Administrator role permissions in Azure Active Directory

Using Azure Active Directory (Azure AD), you can designate limited administrators to manage identity tasks in less-privileged roles. Administrators can be assigned for such purposes as adding or changing users, assigning administrative roles, resetting user passwords, managing user licenses, and managing domain names. The default user permissions can be changed only in user settings in Azure AD.

Limit use of Global administrator

Users who are assigned to the Global administrator role can read and modify every administrative setting in your Azure AD organization. By default, when a user signs up for an Azure cloud service, an Azure AD tenant is created and the user is made a member of the Global Administrator role. When you add a subscription to an existing tenant, you aren't assigned to the Global Administrator role. Only Global administrators and Privileged Role administrators can delegate administrator roles. To reduce the risk to your business, we recommend that you assign this role to the fewest possible people in your organization.

As a best practice, we recommend that you assign this role to fewer than five people in your organization. If you have more than five admins assigned to the Global Administrator role in your organization, here are some ways to reduce its use.

Find the role you need

If it's hard to find the role you need in a long list of roles, Azure AD can show you subsets of the roles based on role categories. Check out our new Type filter for Azure AD Roles and administrators to show you only the roles in the selected type.

A role exists now that didn't exist when you assigned the Global administrator role

It's possible that a role or roles were added to Azure AD that provide more granular permissions and that were not an option when you elevated some users to Global administrator. Over time, we are rolling out additional roles that accomplish tasks that only the Global administrator role could do before. You can see these reflected in the Available roles section below.

Assign or remove administrator roles

To learn how to assign administrative roles to a user in Azure Active Directory, see View and assign administrator roles in Azure Active Directory.

Note

If you have an Azure AD Premium P2 license and you're already a Privileged Identity Management (PIM) user, all role management tasks are performed in Privileged Identity Management and not in Azure AD.

Azure AD roles managed in PIM for users who already use PIM and have a Premium P2 license

Available roles

The following administrator roles are available:

Application Administrator

Users in this role can create and manage all aspects of enterprise applications and application registrations. Note that users assigned to this role are not added as owners when creating new application registrations or enterprise applications.

This role also grants the ability to consent to delegated permissions and application permissions, with the exception of permissions on the Microsoft Graph API.

Important

This exception means that you can still consent to permissions for other apps (for example, non-Microsoft apps or apps that you have registered), but not to permissions on Azure AD itself. You can still request these permissions as part of the app registration, but granting (that is, consenting to) these permissions requires an Azure AD admin. This means that a malicious user cannot easily elevate their permissions, for example by creating and consenting to an app that can write to the entire directory and through that app's permissions elevate themselves to become a global admin.

This role grants the ability to manage application credentials. Users assigned this role can add credentials to an application, and use those credentials to impersonate the application's identity. If the application's identity has been granted access to a resource, such as the ability to create or update User or other objects, then a user assigned to this role could perform those actions while impersonating the application. This ability to impersonate the application's identity may be an elevation of privilege over what the user can do via their role assignments. It is important to understand that assigning a user to the Application Administrator role gives them the ability to impersonate an application's identity.

Application Developer

Users in this role can create application registrations when the "Users can register applications" setting is set to No. This role also grants permission to consent on one's own behalf when the "Users can consent to apps accessing company data on their behalf" setting is set to No. Users assigned to this role are added as owners when creating new application registrations or enterprise applications.

Authentication Administrator

Users with this role can set or reset non-password credentials for some users and can update passwords for all users. Authentication administrators can require users who are non-administrators or assigned to some roles to re-register against existing non-password credentials (for example, MFA or FIDO), and can also revoke "remember MFA on the device", which prompts for MFA on the next sign-in. These actions apply only to users who are non-administrators or who are assigned one or more of the following roles:

  • Authentication Administrator
  • Directory Readers
  • Guest Inviter
  • Message Center Reader
  • Reports Reader

The Privileged Authentication Administrator role has permission to force re-registration and multi-factor authentication for all users.

Important

Users with this role can change credentials for people who may have access to sensitive or private information or critical configuration inside and outside of Azure Active Directory. Changing the credentials of a user may mean the ability to assume that user's identity and permissions. For example:

  • Application Registration and Enterprise Application owners, who can manage credentials of apps they own. Those apps may have privileged permissions in Azure AD and elsewhere not granted to Authentication Administrators. Through this path an Authentication Administrator may be able to assume the identity of an application owner and then further assume the identity of a privileged application by updating the credentials for the application.
  • Azure subscription owners, who may have access to sensitive or private information or critical configuration in Azure.
  • Security Group and Microsoft 365 group owners, who can manage group membership. Those groups may grant access to sensitive or private information or critical configuration in Azure AD and elsewhere.
  • Administrators in other services outside of Azure AD like Exchange Online, Office Security and Compliance Center, and human resources systems.
  • Non-administrators like executives, legal counsel, and human resources employees who may have access to sensitive or private information.

Azure DevOps Administrator

Users with this role can manage the Azure DevOps policy to restrict new Azure DevOps organization creation to a set of configurable users or groups. Users in this role can manage this policy through any Azure DevOps organization that is backed by the company's Azure AD organization.

All enterprise Azure DevOps policies can be managed by users in this role.

Azure Information Protection Administrator

Users with this role have all permissions in the Azure Information Protection service. This role allows configuring labels for the Azure Information Protection policy, managing protection templates, and activating protection. This role does not grant any permissions in Identity Protection Center, Privileged Identity Management, Monitor Microsoft 365 Service Health, or Office 365 Security & Compliance Center.

B2C IEF Keyset Administrator

Users can create and manage policy keys and secrets for token encryption, token signatures, and claim encryption/decryption. By adding new keys to existing key containers, this limited administrator can roll over secrets as needed without impacting existing applications. This user can see the full content of these secrets and their expiration dates even after their creation.

Important

This is a sensitive role. The keyset administrator role should be carefully audited and assigned with care during pre-production and production.

B2C IEF Policy Administrator

Users in this role have the ability to create, read, update, and delete all custom policies in Azure AD B2C and therefore have full control over the Identity Experience Framework in the relevant Azure AD B2C organization. By editing policies, this user can establish direct federation with external identity providers, change the directory schema, change all user-facing content (HTML, CSS, JavaScript), change the requirements to complete an authentication, create new users, send user data to external systems including full migrations, and edit all user information including sensitive fields like passwords and phone numbers. Conversely, this role cannot change the encryption keys or edit the secrets used for federation in the organization.

Important

The B2C IEF Policy Administrator is a highly sensitive role which should be assigned on a very limited basis for organizations in production. Activities by these users should be closely audited, especially for organizations in production.

Billing Administrator

Makes purchases, manages subscriptions, manages support tickets, and monitors service health.

Cloud Application Administrator

Users in this role have the same permissions as the Application Administrator role, excluding the ability to manage application proxy. This role grants the ability to create and manage all aspects of enterprise applications and application registrations. This role also grants the ability to consent to delegated permissions, and application permissions excluding Microsoft Graph and Azure AD Graph. Users assigned to this role are not added as owners when creating new application registrations or enterprise applications.

Important

This role grants the ability to manage application credentials. Users assigned this role can add credentials to an application, and use those credentials to impersonate the application's identity. If the application's identity has been granted access to a resource, such as the ability to create or update User or other objects, then a user assigned to this role could perform those actions while impersonating the application. This ability to impersonate the application's identity may be an elevation of privilege over what the user can do via their role assignments. It is important to understand that assigning a user to the Cloud Application Administrator role gives them the ability to impersonate an application's identity.

Cloud Device Administrator

Users in this role can enable, disable, and delete devices in Azure AD and read Windows 10 BitLocker keys (if present) in the Azure portal. The role does not grant permissions to manage any other properties on the device.

Compliance Administrator

Users with this role have permissions to manage compliance-related features in the Microsoft 365 compliance center, Microsoft 365 admin center, Azure, and Office 365 Security & Compliance Center. Assignees can also manage all features within the Exchange admin center and Teams & Skype for Business admin centers and create support tickets for Azure and Microsoft 365. More information is available at About Microsoft 365 admin roles.

In: Microsoft 365 compliance center
Can do:
  • Protect and manage your organization's data across Microsoft 365 services
  • Manage compliance alerts

In: Compliance Manager
Can do:
  • Track, assign, and verify your organization's regulatory compliance activities

In: Office 365 Security & Compliance Center
Can do:
  • Manage data governance
  • Perform legal and data investigation
  • Manage Data Subject Request
  This role has the same permissions as the Compliance Administrator RoleGroup in Office 365 Security & Compliance Center role-based access control.

In: Intune
Can do:
  • View all Intune audit data

In: Cloud App Security
Can do:
  • Has read-only permissions and can manage alerts
  • Can create and modify file policies and allow file governance actions
  • Can view all the built-in reports under Data Management

Compliance Data Administrator

Users with this role have permissions to track data in the Microsoft 365 compliance center, Microsoft 365 admin center, and Azure. Users can also track compliance data within the Exchange admin center, Compliance Manager, and Teams & Skype for Business admin center and create support tickets for Azure and Microsoft 365. This documentation has details on the differences between Compliance Administrator and Compliance Data Administrator.

In: Microsoft 365 compliance center
Can do:
  • Monitor compliance-related policies across Microsoft 365 services
  • Manage compliance alerts

In: Compliance Manager
Can do:
  • Track, assign, and verify your organization's regulatory compliance activities

In: Office 365 Security & Compliance Center
Can do:
  • Manage data governance
  • Perform legal and data investigation
  • Manage Data Subject Request
  This role has the same permissions as the Compliance Data Administrator RoleGroup in Office 365 Security & Compliance Center role-based access control.

In: Intune
Can do:
  • View all Intune audit data

In: Cloud App Security
Can do:
  • Has read-only permissions and can manage alerts
  • Can create and modify file policies and allow file governance actions
  • Can view all the built-in reports under Data Management

Conditional Access Administrator

Users with this role have the ability to manage Azure Active Directory Conditional Access settings.

Customer Lockbox access approver

Manages Customer Lockbox requests in your organization. They receive email notifications for Customer Lockbox requests and can approve and deny requests from the Microsoft 365 admin center. They can also turn the Customer Lockbox feature on or off. Only global admins can reset the passwords of people assigned to this role.

Desktop Analytics Administrator

Users in this role can manage the Desktop Analytics and Office Customization & Policy services. For Desktop Analytics, this includes the ability to view asset inventory, create deployment plans, and view deployment and health status. For the Office Customization & Policy service, this role enables users to manage Office policies.

Directory Readers

Users in this role can read basic directory information. This role should be used for:

  • Granting a specific set of guest users read access instead of granting it to all guest users.
  • Granting a specific set of non-admin users access to the Azure portal when "Restrict access to Azure AD portal to admins only" is set to "Yes".
  • Granting service principals access to the directory where Directory.Read.All is not an option.

Dynamics 365 administrator / CRM Administrator

Users with this role have global permissions within Microsoft Dynamics 365 Online, when the service is present, as well as the ability to manage support tickets and monitor service health. More information at Use the service admin role to manage your Azure AD organization.

Note

In the Microsoft Graph API and Azure AD PowerShell, this role is identified as "Dynamics 365 Service Administrator." It is "Dynamics 365 Administrator" in the Azure portal.

Exchange Administrator

Users with this role have global permissions within Microsoft Exchange Online, when the service is present. Also has the ability to create and manage all Microsoft 365 groups, manage support tickets, and monitor service health. More information at About Microsoft 365 admin roles.

Note

In the Microsoft Graph API and Azure AD PowerShell, this role is identified as "Exchange Service Administrator." It is "Exchange Administrator" in the Azure portal. It is "Exchange Online administrator" in the Exchange admin center.

External ID User Flow Administrator

Users with this role can create and manage user flows (also called "built-in" policies) in the Azure portal. These users can customize HTML/CSS/JavaScript content, change MFA requirements, select claims in the token, manage API connectors, and configure session settings for all user flows in the Azure AD organization. On the other hand, this role does not include the ability to review user data or make changes to the attributes that are included in the organization schema. Changes to Identity Experience Framework policies (also known as custom policies) are also outside the scope of this role.

External ID User Flow Attribute Administrator

Users with this role can add or delete custom attributes available to all user flows in the Azure AD organization. As such, users with this role can change or add new elements to the end-user schema and impact the behavior of all user flows, and indirectly result in changes to what data may be asked of end users and ultimately sent as claims to applications. This role cannot edit user flows.

External Identity Provider Administrator

This administrator manages federation between Azure AD organizations and external identity providers. With this role, users can add new identity providers and configure all available settings (e.g. authentication path, service ID, assigned key containers). This user can enable the Azure AD organization to trust authentications from external identity providers. The resulting impact on end-user experiences depends on the type of organization:

  • Azure AD organizations for employees and partners: The addition of a federation (e.g. with Gmail) will immediately impact all guest invitations not yet redeemed.
  • Azure Active Directory B2C organizations: The addition of a federation (for example, with another Azure AD organization) does not immediately impact end-user flows until the identity provider is added as an option in a user flow (also called a built-in policy). To change user flows, the limited role of "B2C User Flow Administrator" is required.

Global Administrator / Company Administrator

Users with this role have access to all administrative features in Azure Active Directory, as well as services that use Azure Active Directory identities like Microsoft 365 security center, Microsoft 365 compliance center, Exchange Online, SharePoint Online, and Skype for Business Online. Furthermore, Global Admins can elevate their access to manage all Azure subscriptions and management groups. This allows Global Admins to get full access to all Azure resources using the respective Azure AD Tenant. The person who signs up for the Azure AD organization becomes a global administrator. There can be more than one global administrator at your company. Global admins can reset the password for any user and all other administrators.

Note

In the Microsoft Graph API and Azure AD PowerShell, this role is identified as "Company Administrator". It is "Global Administrator" in the Azure portal.

Global Reader

Users in this role can read settings and administrative information across Microsoft 365 services but can't take management actions. Global reader is the read-only counterpart to Global administrator. Assign Global reader instead of Global administrator for planning, audits, or investigations. Use Global reader in combination with other limited admin roles like Exchange Administrator to make it easier to get work done without assigning the Global Administrator role. Global reader works with Microsoft 365 admin center, Exchange admin center, SharePoint admin center, Teams admin center, Security center, Compliance center, Azure AD admin center, and Device Management admin center.

Note

The Global reader role currently has a few limitations:

  • OneDrive admin center - OneDrive admin center does not support the Global reader role.
  • M365 admin center - Global reader can't read customer lockbox requests. You won't find the Customer lockbox requests tab under Support in the left pane of M365 Admin Center.
  • Office Security & Compliance Center - Global reader can't read SCC audit logs, do content search, or see Secure Score.
  • Teams admin center - Global reader cannot read Teams lifecycle, Analytics & reports, IP phone device management and App catalog.
  • Privileged Access Management (PAM) doesn't support the Global reader role. These features are currently in development.

Groups Administrator

Users in this role can create/manage groups and their settings like naming and expiration policies. It is important to understand that assigning a user to this role gives them the ability to manage all groups in the organization across various workloads like Teams, SharePoint, Yammer in addition to Outlook. Also the user will be able to manage the various group settings across various admin portals like Microsoft Admin Center, Azure portal, as well as workload specific ones like Teams and SharePoint Admin Centers.

Guest Inviter

Users in this role can manage Azure Active Directory B2B guest user invitations when the "Members can invite" user setting is set to No. More information about B2B collaboration at About Azure AD B2B collaboration. It does not include any other permissions.

Helpdesk Administrator

Users with this role can change passwords, invalidate refresh tokens, manage service requests, and monitor service health. Invalidating a refresh token forces the user to sign in again. Helpdesk administrators can reset passwords and invalidate refresh tokens of other users who are non-administrators or assigned the following roles only:

  • Directory Readers
  • Guest Inviter
  • Helpdesk Administrator
  • Message Center Reader
  • Password Administrator
  • Reports Reader
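The scope lists above (for the Helpdesk Administrator here and for the Authentication Administrator earlier) and the "fewer than five Global Administrators" guidance can be checked against an export of role assignments. The following is an added example, not Microsoft's code: the user names, the (role, user) tuple shape, and the reading of "non-administrators or assigned the following roles only" as "every role the user holds is on the list" are assumptions.

```python
"""Audit helpers for Azure AD directory-role assignments.

Added example (not Microsoft's code). It runs offline on a constructed list of
role assignments; in practice you would export the members of each
directoryRole (Microsoft Graph or Azure AD PowerShell) into the same shape.
"""
from collections import defaultdict

# The only administrator roles whose holders a Helpdesk Administrator may
# reset passwords / invalidate refresh tokens for (the list on the page).
HELPDESK_RESETTABLE_ROLES = frozenset({
    "Directory Readers",
    "Guest Inviter",
    "Helpdesk Administrator",
    "Message Center Reader",
    "Password Administrator",
    "Reports Reader",
})

# The only administrator roles whose holders an Authentication Administrator
# may reset non-password credentials / force MFA re-registration for.
AUTH_ADMIN_RESETTABLE_ROLES = frozenset({
    "Authentication Administrator",
    "Directory Readers",
    "Guest Inviter",
    "Message Center Reader",
    "Reports Reader",
})

GLOBAL_ADMIN_ROLE = "Global Administrator"
GLOBAL_ADMIN_MAX = 4  # page guidance: fewer than five people hold the role

# Constructed sample data: (role display name, user principal name).
SAMPLE_ASSIGNMENTS = [
    ("Global Administrator", "alice@contoso.example"),
    ("Global Administrator", "bob@contoso.example"),
    ("Global Administrator", "carol@contoso.example"),
    ("Global Administrator", "dave@contoso.example"),
    ("Global Administrator", "erin@contoso.example"),
    ("Helpdesk Administrator", "frank@contoso.example"),
    ("Reports Reader", "grace@contoso.example"),
    ("Reports Reader", "heidi@contoso.example"),
    ("Exchange Administrator", "heidi@contoso.example"),
    ("Authentication Administrator", "ivan@contoso.example"),
]
# Constructed directory: judy holds no role at all (a non-administrator).
SAMPLE_USERS = [u for _, u in SAMPLE_ASSIGNMENTS] + ["judy@contoso.example"]


def roles_by_user(assignments):
    """Map each user to the set of directory roles assigned to them."""
    roles = defaultdict(set)
    for role, user in assignments:
        roles[user].add(role)
    return roles


def global_admin_check(assignments):
    """Return (member count, True if within the 'fewer than five' guidance)."""
    members = {user for role, user in assignments if role == GLOBAL_ADMIN_ROLE}
    return len(members), len(members) <= GLOBAL_ADMIN_MAX


def resettable_by(assignments, all_users, allowed_roles):
    """Users whose credentials a holder of the scoped role may reset.

    Assumption (our reading of the page): a user is in scope when they are a
    non-administrator (no roles) or every role they hold is in allowed_roles.
    A user holding any other role, e.g. Exchange Administrator, is out of
    scope even if they also hold an allowed role such as Reports Reader.
    """
    roles = roles_by_user(assignments)
    return {u for u in set(all_users) if roles.get(u, set()) <= allowed_roles}


def audit(assignments, all_users):
    """Summarise the blast radius of the delegated roles discussed on the page."""
    count, ok = global_admin_check(assignments)
    return {
        "global_admin_count": count,
        "global_admin_within_guidance": ok,
        "helpdesk_admin_can_reset": sorted(
            resettable_by(assignments, all_users, HELPDESK_RESETTABLE_ROLES)),
        "auth_admin_can_reset": sorted(
            resettable_by(assignments, all_users, AUTH_ADMIN_RESETTABLE_ROLES)),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_ASSIGNMENTS, SAMPLE_USERS).items():
        print(f"{key}: {value}")
```

Note that heidi is excluded from both scopes although she holds Reports Reader, because her Exchange Administrator assignment makes her an administrator outside the listed roles.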

Important

Users with this role can change passwords for people who may have access to sensitive or private information or critical configuration inside and outside of Azure Active Directory. Changing the password of a user may mean the ability to assume that user's identity and permissions. For example:

  • Application Registration and Enterprise Application owners, who can manage credentials of apps they own. Those apps may have privileged permissions in Azure AD and elsewhere not granted to Helpdesk Administrators. Through this path a Helpdesk Administrator may be able to assume the identity of an application owner and then further assume the identity of a privileged application by updating the credentials for the application.
  • Azure subscription owners, who might have access to sensitive or private information or critical configuration in Azure.
  • Security Group and Microsoft 365 group owners, who can manage group membership. Those groups may grant access to sensitive or private information or critical configuration in Azure AD and elsewhere.
  • Administrators in other services outside of Azure AD like Exchange Online, Office Security and Compliance Center, and human resources systems.
  • Non-administrators like executives, legal counsel, and human resources employees who may have access to sensitive or private information.

Delegating administrative permissions over subsets of users and applying policies to a subset of users is possible with Administrative Units (now in public preview).

This role was previously called "Password Administrator" in the Azure portal. The "Helpdesk Administrator" name in Azure AD now matches its name in Azure AD PowerShell and the Microsoft Graph API.

混合标识管理员Hybrid Identity Administrator

充当此角色的用户可以启用、配置和管理与在 Azure AD 中启用混合标识相关的服务及设置。Users in this role can enable, configure and manage services and settings related to enabling hybrid identity in Azure AD. 此角色授予将 Azure AD 配置为三种受支持的身份验证方法之一(密码哈希同步 (PHS)、直通身份验证 (PTA),或联合身份验证(AD FS 或第三方联合身份验证提供程序)),以及部署相关本地基础结构来启用这些方法的能力。This role grants the ability to configure Azure AD to one of the three supported authentication methods, Password hash synchronization (PHS), Pass-through authentication (PTA) or Federation (AD FS or 3rd party federation provider), and to deploy related on-premises infrastructure to enable them. 本地基础结构包括预配和 PTA 代理。On-prem infrastructure includes Provisioning and PTA agents. 此角色授予在非 Windows 10 设备或非 Windows Server 2016 计算机上启用无缝单一登录 (SSO) 以实现无缝身份验证的能力。This role grants the ability to enable Seamless Single Sign-On (S-SSO) to enable seamless authentication on non-Windows 10 devices or non-Windows Server 2016 computers. 此外,此角色授予查看登录日志以及访问运行状况和分析数据的能力,以便进行监视和故障排除。In addition, this role grants the ability to see sign-in logs and access to health and analytics for monitoring and troubleshooting purposes.

Insights Administrator

Users in this role can access the full set of administrative capabilities in the M365 Insights application. This role has the ability to read directory information, monitor service health, file support tickets, and access the Insights admin settings.

Insights Business Leader

Users in this role can access a set of dashboards and insights via the M365 Insights application. This includes full access to all dashboards, the presented insights, and the data exploration functionality. Users in this role do not have access to product configuration settings, which are the responsibility of the Insights Administrator role.

Intune Administrator

Users with this role have global permissions within Microsoft Intune Online, when the service is present. Additionally, this role includes the ability to manage users and devices in order to associate policy, as well as to create and manage groups. More information at Role-based administration control (RBAC) with Microsoft Intune.

This role can create and manage all security groups. However, the Intune Administrator does not have admin rights over Office groups. That means the admin cannot update the owners or membership of all Office groups in the organization. They can, however, manage any Office group they create themselves, which is part of their end-user privileges. So any Office group (not security group) they create counts against their quota of 250.

Note

In the Microsoft Graph API and Azure AD PowerShell, this role is identified as "Intune Service Administrator". It is "Intune Administrator" in the Azure portal.

Kaizala Administrator

Users with this role have global permissions to manage settings within Microsoft Kaizala, when the service is present, as well as the ability to manage support tickets and monitor service health. Additionally, the user can access reports related to the adoption and usage of Kaizala by organization members, and business reports generated using Kaizala actions.

License Administrator

Users in this role can add, remove, and update license assignments on users and groups (using group-based licensing), and can manage the usage location on users. The role does not grant the ability to purchase or manage subscriptions, create or manage groups, or create or manage users beyond the usage location. This role has no access to view, create, or manage support tickets.

Message Center Privacy Reader

Users in this role can monitor all notifications in the Message Center, including data privacy messages. Message Center Privacy Readers get email notifications, including those related to data privacy, and they can unsubscribe using Message Center Preferences. Only the Global Administrator and the Message Center Privacy Reader can read data privacy messages. Additionally, this role includes the ability to view groups, domains, and subscriptions. This role has no permission to view, create, or manage service requests.

Message Center Reader

Users in this role can monitor notifications and advisory health updates in the Message center for their organization on configured services such as Exchange, Intune, and Microsoft Teams. Message Center Readers receive weekly email digests of posts and updates, and can share message center posts in Microsoft 365. In Azure AD, users assigned to this role have only read-only access to Azure AD services such as users and groups. This role has no access to view, create, or manage support tickets.

Network Administrator

Users in this role can review network perimeter architecture recommendations from Microsoft that are based on network telemetry from their user locations. Network performance for Microsoft 365 relies on careful enterprise customer network perimeter architecture, which is generally specific to user location. This role allows editing of discovered user locations and configuration of network parameters for those locations, to facilitate improved telemetry measurements and design recommendations.

Office Apps Administrator

Users in this role can manage the cloud settings of Microsoft 365 apps. This includes managing cloud policies, self-service download management, and the ability to view reports related to Office apps. This role additionally grants the ability to manage support tickets and monitor service health within the main admin center. Users assigned to this role can also manage communication of new features in Office apps.

Password Administrator

Users with this role have limited ability to manage passwords. This role does not grant the ability to manage service requests or monitor service health. Password Administrators can reset passwords only for other users who are non-administrators or members of the following roles:

  • Directory Readers
  • Guest Inviter
  • Password Administrator

Power BI Administrator

Users with this role have global permissions within Power BI, when the service is present, as well as the ability to manage support tickets and monitor service health. More information at Understanding the Power BI admin role.

Note

In the Microsoft Graph API and Azure AD PowerShell, this role is identified as "Power BI Service Administrator". It is "Power BI Administrator" in the Azure portal.

Power Platform Administrator

Users in this role can create and manage all aspects of environments, PowerApps, Flows, and Data Loss Prevention policies. Additionally, users with this role have the ability to manage support tickets and monitor service health.

Printer Administrator

Users in this role can register printers and manage all aspects of all printer configurations in the Microsoft Universal Print solution, including the Universal Print Connector settings. They can consent to all delegated print permission requests. Printer Administrators also have access to print reports.

Printer Technician

Users with this role can register printers and manage printer status in the Microsoft Universal Print solution. They can also read all connector information. The key tasks a Printer Technician cannot do are setting user permissions on printers and sharing printers.

Privileged Authentication Administrator

Users with this role can set or reset non-password credentials for all users, including Global Administrators, and can update passwords for all users. Privileged Authentication Administrators can force users to re-register against an existing non-password credential (such as MFA or FIDO) and revoke 'remember MFA on the device', prompting for MFA on the next sign-in of all users. The Authentication Administrator role, by contrast, can force re-registration and MFA only for non-admins and for users assigned to the following Azure AD roles:

  • Authentication Administrator
  • Directory Readers
  • Guest Inviter
  • Message Center Reader
  • Reports Reader

Privileged Role Administrator

Users with this role can manage role assignments in Azure Active Directory, as well as within Azure AD Privileged Identity Management. They can create and manage groups that can be assigned to Azure AD roles. In addition, this role allows management of all aspects of Privileged Identity Management and administrative units.

Important

This role grants the ability to manage assignments for all Azure AD roles, including the Global Administrator role. This role does not include any other privileged abilities in Azure AD, such as creating or updating users. However, users assigned to this role can grant themselves or others additional privileges by assigning additional roles.

Reports Reader

Users with this role can view usage reporting data and the reports dashboard in the Microsoft 365 admin center, and the adoption context pack in Power BI. Additionally, the role provides access to sign-in reports and activity in Azure AD and to data returned by the Microsoft Graph reporting API. A user assigned to the Reports Reader role can access only relevant usage and adoption metrics. They don't have any admin permissions to configure settings or to access the product-specific admin centers such as Exchange. This role has no access to view, create, or manage support tickets.

Search Administrator

Users in this role have full access to all Microsoft Search management features in the Microsoft 365 admin center. Additionally, these users can view the message center, monitor service health, and create service requests.

Search Editor

Users in this role can create, manage, and delete content for Microsoft Search in the Microsoft 365 admin center, including bookmarks, Q&As, and locations.

Security Administrator

Users with this role have permissions to manage security-related features in the Microsoft 365 security center, Azure Active Directory Identity Protection, Azure Active Directory Authentication, Azure Information Protection, and the Office 365 Security & Compliance Center. More information about Office 365 permissions is available at Permissions in the Security & Compliance Center.

In / Can do
Microsoft 365 security center
  • Monitor security-related policies across Microsoft 365 services
  • Manage security threats and alerts
  • View reports
Identity Protection Center
  • All permissions of the Security Reader role
  • Additionally, the ability to perform all Identity Protection Center operations except for resetting passwords
Privileged Identity Management
  • All permissions of the Security Reader role
  • Cannot manage Azure AD role assignments or settings
Office 365 Security & Compliance Center
  • Manage security policies
  • View, investigate, and respond to security threats
  • View reports
Azure Advanced Threat Protection
  • Monitor and respond to suspicious security activity
Windows Defender ATP and EDR
  • Assign roles
  • Manage machine groups
  • Configure endpoint threat detection and automated remediation
  • View, investigate, and respond to alerts
Intune
  • View user, device, enrollment, configuration, and application information
  • Cannot make changes to Intune
Cloud App Security
  • Add admins, add policies and settings, upload logs, and perform governance actions
Azure Security Center
  • Can view security policies, view security states, edit security policies, view alerts and recommendations, and dismiss alerts and recommendations
Microsoft 365 service health
  • View the health of Microsoft 365 services

Security Operator

Users with this role can manage alerts and have global read-only access to security-related features, including all information in the Microsoft 365 security center, Azure Active Directory, Identity Protection, Privileged Identity Management, and the Office 365 Security & Compliance Center. More information about Office 365 permissions is available at Permissions in the Security & Compliance Center.

In / Can do
Microsoft 365 security center
  • All permissions of the Security Reader role
  • View, investigate, and respond to security threat alerts
Identity Protection Center
  • All permissions of the Security Reader role
  • Additionally, the ability to perform all Identity Protection Center operations except for resetting passwords
Privileged Identity Management
  • All permissions of the Security Reader role
Office 365 Security & Compliance Center
  • All permissions of the Security Reader role
  • View, investigate, and respond to security alerts
Windows Defender ATP and EDR
  • All permissions of the Security Reader role
  • View, investigate, and respond to security alerts
Intune
  • All permissions of the Security Reader role
Cloud App Security
  • All permissions of the Security Reader role
Microsoft 365 service health
  • View the health of Microsoft 365 services

Security Reader

Users with this role have global read-only access to security-related features, including all information in the Microsoft 365 security center, Azure Active Directory, Identity Protection, and Privileged Identity Management, as well as the ability to read Azure Active Directory sign-in reports and audit logs, and read-only access in the Office 365 Security & Compliance Center. More information about Office 365 permissions is available at Permissions in the Security & Compliance Center.

In / Can do
Microsoft 365 security center
  • View security-related policies across Microsoft 365 services
  • View security threats and alerts
  • View reports
Identity Protection Center
  • Read all security reports and settings information for security features:
      • Anti-spam
      • Encryption
      • Data loss prevention
      • Anti-malware
      • Advanced threat protection
      • Anti-phishing
      • Mail flow rules
Privileged Identity Management
  • Has read-only access to all information surfaced in Azure AD Privileged Identity Management: policies and reports for Azure AD role assignments and security reviews.
  • Cannot sign up for Azure AD Privileged Identity Management or make any changes to it. In the Privileged Identity Management portal or via PowerShell, someone in this role can activate additional roles (for example, Global Administrator or Privileged Role Administrator) if the user is eligible for them.
Office 365 Security & Compliance Center
  • View security policies
  • View and investigate security threats
  • View reports
Windows Defender ATP and EDR
  • View and investigate alerts. When you turn on role-based access control in Windows Defender ATP, users with read-only permissions, such as the Azure AD Security Reader role, lose access until they are assigned to a Windows Defender ATP role.
Intune
  • View user, device, enrollment, configuration, and application information. Cannot make changes to Intune.
Cloud App Security
  • Has read-only permissions and can manage alerts
Azure Security Center
  • Can view recommendations and alerts, view security policies, and view security states, but cannot make changes
Microsoft 365 service health
  • View the health of Microsoft 365 services

Service Support Administrator

Users with this role can open support requests with Microsoft for Azure and Microsoft 365 services, and can view the service dashboard and message center in the Azure portal and the Microsoft 365 admin center. More information at About admin roles.

Note

Previously, this role was called "Service Administrator" in the Azure portal and the Microsoft 365 admin center. We have renamed it to "Service Support Administrator" to align with the existing name in the Microsoft Graph API, Azure AD Graph API, and Azure AD PowerShell.

SharePoint Administrator

Users with this role have global permissions within Microsoft SharePoint Online, when the service is present, as well as the ability to create and manage all Microsoft 365 groups, manage support tickets, and monitor service health. More information at About admin roles.

Note

In the Microsoft Graph API and Azure AD PowerShell, this role is identified as "SharePoint Service Administrator". It is "SharePoint Administrator" in the Azure portal.

Note

This role also grants scoped permissions to the Microsoft Graph API for Microsoft Intune, allowing the management and configuration of policies related to SharePoint and OneDrive resources.

Skype for Business / Lync Administrator

Users with this role have global permissions within Microsoft Skype for Business, when the service is present, as well as the ability to manage Skype-specific user attributes in Azure Active Directory. Additionally, this role grants the ability to manage support tickets and monitor service health, and to access the Teams and Skype for Business Admin Center. The account must also be licensed for Teams, or it can't run Teams PowerShell cmdlets. More information at About the Skype for Business admin role, and Teams licensing information at Skype for Business and Microsoft Teams add-on licensing.

Note

In the Microsoft Graph API and Azure AD PowerShell, this role is identified as "Lync Service Administrator". It is "Skype for Business Administrator" in the Azure portal.

Teams Communications Administrator

Users in this role can manage aspects of the Microsoft Teams workload related to voice and telephony. This includes the management tools for telephone number assignment, voice and meeting policies, and full access to the call analytics toolset.

Teams Communications Support Engineer

Users in this role can troubleshoot communication issues within Microsoft Teams and Skype for Business using the user call troubleshooting tools in the Microsoft Teams and Skype for Business admin center. Users in this role can view full call record information for all participants involved. This role has no access to view, create, or manage support tickets.

Teams Communications Support Specialist

Users in this role can troubleshoot communication issues within Microsoft Teams and Skype for Business using the user call troubleshooting tools in the Microsoft Teams and Skype for Business admin center. Users in this role can view user details in a call only for the specific user they have looked up. This role has no access to view, create, or manage support tickets.

Teams Devices Administrator

Users with this role can manage Teams-certified devices from the Teams Admin Center. This role allows viewing all devices at a glance, with the ability to search and filter devices. The user can check the details of each device, including the logged-in account and the make and model of the device. The user can change the settings on the device and update the software versions. This role does not grant permissions to check Teams activity and call quality of the device.

Teams Service Administrator

Users in this role can manage all aspects of the Microsoft Teams workload via the Microsoft Teams and Skype for Business admin center and the respective PowerShell modules. This includes, among other areas, all management tools related to telephony, messaging, meetings, and the teams themselves. This role additionally grants the ability to create and manage all Microsoft 365 groups, manage support tickets, and monitor service health.

User Administrator

Users with this role can create users and manage all aspects of users, with some restrictions (see the table), and can update password expiration policies. Additionally, users with this role can create and manage all groups. This role also includes the ability to create and manage user views, manage support tickets, and monitor service health. User Administrators don't have permission to manage some user properties for users in most administrator roles. Users with this role do not have permissions to manage MFA. The roles that are exceptions to this restriction are listed in the following table.

Permission / Can do
General permissions
  • Create users and groups
  • Create and manage user views
  • Manage Office support tickets
  • Update password expiration policies
On all users, including all admins
  • Manage licenses
  • Manage all user properties except User Principal Name
Only on users who are non-admins or in any of the following limited admin roles: Directory Readers, Groups Administrator, Guest Inviter, Helpdesk Administrator, Message Center Reader, Password Administrator, Reports Reader, User Administrator
  • Delete and restore
  • Disable and enable
  • Invalidate refresh tokens
  • Manage all user properties including User Principal Name
  • Reset password
  • Update (FIDO) device keys

Important

Users with this role can change passwords for people who may have access to sensitive or private information or critical configuration inside and outside of Azure Active Directory. Changing the password of a user may mean the ability to assume that user's identity and permissions. For example:

  • Application Registration and Enterprise Application owners, who can manage the credentials of apps they own. Those apps may have privileged permissions in Azure AD and elsewhere that are not granted to User Administrators. Through this path, a User Administrator may be able to assume the identity of an application owner and then further assume the identity of a privileged application by updating the credentials for the application.
  • Azure subscription owners, who may have access to sensitive or private information or critical configuration in Azure.
  • Security Group and Microsoft 365 group owners, who can manage group membership. Those groups may grant access to sensitive or private information or critical configuration in Azure AD and elsewhere.
  • Administrators in other services outside of Azure AD, such as Exchange Online, the Office Security and Compliance Center, and human resources systems.
  • Non-administrators such as executives, legal counsel, and human resources employees, who may have access to sensitive or private information.
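The credential-reset scopes stated for Password Administrator, Authentication Administrator, Privileged Authentication Administrator and User Administrator can be encoded and checked against a tenant's role assignments, which is how an auditor finds the standing assignments the Important notes warn about. This is an added example, not Microsoft's code: the user names and assignments are constructed, Global Administrator is added as an all-users resetter (a known fact, not stated in these sections), and roles whose scope is not stated in these sections are treated as unable to reset anyone.

```python
"""Audit who can reset whose credentials, using the scope lists on this page.

Added example, not Microsoft's code. The scope data is taken from the
Password Administrator, Authentication Administrator, Privileged Authentication
Administrator and User Administrator descriptions; the sample tenant below is
constructed for illustration.
"""
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

# Password Administrator: non-admins plus members of these roles.
PASSWORD_ADMIN_SCOPE = frozenset({
    "Directory Readers", "Guest Inviter", "Password Administrator",
})
# Authentication Administrator: may force re-registration and MFA for
# non-admins plus members of these roles.
AUTH_ADMIN_SCOPE = frozenset({
    "Authentication Administrator", "Directory Readers", "Guest Inviter",
    "Message Center Reader", "Reports Reader",
})
# User Administrator: reset password, update FIDO keys, etc. on non-admins
# plus members of these limited admin roles.
USER_ADMIN_SCOPE = frozenset({
    "Directory Readers", "Groups Administrator", "Guest Inviter",
    "Helpdesk Administrator", "Message Center Reader",
    "Password Administrator", "Reports Reader", "User Administrator",
})

# Actor role -> target roles it may act on; None means every user, which is
# what the page states for Privileged Authentication Administrator (Global
# Administrator is added here as a known fact). Roles absent from this map,
# e.g. Helpdesk Administrator, whose scope is described elsewhere on the
# page, are treated as unable to touch any credential.
CREDENTIAL_SCOPE: Dict[str, Optional[FrozenSet[str]]] = {
    "Password Administrator": PASSWORD_ADMIN_SCOPE,
    "Authentication Administrator": AUTH_ADMIN_SCOPE,
    "User Administrator": USER_ADMIN_SCOPE,
    "Privileged Authentication Administrator": None,
    "Global Administrator": None,
}


def can_manage_credentials(actor_roles: Iterable[str],
                           target_roles: Iterable[str]) -> bool:
    """True if some role of the actor covers every role the target holds.

    A target with no roles is a non-admin and is in scope of every resetting
    role. A target holding several roles is in scope only if all of them are
    listed, because the page lists which role members may be reset.
    """
    targets = frozenset(target_roles)
    for role in actor_roles:
        if role not in CREDENTIAL_SCOPE:
            continue
        scope = CREDENTIAL_SCOPE[role]
        if scope is None or targets <= scope:
            return True
    return False


def find_reachable(assignments: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """All (actor, target) pairs where the actor can reset the target's credentials."""
    pairs = []
    for actor, actor_roles in assignments.items():
        for target, target_roles in assignments.items():
            if actor != target and can_manage_credentials(actor_roles, target_roles):
                pairs.append((actor, target))
    return sorted(pairs)


def review_candidates(assignments: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Reachable pairs where the target holds a role the actor does not.

    Resetting such a target's password could let the actor act with a role it
    was never assigned directly, so these assignments deserve review.
    """
    return [
        (actor, target)
        for actor, target in find_reachable(assignments)
        if set(assignments[target]) - set(assignments[actor])
    ]


# Constructed sample tenant (not real accounts).
SAMPLE_ASSIGNMENTS: Dict[str, List[str]] = {
    "alice": ["Global Administrator"],
    "bob": ["Privileged Authentication Administrator"],
    "carol": ["Password Administrator"],
    "dave": ["Helpdesk Administrator"],
    "erin": ["User Administrator"],
    "frank": [],  # ordinary user with no directory role
}

if __name__ == "__main__":
    for actor, target in review_candidates(SAMPLE_ASSIGNMENTS):
        print(f"{actor} ({', '.join(SAMPLE_ASSIGNMENTS[actor]) or 'no role'}) "
              f"can reset {target} ({', '.join(SAMPLE_ASSIGNMENTS[target])})")
```

In the sample, the User Administrator (erin) can reset the Password Administrator and the Helpdesk Administrator but not the Global Administrator, while the Privileged Authentication Administrator (bob) reaches everyone, including the Global Administrator.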

Role Permissions

The following tables describe the specific permissions in Azure Active Directory given to each role. Some roles may have additional permissions in Microsoft services outside of Azure Active Directory.

Application Administrator permissions

Can create and manage all aspects of app registrations and enterprise apps.

Actions / Description
microsoft.directory/Application/appProxyAuthentication/update: Update App Proxy authentication properties on service principals in Azure Active Directory.
microsoft.directory/Application/appProxyUrlSettings/update: Update application proxy internal and external URLs in Azure Active Directory.
microsoft.directory/applications/applicationProxy/read: Read all App Proxy properties.
microsoft.directory/applications/applicationProxy/update: Update all App Proxy properties.
microsoft.directory/applications/audience/update: Update the applications.audience property in Azure Active Directory.
microsoft.directory/applications/authentication/update: Update the applications.authentication property in Azure Active Directory.
microsoft.directory/applications/basic/update: Update basic properties on applications in Azure Active Directory.
microsoft.directory/applications/create: Create applications in Azure Active Directory.
microsoft.directory/applications/credentials/update: Update the applications.credentials property in Azure Active Directory.
microsoft.directory/applications/delete: Delete applications in Azure Active Directory.
microsoft.directory/applications/owners/update: Update the applications.owners property in Azure Active Directory.
microsoft.directory/applications/permissions/update: Update the applications.permissions property in Azure Active Directory.
microsoft.directory/applications/policies/update: Update the applications.policies property in Azure Active Directory.
microsoft.directory/appRoleAssignments/create: Create appRoleAssignments in Azure Active Directory.
microsoft.directory/appRoleAssignments/read: Read appRoleAssignments in Azure Active Directory.
microsoft.directory/appRoleAssignments/update: Update appRoleAssignments in Azure Active Directory.
microsoft.directory/appRoleAssignments/delete: Delete appRoleAssignments in Azure Active Directory.
microsoft.directory/auditLogs/allProperties/read: Read all properties (including privileged properties) on auditLogs in Azure Active Directory.
microsoft.directory/connectorGroups/allProperties/read: Read application proxy connector group properties in Azure Active Directory.
microsoft.directory/connectorGroups/allProperties/update: Update all application proxy connector group properties in Azure Active Directory.
microsoft.directory/connectorGroups/create: Create application proxy connector groups in Azure Active Directory.
microsoft.directory/connectorGroups/delete: Delete application proxy connector groups in Azure Active Directory.
microsoft.directory/connectors/allProperties/read: Read all application proxy connector properties in Azure Active Directory.
microsoft.directory/connectors/create: Create application proxy connectors in Azure Active Directory.
microsoft.directory/policies/applicationConfiguration/basic/read: Read the policies.applicationConfiguration property in Azure Active Directory.
microsoft.directory/policies/applicationConfiguration/basic/update: Update the policies.applicationConfiguration property in Azure Active Directory.
microsoft.directory/policies/applicationConfiguration/create: Create policies in Azure Active Directory.
microsoft.directory/policies/applicationConfiguration/delete: Delete policies in Azure Active Directory.
microsoft.directory/policies/applicationConfiguration/owners/readmicrosoft.directory/policies/applicationConfiguration/owners/read 读取 Azure Active Directory 中的 policies.applicationConfiguration 属性。Read policies.applicationConfiguration property in Azure Active Directory.
microsoft.directory/policies/applicationConfiguration/owners/updatemicrosoft.directory/policies/applicationConfiguration/owners/update 更新 Azure Active Directory 中的 policies.applicationConfiguration 属性。Update policies.applicationConfiguration property in Azure Active Directory.
microsoft.directory/policies/applicationConfiguration/policyAppliedTo/readmicrosoft.directory/policies/applicationConfiguration/policyAppliedTo/read 读取 Azure Active Directory 中的 policies.applicationConfiguration 属性。Read policies.applicationConfiguration property in Azure Active Directory.
microsoft.directory/servicePrincipals/appRoleAssignedTo/updatemicrosoft.directory/servicePrincipals/appRoleAssignedTo/update 更新 Azure Active Directory 中的 servicePrincipals.appRoleAssignedTo 属性。Update servicePrincipals.appRoleAssignedTo property in Azure Active Directory.
microsoft.directory/servicePrincipals/appRoleAssignments/updatemicrosoft.directory/servicePrincipals/appRoleAssignments/update 更新 Azure Active Directory 中的 servicePrincipals.appRoleAssignments 属性。Update servicePrincipals.appRoleAssignments property in Azure Active Directory.
microsoft.directory/servicePrincipals/audience/updatemicrosoft.directory/servicePrincipals/audience/update 更新 Azure Active Directory 中的 servicePrincipals.audience 属性。Update servicePrincipals.audience property in Azure Active Directory.
microsoft.directory/servicePrincipals/authentication/updatemicrosoft.directory/servicePrincipals/authentication/update 更新 Azure Active Directory 中的 servicePrincipals.authentication 属性。Update servicePrincipals.authentication property in Azure Active Directory.
microsoft.directory/servicePrincipals/basic/updatemicrosoft.directory/servicePrincipals/basic/update 更新 Azure Active Directory 中 servicePrincipals 的基本属性。Update basic properties on servicePrincipals in Azure Active Directory.
microsoft.directory/servicePrincipals/createmicrosoft.directory/servicePrincipals/create 在 Azure Active Directory 中创建 servicePrincipals。Create servicePrincipals in Azure Active Directory.
microsoft.directory/servicePrincipals/credentials/updatemicrosoft.directory/servicePrincipals/credentials/update 更新 Azure Active Directory 中的 servicePrincipals.credentials 属性。Update servicePrincipals.credentials property in Azure Active Directory.
microsoft.directory/servicePrincipals/deletemicrosoft.directory/servicePrincipals/delete 删除 Azure Active Directory 中的 servicePrincipals。Delete servicePrincipals in Azure Active Directory.
microsoft.directory/servicePrincipals/owners/updatemicrosoft.directory/servicePrincipals/owners/update 更新 Azure Active Directory 中的 servicePrincipals.owners 属性。Update servicePrincipals.owners property in Azure Active Directory.
microsoft.directory/servicePrincipals/permissions/updatemicrosoft.directory/servicePrincipals/permissions/update 更新 Azure Active Directory 中的 servicePrincipals.permissions 属性。Update servicePrincipals.permissions property in Azure Active Directory.
microsoft.directory/servicePrincipals/policies/updatemicrosoft.directory/servicePrincipals/policies/update 更新 Azure Active Directory 中的 servicePrincipals.policies 属性。Update servicePrincipals.policies property in Azure Active Directory.
microsoft.directory/signInReports/allProperties/readmicrosoft.directory/signInReports/allProperties/read 读取 Azure Active Directory 中 signInReports 上的所有属性(包括特权属性)。Read all properties (including privileged properties) on signInReports in Azure Active Directory.
microsoft.azure.serviceHealth/allEntities/allTasksmicrosoft.azure.serviceHealth/allEntities/allTasks 读取和配置 Azure 服务运行状况。Read and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasksmicrosoft.azure.supportTickets/allEntities/allTasks 创建和管理 Azure 支持票证。Create and manage Azure support tickets.
microsoft.office365.serviceHealth/allEntities/allTasksmicrosoft.office365.serviceHealth/allEntities/allTasks 读取和配置 Microsoft 365 服务运行状况。Read and configure Microsoft 365 Service Health.
microsoft.office365.supportTickets/allEntities/allTasksmicrosoft.office365.supportTickets/allEntities/allTasks 创建和管理 Office 365 支持票证。Create and manage Office 365 support tickets.

Application Developer permissions

Can create application registrations independent of the 'Users can register applications' setting.

Actions  Description
microsoft.directory/applications/createAsOwner  Create applications in Azure Active Directory. Creator is added as the first owner, and the created object counts against the creator's 250 created objects quota.
microsoft.directory/appRoleAssignments/createAsOwner  Create appRoleAssignments in Azure Active Directory. Creator is added as the first owner, and the created object counts against the creator's 250 created objects quota.
microsoft.directory/oAuth2PermissionGrants/createAsOwner  Create oAuth2PermissionGrants in Azure Active Directory. Creator is added as the first owner, and the created object counts against the creator's 250 created objects quota.
microsoft.directory/servicePrincipals/createAsOwner  Create servicePrincipals in Azure Active Directory. Creator is added as the first owner, and the created object counts against the creator's 250 created objects quota.

Authentication Administrator permissions

Allowed to view, set and reset authentication method information for any non-admin user.

Actions  Description
microsoft.directory/users/invalidateAllRefreshTokens  Invalidate all user refresh tokens in Azure Active Directory.
microsoft.directory/users/strongAuthentication/update  Update strong authentication properties like MFA credential information.
microsoft.azure.serviceHealth/allEntities/allTasks  Read and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasks  Create and manage Azure support tickets for directory-level services.
microsoft.office365.webPortal/allEntities/basic/read  Read basic properties on all resources in microsoft.office365.webPortal.
microsoft.office365.serviceHealth/allEntities/allTasks  Read and configure Microsoft 365 Service Health.
microsoft.office365.supportTickets/allEntities/allTasks  Create and manage Office 365 support tickets.
microsoft.directory/users/password/update  Update passwords for all users in the Microsoft 365 organization. For this role the scope is limited to non-admin users, as the role summary above states. See online documentation for more detail.

Azure DevOps Administrator permissions

Can manage Azure DevOps organization policy and settings.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

Actions  Description
microsoft.azure.devOps/allEntities/allTasks  Read and configure Azure DevOps.

Azure Information Protection Administrator permissions

Can manage all aspects of the Azure Information Protection service.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

Actions  Description
microsoft.azure.informationProtection/allEntities/allTasks  Manage all aspects of Azure Information Protection.
microsoft.azure.serviceHealth/allEntities/allTasks  Read and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasks  Create and manage Azure support tickets.
microsoft.office365.serviceHealth/allEntities/allTasks  Read and configure Microsoft 365 Service Health.
microsoft.office365.supportTickets/allEntities/allTasks  Create and manage Office 365 support tickets.

B2C IEF Keyset Administrator permissions

Manage secrets for federation and encryption in the Identity Experience Framework.

Actions  Description
microsoft.aad.b2c/trustFramework/keySets/allTasks  Read and configure key sets in Azure Active Directory B2C.

B2C IEF Policy Administrator permissions

Create and manage trust framework policies in the Identity Experience Framework.

Actions  Description
microsoft.aad.b2c/trustFramework/policies/allTasks  Read and configure custom policies in Azure Active Directory B2C.

Billing Administrator permissions

Can perform common billing related tasks like updating payment information.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

Actions  Description
microsoft.directory/organization/basic/update  Update basic properties on organization in Azure Active Directory.
microsoft.azure.serviceHealth/allEntities/allTasks  Read and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasks  Create and manage Azure support tickets for directory-level services.
microsoft.commerce.billing/allEntities/allTasks  Manage all aspects of billing.
microsoft.office365.webPortal/allEntities/basic/read  Read basic properties on all resources in microsoft.office365.webPortal.
microsoft.office365.serviceHealth/allEntities/allTasks  Read and configure Microsoft 365 Service Health.
microsoft.office365.supportTickets/allEntities/allTasks  Create and manage Office 365 support tickets.

Cloud Application Administrator permissions

Can create and manage all aspects of app registrations and enterprise apps except App Proxy.

Actions  Description
microsoft.directory/applications/audience/update  Update applications.audience property in Azure Active Directory.
microsoft.directory/applications/authentication/update  Update applications.authentication property in Azure Active Directory.
microsoft.directory/applications/basic/update  Update basic properties on applications in Azure Active Directory.
microsoft.directory/applications/create  Create applications in Azure Active Directory.
microsoft.directory/applications/credentials/update  Update applications.credentials property in Azure Active Directory.
microsoft.directory/applications/delete  Delete applications in Azure Active Directory.
microsoft.directory/applications/owners/update  Update applications.owners property in Azure Active Directory.
microsoft.directory/applications/permissions/update  Update applications.permissions property in Azure Active Directory.
microsoft.directory/applications/policies/update  Update applications.policies property in Azure Active Directory.
microsoft.directory/appRoleAssignments/create  Create appRoleAssignments in Azure Active Directory.
microsoft.directory/appRoleAssignments/update  Update appRoleAssignments in Azure Active Directory.
microsoft.directory/appRoleAssignments/delete  Delete appRoleAssignments in Azure Active Directory.
microsoft.directory/auditLogs/allProperties/read  Read all properties (including privileged properties) on auditLogs in Azure Active Directory.
microsoft.directory/policies/applicationConfiguration/create  Create applicationConfiguration policies in Azure Active Directory.
microsoft.directory/policies/applicationConfiguration/basic/read  Read basic properties of applicationConfiguration policies in Azure Active Directory.
microsoft.directory/policies/applicationConfiguration/basic/update  Update basic properties of applicationConfiguration policies in Azure Active Directory.
microsoft.directory/policies/applicationConfiguration/delete  Delete applicationConfiguration policies in Azure Active Directory.
microsoft.directory/policies/applicationConfiguration/owners/read  Read the owners property of applicationConfiguration policies in Azure Active Directory.
microsoft.directory/policies/applicationConfiguration/owners/update  Update the owners property of applicationConfiguration policies in Azure Active Directory.
microsoft.directory/policies/applicationConfiguration/policyAppliedTo/read  Read the policyAppliedTo property of applicationConfiguration policies in Azure Active Directory.
microsoft.directory/servicePrincipals/appRoleAssignedTo/update  Update servicePrincipals.appRoleAssignedTo property in Azure Active Directory.
microsoft.directory/servicePrincipals/appRoleAssignments/update  Update servicePrincipals.appRoleAssignments property in Azure Active Directory.
microsoft.directory/servicePrincipals/audience/update  Update servicePrincipals.audience property in Azure Active Directory.
microsoft.directory/servicePrincipals/authentication/update  Update servicePrincipals.authentication property in Azure Active Directory.
microsoft.directory/servicePrincipals/basic/update  Update basic properties on servicePrincipals in Azure Active Directory.
microsoft.directory/servicePrincipals/create  Create servicePrincipals in Azure Active Directory.
microsoft.directory/servicePrincipals/credentials/update  Update servicePrincipals.credentials property in Azure Active Directory.
microsoft.directory/servicePrincipals/delete  Delete servicePrincipals in Azure Active Directory.
microsoft.directory/servicePrincipals/owners/update  Update servicePrincipals.owners property in Azure Active Directory.
microsoft.directory/servicePrincipals/permissions/update  Update servicePrincipals.permissions property in Azure Active Directory.
microsoft.directory/servicePrincipals/policies/update  Update servicePrincipals.policies property in Azure Active Directory.
microsoft.directory/signInReports/allProperties/read  Read all properties (including privileged properties) on signInReports in Azure Active Directory.
microsoft.azure.serviceHealth/allEntities/allTasks  Read and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasks  Create and manage Azure support tickets.
microsoft.office365.serviceHealth/allEntities/allTasks  Read and configure Microsoft 365 Service Health.
microsoft.office365.supportTickets/allEntities/allTasks  Create and manage Office 365 support tickets.
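
Every row in the role tables on this page uses the same action-string convention: a namespace, a resource path, and a verb, with allEntities, allProperties and allTasks standing in for "everything below this point". The following is an added example, not code from the Azure AD documentation or from Microsoft: a small checker that answers "does this role's action list cover this concrete action?", so you can see at a glance which of the listed roles can, for example, add a credential to any service principal. The wildcard semantics are an assumption inferred from the page's own wording ("Create and delete servicePrincipals, and read and update all properties"), and the ROLE_ACTIONS lists are transcribed (some in part) from the tables on this page.

```python
from __future__ import annotations

# Segments that stand for "everything below this point" in a resource path, and
# the verb that stands for every verb. Assumption inferred from the page's own
# descriptions such as "Create and delete servicePrincipals, and read and update
# all properties" for .../servicePrincipals/allProperties/allTasks.
WILDCARD_PATH = {"allEntities", "allProperties"}
WILDCARD_VERB = "allTasks"


def split_action(action: str) -> tuple[str, list[str], str]:
    """Split 'namespace/segment/.../verb' into (namespace, path segments, verb)."""
    parts = action.split("/")
    if len(parts) < 3 or any(part == "" for part in parts):
        raise ValueError(f"malformed action string: {action!r}")
    return parts[0], parts[1:-1], parts[-1]


def grants(granted: str, requested: str) -> bool:
    """True if the granted action string covers the requested action."""
    g_ns, g_path, g_verb = split_action(granted)
    r_ns, r_path, r_verb = split_action(requested)
    if g_ns != r_ns:
        return False
    if g_verb != WILDCARD_VERB and g_verb != r_verb:
        return False
    # Walk the resource path segment by segment; a wildcard in the grant
    # covers whatever remains of the requested path (including nothing).
    for i, segment in enumerate(g_path):
        if segment in WILDCARD_PATH:
            return True
        if i >= len(r_path) or segment != r_path[i]:
            return False
    return len(g_path) == len(r_path)


def roles_granting(role_actions: dict[str, list[str]], requested: str) -> list[str]:
    """Names of the roles whose action list covers the requested action, in input order."""
    return [role for role, actions in role_actions.items()
            if any(grants(action, requested) for action in actions)]


# Action lists transcribed from the tables on this page. Application Developer and
# Cloud Device Administrator are complete; the other three are shortened to the
# entries that matter for credential, password and role control.
ROLE_ACTIONS: dict[str, list[str]] = {
    "Application Developer": [
        "microsoft.directory/applications/createAsOwner",
        "microsoft.directory/appRoleAssignments/createAsOwner",
        "microsoft.directory/oAuth2PermissionGrants/createAsOwner",
        "microsoft.directory/servicePrincipals/createAsOwner",
    ],
    "Authentication Administrator": [
        "microsoft.directory/users/invalidateAllRefreshTokens",
        "microsoft.directory/users/strongAuthentication/update",
        "microsoft.directory/users/password/update",
    ],
    "Cloud Application Administrator": [
        "microsoft.directory/applications/credentials/update",
        "microsoft.directory/applications/owners/update",
        "microsoft.directory/appRoleAssignments/create",
        "microsoft.directory/servicePrincipals/credentials/update",
        "microsoft.directory/servicePrincipals/owners/update",
        "microsoft.directory/servicePrincipals/appRoleAssignedTo/update",
    ],
    "Cloud Device Administrator": [
        "microsoft.directory/auditLogs/allProperties/read",
        "microsoft.directory/devices/bitLockerRecoveryKeys/read",
        "microsoft.directory/devices/delete",
        "microsoft.directory/devices/disable",
        "microsoft.directory/devices/enable",
        "microsoft.directory/signInReports/allProperties/read",
        "microsoft.azure.serviceHealth/allEntities/allTasks",
        "microsoft.office365.serviceHealth/allEntities/allTasks",
    ],
    "Company Administrator": [
        "microsoft.directory/applications/allProperties/allTasks",
        "microsoft.directory/devices/allProperties/allTasks",
        "microsoft.directory/roleAssignments/allProperties/allTasks",
        "microsoft.directory/servicePrincipals/allProperties/allTasks",
        "microsoft.directory/users/allProperties/allTasks",
        "microsoft.azure.serviceHealth/allEntities/allTasks",
    ],
}


if __name__ == "__main__":
    checks = [
        # Whoever holds this can add a secret to any app identity and sign in as it.
        "microsoft.directory/servicePrincipals/credentials/update",
        "microsoft.directory/users/password/update",
        "microsoft.directory/devices/bitLockerRecoveryKeys/read",
    ]
    for requested in checks:
        print(f"{requested}: {', '.join(roles_granting(ROLE_ACTIONS, requested))}")
```

The point of the wildcard handling is that a role's table rarely lists the concrete action you care about: Company Administrator never names servicePrincipals/credentials/update, yet servicePrincipals/allProperties/allTasks covers it, which is why a grant check has to walk the path rather than compare strings. Feed the checker the full tables from this page (or a role definition exported from your tenant) to find every role that can take over application identities, not just the obvious ones.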

Cloud Device Administrator permissions

Full access to manage devices in Azure AD.

Actions  Description
microsoft.directory/auditLogs/allProperties/read  Read all properties (including privileged properties) on auditLogs in Azure Active Directory.
microsoft.directory/devices/bitLockerRecoveryKeys/read  Read devices.bitLockerRecoveryKeys property in Azure Active Directory.
microsoft.directory/devices/delete  Delete devices in Azure Active Directory.
microsoft.directory/devices/disable  Disable devices in Azure Active Directory.
microsoft.directory/devices/enable  Enable devices in Azure Active Directory.
microsoft.directory/signInReports/allProperties/read  Read all properties (including privileged properties) on signInReports in Azure Active Directory.
microsoft.azure.serviceHealth/allEntities/allTasks  Read and configure Azure Service Health.
microsoft.office365.serviceHealth/allEntities/allTasks  Read and configure Microsoft 365 Service Health.

Company Administrator permissions

Can manage all aspects of Azure AD and Microsoft services that use Azure AD identities. This role is also known as the Global Administrator role.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

Actions  Description
microsoft.aad.cloudAppSecurity/allEntities/allTasks  Create and delete all resources, and read and update standard properties in microsoft.aad.cloudAppSecurity.
microsoft.directory/administrativeUnits/allProperties/allTasks  Create and delete administrativeUnits, and read and update all properties in Azure Active Directory.
microsoft.directory/applications/allProperties/allTasks  Create and delete applications, and read and update all properties in Azure Active Directory.
microsoft.directory/appRoleAssignments/allProperties/allTasks  Create and delete appRoleAssignments, and read and update all properties in Azure Active Directory.
microsoft.directory/auditLogs/allProperties/read  Read all properties (including privileged properties) on auditLogs in Azure Active Directory.
microsoft.directory/contacts/allProperties/allTasks  Create and delete contacts, and read and update all properties in Azure Active Directory.
microsoft.directory/contracts/allProperties/allTasks  Create and delete contracts, and read and update all properties in Azure Active Directory.
microsoft.directory/devices/allProperties/allTasks  Create and delete devices, and read and update all properties in Azure Active Directory.
microsoft.directory/directoryRoles/allProperties/allTasks  Create and delete directoryRoles, and read and update all properties in Azure Active Directory.
microsoft.directory/directoryRoleTemplates/allProperties/allTasks  Create and delete directoryRoleTemplates, and read and update all properties in Azure Active Directory.
microsoft.directory/domains/allProperties/allTasks  Create and delete domains, and read and update all properties in Azure Active Directory.
microsoft.directory/groups/allProperties/allTasks  Create and delete groups, and read and update all properties in Azure Active Directory.
microsoft.directory/groupsAssignableToRoles/allProperties/update  Update groups with isAssignableToRole property set to true in Azure Active Directory.
microsoft.directory/groupsAssignableToRoles/create  Create groups with isAssignableToRole property set to true in Azure Active Directory.
microsoft.directory/groupsAssignableToRoles/delete  Delete groups with isAssignableToRole property set to true in Azure Active Directory.
microsoft.directory/groupSettings/allProperties/allTasks  Create and delete groupSettings, and read and update all properties in Azure Active Directory.
microsoft.directory/groupSettingTemplates/allProperties/allTasks  Create and delete groupSettingTemplates, and read and update all properties in Azure Active Directory.
microsoft.directory/loginTenantBranding/allProperties/allTasks  Create and delete loginTenantBranding, and read and update all properties in Azure Active Directory.
microsoft.directory/oAuth2PermissionGrants/allProperties/allTasks  Create and delete oAuth2PermissionGrants, and read and update all properties in Azure Active Directory.
microsoft.directory/organization/allProperties/allTasks  Create and delete organization, and read and update all properties in Azure Active Directory.
microsoft.directory/policies/allProperties/allTasks  Create and delete policies, and read and update all properties in Azure Active Directory.
microsoft.directory/roleAssignments/allProperties/allTasks  Create and delete roleAssignments, and read and update all properties in Azure Active Directory.
microsoft.directory/roleDefinitions/allProperties/allTasks  Create and delete roleDefinitions, and read and update all properties in Azure Active Directory.
microsoft.directory/scopedRoleMemberships/allProperties/allTasks  Create and delete scopedRoleMemberships, and read and update all properties in Azure Active Directory.
microsoft.directory/serviceAction/activateService  Can perform the activateService service action in Azure Active Directory.
microsoft.directory/serviceAction/disableDirectoryFeature  Can perform the disableDirectoryFeature service action in Azure Active Directory.
microsoft.directory/serviceAction/enableDirectoryFeature  Can perform the enableDirectoryFeature service action in Azure Active Directory.
microsoft.directory/serviceAction/getAvailableExtentionProperties  Can perform the getAvailableExtentionProperties service action in Azure Active Directory.
microsoft.directory/servicePrincipals/allProperties/allTasks  Create and delete servicePrincipals, and read and update all properties in Azure Active Directory.
microsoft.directory/signInReports/allProperties/read  Read all properties (including privileged properties) on signInReports in Azure Active Directory.
microsoft.directory/subscribedSkus/allProperties/allTasks  Create and delete subscribedSkus, and read and update all properties in Azure Active Directory.
microsoft.directory/users/allProperties/allTasks  Create and delete users, and read and update all properties in Azure Active Directory.
microsoft.directorySync/allEntities/allTasks  Perform all actions in Azure AD Connect.
microsoft.aad.identityProtection/allEntities/allTasks  Create and delete all resources, and read and update standard properties in microsoft.aad.identityProtection.
microsoft.aad.privilegedIdentityManagement/allEntities/read  Read all resources in microsoft.aad.privilegedIdentityManagement.
microsoft.azure.advancedThreatProtection/allEntities/read  Read all resources in microsoft.azure.advancedThreatProtection.
microsoft.azure.informationProtection/allEntities/allTasks  Manage all aspects of Azure Information Protection.
microsoft.azure.serviceHealth/allEntities/allTasks  Read and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasksmicrosoft.azure.supportTickets/allEntities/allTasks 为目录级服务创建和管理 Azure 支持票证。Create and manage Azure support tickets for directory-level services.
microsoft.commerce.billing/allEntities/allTasksmicrosoft.commerce.billing/allEntities/allTasks 管理计费的所有方面。Manage all aspects of billing.
microsoft.intune/allEntities/allTasksmicrosoft.intune/allEntities/allTasks 管理 Intune 的各个方面。Manage all aspects of Intune.
microsoft.office365.complianceManager/allEntities/allTasksmicrosoft.office365.complianceManager/allEntities/allTasks 管理 Office 365 合规性管理器的各个方面Manage all aspects of Office 365 Compliance Manager
microsoft.office365.desktopAnalytics/allEntities/allTasksmicrosoft.office365.desktopAnalytics/allEntities/allTasks 管理桌面分析的各个方面。Manage all aspects of Desktop Analytics.
microsoft.office365.exchange/allEntities/allTasksmicrosoft.office365.exchange/allEntities/allTasks 管理 Exchange Online 的各个方面。Manage all aspects of Exchange Online.
microsoft.office365.lockbox/allEntities/allTasksmicrosoft.office365.lockbox/allEntities/allTasks 管理 Office 365 客户密码箱的各个方面Manage all aspects of Office 365 Customer Lockbox
microsoft.office365.messageCenter/messages/readmicrosoft.office365.messageCenter/messages/read 读取 microsoft.office365.messageCenter 中的消息。Read messages in microsoft.office365.messageCenter.
microsoft.office365.messageCenter/securityMessages/readmicrosoft.office365.messageCenter/securityMessages/read 读取 microsoft.office365.messageCenter 中的安全消息。Read securityMessages in microsoft.office365.messageCenter.
microsoft.office365.protectionCenter/allEntities/allTasksmicrosoft.office365.protectionCenter/allEntities/allTasks 管理 Office 365 防护中心的各个方面。Manage all aspects of Office 365 Protection Center.
microsoft.office365.securityComplianceCenter/allEntities/allTasksmicrosoft.office365.securityComplianceCenter/allEntities/allTasks 创建和删除所有资源,然后读取和更新 microsoft.office365.securityComplianceCenter 中的标准属性。Create and delete all resources, and read and update standard properties in microsoft.office365.securityComplianceCenter.
microsoft.office365.serviceHealth/allEntities/allTasksmicrosoft.office365.serviceHealth/allEntities/allTasks 读取和配置 Microsoft 365 服务运行状况。Read and configure Microsoft 365 Service Health.
microsoft.office365.sharepoint/allEntities/allTasksmicrosoft.office365.sharepoint/allEntities/allTasks 创建和删除所有资源,然后读取和更新 microsoft.office365.sharepoint 中的标准属性。Create and delete all resources, and read and update standard properties in microsoft.office365.sharepoint.
microsoft.office365.skypeForBusiness/allEntities/allTasksmicrosoft.office365.skypeForBusiness/allEntities/allTasks 管理 Skype for Business Online 的各个方面。Manage all aspects of Skype for Business Online.
microsoft.office365.supportTickets/allEntities/allTasksmicrosoft.office365.supportTickets/allEntities/allTasks 创建和管理 Office 365 支持票证。Create and manage Office 365 support tickets.
microsoft.office365.usageReports/allEntities/readmicrosoft.office365.usageReports/allEntities/read 阅读 Office 365 使用情况报告。Read Office 365 usage reports.
microsoft.office365.webPortal/allEntities/basic/readmicrosoft.office365.webPortal/allEntities/basic/read 读取 microsoft.office365.webPortal 中所有资源的基本属性。Read basic properties on all resources in microsoft.office365.webPortal.
microsoft.powerApps.dynamics365/allEntities/allTasksmicrosoft.powerApps.dynamics365/allEntities/allTasks 管理 Dynamics 365 的各个方面。Manage all aspects of Dynamics 365.
microsoft.powerApps.powerBI/allEntities/allTasksmicrosoft.powerApps.powerBI/allEntities/allTasks 管理 Power BI 的各个方面。Manage all aspects of Power BI.
microsoft.windows.defenderAdvancedThreatProtection/allEntities/readmicrosoft.windows.defenderAdvancedThreatProtection/allEntities/read 读取 microsoft.windows.defenderAdvancedThreatProtection 中的所有资源。Read all resources in microsoft.windows.defenderAdvancedThreatProtection.

Compliance Administrator permissions

Can read and manage compliance configuration and reports in Azure AD and Microsoft 365.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

Actions  Description
microsoft.azure.serviceHealth/allEntities/allTasks  Read and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasks  Create and manage Azure support tickets for directory-level services.
microsoft.office365.complianceManager/allEntities/allTasks  Manage all aspects of Office 365 Compliance Manager.
microsoft.office365.serviceHealth/allEntities/allTasks  Read and configure Microsoft 365 Service Health.
microsoft.office365.supportTickets/allEntities/allTasks  Create and manage Office 365 support tickets.
microsoft.office365.webPortal/allEntities/basic/read  Read basic properties on all resources in microsoft.office365.webPortal.

Compliance Data Administrator permissions

Creates and manages compliance content.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

Actions  Description
microsoft.directory.cloudAppSecurity/allEntities/allTasks  Read and configure Microsoft Cloud App Security.
microsoft.azure.informationProtection/allEntities/allTasks  Manage all aspects of Azure Information Protection.
microsoft.azure.serviceHealth/allEntities/allTasks  Read and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasks  Create and manage Azure support tickets for directory-level services.
microsoft.office365.complianceManager/allEntities/allTasks  Manage all aspects of Office 365 Compliance Manager.
microsoft.office365.serviceHealth/allEntities/allTasks  Read and configure Microsoft 365 Service Health.
microsoft.office365.supportTickets/allEntities/allTasks  Create and manage Office 365 support tickets.
microsoft.office365.webPortal/allEntities/basic/read  Read basic properties on all resources in microsoft.office365.webPortal.

Conditional Access Administrator permissions

Can manage Conditional Access capabilities.

Actions  Description
microsoft.directory/policies/conditionalAccess/basic/read  Read policies.conditionalAccess property in Azure Active Directory.
microsoft.directory/policies/conditionalAccess/basic/update  Update policies.conditionalAccess property in Azure Active Directory.
microsoft.directory/policies/conditionalAccess/create  Create policies in Azure Active Directory.
microsoft.directory/policies/conditionalAccess/delete  Delete policies in Azure Active Directory.
microsoft.directory/policies/conditionalAccess/owners/read  Read policies.conditionalAccess property in Azure Active Directory.
microsoft.directory/policies/conditionalAccess/owners/update  Update policies.conditionalAccess property in Azure Active Directory.
microsoft.directory/policies/conditionalAccess/policiesAppliedTo/read  Read policies.conditionalAccess property in Azure Active Directory.
microsoft.directory/policies/conditionalAccess/tenantDefault/update  Update policies.conditionalAccess property in Azure Active Directory.

CRM Service Administrator permissions

Can manage all aspects of the Dynamics 365 product.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

Actions  Description
microsoft.azure.serviceHealth/allEntities/allTasks  Read and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasks  Create and manage Azure support tickets for directory-level services.
microsoft.powerApps.dynamics365/allEntities/allTasks  Manage all aspects of Dynamics 365.
microsoft.office365.webPortal/allEntities/basic/read  Read basic properties on all resources in microsoft.office365.webPortal.
microsoft.office365.serviceHealth/allEntities/allTasks  Read and configure Microsoft 365 Service Health.
microsoft.office365.supportTickets/allEntities/allTasks  Create and manage Office 365 support tickets.

Customer Lockbox Access Approver permissions

Can approve Microsoft support requests to access customer organizational data.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

Actions  Description
microsoft.office365.webPortal/allEntities/basic/read  Read basic properties on all resources in microsoft.office365.webPortal.
microsoft.office365.lockbox/allEntities/allTasks  Manage all aspects of Office 365 Customer Lockbox.

Desktop Analytics Administrator permissions

Can manage the Desktop Analytics and Office Customization & Policy services. For Desktop Analytics, this includes the ability to view asset inventory, create deployment plans, and view deployment and health status. For the Office Customization & Policy service, this role enables users to manage Office policies.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

Actions  Description
microsoft.azure.serviceHealth/allEntities/allTasks  Read and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasks  Create and manage Azure support tickets for directory-level services.
microsoft.office365.webPortal/allEntities/basic/read  Read basic properties on all resources in microsoft.office365.webPortal.
microsoft.office365.desktopAnalytics/allEntities/allTasks  Manage all aspects of Desktop Analytics.
microsoft.office365.serviceHealth/allEntities/allTasks  Read and configure Microsoft 365 Service Health.
microsoft.office365.supportTickets/allEntities/allTasks  Create and manage Office 365 support tickets.

Directory Readers permissions

Can read basic directory information. Intended for granting access to applications, not for users.

Actions  Description
microsoft.directory/administrativeUnits/basic/read  Read basic properties on administrativeUnits in Azure Active Directory.
microsoft.directory/administrativeUnits/members/read  Read administrativeUnits.members property in Azure Active Directory.
microsoft.directory/applications/basic/read  Read basic properties on applications in Azure Active Directory.
microsoft.directory/applications/owners/read  Read applications.owners property in Azure Active Directory.
microsoft.directory/applications/policies/read  Read applications.policies property in Azure Active Directory.
microsoft.directory/contacts/basic/read  Read basic properties on contacts in Azure Active Directory.
microsoft.directory/contacts/memberOf/read  Read contacts.memberOf property in Azure Active Directory.
microsoft.directory/contracts/basic/read  Read basic properties on contracts in Azure Active Directory.
microsoft.directory/devices/basic/read  Read basic properties on devices in Azure Active Directory.
microsoft.directory/devices/memberOf/read  Read devices.memberOf property in Azure Active Directory.
microsoft.directory/devices/registeredOwners/read  Read devices.registeredOwners property in Azure Active Directory.
microsoft.directory/devices/registeredUsers/read  Read devices.registeredUsers property in Azure Active Directory.
microsoft.directory/directoryRoles/basic/read  Read basic properties on directoryRoles in Azure Active Directory.
microsoft.directory/directoryRoles/eligibleMembers/read  Read directoryRoles.eligibleMembers property in Azure Active Directory.
microsoft.directory/directoryRoles/members/read  Read directoryRoles.members property in Azure Active Directory.
microsoft.directory/domains/basic/read  Read basic properties on domains in Azure Active Directory.
microsoft.directory/groups/appRoleAssignments/read  Read groups.appRoleAssignments property in Azure Active Directory.
microsoft.directory/groups/basic/read  Read basic properties on groups in Azure Active Directory.
microsoft.directory/groups/memberOf/read  Read groups.memberOf property in Azure Active Directory.
microsoft.directory/groups/members/read  Read groups.members property in Azure Active Directory.
microsoft.directory/groups/owners/read  Read groups.owners property in Azure Active Directory.
microsoft.directory/groups/settings/read  Read groups.settings property in Azure Active Directory.
microsoft.directory/groupSettings/basic/read  Read basic properties on groupSettings in Azure Active Directory.
microsoft.directory/groupSettingTemplates/basic/read  Read basic properties on groupSettingTemplates in Azure Active Directory.
microsoft.directory/oAuth2PermissionGrants/basic/read  Read basic properties on oAuth2PermissionGrants in Azure Active Directory.
microsoft.directory/organization/basic/read  Read basic properties on organization in Azure Active Directory.
microsoft.directory/organization/trustedCAsForPasswordlessAuth/read  Read organization.trustedCAsForPasswordlessAuth property in Azure Active Directory.
microsoft.directory/roleAssignments/basic/read  Read basic properties on roleAssignments in Azure Active Directory.
microsoft.directory/roleDefinitions/basic/read  Read basic properties on roleDefinitions in Azure Active Directory.
microsoft.directory/servicePrincipals/appRoleAssignedTo/read  Read servicePrincipals.appRoleAssignedTo property in Azure Active Directory.
microsoft.directory/servicePrincipals/appRoleAssignments/read  Read servicePrincipals.appRoleAssignments property in Azure Active Directory.
microsoft.directory/servicePrincipals/basic/read  Read basic properties on servicePrincipals in Azure Active Directory.
microsoft.directory/servicePrincipals/memberOf/read  Read servicePrincipals.memberOf property in Azure Active Directory.
microsoft.directory/servicePrincipals/oAuth2PermissionGrants/basic/read  Read servicePrincipals.oAuth2PermissionGrants property in Azure Active Directory.
microsoft.directory/servicePrincipals/ownedObjects/read  Read servicePrincipals.ownedObjects property in Azure Active Directory.
microsoft.directory/servicePrincipals/owners/read  Read servicePrincipals.owners property in Azure Active Directory.
microsoft.directory/servicePrincipals/policies/read  Read servicePrincipals.policies property in Azure Active Directory.
microsoft.directory/subscribedSkus/basic/read  Read basic properties on subscribedSkus in Azure Active Directory.
microsoft.directory/users/appRoleAssignments/read  Read users.appRoleAssignments property in Azure Active Directory.
microsoft.directory/users/basic/read  Read basic properties on users in Azure Active Directory.
microsoft.directory/users/directReports/read  Read users.directReports property in Azure Active Directory.
microsoft.directory/users/manager/read  Read users.manager property in Azure Active Directory.
microsoft.directory/users/memberOf/read  Read users.memberOf property in Azure Active Directory.
microsoft.directory/users/oAuth2PermissionGrants/basic/read  Read users.oAuth2PermissionGrants property in Azure Active Directory.
microsoft.directory/users/ownedDevices/read  Read users.ownedDevices property in Azure Active Directory.
microsoft.directory/users/ownedObjects/read  Read users.ownedObjects property in Azure Active Directory.
microsoft.directory/users/registeredDevices/read  Read users.registeredDevices property in Azure Active Directory.

Exchange Service Administrator permissions

Can manage all aspects of the Exchange product.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

Actions  Description
microsoft.azure.serviceHealth/allEntities/allTasks  Read and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasks  Create and manage Azure support tickets for directory-level services.
microsoft.directory/groups/unified/appRoleAssignments/update  Update groups.unified property in Azure Active Directory.
microsoft.directory/groups/unified/basic/update  Update basic properties of Microsoft 365 groups.
microsoft.directory/groups/unified/create  Create Microsoft 365 groups.
microsoft.directory/groups/unified/delete  Delete Microsoft 365 groups.
microsoft.directory/groups/unified/members/update  Update membership of Microsoft 365 groups.
microsoft.directory/groups/unified/owners/update  Update ownership of Microsoft 365 groups.
microsoft.office365.exchange/allEntities/allTasks  Manage all aspects of Exchange Online.
microsoft.office365.network/performance/allProperties/read  Read network performance pages in the Microsoft 365 admin center.
microsoft.office365.serviceHealth/allEntities/allTasks  Read and configure Microsoft 365 Service Health.
microsoft.office365.supportTickets/allEntities/allTasks  Create and manage Office 365 support tickets.
microsoft.office365.usageReports/allEntities/read  Read Office 365 usage reports.
microsoft.office365.webPortal/allEntities/basic/read  Read basic properties on all resources in microsoft.office365.webPortal.

External ID User Flow Administrator permissions

Create and manage all aspects of user flows.

Actions  Description
microsoft.aad.b2c/userFlows/allTasks  Read and configure user flows in Azure Active Directory B2C.

External ID User Flow Attribute Administrator permissions

Create and manage the attribute schema available to all user flows.

Actions  Description
microsoft.aad.b2c/userAttributes/allTasks  Read and configure user attributes in Azure Active Directory B2C.

External Identity Provider Administrator permissions

Configure identity providers for use in direct federation.

Actions  Description
microsoft.aad.b2c/identityProviders/allTasks  Read and configure identity providers in Azure Active Directory B2C.

Global Reader permissions

Can read everything that a Global Administrator can, but cannot edit anything.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

Actions  Description
microsoft.commerce.billing/allEntities/read  Read all aspects of billing.
microsoft.directory/administrativeUnits/basic/read  Read basic properties on administrativeUnits in Azure Active Directory.
microsoft.directory/administrativeUnits/members/read  Read administrativeUnits.members property in Azure Active Directory.
microsoft.directory/applications/basic/read  Read basic properties on applications in Azure Active Directory.
microsoft.directory/applications/owners/read  Read applications.owners property in Azure Active Directory.
microsoft.directory/applications/policies/read  Read applications.policies property in Azure Active Directory.
microsoft.directory/contacts/basic/read  Read basic properties on contacts in Azure Active Directory.
microsoft.directory/contacts/memberOf/read  Read contacts.memberOf property in Azure Active Directory.
microsoft.directory/contracts/basic/read  Read basic properties on contracts in Azure Active Directory.
microsoft.directory/devices/basic/read  Read basic properties on devices in Azure Active Directory.
microsoft.directory/devices/memberOf/read  Read devices.memberOf property in Azure Active Directory.
microsoft.directory/devices/registeredOwners/read  Read devices.registeredOwners property in Azure Active Directory.
microsoft.directory/devices/registeredUsers/read  Read devices.registeredUsers property in Azure Active Directory.
microsoft.directory/directoryRoles/basic/read  Read basic properties on directoryRoles in Azure Active Directory.
microsoft.directory/directoryRoles/eligibleMembers/read  Read directoryRoles.eligibleMembers property in Azure Active Directory.
microsoft.directory/directoryRoles/members/read  Read directoryRoles.members property in Azure Active Directory.
microsoft.directory/domains/basic/read  Read basic properties on domains in Azure Active Directory.
microsoft.directory/groups/appRoleAssignments/read  Read groups.appRoleAssignments property in Azure Active Directory.
microsoft.directory/groups/basic/read  Read basic properties on groups in Azure Active Directory.
microsoft.directory/groups/hiddenMembers/read  Read groups.hiddenMembers property in Azure Active Directory.
microsoft.directory/groups/memberOf/read  Read groups.memberOf property in Azure Active Directory.
microsoft.directory/groups/members/read  Read groups.members property in Azure Active Directory.
microsoft.directory/groups/owners/read  Read groups.owners property in Azure Active Directory.
microsoft.directory/groups/settings/read  Read groups.settings property in Azure Active Directory.
microsoft.directory/groupSettings/basic/readmicrosoft.directory/groupSettings/basic/read 读取 Azure Active Directory 中 groupSettings 的基本属性。Read basic properties on groupSettings in Azure Active Directory.
microsoft.directory/groupSettingTemplates/basic/readmicrosoft.directory/groupSettingTemplates/basic/read 读取 Azure Active Directory 中 groupSettingTemplates 的基本属性。Read basic properties on groupSettingTemplates in Azure Active Directory.
microsoft.directory/oAuth2PermissionGrants/basic/readmicrosoft.directory/oAuth2PermissionGrants/basic/read 读取 Azure Active Directory 中 oAuth2PermissionGrants 的基本属性。Read basic properties on oAuth2PermissionGrants in Azure Active Directory.
microsoft.directory/organization/basic/readmicrosoft.directory/organization/basic/read 读取 Azure Active Directory 中组织的基本属性。Read basic properties on organization in Azure Active Directory.
microsoft.directory/organization/trustedCAsForPasswordlessAuth/readmicrosoft.directory/organization/trustedCAsForPasswordlessAuth/read 读取 Azure Active Directory 中的 organization.trustedCAsForPasswordlessAuth 属性。Read organization.trustedCAsForPasswordlessAuth property in Azure Active Directory.
microsoft.directory/policies/standard/readmicrosoft.directory/policies/standard/read 读取 Azure Active Directory 中的标准策略。Read standard policies in Azure Active Directory.
microsoft.directory/roleAssignments/basic/readmicrosoft.directory/roleAssignments/basic/read 读取 Azure Active Directory 中 roleAssignments 上的基本属性。Read basic properties on roleAssignments in Azure Active Directory.
microsoft.directory/roleDefinitions/basic/readmicrosoft.directory/roleDefinitions/basic/read 读取 Azure Active Directory 中 roleDefinitions 上的基本属性。Read basic properties on roleDefinitions in Azure Active Directory.
microsoft.directory/servicePrincipals/appRoleAssignedTo/readmicrosoft.directory/servicePrincipals/appRoleAssignedTo/read 读取 Azure Active Directory 中的 servicePrincipals.appRoleAssignedTo 属性。Read servicePrincipals.appRoleAssignedTo property in Azure Active Directory.
microsoft.directory/servicePrincipals/appRoleAssignments/readmicrosoft.directory/servicePrincipals/appRoleAssignments/read 读取 Azure Active Directory 中的 servicePrincipals.appRoleAssignments 属性。Read servicePrincipals.appRoleAssignments property in Azure Active Directory.
microsoft.directory/servicePrincipals/basic/readmicrosoft.directory/servicePrincipals/basic/read 读取 Azure Active Directory 中 servicePrincipals 的基本属性。Read basic properties on servicePrincipals in Azure Active Directory.
microsoft.directory/servicePrincipals/memberOf/readmicrosoft.directory/servicePrincipals/memberOf/read 读取 Azure Active Directory 中的 servicePrincipals.memberOf 属性。Read servicePrincipals.memberOf property in Azure Active Directory.
microsoft.directory/servicePrincipals/oAuth2PermissionGrants/basic/readmicrosoft.directory/servicePrincipals/oAuth2PermissionGrants/basic/read 读取 Azure Active Directory 中的 servicePrincipals.oAuth2PermissionGrants 属性。Read servicePrincipals.oAuth2PermissionGrants property in Azure Active Directory.
microsoft.directory/servicePrincipals/ownedObjects/readmicrosoft.directory/servicePrincipals/ownedObjects/read 读取 Azure Active Directory 中的 servicePrincipals.ownedObjects 属性。Read servicePrincipals.ownedObjects property in Azure Active Directory.
microsoft.directory/servicePrincipals/owners/readmicrosoft.directory/servicePrincipals/owners/read 读取 Azure Active Directory 中的 servicePrincipals.owners 属性。Read servicePrincipals.owners property in Azure Active Directory.
microsoft.directory/servicePrincipals/policies/readmicrosoft.directory/servicePrincipals/policies/read 读取 Azure Active Directory 中的 servicePrincipals.policies 属性。Read servicePrincipals.policies property in Azure Active Directory.
microsoft.directory/signInReports/allProperties/readmicrosoft.directory/signInReports/allProperties/read 读取 Azure Active Directory 中 signInReports 上的所有属性(包括特权属性)。Read all properties (including privileged properties) on signInReports in Azure Active Directory.
microsoft.directory/subscribedSkus/basic/readmicrosoft.directory/subscribedSkus/basic/read 读取 Azure Active Directory 中 subscribedSkus 的基本属性。Read basic properties on subscribedSkus in Azure Active Directory.
microsoft.directory/users/appRoleAssignments/readmicrosoft.directory/users/appRoleAssignments/read 读取 Azure Active Directory 中的 users.appRoleAssignments 属性。Read users.appRoleAssignments property in Azure Active Directory.
microsoft.directory/users/basic/readmicrosoft.directory/users/basic/read 读取 Azure Active Directory 中用户的基本属性。Read basic properties on users in Azure Active Directory.
microsoft.directory/users/directReports/readmicrosoft.directory/users/directReports/read 读取 Azure Active Directory 中的 users.directReports 属性。Read users.directReports property in Azure Active Directory.
microsoft.directory/users/manager/readmicrosoft.directory/users/manager/read 读取 Azure Active Directory 中的 users.manager 属性。Read users.manager property in Azure Active Directory.
microsoft.directory/users/memberOf/readmicrosoft.directory/users/memberOf/read 读取 Azure Active Directory 中的 users.memberOf 属性。Read users.memberOf property in Azure Active Directory.
microsoft.directory/users/oAuth2PermissionGrants/basic/readmicrosoft.directory/users/oAuth2PermissionGrants/basic/read 读取 Azure Active Directory 中的 users.oAuth2PermissionGrants 属性。Read users.oAuth2PermissionGrants property in Azure Active Directory.
microsoft.directory/users/ownedDevices/readmicrosoft.directory/users/ownedDevices/read 读取 Azure Active Directory 中的 users.ownedDevices 属性。Read users.ownedDevices property in Azure Active Directory.
microsoft.directory/users/ownedObjects/readmicrosoft.directory/users/ownedObjects/read 读取 Azure Active Directory 中的 users.ownedObjects 属性。Read users.ownedObjects property in Azure Active Directory.
microsoft.directory/users/registeredDevices/readmicrosoft.directory/users/registeredDevices/read 读取 Azure Active Directory 中的 users.registeredDevices 属性。Read users.registeredDevices property in Azure Active Directory.
microsoft.directory/users/strongAuthentication/readmicrosoft.directory/users/strongAuthentication/read 读取强身份验证属性,如 MFA 凭据信息。Read strong authentication properties like MFA credential information.
microsoft.office365.exchange/allEntities/readmicrosoft.office365.exchange/allEntities/read 读取 Exchange Online 的各个方面。Read all aspects of Exchange Online.
microsoft.office365.messageCenter/messages/readmicrosoft.office365.messageCenter/messages/read 读取 microsoft.office365.messageCenter 中的消息。Read messages in microsoft.office365.messageCenter.
microsoft.office365.messageCenter/securityMessages/readmicrosoft.office365.messageCenter/securityMessages/read 读取 microsoft.office365.messageCenter 中的安全消息。Read securityMessages in microsoft.office365.messageCenter.
microsoft.office365.network/performance/allProperties/readmicrosoft.office365.network/performance/allProperties/read 读取 Microsoft 365 管理中心内的网络性能页。Read network performance pages in Microsoft 365 Admin Center.
microsoft.office365.protectionCenter/allEntities/readmicrosoft.office365.protectionCenter/allEntities/read 读取 Office 365 防护中心的各个方面。Read all aspects of Office 365 Protection Center.
microsoft.office365.securityComplianceCenter/allEntities/readmicrosoft.office365.securityComplianceCenter/allEntities/read 读取 microsoft.office365.securityComplianceCenter 中的所有标准属性。Read all standard properties in microsoft.office365.securityComplianceCenter.
microsoft.office365.usageReports/allEntities/readmicrosoft.office365.usageReports/allEntities/read 阅读 Office 365 使用情况报告。Read Office 365 usage reports.
microsoft.office365.webPortal/allEntities/standard/readmicrosoft.office365.webPortal/allEntities/standard/read 读取 microsoft.office365.webPortal 中所有资源的标准属性。Read standard properties on all resources in microsoft.office365.webPortal.

Groups Administrator permissions

Can manage all aspects of groups and group settings, such as naming and expiration policies.

Action: Description
microsoft.directory/groups/basic/read: Read standard properties on groups in Azure Active Directory.
microsoft.directory/groups/basic/update: Update basic properties on groups in Azure Active Directory.
microsoft.directory/groups/create: Create groups in Azure Active Directory.
microsoft.directory/groups/createAsOwner: Create groups in Azure Active Directory. The creator is added as the first owner, and the created object counts against the creator's quota of 250 created objects.
microsoft.directory/groups/delete: Delete groups in Azure Active Directory.
microsoft.directory/groups/hiddenMembers/read: Read groups.hiddenMembers property in Azure Active Directory.
microsoft.directory/groups/members/update: Update groups.members property in Azure Active Directory.
microsoft.directory/groups/owners/update: Update groups.owners property in Azure Active Directory.
microsoft.directory/groups/restore: Restore groups in Azure Active Directory.
microsoft.directory/groups/settings/update: Update groups.settings property in Azure Active Directory.
microsoft.azure.serviceHealth/allEntities/allTasks: Read and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasks: Create and manage Azure support tickets for directory-level services.
microsoft.office365.messageCenter/messages/read: Read messages in microsoft.office365.messageCenter.
microsoft.office365.serviceHealth/allEntities/allTasks: Read and configure Microsoft 365 Service Health.
microsoft.office365.supportTickets/allEntities/allTasks: Create and manage Office 365 support tickets.

Guest Inviter permissions

Can invite guest users regardless of the "members can invite guests" setting.

Action: Description
microsoft.directory/users/appRoleAssignments/read: Read users.appRoleAssignments property in Azure Active Directory.
microsoft.directory/users/basic/read: Read basic properties on users in Azure Active Directory.
microsoft.directory/users/directReports/read: Read users.directReports property in Azure Active Directory.
microsoft.directory/users/inviteGuest: Invite guest users in Azure Active Directory.
microsoft.directory/users/manager/read: Read users.manager property in Azure Active Directory.
microsoft.directory/users/memberOf/read: Read users.memberOf property in Azure Active Directory.
microsoft.directory/users/oAuth2PermissionGrants/basic/read: Read users.oAuth2PermissionGrants property in Azure Active Directory.
microsoft.directory/users/ownedDevices/read: Read users.ownedDevices property in Azure Active Directory.
microsoft.directory/users/ownedObjects/read: Read users.ownedObjects property in Azure Active Directory.
microsoft.directory/users/registeredDevices/read: Read users.registeredDevices property in Azure Active Directory.

Helpdesk Administrator permissions

Can reset passwords for non-administrators and for other Helpdesk Administrators.

Action: Description
microsoft.directory/devices/bitLockerRecoveryKeys/read: Read devices.bitLockerRecoveryKeys property in Azure Active Directory.
microsoft.directory/users/invalidateAllRefreshTokens: Invalidate all refresh tokens of a user in Azure Active Directory.
microsoft.directory/users/password/update: Update user passwords in Azure Active Directory (for this role, limited to the users named in the role description above). See the online documentation for more detail.
microsoft.azure.serviceHealth/allEntities/allTasks: Read and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasks: Create and manage Azure support tickets for directory-level services.
microsoft.office365.webPortal/allEntities/basic/read: Read basic properties on all resources in microsoft.office365.webPortal.
microsoft.office365.serviceHealth/allEntities/allTasks: Read and configure Microsoft 365 Service Health.
microsoft.office365.supportTickets/allEntities/allTasks: Create and manage Office 365 support tickets.

Hybrid Identity Administrator permissions

Can enable, deploy, configure, manage, monitor and troubleshoot cloud provisioning and authentication services.

Action: Description
microsoft.azure.serviceHealth/allEntities/allTasks: Read and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasks: Create and manage Azure support tickets for directory-level services.
microsoft.directory/applications/audience/update: Update applications.audience property in Azure Active Directory.
microsoft.directory/applications/authentication/update: Update applications.authentication property in Azure Active Directory.
microsoft.directory/applications/basic/update: Update basic properties on applications in Azure Active Directory.
microsoft.directory/applications/create: Create applications in Azure Active Directory.
microsoft.directory/applications/credentials/update: Update applications.credentials property in Azure Active Directory.
microsoft.directory/applications/delete: Delete applications in Azure Active Directory.
microsoft.directory/applications/owners/update: Update applications.owners property in Azure Active Directory.
microsoft.directory/applications/permissions/update: Update applications.permissions property in Azure Active Directory.
microsoft.directory/applications/policies/update: Update applications.policies property in Azure Active Directory.
microsoft.directory/applicationTemplates/instantiate: Instantiate gallery applications from application templates.
microsoft.directory/auditLogs/allProperties/read: Read all properties (including privileged properties) on auditLogs in Azure Active Directory.
microsoft.directory/cloudProvisioning/allProperties/allTasks: Read and configure all properties of the Azure AD Cloud Provisioning service.
microsoft.directory/federatedAuthentication/allProperties/allTasks: Manage all aspects of Active Directory Federation Services (AD FS) or a third-party federation provider in Azure AD.
microsoft.directory/organization/dirSync/update: Update organization.dirSync property in Azure Active Directory.
microsoft.directory/passwordHashSync/allProperties/allTasks: Manage all aspects of Password Hash Sync (PHS) in Azure AD.
microsoft.directory/passThroughAuthentication/allProperties/allTasks: Manage all aspects of Pass-through Authentication (PTA) in Azure AD.
microsoft.directory/seamlessSSO/allProperties/allTasks: Manage all aspects of Seamless single sign-on (SSO) in Azure AD.
microsoft.directory/servicePrincipals/audience/update: Update servicePrincipals.audience property in Azure Active Directory.
microsoft.directory/servicePrincipals/authentication/update: Update servicePrincipals.authentication property in Azure Active Directory.
microsoft.directory/servicePrincipals/basic/update: Update basic properties on servicePrincipals in Azure Active Directory.
microsoft.directory/servicePrincipals/create: Create servicePrincipals in Azure Active Directory.
microsoft.directory/servicePrincipals/credentials/update: Update servicePrincipals.credentials property in Azure Active Directory.
microsoft.directory/servicePrincipals/delete: Delete servicePrincipals in Azure Active Directory.
microsoft.directory/servicePrincipals/owners/update: Update servicePrincipals.owners property in Azure Active Directory.
microsoft.directory/servicePrincipals/permissions/update: Update servicePrincipals.permissions property in Azure Active Directory.
microsoft.directory/servicePrincipals/policies/update: Update servicePrincipals.policies property in Azure Active Directory.
microsoft.directory/servicePrincipals/synchronizationJobs/manage: Manage all aspects of synchronization jobs in Azure AD.
microsoft.directory/servicePrincipals/synchronizationSchema/manage: Manage all aspects of synchronization schema in Azure AD.
microsoft.directory/servicePrincipals/synchronizationCredentials/manage: Manage all aspects of synchronization credentials in Azure AD.
microsoft.directory/servicePrincipals/tag/update: Update servicePrincipals.tag property in Azure Active Directory.
microsoft.directory/signInReports/allProperties/read: Read all properties (including privileged properties) on signInReports in Azure Active Directory.
microsoft.office365.messageCenter/messages/read: Read messages in microsoft.office365.messageCenter.
microsoft.office365.serviceHealth/allEntities/allTasks: Read and configure Microsoft 365 Service Health.
microsoft.office365.supportTickets/allEntities/allTasks: Create and manage Office 365 support tickets.
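Two of the tables above carry permissions that amount to control over other identities rather than over a product: the Helpdesk Administrator can read BitLocker recovery keys, reset in-scope passwords and invalidate refresh tokens, and the Hybrid Identity Administrator can add credentials to applications and service principals and manage federation, password hash sync and pass-through authentication. The following is an added example (not code from this page or from Microsoft) of how to audit exported role definitions for such actions and to find the narrowest role that grants a required action, in the spirit of the "limit use of Global administrator" guidance. It assumes role data in the shape Microsoft Graph returns for roleManagement/directory/roleDefinitions (here a constructed sample built from this page's Helpdesk, Groups and Hybrid Identity Administrator tables, the latter two trimmed), approximates the meaning of the allEntities/allProperties/allTasks wildcard segments, and uses a takeover-class pattern list chosen by the example's author, not a Microsoft classification.

```python
"""Flag takeover-class permissions in Azure AD directory role definitions.

Added example, not from the Microsoft docs page. ROLE_DEFINITIONS is a constructed
sample in the Microsoft Graph roleDefinition shape; its action strings come from
this page's Helpdesk, Groups and Hybrid Identity Administrator tables (the latter
two trimmed). The all* wildcard semantics below are this example's assumption.
"""
from fnmatch import fnmatchcase


def role(name, *actions):
    """Build one roleDefinition object in the Graph API shape."""
    return {"displayName": name,
            "rolePermissions": [{"allowedResourceActions": list(actions)}]}


ROLE_DEFINITIONS = [
    role("Helpdesk Administrator",
         "microsoft.directory/devices/bitLockerRecoveryKeys/read",
         "microsoft.directory/users/invalidateAllRefreshTokens",
         "microsoft.directory/users/password/update",
         "microsoft.azure.serviceHealth/allEntities/allTasks",
         "microsoft.azure.supportTickets/allEntities/allTasks",
         "microsoft.office365.webPortal/allEntities/basic/read",
         "microsoft.office365.serviceHealth/allEntities/allTasks",
         "microsoft.office365.supportTickets/allEntities/allTasks"),
    role("Groups Administrator",  # subset of the page's table
         "microsoft.directory/groups/basic/read",
         "microsoft.directory/groups/basic/update",
         "microsoft.directory/groups/create",
         "microsoft.directory/groups/createAsOwner",
         "microsoft.directory/groups/delete",
         "microsoft.directory/groups/members/update",
         "microsoft.directory/groups/owners/update",
         "microsoft.directory/groups/restore",
         "microsoft.directory/groups/settings/update",
         "microsoft.azure.serviceHealth/allEntities/allTasks"),
    role("Hybrid Identity Administrator",  # subset of the page's table
         "microsoft.directory/applications/credentials/update",
         "microsoft.directory/servicePrincipals/credentials/update",
         "microsoft.directory/federatedAuthentication/allProperties/allTasks",
         "microsoft.directory/passwordHashSync/allProperties/allTasks",
         "microsoft.directory/passThroughAuthentication/allProperties/allTasks",
         "microsoft.directory/seamlessSSO/allProperties/allTasks",
         "microsoft.directory/organization/dirSync/update",
         "microsoft.directory/signInReports/allProperties/read",
         "microsoft.azure.serviceHealth/allEntities/allTasks"),
]

# fnmatch patterns ('*' also spans '/') for actions whose holder can take over
# other identities, with the reason a reviewer would cite. This list is the
# example author's choice, not a Microsoft classification.
SENSITIVE = [
    ("*/credentials/update", "adds secrets or certificates to apps/service principals"),
    ("*/users/password/update", "resets passwords of in-scope users"),
    ("*/users/invalidateAllRefreshTokens", "forces sign-out of users"),
    ("*/devices/bitLockerRecoveryKeys/read", "decrypts managed devices"),
    ("*/federatedAuthentication/*", "changes the federation trust that mints tokens"),
    ("*/passwordHashSync/*", "controls password hash synchronization"),
    ("*/passThroughAuthentication/*", "controls pass-through authentication"),
    ("*/organization/dirSync/update", "toggles directory synchronization"),
]

WILDCARDS = {"allEntities", "allProperties", "allTasks"}


def action_covers(granted, requested):
    """True if `granted` covers `requested`. Assumption: an all* segment matches
    any value in its position, and a trailing allProperties/allTasks on an entity
    also covers its 3-segment actions such as <entity>/create or <entity>/delete."""
    g, r = granted.split("/"), requested.split("/")
    if g[0] != r[0] or len(r) < 2:
        return False
    if len(g) == 4 and g[2:] == ["allProperties", "allTasks"]:
        return g[1] in WILDCARDS or g[1] == r[1]
    if len(g) != len(r):
        return False
    return all(a == b or a in WILDCARDS for a, b in zip(g, r))


def actions_of(role_def):
    return [a for p in role_def["rolePermissions"] for a in p["allowedResourceActions"]]


def roles_granting(requested, roles=ROLE_DEFINITIONS):
    """Names of roles that grant `requested`, fewest total actions first."""
    hits = [r for r in roles if any(action_covers(g, requested) for g in actions_of(r))]
    return [r["displayName"] for r in sorted(hits, key=lambda r: len(actions_of(r)))]


def sensitive_actions(role_def):
    """(action, reason) pairs for the role's takeover-class permissions."""
    found = []
    for action in actions_of(role_def):
        for pattern, reason in SENSITIVE:
            if fnmatchcase(action, pattern):
                found.append((action, reason))
                break
    return found


if __name__ == "__main__":
    for rd in ROLE_DEFINITIONS:
        print(f"{rd['displayName']}: {len(sensitive_actions(rd))} takeover-class action(s)")
        for action, reason in sensitive_actions(rd):
            print(f"  {action}  ({reason})")
    print("Narrowest role granting groups/members/update:",
          roles_granting("microsoft.directory/groups/members/update")[0])
```

Run against a real export, replace ROLE_DEFINITIONS with the `value` array of the Graph response; the Groups Administrator comes back with no takeover-class actions, while the two identity-facing roles are flagged even though neither is Global Administrator, which is the point of reviewing role contents rather than role names.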

Insights Administrator permissions

Has administrative access in the Microsoft 365 Insights app.

Action: Description
microsoft.azure.serviceHealth/allEntities/allTasks: Read and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasks: Create and manage Azure support tickets for directory-level services.
microsoft.insights/allEntities/allTasks: Manage all aspects of Insights.
microsoft.office365.serviceHealth/allEntities/allTasks: Read and configure Microsoft 365 Service Health.
microsoft.office365.supportTickets/allEntities/allTasks: Create and manage Office 365 support tickets.
microsoft.office365.webPortal/allEntities/basic/read: Read basic properties on all resources in microsoft.office365.webPortal.

Insights Business Leader permissions

Can view and share dashboards and insights via the Microsoft 365 Insights app.

Action: Description
microsoft.insights/reports/read: View reports and dashboards in the Insights app.
microsoft.insights/programs/update: Deploy and manage programs in the Insights app.

Intune Service Administrator permissions

Can manage all aspects of the Intune product.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

Action: Description
microsoft.directory/contacts/basic/update: Update basic properties on contacts in Azure Active Directory.
microsoft.directory/contacts/create: Create contacts in Azure Active Directory.
microsoft.directory/contacts/delete: Delete contacts in Azure Active Directory.
microsoft.directory/devices/basic/update: Update basic properties on devices in Azure Active Directory.
microsoft.directory/devices/bitLockerRecoveryKeys/read: Read devices.bitLockerRecoveryKeys property in Azure Active Directory.
microsoft.directory/devices/create: Create devices in Azure Active Directory.
microsoft.directory/devices/delete: Delete devices in Azure Active Directory.
microsoft.directory/devices/registeredOwners/update: Update devices.registeredOwners property in Azure Active Directory.
microsoft.directory/devices/registeredUsers/update: Update devices.registeredUsers property in Azure Active Directory.
microsoft.directory/groups/appRoleAssignments/update: Update groups.appRoleAssignments property in Azure Active Directory.
microsoft.directory/groups/basic/update: Update basic properties on groups in Azure Active Directory.
microsoft.directory/groups/create: Create groups in Azure Active Directory.
microsoft.directory/groups/createAsOwner: Create groups in Azure Active Directory. The creator is added as the first owner, and the created object counts against the creator's quota of 250 created objects.
microsoft.directory/groups/delete: Delete groups in Azure Active Directory.
microsoft.directory/groups/hiddenMembers/read: Read groups.hiddenMembers property in Azure Active Directory.
microsoft.directory/groups/members/update: Update groups.members property in Azure Active Directory.
microsoft.directory/groups/owners/update: Update groups.owners property in Azure Active Directory.
microsoft.directory/groups/restore: Restore groups in Azure Active Directory.
microsoft.directory/groups/settings/update: Update groups.settings property in Azure Active Directory.
microsoft.directory/users/appRoleAssignments/update: Update users.appRoleAssignments property in Azure Active Directory.
microsoft.directory/users/basic/update: Update basic properties on users in Azure Active Directory.
microsoft.directory/users/manager/update: Update users.manager property in Azure Active Directory.
microsoft.azure.supportTickets/allEntities/allTasks: Create and manage Azure support tickets for directory-level services.
microsoft.intune/allEntities/allTasks: Manage all aspects of Intune.
microsoft.office365.supportTickets/allEntities/allTasks: Create and manage Office 365 support tickets.
microsoft.office365.webPortal/allEntities/basic/read: Read basic properties on all resources in microsoft.office365.webPortal.

Kaizala Administrator permissions

Can manage settings for Microsoft Kaizala.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

Action: Description
microsoft.office365.serviceHealth/allEntities/allTasks: Read and configure Microsoft 365 Service Health.
microsoft.office365.supportTickets/allEntities/allTasks: Create and manage Office 365 support tickets.
microsoft.office365.webPortal/allEntities/basic/read: Read the Microsoft 365 admin center.

License Administrator permissions

Can manage product licenses on users and groups.

Actions | Description
microsoft.directory/users/assignLicense | Manage licenses on users in Azure Active Directory.
microsoft.directory/users/usageLocation/update | Update users.usageLocation property in Azure Active Directory.
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Microsoft 365 Service Health.

Lync Service Administrator permissions

Can manage all aspects of the Skype for Business product.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

Actions | Description
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets.
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Microsoft 365 Service Health.
microsoft.office365.skypeForBusiness/allEntities/allTasks | Manage all aspects of Skype for Business Online.
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets.
microsoft.office365.usageReports/allEntities/read | Read Office 365 usage reports.
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.

Message Center Privacy Reader permissions

Can read Message Center posts, data privacy messages, groups, domains, and subscriptions.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

Actions | Description
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.
microsoft.office365.messageCenter/messages/read | Read messages in microsoft.office365.messageCenter.
microsoft.office365.messageCenter/securityMessages/read | Read securityMessages in microsoft.office365.messageCenter.

Message Center Reader permissions

Can read messages and updates for their organization in Message Center only.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

Actions | Description
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.
microsoft.office365.messageCenter/messages/read | Read messages in microsoft.office365.messageCenter.

Network Administrator permissions

Can manage network locations and review enterprise network design insights for Microsoft 365 Software as a Service applications.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

Actions | Description
microsoft.office365.network/performance/allProperties/read | Read network performance pages in the Microsoft 365 admin center.
microsoft.office365.network/locations/allProperties/allTasks | Read and configure network location properties for each location.

Office Apps Administrator permissions

Can manage Office apps' cloud services, including policy and settings management, and manage the ability to select, unselect, and publish "what's new" feature content to end users' devices.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

Actions | Description
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets for directory-level services.
microsoft.office365.messageCenter/messages/read | Read messages in microsoft.office365.messageCenter.
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Microsoft 365 Service Health.
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets.
microsoft.office365.userCommunication/allEntities/allTasks | Read and update visibility of What's New messages.
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.

Password Administrator permissions

Can reset passwords for non-administrators and Password administrators.

Actions | Description
microsoft.directory/users/password/update | Update passwords for all users in Azure Active Directory. See online documentation for more detail.
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.

Power BI Service Administrator permissions

Can manage all aspects of the Power BI product.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

Actions | Description
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets for directory-level services.
microsoft.powerApps.powerBI/allEntities/allTasks | Manage all aspects of Power BI.
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Microsoft 365 Service Health.
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets.

Power Platform Administrator permissions

Can create and manage all aspects of Microsoft Dynamics 365, PowerApps, and Microsoft Flow.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

Actions | Description
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets for directory-level services.
microsoft.dynamics365/allEntities/allTasks | Manage all aspects of Dynamics 365.
microsoft.flow/allEntities/allTasks | Manage all aspects of Microsoft Flow.
microsoft.powerApps/allEntities/allTasks | Manage all aspects of PowerApps.
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Microsoft 365 Service Health.
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets.

Printer Administrator permissions

Can manage all aspects of printers and printer connectors.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

Actions | Description
microsoft.azure.print/allEntities/allProperties/allTasks | Create and delete printers and connectors, and read and update all properties in Microsoft Print.

Printer Technician permissions

Can register and unregister printers and update printer status.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

Actions | Description
microsoft.azure.print/connectors/allProperties/read | Read all properties of connectors in Microsoft Print.
microsoft.azure.print/printers/allProperties/read | Read all properties of printers in Microsoft Print.
microsoft.azure.print/printers/basic/update | Update basic properties of printers in Microsoft Print.
microsoft.azure.print/printers/register | Register printers in Microsoft Print.
microsoft.azure.print/printers/unregister | Unregister printers in Microsoft Print.

Privileged Authentication Administrator permissions

Allowed to view, set, and reset authentication method information for any user (admin or non-admin).

Actions | Description
microsoft.directory/users/invalidateAllRefreshTokens | Invalidate all user refresh tokens in Azure Active Directory.
microsoft.directory/users/strongAuthentication/update | Update strong authentication properties such as MFA credential information.
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets for directory-level services.
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Microsoft 365 Service Health.
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets.
microsoft.directory/users/password/update | Update passwords for all users in the Microsoft 365 organization. See online documentation for more detail.

Privileged Role Administrator permissions

Can manage role assignments in Azure AD, and all aspects of Privileged Identity Management.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

Actions | Description
microsoft.directory/groupsAssignableToRoles/allProperties/update | Update groups with the isAssignableToRole property set to true in Azure Active Directory.
microsoft.directory/groupsAssignableToRoles/create | Create groups with the isAssignableToRole property set to true in Azure Active Directory.
microsoft.directory/groupsAssignableToRoles/delete | Delete groups with the isAssignableToRole property set to true in Azure Active Directory.
microsoft.directory/privilegedIdentityManagement/allEntities/allTasks | Create and delete all resources, and read and update standard properties in microsoft.aad.privilegedIdentityManagement.
microsoft.directory/servicePrincipals/appRoleAssignedTo/allTasks | Read and configure the servicePrincipals.appRoleAssignedTo property in Azure Active Directory.
microsoft.directory/servicePrincipals/oAuth2PermissionGrants/allTasks | Read and configure the servicePrincipals.oAuth2PermissionGrants property in Azure Active Directory.
microsoft.directory/administrativeUnits/allProperties/allTasks | Create and manage administrative units (including members).
microsoft.directory/roleAssignments/allProperties/allTasks | Create and manage role assignments.
microsoft.directory/roleDefinitions/allProperties/allTasks | Create and manage role definitions.
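The Password Administrator, Privileged Authentication Administrator, and Privileged Role Administrator tables above all grant overlapping but differently sized action sets, and the least-privileged choice for a task is the smallest role that still covers every action the task needs. The following added example (not Microsoft's code) transcribes those action sets, plus the License Administrator set, into a lookup and picks the minimal covering role for a requested set of actions, reporting the high-impact actions the choice would grant as a side effect; the `HIGH_IMPACT` list and the lookup names are constructed for this illustration, and the page's scope restrictions (for example, which users a Password Administrator may reset) are not modelled.

```python
"""Least-privilege role selection over the Azure AD role action lists above.

Added example, not Microsoft code. The action sets are transcribed from the
tables on this page for four roles; everything else is constructed here.
Scope restrictions (which users a role may act on) are not modelled.
"""
from __future__ import annotations

# Action sets transcribed from this page's tables (a subset of all roles).
ROLE_ACTIONS: dict[str, frozenset[str]] = {
    "Password Administrator": frozenset({
        "microsoft.directory/users/password/update",
        "microsoft.office365.webPortal/allEntities/basic/read",
    }),
    "License Administrator": frozenset({
        "microsoft.directory/users/assignLicense",
        "microsoft.directory/users/usageLocation/update",
        "microsoft.azure.serviceHealth/allEntities/allTasks",
        "microsoft.office365.webPortal/allEntities/basic/read",
        "microsoft.office365.serviceHealth/allEntities/allTasks",
    }),
    "Privileged Authentication Administrator": frozenset({
        "microsoft.directory/users/invalidateAllRefreshTokens",
        "microsoft.directory/users/strongAuthentication/update",
        "microsoft.azure.serviceHealth/allEntities/allTasks",
        "microsoft.azure.supportTickets/allEntities/allTasks",
        "microsoft.office365.webPortal/allEntities/basic/read",
        "microsoft.office365.serviceHealth/allEntities/allTasks",
        "microsoft.office365.supportTickets/allEntities/allTasks",
        "microsoft.directory/users/password/update",
    }),
    "Privileged Role Administrator": frozenset({
        "microsoft.directory/groupsAssignableToRoles/allProperties/update",
        "microsoft.directory/groupsAssignableToRoles/create",
        "microsoft.directory/groupsAssignableToRoles/delete",
        "microsoft.directory/privilegedIdentityManagement/allEntities/allTasks",
        "microsoft.directory/servicePrincipals/appRoleAssignedTo/allTasks",
        "microsoft.directory/servicePrincipals/oAuth2PermissionGrants/allTasks",
        "microsoft.directory/administrativeUnits/allProperties/allTasks",
        "microsoft.directory/roleAssignments/allProperties/allTasks",
        "microsoft.directory/roleDefinitions/allProperties/allTasks",
    }),
}

# Actions a reviewer should flag when a role grants them as a side effect.
# This classification is a constructed judgement, not taken from the page.
HIGH_IMPACT = frozenset({
    "microsoft.directory/users/strongAuthentication/update",
    "microsoft.directory/users/invalidateAllRefreshTokens",
    "microsoft.directory/roleAssignments/allProperties/allTasks",
    "microsoft.directory/roleDefinitions/allProperties/allTasks",
})


def covering_roles(required: set[str]) -> list[tuple[str, int]]:
    """Roles whose action set is a superset of `required`, smallest first.

    Returns (role name, number of actions) pairs; empty if no single role
    in the table covers every required action.
    """
    hits = [(name, len(acts)) for name, acts in ROLE_ACTIONS.items()
            if required <= acts]
    return sorted(hits, key=lambda pair: (pair[1], pair[0]))


def least_privileged_role(required: set[str]) -> str | None:
    """Name of the smallest single role covering `required`, or None."""
    hits = covering_roles(required)
    return hits[0][0] if hits else None


def excess_actions(role: str, required: set[str]) -> dict[str, list[str]]:
    """Actions `role` grants beyond `required`, split by impact."""
    extra = ROLE_ACTIONS[role] - required
    return {
        "high_impact": sorted(extra & HIGH_IMPACT),
        "other": sorted(extra - HIGH_IMPACT),
    }


def uncovered_actions(required: set[str]) -> set[str]:
    """Required actions that no role in this partial table grants at all."""
    known = frozenset().union(*ROLE_ACTIONS.values())
    return required - known


if __name__ == "__main__":
    # A helpdesk team that only resets passwords fits the smallest role.
    need = {"microsoft.directory/users/password/update"}
    role = least_privileged_role(need)
    print("password resets only ->", role)
    print("  excess grants:", excess_actions(role, need))
    # Adding MFA resets forces the privileged role, which also brings
    # token invalidation along; the excess report makes that visible.
    need_mfa = need | {"microsoft.directory/users/strongAuthentication/update"}
    role_mfa = least_privileged_role(need_mfa)
    print("password + MFA resets ->", role_mfa)
    print("  excess grants:", excess_actions(role_mfa, need_mfa))
```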

Reports Reader permissions

Can read sign-in and audit reports.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

Actions | Description
microsoft.directory/auditLogs/allProperties/read | Read all properties (including privileged properties) on auditLogs in Azure Active Directory.
microsoft.directory/signInReports/allProperties/read | Read all properties (including privileged properties) on signInReports in Azure Active Directory.
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
microsoft.office365.usageReports/allEntities/read | Read Office 365 usage reports.

Search Administrator permissions

Can create and manage all aspects of Microsoft Search settings.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

Actions | Description
microsoft.office365.messageCenter/messages/read | Read messages in microsoft.office365.messageCenter.
microsoft.office365.search/allEntities/allProperties/allTasks | Create and delete all resources, and read and update all properties in microsoft.office365.search.
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Microsoft 365 Service Health.
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets.
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.

Search Editor permissions

Can create and manage editorial content such as bookmarks, Q&As, locations, and floor plans.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

Actions | Description
microsoft.office365.messageCenter/messages/read | Read messages in microsoft.office365.messageCenter.
microsoft.office365.search/content/allProperties/allTasks | Create and delete content, and read and update all properties in microsoft.office365.search.

Security Administrator permissions

Can read security information and reports, and manage configuration in Azure AD and Microsoft 365.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

Actions | Description
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets for directory-level services.
microsoft.directory/applications/policies/update | Update applications.policies property in Azure Active Directory.
microsoft.directory/auditLogs/allProperties/read | Read all properties (including privileged properties) on auditLogs in Azure Active Directory.
microsoft.directory/devices/bitLockerRecoveryKeys/read | Read devices.bitLockerRecoveryKeys property in Azure Active Directory.
microsoft.directory/identityProtection/allProperties/read | Read all resources in microsoft.aad.identityProtection.
microsoft.directory/identityProtection/allProperties/update | Update all resources in microsoft.aad.identityProtection.
microsoft.directory/policies/basic/update | Update basic properties on policies in Azure Active Directory.
microsoft.directory/policies/create | Create policies in Azure Active Directory.
microsoft.directory/policies/delete | Delete policies in Azure Active Directory.
microsoft.directory/policies/owners/update | Update policies.owners property in Azure Active Directory.
microsoft.directory/policies/tenantDefault/update | Update policies.tenantDefault property in Azure Active Directory.
microsoft.directory/privilegedIdentityManagement/allProperties/read | Read all resources in microsoft.aad.privilegedIdentityManagement.
microsoft.directory/servicePrincipals/policies/update | Update servicePrincipals.policies property in Azure Active Directory.
microsoft.directory/signInReports/allProperties/read | Read all properties (including privileged properties) on signInReports in Azure Active Directory.
microsoft.office365.protectionCenter/allEntities/read | Read all aspects of Office 365 Protection Center.
microsoft.office365.protectionCenter/allEntities/update | Update all resources in microsoft.office365.protectionCenter.
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Microsoft 365 Service Health.
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets.
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.

Security Operator permissions

Creates and manages security events.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

Actions | Description
microsoft.azure.advancedThreatProtection/allEntities/read | Read and configure Azure AD Advanced Threat Protection.
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets for directory-level services.
microsoft.directory/cloudAppSecurity/allProperties/allTasks | Read and configure Microsoft Cloud App Security.
microsoft.directory/identityProtection/allProperties/read | Read all resources in microsoft.aad.identityProtection.
microsoft.directory/privilegedIdentityManagement/allProperties/read | Read all resources in microsoft.aad.privilegedIdentityManagement.
microsoft.intune/allEntities/allTasks | Manage all aspects of Intune.
microsoft.office365.securityComplianceCenter/allEntities/allTasks | Read and configure the Security & Compliance Center.
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets.
microsoft.windows.defenderAdvancedThreatProtection/allEntities/read | Read and configure Windows Defender Advanced Threat Protection.

Security Reader permissions

Can read security information and reports in Azure AD and Microsoft 365.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

Actions | Description
microsoft.directory/auditLogs/allProperties/read | Read all properties (including privileged properties) on auditLogs in Azure Active Directory.
microsoft.directory/devices/bitLockerRecoveryKeys/read | Read devices.bitLockerRecoveryKeys property in Azure Active Directory.
microsoft.directory/policies/conditionalAccess/basic/read | Read policies.conditionalAccess property in Azure Active Directory.
microsoft.directory/signInReports/allProperties/read | Read all properties (including privileged properties) on signInReports in Azure Active Directory.
microsoft.aad.identityProtection/allEntities/read | Read all resources in microsoft.aad.identityProtection.
microsoft.aad.privilegedIdentityManagement/allEntities/read | Read all resources in microsoft.aad.privilegedIdentityManagement.
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.
microsoft.office365.protectionCenter/allEntities/read | Read all aspects of Office 365 Protection Center.
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Microsoft 365 Service Health.

Service Support Administrator permissions

Can read service health information and manage support tickets.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

Actions | Description
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets for directory-level services.
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Microsoft 365 Service Health.
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets.

SharePoint Service Administrator permissions

Can manage all aspects of the SharePoint service.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

Actions | Description
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets for directory-level services.
microsoft.directory/groups/unified/appRoleAssignments/update | Update groups.unified property in Azure Active Directory.
microsoft.directory/groups/unified/basic/update | Update basic properties of Microsoft 365 groups.
microsoft.directory/groups/unified/create | Create Microsoft 365 groups.
microsoft.directory/groups/unified/delete | Delete Microsoft 365 groups.
microsoft.directory/groups/unified/members/update | Update membership of Microsoft 365 groups.
microsoft.directory/groups/unified/owners/update | Update ownership of Microsoft 365 groups.
microsoft.office365.network/performance/allProperties/read | Read network performance pages in the Microsoft 365 admin center.
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Microsoft 365 Service Health.
microsoft.office365.sharepoint/allEntities/allTasks | Create and delete all resources, and read and update standard properties in microsoft.office365.sharepoint.
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets.
microsoft.office365.usageReports/allEntities/read | Read Office 365 usage reports.
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.

Teams Communications Administrator permissions

Can manage calling and meetings features within the Microsoft Teams service.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

Actions | Description
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets for directory-level services.
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Microsoft 365 Service Health.
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets.
microsoft.office365.usageReports/allEntities/read | Read Office 365 usage reports.
microsoft.teams/meetings/allProperties/allTasks | Manage meetings, including meeting policies, configurations, and conference bridges.
microsoft.teams/voice/allProperties/allTasks | Manage voice, including calling policies and phone number inventory and assignment.
microsoft.teams/callQuality/allProperties/read | Read all data in the Call Quality Dashboard (CQD).

Teams Communications Support Engineer permissions

Can troubleshoot communications issues within Teams using advanced tools.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

Actions | Description
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Microsoft 365 Service Health.
microsoft.teams/callQuality/allProperties/read | Read all data in the Call Quality Dashboard (CQD).

Teams Communications Support Specialist permissions

Can troubleshoot communications issues within Teams using basic tools.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

Actions | Description
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Microsoft 365 Service Health.
microsoft.teams/callQuality/basic/read | Read basic data in the Call Quality Dashboard (CQD).

Teams Devices Administrator permissions

Can perform management-related tasks on Teams-certified devices.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

Actions | Description
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.
microsoft.teams/devices/basic/read | Manage all aspects of Teams-certified devices, including configuration policies.

Teams Service Administrator permissions

Can manage the Microsoft Teams service.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

Actions | Description
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets for directory-level services.
microsoft.directory/groups/hiddenMembers/read | Read groups.hiddenMembers property in Azure Active Directory.
microsoft.directory/groups/unified/appRoleAssignments/update | Update groups.unified property in Azure Active Directory.
microsoft.directory/groups/unified/basic/update | Update basic properties of Microsoft 365 groups.
microsoft.directory/groups/unified/create | Create Microsoft 365 groups.
microsoft.directory/groups/unified/delete | Delete Microsoft 365 groups.
microsoft.directory/groups/unified/members/update | Update membership of Microsoft 365 groups.
microsoft.directory/groups/unified/owners/update | Update ownership of Microsoft 365 groups.
microsoft.office365.network/performance/allProperties/read | Read network performance pages in the M365 Admin Center.
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Microsoft 365 Service Health.
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets.
microsoft.office365.usageReports/allEntities/read | Read Office 365 usage reports.
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.
microsoft.teams/allEntities/allProperties/allTasks | Manage all resources in Teams.

User Administrator permissions

Can manage all aspects of users and groups, including resetting passwords for limited admins.

Actions | Description
microsoft.directory/appRoleAssignments/create | Create appRoleAssignments in Azure Active Directory.
microsoft.directory/appRoleAssignments/delete | Delete appRoleAssignments in Azure Active Directory.
microsoft.directory/appRoleAssignments/update | Update appRoleAssignments in Azure Active Directory.
microsoft.directory/contacts/basic/update | Update basic properties on contacts in Azure Active Directory.
microsoft.directory/contacts/create | Create contacts in Azure Active Directory.
microsoft.directory/contacts/delete | Delete contacts in Azure Active Directory.
microsoft.directory/groups/appRoleAssignments/update | Update groups.appRoleAssignments property in Azure Active Directory.
microsoft.directory/groups/basic/update | Update basic properties on groups in Azure Active Directory.
microsoft.directory/groups/create | Create groups in Azure Active Directory.
microsoft.directory/groups/createAsOwner | Create groups in Azure Active Directory. The creator is added as the first owner, and the created object counts against the creator's quota of 250 created objects.
microsoft.directory/groups/delete | Delete groups in Azure Active Directory.
microsoft.directory/groups/hiddenMembers/read | Read groups.hiddenMembers property in Azure Active Directory.
microsoft.directory/groups/members/update | Update groups.members property in Azure Active Directory.
microsoft.directory/groups/owners/update | Update groups.owners property in Azure Active Directory.
microsoft.directory/groups/restore | Restore groups in Azure Active Directory.
microsoft.directory/groups/settings/update | Update groups.settings property in Azure Active Directory.
microsoft.directory/users/appRoleAssignments/update | Update users.appRoleAssignments property in Azure Active Directory.
microsoft.directory/users/assignLicense | Manage licenses on users in Azure Active Directory.
microsoft.directory/users/basic/update | Update basic properties on users in Azure Active Directory.
microsoft.directory/users/create | Create users in Azure Active Directory.
microsoft.directory/users/delete | Delete users in Azure Active Directory.
microsoft.directory/users/invalidateAllRefreshTokens | Invalidate all user refresh tokens in Azure Active Directory.
microsoft.directory/users/manager/update | Update users.manager property in Azure Active Directory.
microsoft.directory/users/password/update | Update passwords for all users in Azure Active Directory. See the online documentation for more detail.
microsoft.directory/users/restore | Restore deleted users in Azure Active Directory.
microsoft.directory/users/userPrincipalName/update | Update users.userPrincipalName property in Azure Active Directory.
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets for directory-level services.
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Microsoft 365 Service Health.
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets.

Role template IDs

Role template IDs are used mainly by Microsoft Graph API or PowerShell users.

Graph displayName | Azure portal display name | directoryRoleTemplateId
Application Administrator | Application administrator | 9B895D92-2CD3-44C7-9D02-A6AC2D5EA5C3
Application Developer | Application developer | CF1C38E5-3621-4004-A7CB-879624DCED7C
Authentication Administrator | Authentication administrator | c4e39bd9-1100-46d3-8c65-fb160da0071f
Azure DevOps Administrator | Azure DevOps administrator | e3973bdf-4987-49ae-837a-ba8e231c7286
Azure Information Protection Administrator | Azure Information Protection administrator | 7495fdc4-34c4-4d15-a289-98788ce399fd
B2C IEF Keyset Administrator | B2C IEF Keyset Administrator | aaf43236-0c0d-4d5f-883a-6955382ac081
B2C IEF Policy Administrator | B2C IEF Policy Administrator | 3edaf663-341e-4475-9f94-5c398ef6c070
Billing Administrator | Billing administrator | b0f54661-2d74-4c50-afa3-1ec803f12efe
Cloud Application Administrator | Cloud application administrator | 158c047a-c907-4556-b7ef-446551a6b5f7
Cloud Device Administrator | Cloud device administrator | 7698a772-787b-4ac8-901f-60d6b08affd2
Company Administrator | Global administrator | 62e90394-69f5-4237-9190-012177145e10
Compliance Administrator | Compliance administrator | 17315797-102d-40b4-93e0-432062caca18
Compliance Data Administrator | Compliance data administrator | e6d1a23a-da11-4be4-9570-befc86d067a7
Conditional Access Administrator | Conditional Access administrator | b1be1c3e-b65d-4f19-8427-f6fa0d97feb9
CRM Service Administrator | Dynamics 365 administrator | 44367163-eba1-44c3-98af-f5787879f96a
Customer LockBox Access Approver | Customer Lockbox access approver | 5c4f9dcd-47dc-4cf7-8c9a-9e4207cbfc91
Desktop Analytics Administrator | Desktop Analytics Administrator | 38a96431-2bdf-4b4c-8b6e-5d3d8abac1a4
Device Administrators | Device administrators | 9f06204d-73c1-4d4c-880a-6edb90606fd8
Device Join | Deprecated | 9c094953-4995-41c8-84c8-3ebb9b32c93f
Device Managers | Deprecated | 2b499bcd-da44-4968-8aec-78e1674fa64d
Device Users | Deprecated | d405c6df-0af8-4e3b-95e4-4d06e542189e
Directory Readers | Directory readers | 88d8e3e3-8f55-4a1e-953a-9b9898b8876b
Directory Synchronization Accounts | Not shown because it shouldn't be used | d29b2b05-8046-44ba-8758-1e26182fcf32
Directory Writers | Directory Writers | 9360feb5-f418-4baa-8175-e2a00bac4301
Exchange Service Administrator | Exchange administrator | 29232cdf-9323-42fd-ade2-1d097af3e4de
External Id User flow Administrator | External Id User flow Administrator | 6e591065-9bad-43ed-90f3-e9424366d2f0
External Id User Flow Attribute Administrator | External Id User Flow Attribute Administrator | 0f971eea-41eb-4569-a71e-57bb8a3eff1e
External Identity Provider Administrator | External Identity Provider Administrator | be2f45a1-457d-42af-a067-6ec1fa63bc45
Global Reader | Global reader | f2ef992c-3afb-46b9-b7cf-a126ee74c451
Groups Administrator | Groups administrator | fdd7a751-b60b-444a-984c-02652fe8fa1c
Guest Inviter | Guest inviter | 95e79109-95c0-4d8e-aee3-d01accf2d47b
Helpdesk Administrator | Helpdesk administrator | 729827e3-9c14-49f7-bb1b-9608f156bbb8
Hybrid Identity Administrator | Hybrid identity administrator | 8ac3fc64-6eca-42ea-9e69-59f4c7b60eb2
Insights Administrator | Insights administrator | eb1f4a8d-243a-41f0-9fbd-c7cdf6c5ef7c
Insights Business Leader | Insights business leader | 31e939ad-9672-4796-9c2e-873181342d2d
Intune Service Administrator | Intune administrator | 3a2c62db-5318-420d-8d74-23affee5d9d5
Kaizala Administrator | Kaizala administrator | 74ef975b-6605-40af-a5d2-b9539d836353
License Administrator | License administrator | 4d6ac14f-3453-41d0-bef9-a3e0c569773a
Lync Service Administrator | Skype for Business administrator | 75941009-915a-4869-abe7-691bff18279e
Message Center Privacy Reader | Message center privacy reader | ac16e43d-7b2d-40e0-ac05-243ff356ab5b
Message Center Reader | Message center reader | 790c1fb9-7f7d-4f88-86a1-ef1f95c05c1b
Modern Commerce User | Modern Commerce User | d24aef57-1500-4070-84db-2666f29cf966
Network Administrator | Network administrator | d37c8bed-0711-4417-ba38-b4abe66ce4c2
Office Apps Administrator | Office apps administrator | 2b745bdf-0803-4d80-aa65-822c4493daac
Partner Tier1 Support | Not shown because it shouldn't be used | 4ba39ca4-527c-499a-b93d-d9b492c50246
Partner Tier2 Support | Not shown because it shouldn't be used | e00e864a-17c5-4a4b-9c06-f5b95a8d5bd8
Password Administrator | Password administrator | 966707d0-3269-4727-9be2-8c3a10f19b9d
Power BI Service Administrator | Power BI administrator | a9ea8996-122f-4c74-9520-8edcd192826c
Power Platform Administrator | Power platform administrator | 11648597-926c-4cf3-9c36-bcebb0ba8dcc
Printer Administrator | Printer administrator | 644ef478-e28f-4e28-b9dc-3fdde9aa0b1f
Printer Technician | Printer technician | e8cef6f1-e4bd-4ea8-bc07-4b8d950f4477
Privileged Authentication Administrator | Privileged authentication administrator | 7be44c8a-adaf-4e2a-84d6-ab2649e08a13
Privileged Role Administrator | Privileged role administrator | e8611ab8-c189-46e8-94e1-60213ab1f814
Reports Reader | Reports reader | 4a5d8f65-41da-4de4-8968-e035b65339cf
Search Administrator | Search administrator | 0964bb5e-9bdb-4d7b-ac29-58e794862a40
Search Editor | Search editor | 8835291a-918c-4fd7-a9ce-faa49f0cf7d9
Security Administrator | Security administrator | 194ae4cb-b126-40b2-bd5b-6091b380977d
Security Operator | Security operator | 5f2222b1-57c3-48ba-8ad5-d4759f1fde6f
Security Reader | Security reader | 5d6b6bb7-de71-4623-b4af-96380a352509
Service Support Administrator | Service support administrator | f023fd81-a637-4b56-95fd-791ac0226033
SharePoint Service Administrator | SharePoint administrator | f28a1f50-f6e7-4571-818b-6a12f2af6b6c
Teams Communications Administrator | Teams Communications Administrator | baf37b3a-610e-45da-9e62-d9d1e5e8914b
Teams Communications Support Engineer | Teams Communications Support Engineer | f70938a0-fc10-4177-9e90-2178f8765737
Teams Communications Support Specialist | Teams Communications Support Specialist | fcf91098-03e3-41a9-b5ba-6f0ec8188a12
Teams Devices Administrator | Teams Devices Administrator | 3d762c5a-1b6c-493f-843e-55a3b42923d4
Teams Service Administrator | Teams Service Administrator | 69091246-20e8-4a56-aa4d-066075b2a7a8
User | Not shown because it can't be used | a0b1b346-4d3e-4e8b-98f8-753987be4970
User Account Administrator | User administrator | fe930be7-5e62-47db-91af-98c3a49a38b1
Workplace Device Join | Deprecated | c34f683f-4d5a-4403-affd-6615e00e3a7f

Deprecated roles

The following roles should not be used. They have been deprecated and will be removed from Azure AD in the future.

  • AdHoc License Administrator
  • Device Join
  • Device Managers
  • Device Users
  • Email Verified User Creator
  • Mailbox Administrator
  • Workplace Device Join

Roles not shown in the portal

Not every role returned by PowerShell or the MS Graph API is visible in the Azure portal. The following table organizes those differences.

API name | Azure portal name | Notes
Company Administrator | Global Administrator | Name changed for better clarity
CRM Service Administrator | Dynamics 365 administrator | Reflects current product branding
Device Join | Deprecated | Deprecated roles documentation
Device Managers | Deprecated | Deprecated roles documentation
Device Users | Deprecated | Deprecated roles documentation
Directory Synchronization Accounts | Not shown because it shouldn't be used | Directory Synchronization Accounts documentation
Directory Writers | Not shown because it shouldn't be used | Directory Writers documentation
Guest User | Not shown because it can't be used | NA
Lync Service Administrator | Skype for Business administrator | Reflects current product branding
Partner Tier 1 Support | Not shown because it shouldn't be used | Partner Tier1 Support documentation
Partner Tier 2 Support | Not shown because it shouldn't be used | Partner Tier2 Support documentation
Restricted Guest User | Not shown because it can't be used | NA
User | Not shown because it can't be used | NA
Workplace Device Join | Deprecated | Deprecated roles documentation
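As an added example (not Microsoft's code and not part of this page), the following Python turns the two tables above, the role template IDs and the API-name versus portal-name differences, into a membership audit: each activated role is reported under its portal name, members of roles the portal does not show are flagged, and the Global administrator count is checked. The Graph payloads are constructed samples in the shape returned by GET /v1.0/directoryRoles and GET /v1.0/directoryRoles/{id}/members; the Global administrator member limit is a caller-supplied assumption, and fetching the real payloads with an access token is left to the caller.

```python
"""Audit activated Azure AD directory roles from Microsoft Graph responses (added example)."""

# Subset of the role template ID table above, keyed by directoryRoleTemplateId.
# Graph returns template IDs in lowercase, so lookups lowercase the incoming value.
PORTAL_NAME_BY_TEMPLATE = {
    "62e90394-69f5-4237-9190-012177145e10": "Global administrator",        # API: Company Administrator
    "fe930be7-5e62-47db-91af-98c3a49a38b1": "User administrator",          # API: User Account Administrator
    "44367163-eba1-44c3-98af-f5787879f96a": "Dynamics 365 administrator",  # API: CRM Service Administrator
    "e8611ab8-c189-46e8-94e1-60213ab1f814": "Privileged role administrator",
    "9c094953-4995-41c8-84c8-3ebb9b32c93f": "Deprecated",                  # API: Device Join
    "d29b2b05-8046-44ba-8758-1e26182fcf32": "Not shown because it shouldn't be used",  # Directory Synchronization Accounts
}
GLOBAL_ADMIN_TEMPLATE = "62e90394-69f5-4237-9190-012177145e10"

# Portal labels for roles the page lists as deprecated or hidden. A member in one of
# these roles deserves a look, because the portal will not show the assignment.
HIDDEN_IN_PORTAL = {"Deprecated", "Not shown because it shouldn't be used"}

# Constructed sample of GET /v1.0/directoryRoles (Graph returns activated roles only).
SAMPLE_ROLES = {"value": [
    {"id": "11111111-0000-0000-0000-000000000001", "displayName": "Company Administrator",
     "roleTemplateId": "62e90394-69f5-4237-9190-012177145e10"},
    {"id": "11111111-0000-0000-0000-000000000002", "displayName": "Device Join",
     "roleTemplateId": "9c094953-4995-41c8-84c8-3ebb9b32c93f"},
    {"id": "11111111-0000-0000-0000-000000000003", "displayName": "User Account Administrator",
     "roleTemplateId": "fe930be7-5e62-47db-91af-98c3a49a38b1"},
]}

# Constructed samples of GET /v1.0/directoryRoles/{id}/members, keyed by role id.
SAMPLE_MEMBERS = {
    "11111111-0000-0000-0000-000000000001": {"value": [
        {"@odata.type": "#microsoft.graph.user", "userPrincipalName": f"admin{i}@contoso.example"}
        for i in range(1, 7)]},
    "11111111-0000-0000-0000-000000000002": {"value": [
        {"@odata.type": "#microsoft.graph.user", "userPrincipalName": "legacy@contoso.example"}]},
    "11111111-0000-0000-0000-000000000003": {"value": [
        {"@odata.type": "#microsoft.graph.servicePrincipal", "displayName": "HR sync app"}]},
}


def member_label(member):
    """Printable identity for a role member of any @odata.type (user, group, service principal)."""
    return member.get("userPrincipalName") or member.get("displayName") or member.get("id", "?")


def audit_roles(roles_response, members_by_role_id, max_global_admins):
    """Return {api_name: {"portal_name", "members", "findings"}} for every activated role.

    roles_response     -- parsed JSON of GET /directoryRoles
    members_by_role_id -- role id -> parsed JSON of GET /directoryRoles/{id}/members
    max_global_admins  -- the organisation's own limit (caller-supplied assumption)
    """
    report = {}
    for role in roles_response["value"]:
        template_id = role["roleTemplateId"].lower()
        api_name = role["displayName"]
        # A template ID missing from the table is reported under its API name, not dropped.
        portal_name = PORTAL_NAME_BY_TEMPLATE.get(template_id, api_name)
        raw_members = members_by_role_id.get(role["id"], {"value": []})["value"]
        members = [member_label(m) for m in raw_members]
        findings = []
        if portal_name in HIDDEN_IN_PORTAL and members:
            findings.append(f"{api_name} is not visible in the portal but has {len(members)} member(s)")
        if template_id == GLOBAL_ADMIN_TEMPLATE and len(members) > max_global_admins:
            findings.append(f"{len(members)} Global administrators exceeds the limit of {max_global_admins}")
        report[api_name] = {"portal_name": portal_name, "members": members, "findings": findings}
    return report


if __name__ == "__main__":
    for api_name, entry in audit_roles(SAMPLE_ROLES, SAMPLE_MEMBERS, 5).items():
        print(f"{api_name} (portal: {entry['portal_name']}): {len(entry['members'])} member(s)")
        for finding in entry["findings"]:
            print("  !", finding)
```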

Next steps