Administrator role permissions in Azure Active Directory

Using Azure Active Directory (Azure AD), you can designate limited administrators to manage identity tasks in less-privileged roles. Administrators can be assigned for such purposes as adding or changing users, assigning administrative roles, resetting user passwords, managing user licenses, and managing domain names. The default user permissions can be changed only in user settings in Azure AD.

The Global Administrator has access to all administrative features. By default, the person who signs up for an Azure subscription is assigned the Global Administrator role for the directory. Only Global Administrators and Privileged Role Administrators can delegate administrator roles. To reduce the risk to your business, we recommend that you assign this role to only a few people in your company.

Assign or remove administrator roles

To learn how to assign administrative roles to a user in Azure Active Directory, see View and assign administrator roles in Azure Active Directory.

Available roles

The following administrator roles are available:

  • Application Administrator: Users in this role can create and manage all aspects of enterprise applications, application registrations, and application proxy settings. This role also grants the ability to consent to delegated permissions, and to application permissions excluding Microsoft Graph and Azure AD Graph. Users assigned to this role are not added as owners when creating new application registrations or enterprise applications.

    Important: This role grants the ability to manage application credentials. Users assigned this role can add credentials to an application, and use those credentials to impersonate the application's identity. If the application's identity has been granted access to Azure Active Directory, such as the ability to create or update User or other objects, then a user assigned to this role could perform those actions while impersonating the application. This ability to impersonate the application's identity may be an elevation of privilege over what the user can do via their role assignments in Azure AD. It is important to understand that assigning a user to the Application Administrator role gives them the ability to impersonate an application's identity.

  • Application Developer: Users in this role can create application registrations when the "Users can register applications" setting is set to No. This role also grants permission to consent on one's own behalf when the "Users can consent to apps accessing company data on their behalf" setting is set to No. Users assigned to this role are added as owners when creating new application registrations or enterprise applications.

  • Authentication Administrator: Users with this role can set or reset non-password credentials. Authentication Administrators can require users to re-register against existing non-password credentials (for example, MFA or FIDO) and revoke "remember MFA on the device", which prompts for MFA on the next sign-in of users who are non-administrators or assigned the following roles only:

    • Authentication Administrator
    • Directory Readers
    • Guest Inviter
    • Message Center Reader
    • Reports Reader

    The Authentication Administrator role is currently in public preview. This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see Supplemental Terms of Use for Azure Previews.

    Important: Users with this role can change credentials for people who may have access to sensitive or private information or critical configuration inside and outside of Azure Active Directory. Changing the credentials of a user may mean the ability to assume that user's identity and permissions. For example:

    • Application Registration and Enterprise Application owners, who can manage credentials of apps they own. Those apps may have privileged permissions in Azure AD and elsewhere not granted to Authentication Administrators. Through this path an Authentication Administrator may be able to assume the identity of an application owner and then further assume the identity of a privileged application by updating the credentials for the application.
    • Azure subscription owners, who may have access to sensitive or private information or critical configuration in Azure.
    • Security Group and Office 365 Group owners, who can manage group membership. Those groups may grant access to sensitive or private information or critical configuration in Azure AD and elsewhere.
    • Administrators in other services outside of Azure AD like Exchange Online, Office Security and Compliance Center, and human resources systems.
    • Non-administrators like executives, legal counsel, and human resources employees who may have access to sensitive or private information.
  • B2C User Flow Administrator: Users with this role can create and manage B2C User Flows (aka "built-in" policies) in the Azure portal. By creating or editing user flows, these users can change the HTML/CSS/JavaScript content of the user experience, change MFA requirements per user flow, change claims in the token, and adjust session settings for all policies in the tenant. On the other hand, this role does not include the ability to review user data, or to make changes to the attributes that are included in the tenant schema. Changes to Identity Experience Framework (aka Custom) policies are also outside the scope of this role.

  • B2C User Flow Attribute Administrator: Users with this role can add or delete custom attributes available to all user flows in the tenant. As such, users with this role can change or add new elements to the end-user schema and impact the behavior of all user flows, and indirectly change what data may be asked of end users and ultimately sent as claims to applications. This role cannot edit user flows.

  • B2C IEF Keyset Administrator: Users in this role can create and manage policy keys and secrets for token encryption, token signatures, and claim encryption/decryption. By adding new keys to existing key containers, this limited administrator can roll over secrets as needed without impacting existing applications. This user can see the full content of these secrets and their expiration dates even after their creation.

    Important: This is a sensitive role. The keyset administrator role should be carefully audited and assigned with care during preproduction and production.

  • B2C IEF Policy Administrator: Users in this role have the ability to create, read, update, and delete all custom policies in Azure AD B2C and therefore have full control over the Identity Experience Framework in the relevant Azure AD B2C tenant. By editing policies, this user can establish direct federation with external identity providers, change the directory schema, change all user-facing content (HTML, CSS, JavaScript), change the requirements to complete an authentication, create new users, send user data to external systems including full migrations, and edit all user information including sensitive fields like passwords and phone numbers. Conversely, this role cannot change the encryption keys or edit the secrets used for federation in the tenant.

    Important: The B2C IEF Policy Administrator is a highly sensitive role which should be assigned on a very limited basis for tenants in production. Activities by these users should be closely audited, especially for tenants in production.

  • Billing Administrator: Makes purchases, manages subscriptions, manages support tickets, and monitors service health.

  • Cloud Application Administrator: Users in this role have the same permissions as the Application Administrator role, excluding the ability to manage application proxy. This role grants the ability to create and manage all aspects of enterprise applications and application registrations. This role also grants the ability to consent to delegated permissions, and to application permissions excluding Microsoft Graph and Azure AD Graph. Users assigned to this role are not added as owners when creating new application registrations or enterprise applications.

    Important: This role grants the ability to manage application credentials. Users assigned this role can add credentials to an application, and use those credentials to impersonate the application's identity. If the application's identity has been granted access to Azure Active Directory, such as the ability to create or update User or other objects, then a user assigned to this role could perform those actions while impersonating the application. This ability to impersonate the application's identity may be an elevation of privilege over what the user can do via their role assignments in Azure AD. It is important to understand that assigning a user to the Cloud Application Administrator role gives them the ability to impersonate an application's identity.

  • Compliance Administrator: Users with this role have permissions to manage compliance-related features in the Microsoft 365 compliance center, Microsoft 365 admin center, Azure, and Office 365 Security & Compliance Center. Users can also manage all features within the Exchange admin center and Teams & Skype for Business admin center and create support tickets for Azure and Microsoft 365. More information is available at About Office 365 admin roles.

    | In | Can do |
    | --- | --- |
    | Microsoft 365 compliance center | Protect and manage your organization's data across Microsoft 365 services |
    | | Manage compliance alerts |
    | Compliance Manager | Track, assign, and verify your organization's regulatory compliance activities |
    | Office 365 Security & Compliance Center | Manage data governance |
    | | Perform legal and data investigation |
    | | Manage Data Subject Requests |
    | Intune | View all Intune audit data |
    | Cloud App Security | Has read-only permissions and can manage alerts |
    | | Can create and modify file policies and allow file governance actions |
    | | Can view all the built-in reports under Data Management |
  • Customer Lockbox access approver: Manages Customer Lockbox requests in your organization. They receive email notifications for Customer Lockbox requests and can approve and deny requests from the Microsoft 365 admin center. They can also turn the Customer Lockbox feature on or off. Only global admins can reset the passwords of people assigned to this role.

  • Dynamics 365 Administrator / CRM Administrator: Users with this role have global permissions within Microsoft Dynamics 365 Online, when the service is present, as well as the ability to manage support tickets and monitor service health. More information at Use the service admin role to manage your tenant.

    Note

    In Microsoft Graph API, Azure AD Graph API, and Azure AD PowerShell, this role is identified as "Dynamics 365 Service Administrator". It is "Dynamics 365 Administrator" in the Azure portal.

  • Exchange Administrator: Users with this role have global permissions within Microsoft Exchange Online, when the service is present. Also has the ability to create and manage all Office 365 Groups, manage support tickets, and monitor service health. More information at About Office 365 admin roles.

    Note

    In Microsoft Graph API, Azure AD Graph API, and Azure AD PowerShell, this role is identified as "Exchange Service Administrator". It is "Exchange Administrator" in the Azure portal. It is "Exchange Online administrator" in the Exchange admin center.

  • External Identity Provider Administrator: This administrator manages federation between Azure Active Directory tenants and external identity providers. With this role, users can add new identity providers and configure all available settings (e.g. authentication path, service id, assigned key containers). This user can enable the tenant to trust authentications from external identity providers. The resulting impact on end user experiences depends on the type of tenant:

    • Azure Active Directory tenants for employees and partners: The addition of a federation (e.g. with Gmail) will immediately impact all guest invitations not yet redeemed.
    • Azure Active Directory B2C tenants: The addition of a federation (e.g. with another Azure Active Directory) does not immediately impact end user flows until the identity provider is added as an option in a user flow (aka built-in policy). To change user flows, the limited role of "B2C User Flow Administrator" is required.
  • Global Administrator / Company Administrator: Users with this role have access to all administrative features in Azure Active Directory, as well as services that use Azure Active Directory identities like Microsoft 365 security center, Microsoft 365 compliance center, Exchange Online, SharePoint Online, and Skype for Business Online. The person who signs up for the Azure Active Directory tenant becomes a global administrator. Only global administrators can assign other administrator roles. There can be more than one global administrator at your company. Global admins can reset the password for any user and all other administrators.

    Note

    In Microsoft Graph API, Azure AD Graph API, and Azure AD PowerShell, this role is identified as "Company Administrator". It is "Global Administrator" in the Azure portal.

  • Guest Inviter: Users in this role can manage Azure Active Directory B2B guest user invitations when the "Members can invite" user setting is set to No. It does not include any other permissions.

  • Intune Administrator: Users with this role have global permissions within Microsoft Intune Online, when the service is present. Additionally, this role contains the ability to manage users and devices in order to associate policy, as well as create and manage groups. More information at Role-based administration control (RBAC) with Microsoft Intune.

    Note

    In Microsoft Graph API, Azure AD Graph API, and Azure AD PowerShell, this role is identified as "Intune Service Administrator". It is "Intune Administrator" in the Azure portal.

  • Helpdesk (Password) Administrator: Users with this role can change passwords, invalidate refresh tokens, manage service requests, and monitor service health. Invalidating a refresh token forces the user to sign in again. Helpdesk Administrators can reset passwords and invalidate refresh tokens of other users who are non-administrators or assigned the following roles only:

    • Directory Readers
    • Guest Inviter
    • Helpdesk Administrator
    • Message Center Reader
    • Reports Reader

    Important: Users with this role can change passwords for people who may have access to sensitive or private information or critical configuration inside and outside of Azure Active Directory. Changing the password of a user may mean the ability to assume that user's identity and permissions. For example:

    • Application Registration and Enterprise Application owners, who can manage credentials of apps they own. Those apps may have privileged permissions in Azure AD and elsewhere not granted to Helpdesk Administrators. Through this path a Helpdesk Administrator may be able to assume the identity of an application owner and then further assume the identity of a privileged application by updating the credentials for the application.
    • Azure subscription owners, who may have access to sensitive or private information or critical configuration in Azure.
    • Security Group and Office 365 Group owners, who can manage group membership. Those groups may grant access to sensitive or private information or critical configuration in Azure AD and elsewhere.
    • Administrators in other services outside of Azure AD like Exchange Online, Office Security and Compliance Center, and human resources systems.
    • Non-administrators like executives, legal counsel, and human resources employees who may have access to sensitive or private information.

    Note

    This role was previously called "Password Administrator" in the Azure portal. We are changing its name to "Helpdesk Administrator" to match its name in Azure AD PowerShell, Azure AD Graph API and Microsoft Graph API. For a short time, we will change the name to "Helpdesk (Password) Administrator" in the Azure portal before the change to "Helpdesk Administrator".

  • Power BI Administrator: Users with this role have global permissions within Power BI, when the service is present, as well as the ability to manage support tickets and monitor service health. More information at Understanding the Power BI admin role.

    Note

    In Microsoft Graph API, Azure AD Graph API, and Azure AD PowerShell, this role is identified as "Power BI Service Administrator". It is "Power BI Administrator" in the Azure portal.

  • Privileged Authentication Administrator: Users with this role can set or reset non-password credentials for all users, including global administrators. Privileged Authentication Administrators can force users to re-register against existing non-password credentials (e.g. MFA, FIDO) and revoke "remember MFA on the device", prompting for MFA on the next login of all users. Privileged Authentication Administrators can:

    • Force users to re-register against existing non-password credentials (e.g. MFA, FIDO)
    • Revoke "remember MFA on the device", prompting for MFA on the next login
  • Privileged Role Administrator: Users with this role can manage role assignments in Azure Active Directory, as well as within Azure AD Privileged Identity Management. In addition, this role allows management of all aspects of Privileged Identity Management.

    Important: This role grants the ability to manage assignments for all Azure AD roles, including the Global Administrator role. This role does not include any other privileged abilities in Azure AD like creating or updating users. However, users assigned to this role can grant themselves or others additional privilege by assigning additional roles.

  • Security Administrator: Users with this role have permissions to manage security-related features in the Microsoft 365 security center, Azure Active Directory Identity Protection, Azure Information Protection, and Office 365 Security & Compliance Center. More information about Office 365 permissions is available at Permissions in the Office 365 Security & Compliance Center.

    | In | Can do |
    | --- | --- |
    | Microsoft 365 security center | Monitor security-related policies across Microsoft 365 services |
    | | Manage security threats and alerts |
    | | View reports |
    | Identity Protection Center | All permissions of the Security Reader role |
    | | Additionally, the ability to perform all Identity Protection Center operations except for resetting passwords |
    | Privileged Identity Management | All permissions of the Security Reader role |
    | | Cannot manage Azure AD role assignments or settings |
    | Office 365 Security & Compliance Center | Manage security policies |
    | | View, investigate, and respond to security threats |
    | | View reports |
    | Azure Advanced Threat Protection | Monitor and respond to suspicious security activity |
    | Windows Defender ATP and EDR | Assign roles |
    | | Manage machine groups |
    | | Configure endpoint threat detection and automated remediation |
    | | View, investigate, and respond to alerts |
    | Intune | View user, device, enrollment, configuration, and application information |
    | | Cannot make changes to Intune |
    | Cloud App Security | Add admins, add policies and settings, upload logs and perform governance actions |
    | Azure Security Center | Can view security policies, view security states, edit security policies, view alerts and recommendations, dismiss alerts and recommendations |
    | Office 365 service health | View the health of Office 365 services |
  • Security Reader: Users with this role have global read-only access on security-related features, including all information in Microsoft 365 security center, Azure Active Directory, Identity Protection, and Privileged Identity Management, as well as the ability to read Azure Active Directory sign-in reports and audit logs, and read-only access in the Office 365 Security & Compliance Center. More information about Office 365 permissions is available at Permissions in the Office 365 Security & Compliance Center.

    | In | Can do |
    | --- | --- |
    | Microsoft 365 security center | View security-related policies across Microsoft 365 services |
    | | View security threats and alerts |
    | | View reports |
    | Identity Protection Center | Read all security reports and settings information for security features: anti-spam, encryption, data loss prevention, anti-malware, advanced threat protection, anti-phishing, mailflow rules |
    | Privileged Identity Management | Has read-only access to all information surfaced in Azure AD PIM: policies and reports for Azure AD role assignments, security reviews and, in the future, read access to policy data and reports for scenarios besides Azure AD role assignment. |
    | | Cannot sign up for Azure AD PIM or make any changes to it. In the PIM portal or via PowerShell, someone in this role can activate additional roles (for example, Global Admin or Privileged Role Administrator), if the user is eligible for them. |
    | Office 365 Security & Compliance Center | View security policies |
    | | View and investigate security threats |
    | | View reports |
    | Windows Defender ATP and EDR | View and investigate alerts |
    | Intune | View user, device, enrollment, configuration, and application information. Cannot make changes to Intune. |
    | Cloud App Security | Has read-only permissions and can manage alerts |
    | Azure Security Center | Can view recommendations and alerts, view security policies, view security states, but cannot make changes |
    | Office 365 service health | View the health of Office 365 services |
  • Service Support Administrator: Users with this role can open support requests with Microsoft for Azure and Office 365 services, and view the service dashboard and message center in the Azure portal and Microsoft 365 admin center. More information at About Office 365 admin roles.

    Note

    In Microsoft Graph API, Azure AD Graph API, and Azure AD PowerShell, this role is identified as "Service Support Administrator". It is "Service Administrator" in the Azure portal, the Microsoft 365 admin center, and the Intune portal.

  • SharePoint Administrator: Users with this role have global permissions within Microsoft SharePoint Online, when the service is present, as well as the ability to create and manage all Office 365 Groups, manage support tickets, and monitor service health. More information at About Office 365 admin roles.

    Note

    In Microsoft Graph API, Azure AD Graph API, and Azure AD PowerShell, this role is identified as "SharePoint Service Administrator". It is "SharePoint Administrator" in the Azure portal.

  • Skype for Business / Lync Administrator: Users with this role have global permissions within Microsoft Skype for Business, when the service is present, as well as the ability to manage Skype-specific user attributes in Azure Active Directory. Additionally, this role grants the ability to manage support tickets and monitor service health, and to access the Teams and Skype for Business Admin Center. The account must also be licensed for Teams or it can't run Teams PowerShell cmdlets. More information at About the Skype for Business admin role, and Teams licensing information at Skype for Business and Microsoft Teams add-on licensing.

    Note

    In Microsoft Graph API, Azure AD Graph API, and Azure AD PowerShell, this role is identified as "Lync Service Administrator". It is "Skype for Business Administrator" in the Azure portal.

  • Teams Administrator: Users in this role can manage all aspects of the Microsoft Teams workload via the Microsoft Teams & Skype for Business admin center and the respective PowerShell modules. This includes, among other areas, all management tools related to telephony, messaging, meetings, and the teams themselves. This role additionally grants the ability to create and manage all Office 365 Groups, manage support tickets, and monitor service health.

    Note

    In Microsoft Graph API, Azure AD Graph API, and Azure AD PowerShell, this role is identified as "Teams Service Administrator". It is "Teams Administrator" in the Azure portal.

  • Teams Communications Administrator: Users in this role can manage aspects of the Microsoft Teams workload related to voice & telephony. This includes the management tools for telephone number assignment, voice and meeting policies, and full access to the call analytics toolset.

  • Teams Communications Support Engineer: Users in this role can troubleshoot communication issues within Microsoft Teams & Skype for Business using the user call troubleshooting tools in the Microsoft Teams & Skype for Business admin center. Users in this role can view full call record information for all participants involved. This role has no access to view, create, or manage support tickets.

  • Teams Communications Support Specialist: Users in this role can troubleshoot communication issues within Microsoft Teams & Skype for Business using the user call troubleshooting tools in the Microsoft Teams & Skype for Business admin center. Users in this role can only view user details in the call for the specific user they have looked up. This role has no access to view, create, or manage support tickets.

  • User Administrator: Users with this role can create users, and manage all aspects of users with some restrictions (see below), and can update password expiration policies. Additionally, users with this role can create and manage all groups. This role also includes the ability to create and manage user views, manage support tickets, and monitor service health.

    General permissions:
    • Create users and groups
    • Create and manage user views
    • Manage Office support tickets
    • Update password expiration policies

    On all users, including all admins:
    • Manage licenses
    • Manage all user properties except User Principal Name

    Only on users who are non-admins or in any of the following limited admin roles (Directory Readers, Guest Inviter, Helpdesk Administrator, Message Center Reader, Reports Reader, User Administrator):
    • Delete and restore
    • Disable and enable
    • Invalidate refresh tokens
    • Manage all user properties including User Principal Name
    • Reset password
    • Update (FIDO) device keys

    Important: Users with this role can change passwords for people who may have access to sensitive or private information or critical configuration inside and outside of Azure Active Directory. Changing the password of a user may mean the ability to assume that user's identity and permissions. For example:

    • Application Registration and Enterprise Application owners, who can manage credentials of apps they own. Those apps may have privileged permissions in Azure AD and elsewhere not granted to User Administrators. Through this path a User Administrator may be able to assume the identity of an application owner and then further assume the identity of a privileged application by updating the credentials for the application.
    • Azure subscription owners, who may have access to sensitive or private information or critical configuration in Azure.
    • Security Group and Office 365 Group owners, who can manage group membership. Those groups may grant access to sensitive or private information or critical configuration in Azure AD and elsewhere.
    • Administrators in other services outside of Azure AD like Exchange Online, Office Security and Compliance Center, and human resources systems.
    • Non-administrators like executives, legal counsel, and human resources employees who may have access to sensitive or private information.

    Role Permissions

    The following tables describe the specific permissions in Azure Active Directory given to each role. Some roles may have additional permissions in Microsoft services outside of Azure Active Directory.

    Application Administrator

    Can create and manage all aspects of app registrations and enterprise apps.

    Actions | Description
    microsoft.aad.directory/applications/audience/update | Update applications.audience property in Azure Active Directory.
    microsoft.aad.directory/applications/authentication/update | Update applications.authentication property in Azure Active Directory.
    microsoft.aad.directory/applications/basic/update | Update basic properties on applications in Azure Active Directory.
    microsoft.aad.directory/applications/create | Create applications in Azure Active Directory.
    microsoft.aad.directory/applications/credentials/update | Update applications.credentials property in Azure Active Directory.
    microsoft.aad.directory/applications/delete | Delete applications in Azure Active Directory.
    microsoft.aad.directory/applications/owners/update | Update applications.owners property in Azure Active Directory.
    microsoft.aad.directory/applications/permissions/update | Update applications.permissions property in Azure Active Directory.
    microsoft.aad.directory/applications/policies/update | Update applications.policies property in Azure Active Directory.
    microsoft.aad.directory/appRoleAssignments/create | Create appRoleAssignments in Azure Active Directory.
    microsoft.aad.directory/appRoleAssignments/read | Read appRoleAssignments in Azure Active Directory.
    microsoft.aad.directory/appRoleAssignments/update | Update appRoleAssignments in Azure Active Directory.
    microsoft.aad.directory/appRoleAssignments/delete | Delete appRoleAssignments in Azure Active Directory.
    microsoft.aad.directory/auditLogs/allProperties/read | Read all properties (including privileged properties) on auditLogs in Azure Active Directory.
    microsoft.aad.directory/policies/applicationConfiguration/basic/read | Read policies.applicationConfiguration property in Azure Active Directory.
    microsoft.aad.directory/policies/applicationConfiguration/basic/update | Update policies.applicationConfiguration property in Azure Active Directory.
    microsoft.aad.directory/policies/applicationConfiguration/create | Create policies in Azure Active Directory.
    microsoft.aad.directory/policies/applicationConfiguration/delete | Delete policies in Azure Active Directory.
    microsoft.aad.directory/policies/applicationConfiguration/owners/read | Read policies.applicationConfiguration property in Azure Active Directory.
    microsoft.aad.directory/policies/applicationConfiguration/owners/update | Update policies.applicationConfiguration property in Azure Active Directory.
    microsoft.aad.directory/policies/applicationConfiguration/policyAppliedTo/read | Read policies.applicationConfiguration property in Azure Active Directory.
    microsoft.aad.directory/servicePrincipals/appRoleAssignedTo/update | Update servicePrincipals.appRoleAssignedTo property in Azure Active Directory.
    microsoft.aad.directory/servicePrincipals/appRoleAssignments/update | Update servicePrincipals.appRoleAssignments property in Azure Active Directory.
    microsoft.aad.directory/servicePrincipals/audience/update | Update servicePrincipals.audience property in Azure Active Directory.
    microsoft.aad.directory/servicePrincipals/authentication/update | Update servicePrincipals.authentication property in Azure Active Directory.
    microsoft.aad.directory/servicePrincipals/basic/update | Update basic properties on servicePrincipals in Azure Active Directory.
    microsoft.aad.directory/servicePrincipals/create | Create servicePrincipals in Azure Active Directory.
    microsoft.aad.directory/servicePrincipals/credentials/update | Update servicePrincipals.credentials property in Azure Active Directory.
    microsoft.aad.directory/servicePrincipals/delete | Delete servicePrincipals in Azure Active Directory.
    microsoft.aad.directory/servicePrincipals/owners/update | Update servicePrincipals.owners property in Azure Active Directory.
    microsoft.aad.directory/servicePrincipals/permissions/update | Update servicePrincipals.permissions property in Azure Active Directory.
    microsoft.aad.directory/servicePrincipals/policies/update | Update servicePrincipals.policies property in Azure Active Directory.
    microsoft.aad.directory/signInReports/allProperties/read | Read all properties (including privileged properties) on signInReports in Azure Active Directory.
    microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
    microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets.
    microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health.
    microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets.
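
    As an added example (not Microsoft's code), the following Python evaluates the action strings used in these Role Permissions tables and applies the User Administrator scope rule from the list above. The wildcard reading of allEntities, allProperties and allTasks, and the per-role action subset embedded in the script, are assumptions drawn from this page's descriptions.

```python
"""Evaluate the action strings from this page's per-role permission tables.

Added example, not Microsoft's code. Assumption drawn from the page's own
descriptions: '<entity>/allProperties/allTasks' covers every task on that
entity, '<namespace>/allEntities/allTasks' covers every entity in the
namespace, and a trailing 'allTasks' covers every task on the path before it.
"""
from typing import Dict, FrozenSet, List, Set

# Constructed subset of the action tables on this page (Application
# Administrator, Application Developer, Authentication Administrator and
# Company Administrator); the page's full tables are longer.
ROLE_ACTIONS: Dict[str, FrozenSet[str]] = {
    "Application Administrator": frozenset({
        "microsoft.aad.directory/applications/credentials/update",
        "microsoft.aad.directory/applications/owners/update",
        "microsoft.aad.directory/servicePrincipals/credentials/update",
        "microsoft.aad.directory/appRoleAssignments/read",
        "microsoft.office365.supportTickets/allEntities/allTasks",
    }),
    "Application Developer": frozenset({
        "microsoft.aad.directory/applications/createAsOwner",
        "microsoft.aad.directory/servicePrincipals/createAsOwner",
    }),
    "Authentication Administrator": frozenset({
        "microsoft.aad.directory/users/invalidateAllRefreshTokens",
        "microsoft.aad.directory/users/strongAuthentication/update",
        "microsoft.office365.supportTickets/allEntities/allTasks",
    }),
    "Company Administrator": frozenset({
        "microsoft.aad.directory/applications/allProperties/allTasks",
        "microsoft.aad.directory/directoryRoles/allProperties/allTasks",
        "microsoft.aad.cloudAppSecurity/allEntities/allTasks",
    }),
}

# Limited admin roles a User Administrator may still act on, from the page's
# "Only on users who are non-admins or in any of the following limited admin
# roles" column.
USER_ADMIN_MANAGEABLE_ROLES: FrozenSet[str] = frozenset({
    "Directory Readers", "Guest Inviter", "Helpdesk Administrator",
    "Message Center Reader", "Reports Reader", "User Administrator",
})


def grants(granted: str, requested: str) -> bool:
    """Return True if the granted action string covers the requested one.

    Both are '/'-separated paths whose first segment is the namespace
    (e.g. microsoft.aad.directory). Segments are compared left to right;
    'allEntities' and 'allProperties' match any single segment and
    'allTasks' matches everything that follows it.
    """
    g = granted.split("/")
    r = requested.split("/")
    for i, seg in enumerate(g):
        if seg == "allTasks":
            return True      # whatever remains of the request is a task on this prefix
        if i >= len(r):
            return False     # the grant is more specific than the request
        if seg in ("allEntities", "allProperties"):
            continue         # wildcard over exactly one segment
        if seg != r[i]:
            return False
    return len(g) == len(r)  # no wildcard used: only an exact match counts


def roles_granting(requested: str) -> List[str]:
    """Sorted names of the roles in ROLE_ACTIONS that can perform the action."""
    return sorted(role for role, actions in ROLE_ACTIONS.items()
                  if any(grants(a, requested) for a in actions))


def user_admin_can_reset_password(target_roles: Set[str]) -> bool:
    """Whether a User Administrator may reset the target user's password.

    Per the page, the restricted operations (reset password, delete, change
    UPN, ...) apply only to non-admins and the limited admin roles above, so
    any other role held by the target blocks the operation.
    """
    return target_roles <= USER_ADMIN_MANAGEABLE_ROLES


if __name__ == "__main__":
    for action in ("microsoft.aad.directory/applications/credentials/update",
                   "microsoft.aad.directory/users/strongAuthentication/update"):
        print(f"{action}: {roles_granting(action)}")
    print("reset Helpdesk Administrator:",
          user_admin_can_reset_password({"Helpdesk Administrator"}))
    print("reset Application Administrator:",
          user_admin_can_reset_password({"Application Administrator"}))
```

    Querying who can update application credentials is the check a reviewer would run before granting the roles described in the Important list above.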

    Application Developer

    Can create application registrations independent of the ‘Users can register applications’ setting.

    Actions | Description
    microsoft.aad.directory/applications/createAsOwner | Create applications in Azure Active Directory. Creator is added as the first owner, and the created object counts against the creator's 250 created objects quota.
    microsoft.aad.directory/appRoleAssignments/createAsOwner | Create appRoleAssignments in Azure Active Directory. Creator is added as the first owner, and the created object counts against the creator's 250 created objects quota.
    microsoft.aad.directory/oAuth2PermissionGrants/createAsOwner | Create oAuth2PermissionGrants in Azure Active Directory. Creator is added as the first owner, and the created object counts against the creator's 250 created objects quota.
    microsoft.aad.directory/servicePrincipals/createAsOwner | Create servicePrincipals in Azure Active Directory. Creator is added as the first owner, and the created object counts against the creator's 250 created objects quota.

    Authentication Administrator

    Allowed to view, set and reset authentication method information for any non-admin user.

    Actions | Description
    microsoft.aad.directory/users/invalidateAllRefreshTokens | Invalidate all user refresh tokens in Azure Active Directory.
    microsoft.aad.directory/users/strongAuthentication/update | Update strong authentication properties like MFA credential information.
    microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
    microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets.
    microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.
    microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health.
    microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets.

    B2C User Flow Administrator

    Create and manage all aspects of user flows.

    Actions | Description
    microsoft.aad.b2c/userFlows/allTasks | Read and configure user flows in Azure Active Directory B2C.

    B2C User Flow Attribute Administrator

    Create and manage the attribute schema available to all user flows.

    Actions | Description
    microsoft.aad.b2c/userAttributes/allTasks | Read and configure user attributes in Azure Active Directory B2C.

    B2C IEF Keyset Administrator

    Manage secrets for federation and encryption in the Identity Experience Framework.

    Actions | Description
    microsoft.aad.b2c/trustFramework/keySets/allTasks | Read and configure key sets in Azure Active Directory B2C.

    B2C IEF Policy Administrator

    Create and manage trust framework policies in the Identity Experience Framework.

    Actions | Description
    microsoft.aad.b2c/trustFramework/policies/allTasks | Read and configure custom policies in Azure Active Directory B2C.

    Billing Administrator

    Can perform common billing related tasks like updating payment information.

    Note

    This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

    Actions | Description
    microsoft.aad.directory/organization/basic/update | Update basic properties on organization in Azure Active Directory.
    microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
    microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets.
    microsoft.commerce.billing/allEntities/allTasks | Manage all aspects of Office 365 billing.
    microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.
    microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health.
    microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets.

    Desktop Analytics Administrator

    Can access and manage Desktop management tools and services including Intune.

    Note

    This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

    Actions | Description
    microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
    microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets.
    microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.
    microsoft.office365.desktopAnalytics/allEntities/allTasks | Manage all aspects of Desktop Analytics.
    microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health.
    microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets.

    Cloud Application Administrator

    Can create and manage all aspects of app registrations and enterprise apps except App Proxy.

    Actions | Description
    microsoft.aad.directory/applications/audience/update | Update applications.audience property in Azure Active Directory.
    microsoft.aad.directory/applications/authentication/update | Update applications.authentication property in Azure Active Directory.
    microsoft.aad.directory/applications/basic/update | Update basic properties on applications in Azure Active Directory.
    microsoft.aad.directory/applications/create | Create applications in Azure Active Directory.
    microsoft.aad.directory/applications/credentials/update | Update applications.credentials property in Azure Active Directory.
    microsoft.aad.directory/applications/delete | Delete applications in Azure Active Directory.
    microsoft.aad.directory/applications/owners/update | Update applications.owners property in Azure Active Directory.
    microsoft.aad.directory/applications/permissions/update | Update applications.permissions property in Azure Active Directory.
    microsoft.aad.directory/applications/policies/update | Update applications.policies property in Azure Active Directory.
    microsoft.aad.directory/appRoleAssignments/create | Create appRoleAssignments in Azure Active Directory.
    microsoft.aad.directory/appRoleAssignments/update | Update appRoleAssignments in Azure Active Directory.
    microsoft.aad.directory/appRoleAssignments/delete | Delete appRoleAssignments in Azure Active Directory.
    microsoft.aad.directory/auditLogs/allProperties/read | Read all properties (including privileged properties) on auditLogs in Azure Active Directory.
    microsoft.aad.directory/policies/applicationConfiguration/create | Create policies in Azure Active Directory.
    microsoft.aad.directory/policies/applicationConfiguration/basic/read | Read policies.applicationConfiguration property in Azure Active Directory.
    microsoft.aad.directory/policies/applicationConfiguration/basic/update | Update policies.applicationConfiguration property in Azure Active Directory.
    microsoft.aad.directory/policies/applicationConfiguration/delete | Delete policies in Azure Active Directory.
    microsoft.aad.directory/policies/applicationConfiguration/owners/read | Read policies.applicationConfiguration property in Azure Active Directory.
    microsoft.aad.directory/policies/applicationConfiguration/owners/update | Update policies.applicationConfiguration property in Azure Active Directory.
    microsoft.aad.directory/policies/applicationConfiguration/policyAppliedTo/read | Read policies.applicationConfiguration property in Azure Active Directory.
    microsoft.aad.directory/servicePrincipals/appRoleAssignedTo/update | Update servicePrincipals.appRoleAssignedTo property in Azure Active Directory.
    microsoft.aad.directory/servicePrincipals/appRoleAssignments/update | Update servicePrincipals.appRoleAssignments property in Azure Active Directory.
    microsoft.aad.directory/servicePrincipals/audience/update | Update servicePrincipals.audience property in Azure Active Directory.
    microsoft.aad.directory/servicePrincipals/authentication/update | Update servicePrincipals.authentication property in Azure Active Directory.
    microsoft.aad.directory/servicePrincipals/basic/update | Update basic properties on servicePrincipals in Azure Active Directory.
    microsoft.aad.directory/servicePrincipals/create | Create servicePrincipals in Azure Active Directory.
    microsoft.aad.directory/servicePrincipals/credentials/update | Update servicePrincipals.credentials property in Azure Active Directory.
    microsoft.aad.directory/servicePrincipals/delete | Delete servicePrincipals in Azure Active Directory.
    microsoft.aad.directory/servicePrincipals/owners/update | Update servicePrincipals.owners property in Azure Active Directory.
    microsoft.aad.directory/servicePrincipals/permissions/update | Update servicePrincipals.permissions property in Azure Active Directory.
    microsoft.aad.directory/servicePrincipals/policies/update | Update servicePrincipals.policies property in Azure Active Directory.
    microsoft.aad.directory/signInReports/allProperties/read | Read all properties (including privileged properties) on signInReports in Azure Active Directory.
    microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
    microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets.
    microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health.
    microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets.

    Company Administrator

    Can manage all aspects of Azure AD and Microsoft services that use Azure AD identities. Company Administrator is the directory-role name of the Global Administrator role described at the top of this page.

    Note

    This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

    Action - Description
    microsoft.aad.cloudAppSecurity/allEntities/allTasks - Create and delete all resources, and read and update standard properties in microsoft.aad.cloudAppSecurity.
    microsoft.aad.directory/administrativeUnits/allProperties/allTasks - Create and delete administrativeUnits, and read and update all properties in Azure Active Directory.
    microsoft.aad.directory/applications/allProperties/allTasks - Create and delete applications, and read and update all properties in Azure Active Directory.
    microsoft.aad.directory/appRoleAssignments/allProperties/allTasks - Create and delete appRoleAssignments, and read and update all properties in Azure Active Directory.
    microsoft.aad.directory/auditLogs/allProperties/read - Read all properties (including privileged properties) on auditLogs in Azure Active Directory.
    microsoft.aad.directory/contacts/allProperties/allTasks - Create and delete contacts, and read and update all properties in Azure Active Directory.
    microsoft.aad.directory/contracts/allProperties/allTasks - Create and delete contracts, and read and update all properties in Azure Active Directory.
    microsoft.aad.directory/devices/allProperties/allTasks - Create and delete devices, and read and update all properties in Azure Active Directory.
    microsoft.aad.directory/directoryRoles/allProperties/allTasks - Create and delete directoryRoles, and read and update all properties in Azure Active Directory.
    microsoft.aad.directory/directoryRoleTemplates/allProperties/allTasks - Create and delete directoryRoleTemplates, and read and update all properties in Azure Active Directory.
    microsoft.aad.directory/domains/allProperties/allTasks - Create and delete domains, and read and update all properties in Azure Active Directory.
    microsoft.aad.directory/groups/allProperties/allTasks - Create and delete groups, and read and update all properties in Azure Active Directory.
    microsoft.aad.directory/groupSettings/allProperties/allTasks - Create and delete groupSettings, and read and update all properties in Azure Active Directory.
    microsoft.aad.directory/groupSettingTemplates/allProperties/allTasks - Create and delete groupSettingTemplates, and read and update all properties in Azure Active Directory.
    microsoft.aad.directory/loginTenantBranding/allProperties/allTasks - Create and delete loginTenantBranding, and read and update all properties in Azure Active Directory.
    microsoft.aad.directory/oAuth2PermissionGrants/allProperties/allTasks - Create and delete oAuth2PermissionGrants, and read and update all properties in Azure Active Directory.
    microsoft.aad.directory/organization/allProperties/allTasks - Create and delete organization, and read and update all properties in Azure Active Directory.
    microsoft.aad.directory/policies/allProperties/allTasks - Create and delete policies, and read and update all properties in Azure Active Directory.
    microsoft.aad.directory/roleAssignments/allProperties/allTasks - Create and delete roleAssignments, and read and update all properties in Azure Active Directory.
    microsoft.aad.directory/roleDefinitions/allProperties/allTasks - Create and delete roleDefinitions, and read and update all properties in Azure Active Directory.
    microsoft.aad.directory/scopedRoleMemberships/allProperties/allTasks - Create and delete scopedRoleMemberships, and read and update all properties in Azure Active Directory.
    microsoft.aad.directory/serviceAction/activateService - Can perform the Activateservice service action in Azure Active Directory.
    microsoft.aad.directory/serviceAction/disableDirectoryFeature - Can perform the Disabledirectoryfeature service action in Azure Active Directory.
    microsoft.aad.directory/serviceAction/enableDirectoryFeature - Can perform the Enabledirectoryfeature service action in Azure Active Directory.
    microsoft.aad.directory/serviceAction/getAvailableExtentionProperties - Can perform the Getavailableextentionproperties service action in Azure Active Directory.
    microsoft.aad.directory/servicePrincipals/allProperties/allTasks - Create and delete servicePrincipals, and read and update all properties in Azure Active Directory.
    microsoft.aad.directory/signInReports/allProperties/read - Read all properties (including privileged properties) on signInReports in Azure Active Directory.
    microsoft.aad.directory/subscribedSkus/allProperties/allTasks - Create and delete subscribedSkus, and read and update all properties in Azure Active Directory.
    microsoft.aad.directory/users/allProperties/allTasks - Create and delete users, and read and update all properties in Azure Active Directory.
    microsoft.aad.directorySync/allEntities/allTasks - Perform all actions in Azure AD Connect.
    microsoft.aad.identityProtection/allEntities/allTasks - Create and delete all resources, and read and update standard properties in microsoft.aad.identityProtection.
    microsoft.aad.privilegedIdentityManagement/allEntities/read - Read all resources in microsoft.aad.privilegedIdentityManagement.
    microsoft.azure.advancedThreatProtection/allEntities/read - Read all resources in microsoft.azure.advancedThreatProtection.
    microsoft.azure.informationProtection/allEntities/allTasks - Manage all aspects of Azure Information Protection.
    microsoft.azure.serviceHealth/allEntities/allTasks - Read and configure Azure Service Health.
    microsoft.azure.supportTickets/allEntities/allTasks - Create and manage Azure support tickets.
    microsoft.commerce.billing/allEntities/allTasks - Manage all aspects of Office 365 billing.
    microsoft.intune/allEntities/allTasks - Manage all aspects of Intune.
    microsoft.office365.complianceManager/allEntities/allTasks - Manage all aspects of Office 365 Compliance Manager.
    microsoft.office365.desktopAnalytics/allEntities/allTasks - Manage all aspects of Desktop Analytics.
    microsoft.office365.exchange/allEntities/allTasks - Manage all aspects of Exchange Online.
    microsoft.office365.lockbox/allEntities/allTasks - Manage all aspects of Office 365 Customer Lockbox.
    microsoft.office365.messageCenter/messages/read - Read messages in microsoft.office365.messageCenter.
    microsoft.office365.messageCenter/securityMessages/read - Read securityMessages in microsoft.office365.messageCenter.
    microsoft.office365.protectionCenter/allEntities/allTasks - Manage all aspects of Office 365 Protection Center.
    microsoft.office365.securityComplianceCenter/allEntities/allTasks - Create and delete all resources, and read and update standard properties in microsoft.office365.securityComplianceCenter.
    microsoft.office365.serviceHealth/allEntities/allTasks - Read and configure Office 365 Service Health.
    microsoft.office365.sharepoint/allEntities/allTasks - Create and delete all resources, and read and update standard properties in microsoft.office365.sharepoint.
    microsoft.office365.skypeForBusiness/allEntities/allTasks - Manage all aspects of Skype for Business Online.
    microsoft.office365.supportTickets/allEntities/allTasks - Create and manage Office 365 support tickets.
    microsoft.office365.usageReports/allEntities/read - Read Office 365 usage reports.
    microsoft.office365.webPortal/allEntities/basic/read - Read basic properties on all resources in microsoft.office365.webPortal.
    microsoft.powerApps.dynamics365/allEntities/allTasks - Manage all aspects of Dynamics 365.
    microsoft.powerApps.powerBI/allEntities/allTasks - Manage all aspects of Power BI.
    microsoft.windows.defenderAdvancedThreatProtection/allEntities/read - Read all resources in microsoft.windows.defenderAdvancedThreatProtection.

    Compliance Administrator

    Can read and manage compliance configuration and reports in Azure AD and Office 365.

    Note

    This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

    Action - Description
    microsoft.azure.serviceHealth/allEntities/allTasks - Read and configure Azure Service Health.
    microsoft.azure.supportTickets/allEntities/allTasks - Create and manage Azure support tickets.
    microsoft.office365.webPortal/allEntities/basic/read - Read basic properties on all resources in microsoft.office365.webPortal.
    microsoft.office365.complianceManager/allEntities/allTasks - Manage all aspects of Office 365 Compliance Manager.
    microsoft.office365.exchange/allEntities/allTasks - Manage all aspects of Exchange Online.
    microsoft.office365.serviceHealth/allEntities/allTasks - Read and configure Office 365 Service Health.
    microsoft.office365.sharepoint/allEntities/allTasks - Create and delete all resources, and read and update standard properties in microsoft.office365.sharepoint.
    microsoft.office365.skypeForBusiness/allEntities/allTasks - Manage all aspects of Skype for Business Online.
    microsoft.office365.supportTickets/allEntities/allTasks - Create and manage Office 365 support tickets.

    CRM Service Administrator

    Can manage all aspects of the Dynamics 365 product.

    Note

    This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

    Action - Description
    microsoft.azure.serviceHealth/allEntities/allTasks - Read and configure Azure Service Health.
    microsoft.azure.supportTickets/allEntities/allTasks - Create and manage Azure support tickets.
    microsoft.powerApps.dynamics365/allEntities/allTasks - Manage all aspects of Dynamics 365.
    microsoft.office365.webPortal/allEntities/basic/read - Read basic properties on all resources in microsoft.office365.webPortal.
    microsoft.office365.serviceHealth/allEntities/allTasks - Read and configure Office 365 Service Health.
    microsoft.office365.supportTickets/allEntities/allTasks - Create and manage Office 365 support tickets.

    Customer LockBox Access Approver

    Can approve Microsoft support requests to access customer organizational data.

    Note

    This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

    Action - Description
    microsoft.office365.webPortal/allEntities/basic/read - Read basic properties on all resources in microsoft.office365.webPortal.
    microsoft.office365.lockbox/allEntities/allTasks - Manage all aspects of Office 365 Customer Lockbox.

    Exchange Service Administrator

    Can manage all aspects of the Exchange product. Within Azure AD itself, its directory rights are limited to Office 365 Groups (the groups/unified actions below), not to all group types.

    Note

    This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

    Action - Description
    microsoft.aad.directory/groups/unified/appRoleAssignments/update - Update groups.unified property in Azure Active Directory.
    microsoft.aad.directory/groups/unified/basic/update - Update basic properties of Office 365 Groups.
    microsoft.aad.directory/groups/unified/create - Create Office 365 Groups.
    microsoft.aad.directory/groups/unified/delete - Delete Office 365 Groups.
    microsoft.aad.directory/groups/unified/members/update - Update membership of Office 365 Groups.
    microsoft.aad.directory/groups/unified/owners/update - Update ownership of Office 365 Groups.
    microsoft.azure.serviceHealth/allEntities/allTasks - Read and configure Azure Service Health.
    microsoft.azure.supportTickets/allEntities/allTasks - Create and manage Azure support tickets.
    microsoft.office365.webPortal/allEntities/basic/read - Read basic properties on all resources in microsoft.office365.webPortal.
    microsoft.office365.exchange/allEntities/allTasks - Manage all aspects of Exchange Online.
    microsoft.office365.serviceHealth/allEntities/allTasks - Read and configure Office 365 Service Health.
    microsoft.office365.supportTickets/allEntities/allTasks - Create and manage Office 365 support tickets.

    External Identity Provider Administrator

    Configure identity providers for use in direct federation.

    Action - Description
    microsoft.aad.b2c/identityProviders/allTasks - Read and configure identity providers in Azure Active Directory B2C.

    Guest Inviter

    Can invite guest users independent of the "members can invite guests" setting.

    Action - Description
    microsoft.aad.directory/users/appRoleAssignments/read - Read users.appRoleAssignments property in Azure Active Directory.
    microsoft.aad.directory/users/basic/read - Read basic properties on users in Azure Active Directory.
    microsoft.aad.directory/users/directReports/read - Read users.directReports property in Azure Active Directory.
    microsoft.aad.directory/users/inviteGuest - Invite guest users in Azure Active Directory.
    microsoft.aad.directory/users/manager/read - Read users.manager property in Azure Active Directory.
    microsoft.aad.directory/users/memberOf/read - Read users.memberOf property in Azure Active Directory.
    microsoft.aad.directory/users/oAuth2PermissionGrants/basic/read - Read users.oAuth2PermissionGrants property in Azure Active Directory.
    microsoft.aad.directory/users/ownedDevices/read - Read users.ownedDevices property in Azure Active Directory.
    microsoft.aad.directory/users/ownedObjects/read - Read users.ownedObjects property in Azure Active Directory.
    microsoft.aad.directory/users/registeredDevices/read - Read users.registeredDevices property in Azure Active Directory.

    Helpdesk Administrator

    Can reset passwords for non-administrators and Helpdesk Administrators. Note that the action strings below do not express this target-user restriction; the restriction comes from the role definition, not from the action names.

    Action - Description
    microsoft.aad.directory/devices/bitLockerRecoveryKeys/read - Read devices.bitLockerRecoveryKeys property in Azure Active Directory.
    microsoft.aad.directory/users/invalidateAllRefreshTokens - Invalidate all user refresh tokens in Azure Active Directory.
    microsoft.aad.directory/users/password/update - Update passwords for all users in Azure Active Directory. See online documentation for more detail.
    microsoft.azure.serviceHealth/allEntities/allTasks - Read and configure Azure Service Health.
    microsoft.azure.supportTickets/allEntities/allTasks - Create and manage Azure support tickets.
    microsoft.office365.webPortal/allEntities/basic/read - Read basic properties on all resources in microsoft.office365.webPortal.
    microsoft.office365.serviceHealth/allEntities/allTasks - Read and configure Office 365 Service Health.
    microsoft.office365.supportTickets/allEntities/allTasks - Create and manage Office 365 support tickets.

    Intune Service Administrator

    Can manage all aspects of the Intune product.

    Note

    This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

    Action - Description
    microsoft.aad.directory/contacts/basic/update - Update basic properties on contacts in Azure Active Directory.
    microsoft.aad.directory/contacts/create - Create contacts in Azure Active Directory.
    microsoft.aad.directory/contacts/delete - Delete contacts in Azure Active Directory.
    microsoft.aad.directory/devices/basic/update - Update basic properties on devices in Azure Active Directory.
    microsoft.aad.directory/devices/bitLockerRecoveryKeys/read - Read devices.bitLockerRecoveryKeys property in Azure Active Directory.
    microsoft.aad.directory/devices/create - Create devices in Azure Active Directory.
    microsoft.aad.directory/devices/delete - Delete devices in Azure Active Directory.
    microsoft.aad.directory/devices/registeredOwners/update - Update devices.registeredOwners property in Azure Active Directory.
    microsoft.aad.directory/devices/registeredUsers/update - Update devices.registeredUsers property in Azure Active Directory.
    microsoft.aad.directory/groups/appRoleAssignments/update - Update groups.appRoleAssignments property in Azure Active Directory.
    microsoft.aad.directory/groups/basic/update - Update basic properties on groups in Azure Active Directory.
    microsoft.aad.directory/groups/create - Create groups in Azure Active Directory.
    microsoft.aad.directory/groups/createAsOwner - Create groups in Azure Active Directory. The creator is added as the first owner, and the created object counts against the creator's quota of 250 created objects.
    microsoft.aad.directory/groups/delete - Delete groups in Azure Active Directory.
    microsoft.aad.directory/groups/hiddenMembers/read - Read groups.hiddenMembers property in Azure Active Directory.
    microsoft.aad.directory/groups/members/update - Update groups.members property in Azure Active Directory.
    microsoft.aad.directory/groups/owners/update - Update groups.owners property in Azure Active Directory.
    microsoft.aad.directory/groups/restore - Restore groups in Azure Active Directory.
    microsoft.aad.directory/groups/settings/update - Update groups.settings property in Azure Active Directory.
    microsoft.aad.directory/users/appRoleAssignments/update - Update users.appRoleAssignments property in Azure Active Directory.
    microsoft.aad.directory/users/basic/update - Update basic properties on users in Azure Active Directory.
    microsoft.aad.directory/users/manager/update - Update users.manager property in Azure Active Directory.
    microsoft.azure.supportTickets/allEntities/allTasks - Create and manage Azure support tickets.
    microsoft.intune/allEntities/allTasks - Manage all aspects of Intune.
    microsoft.office365.supportTickets/allEntities/allTasks - Create and manage Office 365 support tickets.
    microsoft.office365.webPortal/allEntities/basic/read - Read basic properties on all resources in microsoft.office365.webPortal.

    Lync Service Administrator

    Can manage all aspects of the Skype for Business product.

    Note

    This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

    Action - Description
    microsoft.azure.serviceHealth/allEntities/allTasks - Read and configure Azure Service Health.
    microsoft.azure.supportTickets/allEntities/allTasks - Create and manage Azure support tickets.
    microsoft.office365.webPortal/allEntities/basic/read - Read basic properties on all resources in microsoft.office365.webPortal.
    microsoft.office365.serviceHealth/allEntities/allTasks - Read and configure Office 365 Service Health.
    microsoft.office365.skypeForBusiness/allEntities/allTasks - Manage all aspects of Skype for Business Online.
    microsoft.office365.supportTickets/allEntities/allTasks - Create and manage Office 365 support tickets.

    Power BI Service Administrator

    Can manage all aspects of the Power BI product.

    Note

    This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

    Action - Description
    microsoft.azure.serviceHealth/allEntities/allTasks - Read and configure Azure Service Health.
    microsoft.azure.supportTickets/allEntities/allTasks - Create and manage Azure support tickets.
    microsoft.powerApps.powerBI/allEntities/allTasks - Manage all aspects of Power BI.
    microsoft.office365.webPortal/allEntities/basic/read - Read basic properties on all resources in microsoft.office365.webPortal.
    microsoft.office365.serviceHealth/allEntities/allTasks - Read and configure Office 365 Service Health.
    microsoft.office365.supportTickets/allEntities/allTasks - Create and manage Office 365 support tickets.

    Privileged Authentication Administrator

    Allowed to view, set and reset authentication method information for any user (admin or non-admin).

    Actions | Description
    microsoft.aad.directory/users/invalidateAllRefreshTokens | Invalidate all user refresh tokens in Azure Active Directory.
    microsoft.aad.directory/users/strongAuthentication/update | Update strong authentication properties like MFA credential information.
    microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
    microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets.
    microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.
    microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health.
    microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets.

    Privileged Role Administrator

    Can manage role assignments in Azure AD, and all aspects of Privileged Identity Management.

    Note

    This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

    Actions | Description
    microsoft.aad.directory/directoryRoles/update | Update directoryRoles in Azure Active Directory.
    microsoft.aad.privilegedIdentityManagement/allEntities/allTasks | Create and delete all resources, and read and update standard properties in microsoft.aad.privilegedIdentityManagement.

    Security Administrator

    Can read security information and reports, and manage configuration in Azure AD and Office 365.

    Note

    This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

    Actions | Description
    microsoft.aad.directory/applications/policies/update | Update applications.policies property in Azure Active Directory.
    microsoft.aad.directory/auditLogs/allProperties/read | Read all properties (including privileged properties) on auditLogs in Azure Active Directory.
    microsoft.aad.directory/devices/bitLockerRecoveryKeys/read | Read devices.bitLockerRecoveryKeys property in Azure Active Directory.
    microsoft.aad.directory/policies/basic/update | Update basic properties on policies in Azure Active Directory.
    microsoft.aad.directory/policies/create | Create policies in Azure Active Directory.
    microsoft.aad.directory/policies/delete | Delete policies in Azure Active Directory.
    microsoft.aad.directory/policies/owners/update | Update policies.owners property in Azure Active Directory.
    microsoft.aad.directory/policies/tenantDefault/update | Update policies.tenantDefault property in Azure Active Directory.
    microsoft.aad.directory/servicePrincipals/policies/update | Update servicePrincipals.policies property in Azure Active Directory.
    microsoft.aad.directory/signInReports/allProperties/read | Read all properties (including privileged properties) on signInReports in Azure Active Directory.
    microsoft.aad.identityProtection/allEntities/read | Read all resources in microsoft.aad.identityProtection.
    microsoft.aad.identityProtection/allEntities/update | Update all resources in microsoft.aad.identityProtection.
    microsoft.aad.privilegedIdentityManagement/allEntities/read | Read all resources in microsoft.aad.privilegedIdentityManagement.
    microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
    microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.
    microsoft.office365.protectionCenter/allEntities/read | Read all aspects of Office 365 Protection Center.
    microsoft.office365.protectionCenter/allEntities/update | Update all resources in microsoft.office365.protectionCenter.
    microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health.

    Security Reader

    Can read security information and reports in Azure AD and Office 365.

    Note

    This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

    Actions | Description
    microsoft.aad.directory/auditLogs/allProperties/read | Read all properties (including privileged properties) on auditLogs in Azure Active Directory.
    microsoft.aad.directory/devices/bitLockerRecoveryKeys/read | Read devices.bitLockerRecoveryKeys property in Azure Active Directory.
    microsoft.aad.directory/signInReports/allProperties/read | Read all properties (including privileged properties) on signInReports in Azure Active Directory.
    microsoft.aad.identityProtection/allEntities/read | Read all resources in microsoft.aad.identityProtection.
    microsoft.aad.privilegedIdentityManagement/allEntities/read | Read all resources in microsoft.aad.privilegedIdentityManagement.
    microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
    microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.
    microsoft.office365.protectionCenter/allEntities/read | Read all aspects of Office 365 Protection Center.
    microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health.

    Service Support Administrator

    Can read service health information and manage support tickets.

    Note

    This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

    Actions | Description
    microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
    microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets.
    microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.
    microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health.
    microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets.

    SharePoint Service Administrator

    Can manage all aspects of the SharePoint service.

    Note

    This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

    Actions | Description
    microsoft.aad.directory/groups/unified/appRoleAssignments/update | Update groups.unified property in Azure Active Directory.
    microsoft.aad.directory/groups/unified/basic/update | Update basic properties of Office 365 Groups.
    microsoft.aad.directory/groups/unified/create | Create Office 365 Groups.
    microsoft.aad.directory/groups/unified/delete | Delete Office 365 Groups.
    microsoft.aad.directory/groups/unified/members/update | Update membership of Office 365 Groups.
    microsoft.aad.directory/groups/unified/owners/update | Update ownership of Office 365 Groups.
    microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
    microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets.
    microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.
    microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health.
    microsoft.office365.sharepoint/allEntities/allTasks | Create and delete all resources, and read and update standard properties in microsoft.office365.sharepoint.
    microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets.

    Teams Communications Administrator

    Can manage calling and meetings features within the Microsoft Teams service.

    Note

    This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

    Actions | Description
    microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
    microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets.
    microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.
    microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health.
    microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets.
    microsoft.office365.usageReports/allEntities/read | Read Office 365 usage reports.

    Teams Communications Support Engineer

    Can troubleshoot communications issues within Teams using advanced tools.

    Note

    This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

    Actions | Description
    microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
    microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.
    microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health.

    Teams Communications Support Specialist

    Can troubleshoot communications issues within Teams using basic tools.

    Note

    This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

    Actions | Description
    microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
    microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.
    microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health.

    Teams Service Administrator

    Can manage the Microsoft Teams service.

    Note

    This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

    Actions | Description
    microsoft.aad.directory/groups/hiddenMembers/read | Read groups.hiddenMembers property in Azure Active Directory.
    microsoft.aad.directory/groups/unified/appRoleAssignments/update | Update groups.unified property in Azure Active Directory.
    microsoft.aad.directory/groups/unified/basic/update | Update basic properties of Office 365 Groups.
    microsoft.aad.directory/groups/unified/create | Create Office 365 Groups.
    microsoft.aad.directory/groups/unified/delete | Delete Office 365 Groups.
    microsoft.aad.directory/groups/unified/members/update | Update membership of Office 365 Groups.
    microsoft.aad.directory/groups/unified/owners/update | Update ownership of Office 365 Groups.
    microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
    microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets.
    microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.
    microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health.
    microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets.
    microsoft.office365.usageReports/allEntities/read | Read Office 365 usage reports.

    User Administrator

    Can manage all aspects of users and groups, including resetting passwords for limited admins.

    Actions | Description
    microsoft.aad.directory/appRoleAssignments/create | Create appRoleAssignments in Azure Active Directory.
    microsoft.aad.directory/appRoleAssignments/delete | Delete appRoleAssignments in Azure Active Directory.
    microsoft.aad.directory/appRoleAssignments/update | Update appRoleAssignments in Azure Active Directory.
    microsoft.aad.directory/contacts/basic/update | Update basic properties on contacts in Azure Active Directory.
    microsoft.aad.directory/contacts/create | Create contacts in Azure Active Directory.
    microsoft.aad.directory/contacts/delete | Delete contacts in Azure Active Directory.
    microsoft.aad.directory/groups/appRoleAssignments/update | Update groups.appRoleAssignments property in Azure Active Directory.
    microsoft.aad.directory/groups/basic/update | Update basic properties on groups in Azure Active Directory.
    microsoft.aad.directory/groups/create | Create groups in Azure Active Directory.
    microsoft.aad.directory/groups/createAsOwner | Create groups in Azure Active Directory. The creator is added as the first owner, and the created object counts against the creator's 250 created objects quota.
    microsoft.aad.directory/groups/delete | Delete groups in Azure Active Directory.
    microsoft.aad.directory/groups/hiddenMembers/read | Read groups.hiddenMembers property in Azure Active Directory.
    microsoft.aad.directory/groups/members/update | Update groups.members property in Azure Active Directory.
    microsoft.aad.directory/groups/owners/update | Update groups.owners property in Azure Active Directory.
    microsoft.aad.directory/groups/restore | Restore groups in Azure Active Directory.
    microsoft.aad.directory/groups/settings/update | Update groups.settings property in Azure Active Directory.
    microsoft.aad.directory/users/appRoleAssignments/update | Update users.appRoleAssignments property in Azure Active Directory.
    microsoft.aad.directory/users/assignLicense | Manage licenses on users in Azure Active Directory.
    microsoft.aad.directory/users/basic/update | Update basic properties on users in Azure Active Directory.
    microsoft.aad.directory/users/create | Create users in Azure Active Directory.
    microsoft.aad.directory/users/delete | Delete users in Azure Active Directory.
    microsoft.aad.directory/users/invalidateAllRefreshTokens | Invalidate all user refresh tokens in Azure Active Directory.
    microsoft.aad.directory/users/manager/update | Update users.manager property in Azure Active Directory.
    microsoft.aad.directory/users/password/update | Update passwords for all users in Azure Active Directory. See the online documentation for more detail.
    microsoft.aad.directory/users/restore | Restore deleted users in Azure Active Directory.
    microsoft.aad.directory/users/userPrincipalName/update | Update users.userPrincipalName property in Azure Active Directory.
    microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
    microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets.
    microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.
    microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health.
    microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets.

    Role template IDs

    Role template IDs are used mainly by Graph API or PowerShell users, where a role is addressed by its template ID rather than by its display name.

    Graph displayName | Azure portal display name | directoryRoleTemplateId
    Application Administrator | Application administrator | 9B895D92-2CD3-44C7-9D02-A6AC2D5EA5C3
    Application Developer | Application developer | CF1C38E5-3621-4004-A7CB-879624DCED7C
    Authentication Administrator | Authentication administrator | c4e39bd9-1100-46d3-8c65-fb160da0071f
    Billing Administrator | Billing administrator | b0f54661-2d74-4c50-afa3-1ec803f12efe
    Desktop Analytics Administrator | Desktop Analytics Administrator | 38a96431-2bdf-4b4c-8b6e-5d3d8abac1a4
    Cloud Application Administrator | Cloud application administrator | 158c047a-c907-4556-b7ef-446551a6b5f7
    Company Administrator | Global administrator | 62e90394-69f5-4237-9190-012177145e10
    Compliance Administrator | Compliance administrator | 17315797-102d-40b4-93e0-432062caca18
    CRM Service Administrator | Dynamics 365 administrator | 44367163-eba1-44c3-98af-f5787879f96a
    Customer LockBox Access Approver | Customer Lockbox access approver | 5c4f9dcd-47dc-4cf7-8c9a-9e4207cbfc91
    Device Administrators | Device administrators | 9f06204d-73c1-4d4c-880a-6edb90606fd8
    Device Join | Device join | 9c094953-4995-41c8-84c8-3ebb9b32c93f
    Device Managers | Device managers | 2b499bcd-da44-4968-8aec-78e1674fa64d
    Device Users | Device users | d405c6df-0af8-4e3b-95e4-4d06e542189e
    Directory Readers | Directory readers | 88d8e3e3-8f55-4a1e-953a-9b9898b8876b
    Directory Synchronization Accounts | Directory synchronization accounts | d29b2b05-8046-44ba-8758-1e26182fcf32
    Directory Writers | Directory writers | 9360feb5-f418-4baa-8175-e2a00bac4301
    Exchange Service Administrator | Exchange administrator | 29232cdf-9323-42fd-ade2-1d097af3e4de
    Guest Inviter | Guest inviter | 95e79109-95c0-4d8e-aee3-d01accf2d47b
    Helpdesk Administrator | Password administrator | 729827e3-9c14-49f7-bb1b-9608f156bbb8
    Intune Service Administrator | Intune administrator | 3a2c62db-5318-420d-8d74-23affee5d9d5
    Lync Service Administrator | Skype for Business administrator | 75941009-915a-4869-abe7-691bff18279e
    Power BI Service Administrator | Power BI administrator | a9ea8996-122f-4c74-9520-8edcd192826c
    Privileged Authentication Administrator | Privileged authentication administrator | 7be44c8a-adaf-4e2a-84d6-ab2649e08a13
    Privileged Role Administrator | Privileged role administrator | e8611ab8-c189-46e8-94e1-60213ab1f814
    Security Administrator | Security administrator | 194ae4cb-b126-40b2-bd5b-6091b380977d
    Security Reader | Security reader | 5d6b6bb7-de71-4623-b4af-96380a352509
    Service Support Administrator | Service administrator | f023fd81-a637-4b56-95fd-791ac0226033
    SharePoint Service Administrator | Sharepoint administrator | f28a1f50-f6e7-4571-818b-6a12f2af6b6c
    Teams Communications Administrator | Teams Communications Administrator | baf37b3a-610e-45da-9e62-d9d1e5e8914b
    Teams Communications Support Engineer | Teams Communications Support Engineer | f70938a0-fc10-4177-9e90-2178f8765737
    Teams Communications Support Specialist | Teams Communications Support Specialist | fcf91098-03e3-41a9-b5ba-6f0ec8188a12
    Teams Service Administrator | Teams Service Administrator | 69091246-20e8-4a56-aa4d-066075b2a7a8
    User | User | a0b1b346-4d3e-4e8b-98f8-753987be4970
    User Account Administrator | User administrator | fe930be7-5e62-47db-91af-98c3a49a38b1
    Workplace Device Join | Workplace device join | c34f683f-4d5a-4403-affd-6615e00e3a7f
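    As an added example (not part of the original page), the following Azure AD PowerShell script uses the template IDs from the table above to audit membership of the most privileged roles, which supports the guidance earlier on this page that the Global Administrator role be held by only a few people. It assumes the AzureAD module is installed and Connect-AzureAD has already been run with an account that can read directory roles; the member threshold is an assumption for this example, not a Microsoft recommendation.

```powershell
# Added example, not code from Microsoft's documentation.
# Audit who holds the highest-privilege Azure AD roles, addressed by template ID.
# Assumes: AzureAD module installed and Connect-AzureAD already run.

# Template IDs are taken from the role template ID table on this page.
$privilegedRoles = [ordered]@{
    '62e90394-69f5-4237-9190-012177145e10' = 'Global Administrator (Company Administrator)'
    'e8611ab8-c189-46e8-94e1-60213ab1f814' = 'Privileged Role Administrator'
    '7be44c8a-adaf-4e2a-84d6-ab2649e08a13' = 'Privileged Authentication Administrator'
    'fe930be7-5e62-47db-91af-98c3a49a38b1' = 'User Administrator (User Account Administrator)'
    '194ae4cb-b126-40b2-bd5b-6091b380977d' = 'Security Administrator'
}
$maxMembers = 5   # constructed threshold for this example; tune to your own policy

# Get-AzureADDirectoryRole only returns roles that have been activated in the
# tenant. A role that has never had a member assigned does not appear at all,
# which for an audit simply means it has zero members.
$activeRoles = Get-AzureADDirectoryRole

foreach ($templateId in $privilegedRoles.Keys) {
    $roleName = $privilegedRoles[$templateId]
    $role = $activeRoles | Where-Object { $_.RoleTemplateId -eq $templateId }

    if (-not $role) {
        Write-Output ("{0}: not activated in this tenant (0 members)" -f $roleName)
        continue
    }

    # Members can be users, groups or service principals; all are returned here.
    $members = @(Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId)
    $status = if ($members.Count -gt $maxMembers) { 'REVIEW' } else { 'ok' }
    Write-Output ("{0}: {1} member(s) [{2}]" -f $roleName, $members.Count, $status)

    foreach ($m in $members) {
        # UserPrincipalName is empty for groups and service principals, so the
        # ObjectType column is what tells you which kind of principal holds the role.
        Write-Output ("    {0} | {1} | {2}" -f $m.ObjectType, $m.DisplayName, $m.UserPrincipalName)
    }
}
```

    Only active assignments are listed; eligible assignments made through Privileged Identity Management are not returned by Get-AzureADDirectoryRoleMember and need to be reviewed in PIM separately.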

    Deprecated roles

    The following roles should not be used. They have been deprecated and will be removed from Azure AD in the future.

    • AdHoc License Administrator
    • Device Join
    • Device Managers
    • Device Users
    • Email Verified User Creator
    • Mailbox Administrator
    • Workplace Device Join

    Next steps