Least privileged roles by task in Microsoft Entra ID
In this article, you can find the information needed to restrict a user's administrator permissions by assigning least privileged roles in Microsoft Entra ID. You will find tasks organized by feature area and the least privileged role required to perform each task, along with additional non-Global Administrator roles that can perform the task.
You can further restrict permissions by assigning roles at smaller scopes or by creating your own custom roles. For more information, see Assign Microsoft Entra roles at different scopes or Create and assign a custom role in Microsoft Entra ID.
External Identities/B2C
Note
Azure AD B2C Global Administrators do not have the same permissions as Microsoft Entra Global Administrators. If you have Azure AD B2C Global Administrator privileges, make sure that you are in an Azure AD B2C directory and not a Microsoft Entra directory.
Company branding
Task | Least privileged role | Additional roles |
---|---|---|
Configure company branding | Organizational Branding Administrator | |
Read all configuration | Directory Readers | Default user role |
Connect
Task | Least privileged role | Additional roles |
---|---|---|
Read all configuration | Global Reader | Hybrid Identity Administrator |
Cloud Provisioning
Task | Least privileged role | Additional roles |
---|---|---|
Read all configuration | Global Reader | Hybrid Identity Administrator |
Custom domain names
Task | Least privileged role | Additional roles |
---|---|---|
Manage domains | Domain Name Administrator | |
Read all configuration | Directory Readers | Default user role |
Domain Services
Task | Least privileged role | Additional roles |
---|---|---|
Create Microsoft Entra Domain Services instance | Application Administrator Groups Administrator Domain Services Contributor |
|
Perform all Microsoft Entra Domain Services tasks | AAD DC Administrators group | |
Read all configuration | Reader on Azure subscription containing AD DS service |
Devices
Task | Least privileged role | Additional roles |
---|---|---|
Delete device | Cloud Device Administrator | Intune Administrator |
Disable device | Cloud Device Administrator | Intune Administrator |
Enable device | Cloud Device Administrator | Intune Administrator |
Read basic configuration | Default user role | |
Read BitLocker keys | Cloud Device Administrator | Helpdesk Administrator Intune Administrator Security Administrator Security Reader |
Enterprise applications
Entitlement management
Task | Least privileged role | Additional roles |
---|---|---|
Add resources to a catalog | Identity Governance Administrator | With entitlement management, you can delegate this task to the catalog owner |
Add SharePoint Online sites to catalog | SharePoint Administrator |
Groups
Task | Least privileged role | Additional roles |
---|---|---|
Assign license | User Administrator | |
Create group | Groups Administrator | User Administrator |
Create, update, or delete access review of a group or of an app | User Administrator | |
Manage group expiration | User Administrator | |
Manage group settings | Groups Administrator | User Administrator |
Read all configuration (except hidden membership) | Directory Readers | Default user role |
Read hidden membership | Group member | Group owner Password Administrator Exchange Administrator SharePoint Administrator Teams Administrator User Administrator |
Read membership of groups with hidden membership | Helpdesk Administrator | User Administrator Teams Administrator |
Revoke license | License Administrator | User Administrator |
Update dynamic membership groups | Group owner | User Administrator |
Update group owners | Group owner | User Administrator |
Update group properties | Group owner | User Administrator |
Delete group | Groups Administrator | User Administrator |
Licenses
Task | Least privileged role | Additional roles |
---|---|---|
Assign license | License Administrator | User Administrator |
Read all configuration | Directory Readers | Default user role |
Revoke license | License Administrator | User Administrator |
Try or buy subscription | Billing Administrator |
Microsoft Entra Health
Task | Least privileged role | Additional roles |
---|---|---|
View scenario monitoring signals | Reports Reader | Security Reader Security Operator Security Administrator Helpdesk Administrator Global Reader |
Monitoring and health - Audit and sign-in logs
Task | Least privileged role | Additional roles |
---|---|---|
Read audit logs | Reports Reader | Application Administrator Cloud Application Administrator Cloud Device Administrator Global Secure Access Administrator Hybrid Identity Administrator Security Administrator Security Operator Security Reader |
Monitoring and health - Recommendations
Multifactor authentication
Task | Least privileged role | Additional roles |
---|---|---|
Delete all existing app passwords generated by the selected users | Authentication Policy Administrator | Authentication Administrator |
Disable per-user MFA | Authentication Administrator | Privileged Authentication Administrator |
Enable per-user MFA | Authentication Administrator | Privileged Authentication Administrator |
Manage MFA service settings | Authentication Policy Administrator | |
Require selected users to provide contact methods again | Authentication Administrator | |
Restore multifactor authentication on all remembered devices | Authentication Administrator |
Organizational relationships
Task | Least privileged role | Additional roles |
---|---|---|
Manage identity providers | External Identity Provider Administrator | |
Read all configuration | Global Reader |
Password reset
Task | Least privileged role | Additional roles |
---|---|---|
Configure authentication methods | Authentication Policy Administrator | |
Configure customization | Authentication Policy Administrator | |
Configure notification | Authentication Policy Administrator | |
Configure on-premises integration | Authentication Policy Administrator | |
Configure password reset properties | User Administrator | Authentication Policy Administrator |
Configure registration | Authentication Policy Administrator | |
Read all configuration | Security Administrator | User Administrator |
Privileged identity management
Task | Least privileged role | Additional roles |
---|---|---|
Assign users to roles | Privileged Role Administrator | |
Configure role settings | Privileged Role Administrator | |
View audit activity | Security Reader | |
View role memberships | Security Reader |
Roles and administrators
Task | Least privileged role | Additional roles |
---|---|---|
Manage role assignments | Privileged Role Administrator | |
Read access review of a Microsoft Entra role | Security Reader | Security Administrator Privileged Role Administrator |
Read all configuration | Default user role |
Security - Authentication methods
Task | Least privileged role | Additional roles |
---|---|---|
Enable or disable authentication methods | Authentication Policy Administrator | |
View, provision on behalf of, and manage individual user authentication methods | Authentication Administrator | Privileged Authentication Administrator |
Configure password protection | Security Administrator | |
Configure smart lockout | Security Administrator | |
Read all configuration | Global Reader |
Security - Conditional Access
Security - Identity security score
Task | Least privileged role | Additional roles |
---|---|---|
Read all configuration | Security Reader | Security Administrator |
Read security score | Security Reader | Security Administrator |
Update event status | Security Administrator |
Security - Risky sign-ins
Task | Least privileged role | Additional roles |
---|---|---|
Read all configuration | Security Reader | |
Read risky sign-ins | Security Reader |
Security - Users flagged for risk
Task | Least privileged role | Additional roles |
---|---|---|
Dismiss all events | Security Administrator | |
Read all configuration | Security Reader | |
Read users flagged for risk | Security Reader |
Temporary Access Pass
Task | Least privileged role | Additional roles |
---|---|---|
Create, delete, or view a Temporary Access Pass for admins or members (except themselves) | Privileged Authentication Administrator | |
Create, delete, or view a Temporary Access Pass for members (except themselves) | Authentication Administrator | |
View a Temporary Access Pass details for a user (without reading the code itself) | Global Reader | |
Configure or update the Temporary Access Pass authentication method policy | Authentication Policy Administrator |
Tenant
Task | Least privileged role | Additional roles |
---|---|---|
Create Microsoft Entra ID or Azure AD B2C Tenant | Tenant Creator | |
Update Microsoft Entra tenant properties | Billing Administrator | |
Manage privacy statement and contact | Billing Administrator |