
Privileged Authentication Administrator | Can access to view, set and reset authentication method information for any user (admin or non-admin). |
7be44c8a-adaf-4e2a-84d6-ab2649e08a13 |
Privileged Role Administrator | Can manage role assignments in Microsoft Entra ID, and all aspects of Privileged Identity Management. |
e8611ab8-c189-46e8-94e1-60213ab1f814 |
Reports Reader | Can read sign-in and audit reports. | 4a5d8f65-41da-4de4-8968-e035b65339cf |
Search Administrator | Can create and manage all aspects of Microsoft Search settings. | 0964bb5e-9bdb-4d7b-ac29-58e794862a40 |
Search Editor | Can create and manage the editorial content such as bookmarks, Q and As, locations, floorplan. | 8835291a-918c-4fd7-a9ce-faa49f0cf7d9 |
Security Administrator | Can read security information and reports, and manage configuration in Microsoft Entra ID and Office 365. |
194ae4cb-b126-40b2-bd5b-6091b380977d |
Security Operator | Creates and manages security events. |
5f2222b1-57c3-48ba-8ad5-d4759f1fde6f |
Security Reader | Can read security information and reports in Microsoft Entra ID and Office 365. |
5d6b6bb7-de71-4623-b4af-96380a352509 |
Service Support Administrator | Can read service health information and manage support tickets. | f023fd81-a637-4b56-95fd-791ac0226033 |
SharePoint Administrator | Can manage all aspects of the SharePoint service. | f28a1f50-f6e7-4571-818b-6a12f2af6b6c |
SharePoint Embedded Administrator | Manage all aspects of SharePoint Embedded containers. | 1a7d78b6-429f-476b-b8eb-35fb715fffd4 |
Skype for Business Administrator | Can manage all aspects of the Skype for Business product. | 75941009-915a-4869-abe7-691bff18279e |
Teams Administrator | Can manage the Microsoft Teams service. | 69091246-20e8-4a56-aa4d-066075b2a7a8 |
Teams Communications Administrator | Can manage calling and meetings features within the Microsoft Teams service. | baf37b3a-610e-45da-9e62-d9d1e5e8914b |
Teams Communications Support Engineer | Can troubleshoot communications issues within Teams using advanced tools. | f70938a0-fc10-4177-9e90-2178f8765737 |
Teams Communications Support Specialist | Can troubleshoot communications issues within Teams using basic tools. | fcf91098-03e3-41a9-b5ba-6f0ec8188a12 |
Teams Devices Administrator | Can perform management related tasks on Teams certified devices. | 3d762c5a-1b6c-493f-843e-55a3b42923d4 |
Teams Telephony Administrator | Manage voice and telephony features and troubleshoot communication issues within the Microsoft Teams service. | aa38014f-0993-46e9-9b45-30501a20909d |
Tenant Creator | Create new Microsoft Entra or Azure AD B2C tenants. | 112ca1a2-15ad-4102-995e-45b0bc479a6a |
Usage Summary Reports Reader | Read Usage reports and Adoption Score, but can't access user details. | 75934031-6c7e-415a-99d7-48dbd49e875e |
User Administrator | Can manage all aspects of users and groups, including resetting passwords for limited admins. |
fe930be7-5e62-47db-91af-98c3a49a38b1 |
Virtual Visits Administrator | Manage and share Virtual Visits information and metrics from admin centers or the Virtual Visits app. | e300d9e7-4a2b-4295-9eff-f1c78b36cc98 |
Windows 365 Administrator | Can provision and manage all aspects of Cloud PCs. | 11451d60-acb2-45eb-a7d6-43d0f0125c13 |
Windows Update Deployment Administrator | Can create and manage all aspects of Windows Update deployments through the Windows Update for Business deployment service. | 32696413-001a-46ae-978c-ce0f6b3620d2 |
Application Administrator
This is a privileged role. Users in this role can create and manage all aspects of enterprise applications, application registrations, and application proxy settings. Note that users assigned to this role are not added as owners when creating new application registrations or enterprise applications.
This role also grants the ability to consent for delegated permissions and application permissions, with the exception of application permissions for Azure AD Graph and Microsoft Graph.
Important
This exception means that you can still consent to application permissions for other apps (for example, other Microsoft apps, 3rd-party apps, or apps that you have registered). You can still request these permissions as part of the app registration, but granting (that is, consenting to) these permissions requires a more privileged administrator, such as Global Administrator.
This role grants the ability to manage application credentials. Users assigned this role can add credentials to an application, and use those credentials to impersonate the application’s identity. If the application’s identity has been granted access to a resource, such as the ability to create or update User or other objects, then a user assigned to this role could perform those actions while impersonating the application. This ability to impersonate the application’s identity may be an elevation of privilege over what the user can do via their role assignments. It is important to understand that assigning a user to the Application Administrator role gives them the ability to impersonate an application’s identity.
Application Developer
This is a privileged role. Users in this role can create application registrations when the "Users can register applications" setting is set to No. This role also grants permission to consent on one's own behalf when the "Users can consent to apps accessing company data on their behalf" setting is set to No. Users assigned to this role are added as owners when creating new application registrations.
Attack Payload Author
Users in this role can create attack payloads but not actually launch or schedule them. Attack payloads are then available to all administrators in the tenant who can use them to create a simulation.
For more information, see Microsoft Defender for Office 365 permissions in the Microsoft 365 Defender portal and Permissions in the Microsoft Purview compliance portal.
Actions | Description |
---|---|
microsoft.office365.protectionCenter/attackSimulator/payload/allProperties/allTasks | Create and manage attack payloads in Attack Simulator |
microsoft.office365.protectionCenter/attackSimulator/reports/allProperties/read | Read reports of attack simulation, responses, and associated training |
Attack Simulation Administrator
Users in this role can create and manage all aspects of attack simulation creation, launch/scheduling of a simulation, and the review of simulation results. Members of this role have this access for all simulations in the tenant.
For more information, see Microsoft Defender for Office 365 permissions in the Microsoft 365 Defender portal and Permissions in the Microsoft Purview compliance portal.
Actions | Description |
---|---|
microsoft.office365.protectionCenter/attackSimulator/payload/allProperties/allTasks | Create and manage attack payloads in Attack Simulator |
microsoft.office365.protectionCenter/attackSimulator/reports/allProperties/read | Read reports of attack simulation, responses, and associated training |
microsoft.office365.protectionCenter/attackSimulator/simulation/allProperties/allTasks | Create and manage attack simulation templates in Attack Simulator |
Attribute Assignment Administrator
Users with this role can assign and remove custom security attribute keys and values for supported Microsoft Entra objects such as users, service principals, and devices.
By default, Global Administrator and other administrator roles do not have permissions to read, define, or assign custom security attributes. To work with custom security attributes, you must be assigned one of the custom security attribute roles.
For more information, see Manage access to custom security attributes in Microsoft Entra ID.
Actions | Description |
---|---|
microsoft.directory/attributeSets/allProperties/read | Read all properties of attribute sets |
microsoft.directory/azureManagedIdentities/customSecurityAttributes/read | Read custom security attribute values for Microsoft Entra managed identities |
microsoft.directory/azureManagedIdentities/customSecurityAttributes/update | Update custom security attribute values for Microsoft Entra managed identities |
microsoft.directory/customSecurityAttributeDefinitions/allProperties/read | Read all properties of custom security attribute definitions |
microsoft.directory/devices/customSecurityAttributes/read | Read custom security attribute values for devices |
microsoft.directory/devices/customSecurityAttributes/update | Update custom security attribute values for devices |
microsoft.directory/servicePrincipals/customSecurityAttributes/read | Read custom security attribute values for service principals |
microsoft.directory/servicePrincipals/customSecurityAttributes/update | Update custom security attribute values for service principals |
microsoft.directory/users/customSecurityAttributes/read | Read custom security attribute values for users |
microsoft.directory/users/customSecurityAttributes/update | Update custom security attribute values for users |
Attribute Assignment Reader
Users with this role can read custom security attribute keys and values for supported Microsoft Entra objects.
By default, Global Administrator and other administrator roles do not have permissions to read, define, or assign custom security attributes. To work with custom security attributes, you must be assigned one of the custom security attribute roles.
For more information, see Manage access to custom security attributes in Microsoft Entra ID.
Actions | Description |
---|---|
microsoft.directory/attributeSets/allProperties/read | Read all properties of attribute sets |
microsoft.directory/azureManagedIdentities/customSecurityAttributes/read | Read custom security attribute values for Microsoft Entra managed identities |
microsoft.directory/customSecurityAttributeDefinitions/allProperties/read | Read all properties of custom security attribute definitions |
microsoft.directory/devices/customSecurityAttributes/read | Read custom security attribute values for devices |
microsoft.directory/servicePrincipals/customSecurityAttributes/read | Read custom security attribute values for service principals |
microsoft.directory/users/customSecurityAttributes/read | Read custom security attribute values for users |
Attribute Definition Administrator
Users with this role can define a valid set of custom security attributes that can be assigned to supported Microsoft Entra objects. This role can also activate and deactivate custom security attributes.
By default, Global Administrator and other administrator roles do not have permissions to read, define, or assign custom security attributes. To work with custom security attributes, you must be assigned one of the custom security attribute roles.
For more information, see Manage access to custom security attributes in Microsoft Entra ID.
Actions | Description |
---|---|
microsoft.directory/attributeSets/allProperties/allTasks | Manage all aspects of attribute sets |
microsoft.directory/customSecurityAttributeDefinitions/allProperties/allTasks | Manage all aspects of custom security attribute definitions |
Attribute Definition Reader
Users with this role can read the definition of custom security attributes.
By default, Global Administrator and other administrator roles do not have permissions to read, define, or assign custom security attributes. To work with custom security attributes, you must be assigned one of the custom security attribute roles.
For more information, see Manage access to custom security attributes in Microsoft Entra ID.
Actions | Description |
---|---|
microsoft.directory/attributeSets/allProperties/read | Read all properties of attribute sets |
microsoft.directory/customSecurityAttributeDefinitions/allProperties/read | Read all properties of custom security attribute definitions |
Attribute Log Administrator
Assign the Attribute Log Reader role to users who need to do the following tasks:
- Read audit logs for custom security attribute value changes
- Read audit logs for custom security attribute definition changes and assignments
- Configure diagnostic settings for custom security attributes
Users with this role cannot read audit logs for other events.
By default, Global Administrator and other administrator roles do not have permissions to read audit logs for custom security attributes. To read audit logs for custom security attributes, you must be assigned this role or the Attribute Log Reader role.
For more information, see Manage access to custom security attributes in Microsoft Entra ID.
Actions | Description |
---|---|
microsoft.azure.customSecurityAttributeDiagnosticSettings/allEntities/allProperties/allTasks | Configure all aspects of custom security attributes diagnostic settings |
microsoft.directory/customSecurityAttributeAuditLogs/allProperties/read | Read audit logs related to custom security attributes |
Attribute Log Reader
Assign the Attribute Log Reader role to users who need to do the following tasks:
- Read audit logs for custom security attribute value changes
- Read audit logs for custom security attribute definition changes and assignments
Users with this role cannot do the following tasks:
- Configure diagnostic settings for custom security attributes
- Read audit logs for other events
By default, Global Administrator and other administrator roles do not have permissions to read audit logs for custom security attributes. To read audit logs for custom security attributes, you must be assigned this role or the Attribute Log Administrator role.
For more information, see Manage access to custom security attributes in Microsoft Entra ID.
Actions | Description |
---|---|
microsoft.directory/customSecurityAttributeAuditLogs/allProperties/read | Read audit logs related to custom security attributes |
Authentication Administrator
This is a privileged role. Assign the Authentication Administrator role to users who need to do the following:
- Set or reset any authentication method (including passwords) for non-administrators and some roles. For a list of the roles that an Authentication Administrator can read or update authentication methods, see Who can reset passwords.
- Require users who are non-administrators or assigned to some roles to re-register against existing non-password credentials (for example, MFA or FIDO), and can also revoke remember MFA on the device, which prompts for MFA on the next sign-in.
- Manage MFA settings in the legacy MFA management portal.
- Perform sensitive actions for some users. For more information, see Who can perform sensitive actions.
- Create and manage support tickets in Azure and the Microsoft 365 admin center.
Users with this role cannot do the following:
- Cannot change the credentials or reset MFA for members and owners of a role-assignable group.
- Cannot manage Hardware OATH tokens.
The following table compares the capabilities of authentication-related roles.
Role | Manage user's auth methods | Manage per-user MFA | Manage MFA settings | Manage auth method policy | Manage password protection policy | Update sensitive properties | Delete and restore users |
---|---|---|---|---|---|---|---|
Authentication Administrator | Yes for some users | Yes for some users | Yes | No | No | Yes for some users | Yes for some users |
Privileged Authentication Administrator | Yes for all users | Yes for all users | No | No | No | Yes for all users | Yes for all users |
Authentication Policy Administrator | No | Yes | Yes | Yes | Yes | No | No |
User Administrator | No | No | No | No | No | Yes for some users | Yes for some users |
Important
Users with this role can change credentials for people who may have access to sensitive or private information or critical configuration inside and outside of Microsoft Entra ID. Changing the credentials of a user may mean the ability to assume that user's identity and permissions. For example:
- Application Registration and Enterprise Application owners, who can manage credentials of apps they own. Those apps may have privileged permissions in Microsoft Entra ID and elsewhere not granted to Authentication Administrators. Through this path an Authentication Administrator can assume the identity of an application owner and then further assume the identity of a privileged application by updating the credentials for the application.
- Azure subscription owners, who may have access to sensitive or private information or critical configuration in Azure.
- Security Group and Microsoft 365 group owners, who can manage group membership. Those groups may grant access to sensitive or private information or critical configuration in Microsoft Entra ID and elsewhere.
- Administrators in other services outside of Microsoft Entra ID like Exchange Online, Microsoft 365 Defender portal, Microsoft Purview compliance portal, and human resources systems.
- Non-administrators like executives, legal counsel, and human resources employees who may have access to sensitive or private information.
Authentication Extensibility Administrator
This is a privileged role. Assign the Authentication Extensibility Administrator role to users who need to do the following tasks:
- Create and manage all aspects of custom authentication extensions.
Users with this role cannot do the following:
- Cannot assign custom authentication extensions to applications to modify the authentication experiences, and cannot consent to application permissions or create app registrations associated with the custom authentication extension. Instead, you must use the Application Administrator, Application Developer, or Cloud Application Administrator roles.
A custom authentication extension is an API endpoint created by a developer for authentication events and is registered in Microsoft Entra ID. Application administrators and application owners can use custom authentication extensions to customize their application's authentication experiences, such as sign in and sign up, or password reset.
Actions | Description |
---|---|
microsoft.directory/customAuthenticationExtensions/allProperties/allTasks | Create and manage custom authentication extensions |
Authentication Policy Administrator
Assign the Authentication Policy Administrator role to users who need to do the following:
- Configure the authentication methods policy, tenant-wide MFA settings, and password protection policy that determine which methods each user can register and use.
- Manage Password Protection settings: smart lockout configurations and updating the custom banned passwords list.
- Manage MFA settings in the legacy MFA management portal.
- Create and manage verifiable credentials.
- Create and manage Azure support tickets.
Users with this role cannot do the following:
- Cannot update sensitive properties. For more information, see Who can perform sensitive actions.
- Cannot delete or restore users. For more information, see Who can perform sensitive actions.
- Cannot manage Hardware OATH tokens.
The following table compares the capabilities of authentication-related roles.
Role | Manage user's auth methods | Manage per-user MFA | Manage MFA settings | Manage auth method policy | Manage password protection policy | Update sensitive properties | Delete and restore users |
---|---|---|---|---|---|---|---|
Authentication Administrator | Yes for some users | Yes for some users | Yes | No | No | Yes for some users | Yes for some users |
Privileged Authentication Administrator | Yes for all users | Yes for all users | No | No | No | Yes for all users | Yes for all users |
Authentication Policy Administrator | No | Yes | Yes | Yes | Yes | No | No |
User Administrator | No | No | No | No | No | Yes for some users | Yes for some users |
Actions | Description |
---|---|
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets |
microsoft.directory/organization/strongAuthentication/allTasks | Manage all aspects of strong authentication properties of an organization |
microsoft.directory/userCredentialPolicies/basic/update | Update basic policies for users |
microsoft.directory/userCredentialPolicies/create | Create credential policies for users |
microsoft.directory/userCredentialPolicies/delete | Delete credential policies for users |
microsoft.directory/userCredentialPolicies/owners/read | Read owners of credential policies for users |
microsoft.directory/userCredentialPolicies/owners/update | Update owners of credential policies for users |
microsoft.directory/userCredentialPolicies/policyAppliedTo/read | Read policy.appliesTo navigation link |
microsoft.directory/userCredentialPolicies/standard/read | Read standard properties of credential policies for users |
microsoft.directory/userCredentialPolicies/tenantDefault/update | Update policy.isOrganizationDefault property |
microsoft.directory/verifiableCredentials/configuration/allProperties/read | Read configuration required to create and manage verifiable credentials |
microsoft.directory/verifiableCredentials/configuration/allProperties/update | Update configuration required to create and manage verifiable credentials |
microsoft.directory/verifiableCredentials/configuration/contracts/allProperties/read | Read a verifiable credential contract |
microsoft.directory/verifiableCredentials/configuration/contracts/allProperties/update | Update a verifiable credential contract |
microsoft.directory/verifiableCredentials/configuration/contracts/cards/allProperties/read | Read a verifiable credential card |
microsoft.directory/verifiableCredentials/configuration/contracts/cards/revoke | Revoke a verifiable credential card |
microsoft.directory/verifiableCredentials/configuration/contracts/create | Create a verifiable credential contract |
microsoft.directory/verifiableCredentials/configuration/create | Create configuration required to create and manage verifiable credentials |
microsoft.directory/verifiableCredentials/configuration/delete | Delete configuration required to create and manage verifiable credentials and delete all of its verifiable credentials |
Azure DevOps Administrator
Users with this role can manage all enterprise Azure DevOps policies, applicable to all Azure DevOps organizations backed by Microsoft Entra ID. Users in this role can manage these policies by navigating to any Azure DevOps organization that is backed by the company's Microsoft Entra ID. Additionally, users in this role can claim ownership of orphaned Azure DevOps organizations. This role grants no other Azure DevOps-specific permissions (for example, Project Collection Administrators) inside any of the Azure DevOps organizations backed by the company's Microsoft Entra organization.
Actions | Description |
---|---|
microsoft.azure.devOps/allEntities/allTasks | Read and configure Azure DevOps |
Azure Information Protection Administrator
Users with this role have all permissions in the Azure Information Protection service. This role allows configuring labels for the Azure Information Protection policy, managing protection templates, and activating protection. This role does not grant any permissions in Microsoft Entra ID Protection, Privileged Identity Management, Monitor Microsoft 365 Service Health, Microsoft 365 Defender portal, or Microsoft Purview compliance portal.
Actions | Description |
---|---|
microsoft.azure.informationProtection/allEntities/allTasks | Manage all aspects of Azure Information Protection |
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health |
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets |
microsoft.directory/authorizationPolicy/standard/read | Read standard properties of authorization policy |
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests |
microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
B2C IEF Keyset Administrator
This is a privileged role. User can create and manage policy keys and secrets for token encryption, token signatures, and claim encryption/decryption. By adding new keys to existing key containers, this limited administrator can roll over secrets as needed without impacting existing applications. This user can see the full content of these secrets and their expiration dates even after their creation.
Important
This is a sensitive role. The keyset administrator role should be carefully audited and assigned with care during pre-production and production.
Actions | Description |
---|---|
microsoft.directory/b2cTrustFrameworkKeySet/allProperties/allTasks | Read and configure key sets in Azure Active Directory B2C |
B2C IEF Policy Administrator
Users in this role have the ability to create, read, update, and delete all custom policies in Azure AD B2C and therefore have full control over the Identity Experience Framework in the relevant Azure AD B2C organization. By editing policies, this user can establish direct federation with external identity providers, change the directory schema, change all user-facing content (HTML, CSS, JavaScript), change the requirements to complete an authentication, create new users, send user data to external systems including full migrations, and edit all user information including sensitive fields like passwords and phone numbers. Conversely, this role cannot change the encryption keys or edit the secrets used for federation in the organization.
Important
The B2 IEF Policy Administrator is a highly sensitive role which should be assigned on a very limited basis for organizations in production. Activities by these users should be closely audited, especially for organizations in production.
Actions | Description |
---|---|
microsoft.directory/b2cTrustFrameworkPolicy/allProperties/allTasks | Read and configure custom policies in Azure Active Directory B2C |
Billing Administrator
Makes purchases, manages subscriptions, manages support tickets, and monitors service health.
Actions | Description |
---|---|
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health |
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets |
microsoft.commerce.billing/allEntities/allProperties/allTasks | Manage all aspects of Office 365 billing |
microsoft.directory/organization/basic/update | Update basic properties on organization |
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests |
microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
Cloud App Security Administrator
Users with this role have full permissions in Defender for Cloud Apps. They can add administrators, add Microsoft Defender for Cloud Apps policies and settings, upload logs, and perform governance actions.
Actions | Description |
---|---|
microsoft.directory/cloudAppSecurity/allProperties/allTasks | Create and delete all resources, and read and update standard properties in Microsoft Defender for Cloud Apps |
microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
Cloud Application Administrator
This is a privileged role. Users in this role have the same permissions as the Application Administrator role, excluding the ability to manage application proxy. This role grants the ability to create and manage all aspects of enterprise applications and application registrations. Users assigned to this role are not added as owners when creating new application registrations or enterprise applications.
This role also grants the ability to consent for delegated permissions and application permissions, with the exception of application permissions for Azure AD Graph and Microsoft Graph.
Important
This exception means that you can still consent to application permissions for other apps (for example, other Microsoft apps, 3rd-party apps, or apps that you have registered). You can still request these permissions as part of the app registration, but granting (that is, consenting to) these permissions requires a more privileged administrator, such as Global Administrator.
This role grants the ability to manage application credentials. Users assigned this role can add credentials to an application, and use those credentials to impersonate the application’s identity. If the application’s identity has been granted access to a resource, such as the ability to create or update User or other objects, then a user assigned to this role could perform those actions while impersonating the application. This ability to impersonate the application’s identity may be an elevation of privilege over what the user can do via their role assignments. It is important to understand that assigning a user to the Application Administrator role gives them the ability to impersonate an application’s identity.
Cloud Device Administrator
This is a privileged role. Users in this role can enable, disable, and delete devices in Microsoft Entra ID and read Windows 10 BitLocker keys (if present) in the Azure portal. The role does not grant permissions to manage any other properties on the device.
Compliance Administrator
Users with this role have permissions to manage compliance-related features in the Microsoft Purview compliance portal, Microsoft 365 admin center, Azure, and Microsoft 365 Defender portal. Assignees can also manage all features within the Exchange admin center and create support tickets for Azure and Microsoft 365. For more information, see Roles and role groups in Microsoft Defender for Office 365 and Microsoft Purview compliance.
In | Can do |
---|---|
Microsoft Purview compliance portal | Protect and manage your organization's data across Microsoft 365 services Manage compliance alerts |
Microsoft Purview Compliance Manager | Track, assign, and verify your organization's regulatory compliance activities |
Microsoft 365 Defender portal | Manage data governance Perform legal and data investigation Manage Data Subject Request This role has the same permissions as the Compliance Administrator role group in Microsoft 365 Defender portal role-based access control. |
Intune | View all Intune audit data |
Microsoft Defender for Cloud Apps | Has read-only permissions and can manage alerts Can create and modify file policies and allow file governance actions Can view all the built-in reports under Data Management |
Actions | Description |
---|---|
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health |
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets |
microsoft.directory/entitlementManagement/allProperties/read | Read all properties in Microsoft Entra entitlement management |
microsoft.office365.complianceManager/allEntities/allTasks | Manage all aspects of Office 365 Compliance Manager |
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests |
microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
Compliance Data Administrator
Users with this role have permissions to track data in the Microsoft Purview compliance portal, Microsoft 365 admin center, and Azure. Users can also track compliance data within the Exchange admin center, Compliance Manager, and Teams & Skype for Business admin center and create support tickets for Azure and Microsoft 365. For more information about the differences between Compliance Administrator and Compliance Data Administrator, see Roles and role groups in Microsoft Defender for Office 365 and Microsoft Purview compliance.
In | Can do |
---|---|
Microsoft Purview compliance portal | Monitor compliance-related policies across Microsoft 365 services Manage compliance alerts |
Microsoft Purview Compliance Manager | Track, assign, and verify your organization's regulatory compliance activities |
Microsoft 365 Defender portal | Manage data governance Perform legal and data investigation Manage Data Subject Request This role has the same permissions as the Compliance Data Administrator role group in Microsoft 365 Defender portal role-based access control. |
Intune | View all Intune audit data |
Microsoft Defender for Cloud Apps | Has read-only permissions and can manage alerts Can create and modify file policies and allow file governance actions Can view all the built-in reports under Data Management |
Actions | Description |
---|---|
microsoft.azure.informationProtection/allEntities/allTasks | Manage all aspects of Azure Information Protection |
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health |
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets |
microsoft.directory/authorizationPolicy/standard/read | Read standard properties of authorization policy |
microsoft.directory/cloudAppSecurity/allProperties/allTasks | Create and delete all resources, and read and update standard properties in Microsoft Defender for Cloud Apps |
microsoft.office365.complianceManager/allEntities/allTasks | Manage all aspects of Office 365 Compliance Manager |
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests |
microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
Conditional Access Administrator
This is a privileged role. Users with this role have the ability to manage Microsoft Entra Conditional Access settings.
Customer LockBox Access Approver
Manages Microsoft Purview Customer Lockbox requests in your organization. They receive email notifications for Customer Lockbox requests and can approve and deny requests from the Microsoft 365 admin center. They can also turn the Customer Lockbox feature on or off. Only Global Administrators can reset the passwords of people assigned to this role.
Actions | Description |
---|---|
microsoft.office365.lockbox/allEntities/allTasks | Manage all aspects of Customer Lockbox |
microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
Desktop Analytics Administrator
Users in this role can manage the Desktop Analytics service. This includes the ability to view asset inventory, create deployment plans, and view deployment and health status.
Actions | Description |
---|---|
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health |
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets |
microsoft.directory/authorizationPolicy/standard/read | Read standard properties of authorization policy |
microsoft.office365.desktopAnalytics/allEntities/allTasks | Manage all aspects of Desktop Analytics |
Directory Readers
Users in this role can read basic directory information. This role should be used for:
- Granting a specific set of guest users read access instead of granting it to all guest users.
- Granting a specific set of non-admin users access to Microsoft Entra admin center when "Restrict access to Microsoft Entra admin center" is set to "Yes".
- Granting service principals access to directory where Directory.Read.All is not an option.
Actions | Description |
---|---|
microsoft.directory/administrativeUnits/members/read | Read members of administrative units |
microsoft.directory/administrativeUnits/standard/read | Read basic properties on administrative units |
microsoft.directory/applicationPolicies/standard/read | Read standard properties of application policies |
microsoft.directory/applications/owners/read | Read owners of applications |
microsoft.directory/applications/policies/read | Read policies of applications |
microsoft.directory/applications/standard/read | Read standard properties of applications |
microsoft.directory/contacts/memberOf/read | Read the group membership for all contacts in Microsoft Entra ID |
microsoft.directory/contacts/standard/read | Read basic properties on contacts in Microsoft Entra ID |
microsoft.directory/contracts/standard/read | Read basic properties on partner contracts |
microsoft.directory/devices/memberOf/read | Read device memberships |
microsoft.directory/devices/registeredOwners/read | Read registered owners of devices |
microsoft.directory/devices/registeredUsers/read | Read registered users of devices |
microsoft.directory/devices/standard/read | Read basic properties on devices |
microsoft.directory/directoryRoles/eligibleMembers/read | Read the eligible members of Microsoft Entra roles |
microsoft.directory/directoryRoles/members/read | Read all members of Microsoft Entra roles |
microsoft.directory/directoryRoles/standard/read | Read basic properties of Microsoft Entra roles |
microsoft.directory/domains/standard/read | Read basic properties on domains |
microsoft.directory/groups/appRoleAssignments/read | Read application role assignments of groups |
microsoft.directory/groupSettings/standard/read | Read basic properties on group settings |
microsoft.directory/groupSettingTemplates/standard/read | Read basic properties on group setting templates |
microsoft.directory/groups/memberOf/read | Read the memberOf property on Security groups and Microsoft 365 groups, including role-assignable groups |
microsoft.directory/groups/members/read | Read members of Security groups and Microsoft 365 groups, including role-assignable groups |
microsoft.directory/groups/owners/read | Read owners of Security groups and Microsoft 365 groups, including role-assignable groups |
microsoft.directory/groups/settings/read | Read settings of groups |
microsoft.directory/groups/standard/read | Read standard properties of Security groups and Microsoft 365 groups, including role-assignable groups |
microsoft.directory/oAuth2PermissionGrants/standard/read | Read basic properties on OAuth 2.0 permission grants |
microsoft.directory/organization/standard/read | Read basic properties on an organization |
microsoft.directory/organization/trustedCAsForPasswordlessAuth/read | Read trusted certificate authorities for passwordless authentication |
microsoft.directory/roleAssignments/standard/read | Read basic properties on role assignments |
microsoft.directory/roleDefinitions/standard/read | Read basic properties on role definitions |
microsoft.directory/servicePrincipals/appRoleAssignedTo/read | Read service principal role assignments |
microsoft.directory/servicePrincipals/appRoleAssignments/read | Read role assignments assigned to service principals |
microsoft.directory/servicePrincipals/memberOf/read | Read the group memberships on service principals |
microsoft.directory/servicePrincipals/oAuth2PermissionGrants/read | Read delegated permission grants on service principals |
microsoft.directory/servicePrincipals/ownedObjects/read | Read owned objects of service principals |
microsoft.directory/servicePrincipals/owners/read | Read owners of service principals |
microsoft.directory/servicePrincipals/policies/read | Read policies of service principals |
microsoft.directory/servicePrincipals/standard/read | Read basic properties of service principals |
microsoft.directory/subscribedSkus/standard/read | Read basic properties on subscriptions |
microsoft.directory/users/appRoleAssignments/read | Read application role assignments for users |
microsoft.directory/users/deviceForResourceAccount/read | Read deviceForResourceAccount of users |
microsoft.directory/users/directReports/read | Read the direct reports for users |
microsoft.directory/users/invitedBy/read | Read the user that invited an external user to a tenant |
microsoft.directory/users/licenseDetails/read | Read license details of users |
microsoft.directory/users/manager/read | Read manager of users |
microsoft.directory/users/memberOf/read | Read the group memberships of users |
microsoft.directory/users/oAuth2PermissionGrants/read | Read delegated permission grants on users |
microsoft.directory/users/ownedDevices/read | Read owned devices of users |
microsoft.directory/users/ownedObjects/read | Read owned objects of users |
microsoft.directory/users/photo/read | Read photo of users |
microsoft.directory/users/registeredDevices/read | Read registered devices of users |
microsoft.directory/users/scopedRoleMemberOf/read | Read user's membership of a Microsoft Entra role, that is scoped to an administrative unit |
microsoft.directory/users/sponsors/read | Read sponsors of users |
microsoft.directory/users/standard/read | Read basic properties on users |
Directory Synchronization Accounts
Do not use. This role is automatically assigned to the Microsoft Entra Connect service, and is not intended or supported for any other use.
Actions | Description |
---|---|
microsoft.directory/onPremisesSynchronization/standard/read | Read and manage objects to enable on-premises directory synchronization |
Directory Writers
This is a privileged role. Users in this role can read and update basic information of users, groups, and service principals.
Domain Name Administrator
This is a privileged role. Users with this role can manage (read, add, verify, update, and delete) domain names. They can also read directory information about users, groups, and applications, as these objects possess domain dependencies. For on-premises environments, users with this role can configure domain names for federation so that associated users are always authenticated on-premises. These users can then sign into Microsoft Entra based services with their on-premises passwords via single sign-on. Federation settings need to be synced via Microsoft Entra Connect, so users also have permissions to manage Microsoft Entra Connect.
Dynamics 365 Administrator
Users with this role have global permissions within Microsoft Dynamics 365 Online, when the service is present, as well as the ability to manage support tickets and monitor service health. For more information, see Use service admin roles to manage your tenant.
Note
In the Microsoft Graph API and Azure AD PowerShell, this role is named Dynamics 365 Service Administrator. In the Azure portal, it is named Dynamics 365 Administrator.
Actions | Description |
---|---|
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health |
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets |
microsoft.dynamics365/allEntities/allTasks | Manage all aspects of Dynamics 365 |
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests |
microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
Dynamics 365 Business Central Administrator
Assign the Dynamics 365 Business Central Administrator role to users who need to do the following tasks:
- Access Dynamics 365 Business Central environments
- Perform all administrative tasks on environments
- Manage the lifecycle of customer's environments
- Supervise the extensions installed on environments
- Control upgrades of environments
- Perform data exports of environments
- Read and configure Azure and Microsoft 365 service health dashboards
This role does not provide any permissions for other Dynamics 365 products.
Actions | Description |
---|---|
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health |
microsoft.directory/domains/standard/read | Read basic properties on domains |
microsoft.directory/organization/standard/read | Read basic properties on an organization |
microsoft.directory/subscribedSkus/standard/read | Read basic properties on subscriptions |
microsoft.directory/users/standard/read | Read basic properties on users |
microsoft.dynamics365.businessCentral/allEntities/allProperties/allTasks | Manage all aspects of Dynamics 365 Business Central |
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
Edge Administrator
Users in this role can create and manage the enterprise site list required for Internet Explorer mode on Microsoft Edge. This role grants permissions to create, edit, and publish the site list and additionally allows access to manage support tickets. Learn more
Actions | Description |
---|---|
microsoft.edge/allEntities/allProperties/allTasks | Manage all aspects of Microsoft Edge |
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests |
microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
Exchange Administrator
Users with this role have global permissions within Microsoft Exchange Online, when the service is present. Also has the ability to create and manage all Microsoft 365 groups, manage support tickets, and monitor service health. For more information, see About admin roles in the Microsoft 365 admin center.
Note
In the Microsoft Graph API and Azure AD PowerShell, this role is named Exchange Service Administrator. In the Azure portal, it is named Exchange Administrator. In the Exchange admin center, it is named Exchange Online administrator.
Actions | Description |
---|---|
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health |
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets |
microsoft.backup/exchangeProtectionPolicies/allProperties/allTasks | Create and manage Exchange Online protection policy in Microsoft 365 Backup |
microsoft.backup/exchangeRestoreSessions/allProperties/allTasks | Read and configure restore session for Exchange Online in Microsoft 365 Backup |
microsoft.backup/restorePoints/userMailboxes/allProperties/allTasks | Manage all restore points associated with selected Exchange Online mailboxes in M365 Backup |
microsoft.backup/userMailboxProtectionUnits/allProperties/allTasks | Manage mailboxes added to Exchange Online protection policy in Microsoft 365 Backup |
microsoft.backup/userMailboxRestoreArtifacts/allProperties/allTasks | Manage mailboxes added to restore session for Exchange Online in Microsoft 365 Backup |
microsoft.directory/groups/hiddenMembers/read | Read hidden members of Security groups and Microsoft 365 groups, including role-assignable groups |
microsoft.directory/groups.unified/basic/update | Update basic properties on Microsoft 365 groups, excluding role-assignable groups |
microsoft.directory/groups.unified/create | Create Microsoft 365 groups, excluding role-assignable groups |
microsoft.directory/groups.unified/delete | Delete Microsoft 365 groups, excluding role-assignable groups |
microsoft.directory/groups.unified/members/update | Update members of Microsoft 365 groups, excluding role-assignable groups |
microsoft.directory/groups.unified/owners/update | Update owners of Microsoft 365 groups, excluding role-assignable groups |
microsoft.directory/groups.unified/restore | Restore Microsoft 365 groups from soft-deleted container, excluding role-assignable groups |
microsoft.office365.exchange/allEntities/basic/allTasks | Manage all aspects of Exchange Online |
microsoft.office365.network/performance/allProperties/read | Read all network performance properties in the Microsoft 365 admin center |
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests |
microsoft.office365.usageReports/allEntities/allProperties/read | Read Office 365 usage reports |
microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
Exchange Recipient Administrator
Users with this role have read access to recipients and write access to the attributes of those recipients in Exchange Online. For more information, see Recipients in Exchange Server.
Actions | Description |
---|---|
microsoft.office365.exchange/migration/allProperties/allTasks | Manage all tasks related to migration of recipients in Exchange Online |
microsoft.office365.exchange/recipients/allProperties/allTasks | Create and delete all recipients, and read and update all properties of recipients in Exchange Online |
External ID User Flow Administrator
Users with this role can create and manage user flows (also called "built-in" policies) in the Azure portal. These users can customize HTML/CSS/JavaScript content, change MFA requirements, select claims in the token, manage API connectors and their credentials, and configure session settings for all user flows in the Microsoft Entra organization. On the other hand, this role does not include the ability to review user data or make changes to the attributes that are included in the organization schema. Changes to Identity Experience Framework policies (also known as custom policies) are also outside the scope of this role.
Actions | Description |
---|---|
microsoft.directory/b2cUserFlow/allProperties/allTasks | Read and configure user flow in Azure Active Directory B2C |
External ID User Flow Attribute Administrator
Users with this role add or delete custom attributes available to all user flows in the Microsoft Entra organization. As such, users with this role can change or add new elements to the end-user schema and impact the behavior of all user flows and indirectly result in changes to what data may be asked of end users and ultimately sent as claims to applications. This role cannot edit user flows.
Actions | Description |
---|---|
microsoft.directory/b2cUserAttribute/allProperties/allTasks | Read and configure user attribute in Azure Active Directory B2C |
External Identity Provider Administrator
This is a privileged role. This administrator manages federation between Microsoft Entra organizations and external identity providers. With this role, users can add new identity providers and configure all available settings (e.g. authentication path, service ID, assigned key containers). This user can enable the Microsoft Entra organization to trust authentications from external identity providers. The resulting impact on end-user experiences depends on the type of organization:
- Microsoft Entra organizations for employees and partners: The addition of a federation (e.g. with Gmail) will immediately impact all guest invitations not yet redeemed.
- Azure Active Directory B2C organizations: The addition of a federation (for example, with another Microsoft Entra organization) does not immediately impact end-user flows until the identity provider is added as an option in a user flow (also called a built-in policy). To change user flows, the limited role of "B2C User Flow Administrator" is required.
Fabric Administrator
Users with this role have global permissions within Microsoft Fabric and Power BI, when the service is present, as well as the ability to manage support tickets and monitor service health.
Actions | Description |
---|---|
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health |
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets |
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests |
microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
microsoft.powerApps.powerBI/allEntities/allTasks | Manage all aspects of Fabric and Power BI |
Global Administrator
This is a privileged role. Users with this role have access to all administrative features in Microsoft Entra ID, as well as services that use Microsoft Entra identities like the Microsoft 365 Defender portal, the Microsoft Purview compliance portal, Exchange Online, SharePoint Online, and Skype for Business Online. Global Administrators can view Directory Activity logs. Furthermore, Global Administrators can elevate their access to manage all Azure subscriptions and management groups. This allows Global Administrators to get full access to all Azure resources using the respective Microsoft Entra tenant. The person who signs up for the Microsoft Entra organization becomes a Global Administrator. There can be more than one Global Administrator at your company. Global Administrators can reset the password for any user and all other administrators. A Global Administrator cannot remove their own Global Administrator assignment. This is to prevent a situation where an organization has zero Global Administrators.
Note
As a best practice, Microsoft recommends that you assign the Global Administrator role to fewer than five people in your organization. For more information, see Best practices for Microsoft Entra roles.
Global Reader
This is a privileged role. Users in this role can read settings and administrative information across Microsoft 365 services but can't take management actions. Global Reader is the read-only counterpart to Global Administrator. Assign Global Reader instead of Global Administrator for planning, audits, or investigations. Use Global Reader in combination with other limited admin roles like Exchange Administrator to make it easier to get work done without the assigning the Global Administrator role. Global Reader works with Microsoft 365 admin center, Exchange admin center, SharePoint admin center, Teams admin center, Microsoft 365 Defender portal, Microsoft Purview compliance portal, Azure portal, and Device Management admin center.
Users with this role cannot do the following:
- Cannot access the Purchase Services area in the Microsoft 365 admin center.
Note
Global Reader role has the following limitations:
- OneDrive admin center - OneDrive admin center does not support the Global Reader role
- Microsoft 365 Defender portal - Global Reader can't read SCC audit logs, do content search, or see Secure Score.
- Teams admin center - Global Reader cannot read Teams lifecycle, Analytics & reports, IP phone device management, and App catalog. For more information, see Use Microsoft Teams administrator roles to manage Teams.
- Privileged Access Management doesn't support the Global Reader role.
- Azure Information Protection - Global Reader is supported for central reporting only, and when your Microsoft Entra organization isn't on the unified labeling platform.
- SharePoint - Global Reader has read access to SharePoint Online PowerShell cmdlets and Read APIs.
- Power Platform admin center - Global Reader is not yet supported in the Power Platform admin center.
- Microsoft Purview doesn't support the Global Reader role.
Global Secure Access Administrator
Assign the Global Secure Access Administrator role to users who need to do the following:
- Create and manage all aspects of Microsoft Entra Internet Access and Microsoft Entra Private Access
- Manage access to public and private endpoints
Users with this role cannot do the following:
- Cannot manage enterprise applications, application registrations, Conditional Access, or application proxy settings
Actions | Description |
---|---|
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets |
microsoft.directory/applicationPolicies/standard/read | Read standard properties of application policies |
microsoft.directory/applications/applicationProxy/read | Read all application proxy properties |
microsoft.directory/applications/owners/read | Read owners of applications |
microsoft.directory/applications/policies/read | Read policies of applications |
microsoft.directory/applications/standard/read | Read standard properties of applications |
microsoft.directory/auditLogs/allProperties/read | Read all properties on audit logs, excluding custom security attributes audit logs |
microsoft.directory/conditionalAccessPolicies/standard/read | Read Conditional Access for policies |
microsoft.directory/connectorGroups/allProperties/read | Read all properties of private network connector groups |
microsoft.directory/connectors/allProperties/read | Read all properties of private network connectors |
microsoft.directory/crossTenantAccessPolicy/default/standard/read | Read basic properties of the default cross-tenant access policy |
microsoft.directory/crossTenantAccessPolicy/partners/standard/read | Read basic properties of cross-tenant access policy for partners |
microsoft.directory/crossTenantAccessPolicy/standard/read | Read basic properties of cross-tenant access policy |
microsoft.directory/namedLocations/standard/read | Read basic properties of custom rules that define network locations |
microsoft.directory/signInReports/allProperties/read | Read all properties on sign-in reports, including privileged properties |
microsoft.networkAccess/allEntities/allProperties/allTasks | Manage all aspects of Microsoft Entra Network Access |
microsoft.office365.messageCenter/messages/read | Read messages in Message Center in the Microsoft 365 admin center, excluding security messages |
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests |
microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
Groups Administrator
Users in this role can create/manage groups and its settings like naming and expiration policies. It is important to understand that assigning a user to this role gives them the ability to manage all groups in the organization across various workloads like Teams, SharePoint, Yammer in addition to Outlook. Also the user will be able to manage the various groups settings across various admin portals like Microsoft admin center, Azure portal, as well as workload specific ones like Teams and SharePoint admin centers.
Actions | Description |
---|---|
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health |
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets |
microsoft.directory/deletedItems.groups/delete | Permanently delete groups, which can no longer be restored |
microsoft.directory/deletedItems.groups/restore | Restore soft deleted groups to original state |
microsoft.directory/groups/assignLicense | Assign product licenses to groups for group-based licensing |
microsoft.directory/groups/basic/update | Update basic properties on Security groups and Microsoft 365 groups, excluding role-assignable groups |
microsoft.directory/groups/classification/update | Update the classification property on Security groups and Microsoft 365 groups, excluding role-assignable groups |
microsoft.directory/groups/create | Create Security groups and Microsoft 365 groups, excluding role-assignable groups |
microsoft.directory/groups/delete | Delete Security groups and Microsoft 365 groups, excluding role-assignable groups |
microsoft.directory/groups/dynamicMembershipRule/update | Update the dynamic membership rule on Security groups and Microsoft 365 groups, excluding role-assignable groups |
microsoft.directory/groups/groupType/update | Update properties that would affect the group type of Security groups and Microsoft 365 groups, excluding role-assignable groups |
microsoft.directory/groups/hiddenMembers/read | Read hidden members of Security groups and Microsoft 365 groups, including role-assignable groups |
microsoft.directory/groups/members/update | Update members of Security groups and Microsoft 365 groups, excluding role-assignable groups |
microsoft.directory/groups/onPremWriteBack/update | Update Microsoft Entra groups to be written back to on-premises with Microsoft Entra Connect |
microsoft.directory/groups/owners/update | Update owners of Security groups and Microsoft 365 groups, excluding role-assignable groups |
microsoft.directory/groups/reprocessLicenseAssignment | Reprocess license assignments for group-based licensing |
microsoft.directory/groups/restore | Restore groups from soft-deleted container |
microsoft.directory/groups/settings/update | Update settings of groups |
microsoft.directory/groups/visibility/update | Update the visibility property of Security groups and Microsoft 365 groups, excluding role-assignable groups |
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests |
microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
Guest Inviter
Users in this role can manage Microsoft Entra B2B guest user invitations when the Members can invite user setting is set to No. More information about B2B collaboration at About Microsoft Entra B2B collaboration. It does not include any other permissions.
Actions | Description |
---|---|
microsoft.directory/users/appRoleAssignments/read | Read application role assignments for users |
microsoft.directory/users/deviceForResourceAccount/read | Read deviceForResourceAccount of users |
microsoft.directory/users/directReports/read | Read the direct reports for users |
microsoft.directory/users/invitedBy/read | Read the user that invited an external user to a tenant |
microsoft.directory/users/inviteGuest | Invite guest users |
microsoft.directory/users/licenseDetails/read | Read license details of users |
microsoft.directory/users/manager/read | Read manager of users |
microsoft.directory/users/memberOf/read | Read the group memberships of users |
microsoft.directory/users/oAuth2PermissionGrants/read | Read delegated permission grants on users |
microsoft.directory/users/ownedDevices/read | Read owned devices of users |
microsoft.directory/users/ownedObjects/read | Read owned objects of users |
microsoft.directory/users/photo/read | Read photo of users |
microsoft.directory/users/registeredDevices/read | Read registered devices of users |
microsoft.directory/users/scopedRoleMemberOf/read | Read user's membership of a Microsoft Entra role, that is scoped to an administrative unit |
microsoft.directory/users/sponsors/read | Read sponsors of users |
microsoft.directory/users/standard/read | Read basic properties on users |
Helpdesk Administrator
This is a privileged role. Users with this role can change passwords, invalidate refresh tokens, create and manage support requests with Microsoft for Azure and Microsoft 365 services, and monitor service health. Invalidating a refresh token forces the user to sign in again. Whether a Helpdesk Administrator can reset a user's password and invalidate refresh tokens depends on the role the user is assigned. For a list of the roles that a Helpdesk Administrator can reset passwords for and invalidate refresh tokens, see Who can reset passwords.
Users with this role cannot do the following:
- Cannot change the credentials or reset MFA for members and owners of a role-assignable group.
Important
Users with this role can change passwords for people who may have access to sensitive or private information or critical configuration inside and outside of Microsoft Entra ID. Changing the password of a user may mean the ability to assume that user's identity and permissions. For example:
- Application Registration and Enterprise Application owners, who can manage credentials of apps they own. Those apps may have privileged permissions in Microsoft Entra ID and elsewhere not granted to Helpdesk Administrators. Through this path a Helpdesk Administrator may be able to assume the identity of an application owner and then further assume the identity of a privileged application by updating the credentials for the application.
- Azure subscription owners, who might have access to sensitive or private information or critical configuration in Azure.
- Security Group and Microsoft 365 group owners, who can manage group membership. Those groups may grant access to sensitive or private information or critical configuration in Microsoft Entra ID and elsewhere.
- Administrators in other services outside of Microsoft Entra ID like Exchange Online, Microsoft 365 Defender portal, Microsoft Purview compliance portal, and human resources systems.
- Non-administrators like executives, legal counsel, and human resources employees who may have access to sensitive or private information.
Delegating administrative permissions over subsets of users and applying policies to a subset of users is possible with Administrative Units.
This role was previously named Password Administrator in the Azure portal. It was renamed to Helpdesk Administrator to align with the existing name in the Microsoft Graph API and Azure AD PowerShell.
Hybrid Identity Administrator
This is a privileged role. Users in this role can create, manage and deploy provisioning configuration setup from Active Directory to Microsoft Entra ID using Cloud Provisioning as well as manage Microsoft Entra Connect, Password hash synchronization (PHS), and federation settings. Users can also troubleshoot and monitor logs using this role.
Identity Governance Administrator
Users with this role can manage Microsoft Entra ID Governance configuration, including access packages, access reviews, catalogs and policies, ensuring access is approved and reviewed and guest users who no longer need access are removed.
Actions | Description |
---|---|
microsoft.directory/accessReviews/allProperties/allTasks | (Deprecated) Create and delete access reviews, read and update all properties of access reviews, and manage access reviews of groups in Microsoft Entra ID |
microsoft.directory/accessReviews/definitions.applications/allProperties/allTasks | Manage access reviews of application role assignments in Microsoft Entra ID |
microsoft.directory/accessReviews/definitions.entitlementManagement/allProperties/allTasks | Manage access reviews for access package assignments in entitlement management |
microsoft.directory/accessReviews/definitions.groups/allProperties/read | Read all properties of access reviews for membership in Security and Microsoft 365 groups, including role-assignable groups. |
microsoft.directory/accessReviews/definitions.groups/allProperties/update | Update all properties of access reviews for membership in Security and Microsoft 365 groups, excluding role-assignable groups. |
microsoft.directory/accessReviews/definitions.groups/create | Create access reviews for membership in Security and Microsoft 365 groups. |
microsoft.directory/accessReviews/definitions.groups/delete | Delete access reviews for membership in Security and Microsoft 365 groups. |
microsoft.directory/entitlementManagement/allProperties/allTasks | Create and delete resources, and read and update all properties in Microsoft Entra entitlement management |
microsoft.directory/groups/members/update | Update members of Security groups and Microsoft 365 groups, excluding role-assignable groups |
microsoft.directory/servicePrincipals/appRoleAssignedTo/update | Update service principal role assignments |
Insights Administrator
Users in this role can access the full set of administrative capabilities in the Microsoft Viva Insights app. This role has the ability to read directory information, monitor service health, file support tickets, and access the Insights Administrator settings aspects.
Actions | Description |
---|---|
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health |
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets |
microsoft.insights/allEntities/allProperties/allTasks | Manage all aspects of Insights app |
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests |
microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
Insights Analyst
Assign the Insights Analyst role to users who need to do the following:
- Analyze data in the Microsoft Viva Insights app, but can't manage any configuration settings
- Create, manage, and run queries
- View basic settings and reports in the Microsoft 365 admin center
- Create and manage service requests in the Microsoft 365 admin center
Actions | Description |
---|---|
microsoft.insights/queries/allProperties/allTasks | Run and manage queries in Viva Insights |
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests |
microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
Insights Business Leader
Users in this role can access a set of dashboards and insights via the Microsoft Viva Insights app. This includes full access to all dashboards and presented insights and data exploration functionality. Users in this role do not have access to product configuration settings, which is the responsibility of the Insights Administrator role.
Actions | Description |
---|---|
microsoft.insights/programs/allProperties/update | Deploy and manage programs in Insights app |
microsoft.insights/reports/allProperties/read | View reports and dashboard in Insights app |
Intune Administrator
This is a privileged role. Users with this role have global permissions within Microsoft Intune Online, when the service is present. Additionally, this role contains the ability to manage users and devices in order to associate policy, as well as create and manage groups. For more information, see Role-based administration control (RBAC) with Microsoft Intune.
This role can create and manage all security groups. However, Intune Administrator does not have admin rights over Office groups. That means the admin cannot update owners or memberships of all Office groups in the organization. However, he/she can manage the Office group that he creates which comes as a part of his/her end-user privileges. So, any Office group (not security group) that he/she creates should be counted against his/her quota of 250.
Note
In the Microsoft Graph API and Azure AD PowerShell, this role is named Intune Service Administrator. In the Azure portal, it is named Intune Administrator.
Kaizala Administrator
Users with this role have global permissions to manage settings within Microsoft Kaizala, when the service is present, as well as the ability to manage support tickets and monitor service health. Additionally, the user can access reports related to adoption & usage of Kaizala by Organization members and business reports generated using the Kaizala actions.
Actions | Description |
---|---|
microsoft.directory/authorizationPolicy/standard/read | Read standard properties of authorization policy |
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests |
microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
Knowledge Administrator
Users in this role have full access to all knowledge, learning and intelligent features settings in the Microsoft 365 admin center. They have a general understanding of the suite of products, licensing details and have responsibility to control access. Knowledge Administrator can create and manage content, like topics, acronyms and learning resources. Additionally, these users can create content centers, monitor service health, and create service requests.
Actions | Description |
---|---|
microsoft.directory/groups.security/basic/update | Update basic properties on Security groups, excluding role-assignable groups |
microsoft.directory/groups.security/create | Create Security groups, excluding role-assignable groups |
microsoft.directory/groups.security/createAsOwner | Create Security groups, excluding role-assignable groups. Creator is added as the first owner. |
microsoft.directory/groups.security/delete | Delete Security groups, excluding role-assignable groups |
microsoft.directory/groups.security/members/update | Update members of Security groups, excluding role-assignable groups |
microsoft.directory/groups.security/owners/update | Update owners of Security groups, excluding role-assignable groups |
microsoft.office365.knowledge/contentUnderstanding/allProperties/allTasks | Read and update all properties of content understanding in Microsoft 365 admin center |
microsoft.office365.knowledge/knowledgeNetwork/allProperties/allTasks | Read and update all properties of knowledge network in Microsoft 365 admin center |
microsoft.office365.knowledge/learningSources/allProperties/allTasks | Manage learning sources and all their properties in Learning App. |
microsoft.office365.protectionCenter/sensitivityLabels/allProperties/read | Read all properties of sensitivity labels in the Security and Compliance centers |
microsoft.office365.sharePoint/allEntities/allTasks | Create and delete all resources, and read and update standard properties in SharePoint |
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests |
microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
Knowledge Manager
Users in this role can create and manage content, like topics, acronyms and learning content. These users are primarily responsible for the quality and structure of knowledge. This user has full rights to topic management actions to confirm a topic, approve edits, or delete a topic. This role can also manage taxonomies as part of the term store management tool and create content centers.
Actions | Description |
---|---|
microsoft.directory/groups.security/basic/update | Update basic properties on Security groups, excluding role-assignable groups |
microsoft.directory/groups.security/create | Create Security groups, excluding role-assignable groups |
microsoft.directory/groups.security/createAsOwner | Create Security groups, excluding role-assignable groups. Creator is added as the first owner. |
microsoft.directory/groups.security/delete | Delete Security groups, excluding role-assignable groups |
microsoft.directory/groups.security/members/update | Update members of Security groups, excluding role-assignable groups |
microsoft.directory/groups.security/owners/update | Update owners of Security groups, excluding role-assignable groups |
microsoft.office365.knowledge/contentUnderstanding/analytics/allProperties/read | Read analytics reports of content understanding in Microsoft 365 admin center |
microsoft.office365.knowledge/knowledgeNetwork/topicVisibility/allProperties/allTasks | Manage topic visibility of knowledge network in Microsoft 365 admin center |
microsoft.office365.sharePoint/allEntities/allTasks | Create and delete all resources, and read and update standard properties in SharePoint |
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests |
microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
License Administrator
Users in this role can read, add, remove, and update license assignments on users, groups (using group-based licensing), and manage the usage location on users. The role does not grant the ability to purchase or manage subscriptions, create or manage groups, or create or manage users beyond the usage location. This role has no access to view, create, or manage support tickets.
Actions | Description |
---|---|
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health |
microsoft.directory/authorizationPolicy/standard/read | Read standard properties of authorization policy |
microsoft.directory/groups/assignLicense | Assign product licenses to groups for group-based licensing |
microsoft.directory/groups/reprocessLicenseAssignment | Reprocess license assignments for group-based licensing |
microsoft.directory/users/assignLicense | Manage user licenses |
microsoft.directory/users/reprocessLicenseAssignment | Reprocess license assignments for users |
microsoft.directory/users/usageLocation/update | Update usage location of users |
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
Lifecycle Workflows Administrator
This is a privileged role. Assign the Lifecycle Workflows Administrator role to users who need to do the following tasks:
- Create and manage all aspects of workflows and tasks associated with Lifecycle Workflows in Microsoft Entra ID
- Check the execution of scheduled workflows
- Launch on-demand workflow runs
- Inspect workflow execution logs
Message Center Privacy Reader
Users in this role can monitor all notifications in the Message Center, including data privacy messages. Message Center Privacy Readers get email notifications including those related to data privacy and they can unsubscribe using Message Center Preferences. Only the Global Administrator and the Message Center Privacy Reader can read data privacy messages. Additionally, this role contains the ability to view groups, domains, and subscriptions. This role has no permission to view, create, or manage service requests.
Actions | Description |
---|---|
microsoft.office365.messageCenter/messages/read | Read messages in Message Center in the Microsoft 365 admin center, excluding security messages |
microsoft.office365.messageCenter/securityMessages/read | Read security messages in Message Center in the Microsoft 365 admin center |
microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
Message Center Reader
Users in this role can monitor notifications and advisory health updates in Message center for their organization on configured services such as Exchange, Intune, and Microsoft Teams. Message Center Readers receive weekly email digests of posts, updates, and can share message center posts in Microsoft 365. In Microsoft Entra ID, users assigned to this role will only have read-only access on Microsoft Entra services such as users and groups. This role has no access to view, create, or manage support tickets.
Actions | Description |
---|---|
microsoft.office365.messageCenter/messages/read | Read messages in Message Center in the Microsoft 365 admin center, excluding security messages |
microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
Microsoft 365 Migration Administrator
Assign the Microsoft 365 Migration Administrator role to users who need to do the following tasks:
- Use Migration Manager in the Microsoft 365 admin center to manage content migration to Microsoft 365, including Teams, OneDrive for Business, and SharePoint sites, from Google Drive, Dropbox, Box, and Egnyte
- Select migration sources, create migration inventories (such as Google Drive user lists), schedule and execute migrations, and download reports
- Create new SharePoint sites if the destination sites don't already exist, create SharePoint lists under the SharePoint admin sites, and create and update items in SharePoint lists
- Manage migration project settings and migration lifecycle for tasks
- Manage permission mappings from source to destination
Note
This role doesn't allow you to migrate from file share sources using the SharePoint admin center. You can use the SharePoint Administrator role to migrate from file share sources.
Actions | Description |
---|---|
microsoft.office365.migrations/allEntities/allProperties/allTasks | Manage all aspects of Microsoft 365 migrations |
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests |
microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
Microsoft Entra Joined Device Local Administrator
This role is available for assignment only as an additional local administrator in Device settings. Users with this role become local machine administrators on all Windows 10 devices that are joined to Microsoft Entra ID. They do not have the ability to manage devices objects in Microsoft Entra ID.
Actions | Description |
---|---|
microsoft.directory/groupSettings/standard/read | Read basic properties on group settings |
microsoft.directory/groupSettingTemplates/standard/read | Read basic properties on group setting templates |
Network Administrator
Users in this role can review network perimeter architecture recommendations from Microsoft that are based on network telemetry from their user locations. Network performance for Microsoft 365 relies on careful enterprise customer network perimeter architecture which is generally user location specific. This role allows for editing of discovered user locations and configuration of network parameters for those locations to facilitate improved telemetry measurements and design recommendations
Actions | Description |
---|---|
microsoft.office365.network/locations/allProperties/allTasks | Manage all aspects of network locations |
microsoft.office365.network/performance/allProperties/read | Read all network performance properties in the Microsoft 365 admin center |
microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
Office Apps Administrator
Users in this role can manage Microsoft 365 apps' cloud settings. This includes managing cloud policies, self-service download management and the ability to view Office apps related report. This role additionally grants the ability to manage support tickets, and monitor service health within the main admin center. Users assigned to this role can also manage communication of new features in Office apps.
Actions | Description |
---|---|
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health |
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets |
microsoft.office365.messageCenter/messages/read | Read messages in Message Center in the Microsoft 365 admin center, excluding security messages |
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests |
microsoft.office365.userCommunication/allEntities/allTasks | Read and update what's new messages visibility |
microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
Organizational Branding Administrator
Assign the Organizational Branding Administrator role to users who need to do the following tasks:
- Manage all aspects of organizational branding in a tenant
- Read, create, update, and delete branding themes
- Manage the default branding theme and all branding localization themes
Actions | Description |
---|---|
microsoft.directory/loginOrganizationBranding/allProperties/allTasks | Create and delete loginTenantBranding, and read and update all properties |
Organizational Messages Approver
Assign the Organizational Messages Approver role to users who need to do the following tasks:
- Review, approve, or reject new organizational messages for delivery in the Microsoft 365 admin center before they are sent to users using the Microsoft 365 Organizational Messages platform
- Read all aspects of organizational messages
- Read basic properties on all resources in the Microsoft 365 admin center
Actions | Description |
---|---|
microsoft.office365.organizationalMessages/allEntities/allProperties/read | Read all aspects of Microsoft 365 Organizational Messages |
microsoft.office365.organizationalMessages/allEntities/allProperties/update | Approve or reject new organizational messages for delivery in the Microsoft 365 admin center |
microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
Organizational Messages Writer
Assign the Organizational Messages Writer role to users who need to do the following tasks:
- Write, publish, and delete organizational messages using Microsoft 365 admin center or Microsoft Intune
- Manage organizational message delivery options using Microsoft 365 admin center or Microsoft Intune
- Read organizational message delivery results using Microsoft 365 admin center or Microsoft Intune
- View usage reports and most settings in the Microsoft 365 admin center, but can't make changes
Actions | Description |
---|---|
microsoft.office365.organizationalMessages/allEntities/allProperties/allTasks | Manage all authoring aspects of Microsoft 365 Organizational Messages |
microsoft.office365.usageReports/allEntities/standard/read | Read tenant-level aggregated Office 365 usage reports |
microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
Password Administrator
This is a privileged role. Users with this role have limited ability to manage passwords. This role does not grant the ability to manage service requests or monitor service health. Whether a Password Administrator can reset a user's password depends on the role the user is assigned. For a list of the roles that a Password Administrator can reset passwords for, see Who can reset passwords.
Users with this role cannot do the following:
- Cannot change the credentials or reset MFA for members and owners of a role-assignable group.
Power Platform Administrator
Users in this role can create and manage all aspects of environments, Power Apps, Flows, Data Loss Prevention policies. Additionally, users with this role have the ability to manage support tickets and monitor service health.
Actions | Description |
---|---|
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health |
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets |
microsoft.dynamics365/allEntities/allTasks | Manage all aspects of Dynamics 365 |
microsoft.flow/allEntities/allTasks | Manage all aspects of Microsoft Power Automate |
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests |
microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
microsoft.powerApps/allEntities/allTasks | Manage all aspects of Power Apps |
Printer Administrator
Users in this role can register printers and manage all aspects of all printer configurations in the Microsoft Universal Print solution, including the Universal Print Connector settings. They can consent to all delegated print permission requests. Printer Administrators also have access to print reports.
Actions | Description |
---|---|
microsoft.azure.print/allEntities/allProperties/allTasks | Create and delete printers and connectors, and read and update all properties in Microsoft Print |
Printer Technician
Users with this role can register printers and manage printer status in the Microsoft Universal Print solution. They can also read all connector information. Key task a Printer Technician cannot do is set user permissions on printers and sharing printers.
Actions | Description |
---|---|
microsoft.azure.print/connectors/allProperties/read | Read all properties of connectors in Microsoft Print |
microsoft.azure.print/printers/allProperties/read | Read all properties of printers in Microsoft Print |
microsoft.azure.print/printers/basic/update | Update basic properties of printers in Microsoft Print |
microsoft.azure.print/printers/register | Register printers in Microsoft Print |
microsoft.azure.print/printers/unregister | Unregister printers in Microsoft Print |
Privileged Authentication Administrator
This is a privileged role. Assign the Privileged Authentication Administrator role to users who need to do the following:
- Set or reset any authentication method (including passwords) for any user, including Global Administrators.
- Delete or restore any users, including Global Administrators. For more information, see Who can perform sensitive actions.
- Force users to re-register against existing non-password credential (such as MFA or FIDO) and revoke remember MFA on the device, prompting for MFA on the next sign-in of all users.
- Update sensitive properties for all users. For more information, see Who can perform sensitive actions.
- Create and manage support tickets in Azure and the Microsoft 365 admin center.
Users with this role cannot do the following:
- Cannot manage per-user MFA in the legacy MFA management portal.
The following table compares the capabilities of authentication-related roles.
Role | Manage user's auth methods | Manage per-user MFA | Manage MFA settings | Manage auth method policy | Manage password protection policy | Update sensitive properties | Delete and restore users |
---|---|---|---|---|---|---|---|
Authentication Administrator | Yes for some users | Yes for some users | Yes | No | No | Yes for some users | Yes for some users |
Privileged Authentication Administrator | Yes for all users | Yes for all users | No | No | No | Yes for all users | Yes for all users |
Authentication Policy Administrator | No | Yes | Yes | Yes | Yes | No | No |
User Administrator | No | No | No | No | No | Yes for some users | Yes for some users |
Important
Users with this role can change credentials for people who may have access to sensitive or private information or critical configuration inside and outside of Microsoft Entra ID. Changing the credentials of a user may mean the ability to assume that user's identity and permissions. For example:
- Application Registration and Enterprise Application owners, who can manage credentials of apps they own. Those apps may have privileged permissions in Microsoft Entra ID and elsewhere not granted to Authentication Administrators. Through this path an Authentication Administrator can assume the identity of an application owner and then further assume the identity of a privileged application by updating the credentials for the application.
- Azure subscription owners, who may have access to sensitive or private information or critical configuration in Azure.
- Security Group and Microsoft 365 group owners, who can manage group membership. Those groups may grant access to sensitive or private information or critical configuration in Microsoft Entra ID and elsewhere.
- Administrators in other services outside of Microsoft Entra ID like Exchange Online, Microsoft 365 Defender portal, and Microsoft Purview compliance portal, and human resources systems.
- Non-administrators like executives, legal counsel, and human resources employees who may have access to sensitive or private information.
Privileged Role Administrator
This is a privileged role. Users with this role can manage role assignments in Microsoft Entra ID, as well as within Microsoft Entra Privileged Identity Management. They can create and manage groups that can be assigned to Microsoft Entra roles. In addition, this role allows management of all aspects of Privileged Identity Management and administrative units.
Important
This role grants the ability to manage assignments for all Microsoft Entra roles including the Global Administrator role. This role does not include any other privileged abilities in Microsoft Entra ID like creating or updating users. However, users assigned to this role can grant themselves or others additional privilege by assigning additional roles.
Reports Reader
Users with this role can view usage reporting data and the reports dashboard in Microsoft 365 admin center and the adoption context pack in Fabric and Power BI. Additionally, the role provides access to all sign-in logs, audit logs, and activity reports in Microsoft Entra ID and data returned by the Microsoft Graph reporting API. A user assigned to the Reports Reader role can access only relevant usage and adoption metrics. They don't have any admin permissions to configure settings or access the product-specific admin centers like Exchange. This role has no access to view, create, or manage support tickets.
Actions | Description |
---|---|
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health |
microsoft.directory/auditLogs/allProperties/read | Read all properties on audit logs, excluding custom security attributes audit logs |
microsoft.directory/provisioningLogs/allProperties/read | Read all properties of provisioning logs |
microsoft.directory/signInReports/allProperties/read | Read all properties on sign-in reports, including privileged properties |
microsoft.office365.network/performance/allProperties/read | Read all network performance properties in the Microsoft 365 admin center |
microsoft.office365.usageReports/allEntities/allProperties/read | Read Office 365 usage reports |
microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
Search Administrator
Users in this role have full access to all Microsoft Search management features in the Microsoft 365 admin center. Additionally, these users can view the message center, monitor service health, and create service requests.
Actions | Description |
---|---|
microsoft.office365.messageCenter/messages/read | Read messages in Message Center in the Microsoft 365 admin center, excluding security messages |
microsoft.office365.search/content/manage | Create and delete content, and read and update all properties in Microsoft Search |
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests |
microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
Search Editor
Users in this role can create, manage, and delete content for Microsoft Search in the Microsoft 365 admin center, including bookmarks, Q&As, and locations.
Actions | Description |
---|---|
microsoft.office365.messageCenter/messages/read | Read messages in Message Center in the Microsoft 365 admin center, excluding security messages |
microsoft.office365.search/content/manage | Create and delete content, and read and update all properties in Microsoft Search |
microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
Security Administrator
This is a privileged role. Users with this role have permissions to manage security-related features in the Microsoft 365 Defender portal, Microsoft Entra ID Protection, Microsoft Entra Authentication, Azure Information Protection, and Microsoft Purview compliance portal. For more information about Office 365 permissions, see Roles and role groups in Microsoft Defender for Office 365 and Microsoft Purview compliance.
In | Can do |
---|---|
Microsoft 365 Defender portal | Monitor security-related policies across Microsoft 365 services Manage security threats and alerts View reports |
Privileged Identity Management | All permissions of the Security Reader role Cannot manage Microsoft Entra role assignments or settings |
Microsoft Purview compliance portal | Manage security policies View, investigate, and respond to security threats View reports |
Azure Advanced Threat Protection | Monitor and respond to suspicious security activity |
Microsoft Defender for Endpoint | Assign roles Manage machine groups Configure endpoint threat detection and automated remediation View, investigate, and respond to alerts View machines/device inventory |
Intune | Maps to the Intune Endpoint Security Manager role |
Microsoft Defender for Cloud Apps | Add admins, add policies and settings, upload logs and perform governance actions |
Microsoft 365 service health | View the health of Microsoft 365 services |
Smart lockout | Define the threshold and duration for lockouts when failed sign-in events happen. |
Password Protection | Configure custom banned password list or on-premises password protection. |
Security Operator
This is a privileged role. Users with this role can manage alerts and have global read-only access on security-related features, including all information in Microsoft 365 Defender portal, Microsoft Entra ID Protection, Privileged Identity Management and Microsoft Purview compliance portal. For more information about Office 365 permissions, see Roles and role groups in Microsoft Defender for Office 365 and Microsoft Purview compliance.
In | Can do |
---|---|
Microsoft 365 Defender portal | All permissions of the Security Reader role View, investigate, and respond to security threats alerts Manage security settings in Microsoft 365 Defender portal |
Privileged Identity Management | All permissions of the Security Reader role |
Microsoft Purview compliance portal | All permissions of the Security Reader role View, investigate, and respond to security alerts |
Microsoft Defender for Endpoint | All permissions of the Security Reader role View, investigate, and respond to security alerts When you turn on role-based access control in Microsoft Defender for Endpoint, users with read-only permissions such as the Security Reader role lose access until they are assigned a Microsoft Defender for Endpoint role. |
Intune | All permissions of the Security Reader role |
Microsoft Defender for Cloud Apps | All permissions of the Security Reader role View, investigate, and respond to security alerts |
Microsoft 365 service health | View the health of Microsoft 365 services |
Security Reader
This is a privileged role. Users with this role have global read-only access on security-related feature, including all information in Microsoft 365 Defender portal, Microsoft Entra ID Protection, Privileged Identity Management, as well as the ability to read Microsoft Entra sign-in reports and audit logs, and in Microsoft Purview compliance portal. For more information about Office 365 permissions, see Roles and role groups in Microsoft Defender for Office 365 and Microsoft Purview compliance.
In | Can do |
---|---|
Microsoft 365 Defender portal | View security-related policies across Microsoft 365 services View security threats and alerts View reports |
Privileged Identity Management | Has read-only access to all information surfaced in Microsoft Entra Privileged Identity Management: Policies and reports for Microsoft Entra role assignments and security reviews. Cannot sign up for Microsoft Entra Privileged Identity Management or make any changes to it. In the Privileged Identity Management portal or via PowerShell, someone in this role can activate additional roles (for example, Global Administrator or Privileged Role Administrator), if the user is eligible for them. |
Microsoft Purview compliance portal | View security policies View and investigate security threats View reports |
Microsoft Defender for Endpoint | View and investigate alerts When you turn on role-based access control in Microsoft Defender for Endpoint, users with read-only permissions such as the Security Reader role lose access until they are assigned a Microsoft Defender for Endpoint role. |
Intune | Views user, device, enrollment, configuration, and application information. Cannot make changes to Intune. |
Microsoft Defender for Cloud Apps | Has read permissions. |
Microsoft 365 service health | View the health of Microsoft 365 services |
Service Support Administrator
Users with this role can create and manage support requests with Microsoft for Azure and Microsoft 365 services, and view the service dashboard and message center in the Azure portal and Microsoft 365 admin center. For more information, see About admin roles in the Microsoft 365 admin center.
Note
This role was previously named Service Administrator in the Azure portal and Microsoft 365 admin center. It was renamed to Service Support Administrator to align with the existing name in the Microsoft Graph API and Azure AD PowerShell.
Actions | Description |
---|---|
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health |
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets |
microsoft.office365.network/performance/allProperties/read | Read all network performance properties in the Microsoft 365 admin center |
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests |
microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
SharePoint Administrator
Users with this role have global permissions within Microsoft SharePoint Online, when the service is present, as well as the ability to create and manage all Microsoft 365 groups, manage support tickets, and monitor service health. For more information, see About admin roles in the Microsoft 365 admin center.
Note
In the Microsoft Graph API and Azure AD PowerShell, this role is named SharePoint Service Administrator. In the Azure portal, it is named SharePoint Administrator.
Note
This role also grants scoped permissions to the Microsoft Graph API for Microsoft Intune, allowing the management and configuration of policies related to SharePoint and OneDrive resources.
Actions | Description |
---|---|
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health |
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets |
microsoft.backup/oneDriveForBusinessProtectionPolicies/allProperties/allTasks | Create and manage OneDrive protection policy in Microsoft 365 Backup |
microsoft.backup/oneDriveForBusinessRestoreSessions/allProperties/allTasks | Read and configure restore session for OneDrive in Microsoft 365 Backup |
microsoft.backup/restorePoints/sites/allProperties/allTasks | Manage all restore points associated with selected SharePoint sites in M365 Backup |
microsoft.backup/restorePoints/userDrives/allProperties/allTasks | Manage all restore points associated with selected OneDrive accounts in M365 Backup |
microsoft.backup/sharePointProtectionPolicies/allProperties/allTasks | Create and manage SharePoint protection policy in Microsoft 365 Backup |
microsoft.backup/sharePointRestoreSessions/allProperties/allTasks | Read and configure restore session for SharePoint in Microsoft 365 Backup |
microsoft.backup/siteProtectionUnits/allProperties/allTasks | Manage sites added to SharePoint protection policy in Microsoft 365 Backup |
microsoft.backup/siteRestoreArtifacts/allProperties/allTasks | Manage sites added to restore session for SharePoint in Microsoft 365 Backup |
microsoft.backup/userDriveProtectionUnits/allProperties/allTasks | Manage accounts added to OneDrive protection policy in Microsoft 365 Backup |
microsoft.backup/userDriveRestoreArtifacts/allProperties/allTasks | Manage accounts added to restore session for OneDrive in Microsoft 365 Backup |
microsoft.directory/groups/hiddenMembers/read | Read hidden members of Security groups and Microsoft 365 groups, including role-assignable groups |
microsoft.directory/groups.unified/basic/update | Update basic properties on Microsoft 365 groups, excluding role-assignable groups |
microsoft.directory/groups.unified/create | Create Microsoft 365 groups, excluding role-assignable groups |
microsoft.directory/groups.unified/delete | Delete Microsoft 365 groups, excluding role-assignable groups |
microsoft.directory/groups.unified/members/update | Update members of Microsoft 365 groups, excluding role-assignable groups |
microsoft.directory/groups.unified/owners/update | Update owners of Microsoft 365 groups, excluding role-assignable groups |
microsoft.directory/groups.unified/restore | Restore Microsoft 365 groups from soft-deleted container, excluding role-assignable groups |
microsoft.office365.migrations/allEntities/allProperties/allTasks | Manage all aspects of Microsoft 365 migrations |
microsoft.office365.network/performance/allProperties/read | Read all network performance properties in the Microsoft 365 admin center |
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
microsoft.office365.sharePoint/allEntities/allTasks | Create and delete all resources, and read and update standard properties in SharePoint |
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests |
microsoft.office365.usageReports/allEntities/allProperties/read | Read Office 365 usage reports |
microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
SharePoint Embedded Administrator
Assign the SharePoint Embedded Administrator role to users who need to do the following tasks:
- Perform all tasks using PowerShell, Microsoft Graph API, or SharePoint admin center
- Manage, configure, and maintain SharePoint Embedded containers
- Enumerate and manage SharePoint Embedded containers
- Enumerate and manage permissions for SharePoint Embedded containers
- Manage storage of SharePoint Embedded containers in a tenant
- Assign security and compliance policies on SharePoint Embedded containers
- Apply security and compliance policies on SharePoint Embedded containers in a tenant
Actions | Description |
---|---|
microsoft.office365.fileStorageContainers/allEntities/allProperties/allTasks | Manage all aspects of SharePoint Embedded containers |
microsoft.office365.network/performance/allProperties/read | Read all network performance properties in the Microsoft 365 admin center |
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests |
microsoft.office365.usageReports/allEntities/allProperties/read | Read Office 365 usage reports |
microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
Skype for Business Administrator
Users with this role have global permissions within Microsoft Skype for Business, when the service is present, as well as manage Skype-specific user attributes in Microsoft Entra ID. Additionally, this role grants the ability to manage support tickets and monitor service health, and to access the Teams and Skype for Business admin center. The account must also be licensed for Teams or it can't run Teams PowerShell cmdlets. For more information, see Skype for Business Online Admin and Teams licensing information at Skype for Business add-on licensing.
Note
In the Microsoft Graph API and Azure AD PowerShell, this role is named Lync Service Administrator. In the Azure portal, it is named Skype for Business Administrator.
Actions | Description |
---|---|
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health |
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets |
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
microsoft.office365.skypeForBusiness/allEntities/allTasks | Manage all aspects of Skype for Business Online |
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests |
microsoft.office365.usageReports/allEntities/allProperties/read | Read Office 365 usage reports |
microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
Teams Administrator
Users in this role can manage all aspects of the Microsoft Teams workload via the Microsoft Teams & Skype for Business admin center and the respective PowerShell modules. This includes, among other areas, all management tools related to telephony, messaging, meetings, and the teams themselves. This role additionally grants the ability to create and manage all Microsoft 365 groups, manage support tickets, and monitor service health.
Actions | Description |
---|---|
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health |
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets |
microsoft.directory/authorizationPolicy/standard/read | Read standard properties of authorization policy |
microsoft.directory/crossTenantAccessPolicy/allowedCloudEndpoints/update | Update allowed cloud endpoints of cross-tenant access policy |
microsoft.directory/crossTenantAccessPolicy/default/crossCloudMeetings/update | Update cross-cloud Teams meeting settings of the default cross-tenant access policy |
microsoft.directory/crossTenantAccessPolicy/default/standard/read | Read basic properties of the default cross-tenant access policy |
microsoft.directory/crossTenantAccessPolicy/partners/create | Create cross-tenant access policy for partners |
microsoft.directory/crossTenantAccessPolicy/partners/crossCloudMeetings/update | Update cross-cloud Teams meeting settings of cross-tenant access policy for partners |
microsoft.directory/crossTenantAccessPolicy/partners/standard/read | Read basic properties of cross-tenant access policy for partners |
microsoft.directory/crossTenantAccessPolicy/standard/read | Read basic properties of cross-tenant access policy |
microsoft.directory/externalUserProfiles/basic/update | Update basic properties of external user profiles in the extended directory for Teams |
microsoft.directory/externalUserProfiles/delete | Delete external user profiles in the extended directory for Teams |
microsoft.directory/externalUserProfiles/standard/read | Read standard properties of external user profiles in the extended directory for Teams |
microsoft.directory/groups/hiddenMembers/read | Read hidden members of Security groups and Microsoft 365 groups, including role-assignable groups |
microsoft.directory/groups.unified/basic/update | Update basic properties on Microsoft 365 groups, excluding role-assignable groups |
microsoft.directory/groups.unified/create | Create Microsoft 365 groups, excluding role-assignable groups |
microsoft.directory/groups.unified/delete | Delete Microsoft 365 groups, excluding role-assignable groups |
microsoft.directory/groups.unified/members/update | Update members of Microsoft 365 groups, excluding role-assignable groups |
microsoft.directory/groups.unified/owners/update | Update owners of Microsoft 365 groups, excluding role-assignable groups |
microsoft.directory/groups.unified/restore | Restore Microsoft 365 groups from soft-deleted container, excluding role-assignable groups |
microsoft.directory/pendingExternalUserProfiles/basic/update | Update basic properties of external user profiles in the extended directory for Teams |
microsoft.directory/pendingExternalUserProfiles/create | Create external user profiles in the extended directory for Teams |
microsoft.directory/pendingExternalUserProfiles/delete | Delete external user profiles in the extended directory for Teams |
microsoft.directory/pendingExternalUserProfiles/standard/read | Read standard properties of external user profiles in the extended directory for Teams |
microsoft.directory/permissionGrantPolicies/standard/read | Read standard properties of permission grant policies |
microsoft.office365.network/performance/allProperties/read | Read all network performance properties in the Microsoft 365 admin center |
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
microsoft.office365.skypeForBusiness/allEntities/allTasks | Manage all aspects of Skype for Business Online |
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests |
microsoft.office365.usageReports/allEntities/allProperties/read | Read Office 365 usage reports |
microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
microsoft.teams/allEntities/allProperties/allTasks | Manage all resources in Teams |
Teams Communications Administrator
Users in this role can manage aspects of the Microsoft Teams workload related to voice & telephony. This includes the management tools for telephone number assignment, voice and meeting policies, and full access to the call analytics toolset.
Actions | Description |
---|---|
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health |
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets |
microsoft.directory/authorizationPolicy/standard/read | Read standard properties of authorization policy |
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
microsoft.office365.skypeForBusiness/allEntities/allTasks | Manage all aspects of Skype for Business Online |
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests |
microsoft.office365.usageReports/allEntities/allProperties/read | Read Office 365 usage reports |
microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
microsoft.teams/callQuality/allProperties/read | Read all data in the Call Quality Dashboard (CQD) |
microsoft.teams/meetings/allProperties/allTasks | Manage meetings including meeting policies, configurations, and conference bridges |
microsoft.teams/voice/allProperties/allTasks | Manage voice including calling policies and phone number inventory and assignment |
Teams Communications Support Engineer
Users in this role can troubleshoot communication issues within Microsoft Teams & Skype for Business using the user call troubleshooting tools in the Microsoft Teams & Skype for Business admin center. Users in this role can view full call record information for all participants involved. This role has no access to view, create, or manage support tickets.
Actions | Description |
---|---|
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health |
microsoft.directory/authorizationPolicy/standard/read | Read standard properties of authorization policy |
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
microsoft.office365.skypeForBusiness/allEntities/allTasks | Manage all aspects of Skype for Business Online |
microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
microsoft.teams/callQuality/allProperties/read | Read all data in the Call Quality Dashboard (CQD) |
Teams Communications Support Specialist
Users in this role can troubleshoot communication issues within Microsoft Teams & Skype for Business using the user call troubleshooting tools in the Microsoft Teams & Skype for Business admin center. Users in this role can only view user details in the call for the specific user they have looked up. This role has no access to view, create, or manage support tickets.
Actions | Description |
---|---|
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health |
microsoft.directory/authorizationPolicy/standard/read | Read standard properties of authorization policy |
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
microsoft.office365.skypeForBusiness/allEntities/allTasks | Manage all aspects of Skype for Business Online |
microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
microsoft.teams/callQuality/standard/read | Read basic data in the Call Quality Dashboard (CQD) |
Teams Devices Administrator
Users with this role can manage Teams-certified devices from the Teams admin center. This role allows viewing all devices at single glance, with ability to search and filter devices. The user can check details of each device including logged-in account, make and model of the device. The user can change the settings on the device and update the software versions. This role does not grant permissions to check Teams activity and call quality of the device.
Actions | Description |
---|---|
microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
microsoft.teams/devices/standard/read | Manage all aspects of Teams-certified devices including configuration policies |
Teams Telephony Administrator
Assign the Teams Telephony Administrator role to users who need to do the following tasks:
- Manage voice and telephony, including calling policies, phone number management and assignment, and voice applications
- Access to only Public Switched Telephone Network (PSTN) usage reports from Teams admin center
- View user profile page
- Create and manage support tickets in Azure and the Microsoft 365 admin center
Actions | Description |
---|---|
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health |
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets |
microsoft.directory/authorizationPolicy/standard/read | Read standard properties of authorization policy |
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
microsoft.office365.skypeForBusiness/allEntities/allTasks | Manage all aspects of Skype for Business Online |
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests |
microsoft.office365.usageReports/allEntities/allProperties/read | Read Office 365 usage reports |
microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
microsoft.teams/callQuality/allProperties/read | Read all data in the Call Quality Dashboard (CQD) |
microsoft.teams/voice/allProperties/allTasks | Manage voice including calling policies and phone number inventory and assignment |
Tenant Creator
Assign the Tenant Creator role to users who need to do the following tasks:
- Create both Microsoft Entra and Azure Active Directory B2C tenants even if the tenant creation toggle is turned off in the user settings
Note
The tenant creators will be assigned the Global Administrator role on the new tenants they create.
Actions | Description |
---|---|
microsoft.directory/tenantManagement/tenants/create | Create new tenants in Microsoft Entra ID |
Usage Summary Reports Reader
Assign the Usage Summary Reports Reader role to users who need to do the following tasks in the Microsoft 365 admin center:
- View the Usage reports and Adoption Score
- Read organizational insights, but not personally identifiable information (PII) of users
This role only allows users to view organizational-level data with the following exceptions:
- Member users can view user management data and settings.
- Guest users assigned this role cannot view user management data and settings.
Actions | Description |
---|---|
microsoft.office365.network/performance/allProperties/read | Read all network performance properties in the Microsoft 365 admin center |
microsoft.office365.usageReports/allEntities/standard/read | Read tenant-level aggregated Office 365 usage reports |
microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
User Administrator
This is a privileged role. Assign the User Administrator role to users who need to do the following:
Permission | More information |
---|---|
Create users | |
Update most user properties for all users, including all administrators | Who can perform sensitive actions |
Update sensitive properties (including user principal name) for some users | Who can perform sensitive actions |
Disable or enable some users | Who can perform sensitive actions |
Delete or restore some users | Who can perform sensitive actions |
Create and manage user views | |
Create and manage all groups | |
Assign and read licenses for all users, including all administrators | |
Reset passwords | Who can reset passwords |
Invalidate refresh tokens | Who can reset passwords |
Update (FIDO) device keys | |
Update password expiration policies | |
Create and manage support tickets in Azure and the Microsoft 365 admin center | |
Monitor service health |
Users with this role cannot do the following:
- Cannot manage MFA.
- Cannot change the credentials or reset MFA for members and owners of a role-assignable group.
- Cannot manage shared mailboxes.
- Cannot modify security questions for password reset operation.
Important
Users with this role can change passwords for people who may have access to sensitive or private information or critical configuration inside and outside of Microsoft Entra ID. Changing the password of a user may mean the ability to assume that user's identity and permissions. For example:
- Application Registration and Enterprise Application owners, who can manage credentials of apps they own. Those apps may have privileged permissions in Microsoft Entra ID and elsewhere not granted to User Administrators. Through this path a User Administrator may be able to assume the identity of an application owner and then further assume the identity of a privileged application by updating the credentials for the application.
- Azure subscription owners, who may have access to sensitive or private information or critical configuration in Azure.
- Security Group and Microsoft 365 group owners, who can manage group membership. Those groups may grant access to sensitive or private information or critical configuration in Microsoft Entra ID and elsewhere.
- Administrators in other services outside of Microsoft Entra ID like Exchange Online, Microsoft 365 Defender portal, Microsoft Purview compliance portal, and human resources systems.
- Non-administrators like executives, legal counsel, and human resources employees who may have access to sensitive or private information.
Virtual Visits Administrator
Users with this role can do the following tasks:
- Manage and configure all aspects of Virtual Visits in Bookings in the Microsoft 365 admin center, and in the Teams EHR connector
- View usage reports for Virtual Visits in the Teams admin center, Microsoft 365 admin center, Fabric, and Power BI
- View features and settings in the Microsoft 365 admin center, but can't edit any settings
Virtual Visits are a simple way to schedule and manage online and video appointments for staff and attendees. For example, usage reporting can show how sending SMS text messages before appointments can reduce the number of people who don't show up for appointments.
Actions | Description |
---|---|
microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
microsoft.virtualVisits/allEntities/allProperties/allTasks | Manage and share Virtual Visits information and metrics from admin centers or the Virtual Visits app |
Windows 365 Administrator
Users with this role have global permissions on Windows 365 resources, when the service is present. Additionally, this role contains the ability to manage users and devices in order to associate policy, as well as create and manage groups.
This role can create and manage security groups, but does not have administrator rights over Microsoft 365 groups. That means administrators cannot update owners or memberships of Microsoft 365 groups in the organization. However, they can manage the Microsoft 365 group they create, which is a part of their end-user privileges. So, any Microsoft 365 group (not security group) they create is counted against their quota of 250.
Assign the Windows 365 Administrator role to users who need to do the following tasks:
- Manage Windows 365 Cloud PCs in Microsoft Intune
- Enroll and manage devices in Microsoft Entra ID, including assigning users and policies
- Create and manage security groups, but not role-assignable groups
- View basic properties in the Microsoft 365 admin center
- Read usage reports in the Microsoft 365 admin center
- Create and manage support tickets in Azure and the Microsoft 365 admin center
Actions | Description |
---|---|
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets |
microsoft.cloudPC/allEntities/allProperties/allTasks | Manage all aspects of Windows 365 |
microsoft.directory/deletedItems.devices/delete | Permanently delete devices, which can no longer be restored |
microsoft.directory/deletedItems.devices/restore | Restore soft deleted devices to original state |
microsoft.directory/deviceManagementPolicies/standard/read | Read standard properties on mobile device management and mobile app management policies |
microsoft.directory/deviceRegistrationPolicy/standard/read | Read standard properties on device registration policies |
microsoft.directory/devices/basic/update | Update basic properties on devices |
microsoft.directory/devices/create | Create devices (enroll in Microsoft Entra ID) |
microsoft.directory/devices/delete | Delete devices from Microsoft Entra ID |
microsoft.directory/devices/disable | Disable devices in Microsoft Entra ID |
microsoft.directory/devices/enable | Enable devices in Microsoft Entra ID |
microsoft.directory/devices/extensionAttributeSet1/update | Update the extensionAttribute1 to extensionAttribute5 properties on devices |
microsoft.directory/devices/extensionAttributeSet2/update | Update the extensionAttribute6 to extensionAttribute10 properties on devices |
microsoft.directory/devices/extensionAttributeSet3/update | Update the extensionAttribute11 to extensionAttribute15 properties on devices |
microsoft.directory/devices/registeredOwners/update | Update registered owners of devices |
microsoft.directory/devices/registeredUsers/update | Update registered users of devices |
microsoft.directory/groups.security/basic/update | Update basic properties on Security groups, excluding role-assignable groups |
microsoft.directory/groups.security/classification/update | Update the classification property on Security groups, excluding role-assignable groups |
microsoft.directory/groups.security/create | Create Security groups, excluding role-assignable groups |
microsoft.directory/groups.security/delete | Delete Security groups, excluding role-assignable groups |
microsoft.directory/groups.security/dynamicMembershipRule/update | Update the dynamic membership rule on Security groups, excluding role-assignable groups |
microsoft.directory/groups.security/members/update | Update members of Security groups, excluding role-assignable groups |
microsoft.directory/groups.security/owners/update | Update owners of Security groups, excluding role-assignable groups |
microsoft.directory/groups.security/visibility/update | Update the visibility property on Security groups, excluding role-assignable groups |
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests |
microsoft.office365.usageReports/allEntities/allProperties/read | Read Office 365 usage reports |
microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
Windows Update Deployment Administrator
Users in this role can create and manage all aspects of Windows Update deployments through the Windows Update for Business deployment service. The deployment service enables users to define settings for when and how updates are deployed, and specify which updates are offered to groups of devices in their tenant. It also allows users to monitor the update progress.
Actions | Description |
---|---|
microsoft.windows.updatesDeployments/allEntities/allProperties/allTasks | Read and configure all aspects of Windows Update Service |
Deprecated roles
The following roles should not be used. They have been deprecated and will be removed from Microsoft Entra ID in the future.
- AdHoc License Administrator
- Device Join
- Device Managers
- Device Users
- Email Verified User Creator
- Mailbox Administrator
- Workplace Device Join
Roles not shown in the portal
Not every role returned by PowerShell or MS Graph API is visible in Azure portal. The following table organizes those differences.
API name | Azure portal name | Notes |
---|---|---|
Device Join | Deprecated | Deprecated roles documentation |
Device Managers | Deprecated | Deprecated roles documentation |
Device Users | Deprecated | Deprecated roles documentation |
Directory Synchronization Accounts | Not shown because it shouldn't be used | Directory Synchronization Accounts documentation |
Guest User | Not shown because it can't be used | NA |
Partner Tier 1 Support | Not shown because it shouldn't be used | Partner Tier1 Support documentation |
Partner Tier 2 Support | Not shown because it shouldn't be used | Partner Tier2 Support documentation |
Restricted Guest User | Not shown because it can't be used | NA |
User | Not shown because it can't be used | NA |
Workplace Device Join | Deprecated | Deprecated roles documentation |