Least privileged roles by task in Microsoft Entra ID

  • Article

This article describes the least privileged role you should use for several tasks in Microsoft Entra ID. You will find tasks organized by feature area and the least privileged role required to perform each task, along with additional non-Global Administrator roles that can perform the task.

You can further restrict permissions by assigning roles at smaller scopes or by creating your own custom roles. For more information, see Assign Microsoft Entra roles or Create a custom role in Microsoft Entra ID.

External Identities/Azure AD B2C least privileged roles

Here are the least privileged roles you should use when performing tasks in Microsoft Entra External ID and Azure Active Directory B2C.

Task Least privileged role Additional roles
Create Azure AD B2C directories All non-guest users
Create enterprise applications Cloud Application Administrator Application Administrator
Create, read, update, and delete B2C policies B2C IEF Policy Administrator
Create, read, update, and delete identity providers External Identity Provider Administrator
Create, read, update, and delete password reset user flows External ID User Flow Administrator
Create, read, update, and delete profile editing user flows External ID User Flow Administrator
Create, read, update, and delete sign-in user flows External ID User Flow Administrator
Create, read, update, and delete sign-up user flow External ID User Flow Administrator
Create, read, update, and delete user attributes External ID User Flow Attribute Administrator
Create, read, update, and delete users User Administrator
Configure B2B external collaboration settings - Guest user access Privileged Role Administrator
Configure B2B external collaboration settings - Guest invite settings Guest Inviter External ID User Flow Administrator
Configure B2B external collaboration settings - External user leave settings External Identity Provider Administrator
Configure B2B external collaboration settings - Collaboration restrictions Global Administrator
Read all configuration Global Reader
Read B2C audit logs Global Reader

Note

Azure AD B2C Global Administrators do not have the same permissions as Microsoft Entra Global Administrators. If you have Azure AD B2C Global Administrator privileges, make sure that you are in an Azure AD B2C directory and not a Microsoft Entra directory.

Company branding least privileged roles

Here are the least privileged roles you should use when performing tasks for company branding in Microsoft Entra ID.

Task Least privileged role Additional roles
Configure company branding Organizational Branding Administrator
Read all configuration Directory Readers Default user role

Connect least privileged roles

Here are the least privileged roles you should use when performing tasks in Microsoft Entra Connect.

Task Least privileged role Additional roles
Read all configuration Global Reader Hybrid Identity Administrator

Connect Sync least privileged roles

Here are the least privileged roles you should use when performing tasks in Microsoft Entra Connect Sync.

Task Least privileged role Additional roles
Manage on-premises directory synchronization Hybrid Identity Administrator

Custom domain names least privileged roles

Here are the least privileged roles you should use when performing tasks for custom domain names in Microsoft Entra ID.

Task Least privileged role Additional roles
Manage domains Domain Name Administrator
Read all configuration Directory Readers Default user role

Domain Services least privileged roles

Here are the least privileged roles you should use when performing tasks in Microsoft Entra Domain Services.

Task Least privileged role Additional roles
Create Microsoft Entra Domain Services instance Application Administrator
Groups Administrator
Domain Services Contributor
Perform all Microsoft Entra Domain Services tasks AAD DC Administrators group
Read all configuration Reader on Azure subscription containing AD DS service

Devices least privileged roles

Here are the least privileged roles you should use when performing tasks for device identity in Microsoft Entra ID.

Task Least privileged role Additional roles
Delete device Cloud Device Administrator Intune Administrator
Disable device Cloud Device Administrator Intune Administrator
Enable device Cloud Device Administrator Intune Administrator
Read basic configuration Default user role
Read BitLocker keys Cloud Device Administrator Helpdesk Administrator
Intune Administrator
Security Administrator
Security Reader

Enterprise applications least privileged roles

Here are the least privileged roles you should use when performing tasks for application management in Microsoft Entra ID.

Task Least privileged role Additional roles
Consent to any delegated permissions Cloud Application Administrator Application Administrator
Consent to application permissions not including Microsoft Graph Cloud Application Administrator Application Administrator
Consent to application permissions to Microsoft Graph Privileged Role Administrator
Consent to applications accessing own data Default user role
Create enterprise application Cloud Application Administrator Application Administrator
Manage Application Proxy Application Administrator
Read access review of a group or of an app Security Reader Security Administrator
User Administrator
Read all configuration Default user role
Update enterprise application assignments Enterprise application owner Cloud Application Administrator
Application Administrator
User Administrator
Update enterprise application owners Enterprise application owner Cloud Application Administrator
Application Administrator
Update enterprise application properties Enterprise application owner Cloud Application Administrator
Application Administrator
Update enterprise application provisioning Enterprise application owner Cloud Application Administrator
Application Administrator
Update enterprise application self-service Enterprise application owner Cloud Application Administrator
Application Administrator
Update single sign-on properties Enterprise application owner Cloud Application Administrator
Application Administrator
Create and modify custom authentication extensions Authentication Extensibility Administrator Application Administrator

Entitlement management least privileged roles

Here are the least privileged roles you should use when performing tasks for entitlement management in Microsoft Entra ID Governance.

Task Least privileged role Additional roles
Tasks in Entitlement Management Identity Governance Administrator. For roles lesser privlege than this within the Entitlement Management system, see: Delegation and roles in entitlement management.

Groups least privileged roles

Here are the least privileged roles you should use when performing tasks for groups in Microsoft Entra ID.

Task Least privileged role Additional roles
Assign license User Administrator
Create group Groups Administrator User Administrator
Create, update, or delete access review of a group or of an app User Administrator
Manage group expiration User Administrator
Manage group settings Groups Administrator User Administrator
Read all configuration (except hidden membership) Directory Readers Default user role
Read hidden membership Group member Group owner
Password Administrator
Exchange Administrator
SharePoint Administrator
Teams Administrator
User Administrator
Read membership of groups with hidden membership Helpdesk Administrator User Administrator
Teams Administrator
Revoke license License Administrator User Administrator
Update dynamic membership groups Group owner User Administrator
Update group owners Group owner User Administrator
Update group properties Group owner User Administrator
Delete group Groups Administrator User Administrator

Licenses least privileged roles

Here are the least privileged roles you should use when performing tasks for Microsoft Entra licensing.

Task Least privileged role Additional roles
Assign license License Administrator User Administrator
Read all configuration Directory Readers Default user role
Revoke license License Administrator User Administrator
Try or buy subscription Billing Administrator

Microsoft Entra Health least privileged roles

Here are the least privileged roles you should use when performing tasks in Microsoft Entra Health monitoring.

Task Least privileged role Additional roles
View scenario monitoring signals Reports Reader Security Reader
Security Operator
Security Administrator
Helpdesk Administrator
Global Reader

Monitoring and health - Audit and sign-in logs least privileged roles

Here are the least privileged roles you should use when performing tasks for audit and sign-in logs in Microsoft Entra monitoring.

Task Least privileged role Additional roles
Read audit and sign-in logs Reports Reader Application Administrator
Cloud Application Administrator
Cloud Device Administrator
Global Secure Access Administrator
Hybrid Identity Administrator
Security Administrator
Security Operator
Security Reader

Monitoring and health - Recommendations least privileged roles

Here are the least privileged roles you should use when performing tasks for Microsoft Entra identity recommendations.

Task Least privileged role Additional roles
Read recommendations Reports Reader Security Reader
Global Reader
Helpdesk Administrator
Service Support Administrator
User Administrator
Update recommendations Authentication Policy Administrator Application Administrator
Authentication Administrator
Cloud Application Administrator
Conditional Access Administrator
Exchange Administrator
Hybrid Identity Administrator
Identity Governance Administrator
Privileged Role Administrator
Security Administrator
Security Operator
SharePoint Administrator

Monitoring and health - Sign-in diagnostic tool

Here are the least privileged roles you should use when running the sign-in diagnostic tool.

Task Least privileged roles Additional roles
Use sign-in diagnostic from Diagnose and solve problems Billing Administrator Application Administrator
Cloud Application Administrator
Cloud Device Administrator
Conditional Access Administrator
Customer LockBox Access Approver
Groups Administrator
License Administrator
Global Reader
Helpdesk Administrator
Privileged Role Administrator
Security Administrator
User Administrator
Use sign-in diagnostic from the Sign-in logs BOTH Reports Reader AND Billing Administrator Global Secure Access Administrator
Hybrid Identity Administrator
Security Administrator
Security Operator
Security Reader

Multifactor authentication least privileged roles

Here are the least privileged roles you should use when performing tasks in Microsoft Entra authentication.

Task Least privileged role Additional roles
Delete all existing app passwords generated by the selected users Authentication Policy Administrator Authentication Administrator
Disable per-user MFA Authentication Administrator Privileged Authentication Administrator
Enable per-user MFA Authentication Administrator Privileged Authentication Administrator
Manage MFA service settings Authentication Policy Administrator
Require selected users to provide contact methods again Authentication Administrator
Restore multifactor authentication on all remembered devices  Authentication Administrator

Organizational relationships least privileged roles

Here are the least privileged roles you should use when performing tasks for external collaboration settings in Microsoft Entra External ID.

Task Least privileged role Additional roles
Manage identity providers External Identity Provider Administrator
Read all configuration Global Reader

Password reset least privileged roles

Here are the least privileged roles you should use when performing tasks for password reset in Microsoft Entra ID.

Task Least privileged role Additional roles
Configure authentication methods Authentication Policy Administrator
Configure customization Authentication Policy Administrator
Configure notification Authentication Policy Administrator
Configure on-premises integration Authentication Policy Administrator
Configure password reset properties User Administrator Authentication Policy Administrator
Configure registration Authentication Policy Administrator
Read all configuration Security Administrator User Administrator

Privileged Identity Management least privileged roles

Here are the least privileged roles you should use when performing tasks for Microsoft Entra Privileged Identity Management in Microsoft Entra ID Governance.

Task Least privileged role Additional roles
Assign users to roles Privileged Role Administrator
Configure role settings Privileged Role Administrator
View audit activity Security Reader
View role memberships Security Reader

Roles and administrators least privileged roles

Here are the least privileged roles you should use when performing tasks for roles and administrators in Microsoft Entra ID.

Task Least privileged role Additional roles
Manage role assignments Privileged Role Administrator
Read access review of a Microsoft Entra role Security Reader Security Administrator
Privileged Role Administrator
Read all configuration Default user role

Security - Authentication methods least privileged roles

Here are the least privileged roles you should use when performing tasks for authentication methods in Microsoft Entra ID.

Task Least privileged role Additional roles
Enable or disable authentication methods Authentication Policy Administrator
View, provision on behalf of, and manage individual user authentication methods Authentication Administrator Privileged Authentication Administrator
Configure password protection Security Administrator
Configure smart lockout Security Administrator
Read all configuration Global Reader

Security - Conditional Access least privileged roles

Here are the least privileged roles you should use when performing tasks for Conditional Access in Microsoft Entra ID.

Task Least privileged role Additional roles
Configure MFA trusted IP addresses Conditional Access Administrator
Create custom controls Conditional Access Administrator Security Administrator
Create named locations Conditional Access Administrator Security Administrator
Create policies Conditional Access Administrator Security Administrator
Create terms of use Conditional Access Administrator Security Administrator
Create VPN connectivity certificate Cloud Application Administrator Application Administrator
Delete classic policy Conditional Access Administrator Security Administrator
Delete terms of use Conditional Access Administrator Security Administrator
Delete VPN connectivity certificate Conditional Access Administrator Security Administrator
Disable classic policy Conditional Access Administrator Security Administrator
Manage custom controls Conditional Access Administrator Security Administrator
Manage named locations Conditional Access Administrator Security Administrator
Manage terms of use Conditional Access Administrator Security Administrator
Read all configuration Security Reader
Read named locations Security Reader
Read terms of use Security Reader Global Reader
Read which terms of use were accepted by the signed-in user Default user role

Security - Identity Security Score least privileged roles

Here are the least privileged roles you should use when performing tasks for Identity Secure Score in Microsoft Entra ID.

Task Least privileged role Additional roles
Read all configuration Security Reader Security Administrator
Read security score Security Reader Security Administrator
Update event status Security Administrator

Tenants least privileged roles

Here are the least privileged roles you should use when performing tasks in Microsoft Entra tenants.

Task Least privileged role Additional roles
Create Microsoft Entra ID or Azure AD B2C Tenant Tenant Creator
Update Microsoft Entra tenant properties Billing Administrator
Manage privacy statement and contact Billing Administrator

Users least privileged roles

Here are the least privileged roles you should use when performing tasks for users in Microsoft Entra ID.

Task Least privileged role Additional roles
Add user to directory role Privileged Role Administrator
Add user to group User Administrator
Assign license License Administrator User Administrator
Create guest user Guest Inviter User Administrator
Reset guest user invite Helpdesk Administrator User Administrator
Create user User Administrator
Delete users User Administrator
Invalidate refresh tokens of limited admins User Administrator
Invalidate refresh tokens of non-admins Helpdesk Administrator User Administrator
Invalidate refresh tokens of privileged admins Privileged Authentication Administrator
Read basic configuration Default user role
Reset password for limited admins User Administrator
Reset password of non-admins Password Administrator User Administrator
Reset password of privileged admins Privileged Authentication Administrator
Revoke license License Administrator User Administrator
Update all properties except User Principal Name User Administrator
Update On-premises sync enabled property Hybrid Identity Administrator
Update User Principal Name for limited admins User Administrator
Update User Principal Name property on privileged admins Privileged Authentication Administrator
Update user settings - Default user role permissions Privileged Role Administrator
Update user settings - Guest user access Privileged Role Administrator
Update user settings - Administration center Global Administrator
Update user settings - Show keep user signed in Global Administrator
Update Authentication methods Authentication Administrator Privileged Authentication Administrator

Support least privileged roles

Here are the least privileged roles you should use when performing tasks for support in Microsoft Entra ID.

Task Least privileged role Additional roles
Submit support ticket Service Support Administrator Application Administrator
Azure Information Protection Administrator
Billing Administrator
Cloud Application Administrator
Compliance Administrator
Dynamics 365 Administrator
Desktop Analytics Administrator
Exchange Administrator
Intune Administrator
Password Administrator
Fabric Administrator
Privileged Authentication Administrator
SharePoint Administrator
Skype for Business Administrator
Teams Administrator
Teams Communications Administrator
User Administrator

Next steps