Privileged roles and permissions in Microsoft Entra ID (preview)
Important
The label for privileged roles and permissions is currently in PREVIEW. See the Supplemental Terms of Use for Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Microsoft Entra ID has roles and permissions that are identified as privileged. These roles and permissions can be used to delegate management of directory resources to other users, modify credentials, authentication or authorization policies, or access restricted data. Privileged role assignments can lead to elevation of privilege if not used in a secure and intended manner. This article describes privileged roles and permissions and best practices for how to use.
Which roles and permissions are privileged?
For a list of privileged roles and permissions, see Microsoft Entra built-in roles. You can also use the Microsoft Entra admin center, Microsoft Graph PowerShell, or Microsoft Graph API to identify roles, permissions, and role assignments that are identified as privileged.
In the Microsoft Entra admin center, look for the PRIVILEGED label.
On the Roles and administrators page, privileged roles are identified in the Privileged column. The Assignments column lists the number of role assignments. You can also filter privileged roles.
When you view the permissions for a privileged role, you can see which permissions are privileged. If you view the permissions as a default user, you won't be able to see which permissions are privileged.
When you create a custom role, you can see which permissions are privileged and the custom role will be labeled as privileged.
Best practices for using privileged roles
Here are some best practices for using privileged roles.
- Apply principle of least privilege
- Use Privileged Identity Management to grant just-in-time access
- Turn on multi-factor authentication for all your administrator accounts
- Configure recurring access reviews to revoke unneeded permissions over time
- Limit the number of Global Administrators to less than 5
- Limit the number of privileged role assignments to less than 10
For more information, see Best practices for Microsoft Entra roles.
Privileged permissions versus protected actions
Privileged permissions and protected actions are security-related capabilities that have different purposes. Permissions that have the PRIVILEGED label help you identify permissions that can lead to elevation of privilege if not used in a secure and intended manner. Protected actions are role permissions that have been assigned Conditional Access policies for added security, such as requiring multi-factor authentication. Conditional Access requirements are enforced when a user performs the protected action. Protected actions are currently in Preview. For more information, see What are protected actions in Microsoft Entra ID?.
Capability | Privileged permission | Protected action |
---|---|---|
Identify permissions that should be used in a secure manner | ✅ | |
Require additional security to perform an action | ✅ |
Terminology
To understand privileged roles and permissions in Microsoft Entra ID, it helps to know some of the following terminology.
Term | Definition |
---|---|
action | An activity a security principal can perform on an object type. Sometimes referred to as an operation. |
permission | A definition that specifies the activity a security principal can perform on an object type. A permission includes one or more actions. |
privileged permission | In Microsoft Entra ID, permissions that can be used to delegate management of directory resources to other users, modify credentials, authentication or authorization policies, or access restricted data. |
privileged role | A built-in or custom role that has one or more privileged permissions. |
privileged role assignment | A role assignment that uses a privileged role. |
elevation of privilege | When a security principal obtains more permissions than their assigned role initially provided by impersonating another role. |
protected action | Permissions with Conditional Access applied for added security. |
How to understand role permissions
The schema for permissions loosely follows the REST format of Microsoft Graph:
<namespace>/<entity>/<propertySet>/<action>
For example:
microsoft.directory/applications/credentials/update
Permission element | Description |
---|---|
namespace | Product or service that exposes the task and is prepended with microsoft . For example, all tasks in Microsoft Entra ID use the microsoft.directory namespace. |
entity | Logical feature or component exposed by the service in Microsoft Graph. For example, Microsoft Entra ID exposes User and Groups, OneNote exposes Notes, and Exchange exposes Mailboxes and Calendars. There is a special allEntities keyword for specifying all entities in a namespace. This is often used in roles that grant access to an entire product. |
propertySet | Specific properties or aspects of the entity for which access is being granted. For example, microsoft.directory/applications/authentication/read grants the ability to read the reply URL, logout URL, and implicit flow property on the application object in Microsoft Entra ID.
|
action | Operation being granted, most typically create, read, update, or delete (CRUD). There is a special allTasks keyword for specifying all of the above abilities (create, read, update, and delete). |
Compare authentication roles
The following table compares the capabilities of authentication-related roles.
Role | Manage user's auth methods | Manage per-user MFA | Manage MFA settings | Manage auth method policy | Manage password protection policy | Update sensitive properties | Delete and restore users |
---|---|---|---|---|---|---|---|
Authentication Administrator | Yes for some users | Yes for some users | Yes | No | No | Yes for some users | Yes for some users |
Privileged Authentication Administrator | Yes for all users | Yes for all users | No | No | No | Yes for all users | Yes for all users |
Authentication Policy Administrator | No | Yes | Yes | Yes | Yes | No | No |
User Administrator | No | No | No | No | No | Yes for some users | Yes for some users |
Who can reset passwords
In the following table, the columns list the roles that can reset passwords and invalidate refresh tokens. The rows list the roles for which their password can be reset. For example, a Password Administrator can reset the password for Directory Readers, Guest Inviter, Password Administrator, and users with no administrator role. If a user is assigned any other role, the Password Administrator cannot reset their password.
The following table is for roles assigned at the scope of a tenant. For roles assigned at the scope of an administrative unit, further restrictions apply.
Role that password can be reset | Password Admin | Helpdesk Admin | Auth Admin | User Admin | Privileged Auth Admin | Global Admin |
---|---|---|---|---|---|---|
Auth Admin | ✅ | ✅ | ✅ | |||
Directory Readers | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Global Admin | ✅ | ✅* | ||||
Groups Admin | ✅ | ✅ | ✅ | |||
Guest Inviter | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Helpdesk Admin | ✅ | ✅ | ✅ | ✅ | ||
Message Center Reader | ✅ | ✅ | ✅ | ✅ | ✅ | |
Password Admin | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Privileged Auth Admin | ✅ | ✅ | ||||
Privileged Role Admin | ✅ | ✅ | ||||
Reports Reader | ✅ | ✅ | ✅ | ✅ | ✅ | |
User (no admin role) |
✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
User (no admin role, but member or owner of a role-assignable group) |
✅ | ✅ | ||||
User with a role scoped to a restricted management administrative unit | ✅ | ✅ | ||||
User Admin | ✅ | ✅ | ✅ | |||
User Experience Success Manager | ✅ | ✅ | ✅ | ✅ | ✅ | |
Usage Summary Reports Reader | ✅ | ✅ | ✅ | ✅ | ✅ | |
All other built-in and custom roles | ✅ | ✅ |
Important
The Partner Tier2 Support role can reset passwords and invalidate refresh tokens for all non-administrators and administrators (including Global Administrators). The Partner Tier1 Support role can reset passwords and invalidate refresh tokens for only non-administrators. These roles should not be used because they are deprecated.
The ability to reset a password includes the ability to update the following sensitive properties required for self-service password reset:
- businessPhones
- mobilePhone
- otherMails
Who can perform sensitive actions
Some administrators can perform the following sensitive actions for some users. All users can read the sensitive properties.
Sensitive action | Sensitive property name |
---|---|
Disable or enable users | accountEnabled |
Update business phone | businessPhones |
Update mobile phone | mobilePhone |
Update on-premises immutable ID | onPremisesImmutableId |
Update other emails | otherMails |
Update password profile | passwordProfile |
Update user principal name | userPrincipalName |
Delete or restore users | Not applicable |
In the following table, the columns list the roles that can perform sensitive actions. The rows list the roles for which the sensitive action can be performed upon.
The following table is for roles assigned at the scope of a tenant. For roles assigned at the scope of an administrative unit, further restrictions apply.
Role that sensitive action can be performed upon | Auth Admin | User Admin | Privileged Auth Admin | Global Admin |
---|---|---|---|---|
Auth Admin | ✅ | ✅ | ✅ | |
Directory Readers | ✅ | ✅ | ✅ | ✅ |
Global Admin | ✅ | ✅ | ||
Groups Admin | ✅ | ✅ | ✅ | |
Guest Inviter | ✅ | ✅ | ✅ | ✅ |
Helpdesk Admin | ✅ | ✅ | ✅ | |
Message Center Reader | ✅ | ✅ | ✅ | ✅ |
Password Admin | ✅ | ✅ | ✅ | ✅ |
Privileged Auth Admin | ✅ | ✅ | ||
Privileged Role Admin | ✅ | ✅ | ||
Reports Reader | ✅ | ✅ | ✅ | ✅ |
User (no admin role) |
✅ | ✅ | ✅ | ✅ |
User (no admin role, but member or owner of a role-assignable group) |
✅ | ✅ | ||
User with a role scoped to a restricted management administrative unit | ✅ | ✅ | ||
User Admin | ✅ | ✅ | ✅ | |
User Experience Success Manager | ✅ | ✅ | ✅ | ✅ |
Usage Summary Reports Reader | ✅ | ✅ | ✅ | ✅ |
All other built-in and custom roles | ✅ | ✅ |