Azure AD roles documentation - Azure AD
Azure AD role-based access control manages access to Azure AD resources. Create
custom roles, assign roles that use administrative units to restrict scope of control,
assign application access to groups or users, manage eligibility with Privileged Identity
Management (PIM), or delegate permissions to distribute identity management tasks.
About Azure AD roles
  Overview: What is Azure AD RBAC?
  Concept: Understand Azure AD roles; Understand administrative units; Use groups to manage role assignments; Choose roles
  How-to guide: List role definitions
  Reference: Built-in roles; Least privileged roles by task
List role assignments
  How-to guide: List role assignments
Assign roles
  How-to guide: Assign roles to users; Assign roles at different scopes
Assign roles to groups
  How-to guide: Create a role-assignable group; Assign roles to groups
Create custom roles
  How-to guide: Create a custom role; Create custom roles for enterprise apps
Manage scope with administrative units
  How-to guide: Create administrative units; Add members; Assign roles with scope
Overview of role-based access control in Azure Active Directory
Article • 08/21/2022 • 5 minutes to read
This article describes how to understand Azure Active Directory (Azure AD) role-based
access control. Azure AD roles allow you to grant granular permissions to your admins,
abiding by the principle of least privilege. Azure AD built-in and custom roles operate
on concepts similar to those you will find in the role-based access control system for
Azure resources (Azure roles). The difference between these two role-based access
control systems is:
Azure AD roles control access to Azure AD resources such as users, groups, and
applications using the Microsoft Graph API
Azure roles control access to Azure resources such as virtual machines or storage
using Azure Resource Management
Both systems contain similarly used role definitions and role assignments. However,
Azure AD role permissions can't be used in Azure custom roles and vice versa.
Understand Azure AD role-based access control
Azure AD supports two types of role definitions:
Built-in roles
Custom roles
Built-in roles are out-of-the-box roles that have a fixed set of permissions. These role
definitions cannot be modified. Azure AD supports many built-in roles, and the list is
growing. To cover requirements that the built-in roles don't fit, Azure AD also supports
custom roles. Granting permission using custom Azure AD roles is a two-step process
that involves creating a custom role definition and then assigning it using a role
assignment. A custom role definition is a collection of permissions that you add from a
preset list. These permissions are the same permissions used in the built-in roles.
Once you’ve created your custom role definition (or using a built-in role), you can assign
it to a user by creating a role assignment. A role assignment grants the user the
permissions in a role definition at a specified scope. This two-step process allows you to
create a single role definition and assign it many times at different scopes. A scope
defines the set of Azure AD resources the role member has access to. The most
common scope is organization-wide (org-wide) scope. A custom role can be assigned at
org-wide scope, meaning the role member has the role permissions over all resources in
the organization. A custom role can also be assigned at an object scope. An example of
an object scope would be a single application. The same role can be assigned to one
user over all applications in the organization and then to another user with a scope of
only the Contoso Expense Reports app.
How Azure AD determines if a user has access to a resource
The following are the high-level steps that Azure AD uses to determine if you have
access to a management resource. Use this information to troubleshoot access issues.
1. A user (or service principal) acquires a token to the Microsoft Graph endpoint.
2. The user makes an API call to Azure Active Directory (Azure AD) via Microsoft Graph using the issued token.
3. Depending on the circumstance, Azure AD takes one of the following actions:
   - Evaluates the user's role memberships based on the wids claim in the user's access token.
   - Retrieves all the role assignments that apply for the user, either directly or via group membership, to the resource on which the action is being taken.
4. Azure AD determines if the action in the API call is included in the roles the user has for this resource.
5. If the user doesn't have a role with the action at the requested scope, access is not granted. Otherwise access is granted.
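The five-step check above, worked through as an added example (this is not code from Microsoft or from the article): a small Python model in which a caller's roles come from the token's wids claim and from direct or group-based role assignments that reach the target resource's scope, and a request is granted only when one of those roles includes the requested action. The role template ids, object ids and assignments are constructed sample values, and the two-role catalog is a toy; the action strings follow the microsoft.directory/... naming that Azure AD role permissions use.

```python
"""Toy model of the Azure AD access decision: token roles + role assignments,
then an action check. Illustrative only; all ids are constructed sample values."""
from dataclasses import dataclass

TENANT_SCOPE = "/"  # org-wide scope, as carried in a role assignment's directoryScopeId


@dataclass(frozen=True)
class RoleDefinition:
    template_id: str            # the value that would appear in the token's wids claim
    display_name: str
    allowed_actions: frozenset  # permission strings such as microsoft.directory/...


@dataclass(frozen=True)
class RoleAssignment:
    principal_id: str           # user, group, or service principal object id
    role_template_id: str
    directory_scope_id: str     # "/" for the tenant, "/<objectId>" for a single object


@dataclass(frozen=True)
class Caller:
    object_id: str
    group_ids: frozenset = frozenset()  # groups the caller belongs to
    wids: frozenset = frozenset()       # role template ids carried in the access token


# Constructed role catalog (the names are not real built-in roles).
ROLE_CATALOG = {
    "tmpl-appreg-admin": RoleDefinition(
        "tmpl-appreg-admin", "App Registration Administrator (custom)",
        frozenset({"microsoft.directory/applications/basic/update",
                   "microsoft.directory/applications/credentials/update"})),
    "tmpl-password-helpdesk": RoleDefinition(
        "tmpl-password-helpdesk", "Password helpdesk (custom)",
        frozenset({"microsoft.directory/users/password/update"})),
}

# Constructed assignments: one user gets the custom role on a single app registration;
# a helpdesk group gets the password role at org-wide scope.
ASSIGNMENTS = [
    RoleAssignment("user-chris", "tmpl-appreg-admin", "/app-contoso-widget-builder"),
    RoleAssignment("group-helpdesk", "tmpl-password-helpdesk", TENANT_SCOPE),
]


def scope_covers(assignment_scope: str, resource_id: str) -> bool:
    """An org-wide assignment reaches every resource; an object-scoped one reaches only that object."""
    return assignment_scope == TENANT_SCOPE or assignment_scope == f"/{resource_id}"


def effective_roles(caller: Caller, resource_id: str, assignments=ASSIGNMENTS) -> set:
    """Step 3: roles in the wids claim (treated as tenant-wide) plus direct or
    group-based assignments whose scope reaches the resource."""
    roles = set(caller.wids)
    principals = {caller.object_id} | set(caller.group_ids)
    for a in assignments:
        if a.principal_id in principals and scope_covers(a.directory_scope_id, resource_id):
            roles.add(a.role_template_id)
    return roles


def is_allowed(caller: Caller, action: str, resource_id: str,
               assignments=ASSIGNMENTS, catalog=ROLE_CATALOG) -> bool:
    """Steps 4-5: grant only if some effective role's definition includes the action."""
    return any(action in catalog[t].allowed_actions
               for t in effective_roles(caller, resource_id, assignments) if t in catalog)


if __name__ == "__main__":
    chris = Caller("user-chris")
    update = "microsoft.directory/applications/credentials/update"
    print(is_allowed(chris, update, "app-contoso-widget-builder"))  # True: in scope
    print(is_allowed(chris, update, "app-expense-reports"))         # False: outside scope
```

The model makes the troubleshooting order explicit: first establish which roles actually reach the resource (scope), and only then ask whether any of them carries the action. A denial with a role the caller "has" is usually a scope mismatch rather than a missing permission.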
Role assignment
A role assignment is an Azure AD resource that attaches a role definition to a security
principal at a particular scope to grant access to Azure AD resources. Access is granted
by creating a role assignment, and access is revoked by removing a role assignment. At
its core, a role assignment consists of three elements:
Security principal - An identity that gets the permissions. It could be a user, group,
or a service principal.
Role definition - A collection of permissions.
Scope - A way to constrain where those permissions are applicable.
You can create role assignments and list the role assignments using the Azure portal,
Azure AD PowerShell, or Microsoft Graph API. Azure CLI is not supported for Azure AD
role assignments.
The following diagram shows an example of a role assignment. In this example, Chris
has been assigned the App Registration Administrator custom role at the scope of the
Contoso Widget Builder app registration. The assignment grants Chris the permissions
of the App Registration Administrator role for only this specific app registration.
Security principal
A security principal represents a user, group, or service principal that is assigned access
to Azure AD resources. A user is an individual who has a user profile in Azure Active
Directory. A group is a new Microsoft 365 or security group with the isAssignableToRole
property set to true (currently in preview). A service principal is an identity created for
use with applications, hosted services, and automated tools to access Azure AD
resources.
Role definition
A role definition, or role, is a collection of permissions. A role definition lists the
operations that can be performed on Azure AD resources, such as create, read, update,
and delete. There are two types of roles in Azure AD:
Built-in roles created by Microsoft that can't be changed.
Custom roles created and managed by your organization.
Scope
A scope is a way to limit the permitted actions to a particular set of resources as part of
a role assignment. For example, if you want to assign a custom role to a developer, but
only to manage a specific application registration, you can include the specific
application registration as a scope in the role assignment.
When you assign a role, you specify one of the following types of scope:
Tenant
Administrative unit
Azure AD resource
If you specify an Azure AD resource as a scope, it can be one of the following:
Azure AD groups
Enterprise applications
Application registrations
For more information, see Assign Azure AD roles at different scopes.
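As an added example (not Microsoft's code), the three scope types above encoded and decoded the way a role assignment carries them: a Python helper that builds a unifiedRoleAssignment body for the Microsoft Graph roleManagement/directory/roleAssignments endpoint, maps a directoryScopeId back to tenant, administrative unit or object scope, and lists the org-wide assignments in a constructed response so they can be reviewed first. The principal and role ids are constructed placeholders and the sample response is made up; the "/" and "/administrativeUnits/{id}" scope forms and the body keys are the ones Graph uses. Sending the request (bearer token, HTTP client) is left to the caller.

```python
"""Encode and decode Azure AD role-assignment scope, and build Graph-style
request bodies. Added example; ids are constructed placeholders."""
import json
import re

ROLE_ASSIGNMENTS_URL = "https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments"
_ID = r"[A-Za-z0-9-]+"   # loose id pattern, good enough for the constructed sample ids


def directory_scope_id(kind: str, object_id: str = "") -> str:
    """Scope string for the three scope types: tenant, administrative unit, or one Azure AD resource
    (a group, an enterprise application, or an application registration)."""
    if kind == "tenant":
        return "/"
    if not re.fullmatch(_ID, object_id):
        raise ValueError(f"object id required for {kind} scope, got {object_id!r}")
    if kind == "administrative unit":
        return f"/administrativeUnits/{object_id}"
    if kind == "object":
        return f"/{object_id}"
    raise ValueError(f"unknown scope kind {kind!r}")


def scope_kind(scope: str) -> str:
    """Inverse of directory_scope_id: classify the directoryScopeId found on a role assignment."""
    if scope == "/":
        return "tenant"
    if re.fullmatch(rf"/administrativeUnits/{_ID}", scope):
        return "administrative unit"
    if re.fullmatch(rf"/{_ID}", scope):
        return "object"
    raise ValueError(f"unrecognised directoryScopeId {scope!r}")


def assignment_request(principal_id: str, role_definition_id: str, scope: str) -> dict:
    """Body for POST roleAssignments. The principal may be a user, group, or service principal."""
    scope_kind(scope)  # reject a malformed scope before anything is sent
    return {
        "@odata.type": "#microsoft.graph.unifiedRoleAssignment",
        "principalId": principal_id,
        "roleDefinitionId": role_definition_id,
        "directoryScopeId": scope,
    }


# Constructed sample of a GET roleAssignments response: three principals, one per scope type.
SAMPLE_RESPONSE = json.loads("""{"value": [
  {"id": "ra-1", "principalId": "user-chris", "roleDefinitionId": "role-appreg-admin",
   "directoryScopeId": "/app-contoso-widget-builder"},
  {"id": "ra-2", "principalId": "group-helpdesk", "roleDefinitionId": "role-helpdesk-admin",
   "directoryScopeId": "/administrativeUnits/au-emea"},
  {"id": "ra-3", "principalId": "user-alex", "roleDefinitionId": "role-user-admin",
   "directoryScopeId": "/"}
]}""")


def org_wide_assignments(response: dict) -> list:
    """Ids of assignments at tenant scope: the broadest grants, so the first to check for least privilege."""
    return [a["id"] for a in response["value"] if scope_kind(a["directoryScopeId"]) == "tenant"]


def scope_breakdown(response: dict) -> dict:
    """Count assignments per scope type."""
    counts = {"tenant": 0, "administrative unit": 0, "object": 0}
    for a in response["value"]:
        counts[scope_kind(a["directoryScopeId"])] += 1
    return counts


if __name__ == "__main__":
    body = assignment_request("user-chris", "role-appreg-admin",
                              directory_scope_id("object", "app-contoso-widget-builder"))
    print(json.dumps(body, indent=2))
    print(org_wide_assignments(SAMPLE_RESPONSE), scope_breakdown(SAMPLE_RESPONSE))
```

To create the assignment, POST the body as JSON to ROLE_ASSIGNMENTS_URL with a bearer token authorised for directory role management; the same scope strings come back unchanged when you list assignments, which is what the review helpers rely on.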
License requirements
Using built-in roles in Azure AD is free, while custom roles require an Azure AD
Premium P1 license. To find the right license for your requirements, see Comparing
generally available features of the Free and Premium editions.
Next steps
Understand Azure AD roles
Assign Azure AD roles to users
Create and assign a custom role
Assign user roles with Azure Active Directory
Article • 11/15/2022 • 2 minutes to read
The ability to manage Azure resources is granted by assigning roles that provide the
required permissions. Roles can be assigned to individual users or groups. To align with
the Zero Trust guiding principles, use Just-In-Time and Just-Enough-Access policies
when assigning roles.
Before assigning roles to users, review the following Microsoft Learn articles:
Learn about Azure AD roles
Learn about role based access control
Explore the Azure built-in roles
Assign roles
There are two main steps to the role assignment process. First you'll select the role to
assign. Then you'll adjust the role settings and duration.
Select the role to assign
1. Sign in to the Azure portal using the Privileged Role Administrator role for the
directory.
2. Go to Azure Active Directory > Users.
3. Search for and select the user getting the role assignment.
4. Select Assigned roles from the side menu, then select Add assignments.
5. Select a role to assign from the dropdown list and select the Next button.
Adjust the role settings
You can assign roles as either eligible or active. Eligible roles are assigned to a user but
must be elevated Just-In-Time by the user through Privileged Identity Management
(PIM). For more information about how to use PIM, see Privileged Identity Management.
1. From the Setting section of the Add assignments page, select an Assignment type
option.
2. Leave the Permanently eligible option selected if the role should always be
available to elevate for the user.
If you uncheck this option, you can specify a date range for the role eligibility.
3. Select the Assign button.
Assigned roles appear in the associated section for the user, so eligible and active
roles are listed separately.
Update roles
You can change the settings of a role assignment, for example to change an active role
to eligible.
1. Go to Azure Active Directory > Users.
2. Search for and select the user getting their role updated.
3. Go to the Assigned roles page and select the Update link for the role that needs
to be changed.
4. Change the settings as needed and select the Save button.
Remove roles
You can remove role assignments from the Administrative roles page for a selected
user.
1. Go to Azure Active Directory > Users.
2. Search for and select the user getting the role assignment removed.
3. Go to the Assigned roles page and select the Remove link for the role that needs
to be removed. Confirm the change in the pop-up message.
Next steps
Add or delete users
Add or change profile information
Add guest users from another directory
Explore other user management tasks
Understand roles in Azure Active Directory
Article • 08/21/2022 • 4 minutes to read
There are about 60 Azure Active Directory (Azure AD) built-in roles, which are roles with
a fixed set of role permissions. To supplement the built-in roles, Azure AD also supports
custom roles. Use custom roles to select the role permissions that you want. For
example, you could create one to manage particular Azure AD resources such as
applications or service principals.
This article explains what Azure AD roles are and how they can be used.
How Azure AD roles are different from other Microsoft 365 roles
There are many different services in Microsoft 365, such as Azure AD and Intune. Some
of these services have their own role-based access control systems, specifically:
Azure Active Directory (Azure AD)
Microsoft Exchange
Microsoft Intune
Microsoft Defender for Cloud Apps
Microsoft 365 Defender portal
Compliance portal
Cost Management + Billing
Other services such as Teams, SharePoint, and Managed Desktop don’t have separate
role-based access control systems. They use Azure AD roles for their administrative
access. Azure has its own role-based access control system for Azure resources such as
virtual machines, and this system is not the same as Azure AD roles.
When we say separate role-based access control system, we mean that there is a different
data store where role definitions and role assignments are stored. Similarly, there is a
different policy decision point where access checks happen. For more information, see
Roles for Microsoft 365 services in Azure AD and Classic subscription administrator
roles, Azure roles, and Azure AD roles.
Why some Azure AD roles are for other services
Microsoft 365 has a number of role-based access control systems that developed
independently over time, each with its own service portal. To make it convenient for you
to manage identity across Microsoft 365 from the Azure portal, we have added some
service-specific built-in roles, each of which grants administrative access to a Microsoft
365 service. An example of this addition is the Exchange Administrator role in Azure AD.
This role is equivalent to the Organization Management role group in the Exchange
role-based access control system, and can manage all aspects of Exchange. Similarly, we
added the Intune Administrator role, Teams Administrator, SharePoint Administrator,
and so on. Service-specific roles are one category of Azure AD built-in roles in the
following section.
Categories of Azure AD roles
Azure AD built-in roles differ in where they can be used, and fall into the following
three broad categories.
Azure AD-specific roles: These roles grant permissions to manage resources within
Azure AD only. For example, User Administrator, Application Administrator, Groups
Administrator all grant permissions to manage resources that live in Azure AD.
Service-specific roles: For major Microsoft 365 services (non-Azure AD), we have
built service-specific roles that grant permissions to manage all features within the
service. For example, Exchange Administrator, Intune Administrator, SharePoint
Administrator, and Teams Administrator roles can manage features with their
respective services. Exchange Administrator can manage mailboxes, Intune
Administrator can manage device policies, SharePoint Administrator can manage
site collections, Teams Administrator can manage call qualities and so on.
Cross-service roles: There are some roles that span services. We have two global
roles - Global Administrator and Global Reader. All Microsoft 365 services honor
these two roles. Also, there are some security-related roles like Security
Administrator and Security Reader that grant access across multiple security
services within Microsoft 365. For example, using Security Administrator roles in
Azure AD, you can manage Microsoft 365 Defender portal, Microsoft Defender
Advanced Threat Protection, and Microsoft Defender for Cloud Apps. Similarly, in
the Compliance Administrator role you can manage Compliance-related settings in
Compliance portal, Exchange, and so on.
The following table is offered as an aid to understanding these role categories. The
categories are named arbitrarily, and aren't intended to imply any other capabilities
beyond the documented Azure AD role permissions.
Category: Azure AD-specific roles
  Application Administrator
  Application Developer
  Authentication Administrator
  B2C IEF Keyset Administrator
  B2C IEF Policy Administrator
  Cloud Application Administrator
  Cloud Device Administrator
  Conditional Access Administrator
  Device Administrators
  Directory Readers
  Directory Synchronization Accounts
  Directory Writers
  External ID User Flow Administrator
  External ID User Flow Attribute Administrator
  External Identity Provider Administrator
  Groups Administrator
  Guest Inviter
  Helpdesk Administrator
  Hybrid Identity Administrator
  License Administrator
  Partner Tier1 Support
  Partner Tier2 Support
  Password Administrator
  Privileged Authentication Administrator
  Privileged Role Administrator
  Reports Reader
  User Administrator
Category: Cross-service roles
  Global Administrator
  Compliance Administrator
  Compliance Data Administrator
  Global Reader
  Security Administrator
  Security Operator
  Security Reader
  Service Support Administrator
Category: Service-specific roles
  Azure DevOps Administrator
  Azure Information Protection Administrator
  Billing Administrator
  CRM Service Administrator
  Customer Lockbox Access Approver
  Desktop Analytics Administrator
  Exchange Service Administrator
  Insights Administrator
  Insights Business Leader
  Intune Service Administrator
  Kaizala Administrator
  Lync Service Administrator
  Message Center Privacy Reader
  Message Center Reader
  Modern Commerce User
  Network Administrator
  Office Apps Administrator
  Power BI Service Administrator
  Power Platform Administrator
  Printer Administrator
  Printer Technician
  Search Administrator
  Search Editor
  SharePoint Service Administrator
  Teams Communications Administrator
  Teams Communications Support Engineer
  Teams Communications Support Specialist
  Teams Devices Administrator
  Teams Administrator
Next steps
Overview of Azure AD role-based access control
Create role assignments using the Azure portal, Azure AD PowerShell, and
Microsoft Graph API
List role assignments
Classic subscription administrator roles, Azure roles, and Azure AD roles
Article • 08/29/2022 • 7 minutes to read
If you are new to Azure, you may find it a little challenging to understand all the
different roles in Azure. This article helps explain the following roles and when you
would use each:
Classic subscription administrator roles
Azure roles
Azure Active Directory (Azure AD) roles
How the roles are related
To better understand roles in Azure, it helps to know some of the history. When Azure
was initially released, access to resources was managed with just three administrator
roles: Account Administrator, Service Administrator, and Co-Administrator. Later, Azure
role-based access control (Azure RBAC) was added. Azure RBAC is a newer authorization
system that provides fine-grained access management to Azure resources. Azure RBAC
includes many built-in roles, can be assigned at different scopes, and allows you to
create your own custom roles. To manage resources in Azure AD, such as users, groups,
and domains, there are several Azure AD roles.
The following diagram is a high-level view of how the classic subscription administrator
roles, Azure roles, and Azure AD roles are related.
Classic subscription administrator roles
Account Administrator, Service Administrator, and Co-Administrator are the three classic
subscription administrator roles in Azure. Classic subscription administrators have full
access to the Azure subscription. They can manage resources using the Azure portal,
Azure Resource Manager APIs, and the classic deployment model APIs. The account that
is used to sign up for Azure is automatically set as both the Account Administrator and
Service Administrator. Then, additional Co-Administrators can be added. The Service
Administrator and the Co-Administrators have the equivalent access of users who have
been assigned the Owner role (an Azure role) at the subscription scope. The following
table describes the differences between these three classic subscription administrative
roles.
Account Administrator
  Limit: 1 per Azure account
  Permissions: Can access the Azure portal and manage billing; Manage billing for all subscriptions in the account; Create new subscriptions; Cancel subscriptions; Change the billing for a subscription; Change the Service Administrator
  Notes: Conceptually, the billing owner of the subscription. Can't cancel subscriptions unless they have the Service Administrator or subscription Owner role.
Service Administrator
  Limit: 1 per Azure subscription
  Permissions: Manage services in the Azure portal; Cancel the subscription; Assign users to the Co-Administrator role
  Notes: By default, for a new subscription, the Account Administrator is also the Service Administrator. The Service Administrator has the equivalent access of a user who is assigned the Owner role at the subscription scope. The Service Administrator has full access to the Azure portal.
Co-Administrator
  Limit: 200 per subscription
  Permissions: Same access privileges as the Service Administrator, but can't change the association of subscriptions to Azure AD directories; Assign users to the Co-Administrator role, but cannot change the Service Administrator
  Notes: The Co-Administrator has the equivalent access of a user who is assigned the Owner role at the subscription scope.
In the Azure portal, you can manage Co-Administrators or view the Service
Administrator by using the Classic administrators tab.
In the Azure portal, you can view or change the Service Administrator or view the
Account Administrator on the properties blade of your subscription.
For more information, see Azure classic subscription administrators.
Azure account and Azure subscriptions
An Azure account is used to establish a billing relationship. An Azure account is a user
identity, one or more Azure subscriptions, and an associated set of Azure resources. The
person who creates the account is the Account Administrator for all subscriptions
created in that account. That person is also the default Service Administrator for the
subscription.
Azure subscriptions help you organize access to Azure resources. They also help you
control how resource usage is reported, billed, and paid for. Each subscription can have
a different billing and payment setup, so you can have different subscriptions and
different plans by office, department, project, and so on. Every service belongs to a
subscription, and the subscription ID may be required for programmatic operations.
Each subscription is associated with an Azure AD directory. To find the directory the
subscription is associated with, open Subscriptions in the Azure portal and then select a
subscription to see the directory.
Accounts and subscriptions are managed in the Azure portal.
Azure roles
Azure RBAC is an authorization system built on Azure Resource Manager that provides
fine-grained access management to Azure resources, such as compute and storage.
Azure RBAC includes over 70 built-in roles. There are four fundamental Azure roles. The
first three apply to all resource types:
Owner
  Permissions: Full access to all resources; Delegate access to others
  Notes: The Service Administrator and Co-Administrators are assigned the Owner role at the subscription scope. Applies to all resource types.
Contributor
  Permissions: Create and manage all types of Azure resources; Create a new tenant in Azure Active Directory; Cannot grant access to others
  Notes: Applies to all resource types.
Reader
  Permissions: View Azure resources
  Notes: Applies to all resource types.
User Access Administrator
  Permissions: Manage user access to Azure resources
The rest of the built-in roles allow management of specific Azure resources. For
example, the Virtual Machine Contributor role allows the user to create and manage
virtual machines. For a list of all the built-in roles, see Azure built-in roles.
Only the Azure portal and the Azure Resource Manager APIs support Azure RBAC. Users,
groups, and applications that are assigned Azure roles cannot use the Azure classic
deployment model APIs.
In the Azure portal, role assignments using Azure RBAC appear on the Access control
(IAM) blade. This blade can be found throughout the portal, such as management
groups, subscriptions, resource groups, and various resources.
When you click the Roles tab, you will see the list of built-in and custom roles.
For more information, see Assign Azure roles using the Azure portal.
Azure AD roles
Azure AD roles are used to manage Azure AD resources in a directory such as create or
edit users, assign administrative roles to others, reset user passwords, manage user
licenses, and manage domains. The following table describes a few of the more
important Azure AD roles.
Global Administrator
  Permissions: Manage access to all administrative features in Azure Active Directory, as well as services that federate to Azure Active Directory; Assign administrator roles to others; Reset the password for any user and all other administrators
  Notes: The person who signs up for the Azure Active Directory tenant becomes a Global Administrator.
User Administrator
  Permissions: Create and manage all aspects of users and groups; Manage support tickets; Monitor service health; Change passwords for users, Helpdesk administrators, and other User Administrators
Billing Administrator
  Permissions: Make purchases; Manage subscriptions; Manage support tickets; Monitor service health
In the Azure portal, you can see the list of Azure AD roles on the Roles and
administrators blade. For a list of all the Azure AD roles, see Administrator role
permissions in Azure Active Directory.
Differences between Azure roles and Azure AD roles
At a high level, Azure roles control permissions to manage Azure resources, while Azure
AD roles control permissions to manage Azure Active Directory resources. The following
table compares some of the differences.
Azure roles: Manage access to Azure resources
Azure AD roles: Manage access to Azure Active Directory resources

Azure roles: Supports custom roles
Azure AD roles: Supports custom roles

Azure roles: Scope can be specified at multiple levels (management group, subscription, resource group, resource)
Azure AD roles: Scope can be specified at the tenant level (organization-wide), administrative unit, or on an individual object (for example, a specific application)

Azure roles: Role information can be accessed in Azure portal, Azure CLI, Azure PowerShell, Azure Resource Manager templates, REST API
Azure AD roles: Role information can be accessed in Azure admin portal, Microsoft 365 admin center, Microsoft Graph, AzureAD PowerShell
Do Azure roles and Azure AD roles overlap?
By default, Azure roles and Azure AD roles do not span Azure and Azure AD. However, if
a Global Administrator elevates their access by choosing the Access management for
Azure resources switch in the Azure portal, the Global Administrator will be granted the
User Access Administrator role (an Azure role) on all subscriptions for a particular
tenant. The User Access Administrator role enables the user to grant other users access
to Azure resources. This switch can be helpful to regain access to a subscription. For
more information, see Elevate access to manage all Azure subscriptions and
management groups.
Several Azure AD roles span Azure AD and Microsoft 365, such as the Global
Administrator and User Administrator roles. For example, if you are a member of the
Global Administrator role, you have global administrator capabilities in Azure AD and
Microsoft 365, such as making changes to Microsoft Exchange and Microsoft
SharePoint. However, by default, the Global Administrator doesn't have access to Azure
resources.
Next steps
What is Azure role-based access control (Azure RBAC)?
Administrator role permissions in Azure Active Directory
Azure classic subscription administrators
Roles for Microsoft 365 services in Azure Active Directory
Article • 08/21/2022 • 2 minutes to read
All products in Microsoft 365 can be managed with administrative roles in Azure Active
Directory (Azure AD). Some products also provide additional roles that are specific to
that product. For information on the roles supported by each product, see the table
below. For guidelines about role security planning, see Securing privileged access for
hybrid and cloud deployments in Azure AD.
Where to find content
Admin roles in Office 365 and Microsoft 365 business plans
  Role content: Microsoft 365 admin roles
  API content: Not available
Azure Active Directory (Azure AD) and Azure AD Identity Protection
  Role content: Azure AD built-in roles
  API content: Graph API; Fetch role assignments
Exchange Online
  Role content: Exchange role-based access control
  API content: PowerShell for Exchange; Fetch role assignments
SharePoint Online
  Role content: Azure AD built-in roles. Also About the SharePoint admin role in Microsoft 365
  API content: Graph API; Fetch role assignments
Teams/Skype for Business
  Role content: Azure AD built-in roles
  API content: Graph API; Fetch role assignments
Security & Compliance Center (Office 365 Advanced Threat Protection, Exchange Online Protection, Information Protection)
  Role content: Office 365 admin roles
  API content: Exchange PowerShell; Fetch role assignments
Secure Score
  Role content: Azure AD built-in roles
  API content: Graph API; Fetch role assignments
Compliance Manager
  Role content: Compliance Manager roles
  API content: Not available
Azure Information Protection
  Role content: Azure AD built-in roles
  API content: Graph API; Fetch role assignments
Microsoft Defender for Cloud Apps
  Role content: Role-based access control
  API content: API reference
Azure Advanced Threat Protection
  Role content: Azure ATP role groups
  API content: Not available
Windows Defender Advanced Threat Protection
  Role content: Windows Defender ATP role-based access control
  API content: Not available
Privileged Identity Management
  Role content: Azure AD built-in roles
  API content: Graph API; Fetch role assignments
Intune
  Role content: Intune role-based access control
  API content: Graph API; Fetch role assignments
Managed Desktop
  Role content: Azure AD built-in roles
  API content: Graph API; Fetch role assignments
Next steps
How to assign or remove Azure AD administrator roles
Azure AD built-in roles
Use Azure AD groups to manage role assignments
Article • 01/11/2023 • 4 minutes to read
Azure Active Directory (Azure AD) lets you target Azure AD groups for role assignments.
Assigning roles to groups can simplify the management of role assignments in Azure AD
with minimal effort from your Global Administrators and Privileged Role Administrators.
Why assign roles to groups?
Consider the example where the Contoso company has hired people across geographies
to manage and reset passwords for employees in its Azure AD organization. Instead of
asking a Privileged Role Administrator or Global Administrator to assign the Helpdesk
Administrator role to each person individually, they can create a
Contoso_Helpdesk_Administrators group and assign the role to the group. When people
join the group, they are assigned the role indirectly. Your existing governance workflow
can then take care of the approval process and auditing of the group's membership to
ensure that only legitimate users are members of the group and are thus assigned the
Helpdesk Administrator role.
How role assignments to groups work
To assign a role to a group, you must create a new security or Microsoft 365 group with
the isAssignableToRole property set to true. In the Azure portal, you set the Azure AD
roles can be assigned to the group option to Yes. Either way, you can then assign one
or more Azure AD roles to the group in the same way as you assign roles to users.
Restrictions for role-assignable groups
Role-assignable groups have the following restrictions:
You can only set the isAssignableToRole property or the Azure AD roles can be
assigned to the group option for new groups.
The isAssignableToRole property is immutable. Once a group is created with this
property set, it can't be changed.
You can't make an existing group a role-assignable group.
A maximum of 500 role-assignable groups can be created in a single Azure AD
organization (tenant).
You can't assign licenses to a role-assignable group.
How are role-assignable groups protected?
If a group is assigned a role, any IT administrator who can manage group membership
could also indirectly manage the membership of that role. For example, assume that a
group named Contoso_User_Administrators is assigned the User Administrator role. An
Exchange administrator who can modify group membership could add themselves to
the Contoso_User_Administrators group and in that way become a User Administrator.
As you can see, an administrator could elevate their privilege in a way you did not
intend.
Only groups that have the isAssignableToRole property set to true at creation time can
be assigned a role. This property is immutable. Once a group is created with this
property set, it can't be changed. You can't set the property on an existing group.
Role-assignable groups are designed to help prevent potential breaches by having the following restrictions:
Only Global Administrators and Privileged Role Administrators can create a role-assignable group.
The membership type for role-assignable groups must be Assigned and can't be an Azure AD dynamic group. Automated population of dynamic groups could lead to an unwanted account being added to the group and thus assigned to the role.
By default, only Global Administrators and Privileged Role Administrators can manage the membership of a role-assignable group, but you can delegate the management of role-assignable groups by adding group owners.
For Microsoft Graph, the [Link] permission is required to be able to manage the membership of role-assignable groups. The [Link] permission won't work.
To prevent elevation of privilege, only a Privileged Authentication Administrator or a Global Administrator can change the credentials or reset MFA or modify sensitive attributes for members and owners of a role-assignable group.
Group nesting is not supported. A group can't be added as a member of a role-assignable group.
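The audit below is an added example, not part of this article and not a Microsoft tool. It walks a constructed snapshot shaped like Microsoft Graph group and role-assignment records and reports who can control the membership of each role-assignable group: owners who hold no privileged administrator role (the delegation path described above), dynamic membership, groups that hold a role without the isAssignableToRole flag, and usage against the 500-group limit. Every id, group name and role in the snapshot is constructed.

```python
"""Report who can control the membership of role-assignable groups.

Added example, not Microsoft code. SNAPSHOT is constructed to mimic the shape
of Microsoft Graph group and unifiedRoleAssignment records; nothing in it is
real tenant data.
"""
from collections import defaultdict

ROLE_ASSIGNABLE_GROUP_LIMIT = 500  # per-tenant limit stated in this article

# Roles that may manage role-assignable group membership by default (see above).
MEMBERSHIP_MANAGER_ROLES = {"Global Administrator", "Privileged Role Administrator"}

SNAPSHOT = {  # constructed
    "groups": {
        "g-useradmins": {
            "displayName": "Contoso_User_Administrators",
            "isAssignableToRole": True,
            "groupTypes": [],
            "owners": ["u-alice", "u-bob"],  # owners control membership, hence the role
        },
        "g-sharepoint": {
            "displayName": "Contoso_SharePoint_Admins",
            "isAssignableToRole": True,
            "groupTypes": ["DynamicMembership"],  # Azure AD forbids this; flag it anyway
            "owners": [],
        },
        "g-plain": {
            "displayName": "All_Staff",
            "isAssignableToRole": False,
            "groupTypes": [],
            "owners": ["u-carol"],
        },
    },
    "roleAssignments": [  # principalId -> role display name
        {"principalId": "u-alice", "roleDisplayName": "Global Administrator"},
        {"principalId": "u-bob", "roleDisplayName": "Exchange Administrator"},
        {"principalId": "g-useradmins", "roleDisplayName": "User Administrator"},
        {"principalId": "g-sharepoint", "roleDisplayName": "SharePoint Administrator"},
        {"principalId": "g-plain", "roleDisplayName": "Groups Administrator"},
    ],
}


def roles_by_principal(snapshot):
    """Map each principal id to the set of role names assigned to it."""
    roles = defaultdict(set)
    for ra in snapshot["roleAssignments"]:
        roles[ra["principalId"]].add(ra["roleDisplayName"])
    return roles


def audit_role_assignable_groups(snapshot):
    """Return (severity, group name, message) findings for review."""
    findings = []
    roles = roles_by_principal(snapshot)
    groups = snapshot["groups"]

    assignable_count = sum(1 for g in groups.values() if g["isAssignableToRole"])
    if assignable_count > ROLE_ASSIGNABLE_GROUP_LIMIT:
        findings.append(("high", "*", f"{assignable_count} role-assignable groups "
                         f"exceeds the limit of {ROLE_ASSIGNABLE_GROUP_LIMIT}"))

    for gid, g in groups.items():
        name = g["displayName"]
        assigned = roles.get(gid, set())
        if assigned and not g["isAssignableToRole"]:
            # Azure AD rejects such an assignment; seeing one means the
            # snapshot is stale or inconsistent and needs a second look.
            findings.append(("high", name, "holds a role but isAssignableToRole is false"))
        if not g["isAssignableToRole"]:
            continue
        if "DynamicMembership" in g["groupTypes"]:
            findings.append(("high", name, "role-assignable group uses dynamic membership"))
        if not assigned:
            findings.append(("low", name, "role-assignable but no role assigned (unused quota)"))
        for owner in g["owners"]:
            # An owner decides who is in the group and therefore who holds its roles.
            if not roles.get(owner, set()) & MEMBERSHIP_MANAGER_ROLES:
                findings.append(("medium", name,
                                 f"owner {owner} can grant {sorted(assigned)} through "
                                 f"membership without holding a privileged admin role"))
    return findings


if __name__ == "__main__":
    for severity, group, message in audit_role_assignable_groups(SNAPSHOT):
        print(f"[{severity}] {group}: {message}")
```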
Use PIM to make a group eligible for a role assignment
If you do not want members of the group to have standing access to a role, you can use
Azure AD Privileged Identity Management (PIM) to make a group eligible for a role
assignment. Each member of the group is then eligible to activate the role assignment
for a fixed time duration.
Note
For privileged access groups that are used to elevate into Azure AD roles, we
recommend that you require an approval process for eligible member assignments.
Assignments that can be activated without approval might create a security risk
from administrators who have a lower level of permissions. For example, the
Helpdesk Administrator has permissions to reset an eligible user's password.
Scenarios not supported
The following scenarios are not supported:
Assign Azure AD roles (built-in or custom) to on-premises groups.
Known issues
The following are known issues with role-assignable groups:
Azure AD P2 licensed customers only: Even after deleting the group, it is still shown as an eligible member of the role in the PIM UI. Functionally there's no problem; it's just a cache issue in the Azure portal.
Use the new Exchange admin center for role assignments via group membership. The old Exchange admin center doesn't support this feature. If accessing the old Exchange admin center is required, assign the eligible role directly to the user (not via role-assignable groups). Exchange PowerShell cmdlets will work as expected.
If an administrator role is assigned to a role-assignable group instead of individual users, members of the group will not be able to access Rules, Organization, or Public Folders in the new Exchange admin center. The workaround is to assign the role directly to users instead of the group.
Azure Information Protection Portal (the classic portal) doesn't recognize role membership via group yet. You can migrate to the unified sensitivity labeling platform and then use the Office 365 Security & Compliance center to use group assignments to manage roles.
License requirements
Using this feature requires an Azure AD Premium P1 license. Using Privileged Identity
Management for just-in-time role activation also requires an Azure AD Premium P2
license. To find the right license for your requirements, see Comparing generally
available features of the Free and Premium editions.
Next steps
Create a role-assignable group
Assign Azure AD roles to groups
Administrative units in Azure Active Directory
Article • 11/11/2022 • 6 minutes to read
This article describes administrative units in Azure Active Directory (Azure AD). An
administrative unit is an Azure AD resource that can be a container for other Azure AD
resources. An administrative unit can contain only users, groups, or devices.
Administrative units restrict permissions in a role to any portion of your organization
that you define. You could, for example, use administrative units to delegate the
Helpdesk Administrator role to regional support specialists, so they can manage users
only in the region that they support.
Users can be members of multiple administrative units. For example, you might add
users to administrative units by geography and division; Megan Bowen might be in the
"Seattle" and "Marketing" administrative units.
Deployment scenario
It can be useful to restrict administrative scope by using administrative units in
organizations that are made up of independent divisions of any kind. Consider the
example of a large university that's made up of many autonomous schools (School of
Business, School of Engineering, and so on). Each school has a team of IT admins who
control access, manage users, and set policies for their school.
A central administrator could:
Create an administrative unit for the School of Business.
Populate the administrative unit with only students and staff within the School of Business.
Create a role with administrative permissions over only Azure AD users in the School of Business administrative unit.
Add the business school IT team to the role, along with its scope.
Constraints
Here are some of the constraints for administrative units.
Administrative units can't be nested.
Administrative unit-scoped user account administrators can't create or delete users.
Administrative units are currently not available in Azure AD Identity Governance.
Groups
Adding a group to an administrative unit brings the group itself into the management
scope of the administrative unit, but not the members of the group. In other words, an
administrator scoped to the administrative unit can manage properties of the group,
such as group name or membership, but they cannot manage properties of the users or
devices within that group (unless those users and devices are separately added as
members of the administrative unit).
For example, a User Administrator scoped to an administrative unit that contains a
group can and can't do the following:
Permissions | Can do
Manage the name of the group | ✔️
Manage the membership of the group | ✔️
Manage the user properties for individual members of the group | ❌
Manage the user authentication methods of individual members of the group | ❌
Reset the passwords of individual members of the group | ❌
In order for the User Administrator to manage the user properties or user authentication
methods of individual members of the group, the group members (users) must be
added directly as members of the administrative unit.
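To show how administrative unit scope is evaluated, here is an added example (not Microsoft's code) that models role assignments with the Microsoft Graph directoryScopeId convention ("/" for the whole tenant, "/administrativeUnits/<id>" for one unit) and answers whether a scoped User Administrator's role covers a target object. The unit, group and user ids are constructed; the example reproduces the table above by treating a group inside the unit as in scope while the group's members are not.

```python
"""Decide whether an administrative-unit-scoped role covers a target object.

Added example, not Microsoft code. Role assignments use the directoryScopeId
convention from Microsoft Graph: "/" for the whole tenant and
"/administrativeUnits/<id>" for one administrative unit. Every id below is
constructed.
"""
AU_PREFIX = "/administrativeUnits/"

# Constructed administrative units and their direct members (users or groups).
ADMIN_UNITS = {
    "au-seattle": {"u-megan", "g-seattle-helpdesk"},
    "au-marketing": {"u-megan", "u-adele"},  # Megan sits in two units
    "au-business-school": {"g-business-students"},  # only the group was added
}
# Constructed group memberships; these do NOT extend administrative unit scope.
GROUP_MEMBERS = {
    "g-seattle-helpdesk": {"u-adele"},
    "g-business-students": {"u-alex", "u-nestor"},
}
ROLE_ASSIGNMENTS = [  # constructed
    {"principalId": "u-patti", "role": "User Administrator",
     "directoryScopeId": AU_PREFIX + "au-business-school"},
    {"principalId": "u-lee", "role": "User Administrator",
     "directoryScopeId": AU_PREFIX + "au-seattle"},
    {"principalId": "u-global", "role": "User Administrator",
     "directoryScopeId": "/"},
]
# Actions a scoped User Administrator may take on an in-scope object, by object
# kind, following the table above. Creating or deleting users is absent because
# unit-scoped user account administrators cannot do that.
SCOPED_USER_ADMIN_ACTIONS = {
    "group": {"manage-name", "manage-membership"},
    "user": {"manage-properties", "manage-auth-methods", "reset-password"},
}


def scopes_for(admin_id, role):
    """directoryScopeIds over which admin_id holds role."""
    return {ra["directoryScopeId"] for ra in ROLE_ASSIGNMENTS
            if ra["principalId"] == admin_id and ra["role"] == role}


def covers(admin_id, role, target_id):
    """True if some assignment of role to admin_id places target_id in scope."""
    for scope in scopes_for(admin_id, role):
        if scope == "/":
            return True
        if scope.startswith(AU_PREFIX):
            # Only direct members of the unit count; members of a member group do not.
            if target_id in ADMIN_UNITS.get(scope[len(AU_PREFIX):], set()):
                return True
    return False


def can(admin_id, target_id, target_kind, action):
    """Combine scope with what a scoped User Administrator may do on that kind."""
    return (covers(admin_id, "User Administrator", target_id)
            and action in SCOPED_USER_ADMIN_ACTIONS[target_kind])


def why_out_of_scope(admin_id, target_id):
    """Explain the common surprise: the target is reachable only via a group."""
    for scope in scopes_for(admin_id, "User Administrator"):
        if not scope.startswith(AU_PREFIX):
            continue
        au = scope[len(AU_PREFIX):]
        for member in ADMIN_UNITS.get(au, set()):
            if target_id in GROUP_MEMBERS.get(member, set()):
                return (f"{target_id} is a member of {member}, which is in {au}; "
                        f"add {target_id} to {au} directly to bring it into scope")
    return "no role assignment covers this object"


if __name__ == "__main__":
    print(can("u-patti", "g-business-students", "group", "manage-membership"))  # True
    print(can("u-patti", "u-alex", "user", "reset-password"))                   # False
    print(why_out_of_scope("u-patti", "u-alex"))
```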
License requirements
Using administrative units requires an Azure AD Premium P1 license for each
administrative unit administrator, and an Azure AD Free license for each administrative
unit member. If you are using dynamic membership rules for administrative units, each
administrative unit member requires an Azure AD Premium P1 license. To find the right
license for your requirements, see Comparing generally available features of the Free
and Premium editions.
Manage administrative units
You can manage administrative units by using the Azure portal, PowerShell cmdlets and
scripts, or Microsoft Graph API. For more information, see:
Create or delete administrative units
Add users, groups, or devices to an administrative unit
Manage users or devices for an administrative unit with dynamic membership rules (Preview)
Assign Azure AD roles with administrative unit scope
Work with administrative units: Covers how to work with administrative units by using PowerShell.
Administrative unit Graph support: Provides detailed documentation on Microsoft Graph for administrative units.
Plan your administrative units
You can use administrative units to logically group Azure AD resources. An organization
whose IT department is scattered globally might create administrative units that define
relevant geographical boundaries. In another scenario, where a global organization has
suborganizations that are semi-autonomous in their operations, administrative units
could represent the suborganizations.
The criteria on which administrative units are created are guided by the unique
requirements of an organization. Administrative units are a common way to define
structure across Microsoft 365 services. We recommend that you prepare your
administrative units with their use across Microsoft 365 services in mind. You can get
maximum value out of administrative units when you can associate common resources
across Microsoft 365 under an administrative unit.
You can expect the creation of administrative units in the organization to go through the
following stages:
1. Initial adoption: Your organization will start creating administrative units based on
initial criteria, and the number of administrative units will increase as the criteria
are refined.
2. Pruning: After the criteria are defined, administrative units that are no longer
required will be deleted.
3. Stabilization: Your organizational structure is defined, and the number of
administrative units isn't going to change significantly in the short term.
Currently supported scenarios
As a Global Administrator or a Privileged Role Administrator, you can use the Azure
portal to:
Create administrative units
Add users, groups, or devices as members of administrative units
Manage users or devices for an administrative unit with dynamic membership rules (Preview)
Assign IT staff to administrative unit-scoped administrator roles
Administrative unit-scoped admins can use the Microsoft 365 admin center for basic
management of users in their administrative units. A group administrator with
administrative unit scope can manage groups by using PowerShell, Microsoft Graph, and
the Microsoft 365 admin centers.
Administrative units apply scope only to management permissions. They don't prevent
members or administrators from using their default user permissions to browse other
users, groups, or resources outside the administrative unit. In the Microsoft 365 admin
center, users outside a scoped admin's administrative units are filtered out. But you can
browse other users in the Azure portal, PowerShell, and other Microsoft services.
Note
Only the features described in this section are available in the Microsoft 365 admin
center. No organization-level features are available for an Azure AD role with
administrative unit scope.
The following sections describe current support for administrative unit scenarios.
Administrative unit management
Permissions | Microsoft Graph/PowerShell | Azure portal | Microsoft 365 admin center
Create or delete administrative units | ✔️ | ✔️ | ✔️
Add or remove members | ✔️ | ✔️ | ✔️
Assign administrative unit-scoped administrators | ✔️ | ✔️ | ✔️
Add or remove users or devices dynamically based on rules (Preview) | ✔️ | ✔️ | ❌
Add or remove groups dynamically based on rules | ❌ | ❌ | ❌
User management
Permissions | Microsoft Graph/PowerShell | Azure portal | Microsoft 365 admin center
Administrative unit-scoped management of user properties, passwords | ✔️ | ✔️ | ✔️
Administrative unit-scoped management of user licenses | ✔️ | ✔️ | ✔️
Administrative unit-scoped blocking and unblocking of user sign-ins | ✔️ | ✔️ | ✔️
Administrative unit-scoped management of user multi-factor authentication credentials | ✔️ | ✔️ | ❌
Group management
Permissions | Microsoft Graph/PowerShell | Azure portal | Microsoft 365 admin center
Administrative unit-scoped creation and deletion of groups | ✔️ | ✔️ | ✔️
Administrative unit-scoped management of group properties and membership | ✔️ | ✔️ | ✔️
Administrative unit-scoped management of group licensing | ✔️ | ✔️ | ❌
Device management
Permissions | Microsoft Graph/PowerShell | Azure portal | Microsoft 365 admin center
Enable, disable, or delete devices | ✔️ | ✔️ | ❌
Read BitLocker recovery keys | ✔️ | ✔️ | ❌
Managing devices in Intune is not supported at this time.
Next steps
Create or delete administrative units
Add users, groups, or devices to an administrative unit
Assign Azure AD roles with administrative unit scope
Administrative unit limits
Best practices for Azure AD roles
Article • 01/23/2023 • 5 minutes to read
This article describes some of the best practices for using Azure Active Directory role-based
access control (Azure AD RBAC). These best practices are derived from our
experience with Azure AD RBAC and the experiences of customers like yourself. We
encourage you to also read our detailed security guidance at Securing privileged access
for hybrid and cloud deployments in Azure AD.
1. Manage to least privilege
When planning your access control strategy, it's a best practice to manage to least
privilege. Least privilege means you grant your administrators exactly the permission
they need to do their job. There are three aspects to consider when you assign a role to
your administrators: a specific set of permissions, over a specific scope, for a specific
period of time. Avoid assigning broader roles at broader scopes even if it initially seems
more convenient to do so. By limiting roles and scopes, you limit what resources are at
risk if the security principal is ever compromised. Azure AD RBAC supports over 65 built-in
roles. There are Azure AD roles to manage directory objects like users, groups, and
applications, and also to manage Microsoft 365 services like Exchange, SharePoint, and
Intune. To better understand Azure AD built-in roles, see Understand roles in Azure
Active Directory. If there isn't a built-in role that meets your need, you can create your
own custom roles.
Finding the right roles
Follow these steps to help you find the right role.
1. Sign in to the Azure portal or Azure AD admin center.
2. Select Azure Active Directory > Roles and administrators to see the list of Azure
AD roles.
3. Use the Service filter to narrow down the list of roles.
4. Refer to the Azure AD built-in roles documentation. Permissions associated with
each role are listed together for better readability. To understand the structure and
meaning of role permissions, see How to understand role permissions.
5. Refer to the Least privileged role by task documentation.
2. Use Privileged Identity Management to grant just-in-time access
One of the principles of least privilege is that access should be granted only for a
specific period of time. Azure AD Privileged Identity Management (PIM) lets you grant
just-in-time access to your administrators. Microsoft recommends that you enable PIM
in Azure AD. Using PIM, a user can be made an eligible member of an Azure AD role
where they can then activate the role for a limited time when needed. Privileged access
is automatically removed when the timeframe expires. You can also configure PIM
settings to require approval or receive notification emails when someone activates their
role assignment. Notifications provide an alert when new users are added to highly
privileged roles.
3. Turn on multi-factor authentication for all your administrator accounts
Based on our studies, your account is 99.9% less likely to be compromised if you use
multi-factor authentication (MFA).
You can enable MFA on Azure AD roles using two methods:
Role settings in Privileged Identity Management
Conditional Access
4. Configure recurring access reviews to revoke unneeded permissions over time
Access reviews enable organizations to review administrators' access regularly to make
sure only the right people have continued access. Regularly auditing your administrators
is crucial for the following reasons:
A malicious actor can compromise an account.
People move teams within a company. If there is no auditing, they can amass
unnecessary access over time.
For information about access reviews for roles, see Create an access review of Azure AD
roles in PIM. For information about access reviews of groups that are assigned roles, see
Create an access review of groups and applications in Azure AD access reviews.
5. Limit the number of Global Administrators to less than 5
As a best practice, Microsoft recommends that you assign the Global Administrator role
to fewer than five people in your organization. Global Administrators hold keys to the
kingdom, and it is in your best interest to keep the attack surface low. As stated
previously, all of these accounts should be protected with multi-factor authentication.
By default, when a user signs up for a Microsoft cloud service, an Azure AD tenant is
created and the user is made a member of the Global Administrators role. Users who are
assigned the Global Administrator role can read and modify every administrative setting
in your Azure AD organization. With a few exceptions, Global Administrators can also
read and modify all configuration settings in your Microsoft 365 organization. Global
Administrators also have the ability to elevate their access to read data.
Microsoft recommends that you keep two break glass accounts that are permanently
assigned to the Global Administrator role. Make sure that these accounts don't require
the same multi-factor authentication mechanism as your normal administrative accounts
to sign in, as described in Manage emergency access accounts in Azure AD.
6. Use groups for Azure AD role assignments and delegate the role assignment
If you have an external governance system that takes advantage of groups, then you
should consider assigning roles to Azure AD groups, instead of individual users. You can
also manage role-assignable groups in PIM to ensure that there are no standing owners
or members in these privileged groups. For more information, see Privileged Identity
Management (PIM) for Groups (preview).
You can assign an owner to role-assignable groups. That owner decides who is added to
or removed from the group, so indirectly, decides who gets the role assignment. In this
way, a Global Administrator or Privileged Role Administrator can delegate role
management on a per-role basis by using groups. For more information, see Use Azure
AD groups to manage role assignments.
7. Activate multiple roles at once using privileged access groups
It may be the case that an individual has five or six eligible assignments to Azure AD
roles through PIM. They will have to activate each role individually, which can reduce
productivity. Worse still, they can also have tens or hundreds of Azure resources
assigned to them, which aggravates the problem.
In this case, you should use Privileged Identity Management (PIM) for Groups (preview).
Create a privileged access group and grant it permanent access to multiple roles (Azure
AD and/or Azure). Make that user an eligible member or owner of this group. With just
one activation, they will have access to all the linked resources.
8. Use cloud native accounts for Azure AD roles
Avoid using on-premises synced accounts for Azure AD role assignments. If your on-premises
account is compromised, it can compromise your Azure AD resources as well.
Next steps
Securing privileged access for hybrid and cloud deployments in Azure AD
Securing privileged access for hybrid and cloud deployments in Azure AD
Article • 08/21/2022 • 23 minutes to read
The security of business assets depends on the integrity of the privileged accounts that
administer your IT systems. Cyber-attackers use credential theft attacks to target
administrator accounts and other privileged access to try to gain access to sensitive
data.
For cloud services, prevention and response are the joint responsibilities of the cloud
service provider and the customer. For more information about the latest threats to
endpoints and the cloud, see the Microsoft Security Intelligence Report . This article
can help you develop a roadmap toward closing the gaps between your current plans
and the guidance described here.
Note
Microsoft is committed to the highest levels of trust, transparency, standards
conformance, and regulatory compliance. Learn more about how the Microsoft
global incident response team mitigates the effects of attacks against cloud
services, and how security is built into Microsoft business products and cloud
services at Microsoft Trust Center - Security and Microsoft compliance targets at
Microsoft Trust Center - Compliance.
Traditionally, organizational security was focused on the entry and exit points of a
network as the security perimeter. However, SaaS apps and personal devices on the
Internet have made this approach less effective. In Azure AD, we replace the network
security perimeter with authentication in your organization's identity layer, with users
assigned to privileged administrative roles in control. Their access must be protected,
whether the environment is on-premises, cloud, or a hybrid.
Securing privileged access requires changes to:
Processes, administrative practices, and knowledge management
Technical components such as host defenses, account protections, and identity
management
Secure your privileged access in a way that is managed and reported in the Microsoft
services you care about. If you have on-premises administrator accounts, see the
guidance for on-premises and hybrid privileged access in Active Directory at Securing
Privileged Access.
Note
The guidance in this article refers primarily to features of Azure Active Directory
that are included in Azure AD Premium P1 and P2. Azure AD Premium P2 is
included in the EMS E5 suite and Microsoft 365 E5 suite. This guidance assumes
your organization already has Azure AD Premium P2 licenses purchased for your
users. If you do not have these licenses, some of the guidance might not apply to
your organization. Also, throughout this article, the term Global Administrator
means the same thing as "company administrator" or "tenant administrator."
Develop a roadmap
Microsoft recommends that you develop and follow a roadmap to secure privileged
access against cyber attackers. You can always adjust your roadmap to accommodate
your existing capabilities and specific requirements within your organization. Each stage
of the roadmap should raise the cost and difficulty for adversaries to attack privileged
access for your on-premises, cloud, and hybrid assets. Microsoft recommends the
following four roadmap stages. Schedule the most effective and the quickest
implementations first. This article can be your guide, based on Microsoft's experiences
with cyber-attack incident and response implementation. The timelines for this roadmap
are approximations.
Stage 1 (24-48 hours): Critical items that we recommend you do right away
Stage 2 (2-4 weeks): Mitigate the most frequently used attack techniques
Stage 3 (1-3 months): Build visibility and build full control of administrator activity
Stage 4 (six months and beyond): Continue building defenses to further harden
your security platform
This roadmap framework is designed to maximize the use of Microsoft technologies that
you may have already deployed. Consider tying in to any security tools from other
vendors that you have already deployed or are considering deploying.
Stage 1: Critical items to do right now
Stage 1 of the roadmap is focused on critical tasks that are fast and easy to implement.
We recommend that you do these few items right away within the first 24-48 hours to
ensure a basic level of secure privileged access. This stage of the Secured Privileged
Access roadmap includes the following actions:
General preparation
Use Azure AD Privileged Identity Management
We recommend that you start using Azure AD Privileged Identity Management (PIM) in
your Azure AD production environment. After you start using PIM, you'll receive
notification email messages for privileged access role changes. Notifications provide
early warning when additional users are added to highly privileged roles.
Azure AD Privileged Identity Management is included in Azure AD Premium P2 or EMS
E5. To help you protect access to applications and resources on-premises and in the
cloud, sign up for the Enterprise Mobility + Security free 90-day trial. Azure AD
Privileged Identity Management and Azure AD Identity Protection monitor security
activity using Azure AD reporting, auditing, and alerts.
After you start using Azure AD Privileged Identity Management:
1. Sign in to the Azure portal with an account that is a Global Administrator of your
Azure AD production organization.
2. To select the Azure AD organization where you want to use Privileged Identity
Management, select your user name in the upper right-hand corner of the Azure
portal.
3. On the Azure portal menu, select All services and filter the list for Azure AD
Privileged Identity Management.
4. Open Privileged Identity Management from the All services list and pin it to your
dashboard.
Make sure the first person to use PIM in your organization is assigned to the Security
Administrator and Privileged Role Administrator roles. Only Privileged Role
Administrators can manage the Azure AD directory role assignments of users. The PIM
security wizard walks you through the initial discovery and assignment experience. You
can exit the wizard without making any additional changes at this time.
Identify and categorize accounts that are in highly privileged roles
After starting to use Azure AD Privileged Identity Management, view the users who are
in the following Azure AD roles:
Global Administrator
Privileged Role Administrator
Exchange Administrator
SharePoint Administrator
If you don't have Azure AD Privileged Identity Management in your organization, you
can use the PowerShell API. Start with the Global Administrator role because a Global
Administrator has the same permissions across all cloud services for which your
organization has subscribed. These permissions are granted no matter where they were
assigned: in the Microsoft 365 admin center, the Azure portal, or by the Azure AD
module for Microsoft PowerShell.
Remove any accounts that are no longer needed in those roles. Then, categorize the
remaining accounts that are assigned to administrator roles:
Assigned to administrative users, but also used for non-administrative purposes
(for example, personal email)
Assigned to administrative users and used for administrative purposes only
Shared across multiple users
For break-glass emergency access scenarios
For automated scripts
For external users
Define at least two emergency access accounts
It's possible for a user to be accidentally locked out of their role. For example, if a
federated on-premises identity provider isn't available, users can't sign in or activate an
existing administrator account. You can prepare for accidental lack of access by storing
two or more emergency access accounts.
Emergency access accounts help restrict privileged access within an Azure AD
organization. These accounts are highly privileged and aren't assigned to specific
individuals. Emergency access accounts are limited to emergency "break glass"
scenarios where normal administrative accounts can't be used. Ensure that you control
and reduce the emergency account's usage to only that time for which it's necessary.
Evaluate the accounts that are assigned or eligible for the Global Administrator role. If
you don't see any cloud-only accounts using the *.[Link] domain (for "break
glass" emergency access), create them. For more information, see Managing emergency
access administrative accounts in Azure AD.
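As an added example (not Microsoft's code) that serves both the "fewer than five Global Administrators" best practice earlier on this page and the identify-and-categorize step of this stage, the script below buckets accounts holding the four highly privileged roles into the categories listed above and reports the checks this stage asks for: the permanent Global Administrator count, the presence of two cloud-only break-glass accounts, on-premises synced admin accounts, missing MFA registration, and accounts that need a business justification. The user records, the domains, the tags field (what an inventory learns by asking each user what the account is for) and the mfaRegistered field (standing in for the MFA registration report) are all constructed.

```python
"""Inventory and categorize accounts that hold highly privileged Azure AD roles.

Added example, not Microsoft code. USERS mimics a few Microsoft Graph user
fields (userPrincipalName, userType, onPremisesSyncEnabled) plus two fields an
inventory process fills in by hand: `tags` (what the account is used for, as
stated by its owner) and `mfaRegistered` (from the MFA registration report).
Every account and domain below is constructed.
"""
from collections import defaultdict

HIGHLY_PRIVILEGED = {"Global Administrator", "Privileged Role Administrator",
                     "Exchange Administrator", "SharePoint Administrator"}
MAX_GLOBAL_ADMINS = 5  # the best practice above says fewer than five
MIN_BREAK_GLASS = 2    # at least two emergency access accounts

USERS = {  # constructed
    "u-bg1": {"userPrincipalName": "breakglass1@contoso.example", "userType": "Member",
              "onPremisesSyncEnabled": False, "mfaRegistered": False, "tags": {"break-glass"}},
    "u-bg2": {"userPrincipalName": "breakglass2@contoso.example", "userType": "Member",
              "onPremisesSyncEnabled": False, "mfaRegistered": False, "tags": {"break-glass"}},
    "u-adm-alice": {"userPrincipalName": "adm-alice@contoso.example", "userType": "Member",
                    "onPremisesSyncEnabled": False, "mfaRegistered": True, "tags": {"admin-only"}},
    "u-bob": {"userPrincipalName": "bob@contoso.example", "userType": "Member",
              "onPremisesSyncEnabled": True, "mfaRegistered": False, "tags": {"personal-mail"}},
    "u-ops": {"userPrincipalName": "ops-shared@contoso.example", "userType": "Member",
              "onPremisesSyncEnabled": False, "mfaRegistered": True, "tags": {"shared"}},
    "u-guest": {"userPrincipalName": "partner@fabrikam.example", "userType": "Guest",
                "onPremisesSyncEnabled": False, "mfaRegistered": True, "tags": set()},
}
ROLE_ASSIGNMENTS = [  # constructed: (principalId, role, permanent or eligible)
    ("u-bg1", "Global Administrator", "permanent"),
    ("u-bg2", "Global Administrator", "permanent"),
    ("u-adm-alice", "Global Administrator", "eligible"),
    ("u-bob", "Global Administrator", "permanent"),
    ("u-ops", "Exchange Administrator", "permanent"),
    ("u-guest", "SharePoint Administrator", "permanent"),
    ("u-adm-alice", "Groups Administrator", "permanent"),  # not in the high-privilege set
]

# Tag -> inventory category from the list above, checked in priority order.
TAG_CATEGORIES = (("break-glass", "break-glass"), ("automation", "automation"),
                  ("shared", "shared"), ("personal-mail", "admin-and-personal"))


def categorize(user):
    """Bucket one account into the categories this stage asks you to record."""
    if user["userType"] == "Guest":
        return "external"
    for tag, category in TAG_CATEGORIES:
        if tag in user["tags"]:
            return category
    return "admin-only"


def privileged_holders(assignments):
    """Map user id -> {(role, kind)} restricted to the highly privileged roles."""
    holders = defaultdict(set)
    for uid, role, kind in assignments:
        if role in HIGHLY_PRIVILEGED:
            holders[uid].add((role, kind))
    return holders


def audit_privileged_accounts(users, assignments):
    """Return (user id or '*', message) findings to act on."""
    findings = []
    holders = privileged_holders(assignments)
    category = {uid: categorize(users[uid]) for uid in holders}

    permanent_gas = [uid for uid, rs in holders.items()
                     if ("Global Administrator", "permanent") in rs]
    if len(permanent_gas) >= MAX_GLOBAL_ADMINS:
        findings.append(("*", f"{len(permanent_gas)} permanent Global Administrators; "
                              f"keep it under {MAX_GLOBAL_ADMINS}"))
    break_glass = [uid for uid in permanent_gas if category[uid] == "break-glass"
                   and not users[uid]["onPremisesSyncEnabled"]]
    if len(break_glass) < MIN_BREAK_GLASS:
        findings.append(("*", f"only {len(break_glass)} cloud-only break-glass "
                              f"Global Administrator account(s); need {MIN_BREAK_GLASS}"))

    for uid, roles in holders.items():
        user, cat = users[uid], category[uid]
        if cat == "break-glass":
            continue  # governed by the emergency access guidance, not the MFA policy
        if user["onPremisesSyncEnabled"]:
            findings.append((uid, "synced from on-premises AD; use a cloud-only account"))
        if not user["mfaRegistered"]:
            findings.append((uid, "holds a privileged role but is not registered for MFA"))
        if cat in {"admin-and-personal", "shared", "external"}:
            findings.append((uid, f"{cat} account holds {sorted(r for r, _ in roles)}; "
                                  f"ask for the business justification or remove it"))
    return findings


if __name__ == "__main__":
    for uid, message in audit_privileged_accounts(USERS, ROLE_ASSIGNMENTS):
        print(f"{uid}: {message}")
```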
Turn on multi-factor authentication and register all other highly privileged single-user non-federated administrator accounts
Require Azure AD Multi-Factor Authentication (MFA) at sign-in for all individual users
who are permanently assigned to one or more of the Azure AD administrator roles:
Global Administrator, Privileged Role Administrator, Exchange Administrator, and
SharePoint Administrator. Use the guidance at Enforce multifactor authentication on
your administrators and ensure that all those users have registered at
[Link]. More information can be found under step 2 and step 3 of
the guide Protect user and device access in Microsoft 365.
Stage 2: Mitigate frequently used attacks
Stage 2 of the roadmap focuses on mitigating the most frequently used attack
techniques of credential theft and abuse and can be implemented in approximately 2-4
weeks. This stage of the Secured Privileged Access roadmap includes the following
actions.
General preparation
Conduct an inventory of services, owners, and administrators
The increase in "bring your own device" and work from home policies and the growth of
wireless connectivity make it critical to monitor who is connecting to your network. A
security audit can reveal devices, applications, and programs on your network that your
organization doesn't support and that represent high risk. For more information, see
Azure security management and monitoring overview. Ensure that you include all of the
following tasks in your inventory process.
Identify the users who have administrative roles and the services where they can
manage.
Use Azure AD PIM to find out which users in your organization have administrator
access to Azure AD.
Beyond the roles defined in Azure AD, Microsoft 365 comes with a set of
administrator roles that you can assign to users in your organization. Each
administrator role maps to common business functions, and gives people in your
organization permissions to do specific tasks in the Microsoft 365 admin center.
Use the Microsoft 365 admin center to find out which users in your organization
have administrator access to Microsoft 365, including via roles not managed in
Azure AD. For more information, see About Microsoft 365 administrator roles
and Security practices for Office 365.
Do the inventory in services your organization relies on, such as Azure, Intune, or
Dynamics 365.
Ensure that your accounts that are used for administration purposes:
Have working email addresses attached to them
Have registered for Azure AD Multi-Factor Authentication or use MFA on-premises
Ask users for their business justification for administrative access.
Remove administrator access for those individuals and services that don't need it.
Identify Microsoft accounts in administrative roles that need to be switched to work or school accounts
If your initial Global Administrators reused their existing Microsoft account credentials
when they began using Azure AD, replace the Microsoft accounts with individual cloud-based
or synchronized accounts.
Ensure separate user accounts and mail forwarding for Global
Administrator accounts
Personal email accounts are regularly phished by cyber attackers, a risk that makes
personal email addresses unacceptable for Global Administrator accounts. To help
separate internet risks from administrative privileges, create dedicated accounts for each
user with administrative privileges.
Be sure to create separate accounts for users to do Global Administrator tasks.
Make sure that your Global Administrators don't accidentally open emails or run
programs with their administrator accounts.
Be sure those accounts have their email forwarded to a working mailbox.
Global Administrator (and other privileged groups) accounts should be cloud-only
accounts with no ties to on-premises Active Directory.
Ensure the passwords of administrative accounts have recently
changed
Ensure all users have signed into their administrative accounts and changed their
passwords at least once in the last 90 days. Also, verify that any shared accounts have
had their passwords changed recently.
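The inventory checks above (Microsoft accounts in administrator roles, working mailboxes, MFA registration, business justification, cloud-only Global Administrators, and passwords changed within 90 days) can be expressed as one audit over an exported list of administrators. The following is an added example, not code from the page or from Microsoft; the account record shape, the consumer-domain list, the UPNs and the dates are constructed for the example, and the data would in practice be exported from Azure AD PIM or the admin centers.

```python
from dataclasses import dataclass
from datetime import date

# Constructed reference data for this example; adjust to your tenant.
CONSUMER_MSA_DOMAINS = {"outlook.com", "hotmail.com", "live.com", "xbox.com"}
PASSWORD_MAX_AGE_DAYS = 90
REFERENCE_DATE = date(2023, 3, 1)   # "today" for the sample run


@dataclass
class AdminAccount:
    """One row of an administrator inventory (constructed record shape, not a Graph object)."""
    upn: str
    roles: tuple
    mfa_registered: bool
    password_last_changed: date
    has_working_mailbox: bool
    synced_from_on_premises: bool
    justification: str = ""


def audit_admin_account(acct: AdminAccount, today: date) -> list:
    """Return the inventory findings for one account; an empty list passes every check."""
    findings = []
    domain = acct.upn.rsplit("@", 1)[-1].lower()
    if domain in CONSUMER_MSA_DOMAINS:
        findings.append("microsoft-account")          # replace with a work or school account
    if not acct.has_working_mailbox:
        findings.append("no-working-mailbox")         # administrator notifications go nowhere
    if not acct.mfa_registered:
        findings.append("no-mfa")
    if not acct.justification.strip():
        findings.append("no-business-justification")  # candidate for access removal
    if "Global Administrator" in acct.roles and acct.synced_from_on_premises:
        findings.append("global-admin-not-cloud-only")
    if (today - acct.password_last_changed).days > PASSWORD_MAX_AGE_DAYS:
        findings.append("stale-password")
    return findings


def audit_inventory(accounts, today: date) -> dict:
    """Map each UPN to its findings."""
    return {a.upn: audit_admin_account(a, today) for a in accounts}


def removal_candidates(accounts, today: date) -> list:
    """Accounts whose administrative access should be removed: no justification on file."""
    return sorted(a.upn for a in accounts
                  if "no-business-justification" in audit_admin_account(a, today))


# Constructed sample inventory; UPNs, roles and dates are made up for this example.
SAMPLE_ACCOUNTS = [
    AdminAccount("adm-chris@contoso.onmicrosoft.com", ("Global Administrator",), True,
                 date(2023, 1, 15), True, False, "Tenant break-fix owner"),
    AdminAccount("chris@outlook.com", ("Global Administrator",), False,
                 date(2022, 6, 1), True, False, ""),
    AdminAccount("alex@contoso.com", ("Global Administrator", "Exchange Administrator"), True,
                 date(2023, 2, 1), False, True, "Exchange migration"),
]

if __name__ == "__main__":
    for upn, findings in audit_inventory(SAMPLE_ACCOUNTS, REFERENCE_DATE).items():
        print(upn, "OK" if not findings else ", ".join(findings))
```

The findings are emitted in the order the roadmap lists the checks, so the report for a single account reads as a checklist; accounts with no justification are reported separately because the page's action for them is removal rather than remediation.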
Turn on password hash synchronization
Azure AD Connect synchronizes a hash of the hash of a user's password from
on-premises Active Directory to a cloud-based Azure AD organization. You can use
password hash synchronization as a backup if you use federation with Active Directory
Federation Services (AD FS). This backup can be useful if your on-premises Active
Directory or AD FS servers are temporarily unavailable.
Password hash sync enables users to sign in to a service by using the same password
they use to sign in to their on-premises Active Directory instance. Password hash sync
allows Identity Protection to detect compromised credentials by comparing password
hashes with passwords known to be compromised. For more information, see
Implement password hash synchronization with Azure AD Connect sync.
Require multi-factor authentication for users in privileged roles and
exposed users
Azure AD recommends that you require multi-factor authentication (MFA) for all of your
users. Be sure to consider users who would have a significant impact if their account
were compromised (for example, financial officers). MFA reduces the risk of an attack
because of a compromised password.
Turn on:
MFA using Conditional Access policies for all users in your organization.
If you use Windows Hello for Business, the MFA requirement can be met using the
Windows Hello sign-in experience. For more information, see Windows Hello.
Configure Identity Protection
Azure AD Identity Protection is an algorithm-based monitoring and reporting tool that
detects potential vulnerabilities affecting your organization's identities. You can
configure automated responses to those detected suspicious activities, and take
appropriate action to resolve them. For more information, see Azure Active Directory
Identity Protection.
Obtain your Microsoft 365 Secure Score (if using Microsoft 365)
Secure Score looks at your settings and activities for the Microsoft 365 services you're
using and compares them to a baseline established by Microsoft. You'll get a score
based on how aligned you are with security practices. Anyone who has the administrator
permissions for a Microsoft 365 Business Standard or Enterprise subscription can access
the Secure Score at [Link].
Review the Microsoft 365 security and compliance guidance (if
using Microsoft 365)
The plan for security and compliance outlines the approach for an Office 365
customer to configure Office 365 and enable other EMS capabilities. Then, review steps
3-6 of how to Protect access to data and services in Microsoft 365 and the guide for
how to monitor security and compliance in Microsoft 365.
Configure Microsoft 365 Activity Monitoring (if using Microsoft
365)
Monitor your organization for users who are using Microsoft 365 to identify staff who
have an administrator account but might not need Microsoft 365 access because they
don't sign in to those portals. For more information, see Activity reports in the Microsoft
365 admin center.
Establish incident/emergency response plan owners
Establishing a successful incident response capability requires considerable planning
and resources. You must continually monitor for cyber-attacks and establish priorities
for incident handling. Collect, analyze, and report incident data to build relationships
and establish communication with other internal groups and plan owners. For more
information, see Microsoft Security Response Center.
Secure on-premises privileged administrative accounts, if not
already done
If your Azure Active Directory organization is synchronized with on-premises Active
Directory, then follow the guidance in the Security Privileged Access Roadmap. This stage
includes:
Creating separate administrator accounts for users who need to conduct on-premises
administrative tasks
Deploying Privileged Access Workstations for Active Directory administrators
Creating unique local administrator passwords for workstations and servers
Additional steps for organizations managing access to
Azure
Complete an inventory of subscriptions
Use the Enterprise portal and the Azure portal to identify the subscriptions in your
organization that host production applications.
Remove Microsoft accounts from administrator roles
Microsoft accounts from other programs, such as Xbox, Live, and Outlook, shouldn't be
used as administrator accounts for your organization's subscriptions. Remove
administrator status from all Microsoft accounts, and replace with Azure AD (for
example, chris@[Link]) work or school accounts. For administrator purposes,
depend on accounts that are authenticated in Azure AD and not in other services.
Monitor Azure activity
The Azure Activity Log provides a history of subscription-level events in Azure. It offers
information about who created, updated, and deleted what resources, and when these
events occurred. For more information, see Audit and receive notifications about
important actions in your Azure subscription.
Additional steps for organizations managing access to
other cloud apps via Azure AD
Configure Conditional Access policies
Prepare Conditional Access policies for on-premises and cloud-hosted applications. If
you have users with workplace-joined devices, get more information from Setting up
on-premises Conditional Access by using Azure Active Directory device registration.
Stage 3: Take control of administrator activity
Stage 3 builds on the mitigations from Stage 2 and should be implemented in
approximately 1-3 months. This stage of the Secured Privileged Access roadmap
includes the following components.
General preparation
Complete an access review of users in administrator roles
More corporate users are gaining privileged access through cloud services, which can
lead to unmanaged access. Users today can become Global Administrators for
Microsoft 365, Azure subscription administrators, or have administrator access to VMs
or via SaaS apps.
Your organization should have all employees handle ordinary business transactions as
unprivileged users, and then grant administrator rights only as needed. Complete access
reviews to identify and confirm the users who are eligible to activate administrator
privileges.
We recommend that you:
1. Determine which users are Azure AD administrators, enable on-demand, just-in-time
administrator access, and role-based security controls.
2. Convert users who have no clear justification for administrator privileged access to
a different role (if no eligible role, remove them).
Continue rollout of stronger authentication for all users
Require highly exposed users to have modern, strong authentication such as Azure AD
MFA or Windows Hello. Examples of highly exposed users include:
C-suite executives
High-level managers
Critical IT and security personnel
Use dedicated workstations for administration for Azure AD
Attackers might try to target privileged accounts so that they can disrupt the integrity
and authenticity of data. They often use malicious code that alters the program logic or
snoops the administrator entering a credential. Privileged Access Workstations (PAWs)
provide a dedicated operating system for sensitive tasks that is protected from Internet
attacks and threat vectors. Separating these sensitive tasks and accounts from the daily
use workstations and devices provides strong protection from:
Phishing attacks
Application and operating system vulnerabilities
Impersonation attacks
Credential theft attacks such as keystroke logging, Pass-the-Hash, and Pass-the-Ticket
By deploying privileged access workstations, you can reduce the risk that administrators
enter their credentials in a desktop environment that hasn't been hardened. For more
information, see Privileged Access Workstations.
Review National Institute of Standards and Technology
recommendations for handling incidents
The National Institute of Standards and Technology (NIST) provides guidelines for
incident handling, particularly for analyzing incident-related data and determining the
appropriate response to each incident. For more information, see the NIST Computer
Security Incident Handling Guide (SP 800-61, Revision 2).
Implement Privileged Identity Management (PIM) for JIT to
additional administrative roles
For Azure Active Directory, use Azure AD Privileged Identity Management capability.
Time-limited activation of privileged roles works by enabling you to:
Activate administrator privileges to do a specific task
Enforce MFA during the activation process
Use alerts to inform administrators about out-of-band changes
Enable users to keep their privileged access for a pre-configured amount of time
Allow security administrators to:
Discover all privileged identities
View audit reports
Create access reviews to identify every user who is eligible to activate
administrator privileges
If you're already using Azure AD Privileged Identity Management, adjust timeframes for
time-bound privileges as necessary (for example, maintenance windows).
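The activation lifecycle described above (eligibility, MFA enforced at activation, a pre-configured maximum duration, automatic expiry, an audit trail, and alerts for out-of-band changes) is easier to reason about as a small state model. The following is an added example, not Microsoft's code and not the PIM API: the class, its method names and the user and role names are constructed for illustration, and the scenario it walks through returns the values a reader would otherwise check in the portal.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Activation:
    user: str
    role: str
    expires_at: datetime
    justification: str


class JitRoleModel:
    """Constructed model of eligible vs. active privileged roles (not the PIM API)."""

    def __init__(self, max_activation_hours: int = 8):
        self.max_activation = timedelta(hours=max_activation_hours)
        self.eligible = set()      # (user, role) pairs allowed to activate
        self.permanent = set()     # (user, role) pairs active with no expiry
        self.activations = {}      # (user, role) -> Activation
        self.audit = []            # every decision, for the audit report
        self.alerts = []           # out-of-band changes that warrant review

    def make_eligible(self, user: str, role: str) -> None:
        self.eligible.add((user, role))
        self.audit.append(("eligible", user, role))

    def activate(self, user, role, now, mfa_passed, hours, justification) -> bool:
        """Grant time-limited access only to an eligible user who completed MFA."""
        key = (user, role)
        if key not in self.eligible:
            self.audit.append(("denied-not-eligible", user, role))
            return False
        if not mfa_passed:
            self.audit.append(("denied-mfa-required", user, role))
            return False
        # Cap the requested window at the configured maximum activation time.
        duration = min(timedelta(hours=hours), self.max_activation)
        self.activations[key] = Activation(user, role, now + duration, justification)
        self.audit.append(("activated", user, role, justification))
        return True

    def is_active(self, user, role, now) -> bool:
        """Permanent assignments are always active; JIT activations expire on their own."""
        if (user, role) in self.permanent:
            return True
        act = self.activations.get((user, role))
        return act is not None and now < act.expires_at

    def permanent_assignment_outside_pim(self, user, role, changed_by) -> None:
        """Model a direct, permanent role assignment made without an activation."""
        self.permanent.add((user, role))
        self.alerts.append(f"{changed_by} assigned {role} permanently to {user} outside PIM")

    def privileged_identities(self, now) -> list:
        """Everyone who holds or can activate a privileged role: the access-review input."""
        users = {u for u, _ in self.eligible} | {u for u, _ in self.permanent}
        users |= {a.user for a in self.activations.values() if now < a.expires_at}
        return sorted(users)


def demo_scenario() -> dict:
    """Walk one activation lifecycle with constructed users; returns the observed decisions."""
    t0 = datetime(2023, 3, 1, 9, 0)
    pim = JitRoleModel(max_activation_hours=8)
    pim.make_eligible("alice", "User Administrator")
    denied = pim.activate("alice", "User Administrator", t0, mfa_passed=False, hours=2,
                          justification="ticket 1")
    granted = pim.activate("alice", "User Administrator", t0, mfa_passed=True, hours=2,
                           justification="ticket 1")
    active_after_1h = pim.is_active("alice", "User Administrator", t0 + timedelta(hours=1))
    active_after_3h = pim.is_active("alice", "User Administrator", t0 + timedelta(hours=3))
    bob = pim.activate("bob", "User Administrator", t0, mfa_passed=True, hours=1, justification="")
    pim.permanent_assignment_outside_pim("carol", "Global Administrator", changed_by="dave")
    return {
        "denied_without_mfa": denied, "granted_with_mfa": granted,
        "active_after_1h": active_after_1h, "active_after_3h": active_after_3h,
        "bob_not_eligible": bob, "alert_count": len(pim.alerts),
        "identities": pim.privileged_identities(t0 + timedelta(hours=1)),
    }


if __name__ == "__main__":
    print(demo_scenario())
```

Two details are worth noticing: the requested duration is capped rather than rejected, which is how a maintenance-window maximum behaves, and the access-review input (`privileged_identities`) includes eligible users even when they have nothing active, since eligibility is itself the privilege being reviewed.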
Determine exposure to password-based sign-in protocols (if using
Exchange Online)
We recommend you identify every potential user who could be catastrophic to the
organization if their credentials were compromised. For those users, put in place strong
authentication requirements and use Azure AD Conditional Access to keep them from
signing in to their email using username and password. You can block legacy
authentication using Conditional Access, and you can block basic authentication
through Exchange Online.
Complete a roles review assessment for Microsoft 365 roles (if
using Microsoft 365)
Assess whether all administrator users are in the correct roles (delete and reassign
according to this assessment).
Review the security incident management approach used in
Microsoft 365 and compare with your own organization
You can download this report from Security Incident Management in Microsoft 365.
Continue to secure on-premises privileged administrative accounts
If your Azure Active Directory is connected to on-premises Active Directory, then follow
the guidance in the Security Privileged Access Roadmap: Stage 2. In this stage, you:
Deploy Privileged Access Workstations for all administrators
Require MFA
Use Just Enough Admin for domain controller maintenance, lowering the attack
surface of domains
Deploy Advanced Threat Assessment for attack detection
Additional steps for organizations managing access to
Azure
Establish integrated monitoring
Microsoft Defender for Cloud:
Provides integrated security monitoring and policy management across your Azure
subscriptions
Helps detect threats that may otherwise go unnoticed
Works with a broad array of security solutions
Inventory your privileged accounts within hosted Virtual Machines
You don't usually need to give users unrestricted permissions to all your Azure
subscriptions or resources. Use Azure AD administrator roles to grant only the access
that your users need to do their jobs. You can use Azure AD administrator roles to
let one administrator manage only VMs in a subscription, while another can manage
SQL databases within the same subscription. For more information, see What is Azure
role-based access control.
Implement PIM for Azure AD administrator roles
Use Privileged Identity Management with Azure AD administrator roles to manage,
control, and monitor access to Azure resources. Using PIM protects by lowering the
exposure time of privileges and increasing your visibility into their use through reports
and alerts. For more information, see What is Azure AD Privileged Identity Management.
Use Azure log integrations to send relevant Azure logs to your
SIEM systems
Azure log integration enables you to integrate raw logs from your Azure resources into
your organization's existing Security Information and Event Management (SIEM)
systems. Azure log integration collects Windows events from Windows Event Viewer
logs, and Azure resource data from:
Azure Activity Logs
Microsoft Defender for Cloud alerts
Azure resource logs
Additional steps for organizations managing access to
other cloud apps via Azure AD
Implement user provisioning for connected apps
Azure AD allows you to automate creating and maintaining user identities in cloud apps
like Dropbox, Salesforce, and ServiceNow. For more information, see Automate user
provisioning and deprovisioning to SaaS applications with Azure AD.
Integrate information protection
Microsoft Defender for Cloud Apps allows you to investigate files and set policies based
on Azure Information Protection classification labels, enabling greater visibility and
control of your cloud data. Scan and classify files in the cloud and apply Azure
information protection labels. For more information, see Azure Information Protection
integration.
Configure Conditional Access
Configure Conditional Access based on a group, location, and application sensitivity for
SaaS apps and Azure AD connected apps.
Monitor activity in connected cloud apps
We recommend using Microsoft Defender for Cloud Apps to ensure that user access is
also protected in connected applications. This feature secures the enterprise access to
cloud apps and secures your administrator accounts, allowing you to:
Extend visibility and control to cloud apps
Create policies for access, activities, and data sharing
Automatically identify risky activities, abnormal behaviors, and threats
Prevent data leakage
Minimize risk with automated threat prevention and policy enforcement
The Defender for Cloud Apps SIEM agent integrates Defender for Cloud Apps with your
SIEM server to enable centralized monitoring of Microsoft 365 alerts and activities. It
runs on your server and pulls alerts and activities from Defender for Cloud Apps and
streams them into the SIEM server. For more information, see SIEM integration.
Stage 4: Continue building defenses
Stage 4 of the roadmap should be implemented at six months and beyond. Complete
your roadmap to strengthen your privileged access protections from potential attacks
that are known today. For the security threats of tomorrow, we recommend viewing
security as an ongoing process to raise the costs and reduce the success rate of
adversaries targeting your environment.
Securing privileged access is important to establish security assurances for your business
assets. However, it should be part of a complete security program that provides ongoing
security assurances. This program should include elements such as:
Policy
Operations
Information security
Servers
Applications
PCs
Devices
Cloud fabric
We recommend the following practices when you're managing privileged access
accounts:
Ensure that administrators are doing their day-to-day business as unprivileged
users
Grant privileged access only when needed, and remove it afterward (just-in-time)
Keep audit activity logs relating to privileged accounts
For more information on building a complete security roadmap, see Microsoft cloud IT
architecture resources. To engage with Microsoft services to help you implement any
part of your roadmap, contact your Microsoft representative or see Build critical cyber
defenses to protect your enterprise.
This final ongoing stage of the Secured Privileged Access roadmap includes the
following components.
General preparation
Review administrator roles in Azure AD
Determine if current built-in Azure AD administrator roles are still up to date and ensure
that users are in only the roles they need. With Azure AD, you can assign separate
administrators to serve different functions. For more information, see Azure AD built-in
roles.
Review users who have administration of Azure AD joined devices
For more information, see How to configure hybrid Azure Active Directory joined
devices.
Review members of built-in Microsoft 365 admin roles
Skip this step if you're not using Microsoft 365.
Validate incident response plan
To improve upon your plan, Microsoft recommends you regularly validate that your plan
operates as expected:
Go through your existing road map to see what was missed
Based on the postmortem analysis, revise existing or define new practices
Ensure that your updated incident response plan and practices are distributed
throughout your organization
Additional steps for organizations managing access to
Azure
Determine if you need to transfer ownership of an Azure subscription to another
account.
"Break glass": what to do in an emergency
1. Notify key managers and security officers with information about the incident.
2. Review your attack playbook.
3. Access your "break glass" account username and password combination to sign in
to Azure AD.
4. Get help from Microsoft by opening an Azure support request.
5. Look at the Azure AD sign-in reports. There might be some time between an event
occurring and when it's included in the report.
6. For hybrid environments, if your on-premises infrastructure is federated and your AD
FS servers aren't available, you can temporarily switch from federated
authentication to password hash sync. This switch reverts the domain
federation back to managed authentication until the AD FS server becomes
available.
7. Monitor email for privileged accounts.
8. Make sure you save backups of relevant logs for potential forensic and legal
investigation.
For more information about how Microsoft Office 365 handles security incidents, see
Security Incident Management in Microsoft Office 365.
FAQ: Answers for securing privileged access
Q: What do I do if I haven't implemented any secure access components yet?
Answer: Define at least two break-glass accounts, assign MFA to your privileged
administrator accounts, and separate user accounts from Global Administrator accounts.
Q: After a breach, what is the top issue that needs to be addressed first?
Answer: Be sure you're requiring the strongest authentication for highly exposed
individuals.
Q: What happens if our privileged administrators have been deactivated?
Answer: Create a Global Administrator account that is always kept up to date.
Q: What happens if there's only one Global Administrator left and they can't be
reached?
Answer: Use one of your break-glass accounts to gain immediate privileged access.
Q: How can I protect administrators within my organization?
Answer: Have administrators always do their day-to-day business as standard
"unprivileged" users.
Q: What are the best practices for creating administrator accounts within Azure AD?
Answer: Reserve privileged access for specific administrator tasks.
Q: What tools exist for reducing persistent administrator access?
Answer: Privileged Identity Management (PIM) and Azure AD administrator roles.
Q: What is the Microsoft position on synchronizing administrator accounts to Azure AD?
Answer: Tier 0 administrator accounts are used only for on-premises AD accounts. Such
accounts aren't typically synchronized with Azure AD in the cloud. Tier 0 administrator
accounts include accounts, groups, and other assets that have direct or indirect
administrative control of the on-premises Active Directory forest, domains, domain
controllers, and assets.
Q: How do we keep administrators from assigning random administrator access in the
portal?
Answer: Use non-privileged accounts for all users and most administrators. Start by
developing a footprint of the organization to determine which few administrator
accounts should be privileged. And monitor for newly created administrative users.
Next steps
Microsoft Trust Center for Product Security – Security features of Microsoft cloud
products and services
Microsoft Trust Center - Compliance – Microsoft's comprehensive set of
compliance offerings for cloud services
Guidance on how to do a risk assessment - Manage security and compliance
requirements for Microsoft cloud services
Other Microsoft Online Services
Microsoft Intune Security – Intune provides mobile device management, mobile
application management, and PC management capabilities from the cloud.
Microsoft Dynamics 365 security – Dynamics 365 is the Microsoft cloud-based
solution that unifies customer relationship management (CRM) and enterprise
resource planning (ERP) capabilities.
Manage emergency access accounts in
Azure AD
Article • 01/20/2023 • 9 minutes to read
It is important that you prevent being accidentally locked out of your Azure Active
Directory (Azure AD) organization because you can't sign in or activate another user's
account as an administrator. You can mitigate the impact of accidental lack of
administrative access by creating two or more emergency access accounts in your
organization.
Emergency access accounts are highly privileged, and they are not assigned to specific
individuals. Emergency access accounts are limited to emergency or "break glass"
scenarios where normal administrative accounts can't be used. We recommend that you
maintain a goal of restricting emergency account use to only the times when it is
absolutely necessary.
This article provides guidelines for managing emergency access accounts in Azure AD.
Why use an emergency access account
An organization might need to use an emergency access account in the following
situations:
The user accounts are federated, and federation is currently unavailable because of
a cell-network break or an identity-provider outage. For example, if the identity
provider host in your environment has gone down, users might be unable to sign
in when Azure AD redirects to their identity provider.
The administrators are registered through Azure AD Multi-Factor Authentication,
and all their individual devices are unavailable or the service is unavailable. Users
might be unable to complete Multi-Factor Authentication to activate a role. For
example, a cell network outage is preventing them from answering phone calls or
receiving text messages, the only two authentication mechanisms that they
registered for their device.
The person with the most recent Global Administrator access has left the
organization. Azure AD prevents the last Global Administrator account from being
deleted, but it does not prevent the account from being deleted or disabled on-
premises. Either situation might make the organization unable to recover the
account.
Unforeseen circumstances such as a natural disaster emergency, during which a
mobile phone or other networks might be unavailable.
Create emergency access accounts
Create two or more emergency access accounts. These accounts should be cloud-only
accounts that use the *.[Link] domain and that are not federated or
synchronized from an on-premises environment.
How to create an emergency access account
1. Sign in to the Azure portal or Azure AD admin center as an existing Global
Administrator.
2. Select Azure Active Directory > Users.
3. Select New user.
4. Select Create user.
5. Give the account a User name.
6. Give the account a Name.
7. Create a long and complex password for the account.
8. Under Roles, assign the Global Administrator role.
9. Under Usage location, select the appropriate location.
10. Select Create.
11. Store account credentials safely.
12. Monitor sign-in and audit logs.
13. Validate accounts regularly.
When configuring these accounts, the following requirements must be met:
The emergency access accounts should not be associated with any individual user
in the organization. Make sure that your accounts are not connected with any
employee-supplied mobile phones, hardware tokens that travel with individual
employees, or other employee-specific credentials. This precaution covers
instances where an individual employee is unreachable when the credential is
needed. It is important to ensure that any registered devices are kept in a known,
secure location that has multiple means of communicating with Azure AD.
Use strong authentication for your emergency access accounts and make sure it
doesn’t use the same authentication methods as your other administrative
accounts. For example, if your normal administrator account uses the Microsoft
Authenticator app for strong authentication, use a FIDO2 security key for your
emergency accounts. Consider the dependencies of various authentication
methods, to avoid adding external requirements into the authentication process.
The device or credential must not expire or be in scope of automated cleanup due
to lack of use.
In Azure AD Privileged Identity Management, you should make the Global
Administrator role assignment permanent rather than eligible for your emergency
access accounts.
Exclude at least one account from phone-based multi-factor
authentication
To reduce the risk of an attack resulting from a compromised password, Azure AD
recommends that you require multi-factor authentication for all individual users. This
group includes administrators and all others (for example, financial officers) whose
compromised account would have a significant impact.
However, at least one of your emergency access accounts should not have the same
multi-factor authentication mechanism as your other non-emergency accounts. This
includes third-party multi-factor authentication solutions. If you have a Conditional
Access policy to require multi-factor authentication for every administrator for Azure AD
and other connected software as a service (SaaS) apps, you should exclude emergency
access accounts from this requirement, and configure a different mechanism instead.
Additionally, you should make sure the accounts do not have a per-user multi-factor
authentication policy.
Exclude at least one account from Conditional Access
policies
During an emergency, you do not want a policy to potentially block your access to fix an
issue. If you use Conditional Access, at least one emergency access account needs to be
excluded from all Conditional Access policies.
Federation guidance
Some organizations use AD Domain Services and AD FS or a similar identity provider to
federate to Azure AD. The emergency access for on-premises systems and the
emergency access for cloud services should be kept distinct, with no dependency of one
on the other. Mastering and/or sourcing authentication for accounts with emergency
access privileges from other systems adds unnecessary risk in the event of an outage of
those systems.
Store account credentials safely
Organizations need to ensure that the credentials for emergency access accounts are
kept secure and known only to individuals who are authorized to use them. Some
customers use a smartcard for Windows Server AD, a FIDO2 security key for Azure AD
and others use passwords. A password for an emergency access account is usually
separated into two or three parts, written on separate pieces of paper, and stored in
secure, fireproof safes that are in secure, separate locations.
If using passwords, make sure the accounts have strong passwords that do not expire.
Ideally, the passwords should be at least 16 characters long and randomly generated.
Monitor sign-in and audit logs
Organizations should monitor sign-in and audit log activity from the emergency
accounts and trigger notifications to other administrators. When you monitor the
activity on break glass accounts, you can verify these accounts are only used for testing
or actual emergencies. You can use Azure Log Analytics to monitor the sign-in logs and
trigger email and SMS alerts to your admins whenever break glass accounts sign in.
Prerequisites
1. Send Azure AD sign-in logs to Azure Monitor.
Obtain Object IDs of the break glass accounts
1. Sign in to the Azure portal or Azure AD admin center with an account
assigned to the User Administrator role.
2. Select Azure Active Directory > Users.
3. Search for the break-glass account and select the user’s name.
4. Copy and save the Object ID attribute so that you can use it later.
5. Repeat previous steps for second break-glass account.
Create an alert rule
1. Sign in to the Azure portal with an account assigned to the Monitoring
Contributor role in Azure Monitor.
2. Select All services, enter "log analytics" in Search, and then select Log Analytics
workspaces.
3. Select a workspace.
4. In your workspace, select Alerts > New alert rule.
a. Under Resource, verify that the subscription is the one with which you want to
associate the alert rule.
b. Under Condition, select Add.
c. Select Custom log search under Signal name.
d. Under Search query, enter the following query, inserting the object IDs of the
two break glass accounts.
Note
For each additional break glass account you want to include, add another
or UserId == "ObjectGuid" clause to the query.
Sample queries:
Kusto
// Search for a single Object ID (UserID)
SigninLogs
| project UserId
| where UserId == "f66e7317-2ad4-41e9-8238-3acf413f7448"
Kusto
// Search for multiple Object IDs (UserIds)
SigninLogs
| project UserId
| where UserId == "f66e7317-2ad4-41e9-8238-3acf413f7448" or UserId ==
"0383eb26-1cbc-4be7-97fd-e8a0d8f4e62b"
Kusto
// Search for a single UserPrincipalName
SigninLogs
| project UserPrincipalName
| where UserPrincipalName == "user@[Link]"
e. Under Alert logic, enter the following:
Based on: Number of results
Operator: Greater than
Threshold value: 0
f. Under Evaluated based on, select the Period (in minutes) for how long you
want the query to run, and the Frequency (in minutes) for how often you want
the query to run. The frequency should be less than or equal to the period.
g. Select Done. You may now view the estimated monthly cost of this alert.
5. Select an action group of users to be notified by the alert. If you want to create
one, see Create an action group.
6. To customize the email notification sent to the members of the action group, select
actions under Customize Actions.
7. Under Alert Details, specify the alert rule name and add an optional description.
8. Set the Severity level of the event. We recommend that you set it to Critical (Sev 0).
9. Under Enable rule upon creation, leave it set as yes.
10. To turn off alerts for a while, select the Suppress Alerts check box and enter the
wait duration before alerting again, and then select Save.
11. Click Create alert rule.
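The alert rule above combines the Kusto filter (match on UserId or UserPrincipalName) with the alert logic (Number of results greater than 0) and a schedule (a look-back Period evaluated every Frequency minutes, with frequency no greater than period). The following added example reproduces that evaluation offline so the behaviour of the period and frequency settings can be seen on sample data; it is not Microsoft's code or a Log Analytics client. The two object IDs are the sample values used in the page's queries; the sign-in rows, the UPNs and the other IDs are constructed for the example.

```python
from datetime import datetime, timedelta

# Sample object IDs from the page's Kusto queries; the UPN is a constructed placeholder.
BREAK_GLASS_OBJECT_IDS = frozenset({
    "f66e7317-2ad4-41e9-8238-3acf413f7448",
    "0383eb26-1cbc-4be7-97fd-e8a0d8f4e62b",
})
BREAK_GLASS_UPNS = frozenset({"bg-2@contoso.onmicrosoft.com"})

# Constructed SigninLogs-like rows carrying only the columns the queries use.
SAMPLE_SIGNIN_LOGS = [
    {"TimeGenerated": "2023-01-20T08:00:00Z", "UserId": "11111111-1111-1111-1111-111111111111",
     "UserPrincipalName": "alice@contoso.com"},
    {"TimeGenerated": "2023-01-20T09:30:00Z", "UserId": "f66e7317-2ad4-41e9-8238-3acf413f7448",
     "UserPrincipalName": "bg-1@contoso.onmicrosoft.com"},
    {"TimeGenerated": "2023-01-20T12:00:00Z", "UserId": "22222222-2222-2222-2222-222222222222",
     "UserPrincipalName": "bob@contoso.com"},
    {"TimeGenerated": "2023-01-20T14:10:00Z", "UserId": "33333333-3333-3333-3333-333333333333",
     "UserPrincipalName": "bg-2@contoso.onmicrosoft.com"},
]


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def break_glass_signins(rows, object_ids=BREAK_GLASS_OBJECT_IDS, upns=BREAK_GLASS_UPNS):
    """Python equivalent of the page's Kusto filters: match on UserId or on UserPrincipalName."""
    return [r for r in rows if r["UserId"] in object_ids or r["UserPrincipalName"] in upns]


def evaluate_rule(rows, evaluation_time, period_minutes, frequency_minutes, threshold=0):
    """One evaluation: count matching sign-ins in the look-back period and apply
    'Number of results greater than threshold'. Frequency must not exceed period."""
    if frequency_minutes > period_minutes:
        raise ValueError("frequency must be less than or equal to period")
    window_start = evaluation_time - timedelta(minutes=period_minutes)
    hits = [r for r in break_glass_signins(rows)
            if window_start < parse_ts(r["TimeGenerated"]) <= evaluation_time]
    return len(hits) > threshold, hits


def run_schedule(rows, start, end, period_minutes, frequency_minutes):
    """Evaluate the rule every `frequency_minutes` from start to end; return the firing times."""
    fired = []
    t = start + timedelta(minutes=frequency_minutes)
    while t <= end:
        fires, _ = evaluate_rule(rows, t, period_minutes, frequency_minutes)
        if fires:
            fired.append(t)
        t += timedelta(minutes=frequency_minutes)
    return fired


def firing_times(period_minutes=60, frequency_minutes=60) -> list:
    """Run the sample day (08:00 to 16:00) and return the firing times as HH:MM strings."""
    start, end = datetime(2023, 1, 20, 8), datetime(2023, 1, 20, 16)
    return [t.strftime("%H:%M") for t in
            run_schedule(SAMPLE_SIGNIN_LOGS, start, end, period_minutes, frequency_minutes)]


if __name__ == "__main__":
    print("period 60 / frequency 60:", firing_times(60, 60))
    print("period 120 / frequency 60:", firing_times(120, 60))
```

With period equal to frequency each sign-in fires exactly one evaluation; with a period longer than the frequency the same sign-in fires on every evaluation whose window still contains it, which is why a longer look-back produces repeated notifications for one event and why the page's suppression setting exists.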
Create an action group
1. Select Create an action group.
2. Enter the action group name and a short name.
3. Verify the subscription and resource group.
4. Under action type, select Email/SMS/Push/Voice.
5. Enter an action name such as Notify global admin.
6. Select the Action Type as Email/SMS/Push/Voice.
7. Select Edit details to select the notification methods you want to configure and
enter the required contact information, and then select Ok to save the details.
8. Add any additional actions you want to trigger.
9. Select OK.
Validate accounts regularly
When you train staff members to use emergency access accounts and validate the
emergency access accounts, at minimum do the following steps at regular intervals:
Ensure that security-monitoring staff are aware that the account-check activity is
ongoing.
Ensure that the emergency break glass process to use these accounts is
documented and current.
Ensure that administrators and security officers who might need to perform these
steps during an emergency are trained on the process.
Update the account credentials, in particular any passwords, for your emergency
access accounts, and then validate that the emergency access accounts can sign in
and perform administrative tasks.
Ensure that users have not registered Multi-Factor Authentication or self-service
password reset (SSPR) to any individual user’s device or personal details.
If the accounts are registered for Multi-Factor Authentication to a device, for use
during sign-in or role activation, ensure that the device is accessible to all
administrators who might need to use it during an emergency. Also verify that the
device can communicate through at least two network paths that do not share a
common failure mode. For example, the device can communicate to the internet
through both a facility's wireless network and a cell provider network.
These steps should be performed at regular intervals and for key changes:
At least every 90 days
When there has been a recent change in IT staff, such as a job change, a departure,
or a new hire
When the Azure AD subscriptions in the organization have changed
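The checks above can be scripted so that the periodic validation leaves a record. The following is an added example, not code from the Microsoft article: it uses Invoke-MgGraphRequest from the Microsoft Graph PowerShell SDK to report, for each emergency access account, whether the account is enabled, whether it still holds an active Global Administrator assignment at tenant scope, and whether any authentication method tied to an individual's device or personal details (Authenticator app, phone, e-mail, software OATH token) has been registered. The account names are constructed placeholders, and the Graph permission scopes named in the comment are an assumption about how the session was opened.

```powershell
# Added example, not part of the Microsoft article: validate emergency access accounts
# with Microsoft Graph PowerShell. Assumes the Microsoft.Graph module is installed and a
# session was opened with:
#   Connect-MgGraph -Scopes 'UserAuthenticationMethod.Read.All','RoleManagement.Read.Directory','User.Read.All'
# The account names below are constructed placeholders; replace them with your own.

$breakGlassAccounts = @(
    'emergency1@contoso.example',   # constructed placeholder
    'emergency2@contoso.example'    # constructed placeholder
)

$graph = 'https://graph.microsoft.com/v1.0'

function Get-GlobalAdminRoleId {
    # Look the role definition up by display name rather than hard-coding its template ID
    $uri = $graph + "/roleManagement/directory/roleDefinitions?`$filter=displayName eq 'Global Administrator'"
    $role = (Invoke-MgGraphRequest -Method GET -Uri $uri).value | Select-Object -First 1
    if (-not $role) { throw 'Global Administrator role definition not found' }
    return $role.id
}

function Test-BreakGlassAccount {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [string] $GlobalAdminRoleId
    )

    $user = Invoke-MgGraphRequest -Method GET -Uri ($graph + '/users/' + $UserPrincipalName + '?$select=id,displayName,accountEnabled')

    # Registered authentication methods. Anything tied to one person's device or personal
    # details is flagged, because break-glass MFA must not depend on an individual.
    # The password method itself or a shared FIDO2 key kept in a safe is not flagged.
    $methods = (Invoke-MgGraphRequest -Method GET -Uri ($graph + '/users/' + $user.id + '/authentication/methods')).value
    $personalTypes = @(
        '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
        '#microsoft.graph.phoneAuthenticationMethod',
        '#microsoft.graph.emailAuthenticationMethod',
        '#microsoft.graph.softwareOathAuthenticationMethod'
    )
    $personal = @($methods | Where-Object { $personalTypes -contains $_.'@odata.type' })

    # Active Global Administrator assignment at tenant scope ('/')
    $uri = $graph + "/roleManagement/directory/roleAssignments?`$filter=principalId eq '" + $user.id + "'"
    $assignments = (Invoke-MgGraphRequest -Method GET -Uri $uri).value
    $isGlobalAdmin = @($assignments | Where-Object {
        $_.roleDefinitionId -eq $GlobalAdminRoleId -and $_.directoryScopeId -eq '/'
    }).Count -gt 0

    [pscustomobject]@{
        UserPrincipalName  = $UserPrincipalName
        AccountEnabled     = $user.accountEnabled
        IsGlobalAdmin      = $isGlobalAdmin
        PersonalMfaMethods = ($personal | ForEach-Object { $_.'@odata.type' -replace '^#microsoft\.graph\.', '' }) -join ','
        Ok                 = [bool]$user.accountEnabled -and $isGlobalAdmin -and ($personal.Count -eq 0)
    }
}

$gaRoleId = Get-GlobalAdminRoleId
$breakGlassAccounts |
    ForEach-Object { Test-BreakGlassAccount -UserPrincipalName $_ -GlobalAdminRoleId $gaRoleId } |
    Format-Table -AutoSize
```

Run it from a scheduled task or pipeline on the 90-day cadence and keep the output; a row with Ok set to False is the trigger to re-run the manual steps above (rotate the credential, remove the personal MFA registration, restore the role assignment).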
Next steps
Securing privileged access for hybrid and cloud deployments in Azure AD
Add users using Azure AD and assign the new user to the Global Administrator
role
Sign up for Azure AD Premium, if you haven’t signed up already
How to require two-step verification for a user
Configure additional protections for Global Administrators in Microsoft 365, if you
are using Microsoft 365
Start an access review of Global Administrators and transition existing Global
Administrators to more specific administrator roles
Prerequisites to use PowerShell or
Graph Explorer for Azure AD roles
Article • 09/23/2022 • 2 minutes to read
If you want to manage Azure Active Directory (Azure AD) roles using PowerShell or
Graph Explorer, you must have the required prerequisites. This article describes the
PowerShell and Graph Explorer prerequisites for different Azure AD role features.
Microsoft Graph PowerShell
To use PowerShell commands to do the following:
Add users, groups, or devices to an administrative unit
Create a new group in an administrative unit
You must have the Microsoft Graph PowerShell SDK installed:
Microsoft Graph PowerShell SDK
AzureAD module
To use PowerShell commands to do the following:
List role assignments
Create a role-assignable group
Manage administrative units
You must have the following module installed:
AzureAD (current version)
Check AzureAD version
To check which version of AzureAD you have installed, use Get-InstalledModule.
PowerShell
Get-InstalledModule -Name AzureAD
You should see output similar to the following:
PowerShell
Version    Name      Repository   Description
-------    ----      ----------   -----------
[Link]     AzureAD   PSGallery    Azure Active Directory V2 General Availability M...
Install AzureAD
If you don't have AzureAD installed, use Install-Module to install AzureAD.
PowerShell
Install-Module -Name AzureAD
Update AzureAD
To update AzureAD to the latest version, re-run Install-Module.
PowerShell
Install-Module -Name AzureAD
Use AzureAD
To use AzureAD, follow these steps to make sure it is imported into the current session.
1. Use Get-Module to check if AzureAD is loaded into memory.
PowerShell
Get-Module -Name AzureAD
2. If you don't see any output in the previous step, use Import-Module to import
AzureAD. The -Force parameter removes the loaded module and then imports it
again.
PowerShell
Import-Module -Name AzureAD -Force
3. Run Get-Module again.
PowerShell
Get-Module -Name AzureAD
You should see output similar to the following:
PowerShell
ModuleType   Version   Name      ExportedCommands
----------   -------   ----      ----------------
Binary       [Link]    AzureAD   {Add-AzureADApplicationOwner, Add-AzureADDeviceRegisteredO...
AzureADPreview module
To use PowerShell commands to do the following:
Assign roles to users or groups
Remove a role assignment
Make a group eligible for a role using Privileged Identity Management
Create custom roles
You must have the following module installed:
AzureADPreview (current version)
Check AzureADPreview version
To check which version of AzureADPreview you have installed, use Get-InstalledModule.
PowerShell
Get-InstalledModule -Name AzureADPreview
You should see output similar to the following:
PowerShell
Version    Name             Repository   Description
-------    ----             ----------   -----------
[Link]     AzureADPreview   PSGallery    Azure Active Directory V2 Preview Module. ...
Install AzureADPreview
If you don't have AzureADPreview installed, use Install-Module to install
AzureADPreview.
PowerShell
Install-Module -Name AzureADPreview
Update AzureADPreview
To update AzureADPreview to the latest version, re-run Install-Module.
PowerShell
Install-Module -Name AzureADPreview
Use AzureADPreview
To use AzureADPreview, follow these steps to make sure it is imported into the current
session.
1. Use Get-Module to check if AzureADPreview is loaded into memory.
PowerShell
Get-Module -Name AzureADPreview
2. If you don't see any output in the previous step, use Import-Module to import
AzureADPreview. The -Force parameter removes the loaded module and then
imports it again.
PowerShell
Import-Module -Name AzureADPreview -Force
3. Run Get-Module again.
PowerShell
Get-Module -Name AzureADPreview
You should see output similar to the following:
PowerShell
ModuleType   Version   Name             ExportedCommands
----------   -------   ----             ----------------
Binary       [Link]    AzureADPreview   {Add-AzureADAdministrativeUnitMember, Add-AzureADApplicati...
Graph Explorer
To manage Azure AD roles using the Microsoft Graph API and Graph Explorer, you must
do the following:
1. Sign in to the Azure portal or Azure AD admin center.
2. Select Azure Active Directory > Enterprise applications.
3. In the applications list, find and select Graph explorer.
4. Select Permissions.
5. Select Grant admin consent for Graph explorer.
6. Use the Graph Explorer tool.
Next steps
Install Azure Active Directory PowerShell for Graph
AzureAD module docs
Graph Explorer
List Azure AD role definitions
Article • 08/21/2022 • 2 minutes to read
A role definition is a collection of permissions that can be performed, such as read,
write, and delete. It's typically just called a role. Azure Active Directory has over 60 built-in
roles, or you can create your own custom roles. If you have ever wondered "What do these
roles really do?", you can see a detailed list of permissions for each of the roles.
This article describes how to list the Azure AD built-in and custom roles along with their
permissions.
Prerequisites
AzureADPreview module when using PowerShell
Admin consent when using Graph explorer for Microsoft Graph API
For more information, see Prerequisites to use PowerShell or Graph Explorer.
Azure portal
1. Sign in to the Azure portal or Azure AD admin center.
2. Select Azure Active Directory > Roles and administrators to see the list of all
available roles.
3. On the right, select the ellipsis and then Description to see the complete list of
permissions for a role.
The page includes links to relevant documentation to help guide you through
managing roles.
PowerShell
Follow these steps to list Azure AD roles using PowerShell.
1. Open a PowerShell window and use Import-Module to import the AzureADPreview
module. For more information, see Prerequisites to use PowerShell or Graph
Explorer.
PowerShell
Import-Module -Name AzureADPreview -Force
2. In a PowerShell window, use Connect-AzureAD to sign in to your tenant.
PowerShell
Connect-AzureAD
3. Use Get-AzureADMSRoleDefinition to get all roles.
PowerShell
Get-AzureADMSRoleDefinition
4. To view the list of permissions of a role, use the following cmdlet.
PowerShell
# Do this to avoid truncation of the list of permissions
$FormatEnumerationLimit = -1
(Get-AzureADMSRoleDefinition -Filter "displayName eq 'Conditional Access Administrator'").RolePermissions | Format-List
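Listing the permissions of one role answers "what can this role do?"; the inverse question, "which roles can do this?", is the one that matters when reviewing who could take over accounts or change security settings. The following is an added example, not code from the Microsoft article: it walks every role definition returned by Get-AzureADMSRoleDefinition and reports the roles whose RolePermissions contain a given resource action. It assumes the AzureADPreview module is imported and Connect-AzureAD has been run; the function name is made up for this example.

```powershell
# Added example, not part of the Microsoft article: find every role, built-in or custom, whose
# permissions include a given resource action. Assumes the AzureADPreview module is imported
# and Connect-AzureAD has been run.

function Find-AzureADRolesWithAction {
    param(
        # Resource action to search for, matched with -like so wildcards work, e.g.
        # 'microsoft.directory/users/password/update' or 'microsoft.directory/users/*'
        [Parameter(Mandatory)] [string] $ResourceAction
    )

    foreach ($role in Get-AzureADMSRoleDefinition) {
        # A role carries one or more RolePermissions entries, each listing AllowedResourceActions
        $matching = @(
            foreach ($perm in $role.RolePermissions) {
                $perm.AllowedResourceActions | Where-Object { $_ -like $ResourceAction }
            }
        )
        if ($matching.Count -gt 0) {
            [pscustomobject]@{
                DisplayName     = $role.DisplayName
                IsBuiltIn       = $role.IsBuiltIn
                TemplateId      = $role.TemplateId
                MatchingActions = ($matching | Sort-Object -Unique) -join ', '
            }
        }
    }
}

# Which roles can change another user's password? Worth knowing when reviewing
# who is in a position to take over accounts.
Find-AzureADRolesWithAction -ResourceAction 'microsoft.directory/users/password/update' | Format-Table -AutoSize
```

Because custom roles are included, the report also surfaces any custom role that was granted a sensitive action it did not need, which is the kind of drift a periodic review should catch.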
Microsoft Graph API
Follow these instructions to list Azure AD roles using the Microsoft Graph API in Graph
Explorer.
1. Sign in to Graph Explorer.
2. Select GET as the HTTP method from the dropdown.
3. Select the API version to v1.0.
4. Add the following query to use the List unifiedRoleDefinitions API.
HTTP
GET [Link]ns
5. Select Run query to list the roles.
6. To view permissions of a role, use the following API.
HTTP
GET [Link]ns?$filter=DisplayName eq 'Conditional Access Administrator'&$select=rolePermissions
Next steps
List Azure AD role assignments.
Assign Azure AD roles to users.
Azure AD built-in roles.
List Azure AD role assignments
Article • 08/21/2022 • 3 minutes to read
This article describes how to list the roles you have assigned in Azure Active Directory
(Azure AD). In Azure AD, roles can be assigned at an organization-wide scope or with a
single-application scope.
Role assignments at the organization-wide scope are added to and can be seen in
the list of single application role assignments.
Role assignments at the single application scope aren't added to and can't be seen
in the list of organization-wide scoped assignments.
Prerequisites
AzureAD module when using PowerShell
Admin consent when using Graph explorer for Microsoft Graph API
For more information, see Prerequisites to use PowerShell or Graph Explorer.
Azure portal
This procedure describes how to list role assignments with organization-wide scope.
1. Sign in to the Azure portal or Azure AD admin center.
2. Select Azure Active Directory > Roles and administrators and then select a role to
open it and view its properties.
3. Select Assignments to list the role assignments.
List my role assignments
It's easy to list your own permissions as well. Select Your Role on the Roles and
administrators page to see the roles that are currently assigned to you.
Download role assignments
To download all active role assignments across all roles, including built-in and custom
roles, follow these steps (currently in Preview).
1. On the Roles and administrators page, select All roles.
2. Select Download assignments.
A CSV file that lists assignments at all scopes for all roles is downloaded.
To download all assignments for a specific role, follow these steps.
1. On the Roles and administrators page, select a role.
2. Select Download assignments.
A CSV file that lists assignments at all scopes for that role is downloaded.
List role assignments with single-application scope
This section describes how to list role assignments with single-application scope. This
feature is currently in public preview.
1. Sign in to the Azure portal or Azure AD admin center.
2. Select Azure Active Directory > App registrations, and then select the app
registration to view its properties. You might have to select All applications to see
the complete list of app registrations in your Azure AD organization.
3. In the app registration, select Roles and administrators, and then select a role to
view its properties.
4. Select Assignments to list the role assignments. Opening the assignments page
from within the app registration shows you the role assignments that are scoped
to this Azure AD resource.
PowerShell
This section describes how to view the assignments of a role with organization-wide scope.
This article uses the Azure Active Directory PowerShell Version 2 module. To view
single-application scope assignments using PowerShell, you can use the cmdlets in Assign
custom roles with PowerShell.
Use the Get-AzureADMSRoleDefinition and Get-AzureADMSRoleAssignment commands
to list role assignments.
The following example shows how to list the role assignments for the Groups
Administrator role.
PowerShell
# Fetch list of all directory roles with template ID
Get-AzureADMSRoleDefinition
# Fetch a specific directory role by ID
$role = Get-AzureADMSRoleDefinition -Id "fdd7a751-b60b-444a-984c-02652fe8fa1c"
# Fetch membership for a role
Get-AzureADMSRoleAssignment -Filter "roleDefinitionId eq '$($[Link])'"
Example
RoleDefinitionId                     PrincipalId                          DirectoryScopeId
----------------                     -----------                          ----------------
fdd7a751-b60b-444a-984c-02652fe8fa1c 04f632c3-8065-4466-9e30-e71ec81b3c36 /administrativeUnits/3883b136-67f0-412c-9b...
The following example shows how to list all active role assignments across all roles,
including built-in and custom roles (currently in Preview).
PowerShell
$roles = Get-AzureADMSRoleDefinition
foreach ($role in $roles)
{
Get-AzureADMSRoleAssignment -Filter "roleDefinitionId eq '$($[Link])'"
}
Example
RoleDefinitionId                     PrincipalId                          DirectoryScopeId   Id
----------------                     -----------                          ----------------   --
e8611ab8-c189-46e8-94e1-60213ab1f814 9f9fb383-3148-46a7-9cec-5bf93f8a879c /                  uB2o6InB6EaU4WAhOrH4FHwni...
e8611ab8-c189-46e8-94e1-60213ab1f814 027c8aba-2e94-49a8-974b-401e5838b2a0 /                  uB2o6InB6EaU4WAhOrH4FEqdn...
fdd7a751-b60b-444a-984c-02652fe8fa1c 04f632c3-8065-4466-9e30-e71ec81b3c36 /administrati...   UafX_Qu2SkSYTAJlL-j6HL5Dr...
...
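The loop above returns only GUIDs, which makes the output hard to review. The following is an added example, not code from the Microsoft article: it runs the same per-role query, attaches the role name, resolves each principal to its display name and object type with Get-AzureADObjectByObjectId, and writes the result to CSV. It assumes the AzureADPreview module is imported and Connect-AzureAD has been run; the function name and the output path are made up for this example.

```powershell
# Added example, not part of the Microsoft article: export every active role assignment across
# all roles with the role name and the principal resolved to a display name and object type.
# Assumes the AzureADPreview module is imported and Connect-AzureAD has been run.

function Export-AzureADRoleAssignmentReport {
    param([Parameter(Mandatory)] [string] $Path)   # output CSV path (constructed placeholder below)

    # One row per assignment, carrying the role name alongside the raw IDs
    $assignments = foreach ($role in Get-AzureADMSRoleDefinition) {
        foreach ($a in Get-AzureADMSRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'") {
            [pscustomobject]@{
                RoleName         = $role.DisplayName
                IsBuiltIn        = $role.IsBuiltIn
                RoleDefinitionId = $a.RoleDefinitionId
                PrincipalId      = $a.PrincipalId
                DirectoryScopeId = $a.DirectoryScopeId
                AssignmentId     = $a.Id
            }
        }
    }

    # Resolve principals in batches of 100; Get-AzureADObjectByObjectId accepts many IDs per call
    $principals = @{}
    $ids = @($assignments | ForEach-Object { $_.PrincipalId } | Sort-Object -Unique)
    for ($i = 0; $i -lt $ids.Count; $i += 100) {
        $batch = $ids[$i..([Math]::Min($i + 99, $ids.Count - 1))]
        foreach ($obj in Get-AzureADObjectByObjectId -ObjectIds $batch) {
            $principals[$obj.ObjectId] = $obj
        }
    }

    $report = foreach ($a in $assignments) {
        $p = $principals[$a.PrincipalId]   # $null when the principal no longer resolves (deleted?)
        [pscustomobject]@{
            RoleName          = $a.RoleName
            IsBuiltIn         = $a.IsBuiltIn
            PrincipalType     = if ($p) { $p.ObjectType } else { 'Unresolved' }
            PrincipalName     = if ($p) { $p.DisplayName } else { $a.PrincipalId }
            UserPrincipalName = if ($p -and $p.ObjectType -eq 'User') { $p.UserPrincipalName } else { '' }
            DirectoryScopeId  = $a.DirectoryScopeId
            AssignmentId      = $a.AssignmentId
        }
    }

    $report | Export-Csv -Path $Path -NoTypeInformation
    return $report
}

$report = Export-AzureADRoleAssignmentReport -Path '.\role-assignments.csv'   # constructed path

# Quick review question: who holds Global Administrator at tenant scope, broken down by principal type?
$report |
    Where-Object { $_.RoleName -eq 'Global Administrator' -and $_.DirectoryScopeId -eq '/' } |
    Group-Object PrincipalType |
    Select-Object Name, Count
```

Rows with PrincipalType set to Unresolved deserve attention: an assignment whose principal cannot be resolved is usually a stale assignment and should be cleaned up. Note that, as the article states, this lists organization-wide (and administrative-unit) scoped assignments only; single-application scope assignments are not included.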
Microsoft Graph API
This section describes how to list role assignments with organization-wide scope. To list
single-application scope role assignments using Graph API, you can use the operations
in Assign custom roles with Graph API.
Use the List unifiedRoleAssignments API to get the role assignments for a specific role
definition. The following example shows how to list the role assignments for a specific
role definition with the ID 3671d40a-1aac-426c-a0c1-a3821ebd8218.
HTTP
GET [Link]ilter=roleDefinitionId eq '<template-id-of-role-definition>'
Response
HTTP
HTTP/1.1 200 OK
{
  "id": "CtRxNqwabEKgwaOCHr2CGJIiSDKQoTVJrLE9etXyrY0-1",
  "principalId": "ab2e1023-bddc-4038-9ac1-ad4843e7e539",
  "roleDefinitionId": "3671d40a-1aac-426c-a0c1-a3821ebd8218",
  "directoryScopeId": "/"
}
Next steps
Feel free to share with us on the Azure AD administrative roles forum.
For more about role permissions, see Azure AD built-in roles.
For default user permissions, see a comparison of default guest and member user
permissions.
List Azure AD role assignments for a
user
Article • 08/21/2022 • 2 minutes to read
A role can be assigned to a user directly or transitively via a group. This article describes
how to list the Azure AD roles assigned to a user. For information about assigning roles
to groups, see Use Azure AD groups to manage role assignments.
Prerequisites
AzureADPreview module when using PowerShell
[Link] module when using PowerShell
Admin consent when using Graph Explorer for Microsoft Graph API
For more information, see Prerequisites to use PowerShell or Graph Explorer.
Azure portal
Follow these steps to list Azure AD roles for a user using the Azure portal. Your
experience will be different depending on whether you have Azure AD Privileged
Identity Management (PIM) enabled.
1. Sign in to the Azure portal or Azure AD admin center.
2. Select Azure Active Directory > Users > user name > Assigned roles.
You can see the list of roles assigned to the user at different scopes. Additionally,
you can see whether the role has been assigned directly or via group.
If you have a Premium P2 license, you will see the PIM experience, which has
eligible, active, and expired role assignment details.
PowerShell
Follow these steps to list Azure AD roles assigned to a user using PowerShell.
1. Install [Link] module using Install-module.
PowerShell
Install-module -name [Link]
2. In a PowerShell window, use Connect-MgGraph to sign in and use Microsoft Graph
PowerShell cmdlets.
PowerShell
Connect-MgGraph
3. Use the List transitiveRoleAssignments API to get roles assigned directly and
transitively to a user.
PowerShell
$response = $null
$uri = "[Link]leAssignments?`$count=true&`$filter=principalId eq '6b937a9d-c731-465b-a844-2d5b5368c161'"
$method = 'GET'
$headers = @{'ConsistencyLevel' = 'eventual'}
$response = (Invoke-MgGraphRequest -Uri $uri -Headers $headers -Method $method -Body $null).value
Microsoft Graph API
Follow these steps to list Azure AD roles assigned to a user using the Microsoft Graph
API in Graph Explorer.
1. Sign in to Graph Explorer.
2. Use the List transitiveRoleAssignments API to get roles assigned directly and
transitively to a user. Add the following query to the URL.
HTTP
GET [Link]eAssignments?$count=true&$filter=principalId eq '6b937a9d-c731-465b-a844-2d5b5368c161'
3. Navigate to Request headers tab. Add ConsistencyLevel as key and Eventual as
its value.
4. Select Run query.
Next steps
List Azure AD role assignments.
Assign Azure AD roles to users.
Assign Azure AD roles to groups
View roles assigned to a group in Azure
Active Directory
Article • 08/21/2022 • 2 minutes to read
This section describes how to view the roles assigned to a group using the Azure portal,
PowerShell, or the Microsoft Graph API. Viewing groups and their assigned roles is a
default user permission.
Prerequisites
AzureAD module when using PowerShell
Admin consent when using Graph explorer for Microsoft Graph API
For more information, see Prerequisites to use PowerShell or Graph Explorer.
Azure portal
1. Sign in to the Azure portal or Azure AD admin center.
2. Select Azure Active Directory > Groups.
3. Select a role-assignable group that you are interested in.
4. Select Assigned roles. You can now see all the Azure AD roles assigned to this
group.
PowerShell
Get object ID of the group
PowerShell
Get-AzureADMSGroup -SearchString "Contoso_Helpdesk_Administrators"
View role assignment to a group
PowerShell
Get-AzureADMSRoleAssignment -Filter "principalId eq '<object id of group>'"
Microsoft Graph API
Get object ID of the group
Use the Get group API to get a group.
HTTP
GET [Link]$filter=displayName+eq+'Contoso_Helpdesk_Administrator'
Get role assignments to a group
Use the List unifiedRoleAssignments API to get the role assignment.
HTTP
GET [Link]$filter=principalId eq
Next steps
Use Azure AD groups to manage role assignments
Troubleshoot Azure AD roles assigned to groups
Assign Azure AD roles to users
Article • 08/21/2022 • 5 minutes to read
To grant access to users in Azure Active Directory (Azure AD), you assign Azure AD roles.
A role is a collection of permissions. This article describes how to assign Azure AD roles
using the Azure portal and PowerShell.
Prerequisites
Privileged Role Administrator or Global Administrator. To find out who your
Privileged Role Administrator or Global Administrator is, see List Azure AD role
assignments.
Azure AD Premium P2 license when using Privileged Identity Management (PIM)
AzureADPreview module when using PowerShell
Admin consent when using Graph explorer for Microsoft Graph API
For more information, see Prerequisites to use PowerShell or Graph Explorer.
Azure portal
Follow these steps to assign Azure AD roles using the Azure portal. Your experience will
be different depending on whether you have Azure AD Privileged Identity Management
(PIM) enabled.
Assign a role
1. Sign in to the Azure portal or Azure AD admin center.
2. Select Azure Active Directory > Roles and administrators to see the list of all
available roles.
3. Select a role to see its assignments.
To help you find the role you need, use Add filters to filter the roles.
4. Select Add assignments and then select the users you want to assign to this role.
If you see something different from the following picture, you might have PIM
enabled. See the next section.
5. Select Add to assign the role.
Assign a role using PIM
If you have Azure AD Privileged Identity Management (PIM) enabled, you have
additional role assignment capabilities. For example, you can make a user eligible for a
role or set the duration. When PIM is enabled, there are two ways that you can assign
roles using the Azure portal. You can use the Roles and administrators page or the PIM
experience. Either way uses the same PIM service.
Follow these steps to assign roles using the Roles and administrators page. If you
want to assign roles using the Privileged Identity Management page, see Assign Azure
AD roles in Privileged Identity Management.
1. Sign in to the Azure portal or Azure AD admin center.
2. Select Azure Active Directory > Roles and administrators to see the list of all
available roles.
3. Select a role to see its eligible, active, and expired role assignments.
To help you find the role you need, use Add filters to filter the roles.
4. Select Add assignments.
5. Select No member selected and then select the users you want to assign to this
role.
6. Select Next.
7. On the Setting tab, select whether you want to make this role assignment Eligible
or Active.
An eligible role assignment means that the user must perform one or more actions
to use the role. An active role assignment means that the user doesn't have to
perform any action to use the role. For more information about what these settings
mean, see PIM terminology.
8. Use the remaining options to set the duration for the assignment.
9. Select Assign to assign the role.
PowerShell
Follow these steps to assign Azure AD roles using PowerShell.
Setup
1. Open a PowerShell window and use Import-Module to import the AzureADPreview
module. For more information, see Prerequisites to use PowerShell or Graph
Explorer.
Import-Module -Name AzureADPreview -Force
2. In a PowerShell window, use Connect-AzureAD to sign in to your tenant.
Connect-AzureAD
3. Use Get-AzureADUser to get the user you want to assign a role to.
$user = Get-AzureADUser -Filter "userPrincipalName eq 'user@[Link]'"
Assign a role
1. Use Get-AzureADMSRoleDefinition to get the role you want to assign.
$roleDefinition = Get-AzureADMSRoleDefinition -Filter "displayName eq 'Billing Administrator'"
2. Use New-AzureADMSRoleAssignment to assign the role.
$roleAssignment = New-AzureADMSRoleAssignment -DirectoryScopeId '/' -RoleDefinitionId $[Link] -PrincipalId $[Link]
Assign a role as eligible using PIM
If PIM is enabled, you have additional capabilities, such as making a user eligible for a
role assignment or defining the start and end time for a role assignment. These
capabilities use a different set of PowerShell commands. For more information about
using PowerShell and PIM, see PowerShell for Azure AD roles in Privileged Identity
Management.
1. Use Get-AzureADMSRoleDefinition to get the role you want to assign.
$roleDefinition = Get-AzureADMSRoleDefinition -Filter "displayName eq 'Billing Administrator'"
2. Use Get-AzureADMSPrivilegedResource to get the privileged resource. In this case,
your tenant.
$aadTenant = Get-AzureADMSPrivilegedResource -ProviderId aadRoles
3. Use New-Object to create a new AzureADMSPrivilegedSchedule object to define the
start and end time of the role assignment.
$schedule = New-Object [Link]
$[Link] = "Once"
$[Link] = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:[Link]")
$[Link] = "2021-07-25T[Link].000Z"
4. Use Open-AzureADMSPrivilegedRoleAssignmentRequest to assign the role as
eligible.
$roleAssignmentEligible = Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId 'aadRoles' -ResourceId $[Link] -RoleDefinitionId $[Link] -SubjectId $[Link] -Type 'AdminAdd' -AssignmentState 'Eligible' -schedule $schedule -reason "Review billing info"
Microsoft Graph API
Follow these instructions to assign a role using the Microsoft Graph API.
Assign a role
In this example, a security principal with objectID f8ca5a85-489a-49a0-b555-0a6d81e56f0d
is assigned the Billing Administrator role (role definition ID b0f54661-2d74-4c50-afa3-1ec803f12efe)
at tenant scope. To see the list of immutable role template IDs of all built-in roles,
see Azure AD built-in roles.
POST [Link]
Content-type: application/json
{
  "@[Link]": "#[Link]",
  "roleDefinitionId": "b0f54661-2d74-4c50-afa3-1ec803f12efe",
  "principalId": "f8ca5a85-489a-49a0-b555-0a6d81e56f0d",
  "directoryScopeId": "/"
}
Assign a role using PIM
Assign a time-bound eligible role assignment
In this example, a security principal with objectID f8ca5a85-489a-49a0-b555-0a6d81e56f0d
is assigned a time-bound eligible role assignment to Billing Administrator (role
definition ID b0f54661-2d74-4c50-afa3-1ec803f12efe ) for 180 days.
POST [Link]eduleRequests
Content-type: application/json
{
  "action": "adminAssign",
  "justification": "for managing admin tasks",
  "directoryScopeId": "/",
  "principalId": "f8ca5a85-489a-49a0-b555-0a6d81e56f0d",
  "roleDefinitionId": "b0f54661-2d74-4c50-afa3-1ec803f12efe",
  "scheduleInfo": {
    "startDateTime": "2021-07-15T[Link].941Z",
    "expiration": {
      "type": "afterDuration",
      "duration": "PT180D"
    }
  }
}
Assign a permanent eligible role assignment
In the following example, a security principal is assigned a permanent eligible role
assignment to Billing Administrator.
POST [Link]eduleRequests
Content-type: application/json
{
  "action": "adminAssign",
  "justification": "for managing admin tasks",
  "directoryScopeId": "/",
  "principalId": "f8ca5a85-489a-49a0-b555-0a6d81e56f0d",
  "roleDefinitionId": "b0f54661-2d74-4c50-afa3-1ec803f12efe",
  "scheduleInfo": {
    "startDateTime": "2021-07-15T[Link].941Z",
    "expiration": {
      "type": "noExpiration"
    }
  }
}
Activate a role assignment
To activate the role assignment, use the Create roleAssignmentScheduleRequests API.
POST [Link]duleRequests
Content-type: application/json
{
  "action": "selfActivate",
  "justification": "activating role assignment for admin privileges",
  "roleDefinitionId": "b0f54661-2d74-4c50-afa3-1ec803f12efe",
  "directoryScopeId": "/",
  "principalId": "f8ca5a85-489a-49a0-b555-0a6d81e56f0d"
}
For more information about managing Azure AD roles through the PIM API in Microsoft
Graph, see Overview of role management through the privileged identity management
(PIM) API.
Next steps
List Azure AD role assignments
Assign custom roles with resource scope using PowerShell
Azure AD built-in roles
Assign Azure AD roles at different
scopes
Article • 08/21/2022 • 6 minutes to read
In Azure Active Directory (Azure AD), you typically assign Azure AD roles so that they
apply to the entire tenant. However, you can also assign Azure AD roles for different
resources, such as administrative units or application registrations. For example, you
could assign the Helpdesk Administrator role so that it applies only to a particular
administrative unit and not the entire tenant. The set of resources that a role assignment
applies to is also called the scope. This article describes how to assign Azure AD roles at
tenant, administrative unit, and application registration scopes. For more information
about scope, see Overview of RBAC in Azure AD.
Prerequisites
Privileged Role Administrator or Global Administrator.
AzureADPreview module when using PowerShell.
Admin consent when using Graph explorer for Microsoft Graph API.
For more information, see Prerequisites to use PowerShell or Graph Explorer.
Assign roles scoped to the tenant
This section describes how to assign roles at the tenant scope.
Azure portal
1. Sign in to the Azure portal or Azure AD admin center.
2. Select Azure Active Directory > Roles and administrators to see the list of all
available roles.
3. Select a role to see its assignments. To help you find the role you need, use Add
filters to filter the roles.
4. Select Add assignments and then select the users you want to assign to this role.
5. Select Add to assign the role.
PowerShell
Follow these steps to assign Azure AD roles using PowerShell.
1. Open a PowerShell window and use Import-Module to import the AzureADPreview
module. For more information, see Prerequisites to use PowerShell or Graph
Explorer.
PowerShell
Import-Module -Name AzureADPreview -Force
2. In a PowerShell window, use Connect-AzureAD to sign in to your tenant.
PowerShell
Connect-AzureAD
3. Use Get-AzureADUser to get the user.
PowerShell
$user = Get-AzureADUser -Filter "userPrincipalName eq 'alice@[Link]'"
4. Use Get-AzureADMSRoleDefinition to get the role you want to assign.
PowerShell
$roleDefinition = Get-AzureADMSRoleDefinition -Filter "displayName eq 'Billing Administrator'"
5. Set tenant as scope of role assignment.
PowerShell
$directoryScope = '/'
6. Use New-AzureADMSRoleAssignment to assign the role.
PowerShell
$roleAssignment = New-AzureADMSRoleAssignment -DirectoryScopeId $directoryScope -RoleDefinitionId $[Link] -PrincipalId $[Link]
Microsoft Graph API
Follow these instructions to assign a role using the Microsoft Graph API in Graph
Explorer.
1. Sign in to Graph Explorer.
2. Use List users API to get the user.
HTTP
GET [Link] eq 'alice@[Link]'
3. Use the List unifiedRoleDefinitions API to get the role you want to assign.
HTTP
GET [Link]ns?$filter=displayName eq 'Billing Administrator'
4. Use the Create unifiedRoleAssignment API to assign the role.
HTTP
POST [Link]ts
{
  "@[Link]": "#[Link]",
  "principalId": "<provide objectId of the user obtained above>",
  "roleDefinitionId": "<provide templateId of the role obtained above>",
  "directoryScopeId": "/"
}
Assign roles scoped to an administrative unit
This section describes how to assign roles at an administrative unit scope.
Azure portal
1. Sign in to the Azure portal or Azure AD admin center.
2. Select Azure Active Directory > Administrative units to see the list of all
administrative units.
3. Select an administrative unit.
4. Select Roles and administrators from the left nav menu to see the list of all roles
available to be assigned over an administrative unit.
5. Select the desired role.
6. Select Add assignments and then select the users or group you want to assign this
role to.
7. Select Add to assign the role scoped over the administrative unit.
Note
You will not see the entire list of Azure AD built-in or custom roles here. This is
expected. We show the roles which have permissions related to the objects that are
supported within the administrative unit. Refer to this documentation to see the
list of objects supported within an administrative unit.
PowerShell
Follow these steps to assign Azure AD roles at administrative unit scope using
PowerShell.
1. Open a PowerShell window and use Import-Module to import the AzureADPreview
module. For more information, see Prerequisites to use PowerShell or Graph
Explorer.
PowerShell
Import-Module -Name AzureADPreview -Force
2. In a PowerShell window, use Connect-AzureAD to sign in to your tenant.
PowerShell
Connect-AzureAD
3. Use Get-AzureADUser to get the user.
PowerShell
$user = Get-AzureADUser -Filter "userPrincipalName eq 'alice@[Link]'"
4. Use Get-AzureADMSRoleDefinition to get the role you want to assign.
PowerShell
$roleDefinition = Get-AzureADMSRoleDefinition -Filter "displayName eq 'User Administrator'"
5. Use Get-AzureADMSAdministrativeUnit to get the administrative unit you want the
role assignment to be scoped to.
PowerShell
$adminUnit = Get-AzureADMSAdministrativeUnit -Filter "displayName eq 'Seattle Admin Unit'"
$directoryScope = '/administrativeUnits/' + $[Link]
6. Use New-AzureADMSRoleAssignment to assign the role.
PowerShell
$roleAssignment = New-AzureADMSRoleAssignment -DirectoryScopeId $directoryScope -RoleDefinitionId $[Link] -PrincipalId $[Link]
Microsoft Graph API
Follow these instructions to assign a role at administrative unit scope using the
Microsoft Graph API in Graph Explorer .
1. Sign in to the Graph Explorer .
2. Use List users API to get the user.
HTTP
GET [Link] eq 'alice@[Link]'
3. Use the List unifiedRoleDefinitions API to get the role you want to assign.
HTTP
GET [Link]ns?$filter=displayName eq 'User Administrator'
4. Use the List administrativeUnits API to get the administrative unit you want the
role assignment to be scoped to.
HTTP
GET [Link]$filter=displayName eq 'Seattle Admin Unit'
5. Use the Create unifiedRoleAssignment API to assign the role.
HTTP
POST [Link]ts
{
    "@[Link]": "#[Link]",
    "principalId": "<provide objectId of the user obtained above>",
    "roleDefinitionId": "<provide templateId of the role obtained above>",
    "directoryScopeId": "/administrativeUnits/<provide objectId of the admin unit obtained above>"
}
Note
Here directoryScopeId is specified as /administrativeUnits/foo, instead of /foo. It is
by design. The scope /administrativeUnits/foo means the principal can manage the
members of the administrative unit (based on the role that she is assigned), not the
administrative unit itself. The scope of /foo means the principal can manage that
Azure AD object itself. In the subsequent section, you will see that the scope is /foo
because a role scoped over an app registration grants the privilege to manage the
object itself.
Assign roles scoped to an app registration
This section describes how to assign roles at an application registration scope.
Azure portal
1. Sign in to the Azure portal or Azure AD admin center .
2. Select Azure Active Directory > App registrations to see the list of all app
registrations.
3. Select an application. You can use search box to find the desired app.
4. Select Roles and administrators from the left nav menu to see the list of all roles
available to be assigned over the app registration.
5. Select the desired role.
6. Select Add assignments and then select the users or group you want to assign this
role to.
7. Select Add to assign the role scoped over the app registration.
Note
You will not see the entire list of Azure AD built-in or custom roles here. This is
expected. We show the roles which have permissions related to managing app
registrations only.
PowerShell
Follow these steps to assign Azure AD roles at application scope using PowerShell.
1. Open a PowerShell window and use Import-Module to import the AzureADPreview
module. For more information, see Prerequisites to use PowerShell or Graph
Explorer.
PowerShell
Import-Module -Name AzureADPreview -Force
2. In a PowerShell window, use Connect-AzureAD to sign in to your tenant.
PowerShell
Connect-AzureAD
3. Use Get-AzureADUser to get the user.
PowerShell
$user = Get-AzureADUser -Filter "userPrincipalName eq 'alice@[Link]'"
4. Use Get-AzureADMSRoleDefinition to get the role you want to assign.
PowerShell
$roleDefinition = Get-AzureADMSRoleDefinition -Filter "displayName eq 'Application Administrator'"
5. Use Get-AzureADApplication to get the app registration you want the role
assignment to be scoped to.
PowerShell
$appRegistration = Get-AzureADApplication -Filter "displayName eq 'f/128 Filter Photos'"
$directoryScope = '/' + $[Link]
6. Use New-AzureADMSRoleAssignment to assign the role.
PowerShell
$roleAssignment = New-AzureADMSRoleAssignment -DirectoryScopeId $directoryScope -RoleDefinitionId $[Link] -PrincipalId $[Link]
Microsoft Graph API
Follow these instructions to assign a role at application scope using the Microsoft Graph
API in Graph Explorer .
1. Sign in to the Graph Explorer .
2. Use List users API to get the user.
HTTP
GET [Link] eq 'alice@[Link]'
3. Use the List unifiedRoleDefinitions API to get the role you want to assign.
HTTP
GET [Link]ns?$filter=displayName eq 'Application Administrator'
4. Use the List applications API to get the app registration you want the role
assignment to be scoped to.
HTTP
GET [Link] eq 'f/128 Filter Photos'
5. Use the Create unifiedRoleAssignment API to assign the role.
HTTP
POST [Link]ts
{
    "@[Link]": "#[Link]",
    "principalId": "<provide objectId of the user obtained above>",
    "roleDefinitionId": "<provide templateId of the role obtained above>",
    "directoryScopeId": "/<provide objectId of the app registration obtained above>"
}
Note
Here directoryScopeId is specified as /foo, unlike the section above. It is by design.
The scope of /foo means the principal can manage that Azure AD object. The scope
/administrativeUnits/foo means the principal can manage the members of the
administrative unit (based on the role that she is assigned), not the administrative
unit itself.
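The scope rules in the two notes above (tenant-wide is '/', '/administrativeUnits/<id>' grants control over the members of an administrative unit, and '/<id>' grants control over the object itself) are easy to get wrong in automation, and a wrong string either fails with a 400 or silently grants a different thing than intended. The following Python is an added example, not code from the Microsoft documentation or from the AzureAD module: it builds and classifies directoryScopeId values for the three scope kinds and assembles the unifiedRoleAssignment body shown above. The `@odata.type` string is the one the Graph API reference documents (the page's copy of it is garbled), and every id is a constructed sample value.

```python
"""Build and classify directoryScopeId values for Azure AD role assignments.

Added example (not code from the Microsoft documentation): encodes the three
scope shapes this page uses and builds the unifiedRoleAssignment request body.
"""
import re
from typing import Dict, Optional, Tuple

# @odata.type for a unifiedRoleAssignment body, taken from the Graph API reference
# because the page's copy of the value is garbled.
ODATA_TYPE = "#microsoft.graph.unifiedRoleAssignment"

_GUID = r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
_GUID_RE = re.compile(rf"^{_GUID}$")
_AU_SCOPE_RE = re.compile(rf"^/administrativeUnits/({_GUID})$")
_OBJECT_SCOPE_RE = re.compile(rf"^/({_GUID})$")


def _require_guid(value: Optional[str], what: str) -> str:
    if value is None or not _GUID_RE.match(value):
        raise ValueError(f"{what} must be a GUID, got {value!r}")
    return value.lower()


def build_directory_scope_id(kind: str, object_id: Optional[str] = None) -> str:
    """Return the directoryScopeId for one of the three scope kinds on this page.

    'tenant'             -> '/'                          (whole directory)
    'administrativeUnit' -> '/administrativeUnits/<id>'  (manage the AU's members)
    'object'             -> '/<id>'                      (manage that object itself,
                                                          e.g. an app registration)
    """
    if kind == "tenant":
        if object_id is not None:
            raise ValueError("tenant scope takes no object id")
        return "/"
    if kind == "administrativeUnit":
        return "/administrativeUnits/" + _require_guid(object_id, "administrative unit id")
    if kind == "object":
        return "/" + _require_guid(object_id, "object id")
    raise ValueError(f"unknown scope kind {kind!r}")


def classify_directory_scope(scope: str) -> Tuple[str, Optional[str]]:
    """Inverse of build_directory_scope_id: returns (kind, object id or None).

    Useful when reviewing existing assignments: '/administrativeUnits/<id>' and
    '/<id>' with the same GUID grant different things (members of the AU versus
    the object itself), so an audit must not conflate them.
    """
    if scope == "/":
        return ("tenant", None)
    m = _AU_SCOPE_RE.match(scope)
    if m:
        return ("administrativeUnit", m.group(1).lower())
    m = _OBJECT_SCOPE_RE.match(scope)
    if m:
        return ("object", m.group(1).lower())
    raise ValueError(f"unrecognised directoryScopeId {scope!r}")


def build_role_assignment_body(principal_id: str, role_template_id: str,
                               directory_scope_id: str) -> Dict[str, str]:
    """Body for the Create unifiedRoleAssignment request.

    The scope is validated before it is sent, so a typo such as
    '/administrativeUnit/<id>' is rejected here instead of surfacing as a 400.
    """
    classify_directory_scope(directory_scope_id)  # raises on a malformed scope
    return {
        "@odata.type": ODATA_TYPE,
        "principalId": _require_guid(principal_id, "principalId"),
        "roleDefinitionId": _require_guid(role_template_id, "roleDefinitionId"),
        "directoryScopeId": directory_scope_id,
    }


if __name__ == "__main__":
    # Constructed sample ids, not real tenant data.
    user = "0b5a8f2e-5d2c-4d3a-9e1f-7c6b5a4d3e2f"
    role = "fe930be7-5e62-47db-91af-98c3a49a38b1"
    au = "6f1c2a9e-3b5d-4c7e-9a1b-2d3e4f5a6b7c"
    scope = build_directory_scope_id("administrativeUnit", au)
    print(build_role_assignment_body(user, role, scope))
    print(classify_directory_scope(scope))
```

The body returned by `build_role_assignment_body` is what the POST in each of the three Graph sections above sends; only the `directoryScopeId` differs between them.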
Next steps
List Azure AD role assignments.
Assign Azure AD roles to users.
Assign Azure AD roles to groups
Create a role-assignable group in Azure
Active Directory
Article • 08/21/2022 • 2 minutes to read
You can only assign a role to a group that was created with the ‘isAssignableToRole’
property set to True, or was created in the Azure portal with Azure AD roles can be
assigned to the group turned on. This group attribute makes the group one that can be
assigned to a role in Azure Active Directory (Azure AD). This article describes how to
create this special kind of group. Note: A group with isAssignableToRole property set to
true cannot be of dynamic membership type. For more information, see Use Azure AD
groups to manage role assignments.
Prerequisites
Azure AD Premium P1 or P2 license
Privileged Role Administrator or Global Administrator
AzureAD module when using PowerShell
Admin consent when using Graph explorer for Microsoft Graph API
For more information, see Prerequisites to use PowerShell or Graph Explorer.
Azure portal
1. Sign in to the Azure portal or Azure AD admin center .
2. Select Azure Active Directory > Groups > All groups > New group.
3. On the New Group tab, provide group type, name and description.
4. Turn on Azure AD roles can be assigned to the group. This switch is visible only to
Privileged Role Administrators and Global Administrators because these are the only
two roles that can set the switch.
5. Select the members and owners for the group. You also have the option to assign
roles to the group, but assigning a role isn't required here.
6. After the members and owners are specified, select Create.
The group is created with any roles you might have assigned to it.
PowerShell
Create a group that can be assigned to role
PowerShell
$group = New-AzureADMSGroup -DisplayName "Contoso_Helpdesk_Administrators" -Description "This group is assigned to Helpdesk Administrator built-in role in Azure AD." -MailEnabled $false -SecurityEnabled $true -MailNickName "contosohelpdeskadministrators" -IsAssignableToRole $true
For this type of group, isPublic will always be false and isSecurityEnabled will always
be true.
Copy one group's users and service principals into a role-assignable group
PowerShell
#Basic set up
Install-Module -Name AzureAD
Import-Module -Name AzureAD
Get-Module -Name AzureAD
#Connect to Azure AD. Sign in as Privileged Role Administrator or Global Administrator. Only these two roles can create a role-assignable group.
Connect-AzureAD
#Input variables: Existing group
$idOfExistingGroup = "14044411-d170-4cb0-99db-263ca3740a0c"
#Input variables: New role-assignable group
$groupName = "Contoso_Bellevue_Admins"
$groupDescription = "This group is assigned to Helpdesk Administrator built-in role in Azure AD."
$mailNickname = "contosobellevueadmins"
#Create new security group which is a role assignable group. For creating a Microsoft 365 group, set GroupTypes="Unified" and MailEnabled=$true
$roleAssignablegroup = New-AzureADMSGroup -DisplayName $groupName -Description $groupDescription -MailEnabled $false -MailNickname $mailNickname -SecurityEnabled $true -IsAssignableToRole $true
#Get details of existing group. -All $true returns every member instead of only the default first page, so large groups are not silently truncated.
$existingGroup = Get-AzureADMSGroup -Id $idOfExistingGroup
$membersOfExistingGroup = Get-AzureADGroupMember -ObjectId $[Link] -All $true
#Copy users and service principals from existing group to new group. Other member types (for example nested groups) are skipped.
foreach($member in $membersOfExistingGroup){
    if($[Link] -eq 'User' -or $[Link] -eq 'ServicePrincipal'){
        Add-AzureADGroupMember -ObjectId $[Link] -RefObjectId $[Link]
    }
}
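The rules this article states for a role-assignable group (isAssignableToRole set at creation, securityEnabled always true, isPublic always false, no dynamic membership) and the member filter in the copy script above can both be checked before anything is sent to the service. The following Python is an added example, not the page's script and not part of any Microsoft module: it validates a group-creation body in the shape of the Graph request below against those rules, and splits a member listing into the users and service principals that the copy script would add and the entries it would skip, so that nothing is dropped silently. The `@odata.type` values are the documented Graph types for users, service principals and groups; the sample group and member list are constructed.

```python
"""Validate a role-assignable group body and choose which members to copy.

Added example (not the page's script): mirrors the rules this page states for
isAssignableToRole groups and the member filter in the PowerShell copy script.
"""
from typing import Any, Dict, List, Tuple

# Graph @odata.type values for group members (documented Graph resource types).
USER_TYPE = "#microsoft.graph.user"
SERVICE_PRINCIPAL_TYPE = "#microsoft.graph.servicePrincipal"


def validate_role_assignable_group(group: Dict[str, Any]) -> List[str]:
    """Return the rule violations in a group-creation body (empty list means OK)."""
    problems: List[str] = []
    group_types = group.get("groupTypes", [])
    if group.get("isAssignableToRole") is not True:
        problems.append("isAssignableToRole must be true and can only be set at creation")
    # isSecurityEnabled is always true for this kind of group
    if group.get("securityEnabled") is not True:
        problems.append("securityEnabled must be true")
    # a role-assignable group cannot be of dynamic membership type
    if "DynamicMembership" in group_types or group.get("membershipRule"):
        problems.append("dynamic membership is not allowed for a role-assignable group")
    # isPublic is always false, so a Microsoft 365 group must be Private
    if "Unified" in group_types and group.get("visibility", "Private") != "Private":
        problems.append("a role-assignable Microsoft 365 group must have visibility Private")
    if not group.get("mailNickname"):
        problems.append("mailNickname is required")
    return problems


def select_members_to_copy(
    members: List[Dict[str, Any]],
) -> Tuple[List[str], List[Dict[str, str]]]:
    """Split a member listing into ids to add and entries that were skipped.

    The page's PowerShell copies only users and service principals; anything
    else (nested groups, devices) is reported here rather than silently dropped.
    Duplicate ids are added once, so the same member is not submitted twice.
    """
    keep: List[str] = []
    skipped: List[Dict[str, str]] = []
    seen = set()
    for member in members:
        member_type = member.get("@odata.type", "")
        member_id = member.get("id", "")
        if member_id in seen:
            continue
        seen.add(member_id)
        if member_type in (USER_TYPE, SERVICE_PRINCIPAL_TYPE):
            keep.append(member_id)
        else:
            skipped.append({"id": member_id, "type": member_type})
    return keep, skipped


# Constructed sample input, not real tenant data.
SAMPLE_GROUP = {
    "displayName": "Contoso_Helpdesk_Administrators",
    "description": "Assigned the Helpdesk Administrator built-in role.",
    "groupTypes": ["Unified"],
    "isAssignableToRole": True,
    "mailEnabled": True,
    "securityEnabled": True,
    "mailNickname": "contosohelpdeskadministrators",
    "visibility": "Private",
}

SAMPLE_MEMBERS = [
    {"@odata.type": "#microsoft.graph.user", "id": "11111111-1111-4111-8111-111111111111"},
    {"@odata.type": "#microsoft.graph.servicePrincipal", "id": "22222222-2222-4222-8222-222222222222"},
    {"@odata.type": "#microsoft.graph.group", "id": "33333333-3333-4333-8333-333333333333"},
    {"@odata.type": "#microsoft.graph.user", "id": "11111111-1111-4111-8111-111111111111"},
]

if __name__ == "__main__":
    print(validate_role_assignable_group(SAMPLE_GROUP))
    print(select_members_to_copy(SAMPLE_MEMBERS))
```

Run the validator on the body before the POST to the groups endpoint; a non-empty list means the request would either be rejected or create a group that cannot be used for role assignment.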
Microsoft Graph API
Create a role-assignable group in Azure AD
HTTP
POST [Link]
{
    "description": "This group is assigned to Helpdesk Administrator built-in role of Azure AD.",
    "displayName": "Contoso_Helpdesk_Administrators",
    "groupTypes": [
        "Unified"
    ],
    "isAssignableToRole": true,
    "mailEnabled": true,
    "securityEnabled": true,
    "mailNickname": "contosohelpdeskadministrators",
    "visibility": "Private"
}
For this type of group, isPublic will always be false and isSecurityEnabled will always
be true.
Next steps
Assign Azure AD roles to groups
Use Azure AD groups to manage role assignments
Troubleshoot Azure AD roles assigned to groups
Assign Azure AD roles to groups
Article • 08/21/2022 • 2 minutes to read
This section describes how an IT admin can assign an Azure Active Directory (Azure AD)
role to an Azure AD group.
Prerequisites
Azure AD Premium P1 or P2 license
Privileged Role Administrator or Global Administrator
AzureAD module when using PowerShell
Admin consent when using Graph explorer for Microsoft Graph API
For more information, see Prerequisites to use PowerShell or Graph Explorer.
Azure portal
Assigning a group to an Azure AD role is similar to assigning users and service principals
except that only groups that are role-assignable can be used. In the Azure portal, only
groups that are role-assignable are displayed.
1. Sign in to the Azure portal or Azure AD admin center .
2. Select Azure Active Directory > Roles and administrators and select the role you
want to assign.
3. On the role name page, select > Add assignment.
4. Select the group. Only the groups that can be assigned to Azure AD roles are
displayed.
5. Select Add.
For more information on assigning role permissions, see Assign administrator and non-administrator roles to users.
PowerShell
Create a group that can be assigned to role
PowerShell
$group = New-AzureADMSGroup -DisplayName "Contoso_Helpdesk_Administrators" -Description "This group is assigned to Helpdesk Administrator built-in role in Azure AD." -MailEnabled $false -SecurityEnabled $true -MailNickName "contosohelpdeskadministrators" -IsAssignableToRole $true
Get the role definition for the role you want to assign
PowerShell
$roleDefinition = Get-AzureADMSRoleDefinition -Filter "displayName eq 'Helpdesk Administrator'"
Create a role assignment
PowerShell
$roleAssignment = New-AzureADMSRoleAssignment -DirectoryScopeId '/' -RoleDefinitionId $[Link] -PrincipalId $[Link]
Microsoft Graph API
Create a group that can be assigned Azure AD role
Use the Create group API to create a group.
HTTP
POST [Link]
{
    "description": "This group is assigned to Helpdesk Administrator built-in role of Azure AD.",
    "displayName": "Contoso_Helpdesk_Administrators",
    "groupTypes": [
        "Unified"
    ],
    "isAssignableToRole": true,
    "mailEnabled": true,
    "mailNickname": "contosohelpdeskadministrators",
    "securityEnabled": true
}
Get the role definition
Use the List unifiedRoleDefinitions API to get a role definition.
HTTP
GET [Link]$filter=displayName eq 'Helpdesk Administrator'
Create the role assignment
Use the Create unifiedRoleAssignment API to assign the role.
HTTP
POST [Link]
{
    "@[Link]": "#[Link]",
    "principalId": "<Object Id of Group>",
    "roleDefinitionId": "<ID of role definition>",
    "directoryScopeId": "/"
}
Next steps
Use Azure AD groups to manage role assignments
Troubleshoot Azure AD roles assigned to groups
Assign a role to a group using Privileged
Identity Management
Article • 08/21/2022 • 2 minutes to read
This article describes how you can assign an Azure Active Directory (Azure AD) role to a
group using Azure AD Privileged Identity Management (PIM).
Note
You must be using the updated version of Privileged Identity Management to be
able to assign a group to an Azure AD role using PIM. You might be on an older
version of PIM if your Azure AD organization leverages the Privileged Identity
Management API. If so, please reach out to the alias pim_preview@[Link]
to move your organization and update your API. Learn more at Azure AD roles and
features in PIM.
Prerequisites
Azure AD Premium P2 license
Privileged Role Administrator or Global Administrator
AzureADPreview module when using PowerShell
Admin consent when using Graph explorer for Microsoft Graph API
For more information, see Prerequisites to use PowerShell or Graph Explorer.
Azure portal
1. Sign in to Azure AD Privileged Identity Management .
2. Select Privileged Identity Management > Azure AD roles > Roles > Add
assignments
3. Select a role, and then select a group. Only groups that are eligible for role
assignment (role-assignable groups) are displayed, not all groups.
4. Select the desired membership setting. For roles requiring activation, choose
eligible. By default, the user would be permanently eligible, but you could also set
a start and end time for the user's eligibility. Once you are complete, hit Save and
Add to complete the role assignment.
PowerShell
Assign a group as an eligible member of a role
PowerShell
$schedule = New-Object [Link]
$[Link] = "Once"
$[Link] = "2019-04-26T[Link].770Z"
$[Link] = "2019-07-25T[Link].770Z"
Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId aadRoles -Schedule $schedule -ResourceId "[YOUR TENANT ID]" -RoleDefinitionId "9f8c1837-f885-4dfd-9a75-990f9222b21d" -SubjectId "[YOUR GROUP ID]" -AssignmentState "Eligible" -Type "AdminAdd"
Microsoft Graph API
HTTP
POST [Link]uests
{
    "roleDefinitionId": {roleDefinitionId},
    "resourceId": {tenantId},
    "subjectId": {GroupId},
    "assignmentState": "Eligible",
    "type": "AdminAdd",
    "reason": "reason string",
    "schedule": {
        "startDateTime": {DateTime},
        "endDateTime": {DateTime},
        "type": "Once"
    }
}
Next steps
Use Azure AD groups to manage role assignments
Troubleshoot Azure AD roles assigned to groups
Configure Azure AD admin role settings in Privileged Identity Management
Assign Azure resource roles in Privileged Identity Management
Assign custom roles with resource scope
using PowerShell in Azure Active
Directory
Article • 08/21/2022 • 3 minutes to read
This article describes how to create a role assignment at organization-wide scope in
Azure Active Directory (Azure AD). Assigning a role at organization-wide scope grants
access across the Azure AD organization. To create a role assignment with a scope of a
single Azure AD resource, see How to create a custom role and assign it at resource
scope. This article uses the Azure Active Directory PowerShell Version 2 module.
For more information about Azure AD roles, see Azure AD built-in roles.
Prerequisites
Azure AD Premium P1 or P2 license
Privileged Role Administrator or Global Administrator
AzureADPreview module when using PowerShell
For more information, see Prerequisites to use PowerShell or Graph Explorer.
Assign a directory role to a user or service
principal with resource scope
1. Load the Azure AD PowerShell (Preview) module.
2. Sign in by executing the command Connect-AzureAD.
3. Create a new role using the following PowerShell script.
PowerShell
## Assign a role to a user or service principal with resource scope
# Get the user and role definition you want to link
$user = Get-AzureADUser -Filter "userPrincipalName eq 'cburl@[Link]'"
$roleDefinition = Get-AzureADMSRoleDefinition -Filter "displayName eq 'Application Support Administrator'"
# Get app registration and construct resource scope for assignment.
$appRegistration = Get-AzureADApplication -Filter "displayName eq 'f/128 Filter Photos'"
$directoryScope = '/' + $[Link]
# Create a scoped role assignment
$roleAssignment = New-AzureADMSRoleAssignment -DirectoryScopeId $directoryScope -RoleDefinitionId $[Link] -PrincipalId $[Link]
To assign the role to a service principal instead of a user, use the Get-AzureADMSServicePrincipal cmdlet.
Role definitions
Role definition objects contain the definition of the built-in or custom role, along with
the permissions that are granted by that role assignment. This resource displays both
custom role definitions and built-in directory roles (which are displayed in roleDefinition
equivalent form). For information about the maximum number of custom roles that can
be created in an Azure AD organization, see Azure AD service limits and restrictions.
Create a role definition
PowerShell
# Basic information
$description = "Can manage credentials of application registrations"
$displayName = "Application Registration Credential Administrator"
$templateId = (New-Guid).Guid
# Set of actions to include
$rolePermissions = @{
    "allowedResourceActions" = @(
        "[Link]/applications/standard/read",
        "[Link]/applications/credentials/update"
    )
}
# Create new custom directory role
$customAdmin = New-AzureADMSRoleDefinition -RolePermissions $rolePermissions -DisplayName $displayName -Description $description -TemplateId $templateId -IsEnabled $true
Read and list role definitions
PowerShell
# Get all role definitions
Get-AzureADMSRoleDefinition
# Get single role definition by ID
Get-AzureADMSRoleDefinition -Id 86593cfc-114b-4a15-9954-97c3494ef49b
# Get single role definition by templateId
Get-AzureADMSRoleDefinition -Filter "templateId eq 'c4e39bd9-1100-46d3-8c65-fb160da0071f'"
Update a role definition
PowerShell
# Update role definition
# This works for any writable property on role definition. You can replace display name with other valid properties.
Set-AzureADMSRoleDefinition -Id c4e39bd9-1100-46d3-8c65-fb160da0071f -DisplayName "Updated DisplayName"
Delete a role definition
PowerShell
# Delete role definition
Remove-AzureADMSRoleDefinition -Id c4e39bd9-1100-46d3-8c65-fb160da0071f
Role assignments
Role assignments contain information linking a given security principal (a user or
application service principal) to a role definition. If required, you can add a scope of a
single Azure AD resource for the assigned permissions. Restricting the scope of a role
assignment is supported for built-in and custom roles.
Create a role assignment
PowerShell
# Get the user and role definition you want to link
$user = Get-AzureADUser -Filter "userPrincipalName eq 'cburl@[Link]'"
$roleDefinition = Get-AzureADMSRoleDefinition -Filter "displayName eq 'Application Support Administrator'"
# Get app registration and construct resource scope for assignment.
$appRegistration = Get-AzureADApplication -Filter "displayName eq 'f/128 Filter Photos'"
$directoryScope = '/' + $[Link]
# Create a scoped role assignment
$roleAssignment = New-AzureADMSRoleAssignment -DirectoryScopeId $directoryScope -RoleDefinitionId $[Link] -PrincipalId $[Link]
Read and list role assignments
PowerShell
# Get role assignments for a given principal
Get-AzureADMSRoleAssignment -Filter "principalId eq '27c8ca78-ab1c-40ae-bd1b-eaeebd6f68ac'"
# Get role assignments for a given role definition
Get-AzureADMSRoleAssignment -Filter "roleDefinitionId eq '355aed8a-864b-4e2b-b225-ea95482e7570'"
Remove a role assignment
PowerShell
# Remove role assignment
Remove-AzureADMSRoleAssignment -Id 'qiho4WOb9UKKgng_LbPV7tvKaKRCD61PkJeKMh7Y458-1'
Next steps
Share with us on the Azure AD administrative roles forum
For more about roles and Azure AD administrator role assignments, see Assign
administrator roles
For default user permissions, see a comparison of default guest and member user
permissions
Assign custom admin roles using the
Microsoft Graph API in Azure Active
Directory
Article • 08/21/2022 • 3 minutes to read
You can automate how you assign roles to user accounts using the Microsoft Graph API.
This article covers POST, GET, and DELETE operations on roleAssignments.
Prerequisites
Azure AD Premium P1 or P2 license
Privileged Role Administrator or Global Administrator
Admin consent when using Graph Explorer for Microsoft Graph API
For more information, see Prerequisites to use PowerShell or Graph Explorer.
POST Operations on RoleAssignment
Use the Create unifiedRoleAssignment API to assign the role.
Example 1: Create a role assignment between a user and a
role definition
HTTP
POST [Link]
Content-type: application/json
Body
HTTP
{
    "@[Link]": "#[Link]",
    "principalId": "ab2e1023-bddc-4038-9ac1-ad4843e7e539",
    "roleDefinitionId": "194ae4cb-b126-40b2-bd5b-6091b380977d",
    "directoryScopeId": "/"
}
Don't use the "resourceScope" attribute in Azure AD role assignments. It will be deprecated soon.
Response
HTTP
HTTP/1.1 201 Created
Example 2: Create a role assignment where the principal
or role definition does not exist
HTTP
POST [Link]
Body
HTTP
{
    "@[Link]": "#[Link]",
    "principalId": "2142743c-a5b3-4983-8486-4532ccba12869",
    "roleDefinitionId": "194ae4cb-b126-40b2-bd5b-6091b380977d",
    "directoryScopeId": "/"
}
Don't use the "resourceScope" attribute in Azure AD role assignments. It will be deprecated soon.
Response
HTTP
HTTP/1.1 404 Not Found
Example 3: Create a role assignment on a single resource
scope
HTTP
POST [Link]
Body
HTTP
{
    "@[Link]": "#[Link]",
    "principalId": "2142743c-a5b3-4983-8486-4532ccba12869",
    "roleDefinitionId": "e9b2b976-1dea-4229-a078-b08abd6c4f84",
    "directoryScopeId": "/13ff0c50-18e7-4071-8b52-a6f08e17c8cc"
}
Here roleDefinitionId is the role template ID of a custom role and directoryScopeId is the object ID of an application.
Response
HTTP
HTTP/1.1 201 Created
Example 4: Create an administrative unit scoped role
assignment on a built-in role definition which is not
supported
HTTP
POST [Link]
Body
HTTP
{
    "@[Link]": "#[Link]",
    "principalId": "ab2e1023-bddc-4038-9ac1-ad4843e7e539",
    "roleDefinitionId": "29232cdf-9323-42fd-ade2-1d097af3e4de",
    "directoryScopeId": "/administrativeUnits/13ff0c50-18e7-4071-8b52-a6f08e17c8cc"
}
Here roleDefinitionId is the role template ID of Exchange Administrator and directoryScopeId is the object ID of an administrative unit.
Response
HTTP
HTTP/1.1 400 Bad Request
{
    "[Link]":
    {
        "code":"Request_BadRequest",
        "message":
        {
            "message":"The given built-in role is not supported to be assigned to a single resource scope."
        }
    }
}
Only a subset of built-in roles are enabled for Administrative Unit scoping. Refer to this
documentation for the list of built-in roles supported over an administrative unit.
GET Operations on RoleAssignment
Use the List unifiedRoleAssignments API to get the role assignment.
Example 5: Get role assignments for a given principal
HTTP
GET [Link]$filter=principalId+eq+'<object-id-of-principal>'
Response
HTTP
HTTP/1.1 200 OK
{
    "value":[
        {
            "id": "mhxJMipY4UanIzy2yE-r7JIiSDKQoTVJrLE9etXyrY0-1",
            "principalId": "ab2e1023-bddc-4038-9ac1-ad4843e7e539",
            "roleDefinitionId": "10dae51f-b6af-4016-8d66-8c2a99b929b3",
            "directoryScopeId": "/"
        },
        {
            "id": "CtRxNqwabEKgwaOCHr2CGJIiSDKQoTVJrLE9etXyrY0-1",
            "principalId": "ab2e1023-bddc-4038-9ac1-ad4843e7e539",
            "roleDefinitionId": "fe930be7-5e62-47db-91af-98c3a49a38b1",
            "directoryScopeId": "/"
        }
    ]
}
Example 6: Get role assignments for a given role
definition.
HTTP
GET [Link]$filter=roleDefinitionId+eq+'<object-id-or-template-id-of-role-definition>'
Response
HTTP
HTTP/1.1 200 OK
{
    "value":[
        {
            "id": "CtRxNqwabEKgwaOCHr2CGJIiSDKQoTVJrLE9etXyrY0-1",
            "principalId": "ab2e1023-bddc-4038-9ac1-ad4843e7e539",
            "roleDefinitionId": "fe930be7-5e62-47db-91af-98c3a49a38b1",
            "directoryScopeId": "/"
        }
    ]
}
Example 7: Get a role assignment by ID.
HTTP
GET [Link]PpYvVpN0KRkAEhdxReEJC2sEqbR_9Hr48lds9SGHI-1
Response
HTTP
HTTP/1.1 200 OK
{
    "id": "mhxJMipY4UanIzy2yE-r7JIiSDKQoTVJrLE9etXyrY0-1",
    "principalId": "ab2e1023-bddc-4038-9ac1-ad4843e7e539",
    "roleDefinitionId": "10dae51f-b6af-4016-8d66-8c2a99b929b3",
    "directoryScopeId": "/"
}
Example 8: Get role assignments for a given scope
HTTP
GET [Link]$filter=directoryScopeId+eq+'/d23998b1-8853-4c87-b95f-be97d6c6b610'
Response
HTTP
HTTP/1.1 200 OK
{
    "value":[
        {
            "id": "mhxJMipY4UanIzy2yE-r7JIiSDKQoTVJrLE9etXyrY0-1",
            "principalId": "ab2e1023-bddc-4038-9ac1-ad4843e7e539",
            "roleDefinitionId": "10dae51f-b6af-4016-8d66-8c2a99b929b3",
            "directoryScopeId": "/d23998b1-8853-4c87-b95f-be97d6c6b610"
        },
        {
            "id": "CtRxNqwabEKgwaOCHr2CGJIiSDKQoTVJrLE9etXyrY0-1",
            "principalId": "ab2e1023-bddc-4038-9ac1-ad4843e7e539",
            "roleDefinitionId": "3671d40a-1aac-426c-a0c1-a3821ebd8218",
            "directoryScopeId": "/d23998b1-8853-4c87-b95f-be97d6c6b610"
        }
    ]
}
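As an added example (not from the Microsoft documentation), the following Python builds the three `$filter` forms used in Examples 5, 6 and 8 with OData quoting and URL encoding, then audits a listing in the response shape shown above: it groups assignments by principal and by role definition and pulls out the tenant-wide ('/') assignments, which are the ones a reviewer should look at first because they apply to every object in the directory rather than one administrative unit or application. The endpoint URL is assumed to be the v1.0 roleAssignments collection (the page's copy of the URL is garbled); the sample response is constructed from the ids shown in the examples above.

```python
"""Build $filter queries for unifiedRoleAssignments and audit the results.

Added example (not from the page): the listing shape mirrors the responses
shown in Examples 5 to 8 above.
"""
import re
from collections import defaultdict
from typing import Any, Dict, List
from urllib.parse import urlencode

# Assumed endpoint (the page's copy of the URL is garbled).
ROLE_ASSIGNMENTS_URL = "https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments"
_GUID_RE = re.compile(
    r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"
)


def build_list_url(field: str, value: str) -> str:
    """URL for one of the three $filter forms on this page.

    The value is quoted for OData (single quotes doubled) and URL-encoded, so a
    value taken from user input cannot change the meaning of the filter.
    """
    if field not in ("principalId", "roleDefinitionId", "directoryScopeId"):
        raise ValueError(f"unsupported filter field {field!r}")
    if field != "directoryScopeId" and not _GUID_RE.match(value):
        raise ValueError(f"{field} filter value must be a GUID")
    escaped = value.replace("'", "''")
    return ROLE_ASSIGNMENTS_URL + "?" + urlencode({"$filter": f"{field} eq '{escaped}'"})


def parse_assignments(response: Dict[str, Any]) -> List[Dict[str, str]]:
    """Pull the assignment records out of a list response, rejecting incomplete ones."""
    required = ("id", "principalId", "roleDefinitionId", "directoryScopeId")
    records = []
    for item in response.get("value", []):
        missing = [k for k in required if k not in item]
        if missing:
            raise ValueError(f"assignment {item.get('id')!r} is missing {missing}")
        records.append({k: item[k] for k in required})
    return records


def audit(assignments: List[Dict[str, str]]) -> Dict[str, Any]:
    """Summarise roles per principal, principals per role and tenant-wide assignments.

    A directoryScopeId of '/' applies across the whole directory; anything else
    is limited to one administrative unit or one object.
    """
    roles_by_principal = defaultdict(set)
    principals_by_role = defaultdict(set)
    tenant_wide = []
    for a in assignments:
        roles_by_principal[a["principalId"]].add(a["roleDefinitionId"])
        principals_by_role[a["roleDefinitionId"]].add(a["principalId"])
        if a["directoryScopeId"] == "/":
            tenant_wide.append(a["id"])
    return {
        "roles_by_principal": {k: sorted(v) for k, v in roles_by_principal.items()},
        "principals_by_role": {k: sorted(v) for k, v in principals_by_role.items()},
        "tenant_wide": tenant_wide,
    }


# Constructed sample response in the shape of the listings on this page.
SAMPLE_RESPONSE = {
    "value": [
        {"id": "mhxJMipY4UanIzy2yE-r7JIiSDKQoTVJrLE9etXyrY0-1",
         "principalId": "ab2e1023-bddc-4038-9ac1-ad4843e7e539",
         "roleDefinitionId": "10dae51f-b6af-4016-8d66-8c2a99b929b3",
         "directoryScopeId": "/"},
        {"id": "CtRxNqwabEKgwaOCHr2CGJIiSDKQoTVJrLE9etXyrY0-1",
         "principalId": "ab2e1023-bddc-4038-9ac1-ad4843e7e539",
         "roleDefinitionId": "3671d40a-1aac-426c-a0c1-a3821ebd8218",
         "directoryScopeId": "/d23998b1-8853-4c87-b95f-be97d6c6b610"},
    ]
}

if __name__ == "__main__":
    print(build_list_url("principalId", "ab2e1023-bddc-4038-9ac1-ad4843e7e539"))
    print(audit(parse_assignments(SAMPLE_RESPONSE)))
```

Responses from the service are paged; when a listing carries an `@odata.nextLink`, feed every page through `parse_assignments` and concatenate before calling `audit`, otherwise the summary is incomplete.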
DELETE Operations on RoleAssignment
Use the Delete unifiedRoleAssignment API to delete the role assignment.
Example 9: Delete a role assignment between a user and
a role definition.
HTTP
DELETE [Link]PpYvVpN0KRkAEhdxReEJC2sEqbR_9Hr48lds9SGHI-1
Response
HTTP
HTTP/1.1 204 No Content
Example 10: Delete a role assignment that no longer
exists
HTTP
DELETE [Link]PpYvVpN0KRkAEhdxReEJC2sEqbR_9Hr48lds9SGHI-1
Response
HTTP
HTTP/1.1 404 Not Found
Example 11: Delete a role assignment between self and
Global Administrator role definition
HTTP
DELETE [Link]PpYvVpN0KRkAEhdxReEJC2sEqbR_9Hr48lds9SGHI-1
Response
HTTP
HTTP/1.1 400 Bad Request
{
    "[Link]":
    {
        "code":"Request_BadRequest",
        "message":
        {
            "lang":"en",
            "value":"Removing self from Global Administrator built-in role is not allowed"
        },
        "values":null
    }
}
We prevent users from deleting their own Global Administrator role to avoid a scenario
where a tenant has zero Global Administrators. Removing other roles assigned to self is
allowed.
Next steps
Feel free to share with us on the Azure AD administrative roles forum
For more about role permissions, see Azure AD built-in roles
For default user permissions, see a comparison of default guest and member user
permissions
Remove role assignments from a group
in Azure Active Directory
Article • 08/21/2022 • 2 minutes to read
This article describes how an IT admin can remove Azure AD roles assigned to groups. In
the Azure portal, you can now remove both direct and indirect role assignments to a
user. If a user is assigned a role by a group membership, remove the user from the
group to remove the role assignment.
Prerequisites
Azure AD Premium P1 or P2 license
Privileged Role Administrator or Global Administrator
AzureAD module when using PowerShell
Admin consent when using Graph explorer for Microsoft Graph API
For more information, see Prerequisites to use PowerShell or Graph Explorer.
Azure portal
1. Sign in to the Azure portal or Azure AD admin center .
2. Select Azure Active Directory > Roles and administrators > role name.
3. Select the group from which you want to remove the role assignment and select
Remove assignment.
4. When asked to confirm your action, select Yes.
PowerShell
Create a group that can be assigned to role
PowerShell
$group = New-AzureADMSGroup -DisplayName "Contoso_Helpdesk_Administrators" -Description "This group is assigned to Helpdesk Administrator built-in role in Azure AD." -MailEnabled $true -SecurityEnabled $true -MailNickName "contosohelpdeskadministrators" -IsAssignableToRole $true
Get the role definition you want to assign the group to
PowerShell
$roleDefinition = Get-AzureADMSRoleDefinition -Filter "displayName eq 'Helpdesk Administrator'"
Create a role assignment
PowerShell
$roleAssignment = New-AzureADMSRoleAssignment -DirectoryScopeId '/' -RoleDefinitionId $[Link] -PrincipalId $[Link]
Remove the role assignment
PowerShell
Remove-AzureADMSRoleAssignment -Id $[Link]
Microsoft Graph API
Create a group that can be assigned an Azure AD role
Use the Create group API to create a group.
HTTP
POST [Link]
{
    "description": "This group is assigned to Helpdesk Administrator built-in role of Azure AD",
    "displayName": "Contoso_Helpdesk_Administrators",
    "groupTypes": [
        "Unified"
    ],
    "isAssignableToRole": true,
    "mailEnabled": true,
    "mailNickname": "contosohelpdeskadministrators",
    "securityEnabled": true
}
Get the role definition
Use the List unifiedRoleDefinitions API to get a role definition.
HTTP
GET [Link]$filter=displayName+eq+'Helpdesk Administrator'
Create the role assignment
Use the Create unifiedRoleAssignment API to assign the role.
HTTP
POST [Link]
{
    "@[Link]": "#[Link]",
    "principalId": "{object-id-of-group}",
    "roleDefinitionId": "{role-definition-id}",
    "directoryScopeId": "/"
}
Delete role assignment
Use the Delete unifiedRoleAssignment API to delete the role assignment.
HTTP
DELETE [Link]ole-assignment-id}
Next steps
Use Azure AD groups to manage role assignments
Troubleshoot Azure AD roles assigned to groups
Create and assign a custom role in
Azure Active Directory
Article • 12/09/2022 • 3 minutes to read
This article describes how to create new custom roles in Azure Active Directory (Azure
AD). For the basics of custom roles, see the custom roles overview. The role can be
assigned either at the directory-level scope or an app registration resource scope only.
Custom roles can be created in the Roles and administrators tab on the Azure AD
overview page.
Prerequisites
Azure AD Premium P1 or P2 license
Privileged Role Administrator or Global Administrator
AzureADPreview module when using PowerShell
Admin consent when using Graph explorer for Microsoft Graph API
For more information, see Prerequisites to use PowerShell or Graph Explorer.
Create a role in the Azure portal
Create a new custom role to grant access to manage app
registrations
1. Sign in to the Azure portal or Azure AD admin center .
2. Select Azure Active Directory > Roles and administrators > New custom role.
3. On the Basics tab, provide a name and description for the role and then click Next.
4. On the Permissions tab, select the permissions necessary to manage basic
properties and credential properties of app registrations. For a detailed description
of each permission, see Application registration subtypes and permissions in Azure
Active Directory.
a. First, enter "credentials" in the search bar and select the
[Link]/applications/credentials/update permission.
b. Next, enter "basic" in the search bar, select the
[Link]/applications/basic/update permission, and then click
Next.
5. On the Review + create tab, review the permissions and select Create.
Your custom role will show up in the list of available roles to assign.
Create a role using PowerShell
Connect to Azure
To connect to Azure Active Directory, use the following command:
PowerShell
Connect-AzureAD
Create the custom role
Create a new role using the following PowerShell script:
PowerShell
# Basic role information
$displayName = "Application Support Administrator"
$description = "Can manage basic aspects of application registrations."
$templateId = (New-Guid).Guid
# Set of permissions to grant
$allowedResourceAction = @(
    "[Link]/applications/basic/update",
    "[Link]/applications/credentials/update"
)
$rolePermissions = @{'allowedResourceActions' = $allowedResourceAction}
# Create new custom admin role
$customAdmin = New-AzureADMSRoleDefinition -RolePermissions $rolePermissions `
    -DisplayName $displayName -Description $description -TemplateId $templateId `
    -IsEnabled $true
Assign the custom role using PowerShell
Assign the role using the below PowerShell script:
PowerShell
# Get the user and role definition you want to link
$user = Get-AzureADUser -Filter "userPrincipalName eq 'cburl@[Link]'"
$roleDefinition = Get-AzureADMSRoleDefinition -Filter "displayName eq 'Application Support Administrator'"
# Get app registration and construct resource scope for assignment.
$appRegistration = Get-AzureADApplication -Filter "displayName eq 'f/128 Filter Photos'"
$resourceScope = '/' + $[Link]
# Create a scoped role assignment
$roleAssignment = New-AzureADMSRoleAssignment -DirectoryScopeId $resourceScope `
    -RoleDefinitionId $[Link] -PrincipalId $[Link]
Create a role with the Microsoft Graph API
1. Use the Create unifiedRoleDefinition API to create a custom role.
HTTP
POST [Link]ns
Body
HTTP
{
    "description": "Can manage basic aspects of application registrations.",
    "displayName": "Application Support Administrator",
    "isEnabled": true,
    "templateId": "<GUID>",
    "rolePermissions": [
        {
            "allowedResourceActions": [
                "[Link]/applications/basic/update",
                "[Link]/applications/credentials/update"
            ]
        }
    ]
}
Note
The "templateId": "GUID" is an optional parameter that's sent in the body
depending on the requirement. If you have a requirement to create multiple
different custom roles with common parameters, it's best to create a template
and define a templateId value. You can generate a templateId value
beforehand by using the PowerShell cmdlet (New-Guid).Guid.
2. Use the Create unifiedRoleAssignment API to assign the custom role.
HTTP
POST [Link]ts
Body
HTTP
{
    "principalId": "<GUID OF USER>",
    "roleDefinitionId": "<GUID OF ROLE DEFINITION>",
    "directoryScopeId": "/<GUID OF APPLICATION REGISTRATION>"
}
Assign a custom role scoped to a resource
Like built-in roles, custom roles are assigned by default at the default organization-wide
scope to grant access permissions over all app registrations in your organization.
Additionally, custom roles and some relevant built-in roles (depending on the type of
Azure AD resource) can also be assigned at the scope of a single Azure AD resource.
This allows you to give the user the permission to update credentials and basic
properties of a single app without having to create a second custom role.
1. Sign in to the Azure portal or Azure AD admin center with Application
Developer permissions.
2. Select Azure Active Directory > App registrations.
3. Select the app registration to which you are granting access to manage. You might
have to select All applications to see the complete list of app registrations in your
Azure AD organization.
4. In the app registration, select Roles and administrators. If you haven't already
created one, instructions are in the preceding procedure.
5. Select the role to open the Assignments page.
6. Select Add assignment to add a user. The user will be granted any permissions
over only the selected app registration.
Next steps
Feel free to share with us on the Azure AD administrative roles forum.
For more about role permissions, see Azure AD built-in roles.
For default user permissions, see a comparison of default guest and member user
permissions.
Create custom roles to manage enterprise apps in Azure Active Directory
Article • 08/21/2022 • 4 minutes to read
This article explains how to create a custom role with permissions to manage enterprise
app assignments for users and groups in Azure Active Directory (Azure AD). For the
elements of role assignments and the meaning of terms such as subtype, permission,
and property set, see the custom roles overview.
Prerequisites
Azure AD Premium P1 or P2 license
Privileged Role Administrator or Global Administrator
AzureADPreview module when using PowerShell
Admin consent when using Graph explorer for Microsoft Graph API
For more information, see Prerequisites to use PowerShell or Graph Explorer.
Enterprise app role permissions
There are two enterprise app permissions discussed in this article. All examples use the
update permission.
To read the user and group assignments at scope, grant the
[Link]/servicePrincipals/appRoleAssignedTo/read permission
To manage the user and group assignments at scope, grant the
[Link]/servicePrincipals/appRoleAssignedTo/update permission
Granting the update permission results in the assignee being able to manage
assignments of users and groups to enterprise apps. The scope of user and/or group
assignments can be granted for a single application or granted for all applications. If
granted at an organization-wide level, the assignee can manage assignments for all
applications. If made at an application level, the assignee can manage assignments for
only the specified application.
Granting the update permission is done in two steps:
1. Create a custom role with permission
[Link]/servicePrincipals/appRoleAssignedTo/update
2. Grant users or groups permissions to manage user and group assignments to
enterprise apps. This is when you can set the scope to the organization-wide level
or to a single application.
Azure portal
Create a new custom role
Note
Custom roles are created and managed at an organization-wide level and are
available only from the organization's Overview page.
1. Sign in to the Azure portal or Azure AD admin center.
2. Select Azure Active Directory > Roles and administrators and then select New
custom role.
3. On the Basics tab, provide "Manage user and group assignments" for the name of
the role and "Grant permissions to manage user and group assignments" for the
role description, and then select Next.
4. On the Permissions tab, enter
"[Link]/servicePrincipals/appRoleAssignedTo/update" in the search
box, and then select the checkboxes next to the desired permissions, and then
select Next.
5. On the Review + create tab, review the permissions and select Create.
Assign the role to a user using the Azure portal
1. Sign in to the Azure portal or Azure AD admin center.
2. Select Azure Active Directory > Roles and administrators.
3. Select the Grant permissions to manage user and group assignments role.
4. Select Add assignment, select the desired user, and then click Select to add role
assignment to the user.
Assignment tips
To grant permissions to assignees to manage users and group access for all
enterprise apps organization-wide, start from the organization-wide Roles and
Administrators list on the Azure AD Overview page for your organization.
To grant permissions to assignees to manage users and group access for a specific
enterprise app, go to that app in Azure AD and open in the Roles and
Administrators list for that app. Select the new custom role and complete the user
or group assignment. The assignees can manage users and group access only for
the specific app.
To test your custom role assignment, sign in as the assignee and open an
application’s Users and groups page to verify that the Add user option is enabled.
PowerShell
For more detail, see Create and assign a custom role and Assign custom roles with
resource scope using PowerShell.
Create a custom role
Create a new role using the following PowerShell script:
PowerShell
# Basic role information
# The display name is what the assignment script below filters on, so keep them in sync.
$displayName = "Manage user and group assignments"
$description = "Can manage user and group assignments for Applications"
$templateId = (New-Guid).Guid
# Set of permissions to grant
$allowedResourceAction = @("[Link]/servicePrincipals/appRoleAssignedTo/update")
$rolePermissions = @{'allowedResourceActions' = $allowedResourceAction}
# Create new custom admin role
$customRole = New-AzureADMSRoleDefinition -RolePermissions $rolePermissions `
    -DisplayName $displayName -Description $description -TemplateId $templateId `
    -IsEnabled $true
Assign the custom role
Assign the role using this PowerShell script.
PowerShell
# Get the user and role definition you want to link
$user = Get-AzureADUser -Filter "userPrincipalName eq 'chandra@[Link]'"
$roleDefinition = Get-AzureADMSRoleDefinition -Filter "displayName eq 'Manage user and group assignments'"
# Get app registration and construct resource scope for assignment.
$appRegistration = Get-AzureADApplication -Filter "displayName eq 'My Filter Photos'"
$resourceScope = '/' + $[Link]
# Create a scoped role assignment (the scope parameter is -DirectoryScopeId)
$roleAssignment = New-AzureADMSRoleAssignment -DirectoryScopeId $resourceScope `
    -RoleDefinitionId $[Link] -PrincipalId $[Link]
Microsoft Graph API
Use the Create unifiedRoleDefinition API to create a custom role. For more information,
see Create and assign a custom role and Assign custom admin roles using the Microsoft
Graph API.
HTTP
POST [Link]
{
    "description": "Can manage user and group assignments for Applications.",
    "displayName": "Manage user and group assignments",
    "isEnabled": true,
    "rolePermissions": [
        {
            "allowedResourceActions": [
                "[Link]/servicePrincipals/appRoleAssignedTo/update"
            ]
        }
    ],
    "templateId": "<PROVIDE NEW GUID HERE>",
    "version": "1"
}
Assign the custom role using the Microsoft Graph API
Use the Create unifiedRoleAssignment API to assign the custom role. The role
assignment combines a security principal ID (which can be a user or service principal), a
role definition ID, and an Azure AD resource scope. For more information on the
elements of a role assignment, see the custom roles overview.
HTTP
POST [Link]
{
    "@[Link]": "#[Link]",
    "principalId": "<PROVIDE OBJECTID OF USER TO ASSIGN HERE>",
    "roleDefinitionId": "<PROVIDE OBJECTID OF ROLE DEFINITION HERE>",
    "directoryScopeId": "/"
}
Next steps
Explore the available custom role permissions for enterprise apps
Quickstart: Grant permission to create unlimited app registrations
Article • 08/21/2022 • 3 minutes to read
In this quickstart, you will create a custom role with permission to create an
unlimited number of app registrations, and then assign that role to a user. The assigned
user can then use the Azure portal, Azure AD PowerShell, or Microsoft Graph API to
create application registrations. Unlike the built-in Application Developer role, this
custom role grants the ability to create an unlimited number of application registrations.
The Application Developer role grants the ability, but the total number of created
objects is limited to 250 to prevent hitting the directory-wide object quota. The least
privileged role required to create and assign Azure AD custom roles is the Privileged
Role Administrator.
If you don't have an Azure subscription, create a free account before you begin.
Prerequisites
Azure AD Premium P1 or P2 license
Privileged Role Administrator or Global Administrator
AzureADPreview module when using PowerShell
Admin consent when using Graph explorer for Microsoft Graph API
For more information, see Prerequisites to use PowerShell or Graph Explorer.
Azure portal
Create a custom role
1. Sign in to the Azure portal or Azure AD admin center.
2. Select Azure Active Directory > Roles and administrators and then select New
custom role.
3. On the Basics tab, provide "Application Registration Creator" for the name of the
role and "Can create an unlimited number of application registrations" for the role
description, and then select Next.
4. On the Permissions tab, enter "[Link]/applications/create" in the
search box, and then select the checkboxes next to the desired permissions, and
then select Next.
5. On the Review + create tab, review the permissions and select Create.
Assign the role
1. Sign in to the Azure portal or Azure AD admin center.
2. Select Azure Active Directory > Roles and administrators.
3. Select the Application Registration Creator role and select Add assignment.
4. Select the desired user and click Select to add the user to the role.
Done! In this quickstart, you successfully created a custom role with permission to create
an unlimited number of app registrations, and then assigned that role to a user.
Tip
To assign the role to an application using the Azure portal, enter the name of the
application into the search box of the assignment page. Applications are not shown
in the list by default, but are returned in search results.
App registration permissions
There are two permissions available for granting the ability to create application
registrations, each with different behavior.
[Link]/applications/createAsOwner: Assigning this permission results
in the creator being added as the first owner of the created app registration, and
the created app registration will count against the creator's 250 created objects
quota.
[Link]/applications/create: Assigning this permission results in the
creator not being added as the first owner of the created app registration, and the
created app registration will not count against the creator's 250 created objects
quota. Use this permission carefully, because there is nothing preventing the
assignee from creating app registrations until the directory-level quota is hit. If
both permissions are assigned, this permission takes precedence.
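As an added example that is not part of the original article, the following Python builds the unifiedRoleDefinition and unifiedRoleAssignment bodies shown in these articles and reviews a definition/assignment pair before it is sent: it checks the scope format, applies the create/createAsOwner precedence rule above, and reports whether a grant is organization-wide or limited to one app registration. The object IDs and the `<directory-namespace>` action prefix are constructed placeholders, not values from any tenant.

```python
"""Offline builder and pre-flight review for Azure AD custom role definitions
and assignments (Graph unifiedRoleDefinition / unifiedRoleAssignment bodies).
Added example; constructed identifiers, no tenant access required."""
import re
import uuid

# Constructed sample object IDs for this example (not real tenant data).
APP_OBJECT_ID = "11111111-1111-4111-8111-111111111111"
USER_OBJECT_ID = "22222222-2222-4222-8222-222222222222"

# The article's permission names carry a directory namespace prefix that the
# extraction dropped; a placeholder is used here and actions are compared by suffix.
ACTION_NAMESPACE = "<directory-namespace>"

GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)


def action(suffix):
    """Full resource action name, e.g. '<directory-namespace>/applications/create'."""
    return f"{ACTION_NAMESPACE}/{suffix}"


def build_role_definition(display_name, description, actions, template_id=None):
    """unifiedRoleDefinition body in the shape of the article's POST examples.
    templateId is optional; pass one when the same role must be re-created
    from a template in several tenants."""
    body = {
        "description": description,
        "displayName": display_name,
        "isEnabled": True,
        "rolePermissions": [{"allowedResourceActions": list(actions)}],
    }
    if template_id is not None:
        body["templateId"] = template_id
    return body


def resource_scope(app_object_id):
    """Scope limited to one app registration: '/' followed by its object ID."""
    return "/" + app_object_id


def build_role_assignment(principal_id, role_definition_id, directory_scope_id="/"):
    """unifiedRoleAssignment body; '/' is the organization-wide default scope."""
    return {
        "principalId": principal_id,
        "roleDefinitionId": role_definition_id,
        "directoryScopeId": directory_scope_id,
    }


def validate_assignment(assignment):
    """Structural problems to catch before POSTing; an empty list means clean."""
    problems = []
    for key in ("principalId", "roleDefinitionId"):
        if not GUID_RE.match(assignment.get(key, "")):
            problems.append(f"{key} is not a GUID")
    scope = assignment.get("directoryScopeId", "")
    if scope != "/" and not (scope.startswith("/") and GUID_RE.match(scope[1:])):
        problems.append("directoryScopeId must be '/' or '/<app registration object id>'")
    return problems


def create_behaviour(actions):
    """Effect of the two app-creation permissions described in the article:
    'create' takes precedence over 'createAsOwner' when both are granted."""
    has_create = any(a.endswith("/applications/create") for a in actions)
    has_owner = any(a.endswith("/applications/createAsOwner") for a in actions)
    if has_create:
        return {"can_create": True, "creator_is_owner": False, "counts_against_quota": False}
    if has_owner:
        return {"can_create": True, "creator_is_owner": True, "counts_against_quota": True}
    return {"can_create": False, "creator_is_owner": False, "counts_against_quota": False}


def review(role_definition, assignment):
    """Risk notes for a definition/assignment pair, following the article's guidance."""
    actions = [a for perm in role_definition["rolePermissions"]
               for a in perm["allowedResourceActions"]]
    scope = assignment["directoryScopeId"]
    notes = []
    behaviour = create_behaviour(actions)
    if behaviour["can_create"] and not behaviour["counts_against_quota"]:
        notes.append("unbounded app registration creation: only the directory-level quota applies")
    if scope == "/" and any(a.endswith("/applications/credentials/update") for a in actions):
        notes.append("credential update over every app registration in the organization")
    if scope != "/":
        notes.append(f"limited to the single resource {scope}")
    return notes


def demo():
    """The articles' two roles: one scoped to a single app, one organization-wide."""
    support = build_role_definition(
        "Application Support Administrator",
        "Can manage basic aspects of application registrations.",
        [action("applications/basic/update"), action("applications/credentials/update")],
        template_id=str(uuid.uuid4()))
    creator = build_role_definition(
        "Application Registration Creator",
        "Can create an unlimited number of application registrations.",
        [action("applications/create"), action("applications/createAsOwner")])
    scoped = build_role_assignment(USER_OBJECT_ID, str(uuid.uuid4()), resource_scope(APP_OBJECT_ID))
    tenant_wide = build_role_assignment(USER_OBJECT_ID, str(uuid.uuid4()))
    return {"support": review(support, scoped), "creator": review(creator, tenant_wide)}


if __name__ == "__main__":
    for name, notes in demo().items():
        print(name, notes)
```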
PowerShell
Create a custom role
Create a new role using the following PowerShell script:
PowerShell
# Basic role information
$displayName = "Application Registration Creator"
$description = "Can create an unlimited number of application registrations."
$templateId = (New-Guid).Guid
# Set of permissions to grant
$allowedResourceAction = @(
    "[Link]/applications/create",
    "[Link]/applications/createAsOwner"
)
$rolePermissions = @{'allowedResourceActions' = $allowedResourceAction}
# Create new custom admin role
$customRole = New-AzureADMSRoleDefinition -RolePermissions $rolePermissions `
    -DisplayName $displayName -Description $description -TemplateId $templateId `
    -IsEnabled $true
Assign the role
Assign the role using the following PowerShell script:
PowerShell
# Get the user and role definition you want to link
$user = Get-AzureADUser -Filter "userPrincipalName eq 'Adam@[Link]'"
$roleDefinition = Get-AzureADMSRoleDefinition -Filter "displayName eq 'Application Registration Creator'"
# Get resource scope for assignment ('/' is the organization-wide scope)
$resourceScope = '/'
# Create a role assignment (the scope parameter is -DirectoryScopeId)
$roleAssignment = New-AzureADMSRoleAssignment -DirectoryScopeId $resourceScope `
    -RoleDefinitionId $[Link] -PrincipalId $[Link]
Microsoft Graph API
Create a custom role
Use the Create unifiedRoleDefinition API to create a custom role.
HTTP
POST [Link]
Body
HTTP
{
    "description": "Can create an unlimited number of application registrations.",
    "displayName": "Application Registration Creator",
    "isEnabled": true,
    "rolePermissions": [
        {
            "allowedResourceActions": [
                "[Link]/applications/create",
                "[Link]/applications/createAsOwner"
            ]
        }
    ],
    "templateId": "<PROVIDE NEW GUID HERE>",
    "version": "1"
}
Assign the role
Use the Create unifiedRoleAssignment API to assign the custom role. The role
assignment combines a security principal ID (which can be a user or service principal), a
role definition (role) ID, and an Azure AD resource scope.
HTTP
POST [Link]
Body
HTTP
{
    "@[Link]": "#[Link]",
    "principalId": "<PROVIDE OBJECTID OF USER TO ASSIGN HERE>",
    "roleDefinitionId": "<PROVIDE OBJECTID OF ROLE DEFINITION HERE>",
    "directoryScopeId": "/"
}
Next steps
Feel free to share with us on the Azure AD administrative roles forum.
For more about Azure AD roles, see Azure AD built-in roles.
For more about default user permissions, see comparison of default guest and
member user permissions.
Create or delete administrative units
Article • 01/25/2023 • 2 minutes to read
Administrative units let you subdivide your organization into any unit that you want, and
then assign specific administrators that can manage only the members of that unit. For
example, you could use administrative units to delegate permissions to administrators
of each school at a large university, so they could control access, manage users, and set
policies only in the School of Engineering.
This article describes how to create or delete administrative units to restrict the scope of
role permissions in Azure Active Directory (Azure AD).
Prerequisites
Azure AD Premium P1 or P2 license for each administrative unit administrator
Azure AD Free licenses for administrative unit members
Privileged Role Administrator or Global Administrator
AzureAD module when using PowerShell
Admin consent when using Graph explorer for Microsoft Graph API
For more information, see Prerequisites to use PowerShell or Graph Explorer.
Create an administrative unit
You can create a new administrative unit by using either the Azure portal, PowerShell or
Microsoft Graph.
Azure portal
1. Sign in to the Azure portal or Azure AD admin center.
2. Select Azure Active Directory > Administrative units.
3. Select Add.
4. In the Name box, enter the name of the administrative unit. Optionally, add a
description of the administrative unit.
5. Optionally, on the Assign roles tab, select a role and then select the users to assign
the role to with this administrative unit scope.
6. On the Review + create tab, review the administrative unit and any role
assignments.
7. Select the Create button.
PowerShell
Use the New-AzureADMSAdministrativeUnit command to create a new administrative
unit.
PowerShell
New-AzureADMSAdministrativeUnit -Description "West Coast region" -DisplayName "West Coast"
Microsoft Graph PowerShell
Use the New-MgDirectoryAdministrativeUnit command to create a new administrative
unit.
PowerShell
Import-Module [Link]
$params = @{
    DisplayName = "Seattle District Technical Schools"
    Description = "Seattle district technical schools administration"
    Visibility  = "HiddenMembership"
}
New-MgDirectoryAdministrativeUnit -BodyParameter $params
Microsoft Graph API
Use the Create administrativeUnit API to create a new administrative unit.
Request
HTTP
POST [Link]
Body
HTTP
{
    "displayName": "North America Operations",
    "description": "North America Operations administration"
}
Delete an administrative unit
In Azure AD, you can delete an administrative unit that you no longer need as a unit of
scope for administrative roles. Before you delete the administrative unit, you should
remove any role assignments with that administrative unit scope.
Azure portal
1. Sign in to the Azure portal or Azure AD admin center.
2. Select Azure Active Directory > Administrative units and then select the
administrative unit you want to delete.
3. Select Roles and administrators, and then open a role to view the role
assignments.
4. Remove all the role assignments with the administrative unit scope.
5. Select Azure Active Directory > Administrative units.
6. Add a check mark next to the administrative unit you want to delete.
7. Select Delete.
8. To confirm that you want to delete the administrative unit, select Yes.
PowerShell
Use the Remove-AzureADMSAdministrativeUnit command to delete an administrative
unit.
PowerShell
$adminUnitObj = Get-AzureADMSAdministrativeUnit -Filter "displayname eq 'DeleteMe Admin Unit'"
Remove-AzureADMSAdministrativeUnit -Id $[Link]
Microsoft Graph API
Use the Delete administrativeUnit API to delete an administrative unit.
HTTP
DELETE [Link]id}
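Added example, not part of the article: a Python pre-flight that enforces the rule above before an administrative unit is deleted. It finds the role assignments whose scope is that unit and orders the Graph calls so those assignments are removed first and the unit last; a failed call stops the sequence. The assignment records are constructed sample data in the shape of unifiedRoleAssignment objects, where an administrative-unit scope is written as /administrativeUnits/{id}.

```python
"""Pre-flight for deleting an administrative unit: remove the role assignments
scoped to the unit first, then the unit itself. Added example with constructed data."""

# Constructed sample IDs for this example (not real tenant data).
AU_ID = "33333333-3333-4333-8333-333333333333"
OTHER_AU_ID = "44444444-4444-4444-8444-444444444444"

# Shape of unifiedRoleAssignment objects as returned by the Graph API; an
# administrative-unit scope is written as '/administrativeUnits/{id}'.
SAMPLE_ASSIGNMENTS = [
    {"id": "ra-1", "principalId": "user-a", "roleDefinitionId": "role-x",
     "directoryScopeId": f"/administrativeUnits/{AU_ID}"},
    {"id": "ra-2", "principalId": "user-b", "roleDefinitionId": "role-y",
     "directoryScopeId": "/"},
    {"id": "ra-3", "principalId": "user-c", "roleDefinitionId": "role-x",
     "directoryScopeId": f"/administrativeUnits/{OTHER_AU_ID}"},
]


def au_scope(au_id):
    """directoryScopeId value that restricts an assignment to one administrative unit."""
    return f"/administrativeUnits/{au_id}"


def assignments_scoped_to(au_id, assignments):
    """Role assignments that still use the unit as their scope (case-insensitive match)."""
    wanted = au_scope(au_id).lower()
    return [a for a in assignments if a.get("directoryScopeId", "").lower() == wanted]


def plan_delete(au_id, assignments):
    """Ordered (method, path) Graph calls: blocking assignments first, then the unit."""
    steps = [("DELETE", f"/roleManagement/directory/roleAssignments/{a['id']}")
             for a in assignments_scoped_to(au_id, assignments)]
    steps.append(("DELETE", f"/directory/administrativeUnits/{au_id}"))
    return steps


def execute(plan, send):
    """Run the plan through send(method, path) -> bool, stopping at the first
    failure so the unit is never deleted while one of its assignments remains.
    Returns (completed steps, failed step or None)."""
    done = []
    for method, path in plan:
        if not send(method, path):
            return done, (method, path)
        done.append((method, path))
    return done, None


if __name__ == "__main__":
    calls = []

    def fake_send(method, path):  # stands in for a real Graph client
        calls.append((method, path))
        return True

    print(execute(plan_delete(AU_ID, SAMPLE_ASSIGNMENTS), fake_send))
```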
Next steps
Add users, groups, or devices to an administrative unit
Assign Azure AD roles with administrative unit scope
Add users, groups, or devices to an administrative unit
Article • 10/05/2022 • 3 minutes to read
In Azure Active Directory (Azure AD), you can add users, groups, or devices to an
administrative unit to restrict the scope of role permissions. Adding a group to an
administrative unit brings the group itself into the management scope of the
administrative unit, but not the members of the group. For additional details on what
scoped administrators can do, see Administrative units in Azure Active Directory.
This article describes how to add users, groups, or devices to administrative units
manually. For information about how to add users or devices to administrative units
dynamically using rules, see Manage users or devices for an administrative unit with
dynamic membership rules.
Prerequisites
Azure AD Premium P1 or P2 license for each administrative unit administrator
Azure AD Free licenses for administrative unit members
To add existing users, groups, or devices:
Privileged Role Administrator or Global Administrator
To create new groups:
Groups Administrator (scoped to the administrative unit or entire directory) or
Global Administrator
Microsoft Graph PowerShell
Admin consent when using Graph explorer for Microsoft Graph API
For more information, see Prerequisites to use PowerShell or Graph Explorer.
Azure portal
You can add users, groups, or devices to administrative units using the Azure portal. You
can also add users in a bulk operation or create a new group in an administrative unit.
Add a single user, group, or device to administrative units
1. Sign in to the Azure portal or Azure AD admin center.
2. Select Azure Active Directory.
3. Select one of the following:
Users
Groups
Devices > All devices
4. Select the user, group, or device you want to add to administrative units.
5. Select Administrative units.
6. Select Assign to administrative unit.
7. In the Select pane, select the administrative units and then select Select.
Add users, groups, or devices to a single administrative
unit
1. Sign in to the Azure portal or Azure AD admin center.
2. Select Azure Active Directory.
3. Select Administrative units and then select the administrative unit you want to
add users, groups, or devices to.
4. Select one of the following:
Users
Groups
Devices
5. Select Add member, Add, or Add device.
6. In the Select pane, select the users, groups, or devices you want to add to the
administrative unit and then select Select.
Add users to an administrative unit in a bulk operation
1. Sign in to the Azure portal or Azure AD admin center.
2. Select Azure Active Directory.
3. Select Administrative units and then select the administrative unit you want to
add users to.
4. Select the administrative unit to which you want to add users.
5. Select Users > Bulk operations > Bulk add members.
6. In the Bulk add members pane, download the comma-separated values (CSV)
template.
7. Edit the downloaded CSV template with the list of users you want to add.
Add one user principal name (UPN) in each row. Don't remove the first two rows of
the template.
8. Save your changes and upload the CSV file.
9. Select Submit.
Create a new group in an administrative unit
1. Sign in to the Azure portal or Azure AD admin center.
2. Select Azure Active Directory.
3. Select Administrative units and then select the administrative unit you want to
create a new group in.
4. Select Groups.
5. Select New group and complete the steps to create a new group.
PowerShell
Use the Invoke-MgGraphRequest command to add users, groups, or devices to an
administrative unit or to create a new group in an administrative unit.
Add users to an administrative unit
PowerShell
Invoke-MgGraphRequest -Method POST -Uri '[Link]D}/members/' -Body '{
    "@[Link]": "[Link]"
}'
Add groups to an administrative unit
PowerShell
Invoke-MgGraphRequest -Method POST -Uri '[Link]D}/members/' -Body '{
    "@[Link]": "[Link]"
}'
Add devices to an administrative unit
PowerShell
Invoke-MgGraphRequest -Method POST -Uri '[Link]D}/members/' -Body '{
    "@[Link]": "[Link]"
}'
Create a new group in an administrative unit
PowerShell
$exampleGroup = Invoke-MgGraphRequest -Method POST -Uri '[Link]D}/members/' -Body '{
    "@[Link]": "#[Link]",
    "description": "{Example group description}",
    "displayName": "{Example group name}",
    "groupTypes": [
        "Unified"
    ],
    "mailEnabled": true,
    "mailNickname": "{exampleGroup}",
    "securityEnabled": false
}'
Microsoft Graph API
Use the Add a member API to add users, groups, or devices to an administrative unit or
create a new group in an administrative unit.
Add users to an administrative unit
Request
HTTP
POST [Link]unit-id}/members/$ref
Body
HTTP
{
    "@[Link]": "[Link]"
}
Example
HTTP
{
    "@[Link]": "[Link]"
}
Add groups to an administrative unit
Request
HTTP
POST [Link]unit-id}/members/$ref
Body
HTTP
{
    "@[Link]": "[Link]"
}
Example
HTTP
{
    "@[Link]": "[Link]b257-ba27827628f3"
}
Add devices to an administrative unit
Request
HTTP
POST [Link]unit-id}/members/$ref
Body
HTTP
{
    "@[Link]": "[Link]"
}
Create a new group in an administrative unit
Request
HTTP
POST [Link]unit-id}/members/
Body
HTTP
{
    "@[Link]": "#[Link]",
    "description": "{Example group description}",
    "displayName": "{Example group name}",
    "groupTypes": [
        "Unified"
    ],
    "mailEnabled": true,
    "mailNickname": "{examplegroup}",
    "securityEnabled": false
}
Next steps
Administrative units in Azure Active Directory
Assign Azure AD roles with administrative unit scope
Manage users or devices for an administrative unit with dynamic membership rules
Remove users, groups, or devices from an administrative unit
List users, groups, or devices in an administrative unit
Article • 08/21/2022 • 2 minutes to read
In Azure Active Directory (Azure AD), you can list the users, groups, or devices in
administrative units.
Prerequisites
Azure AD Premium P1 or P2 license for each administrative unit administrator
Azure AD Free licenses for administrative unit members
AzureAD module when using PowerShell
AzureADPreview module when using PowerShell for devices
Admin consent when using Graph explorer for Microsoft Graph API
For more information, see Prerequisites to use PowerShell or Graph Explorer.
Azure portal
You can list the users, groups, or devices in administrative units using the Azure portal.
List the administrative units for a single user, group, or
device
1. Sign in to the Azure portal or Azure AD admin center.
2. Select Azure Active Directory.
3. Select one of the following:
Users
Groups
Devices > All devices
4. Select the user, group, or device whose administrative units you want to list.
5. Select Administrative units to list all the administrative units where the user,
group, or device is a member.
List the users, groups, or devices for a single
administrative unit
1. Sign in to the Azure portal or Azure AD admin center.
2. Select Azure Active Directory.
3. Select Administrative units and then select the administrative unit that you want
to list the users, groups, or devices for.
4. Select one of the following:
Users
Groups
Devices
List the devices for an administrative unit by using the All
devices page
1. Sign in to the Azure portal or Azure AD admin center.
2. Select Azure Active Directory.
3. Select Devices > All devices.
4. Select the filter for administrative unit.
5. Select the administrative unit whose devices you want to list.
PowerShell
Use the Get-AzureADMSAdministrativeUnit and Get-AzureADMSAdministrativeUnitMember
commands to list users or groups for an administrative unit.
Use the Get-AzureADMSAdministrativeUnit (Preview) and
Get-AzureADMSAdministrativeUnitMember (Preview) commands to list devices for an
administrative unit.
Note
By default, Get-AzureADMSAdministrativeUnitMember returns only top members
of an administrative unit. To retrieve all members, add the -All $true parameter.
List the administrative units for a user
PowerShell
$userObj = Get-AzureADUser -Filter "UserPrincipalName eq 'bill@[Link]'"
# -All $true so that membership beyond the default page of results is checked
Get-AzureADMSAdministrativeUnit | where { Get-AzureADMSAdministrativeUnitMember -Id $_.Id -All $true | where {$_.Id -eq $[Link]} }
List the administrative units for a group
PowerShell
$groupObj = Get-AzureADGroup -Filter "displayname eq 'TestGroup'"
# -All $true so that membership beyond the default page of results is checked
Get-AzureADMSAdministrativeUnit | where { Get-AzureADMSAdministrativeUnitMember -Id $_.Id -All $true | where {$_.Id -eq $[Link]} }
List the administrative units for a device
PowerShell
Get-AzureADMSAdministrativeUnit | where { Get-AzureADMSAdministrativeUnitMember -ObjectId $_.ObjectId | where {$_.ObjectId -eq $deviceObjId} }
List the users, groups, and devices for an administrative unit
PowerShell
$adminUnitObj = Get-AzureADMSAdministrativeUnit -Filter "displayname eq 'Test administrative unit 2'"
Get-AzureADMSAdministrativeUnitMember -Id $[Link]
List the groups for an administrative unit
PowerShell
$adminUnitObj = Get-AzureADMSAdministrativeUnit -Filter "displayname eq 'Test administrative unit 2'"
foreach ($member in (Get-AzureADMSAdministrativeUnitMember -Id $[Link]))
{
    if($[Link] -eq "#[Link]")
    {
        Get-AzureADGroup -ObjectId $[Link]
    }
}
List the devices for an administrative unit
PowerShell
$adminUnitObj = Get-AzureADMSAdministrativeUnit -Filter "displayname eq 'Test administrative unit 2'"
foreach ($member in (Get-AzureADMSAdministrativeUnitMember -Id $[Link]))
{
    if($[Link] -eq "Device")
    {
        Get-AzureADDevice -ObjectId $[Link]
    }
}
Microsoft Graph API
Use the List members API to list users or groups for an administrative unit.
Use the List members (Beta) API to list devices for an administrative unit.
List the administrative units for a user
HTTP
GET [Link]id}/memberOf/$/[Link]
List the administrative units for a group
HTTP
GET [Link]id}/memberOf/$/[Link]
List the administrative units for a device
HTTP
GET [Link]id}/memberOf/$/[Link]
List the groups for an administrative unit
HTTP
GET [Link]unit-id}/members/$/[Link]
List the devices for an administrative unit
HTTP
GET [Link]id}/members/$/[Link]
Next steps
Add users, groups, or devices to an administrative unit
Assign Azure AD roles with administrative unit scope
Remove users, groups, or devices from an administrative unit
Article • 08/21/2022 • 2 minutes to read
When users, groups, or devices in an administrative unit no longer need access, you can
remove them.
Prerequisites
Azure AD Premium P1 or P2 license for each administrative unit administrator
Azure AD Free licenses for administrative unit members
Privileged Role Administrator or Global Administrator
AzureAD module when using PowerShell
AzureADPreview module when using PowerShell for devices
Admin consent when using Graph explorer for Microsoft Graph API
For more information, see Prerequisites to use PowerShell or Graph Explorer.
Azure portal
You can remove users, groups, or devices from administrative units individually using
the Azure portal. You can also remove users in a bulk operation.
Remove a single user, group, or device from administrative units
1. Sign in to the Azure portal or Azure AD admin center .
2. Select Azure Active Directory.
3. Select one of the following:
Users
Groups
Devices > All devices
4. Select the user, group, or device you want to remove from an administrative unit.
5. Select Administrative units.
6. Add check marks next to the administrative units you want to remove the user, group, or device from.
7. Select Remove from administrative unit.
Remove users, groups, or devices from a single administrative unit
1. Sign in to the Azure portal or Azure AD admin center .
2. Select Azure Active Directory.
3. Select Administrative units and then select the administrative unit that you want to remove users, groups, or devices from.
4. Select one of the following:
Users
Groups
Devices
5. Add check marks next to the users, groups, or devices you want to remove.
6. Select Remove member, Remove, or Remove device.
Remove users from an administrative unit in a bulk operation
1. Sign in to the Azure portal or Azure AD admin center .
2. Select Azure Active Directory.
3. Select Administrative units and then select the administrative unit that you want to remove users from.
4. Select Users > Bulk operations > Bulk remove members.
5. In the Bulk remove members pane, download the comma-separated values (CSV) template.
6. Edit the downloaded CSV template with the list of users you want to remove. Add one user principal name (UPN) in each row. Don't remove the first two rows of the template.
7. Save your changes and upload the CSV file.
8. Select Submit.
PowerShell
Use the Remove-AzureADMSAdministrativeUnitMember command to remove users or
groups from an administrative unit.
Use the Remove-AzureADMSAdministrativeUnitMember (Preview) command to remove
devices from an administrative unit.
Remove users from an administrative unit
PowerShell
$adminUnitObj = Get-AzureADMSAdministrativeUnit -Filter "displayname eq 'Test administrative unit 2'"
$userObj = Get-AzureADUser -Filter "UserPrincipalName eq 'bill@[Link]'"
Remove-AzureADMSAdministrativeUnitMember -Id $[Link] -MemberId $[Link]
Remove groups from an administrative unit
PowerShell
$adminUnitObj = Get-AzureADMSAdministrativeUnit -Filter "displayname eq 'Test administrative unit 2'"
$groupObj = Get-AzureADGroup -Filter "displayname eq 'TestGroup'"
Remove-AzureADMSAdministrativeUnitMember -Id $[Link] -MemberId $[Link]
Remove devices from an administrative unit
PowerShell
Remove-AzureADMSAdministrativeUnitMember -ObjectId $adminUnitId -MemberId $deviceObjId
Microsoft Graph API
Use the Remove a member API to remove users or groups from an administrative unit.
Use the Remove a member (Beta) API to remove devices from an administrative unit.
Remove users from an administrative unit
HTTP
DELETE [Link]id}/members/{user-id}/$ref
Remove groups from an administrative unit
HTTP
DELETE [Link]id}/members/{group-id}/$ref
Remove devices from an administrative unit
HTTP
DELETE [Link]id}/members/{device-id}/$ref
Next steps
Add users, groups, or devices to an administrative unit
Assign Azure AD roles with administrative unit scope
Manage users or devices for an administrative unit with dynamic membership rules (Preview)
Article • 08/21/2022 • 5 minutes to read
Important
Dynamic membership rules for administrative units are currently in PREVIEW. See
the Supplemental Terms of Use for Microsoft Azure Previews for legal terms
that apply to Azure features that are in beta, preview, or otherwise not yet released
into general availability.
You can add or remove users or devices for administrative units manually. With this
preview, you can add or remove users or devices for administrative units dynamically
using rules. This article describes how to create administrative units with dynamic
membership rules using the Azure portal, PowerShell, or Microsoft Graph API.
Note
Dynamic membership rules for administrative units can be created using the same
attributes available for dynamic groups. For more information about the specific
attributes available and examples on how to use them, see Dynamic membership
rules for groups in Azure Active Directory.
Although administrative units with members assigned manually support multiple object
types, such as user, group, and devices, it is currently not possible to create an
administrative unit with dynamic membership rules that includes more than one object
type. For example, you can create administrative units with dynamic membership rules
for users or devices, but not both. Administrative units with dynamic membership rules
for groups are currently not supported.
Prerequisites
Azure AD Premium P1 or P2 license for each administrative unit administrator
Azure AD Premium P1 or P2 license for each administrative unit member
Privileged Role Administrator or Global Administrator
AzureADPreview module when using PowerShell
Admin consent when using Graph explorer for Microsoft Graph API
Global Azure cloud (not available in specialized clouds, such as Azure Government
or Azure China)
Note
Dynamic membership rules for administrative units require an Azure AD Premium
P1 license for each unique user that is a member of one or more dynamic
administrative units. You don't have to assign licenses to users for them to be
members of dynamic administrative units, but you must have the minimum number
of licenses in the Azure AD organization to cover all such users. For example, if you
had a total of 1,000 unique users in all dynamic administrative units in your
organization, you would need at least 1,000 licenses for Azure AD Premium P1 to
meet the license requirement. No license is required for devices that are members
of a dynamic device administrative unit.
For more information, see Prerequisites to use PowerShell or Graph Explorer.
Add dynamic membership rules
Follow these steps to create administrative units with dynamic membership rules for
users or devices.
Azure portal
1. Sign in to the Azure portal or Azure AD admin center .
2. Select Azure Active Directory.
3. Select Administrative units and then select the administrative unit that you want
to add users or devices to.
4. Select Properties.
5. In the Membership type list, select Dynamic User or Dynamic Device, depending
on the type of rule you want to add.
6. Select Add dynamic query.
7. Use the rule builder to specify the dynamic membership rule. For more
information, see Rule builder in the Azure portal.
8. When finished, select Save to save the dynamic membership rule.
9. On the Properties page, select Save to save the membership type and query.
The following message is displayed:
After changing the administrative unit type, the existing membership may change
based on the dynamic membership rule you provide.
10. Select Yes to continue.
For steps on how to edit your rule, see the following Edit dynamic membership rules
section.
PowerShell
1. Create a dynamic membership rule. For more information, see Dynamic
membership rules for groups in Azure Active Directory.
2. Use the Connect-AzureAD command to connect with Azure Active Directory with a
user that has been assigned the Privileged Role Administrator or Global
Administrator role.
PowerShell
# Connect to Azure AD
Connect-AzureAD
3. Use the New-AzureADMSAdministrativeUnit command to create a new
administrative unit with a dynamic membership rule using the following
parameters:
MembershipType : Dynamic or Assigned
MembershipRule : Dynamic membership rule you created in a previous step
MembershipRuleProcessingState : On or Paused
PowerShell
# Create an administrative unit for users in the United States
$adminUnit = New-AzureADMSAdministrativeUnit -DisplayName "Example Admin Unit" -Description "Example Dynamic Membership Admin Unit" -MembershipType "Dynamic" -MembershipRuleProcessingState "On" -MembershipRule '([Link] -eq "United States")'
Microsoft Graph API
1. Create a dynamic membership rule. For more information, see Dynamic
membership rules for groups in Azure Active Directory.
2. Use the Create administrativeUnit API to create a new administrative unit with a
dynamic membership rule.
The following shows an example of a dynamic membership rule that applies to
Windows devices.
Request
HTTP
POST [Link]
Body
HTTP
{
"displayName": "Windows Devices",
"description": "All Contoso devices running Windows",
"membershipType": "Dynamic",
"membershipRule": "([Link] -eq \"Windows\")",
"membershipRuleProcessingState": "On"
}
Edit dynamic membership rules
When an administrative unit has been configured for dynamic membership, the usual
commands to add or remove members for the administrative unit are disabled as the
dynamic membership engine retains the sole ownership of adding or removing
members. To make changes to the membership, you can edit the dynamic membership
rules.
Azure portal
1. Sign in to the Azure portal or Azure AD admin center .
2. Select Azure Active Directory.
3. Select Administrative units and then select the administrative unit that has the
dynamic membership rules you want to edit.
4. Select Membership rules to edit the dynamic membership rules using the rule
builder.
You can also open the rule builder by selecting Dynamic membership rules in the
left navigation.
5. When finished, select Save to save the dynamic membership rule changes.
PowerShell
Use the Set-AzureADMSAdministrativeUnit command to edit the dynamic membership
rule.
PowerShell
# Set a new dynamic membership rule for an administrative unit
Set-AzureADMSAdministrativeUnit -Id $[Link] -MembershipRule '([Link] -eq "Germany")'
Microsoft Graph API
Use the Update administrativeUnit API to edit the dynamic membership rule.
Request
HTTP
PATCH [Link]
Body
HTTP
{
    "membershipRule": "([Link] -eq \"Germany\")"
}
Change a dynamic administrative unit to assigned
Follow these steps to change an administrative unit with dynamic membership rules to
an administrative unit where members are manually assigned.
Azure portal
1. Sign in to the Azure portal or Azure AD admin center .
2. Select Azure Active Directory.
3. Select Administrative units and then select the administrative unit that you want
to change to assigned.
4. Select Properties.
5. In the Membership type list, select Assigned.
6. Select Save to save the membership type.
The following message is displayed:
After changing the administrative unit type, the dynamic rule will no longer be
processed. Current administrative unit members will remain in the administrative
unit and the administrative unit will have assigned membership.
7. Select Yes to continue.
When the membership type setting is changed from dynamic to assigned, the
current members remain intact in the administrative unit. Additionally, the ability
to add groups to the administrative unit is enabled.
PowerShell
Use the Set-AzureADMSAdministrativeUnit command to change the membership type
setting.
PowerShell
# Change an administrative unit to assigned
Set-AzureADMSAdministrativeUnit -Id $[Link] -MembershipType "Assigned" -MembershipRuleProcessingState "Paused"
Microsoft Graph API
Use the Update administrativeUnit API to change the membership type setting.
Request
HTTP
PATCH [Link]
Body
HTTP
{
"membershipType": "Assigned"
}
Next steps
Assign Azure AD roles with administrative unit scope
Add users or groups to an administrative unit
Azure AD administrative units: Troubleshooting and FAQ
Assign Azure AD roles with administrative unit scope
Article • 01/04/2023 • 5 minutes to read
In Azure Active Directory (Azure AD), for more granular administrative control, you can
assign an Azure AD role with a scope that's limited to one or more administrative units.
When an Azure AD role is assigned at the scope of an administrative unit, role
permissions apply only when managing members of the administrative unit itself, and
do not apply to tenant-wide settings or configurations.
For example, an administrator who is assigned the Groups Administrator role at the
scope of an administrative unit can manage groups that are members of the
administrative unit, but they cannot manage other groups in the tenant. They also
cannot manage tenant-level settings related to groups, such as expiration or group
naming policies.
This article describes how to assign Azure AD roles with administrative unit scope.
Prerequisites
Azure AD Premium P1 or P2 license for each administrative unit administrator
Azure AD Free licenses for administrative unit members
Privileged Role Administrator or Global Administrator
AzureAD module when using PowerShell
Admin consent when using Graph explorer for Microsoft Graph API
For more information, see Prerequisites to use PowerShell or Graph Explorer.
Roles that can be assigned with administrative unit scope
The following Azure AD roles can be assigned with administrative unit scope.
Additionally, any custom role can be assigned with administrative unit scope as long as
the custom role's permissions include at least one permission relevant to users, groups,
or devices.
Role and description:
Authentication Administrator: Has access to view, set, and reset authentication method information for any non-admin user in the assigned administrative unit only.
Cloud Device Administrator: Limited access to manage devices in Azure AD.
Groups Administrator: Can manage all aspects of groups in the assigned administrative unit only.
Helpdesk Administrator: Can reset passwords for non-administrators in the assigned administrative unit only.
License Administrator: Can assign, remove, and update license assignments within the administrative unit only.
Password Administrator: Can reset passwords for non-administrators within the assigned administrative unit only.
Printer Administrator: Can manage printers and printer connectors. For more information, see Delegate administration of printers in Universal Print.
SharePoint Administrator: Can manage Microsoft 365 groups in the assigned administrative unit only. For SharePoint sites associated with Microsoft 365 groups in an administrative unit, can also update site properties (site name, URL, and external sharing policy) using the Microsoft 365 admin center. Cannot use the SharePoint admin center or SharePoint APIs to manage sites.
Teams Administrator: Can manage Microsoft 365 groups in the assigned administrative unit only. Can manage team members in the Microsoft 365 admin center for teams associated with groups in the assigned administrative unit only. Cannot use the Teams admin center.
Teams Devices Administrator: Can perform management related tasks on Teams certified devices.
User Administrator: Can manage all aspects of users and groups, including resetting passwords for limited admins within the assigned administrative unit only. Cannot currently manage users' profile photographs.
<Custom role>: Can perform actions that apply to users, groups, or devices, according to the definition of the custom role.
Certain role permissions apply only to non-administrator users when assigned with the scope of an administrative unit. In other words, administrative unit scoped Helpdesk Administrators can reset passwords for users in the administrative unit only if those users do not have administrator roles. The following permissions are restricted when the target of an action is another administrator:
Read and modify user authentication methods, or reset user passwords
Modify sensitive user properties such as telephone numbers, alternate email
addresses, or OAuth secret keys
Delete or restore user accounts
Security principals that can be assigned with administrative unit scope
The following security principals can be assigned to a role with an administrative unit
scope:
Users
Azure AD role-assignable groups
Service principals
Service principals and guest users
Service principals and guest users will not be able to use a role assignment scoped to an
administrative unit unless they are also assigned corresponding permissions to read the
objects. This is because service principals and guest users do not receive directory read
permissions by default, which are required to perform administrative actions. To enable
a service principal or guest user to use a role assignment scoped to an administrative
unit, you must assign the Directory Readers role (or another role that includes read
permissions) at a tenant scope.
It is not currently possible to assign directory read permissions scoped to an
administrative unit. For more information about default permissions for users, see
default user permissions.
Assign a role with an administrative unit scope
You can assign an Azure AD role with an administrative unit scope by using the Azure
portal, PowerShell, or Microsoft Graph.
Azure portal
1. Sign in to the Azure portal or Azure AD admin center .
2. Select Azure Active Directory > Administrative units and then select the administrative unit that you want to scope the role assignment to.
3. On the left pane, select Roles and administrators to list all the available roles.
4. Select the role to be assigned, and then select Add assignments.
5. On the Add assignments pane, select one or more users to be assigned to the
role.
Note
To assign a role on an administrative unit by using Azure AD Privileged Identity
Management (PIM), see Assign Azure AD roles in PIM.
PowerShell
Use the New-AzureADMSRoleAssignment command and the DirectoryScopeId
parameter to assign a role with administrative unit scope.
PowerShell
$user = Get-AzureADUser -Filter "userPrincipalName eq 'Example_UPN'"
$roleDefinition = Get-AzureADMSRoleDefinition -Filter "displayName eq 'Example_role_name'"
$adminUnit = Get-AzureADMSAdministrativeUnit -Filter "displayName eq 'Example_admin_unit_name'"
$directoryScope = '/administrativeUnits/' + $[Link]
$roleAssignment = New-AzureADMSRoleAssignment -DirectoryScopeId $directoryScope -RoleDefinitionId $[Link] -PrincipalId $[Link]
Microsoft Graph API
Use the Add a scopedRoleMember API to assign a role with administrative unit scope.
Request
HTTP
POST /directory/administrativeUnits/{admin-unit-id}/scopedRoleMembers
Body
HTTP
{
"roleId": "roleId-value",
"roleMemberInfo": {
"id": "id-value"
}
}
List role assignments with administrative unit scope
You can view a list of Azure AD role assignments with administrative unit scope by using
the Azure portal, PowerShell, or Microsoft Graph.
Azure portal
You can view all the role assignments created with an administrative unit scope in the
Administrative units section of Azure AD .
1. Sign in to the Azure portal or Azure AD admin center .
2. Select Azure Active Directory > Administrative units and then select the
administrative unit for the list of role assignments you want to view.
3. Select Roles and administrators, and then open a role to view the assignments in
the administrative unit.
PowerShell
Use the Get-AzureADMSScopedRoleMembership command to list role assignments with
administrative unit scope.
PowerShell
$adminUnit = Get-AzureADMSAdministrativeUnit -Filter "displayname eq 'Example_admin_unit_name'"
Get-AzureADMSScopedRoleMembership -Id $[Link] | fl *
Microsoft Graph API
Use the List scopedRoleMembers API to list role assignments with administrative unit
scope.
Request
HTTP
GET /directory/administrativeUnits/{admin-unit-id}/scopedRoleMembers
Body
HTTP
{}
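The listing above shows one administrative unit at a time, and the earlier section on service principals and guest users notes that an administrative unit scoped assignment to such a principal is unusable unless the principal also holds Directory Readers (or another read role) at tenant scope. The following audit script is an added example, not Microsoft's code: it takes assignment records with the three fields the page's New-AzureADMSRoleAssignment call uses (principalId, roleDefinitionId, directoryScopeId), classifies each by scope, inventories every administrative unit scoped assignment, and flags the ones that cannot function. The "/<object-id>" form for single-object scope and all ids, names and records are constructed assumptions.

```python
"""Audit Azure AD role assignments by directoryScopeId (added example, not Microsoft's code).

Each record carries principalId, roleDefinitionId and directoryScopeId. "/" is tenant
scope and "/administrativeUnits/<au-id>" is administrative unit scope, as built on the
page; the "/<object-id>" single-object form is an assumption. All data is constructed.
"""

# Constructed role definitions; the ids are placeholders, not real role template ids.
ROLE_DEFINITIONS = {
    "role-helpdesk": "Helpdesk Administrator",
    "role-groups": "Groups Administrator",
    "role-dirreaders": "Directory Readers",
    "role-global": "Global Administrator",
}
# Tenant-wide roles that carry the directory read permission the page says a
# service principal or guest needs before an AU-scoped assignment is usable.
TENANT_READ_ROLES = {"Directory Readers", "Global Administrator"}

ADMIN_UNITS = {"au-seattle": "Seattle Store", "au-berlin": "Berlin Store"}

# Constructed principals: "kind" separates users from service principals and
# userType "Guest" marks a guest user.
PRINCIPALS = {
    "p-alice": {"kind": "user", "displayName": "Alice", "userType": "Member"},
    "p-bob": {"kind": "user", "displayName": "Bob (guest)", "userType": "Guest"},
    "p-bot1": {"kind": "servicePrincipal", "displayName": "HelpdeskBot", "userType": None},
    "p-bot2": {"kind": "servicePrincipal", "displayName": "ReaderBot", "userType": None},
}

# Constructed assignments. ReaderBot also holds Directory Readers at tenant scope;
# HelpdeskBot and Bob do not, so their AU-scoped assignments cannot function.
ASSIGNMENTS = [
    {"principalId": "p-alice", "roleDefinitionId": "role-helpdesk",
     "directoryScopeId": "/administrativeUnits/au-seattle"},
    {"principalId": "p-bob", "roleDefinitionId": "role-helpdesk",
     "directoryScopeId": "/administrativeUnits/au-berlin"},
    {"principalId": "p-bot1", "roleDefinitionId": "role-groups",
     "directoryScopeId": "/administrativeUnits/au-seattle"},
    {"principalId": "p-bot2", "roleDefinitionId": "role-groups",
     "directoryScopeId": "/administrativeUnits/au-berlin"},
    {"principalId": "p-bot2", "roleDefinitionId": "role-dirreaders", "directoryScopeId": "/"},
    {"principalId": "p-alice", "roleDefinitionId": "role-global", "directoryScopeId": "/"},
]


def classify_scope(directory_scope_id):
    """Return ("tenant", None), ("administrativeUnit", au_id) or ("object", object_id)."""
    if directory_scope_id == "/":
        return ("tenant", None)
    au_prefix = "/administrativeUnits/"
    if directory_scope_id.startswith(au_prefix):
        au_id = directory_scope_id[len(au_prefix):]
        if not au_id:
            raise ValueError(f"empty administrative unit id in {directory_scope_id!r}")
        return ("administrativeUnit", au_id)
    if directory_scope_id.startswith("/") and len(directory_scope_id) > 1:
        return ("object", directory_scope_id[1:])  # assumed single-object form
    raise ValueError(f"unexpected directoryScopeId: {directory_scope_id!r}")


def tenant_read_principals(assignments, role_definitions):
    """Principal ids holding, at tenant scope, a role that includes directory read."""
    readers = set()
    for a in assignments:
        kind, _ = classify_scope(a["directoryScopeId"])
        if kind == "tenant" and role_definitions.get(a["roleDefinitionId"]) in TENANT_READ_ROLES:
            readers.add(a["principalId"])
    return readers


def needs_tenant_read(principal):
    """Service principals and guest users get no directory read permission by default."""
    return principal["kind"] == "servicePrincipal" or principal.get("userType") == "Guest"


def audit_scoped_assignments(assignments, principals, role_definitions, admin_units):
    """Return (inventory, findings) over the administrative-unit-scoped assignments.

    inventory lists every AU-scoped assignment for least-privilege review; findings
    is the subset whose principal is a service principal or guest with no tenant-wide
    read role, which the page says leaves the assignment unusable.
    """
    readers = tenant_read_principals(assignments, role_definitions)
    inventory, findings = [], []
    for a in assignments:
        kind, target = classify_scope(a["directoryScopeId"])
        if kind != "administrativeUnit":
            continue
        principal = principals[a["principalId"]]
        entry = {
            "administrativeUnit": admin_units.get(target, target),
            "role": role_definitions.get(a["roleDefinitionId"], a["roleDefinitionId"]),
            "principal": principal["displayName"],
        }
        inventory.append(entry)
        if needs_tenant_read(principal) and a["principalId"] not in readers:
            findings.append({**entry, "issue": "no tenant-wide directory read role; "
                             "AU-scoped assignment will not be usable"})
    return inventory, findings


if __name__ == "__main__":
    inventory, findings = audit_scoped_assignments(
        ASSIGNMENTS, PRINCIPALS, ROLE_DEFINITIONS, ADMIN_UNITS)
    for row in inventory:
        print(f"{row['administrativeUnit']:<14} {row['role']:<24} {row['principal']}")
    for f in findings:
        print(f"FINDING: {f['principal']} ({f['role']} on {f['administrativeUnit']}): {f['issue']}")
```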
Next steps
Use Azure AD groups to manage role assignments
Troubleshoot Azure AD roles assigned to groups
Delegate app registration permissions in Azure Active Directory
Article • 08/21/2022 • 5 minutes to read
This article describes how to use permissions granted by custom roles in Azure Active
Directory (Azure AD) to address your application management needs. In Azure AD, you
can delegate Application creation and management permissions in the following ways:
Restricting who can create applications and manage the applications they create.
By default in Azure AD, all users can register applications and manage all aspects
of applications they create. This can be restricted to only allow selected people
that permission.
Assigning one or more owners to an application. This is a simple way to grant
someone the ability to manage all aspects of Azure AD configuration for a specific
application.
Assigning a built-in administrative role that grants access to manage configuration
in Azure AD for all applications. This is the recommended way to grant IT experts
access to manage broad application configuration permissions without granting
access to manage other parts of Azure AD not related to application configuration.
Creating a custom role defining very specific permissions and assigning it to
someone either to the scope of a single application as a limited owner, or at the
directory scope (all applications) as a limited administrator.
It's important to consider granting access using one of the above methods for two
reasons. First, delegating the ability to perform administrative tasks reduces Global
Administrator overhead. Second, using limited permissions improves your security
posture and reduces the potential for unauthorized access. For guidelines about role
security planning, see Securing privileged access for hybrid and cloud deployments in
Azure AD.
Restrict who can create applications
By default in Azure AD, all users can register applications and manage all aspects of
applications they create. Everyone also has the ability to consent to apps accessing
company data on their behalf. You can choose to selectively grant those permissions by
setting the global switches to 'No' and adding the selected users to the Application
Developer role.
To disable the default ability to create application
registrations or consent to applications
1. Sign in to your Azure AD organization with an account that is eligible for the Global Administrator role in your Azure AD organization.
2. Set one or both of the following:
On the User settings page for your organization , set the Users can register
applications setting to No. This will disable the default ability for users to
create application registrations.
On the user settings for enterprise applications , set the Users can consent
to applications accessing company data on their behalf setting to No. This
will disable the default ability for users to consent to applications accessing
company data on their behalf.
Grant individual permissions to create and consent to
applications when the default ability is disabled
Assign the Application Developer role to grant the ability to create application
registrations when the Users can register applications setting is set to No. This role also
grants permission to consent on one's own behalf when the Users can consent to apps
accessing company data on their behalf setting is set to No.
Assign application owners
Assigning owners is a simple way to grant the ability to manage all aspects of Azure AD
configuration for a specific application registration or enterprise application. For more
information, see Assign enterprise application owners.
Assign built-in application admin roles
Azure AD has a set of built-in admin roles for granting access to manage configuration
in Azure AD for all applications. These roles are the recommended way to grant IT
experts access to manage broad application configuration permissions without granting
access to manage other parts of Azure AD not related to application configuration.
Application Administrator: Users in this role can create and manage all aspects of
enterprise applications, application registrations, and application proxy settings.
This role also grants the ability to consent to delegated permissions, and
application permissions excluding Microsoft Graph. Users assigned to this role are
not added as owners when creating new application registrations or enterprise
applications.
Cloud Application Administrator: Users in this role have the same permissions as
the Application Administrator role, excluding the ability to manage application
proxy. Users assigned to this role are not added as owners when creating new
application registrations or enterprise applications.
For more information and to view the description for these roles, see Azure AD built-in
roles.
Follow the instructions in the Assign roles to users with Azure Active Directory how-to
guide to assign the Application Administrator or Cloud Application Administrator roles.
Important
Application Administrators and Cloud Application Administrators can add
credentials to an application and use those credentials to impersonate the
application’s identity. The application may have permissions that are an elevation of
privilege over the admin role's permissions. An admin in this role could potentially
create or update users or other objects while impersonating the application,
depending on the application's permissions. Neither role grants the ability to
manage Conditional Access settings.
Create and assign a custom role (preview)
Creating custom roles and assigning custom roles are separate steps:
Create a custom role definition and add permissions to it from a preset list. These
are the same permissions used in the built-in roles.
Create a role assignment to assign the custom role.
This separation allows you to create a single role definition and then assign it many times at different scopes. A custom role can be assigned at organization-wide scope, or it can be assigned at the scope of a single Azure AD object. An example of an object scope is a single app registration. Using different scopes, the same role definition can be assigned to Sally over all app registrations in the organization and then to Naveen over only the Contoso Expense Reports app registration.
Tips when creating and using custom roles for delegating application management:
Custom roles only grant access in the most current app registration blades of the
Azure portal. They do not grant access in the legacy app registrations blades.
Custom roles do not grant access to the Azure portal when the “Restrict access to
Azure AD administration portal” user setting is set to Yes.
App registrations the user has access to using role assignments only show up in
the ‘All applications’ tab on the App registration page. They do not show up in the
‘Owned applications’ tab.
For more information on the basics of custom roles, see the custom roles overview, as
well as how to create a custom role and how to assign a role.
Next steps
Application registration subtypes and permissions
Azure AD built-in roles
Manage your users with My Staff
Article • 01/05/2023 • 5 minutes to read
My Staff enables you to delegate permissions to a figure of authority, such as a store
manager or a team lead, to ensure that their staff members are able to access their
Azure AD accounts. Instead of relying on a central helpdesk, organizations can delegate
common tasks such as resetting passwords or changing phone numbers to a local team
manager. With My Staff, a user who can't access their account can regain access in just a
couple of clicks, with no helpdesk or IT staff required.
Before you configure My Staff for your organization, we recommend that you review this
documentation as well as the user documentation to ensure you understand how it
works and how it impacts your users. You can leverage the user documentation to train
and prepare your users for the new experience and help to ensure a successful rollout.
How My Staff works
My Staff is based on administrative units, which are a container of resources which can
be used to restrict the scope of a role assignment's administrative control. For more
information, see Administrative units management in Azure Active Directory. In My Staff,
administrative units can be used to contain a group of users in a store or department. A
team manager can then be assigned to an administrative role at a scope of one or more
units.
Before you begin
To complete this article, you need the following resources and privileges:
An active Azure subscription.
If you don't have an Azure subscription, create an account .
An Azure Active Directory tenant associated with your subscription.
If needed, create an Azure Active Directory tenant or associate an Azure
subscription with your account.
You need Global Administrator privileges in your Azure AD tenant to enable SMS-based authentication.
Each user who's enabled in the text message authentication method policy must
be licensed, even if they don't use it. Each enabled user must have one of the
following Azure AD or Microsoft 365 licenses:
Azure AD Premium P1 or P2
Microsoft 365 F1 or F3
Enterprise Mobility + Security (EMS) E3 or E5 or Microsoft 365 E3 or E5
How to enable My Staff
Once you have configured administrative units, you can apply this scope to your users
who access My Staff. Only users who are assigned an administrative role can access My
Staff. To enable My Staff, complete the following steps:
1. Sign in to the Azure portal or Azure AD admin center as a Global
Administrator, User Administrator, or Group Administrator.
2. Select Azure Active Directory > User settings > User feature > Manage user
feature settings.
3. Under Administrators can access My Staff, you can choose to enable for all users,
selected users, or no user access.
Note
Only users who've been assigned an admin role can access My Staff. If you enable
My Staff for a user who is not assigned an admin role, they won't be able to access
My Staff.
Conditional access
You can protect the My Staff portal using Azure AD Conditional Access policy. Use it for
tasks like requiring multi-factor authentication before accessing My Staff.
We strongly recommend that you protect My Staff using Azure AD Conditional Access
policies. To apply a Conditional Access policy to My Staff, you must first visit the My Staff
site once for a few minutes to automatically provision the service principal in your
tenant for use by Conditional Access.
You'll see the service principal when you create a Conditional Access policy that applies
to the My Staff cloud application.
Using My Staff
When a user goes to My Staff, they are shown the names of the administrative units
over which they have administrative permissions. In the My Staff user documentation,
we use the term "location" to refer to administrative units. If an administrator's
permissions do not have an administrative unit scope, the permissions apply across the
organization. After My Staff has been enabled, the users who are enabled and have
been assigned an administrative role can access it through
[Link] . They can select an administrative unit to view the users
in that unit, and select a user to open their profile.
Reset a user's password
Before you can reset passwords for on-premises users, you must fulfill the following
prerequisite conditions. For detailed instructions, see Enable self-service password reset
tutorial.
Configure permissions for password writeback
Enable password writeback in Azure AD Connect
Enable password writeback in Azure AD self-service password reset (SSPR)
The following roles have permission to reset a user's password:
Authentication Administrator
Privileged Authentication Administrator
Global Administrator
Helpdesk Administrator
User Administrator
Password Administrator
From My Staff, open a user's profile. Select Reset password.
If the user is cloud-only, you can see a temporary password that you can give to
the user.
If the user is synced from on-premises Active Directory, you can enter a password
that meets your on-premises AD policies. You can then give that password to the
user.
The user is required to change their password the next time they sign in.
Manage a phone number
From My Staff, open a user's profile.
Select Add phone number section to add a phone number for the user
Select Edit phone number to change the phone number
Select Remove phone number to remove the phone number for the user
Depending on your settings, the user can then use the phone number you set up to sign
in with SMS, perform multi-factor authentication, and perform self-service password
reset.
To manage a user's phone number, you must be assigned one of the following roles:
Authentication Administrator
Privileged Authentication Administrator
Global Administrator
Search
You can search for administrative units and users in your organization using the search
bar in My Staff. You can search across all administrative units and users in your
organization, but you can only make changes to users who are in an administrative unit
over which you have been given admin permissions.
Audit logs
You can view audit logs for actions taken in My Staff in the Azure Active Directory portal.
If an audit log was generated by an action taken in My Staff, you will see this indicated
under ADDITIONAL DETAILS in the audit event.
Next steps
My Staff user documentation
Administrative units documentation
Troubleshoot Azure AD roles assigned to groups
FAQ
Here are some common questions and troubleshooting tips for assigning Azure Active
Directory (Azure AD) roles to Azure AD groups.
I'm a Groups Administrator but I can't see the 'Azure AD roles can be assigned to the group' switch.
Only Privileged Role Administrators or Global Administrators can create a group that's
eligible for role assignment. Only users in those roles see this control.
Who can modify the membership of groups that are assigned to Azure AD roles?
By default, only Privileged Role Administrator and Global Administrator manage the
membership of a role-assignable group, but you can delegate the management of role-
assignable groups by adding group owners.
I am a Helpdesk Administrator in my organization but I can't update the password of a user who is a Directory Reader. Why does that happen?
The user might have gotten Directory Readers by way of a role-assignable group. All
members and owners of role-assignable groups are protected. Only users in the
Privileged Authentication Administrator or Global Administrator roles can reset
credentials for a protected user.
I can't update the password of a user. They don't have any higher privileged role assigned. Why is it happening?
The user could be an owner of a role-assignable group. We protect owners of role-
assignable groups to avoid elevation of privilege. An example might be if a group
Contoso_Security_Admins is assigned to the Security Administrator role, where Bob is the
group owner and Alice is a Password Administrator in the organization. If this protection
weren't present, Alice could reset Bob's credentials and take over his identity. After that,
Alice could add herself or anyone else to the Contoso_Security_Admins group to
become a Security Administrator in the organization. To find out if a user is a group
owner, get the list of owned objects of that user and see if any of the groups have
isAssignableToRole set to true. If yes, then that user is protected and the behavior is by
design. Refer to this documentation for getting owned objects:
Get-AzureADUserOwnedObject
List ownedObjects
Can I create an access review on groups that can be assigned to Azure AD roles (specifically, groups with the isAssignableToRole property set to true)?
Yes, you can. Global Administrators and Privileged Role Administrators can create access
reviews on role-assignable groups.
Can I create an access package and put groups that can be assigned to Azure AD roles in it?
Yes, you can. Global Administrator and User Administrator have the power to put any
group in an access package. Nothing changes for Global Administrator, but there's a
slight change in User Administrator role permissions. To put a role-assignable group
into an access package, you must be a User Administrator and also an owner of the role-
assignable group. Here's the full table showing who can create an access package in
Enterprise License Management:
| Azure AD directory role | Entitlement management role | Can add security group* | Can add Microsoft 365 group* | Can add app | Can add SharePoint Online site |
| --- | --- | --- | --- | --- | --- |
| Global Administrator | n/a | ✔️ | ✔️ | ✔️ | ✔️ |
| User Administrator | n/a | ✔️ | ✔️ | ✔️ | |
| Intune Administrator | Catalog owner | ✔️ | ✔️ | | |
| Exchange Administrator | Catalog owner | | ✔️ | | |
| Teams service Administrator | Catalog owner | | ✔️ | | |
| SharePoint Administrator | Catalog owner | | ✔️ | | ✔️ |
| Application Administrator | Catalog owner | | | ✔️ | |
| Cloud application Administrator | Catalog owner | | | ✔️ | |
| User | Catalog owner | Only if group owner | Only if group owner | Only if app owner | |
*Group isn't role-assignable; that is, isAssignableToRole = false. If a group is role-
assignable, then the person creating the access package must also be owner of the role-
assignable group.
I can't find the "Remove assignment" option in "Assigned Roles". How do I delete a role assignment to a user?
This answer is applicable only to Azure AD Premium P1 organizations.
1. Sign in to the Azure portal or Azure AD admin center and open Azure Active
Directory.
2. Select users and open a user profile.
3. Select Assigned roles.
4. Select the gear icon. A pane opens that can give this information. There's a
"Remove" button beside direct assignments. To remove indirect role assignment,
remove the user from the group that has been assigned the role.
How do I see all groups that are role-assignable?
Follow these steps:
1. Sign in to the Azure portal or Azure AD admin center and open Azure Active
Directory.
2. Select Groups > All groups.
3. Select Add filters.
4. Filter to Role assignable.
How do I know which roles are assigned to a principal directly and indirectly?
Follow these steps:
1. Sign in to the Azure portal or Azure AD admin center and open Azure Active
Directory.
2. Select users and open a user profile.
3. Select Assigned roles, and then:
In Azure AD Premium P1 licensed organizations: Select the gear icon. A pane
opens that can give this information.
In Azure AD Premium P2 licensed organizations: You'll find direct and
inherited license information in the Membership column.
Why do we enforce creating a new group for assigning it to a role?
If you assign an existing group to a role, the existing group owner could add other
members to this group without the new members realizing that they'll have the role.
Because role-assignable groups are powerful, we're putting lots of restrictions to protect
them. You don't want changes to the group that would be surprising to the person
managing the group.
Next steps
Use Azure AD groups to manage role assignments
Create a role-assignable group
Azure AD administrative units: Troubleshooting and FAQ
FAQ
For more granular administrative control in Azure Active Directory (Azure AD), you can
assign users to an Azure AD role with a scope that's limited to one or more
administrative units. For sample PowerShell scripts for common tasks, see Work with
administrative units.
General
Why am I unable to create an administrative unit?
Only a Global Administrator or Privileged Role Administrator can create an administrative
unit in Azure AD. Check to ensure that the user who's trying to create the administrative
unit is assigned either the Global Administrator or Privileged Role Administrator role.
I added a group to an administrative unit. Why are the group members still not showing up there?
When you add a group to an administrative unit, that does not result in all the group's
members being added to it. Users must be directly assigned to the administrative unit.
I just added (or removed) a member of the administrative unit. Why is the member not showing up (or still showing up) on the user interface?
Sometimes, the addition or removal of one or more members of an administrative unit
might take a few minutes to be reflected on the Administrative units pane.
Alternatively, you can go directly to the associated resource's properties and see
whether the action has been completed. For more information about members in
administrative units, see List users, groups, or devices in an administrative unit.
I am a delegated Password Administrator on an administrative unit. Why am I unable to reset a specific user's password?
As an administrator of an administrative unit, you can reset passwords only for users
who are assigned to your administrative unit. Make sure that the user whose password
reset is failing belongs to the administrative unit to which you've been assigned. If the
user belongs to the same administrative unit but you still can't reset the user's
password, check the roles that are assigned to the user.
To prevent an elevation of privilege, an administrative unit-scoped administrator can't
reset the password of a user who's assigned to a role with an organization-wide scope.
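The group-owner protection from the earlier FAQ ("I can't update the password of a user") and the administrative-unit scope rules in this answer, modelled together in one added Python example; this is not Azure AD's implementation or Microsoft's code, it encodes only the rules these FAQs state, and the user names, unit identifiers and Graph-shaped group objects are constructed.

```python
"""Model of the password-reset protections described in the Azure AD role FAQs.

Added illustration only, not Azure AD's implementation: it encodes the rules the
FAQs state (members and owners of role-assignable groups are protected; an
administrative-unit-scoped administrator may reset passwords only for users in that
unit, and never for a user holding an organization-wide role) over constructed
sample data shaped like Microsoft Graph directory objects.
"""
from dataclasses import dataclass, field
from typing import Optional

# Roles the page lists as able to reset a user's password.
RESET_ROLES = {
    "Authentication Administrator", "Privileged Authentication Administrator",
    "Global Administrator", "Helpdesk Administrator", "User Administrator",
    "Password Administrator",
}
# Roles the FAQ says may reset credentials of a protected user.
PROTECTED_RESET_ROLES = {"Privileged Authentication Administrator", "Global Administrator"}


@dataclass
class RoleAssignment:
    role: str
    admin_unit: Optional[str] = None  # None means organization-wide scope


@dataclass
class User:
    upn: str
    admin_units: set = field(default_factory=set)       # units the user belongs to
    roles: list = field(default_factory=list)           # RoleAssignment objects
    owned_objects: list = field(default_factory=list)   # Graph-shaped ownedObjects
    member_of: list = field(default_factory=list)       # Graph-shaped memberOf


def role_assignable_groups(objects):
    """Names of role-assignable groups among Graph-shaped directory objects."""
    return sorted(
        o["displayName"] for o in objects
        if o.get("@odata.type") == "#microsoft.graph.group"
        and o.get("isAssignableToRole") is True
    )


def is_protected(user):
    """A user who owns or belongs to any role-assignable group is protected."""
    return bool(role_assignable_groups(user.owned_objects + user.member_of))


def can_reset_password(actor, target):
    """Return (allowed, reason) for actor resetting target's password."""
    usable = [a for a in actor.roles if a.role in RESET_ROLES]
    if not usable:
        return False, "actor holds no role that can reset passwords"
    if not any(a.admin_unit is None for a in usable):
        # Every usable assignment is scoped to an administrative unit.
        in_scope = [a for a in usable if a.admin_unit in target.admin_units]
        if not in_scope:
            return False, "target is not in an administrative unit the actor administers"
        if any(r.admin_unit is None for r in target.roles):
            return False, "unit-scoped admin cannot reset a user with an organization-wide role"
        usable = in_scope
    if is_protected(target) and not any(a.role in PROTECTED_RESET_ROLES for a in usable):
        return False, "target is a member or owner of a role-assignable group"
    return True, "allowed"


# Constructed sample data mirroring the FAQ's Contoso example (hypothetical tenant).
SEC_ADMINS = {"@odata.type": "#microsoft.graph.group",
              "displayName": "Contoso_Security_Admins", "isAssignableToRole": True}
BOB = User("bob@contoso.example", owned_objects=[SEC_ADMINS])
ALICE = User("alice@contoso.example", roles=[RoleAssignment("Password Administrator")])
CAROL = User("carol@contoso.example",
             roles=[RoleAssignment("Privileged Authentication Administrator")])
DAVE = User("dave@contoso.example",
            roles=[RoleAssignment("Password Administrator", admin_unit="store-42")])
ERIN = User("erin@contoso.example", admin_units={"store-42"})
FRANK = User("frank@contoso.example", admin_units={"store-42"},
             roles=[RoleAssignment("Helpdesk Administrator")])
GINA = User("gina@contoso.example", admin_units={"store-7"})

if __name__ == "__main__":
    for actor, target in [(ALICE, BOB), (CAROL, BOB), (DAVE, ERIN), (DAVE, FRANK), (DAVE, GINA)]:
        allowed, why = can_reset_password(actor, target)
        print(f"{actor.upn} -> {target.upn}: {'allowed' if allowed else 'denied'} ({why})")
```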
Why are administrative units necessary? Couldn't we have used security groups as the way to define a scope?
Security groups have an existing purpose and authorization model. A User
Administrator, for example, can manage membership of all security groups in the Azure
AD organization. The role might use groups to manage access to applications such as
Salesforce. A User Administrator should not be able to manage the delegation model
itself, which would be the result if security groups were extended to support "resource
grouping" scenarios.
Administrative units, like organizational units in Windows Server Active Directory,
are intended to provide a way to scope administration of a wide range of directory
objects. Security groups themselves can be members of resource scopes. Using security
groups to define the set of security groups that an administrator can manage could
become confusing.
What does it mean to add a group to an administrative unit?
Adding a group to an administrative unit brings the group itself into the management
scope of the administrative unit, but not the members of the group. For more
information, see Administrative units in Azure Active Directory.
Can a resource (user, group, or device) be a member of more than one administrative unit?
Yes, a resource can be a member of more than one administrative unit. The resource can
be managed by all organization-wide and administrative unit-scoped administrators
who have permissions over the resource.
Are administrative units available in B2C organizations?
No, administrative units are not available for B2C organizations.
Are nested administrative units supported?
No, nested administrative units are not supported.
Are administrative units supported in PowerShell and the Graph API?
Yes. You'll find support for administrative units in PowerShell cmdlet documentation and
sample scripts.
Find support for the administrativeUnit resource type in Microsoft Graph.
Dynamic administrative units (Preview)
I just saved a dynamic membership rule for an administrative unit, but I don't see any users populated yet.
The initial update of an administrative unit can take a few minutes depending on your
tenant size and the current Azure AD load.
After creating a dynamic membership rule in the Azure portal using the rule builder and attempting to save, I get the error "Failed to update administrative unit properties".
This usually means there is a problem with the supplied property values. Confirm that
the property values you have supplied have a proper value type (Boolean, string, or
string collection). For more information, see the allowed values for each operator for
users or devices.
This error can also result if a person without an Azure AD Premium P1 license attempts
to save an update to the administrative unit.
How can I add a single member to an administrative unit in addition to the current dynamic membership rule?
To add a single user, add an appropriate expression with the OR query operator to the
dynamic membership rule.
I am a Global Administrator, but I can't add or remove members for an administrative unit.
When an administrative unit has been configured for dynamic membership, you must
edit the dynamic membership rules to change membership.
How many administrative units with dynamic membership rules can I create in a tenant?
For the preview, the total number of dynamic groups and dynamic administrative units
combined cannot exceed 5,000.
Is there a limit to the number of characters in a dynamic membership rule?
Yes. 3,072 characters.
Can I create administrative units with dynamic membership rules in the Microsoft 365 admin center?
No.
Next steps
Restrict scope for roles by using administrative units
Create or delete administrative units
Find help and get support for Azure Active Directory
Article • 09/23/2022 • 5 minutes to read
Microsoft documentation and learning content provide quality support and
troubleshooting information, but if you have a problem not covered in our content,
there are several options to get help and support for Azure Active Directory (Azure AD).
This article provides the options to find support from the Microsoft community and how
to submit a support request with Microsoft.
Ask the Microsoft community
Start with our Microsoft community members who may have an answer to your
question. These communities provide support, feedback, and general discussions on
Microsoft products and services. Before creating a support request, check out the
following resources for answers and information.
For how-to information, quickstarts, or code samples for IT professionals and
developers, see the technical documentation at [Link].
Post a question to Microsoft Q&A to get answers to your identity and access
questions directly from Microsoft engineers, Azure Most Valuable Professionals
(MVPs) and members of our expert community.
The Microsoft Technical Community is the place for our IT pro partners and
customers to collaborate, share, and learn. Join the community to post questions
and submit your ideas.
The Microsoft Technical Community Info Center is used for announcements, blog
posts, ask-me-anything (AMA) interactions with experts, and more.
Microsoft Q&A best practices
Microsoft Q&A is Azure's recommended source for community support. We recommend
using one of the following tags when posting a question. Check out our tips for writing
quality questions.
| Component/area | Tags |
| --- | --- |
| Microsoft Authentication Library (MSAL) | [msal] |
| Open Web Interface for .NET (OWIN) middleware | [azure-active-directory] |
| Azure AD B2B / External Identities | [azure-ad-b2b] |
| Azure AD B2C | [azure-ad-b2c] |
| Microsoft Graph API | [azure-ad-graph] |
| All other authentication and authorization areas | [azure-active-directory] |
Open a support request in Azure Active Directory
If you're unable to find answers by using self-help resources, you can open an online
support request. You should open a support request for only a single problem, so that
we can connect you to the support engineers who are subject matter experts for your
problem. Azure AD engineering teams prioritize their work based on incidents that are
generated from support, so you're often contributing to service improvements.
Support is available online and by phone for Microsoft Azure paid and trial subscriptions
on global technical, pre-sales, billing, and subscription issues. Phone support and online
billing support are available in additional languages.
Explore the range of Azure support options and choose the plan that best fits your
scenario, whether you're an IT admin managing your organization's tenant, a developer
just starting your cloud journey, or a large organization deploying business-critical,
strategic applications. Azure customers can create and manage support requests in the
Azure portal.
If you already have an Azure Support Plan, open a support request here.
If you're not an Azure customer, you can open a support request with Microsoft
Support for business.
Note
If you're using Azure AD B2C, open a support ticket by first switching to an Azure
AD tenant that has an Azure subscription associated with it. Typically, this is your
employee tenant or the default tenant created for you when you signed up for an
Azure subscription. To learn more, see how an Azure subscription is related to
Azure AD.
1. Sign in to the Azure portal and open Azure Active Directory.
2. Scroll down to Troubleshooting + Support and select New support request.
3. Follow the prompts to provide us with information about the problem you're
having.
We'll walk you through some steps to gather information about your problem and help
you solve it. Each step is described in the following sections.
1. Problem description
1. Under Problem description, enter a brief description in the Summary field.
2. Select an Issue type.
Options are Billing and Subscription management. Once an option is selected,
Problem type and Problem subtype fields appear, pre-populated with options
associated with the initial selection.
3. Select Next at the bottom of the page.
2. Recommended solution
Based on the information you provided, we'll show you recommended solutions you can
try to resolve the problem. Solutions are written by Azure engineers and will solve the
most common problems.
If you're still unable to resolve the issue, select Next to continue creating the support
request.
3. Additional details
Next, we collect more details about the problem. Providing thorough and detailed
information in this step helps us route your support request to the right engineer.
1. Complete the Problem details section so that we have more information about
your issue. If possible, tell us when the problem started and any steps to reproduce
it. You can upload a file, such as a log file or output from diagnostics. For more
information on file uploads, see File upload guidelines.
2. In the Advanced diagnostic information section, select Yes or No.
Selecting Yes allows Azure support to gather advanced diagnostic
information from your Azure resources.
If you prefer not to share this information, select No. For more information
about the types of files we might collect, see Advanced diagnostic
information logs section.
In some scenarios, an administrator in your tenant may need to approve
Microsoft Support access to your Azure Active Directory identity data.
3. In the Support method section, select your preferred contact method and support
language.
Some details are pre-selected for you.
The support plan and severity are populated based on your plan.
The maximum severity level depends on your support plan.
4. Next, complete the Contact info section so we know how to contact you.
Select Next when you've completed all of the necessary information.
4. Review + create
Before you create your request, review all of the details that you'll send to support. You
can select Previous to return to any tab if you need to make changes. When you're
satisfied the support request is complete, select Create.
A support engineer will contact you using the method you indicated. For information
about initial response times, see Support scope and responsiveness.
Get Microsoft 365 admin center support
Support for Azure AD in the Microsoft 365 admin center is offered for administrators
through the admin center. Review the support for Microsoft 365 for business article.
Stay informed
Things can change quickly. The following resources provide updates and information on
the latest releases.
Azure Updates: Learn about important product updates, roadmap, and
announcements.
What's new in Azure AD: Get to know what's new in Azure AD including the latest
release notes, known issues, bug fixes, deprecated functionality, and upcoming
changes.
Azure Active Directory Identity Blog: Get news and information about Azure AD.
Next steps
Post a question to Microsoft Q&A
Join the Microsoft Technical Community
Learn about the diagnostic data Azure identity support can access
Azure AD built-in roles
Article • 01/10/2023 • 117 minutes to read
In Azure Active Directory (Azure AD), if another administrator or non-administrator
needs to manage Azure AD resources, you assign them an Azure AD role that provides
the permissions they need. For example, you can assign roles to allow adding or
changing users, resetting user passwords, managing user licenses, or managing domain
names.
This article lists the Azure AD built-in roles you can assign to allow management of
Azure AD resources. For information about how to assign roles, see Assign Azure AD
roles to users. If you are looking for roles to manage Azure resources, see Azure built-in
roles.
All roles
Role Description Template ID
Application Administrator Can create and manage all 9b895d92-2cd3-44c7-9d02-
aspects of app registrations a6ac2d5ea5c3
and enterprise apps.
Application Developer Can create application cf1c38e5-3621-4004-a7cb-
registrations independent of 879624dced7c
the 'Users can register
applications' setting.
Attack Payload Author Can create attack payloads 9c6df0f2-1e7c-4dc3-b195-
that an administrator can 66dfbd24aa8f
initiate later.
Attack Simulation Can create and manage all c430b396-e693-46cc-96f3-
Administrator aspects of attack simulation db01bf8bb62a
campaigns.
Attribute Assignment Assign custom security 58a13ea3-c632-46ae-9ee0-
Administrator attribute keys and values to 9c0d43cd7f3d
supported Azure AD objects.
Attribute Assignment Reader Read custom security attribute ffd52fa5-98dc-465c-991d-
keys and values for supported fc073eb59f8f
Azure AD objects.
Role Description Template ID
Attribute Definition Define and manage the 8424c6f0-a189-499e-bbd0-
Administrator definition of custom security 26c1753c96d4
attributes.
Attribute Definition Reader Read the definition of custom 1d336d2c-4ae8-42ef-9711-
security attributes. b3604ce3fc2c
Authentication Administrator Can access to view, set and c4e39bd9-1100-46d3-8c65-
reset authentication method fb160da0071f
information for any non-admin
user.
Authentication Policy Can create and manage the 0526716b-113d-4c15-b2c8-
Administrator authentication methods policy, 68e3c22b9f80
tenant-wide MFA settings,
password protection policy,
and verifiable credentials.
Azure AD Joined Device Local Users assigned to this role are 9f06204d-73c1-4d4c-880a-
Administrator added to the local 6edb90606fd8
administrators group on Azure
AD-joined devices.
Azure DevOps Administrator Can manage Azure DevOps e3973bdf-4987-49ae-837a-
policies and settings. ba8e231c7286
Azure Information Protection Can manage all aspects of the 7495fdc4-34c4-4d15-a289-
Administrator Azure Information Protection 98788ce399fd
product.
B2C IEF Keyset Administrator Can manage secrets for aaf43236-0c0d-4d5f-883a-
federation and encryption in 6955382ac081
the Identity Experience
Framework (IEF).
B2C IEF Policy Administrator Can create and manage trust 3edaf663-341e-4475-9f94-
framework policies in the 5c398ef6c070
Identity Experience Framework
(IEF).
Billing Administrator Can perform common billing b0f54661-2d74-4c50-afa3-
related tasks like updating 1ec803f12efe
payment information.
Cloud App Security Can manage all aspects of the 892c5842-a9a6-463a-8041-
Administrator Defender for Cloud Apps 72aa08ca3cf6
product.
Role Description Template ID
Cloud Application Can create and manage all 158c047a-c907-4556-b7ef-
Administrator aspects of app registrations 446551a6b5f7
and enterprise apps except
App Proxy.
Cloud Device Administrator Limited access to manage 7698a772-787b-4ac8-901f-
devices in Azure AD. 60d6b08affd2
Compliance Administrator Can read and manage 17315797-102d-40b4-93e0-
compliance configuration and 432062caca18
reports in Azure AD and
Microsoft 365.
Compliance Data Creates and manages e6d1a23a-da11-4be4-9570-
Administrator compliance content. befc86d067a7
Conditional Access Can manage Conditional b1be1c3e-b65d-4f19-8427-
Administrator Access capabilities. f6fa0d97feb9
Customer LockBox Access Can approve Microsoft 5c4f9dcd-47dc-4cf7-8c9a-
Approver support requests to access 9e4207cbfc91
customer organizational data.
Desktop Analytics Can access and manage 38a96431-2bdf-4b4c-8b6e-
Administrator Desktop management tools 5d3d8abac1a4
and services.
Directory Readers Can read basic directory 88d8e3e3-8f55-4a1e-953a-
information. Commonly used 9b9898b8876b
to grant directory read access
to applications and guests.
Directory Synchronization Only used by Azure AD d29b2b05-8046-44ba-8758-
Accounts Connect service. 1e26182fcf32
Directory Writers Can read and write basic 9360feb5-f418-4baa-8175-
directory information. For e2a00bac4301
granting access to
applications, not intended for
users.
Domain Name Administrator Can manage domain names in 8329153b-31d0-4727-b945-
cloud and on-premises. 745eb3bc5f31
Dynamics 365 Administrator Can manage all aspects of the 44367163-eba1-44c3-98af-
Dynamics 365 product. f5787879f96a
Edge Administrator Manage all aspects of 3f1acade-1e04-4fbc-9b69-
Microsoft Edge. f0302cd84aef
Role Description Template ID
Exchange Administrator Can manage all aspects of the 29232cdf-9323-42fd-ade2-
Exchange product. 1d097af3e4de
Exchange Recipient Can create or update 31392ffb-586c-42d1-9346-
Administrator Exchange Online recipients e59415a2cc4e
within the Exchange Online
organization.
External ID User Flow Can create and manage all 6e591065-9bad-43ed-90f3-
Administrator aspects of user flows. e9424366d2f0
External ID User Flow Attribute Can create and manage the 0f971eea-41eb-4569-a71e-
Administrator attribute schema available to 57bb8a3eff1e
all user flows.
External Identity Provider Can configure identity be2f45a1-457d-42af-a067-
Administrator providers for use in direct 6ec1fa63bc45
federation.
Global Administrator Can manage all aspects of 62e90394-69f5-4237-9190-
Azure AD and Microsoft 012177145e10
services that use Azure AD
identities.
Global Reader | Can read everything that a Global Administrator can, but not update anything. | f2ef992c-3afb-46b9-b7cf-a126ee74c451
Groups Administrator | Members of this role can create/manage groups, create/manage groups settings like naming and expiration policies, and view groups activity and audit reports. | fdd7a751-b60b-444a-984c-02652fe8fa1c
Guest Inviter | Can invite guest users independent of the 'members can invite guests' setting. | 95e79109-95c0-4d8e-aee3-d01accf2d47b
Helpdesk Administrator | Can reset passwords for non-administrators and Helpdesk Administrators. | 729827e3-9c14-49f7-bb1b-9608f156bbb8
Hybrid Identity Administrator | Can manage AD to Azure AD cloud provisioning, Azure AD Connect, Pass-through Authentication (PTA), Password hash synchronization (PHS), Seamless Single sign-on (Seamless SSO), and federation settings. | 8ac3fc64-6eca-42ea-9e69-59f4c7b60eb2
Identity Governance Administrator | Manage access using Azure AD for identity governance scenarios. | 45d8d3c5-c802-45c6-b32a-1d70b5e1e86e
Insights Administrator | Has administrative access in the Microsoft 365 Insights app. | eb1f4a8d-243a-41f0-9fbd-c7cdf6c5ef7c
Insights Analyst | Access the analytical capabilities in Microsoft Viva Insights and run custom queries. | 25df335f-86eb-4119-b717-0ff02de207e9
Insights Business Leader | Can view and share dashboards and insights via the Microsoft 365 Insights app. | 31e939ad-9672-4796-9c2e-873181342d2d
Intune Administrator | Can manage all aspects of the Intune product. | 3a2c62db-5318-420d-8d74-23affee5d9d5
Kaizala Administrator | Can manage settings for Microsoft Kaizala. | 74ef975b-6605-40af-a5d2-b9539d836353
Knowledge Administrator | Can configure knowledge, learning, and other intelligent features. | b5a8dcf3-09d5-43a9-a639-8e29ef291470
Knowledge Manager | Can organize, create, manage, and promote topics and knowledge. | 744ec460-397e-42ad-a462-8b3f9747a02c
License Administrator | Can manage product licenses on users and groups. | 4d6ac14f-3453-41d0-bef9-a3e0c569773a
Lifecycle Workflows Administrator | Create and manage all aspects of workflows and tasks associated with Lifecycle Workflows in Azure AD. | 59d46f88-662b-457b-bceb-5c3809e5908f
Message Center Privacy Reader | Can read security messages and updates in Office 365 Message Center only. | ac16e43d-7b2d-40e0-ac05-243ff356ab5b
Message Center Reader | Can read messages and updates for their organization in Office 365 Message Center only. | 790c1fb9-7f7d-4f88-86a1-ef1f95c05c1b
Microsoft Hardware Warranty Administrator | Create and manage all aspects of warranty claims and entitlements for Microsoft manufactured hardware, like Surface and HoloLens. | 1501b917-7653-4ff9-a4b5-203eaf33784f
Microsoft Hardware Warranty Specialist | Create and read warranty claims for Microsoft manufactured hardware, like Surface and HoloLens. | 281fe777-fb20-4fbb-b7a3-ccebce5b0d96
Modern Commerce User | Can manage commercial purchases for a company, department or team. | d24aef57-1500-4070-84db-2666f29cf966
Network Administrator | Can manage network locations and review enterprise network design insights for Microsoft 365 Software as a Service applications. | d37c8bed-0711-4417-ba38-b4abe66ce4c2
Office Apps Administrator | Can manage Office apps cloud services, including policy and settings management, and manage the ability to select, unselect and publish 'what's new' feature content to end-user's devices. | 2b745bdf-0803-4d80-aa65-822c4493daac
Organizational Messages Writer | Write, publish, manage, and review the organizational messages for end-users through Microsoft product surfaces. | 507f53e4-4e52-4077-abd3-d2e1558b6ea2
Partner Tier1 Support | Do not use - not intended for general use. | 4ba39ca4-527c-499a-b93d-d9b492c50246
Partner Tier2 Support | Do not use - not intended for general use. | e00e864a-17c5-4a4b-9c06-f5b95a8d5bd8
Password Administrator | Can reset passwords for non-administrators and Password Administrators. | 966707d0-3269-4727-9be2-8c3a10f19b9d
Permissions Management Administrator | Manage all aspects of Entra Permissions Management. | af78dc32-cf4d-46f9-ba4e-4428526346b5
Power BI Administrator | Can manage all aspects of the Power BI product. | a9ea8996-122f-4c74-9520-8edcd192826c
Power Platform Administrator | Can create and manage all aspects of Microsoft Dynamics 365, Power Apps and Power Automate. | 11648597-926c-4cf3-9c36-bcebb0ba8dcc
Printer Administrator | Can manage all aspects of printers and printer connectors. | 644ef478-e28f-4e28-b9dc-3fdde9aa0b1f
Printer Technician | Can register and unregister printers and update printer status. | e8cef6f1-e4bd-4ea8-bc07-4b8d950f4477
Privileged Authentication Administrator | Can view, set, and reset authentication method information for any user (admin or non-admin). | 7be44c8a-adaf-4e2a-84d6-ab2649e08a13
Privileged Role Administrator | Can manage role assignments in Azure AD, and all aspects of Privileged Identity Management. | e8611ab8-c189-46e8-94e1-60213ab1f814
Reports Reader | Can read sign-in and audit reports. | 4a5d8f65-41da-4de4-8968-e035b65339cf
Search Administrator | Can create and manage all aspects of Microsoft Search settings. | 0964bb5e-9bdb-4d7b-ac29-58e794862a40
Search Editor | Can create and manage the editorial content such as bookmarks, Q and As, locations, floorplan. | 8835291a-918c-4fd7-a9ce-faa49f0cf7d9
Security Administrator | Can read security information and reports, and manage configuration in Azure AD and Office 365. | 194ae4cb-b126-40b2-bd5b-6091b380977d
Security Operator | Creates and manages security events. | 5f2222b1-57c3-48ba-8ad5-d4759f1fde6f
Security Reader | Can read security information and reports in Azure AD and Office 365. | 5d6b6bb7-de71-4623-b4af-96380a352509
Service Support Administrator | Can read service health information and manage support tickets. | f023fd81-a637-4b56-95fd-791ac0226033
SharePoint Administrator | Can manage all aspects of the SharePoint service. | f28a1f50-f6e7-4571-818b-6a12f2af6b6c
Skype for Business Administrator | Can manage all aspects of the Skype for Business product. | 75941009-915a-4869-abe7-691bff18279e
Teams Administrator | Can manage the Microsoft Teams service. | 69091246-20e8-4a56-aa4d-066075b2a7a8
Teams Communications Administrator | Can manage calling and meetings features within the Microsoft Teams service. | baf37b3a-610e-45da-9e62-d9d1e5e8914b
Teams Communications Support Engineer | Can troubleshoot communications issues within Teams using advanced tools. | f70938a0-fc10-4177-9e90-2178f8765737
Teams Communications Support Specialist | Can troubleshoot communications issues within Teams using basic tools. | fcf91098-03e3-41a9-b5ba-6f0ec8188a12
Teams Devices Administrator | Can perform management related tasks on Teams certified devices. | 3d762c5a-1b6c-493f-843e-55a3b42923d4
Tenant Creator | Create new Azure AD or Azure AD B2C tenants. | 112ca1a2-15ad-4102-995e-45b0bc479a6a
Usage Summary Reports Reader | Can see only tenant level aggregates in Microsoft 365 Usage Analytics and Productivity Score. | 75934031-6c7e-415a-99d7-48dbd49e875e
User Administrator | Can manage all aspects of users and groups, including resetting passwords for limited admins. | fe930be7-5e62-47db-91af-98c3a49a38b1
Virtual Visits Administrator | Manage and share Virtual Visits information and metrics from admin centers or the Virtual Visits app. | e300d9e7-4a2b-4295-9eff-f1c78b36cc98
Windows 365 Administrator | Can provision and manage all aspects of Cloud PCs. | 11451d60-acb2-45eb-a7d6-43d0f0125c13
Windows Update Deployment Administrator | Can create and manage all aspects of Windows Update deployments through the Windows Update for Business deployment service. | 32696413-001a-46ae-978c-ce0f6b3620d2
Yammer Administrator | Manage all aspects of the Yammer service. | 810a2642-a034-447f-a5e8-41beaa378541
Application Administrator
Users in this role can create and manage all aspects of enterprise applications,
application registrations, and application proxy settings. Note that users assigned to this
role are not added as owners when creating new application registrations or enterprise
applications.
This role also grants the ability to consent for delegated permissions and application
permissions, with the exception of application permissions for Microsoft Graph.
Important
This exception means that you can still consent to application permissions for other
apps (for example, non-Microsoft apps or apps that you have registered). You can
still request these permissions as part of the app registration, but granting (that is,
consenting to) these permissions requires a more privileged administrator, such as
Global Administrator.
This role grants the ability to manage application credentials. Users assigned this
role can add credentials to an application, and use those credentials to
impersonate the application’s identity. If the application’s identity has been granted
access to a resource, such as the ability to create or update User or other objects,
then a user assigned to this role could perform those actions while impersonating
the application. This ability to impersonate the application’s identity may be an
elevation of privilege over what the user can do via their role assignments. It is
important to understand that assigning a user to the Application Administrator role
gives them the ability to impersonate an application’s identity.
Actions | Description
[Link]/adminConsentRequestPolicy/allProperties/allTasks | Manage admin consent request policies in Azure AD
[Link]/appConsent/appConsentRequests/allProperties/read | Read all properties of consent requests for applications registered with Azure AD
[Link]/applications/create | Create all types of applications
[Link]/applications/delete | Delete all types of applications
[Link]/applications/applicationProxy/read | Read all application proxy properties
[Link]/applications/applicationProxy/update | Update all application proxy properties
[Link]/applications/applicationProxyAuthentication/update | Update authentication on all types of applications
[Link]/applications/applicationProxySslCertificate/update | Update SSL certificate settings for application proxy
[Link]/applications/applicationProxyUrlSettings/update | Update URL settings for application proxy
[Link]/applications/appRoles/update | Update the appRoles property on all types of applications
[Link]/applications/audience/update | Update the audience property for applications
[Link]/applications/authentication/update | Update authentication on all types of applications
[Link]/applications/basic/update | Update basic properties for applications
[Link]/applications/credentials/update | Update application credentials
[Link]/applications/extensionProperties/update | Update extension properties on applications
[Link]/applications/notes/update | Update notes of applications
[Link]/applications/owners/update | Update owners of applications
[Link]/applications/permissions/update | Update exposed permissions and required permissions on all types of applications
[Link]/applications/policies/update | Update policies of applications
[Link]/applications/tag/update | Update tags of applications
[Link]/applications/verification/update | Update the verification property of applications
[Link]/applications/synchronization/standard/read | Read provisioning settings associated with the application object
[Link]/applicationTemplates/instantiate | Instantiate gallery applications from application templates
[Link]/auditLogs/allProperties/read | Read all properties on audit logs, including privileged properties
[Link]/connectors/create | Create application proxy connectors
[Link]/connectors/allProperties/read | Read all properties of application proxy connectors
[Link]/connectorGroups/create | Create application proxy connector groups
[Link]/connectorGroups/delete | Delete application proxy connector groups
[Link]/connectorGroups/allProperties/read | Read all properties of application proxy connector groups
[Link]/connectorGroups/allProperties/update | Update all properties of application proxy connector groups
[Link]/customAuthenticationExtensions/allProperties/allTasks | Create and manage custom authentication extensions
[Link]/[Link]/delete | Permanently delete applications, which can no longer be restored
[Link]/[Link]/restore | Restore soft deleted applications to original state
[Link]/oAuth2PermissionGrants/allProperties/allTasks | Create and delete OAuth 2.0 permission grants, and read and update all properties
[Link]/applicationPolicies/create | Create application policies
[Link]/applicationPolicies/delete | Delete application policies
[Link]/applicationPolicies/standard/read | Read standard properties of application policies
[Link]/applicationPolicies/owners/read | Read owners on application policies
[Link]/applicationPolicies/policyAppliedTo/read | Read application policies applied to objects list
[Link]/applicationPolicies/basic/update | Update standard properties of application policies
[Link]/applicationPolicies/owners/update | Update the owner property of application policies
[Link]/provisioningLogs/allProperties/read | Read all properties of provisioning logs
[Link]/servicePrincipals/create | Create service principals
[Link]/servicePrincipals/delete | Delete service principals
[Link]/servicePrincipals/disable | Disable service principals
[Link]/servicePrincipals/enable | Enable service principals
[Link]/servicePrincipals/getPasswordSingleSignOnCredentials | Manage password single sign-on credentials on service principals
[Link]/servicePrincipals/synchronizationCredentials/manage | Manage application provisioning secrets and credentials
[Link]/servicePrincipals/synchronizationJobs/manage | Start, restart, and pause application provisioning synchronization jobs
[Link]/servicePrincipals/synchronizationSchema/manage | Create and manage application provisioning synchronization jobs and schema
[Link]/servicePrincipals/managePasswordSingleSignOnCredentials | Read password single sign-on credentials on service principals
[Link]/servicePrincipals/managePe[Link]-application-admin | Grant consent for application permissions and delegated permissions on behalf of any user or all users, except for application permissions for Microsoft Graph
[Link]/servicePrincipals/appRoleAssignedTo/update | Update service principal role assignments
[Link]/servicePrincipals/audience/update | Update audience properties on service principals
[Link]/servicePrincipals/authentication/update | Update authentication properties on service principals
[Link]/servicePrincipals/basic/update | Update basic properties on service principals
[Link]/servicePrincipals/credentials/update | Update credentials of service principals
[Link]/servicePrincipals/notes/update | Update notes of service principals
[Link]/servicePrincipals/owners/update | Update owners of service principals
[Link]/servicePrincipals/permissions/update | Update permissions of service principals
[Link]/servicePrincipals/policies/update | Update policies of service principals
[Link]/servicePrincipals/tag/update | Update the tag property for service principals
[Link]/servicePrincipals/synchronization/standard/read | Read provisioning settings associated with your service principal
[Link]/signInReports/allProperties/read | Read all properties on sign-in reports, including privileged properties
[Link]/allEntities/allTasks | Read and configure Azure Service Health
[Link]/allEntities/allTasks | Create and manage Azure support tickets
[Link]/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center
[Link]/allEntities/allTasks | Create and manage Microsoft 365 service requests
[Link]/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center
Application Developer
Users in this role can create application registrations when the "Users can register
applications" setting is set to No. This role also grants permission to consent on one's
own behalf when the "Users can consent to apps accessing company data on their
behalf" setting is set to No. Users assigned to this role are added as owners when
creating new application registrations.
Actions | Description
[Link]/applications/createAsOwner | Create all types of applications, and creator is added as the first owner
[Link]/oAuth2PermissionGrants/createAsOwner | Create OAuth 2.0 permission grants, with creator as the first owner
[Link]/servicePrincipals/createAsOwner | Create service principals, with creator as the first owner
Attack Payload Author
Users in this role can create attack payloads but not actually launch or schedule them.
Attack payloads are then available to all administrators in the tenant who can use them
to create a simulation.
Actions | Description
[Link]/attackSimulator/payload/allProperties/allTasks | Create and manage attack payloads in Attack Simulator
[Link]/attackSimulator/reports/allProperties/read | Read reports of attack simulation responses and associated training
Attack Simulation Administrator
Users in this role can create and manage all aspects of attack simulation creation,
launch/scheduling of a simulation, and the review of simulation results. Members of this
role have this access for all simulations in the tenant.
Actions | Description
[Link]/attackSimulator/payload/allProperties/allTasks | Create and manage attack payloads in Attack Simulator
[Link]/attackSimulator/reports/allProperties/read | Read reports of attack simulation responses and associated training
[Link]/attackSimulator/simulation/allProperties/allTasks | Create and manage attack simulation templates in Attack Simulator
Attribute Assignment Administrator
Users with this role can assign and remove custom security attribute keys and values for
supported Azure AD objects such as users, service principals, and devices.
By default, Global Administrator and other administrator roles do not have permissions
to read, define, or assign custom security attributes. To work with custom security
attributes, you must be assigned one of the custom security attribute roles.
For more information, see Manage access to custom security attributes in Azure AD.
Actions | Description
[Link]/attributeSets/allProperties/read | Read all properties of attribute sets
[Link]/customSecurityAttributeDefinitions/allProperties/read | Read all properties of custom security attribute definitions
[Link]/devices/customSecurityAttributes/read | Read custom security attribute values for devices
[Link]/devices/customSecurityAttributes/update | Update custom security attribute values for devices
[Link]/servicePrincipals/customSecurityAttributes/read | Read custom security attribute values for service principals
[Link]/servicePrincipals/customSecurityAttributes/update | Update custom security attribute values for service principals
[Link]/users/customSecurityAttributes/read | Read custom security attribute values for users
[Link]/users/customSecurityAttributes/update | Update custom security attribute values for users
Attribute Assignment Reader
Users with this role can read custom security attribute keys and values for supported
Azure AD objects.
By default, Global Administrator and other administrator roles do not have permissions
to read, define, or assign custom security attributes. To work with custom security
attributes, you must be assigned one of the custom security attribute roles.
For more information, see Manage access to custom security attributes in Azure AD.
Actions | Description
[Link]/attributeSets/allProperties/read | Read all properties of attribute sets
[Link]/customSecurityAttributeDefinitions/allProperties/read | Read all properties of custom security attribute definitions
[Link]/devices/customSecurityAttributes/read | Read custom security attribute values for devices
[Link]/servicePrincipals/customSecurityAttributes/read | Read custom security attribute values for service principals
[Link]/users/customSecurityAttributes/read | Read custom security attribute values for users
Attribute Definition Administrator
Users with this role can define a valid set of custom security attributes that can be
assigned to supported Azure AD objects. This role can also activate and deactivate
custom security attributes.
By default, Global Administrator and other administrator roles do not have permissions
to read, define, or assign custom security attributes. To work with custom security
attributes, you must be assigned one of the custom security attribute roles.
For more information, see Manage access to custom security attributes in Azure AD.
Actions | Description
[Link]/attributeSets/allProperties/allTasks | Manage all aspects of attribute sets
[Link]/customSecurityAttributeDefinitions/allProperties/allTasks | Manage all aspects of custom security attribute definitions
Attribute Definition Reader
Users with this role can read the definition of custom security attributes.
By default, Global Administrator and other administrator roles do not have permissions
to read, define, or assign custom security attributes. To work with custom security
attributes, you must be assigned one of the custom security attribute roles.
For more information, see Manage access to custom security attributes in Azure AD.
Actions | Description
[Link]/attributeSets/allProperties/read | Read all properties of attribute sets
[Link]/customSecurityAttributeDefinitions/allProperties/read | Read all properties of custom security attribute definitions
Authentication Administrator
Assign the Authentication Administrator role to users who need to do the following:
- Set or reset any authentication method (including passwords) for non-administrators
  and some roles. For a list of the roles whose authentication methods an
  Authentication Administrator can read or update, see Who can reset passwords.
- Require users who are non-administrators or assigned to some roles to re-register
  against existing non-password credentials (for example, MFA or FIDO), and revoke
  "remember MFA on the device", which prompts for MFA on the next sign-in.
- Perform sensitive actions for some users. For more information, see Who can
  perform sensitive actions.
- Create and manage support tickets in Azure and the Microsoft 365 admin center.
Users with this role cannot do the following:
- Change the credentials or reset MFA for members and owners of a role-assignable
  group.
- Manage MFA settings in the legacy MFA management portal or Hardware OATH tokens.
  The same functions can be accomplished using the Set-MsolUser cmdlet in the Azure
  AD PowerShell module.
The following table compares the capabilities of this role with related roles.
Role | Manage user's auth methods | Manage per-user MFA | Manage MFA settings | Manage auth method policy | Manage password protection policy | Update sensitive properties | Delete and restore users
Authentication Administrator | Yes for some users | Yes for some users | No | No | No | Yes for some users | Yes for some users
Privileged Authentication Administrator | Yes for all users | Yes for all users | No | No | No | Yes for all users | Yes for all users
Authentication Policy Administrator | No | No | Yes | Yes | Yes | No | No
User Administrator | No | No | No | No | No | Yes for some users | Yes for some users
Important
Users with this role can change credentials for people who may have access to
sensitive or private information or critical configuration inside and outside of Azure
Active Directory. Changing the credentials of a user may mean the ability to assume
that user's identity and permissions. For example:
- Application Registration and Enterprise Application owners, who can manage
  credentials of apps they own. Those apps may have privileged permissions in
  Azure AD and elsewhere not granted to Authentication Administrators. Through
  this path an Authentication Administrator can assume the identity of an
  application owner and then further assume the identity of a privileged
  application by updating the credentials for the application.
- Azure subscription owners, who may have access to sensitive or private
  information or critical configuration in Azure.
- Security Group and Microsoft 365 group owners, who can manage group
  membership. Those groups may grant access to sensitive or private information
  or critical configuration in Azure AD and elsewhere.
- Administrators in other services outside of Azure AD like Exchange Online,
  Office 365 Security & Compliance Center, and human resources systems.
- Non-administrators like executives, legal counsel, and human resources
  employees who may have access to sensitive or private information.
Actions | Description
[Link]/users/authenticationMethods/create | Create authentication methods for users
[Link]/users/authenticationMethods/delete | Delete authentication methods for users
[Link]/users/authenticationMethods/standard/restrictedRead | Read standard properties of authentication methods that do not include personally identifiable information for users
[Link]/users/authenticationMethods/basic/update | Update basic properties of authentication methods for users
[Link]/[Link]/restore | Restore soft deleted users to original state
[Link]/users/delete | Delete users
[Link]/users/disable | Disable users
[Link]/users/enable | Enable users
[Link]/users/invalidateAllRefreshTokens | Force sign-out by invalidating user refresh tokens
[Link]/users/restore | Restore deleted users
[Link]/users/basic/update | Update basic properties on users
[Link]/users/manager/update | Update manager for users
[Link]/users/password/update | Reset passwords for all users
[Link]/users/userPrincipalName/update | Update User Principal Name of users
[Link]/allEntities/allTasks | Read and configure Azure Service Health
[Link]/allEntities/allTasks | Create and manage Azure support tickets
[Link]/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center
[Link]/allEntities/allTasks | Create and manage Microsoft 365 service requests
[Link]/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center
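The two credential-based escalation paths described in the Application Administrator and Authentication Administrator notes above, modelled as a review helper. This is an added example, not code from the Azure AD documentation: the role assignments, service principals, owners, Graph permission shortlist and audit-log entries are constructed sample data, the contoso.example users are placeholders, and the audit activity name used as the filter is an assumption about the real log.

```python
"""Added review helper (not from the Azure AD docs) for the two credential paths the
role notes describe: an Application Administrator adding a credential to an app, and
an Authentication Administrator resetting a non-admin app owner and acting as them.
All data below is constructed sample data, not taken from a real tenant."""
from collections import defaultdict

# Graph application permissions that make an app identity directory-privileged
# (constructed shortlist of well-known permission names).
HIGH_PRIVILEGE_APP_PERMISSIONS = {
    "Directory.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
    "Application.ReadWrite.All",
    "User.ReadWrite.All",
}
# Built-in roles from the page that can update credentials on any application
# (Cloud Application Administrator has the same rights minus application proxy).
APP_CREDENTIAL_ROLES = {"Application Administrator", "Cloud Application Administrator"}
# Built-in roles from the page that can reset users' authentication methods.
AUTH_RESET_ROLES = {"Authentication Administrator", "Privileged Authentication Administrator"}

# Constructed sample: user -> set of assigned directory roles.
ROLE_ASSIGNMENTS = {
    "alice@contoso.example": {"Application Administrator"},
    "bob@contoso.example": {"Authentication Administrator"},
    "carol@contoso.example": set(),  # no directory role: a plain app owner
}
# Constructed sample: service principals with their granted Graph application
# permissions and the users who own the corresponding app registration.
SERVICE_PRINCIPALS = [
    {"displayName": "HR Sync", "appRoles": {"User.ReadWrite.All"},
     "owners": {"carol@contoso.example"}},
    {"displayName": "Wiki Bot", "appRoles": {"Sites.Read.All"},
     "owners": {"carol@contoso.example"}},
    {"displayName": "Role Mgr", "appRoles": {"RoleManagement.ReadWrite.Directory"},
     "owners": set()},
]
# Constructed sample audit entries. The activity name is an assumption about how
# the real Azure AD audit log labels credential changes; it is not from the page.
CREDENTIAL_ACTIVITY = "Update application - Certificates and secrets management"
AUDIT_LOG = [
    {"activityDisplayName": CREDENTIAL_ACTIVITY,
     "initiatedBy": "alice@contoso.example", "target": "HR Sync"},
    {"activityDisplayName": CREDENTIAL_ACTIVITY,
     "initiatedBy": "carol@contoso.example", "target": "Wiki Bot"},
    {"activityDisplayName": "Reset user password",
     "initiatedBy": "bob@contoso.example", "target": "carol@contoso.example"},
]


def privileged_apps(service_principals):
    """Apps whose identity carries at least one high-privilege permission."""
    return [sp for sp in service_principals
            if sp["appRoles"] & HIGH_PRIVILEGE_APP_PERMISSIONS]


def escalation_paths(role_assignments, service_principals):
    """Map each role holder to the privileged apps they could impersonate.

    Returns {user: [(how, app_name), ...]}: "direct" when the user can add an app
    credential themselves, "via-owner:<upn>" when the user can reset that owner's
    credentials and act as the owner. The page says an Authentication Administrator
    cannot reset users holding admin roles, so the owner path is simplified to
    owners with no directory role; "Who can reset passwords" is the real scope.
    """
    paths = defaultdict(list)
    targets = privileged_apps(service_principals)
    for user, roles in role_assignments.items():
        if roles & APP_CREDENTIAL_ROLES:
            paths[user].extend(("direct", sp["displayName"]) for sp in targets)
        if roles & AUTH_RESET_ROLES:
            resets_admins = "Privileged Authentication Administrator" in roles
            for sp in targets:
                for owner in sorted(sp["owners"]):
                    if resets_admins or not role_assignments.get(owner):
                        paths[user].append(("via-owner:" + owner, sp["displayName"]))
    return dict(paths)


def suspicious_credential_events(audit_log, service_principals, role_assignments):
    """Flag credential changes on privileged apps made by a non-owner, i.e. someone
    acting through a directory role rather than app ownership.
    Returns [(actor, app_name, sorted actor roles), ...] for a reviewer."""
    privileged = {sp["displayName"]: sp for sp in privileged_apps(service_principals)}
    flagged = []
    for event in audit_log:
        if event["activityDisplayName"] != CREDENTIAL_ACTIVITY:
            continue
        sp = privileged.get(event["target"])
        actor = event["initiatedBy"]
        if sp is None or actor in sp["owners"]:
            continue
        flagged.append((actor, sp["displayName"], sorted(role_assignments.get(actor, ()))))
    return flagged
```

Run against a real tenant, the same two functions would take role assignments, service principals and audit events exported from Microsoft Graph; the output is a review list, not a verdict.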
Authentication Policy Administrator
Assign the Authentication Policy Administrator role to users who need to do the
following:
- Configure the authentication methods policy, tenant-wide MFA settings, and
  password protection policy that determine which methods each user can register
  and use.
- Manage Password Protection settings: smart lockout configurations and updating
  the custom banned passwords list.
- Create and manage verifiable credentials.
- Create and manage Azure support tickets.
Users with this role cannot do the following:
- Update sensitive properties. For more information, see Who can perform
  sensitive actions.
- Delete or restore users. For more information, see Who can perform sensitive
  actions.
- Manage MFA settings in the legacy MFA management portal or Hardware OATH
  tokens.
The following table compares the capabilities of this role with related roles.
Role | Manage user's auth methods | Manage per-user MFA | Manage MFA settings | Manage auth method policy | Manage password protection policy | Update sensitive properties | Delete and restore users
Authentication Administrator | Yes for some users | Yes for some users | No | No | No | Yes for some users | Yes for some users
Privileged Authentication Administrator | Yes for all users | Yes for all users | No | No | No | Yes for all users | Yes for all users
Authentication Policy Administrator | No | No | Yes | Yes | Yes | No | No
User Administrator | No | No | No | No | No | Yes for some users | Yes for some users
Actions | Description
[Link]/organization/strongAuthentication/allTasks | Manage all aspects of strong authentication properties of an organization
[Link]/userCredentialPolicies/create | Create credential policies for users
[Link]/userCredentialPolicies/delete | Delete credential policies for users
[Link]/userCredentialPolicies/standard/read | Read standard properties of credential policies for users
[Link]/userCredentialPolicies/owners/read | Read owners of credential policies for users
[Link]/userCredentialPolicies/policyAppliedTo/read | Read [Link] navigation link
[Link]/userCredentialPolicies/basic/update | Update basic policies for users
[Link]/userCredentialPolicies/owners/update | Update owners of credential policies for users
[Link]/userCredentialPolicies/tenantDefault/update | Update [Link] property
[Link]/verifiableCredentials/configuration/contracts/cards/allProperties/read | Read a verifiable credential card
[Link]/verifiableCredentials/configuration/contracts/cards/revoke | Revoke a verifiable credential card
[Link]/verifiableCredentials/configuration/contracts/create | Create a verifiable credential contract
[Link]/verifiableCredentials/configuration/contracts/allProperties/read | Read a verifiable credential contract
[Link]/verifiableCredentials/configuration/contracts/allProperties/update | Update a verifiable credential contract
[Link]/verifiableCredentials/configuration/create | Create configuration required to create and manage verifiable credentials
[Link]/verifiableCredentials/configuration/delete | Delete configuration required to create and manage verifiable credentials and delete all of its verifiable credentials
[Link]/verifiableCredentials/configuration/allProperties/read | Read configuration required to create and manage verifiable credentials
[Link]/verifiableCredentials/configuration/allProperties/update | Update configuration required to create and manage verifiable credentials
[Link]/allEntities/allTasks | Create and manage Azure support tickets
Azure AD Joined Device Local Administrator
This role is available for assignment only as an additional local administrator in Device
settings. Users with this role become local machine administrators on all Windows 10
devices that are joined to Azure Active Directory. They do not have the ability to
manage device objects in Azure Active Directory.
Actions | Description
[Link]/groupSettings/standard/read | Read basic properties on group settings
[Link]/groupSettingTemplates/standard/read | Read basic properties on group setting templates
Azure DevOps Administrator
Users with this role can manage all enterprise Azure DevOps policies, applicable to all
Azure DevOps organizations backed by the Azure AD. Users in this role can manage
these policies by navigating to any Azure DevOps organization that is backed by the
company's Azure AD. Additionally, users in this role can claim ownership of orphaned
Azure DevOps organizations. This role grants no other Azure DevOps-specific
permissions (for example, Project Collection Administrators) inside any of the Azure
DevOps organizations backed by the company's Azure AD organization.
Actions | Description
[Link]/allEntities/allTasks | Read and configure Azure DevOps
Azure Information Protection Administrator
Users with this role have all permissions in the Azure Information Protection service. This
role allows configuring labels for the Azure Information Protection policy, managing
protection templates, and activating protection. This role does not grant any
permissions in Identity Protection Center, Privileged Identity Management, Monitor
Microsoft 365 Service Health, or Office 365 Security & Compliance Center.
Actions | Description
[Link]/authorizationPolicy/standard/read | Read standard properties of authorization policy
[Link]/allEntities/allTasks | Manage all aspects of Azure Information Protection
[Link]/allEntities/allTasks | Read and configure Azure Service Health
[Link]/allEntities/allTasks | Create and manage Azure support tickets
[Link]/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center
[Link]/allEntities/allTasks | Create and manage Microsoft 365 service requests
[Link]/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center
B2C IEF Keyset Administrator
User can create and manage policy keys and secrets for token encryption, token
signatures, and claim encryption/decryption. By adding new keys to existing key
containers, this limited administrator can roll over secrets as needed without impacting
existing applications. This user can see the full content of these secrets and their
expiration dates even after their creation.
Important
This is a sensitive role. The keyset administrator role should be carefully audited
and assigned with care during pre-production and production.
Actions | Description
[Link]/b2cTrustFrameworkKeySet/allProperties/allTasks | Read and configure key sets in Azure Active Directory B2C
B2C IEF Policy Administrator
Users in this role have the ability to create, read, update, and delete all custom policies
in Azure AD B2C and therefore have full control over the Identity Experience Framework
in the relevant Azure AD B2C organization. By editing policies, this user can establish
direct federation with external identity providers, change the directory schema, change
all user-facing content (HTML, CSS, JavaScript), change the requirements to complete an
authentication, create new users, send user data to external systems including full
migrations, and edit all user information including sensitive fields like passwords and
phone numbers. Conversely, this role cannot change the encryption keys or edit the
secrets used for federation in the organization.
Important
The B2C IEF Policy Administrator is a highly sensitive role which should be assigned
on a very limited basis for organizations in production. Activities by these users
should be closely audited, especially for organizations in production.
Actions | Description
[Link]/b2cTrustFrameworkPolicy/allProperties/allTasks | Read and configure custom policies in Azure Active Directory B2C
Billing Administrator
Makes purchases, manages subscriptions, manages support tickets, and monitors
service health.
Actions | Description
[Link]/organization/basic/update | Update basic properties on organization
[Link]/allEntities/allTasks | Read and configure Azure Service Health
[Link]/allEntities/allTasks | Create and manage Azure support tickets
[Link]/allEntities/allProperties/allTasks | Manage all aspects of Office 365 billing
[Link]/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center
[Link]/allEntities/allTasks | Create and manage Microsoft 365 service requests
[Link]/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center
Cloud App Security Administrator
Users with this role have full permissions in Defender for Cloud Apps. They can add
administrators, add Microsoft Defender for Cloud Apps policies and settings, upload
logs, and perform governance actions.
Actions | Description
[Link]/cloudAppSecurity/allProperties/allTasks | Create and delete all resources, and read and update standard properties in Microsoft Defender for Cloud Apps
[Link]/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center
Cloud Application Administrator
Users in this role have the same permissions as the Application Administrator role,
excluding the ability to manage application proxy. This role grants the ability to create
and manage all aspects of enterprise applications and application registrations. Users
assigned to this role are not added as owners when creating new application
registrations or enterprise applications.
This role also grants the ability to consent for delegated permissions and application
permissions, with the exception of application permissions for Microsoft Graph.
Important
This exception means that you can still consent to application permissions for other
apps (for example, non-Microsoft apps or apps that you have registered). You can
still request these permissions as part of the app registration, but granting (that is,
consenting to) these permissions requires a more privileged administrator, such as
Global Administrator.
This role grants the ability to manage application credentials. Users assigned this
role can add credentials to an application, and use those credentials to
impersonate the application’s identity. If the application’s identity has been granted
access to a resource, such as the ability to create or update User or other objects,
then a user assigned to this role could perform those actions while impersonating
the application. This ability to impersonate the application’s identity may be an
elevation of privilege over what the user can do via their role assignments. It is
important to understand that assigning a user to the Application Administrator role
gives them the ability to impersonate an application’s identity.
Actions | Description
[Link]/adminConsentRequestPolicy/allProperties/allTasks | Manage admin consent request policies in Azure AD
[Link]/appConsent/appConsentRequests/allProperties/read | Read all properties of consent requests for applications registered with Azure AD
[Link]/applications/create | Create all types of applications
[Link]/applications/delete | Delete all types of applications
[Link]/applications/appRoles/update | Update the appRoles property on all types of applications
[Link]/applications/audience/update | Update the audience property for applications
[Link]/applications/authentication/update | Update authentication on all types of applications
[Link]/applications/basic/update | Update basic properties for applications
[Link]/applications/credentials/update | Update application credentials
[Link]/applications/extensionProperties/update | Update extension properties on applications
[Link]/applications/notes/update | Update notes of applications
[Link]/applications/owners/update | Update owners of applications
[Link]/applications/permissions/update | Update exposed permissions and required permissions on all types of applications
[Link]/applications/policies/update | Update policies of applications
[Link]/applications/tag/update | Update tags of applications
[Link]/applications/verification/update | Update the verification property of applications
[Link]/applications/synchronization/standard/read | Read provisioning settings associated with the application object
[Link]/applicationTemplates/instantiate | Instantiate gallery applications from application templates
[Link]/auditLogs/allProperties/read | Read all properties on audit logs, including privileged properties
[Link]/[Link]/delete | Permanently delete applications, which can no longer be restored
[Link]/[Link]/restore | Restore soft deleted applications to original state
[Link]/oAuth2PermissionGrants/allProperties/allTasks | Create and delete OAuth 2.0 permission grants, and read and update all properties
[Link]/applicationPolicies/create | Create application policies
[Link]/applicationPolicies/delete | Delete application policies
[Link]/applicationPolicies/standard/read | Read standard properties of application policies
[Link]/applicationPolicies/owners/read | Read owners on application policies
[Link]/applicationPolicies/policyAppliedTo/read | Read application policies applied to objects list
[Link]/applicationPolicies/basic/update | Update standard properties of application policies
[Link]/applicationPolicies/owners/update | Update the owner property of application policies
[Link]/provisioningLogs/allProperties/read | Read all properties of provisioning logs
[Link]/servicePrincipals/create | Create service principals
[Link]/servicePrincipals/delete | Delete service principals
[Link]/servicePrincipals/disable | Disable service principals
[Link]/servicePrincipals/enable | Enable service principals
[Link]/servicePrincipals/getPasswordSingleSignOnCredentials | Manage password single sign-on credentials on service principals
[Link]/servicePrincipals/synchronizationCredentials/manage | Manage application provisioning secrets and credentials
[Link]/servicePrincipals/synchronizationJobs/manage | Start, restart, and pause application provisioning synchronization jobs
[Link]/servicePrincipals/synchronizationSchema/manage | Create and manage application provisioning synchronization jobs and schema
[Link]/servicePrincipals/managePasswordSingleSignOnCredentials | Read password single sign-on credentials on service principals
[Link]/servicePrincipals/managePe[Link]-application-admin | Grant consent for application permissions and delegated permissions on behalf of any user or all users, except for application permissions for Microsoft Graph
[Link]/servicePrincipals/appRoleAssignedTo/update | Update service principal role assignments
[Link]/servicePrincipals/audience/update | Update audience properties on service principals
[Link]/servicePrincipals/authentication/update | Update authentication properties on service principals
[Link]/servicePrincipals/basic/update | Update basic properties on service principals
[Link]/servicePrincipals/credentials/update | Update credentials of service principals
[Link]/servicePrincipals/notes/update | Update notes of service principals
[Link]/servicePrincipals/owners/update | Update owners of service principals
[Link]/servicePrincipals/permissions/update | Update permissions of service principals
[Link]/servicePrincipals/policies/update | Update policies of service principals
[Link]/servicePrincipals/tag/update | Update the tag property for service principals
[Link]/servicePrincipals/synchronization/standard/read | Read provisioning settings associated with your service principal
[Link]/signInReports/allProperties/read | Read all properties on sign-in reports, including privileged properties
[Link]/allEntities/allTasks | Read and configure Azure Service Health
[Link]/allEntities/allTasks | Create and manage Azure support tickets
[Link]/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center
[Link]/allEntities/allTasks | Create and manage Microsoft 365 service requests
[Link]/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center
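The impersonation path described in the note above (an assignee adds a credential to an application and then acts with whatever application permissions that application already holds) is worth modelling when reviewing who holds this role. The following is an added Python example, not Microsoft's code: the role definitions are subsets of the action lists above in the microsoft.directory namespace, and the service principals and the watch list of high-impact Graph permissions are constructed for illustration.

```python
"""Added example: what an Azure AD role assignee can reach by impersonating
applications whose credentials the role lets them manage. Constructed data only."""
from dataclasses import dataclass

# Resource actions that allow adding a credential to an application or service
# principal; holding one of these is the precondition for the impersonation path.
CREDENTIAL_ACTIONS = (
    "microsoft.directory/applications/credentials/update",
    "microsoft.directory/servicePrincipals/credentials/update",
)

# Constructed watch list of Microsoft Graph application permissions treated as
# tenant-level risk if they become reachable through impersonation.
HIGH_IMPACT_APP_PERMISSIONS = frozenset({
    "Directory.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
    "User.ReadWrite.All",
    "AppRoleAssignment.ReadWrite.All",
})

WILDCARD_SUFFIX = "/allProperties/allTasks"


@dataclass(frozen=True)
class RoleDefinition:
    name: str
    actions: tuple  # resource action strings as listed in the role definition


@dataclass(frozen=True)
class ServicePrincipal:
    display_name: str
    graph_app_permissions: frozenset  # application permissions already granted


def role_allows(role: RoleDefinition, action: str) -> bool:
    """True if the role grants `action`, either literally or through a
    `<resource>/allProperties/allTasks` entry that covers the whole resource."""
    for granted in role.actions:
        if granted == action:
            return True
        if granted.endswith(WILDCARD_SUFFIX):
            resource = granted[: -len(WILDCARD_SUFFIX)]
            if action.startswith(resource + "/"):
                return True
    return False


def can_manage_credentials(role: RoleDefinition) -> bool:
    """Can an assignee mint a credential for applications or service principals?"""
    return any(role_allows(role, action) for action in CREDENTIAL_ACTIONS)


def reachable_app_permissions(role, principals):
    """Application permissions an assignee could exercise by signing in as each
    service principal, keyed by principal name. Empty if the role cannot add
    credentials at all; principals with no application permissions are skipped."""
    if not can_manage_credentials(role):
        return {}
    return {
        sp.display_name: set(sp.graph_app_permissions)
        for sp in principals
        if sp.graph_app_permissions
    }


def high_impact_findings(role, principals):
    """Sorted (principal, permission) pairs where impersonation reaches a watch-list
    permission, i.e. privilege the role's own actions never grant directly."""
    findings = []
    for sp_name, perms in reachable_app_permissions(role, principals).items():
        for perm in sorted(perms & HIGH_IMPACT_APP_PERMISSIONS):
            findings.append((sp_name, perm))
    return sorted(findings)


# Constructed sample data: subsets of two roles' actions and two principals.
CLOUD_APPLICATION_ADMINISTRATOR = RoleDefinition(
    "Cloud Application Administrator",
    (
        "microsoft.directory/applications/create",
        "microsoft.directory/applications/credentials/update",
        "microsoft.directory/servicePrincipals/credentials/update",
        "microsoft.directory/oAuth2PermissionGrants/allProperties/allTasks",
    ),
)
DIRECTORY_READERS = RoleDefinition(
    "Directory Readers",
    (
        "microsoft.directory/applications/standard/read",
        "microsoft.directory/servicePrincipals/standard/read",
    ),
)
SAMPLE_PRINCIPALS = (
    ServicePrincipal("HR Sync (constructed)", frozenset({"User.ReadWrite.All", "Group.Read.All"})),
    ServicePrincipal("Status Page (constructed)", frozenset()),
)

if __name__ == "__main__":
    for role in (CLOUD_APPLICATION_ADMINISTRATOR, DIRECTORY_READERS):
        print(role.name, "can add app credentials:", can_manage_credentials(role))
        for sp_name, perm in high_impact_findings(role, SAMPLE_PRINCIPALS):
            print(f"  reaches {perm} via {sp_name}")
```

In a real tenant, populate the principals from the granted app role assignments on each service principal; the reachable set is what a review of this role's assignees should weigh against their stated duties.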
Cloud Device Administrator
Users in this role can enable, disable, and delete devices in Azure AD and read Windows
10 BitLocker keys (if present) in the Azure portal. The role does not grant permissions to
manage any other properties on the device.
Actions | Description
[Link]/auditLogs/allProperties/read | Read all properties on audit logs, including privileged properties
[Link]/authorizationPolicy/standard/read | Read standard properties of authorization policy
[Link]/bitlockerKeys/key/read | Read BitLocker metadata and key on devices
[Link]/[Link]/delete | Permanently delete devices, which can no longer be restored
[Link]/[Link]/restore | Restore soft deleted devices to original state
[Link]/devices/delete | Delete devices from Azure AD
[Link]/devices/disable | Disable devices in Azure AD
[Link]/devices/enable | Enable devices in Azure AD
[Link]/deviceManagementPolicies/standard/read | Read standard properties on device management application policies
[Link]/deviceManagementPolicies/basic/update | Update basic properties on device management application policies
[Link]/deviceRegistrationPolicy/standard/read | Read standard properties on device registration policies
[Link]/deviceRegistrationPolicy/basic/update | Update basic properties on device registration policies
[Link]/signInReports/allProperties/read | Read all properties on sign-in reports, including privileged properties
[Link]/allEntities/allTasks | Read and configure Azure Service Health
[Link]/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center
Compliance Administrator
Users with this role have permissions to manage compliance-related features in the
Microsoft Purview compliance portal, Microsoft 365 admin center, Azure, and Office 365
Security & Compliance Center. Assignees can also manage all features within the
Exchange admin center and create support tickets for Azure and Microsoft 365. More
information is available at About Microsoft 365 admin roles.
In | Can do
Microsoft Purview compliance portal | Protect and manage your organization's data across Microsoft 365 services
 | Manage compliance alerts
Compliance Manager | Track, assign, and verify your organization's regulatory compliance activities
Office 365 Security & Compliance Center | Manage data governance
 | Perform legal and data investigation
 | Manage Data Subject Request
 | This role has the same permissions as the Compliance Administrator RoleGroup in Office 365 Security & Compliance Center role-based access control.
Intune | View all Intune audit data
Microsoft Defender for Cloud Apps | Has read-only permissions and can manage alerts
 | Can create and modify file policies and allow file governance actions
 | Can view all the built-in reports under Data Management
Actions | Description
[Link]/allEntities/allTasks | Read and configure Azure Service Health
[Link]/allEntities/allTasks | Create and manage Azure support tickets
[Link]/entitlementManagement/allProperties/read | Read all properties in Azure AD entitlement management
[Link]/allEntities/allTasks | Manage all aspects of Office 365 Compliance Manager
[Link]/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center
[Link]/allEntities/allTasks | Create and manage Microsoft 365 service requests
[Link]/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center
Compliance Data Administrator
Users with this role have permissions to track data in the Microsoft Purview compliance
portal, Microsoft 365 admin center, and Azure. Users can also track compliance data
within the Exchange admin center, Compliance Manager, and Teams & Skype for
Business admin center and create support tickets for Azure and Microsoft 365. This
documentation has details on differences between Compliance Administrator and
Compliance Data Administrator.
In | Can do
Microsoft Purview compliance portal | Monitor compliance-related policies across Microsoft 365 services
 | Manage compliance alerts
Compliance Manager | Track, assign, and verify your organization's regulatory compliance activities
Office 365 Security & Compliance Center | Manage data governance
 | Perform legal and data investigation
 | Manage Data Subject Request
 | This role has the same permissions as the Compliance Data Administrator RoleGroup in Office 365 Security & Compliance Center role-based access control.
Intune | View all Intune audit data
Microsoft Defender for Cloud Apps | Has read-only permissions and can manage alerts
 | Can create and modify file policies and allow file governance actions
 | Can view all the built-in reports under Data Management
Actions | Description
[Link]/authorizationPolicy/standard/read | Read standard properties of authorization policy
[Link]/cloudAppSecurity/allProperties/allTasks | Create and delete all resources, and read and update standard properties in Microsoft Defender for Cloud Apps
[Link]/allEntities/allTasks | Manage all aspects of Azure Information Protection
[Link]/allEntities/allTasks | Read and configure Azure Service Health
[Link]/allEntities/allTasks | Create and manage Azure support tickets
[Link]/allEntities/allTasks | Manage all aspects of Office 365 Compliance Manager
[Link]/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center
[Link]/allEntities/allTasks | Create and manage Microsoft 365 service requests
[Link]/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center
Conditional Access Administrator
Users with this role have the ability to manage Azure Active Directory Conditional
Access settings.
Actions | Description
[Link]/namedLocations/create | Create custom rules that define network locations
[Link]/namedLocations/delete | Delete custom rules that define network locations
[Link]/namedLocations/standard/read | Read basic properties of custom rules that define network locations
[Link]/namedLocations/basic/update | Update basic properties of custom rules that define network locations
[Link]/conditionalAccessPolicies/create | Create conditional access policies
[Link]/conditionalAccessPolicies/delete | Delete conditional access policies
[Link]/conditionalAccessPolicies/standard/read | Read conditional access policies
[Link]/conditionalAccessPolicies/owners/read | Read the owners of conditional access policies
[Link]/conditionalAccessPolicies/policyAppliedTo/read | Read the "applied to" property for conditional access policies
[Link]/conditionalAccessPolicies/basic/update | Update basic properties for conditional access policies
[Link]/conditionalAccessPolicies/owners/update | Update owners for conditional access policies
[Link]/conditionalAccessPolicies/tenantDefault/update | Update the default tenant for conditional access policies
[Link]/resourceNamespaces/resourceActions/authenticationContext/update | Update Conditional Access authentication context of Microsoft 365 role-based access control (RBAC) resource actions
Customer LockBox Access Approver
Manages Customer Lockbox requests in your organization. They receive email
notifications for Customer Lockbox requests and can approve and deny requests from
the Microsoft 365 admin center. They can also turn the Customer Lockbox feature on or
off. Only Global Administrators can reset the passwords of people assigned to this role.
Actions | Description
[Link]/allEntities/allTasks | Manage all aspects of Customer Lockbox
[Link]/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center
Desktop Analytics Administrator
Users in this role can manage the Desktop Analytics service. This includes the ability to
view asset inventory, create deployment plans, and view deployment and health status.
Actions | Description
[Link]/authorizationPolicy/standard/read | Read standard properties of authorization policy
[Link]/allEntities/allTasks | Read and configure Azure Service Health
[Link]/allEntities/allTasks | Create and manage Azure support tickets
[Link]/allEntities/allTasks | Manage all aspects of Desktop Analytics
Directory Readers
Users in this role can read basic directory information. This role should be used for:
Granting a specific set of guest users read access instead of granting it to all guest users.
Granting a specific set of non-admin users access to Azure portal when "Restrict access to Azure AD portal to admins only" is set to "Yes".
Granting service principals access to directory where [Link] is not an option.
Actions | Description
[Link]/administrativeUnits/standard/read | Read basic properties on administrative units
[Link]/administrativeUnits/members/read | Read members of administrative units
[Link]/applications/standard/read | Read standard properties of applications
[Link]/applications/owners/read | Read owners of applications
[Link]/applications/policies/read | Read policies of applications
[Link]/contacts/standard/read | Read basic properties on contacts in Azure AD
[Link]/contacts/memberOf/read | Read the group membership for all contacts in Azure AD
[Link]/contracts/standard/read | Read basic properties on partner contracts
[Link]/devices/standard/read | Read basic properties on devices
[Link]/devices/memberOf/read | Read device memberships
[Link]/devices/registeredOwners/read | Read registered owners of devices
[Link]/devices/registeredUsers/read | Read registered users of devices
[Link]/directoryRoles/standard/read | Read basic properties in Azure AD roles
[Link]/directoryRoles/eligibleMembers/read | Read the eligible members of Azure AD roles
[Link]/directoryRoles/members/read | Read all members of Azure AD roles
[Link]/domains/standard/read | Read basic properties on domains
[Link]/groups/standard/read | Read standard properties of Security groups and Microsoft 365 groups, including role-assignable groups
[Link]/groups/appRoleAssignments/read | Read application role assignments of groups
[Link]/groups/memberOf/read | Read the memberOf property on Security groups and Microsoft 365 groups, including role-assignable groups
[Link]/groups/members/read | Read members of Security groups and Microsoft 365 groups, including role-assignable groups
[Link]/groups/owners/read | Read owners of Security groups and Microsoft 365 groups, including role-assignable groups
[Link]/groups/settings/read | Read settings of groups
[Link]/groupSettings/standard/read | Read basic properties on group settings
[Link]/groupSettingTemplates/standard/read | Read basic properties on group setting templates
[Link]/oAuth2PermissionGrants/standard/read | Read basic properties on OAuth 2.0 permission grants
[Link]/organization/standard/read | Read basic properties on an organization
[Link]/organization/trustedCAsForPasswordlessAuth/read | Read trusted certificate authorities for passwordless authentication
[Link]/applicationPolicies/standard/read | Read standard properties of application policies
[Link]/roleAssignments/standard/read | Read basic properties on role assignments
[Link]/roleDefinitions/standard/read | Read basic properties on role definitions
[Link]/servicePrincipals/appRoleAssignedTo/read | Read service principal role assignments
[Link]/servicePrincipals/appRoleAssignments/read | Read role assignments assigned to service principals
[Link]/servicePrincipals/standard/read | Read basic properties of service principals
[Link]/servicePrincipals/memberOf/read | Read the group memberships on service principals
[Link]/servicePrincipals/oAuth2PermissionGrants/read | Read delegated permission grants on service principals
[Link]/servicePrincipals/owners/read | Read owners of service principals
[Link]/servicePrincipals/ownedObjects/read | Read owned objects of service principals
[Link]/servicePrincipals/policies/read | Read policies of service principals
[Link]/subscribedSkus/standard/read | Read basic properties on subscriptions
[Link]/users/standard/read | Read basic properties on users
[Link]/users/appRoleAssignments/read | Read application role assignments for users
[Link]/users/deviceForResourceAccount/read | Read deviceForResourceAccount of users
[Link]/users/directReports/read | Read the direct reports for users
[Link]/users/licenseDetails/read | Read license details of users
[Link]/users/manager/read | Read manager of users
[Link]/users/memberOf/read | Read the group memberships of users
[Link]/users/oAuth2PermissionGrants/read | Read delegated permission grants on users
[Link]/users/ownedDevices/read | Read owned devices of users
[Link]/users/ownedObjects/read | Read owned objects of users
[Link]/users/photo/read | Read photo of users
[Link]/users/registeredDevices/read | Read registered devices of users
[Link]/users/scopedRoleMemberOf/read | Read user's membership of an Azure AD role that is scoped to an administrative unit
Directory Synchronization Accounts
Do not use. This role is automatically assigned to the Azure AD Connect service, and is
not intended or supported for any other use.
Actions | Description
[Link]/applications/create | Create all types of applications
[Link]/applications/delete | Delete all types of applications
[Link]/applications/appRoles/update | Update the appRoles property on all types of applications
[Link]/applications/audience/update | Update the audience property for applications
[Link]/applications/authentication/update | Update authentication on all types of applications
[Link]/applications/basic/update | Update basic properties for applications
[Link]/applications/credentials/update | Update application credentials
[Link]/applications/notes/update | Update notes of applications
[Link]/applications/owners/update | Update owners of applications
[Link]/applications/permissions/update | Update exposed permissions and required permissions on all types of applications
[Link]/applications/policies/update | Update policies of applications
[Link]/applications/tag/update | Update tags of applications
[Link]/authorizationPolicy/standard/read | Read standard properties of authorization policy
[Link]/hybridAuthenticationPolicy/allProperties/allTasks | Manage hybrid authentication policy in Azure AD
[Link]/organization/dirSync/update | Update the organization directory sync property
[Link]/passwordHashSync/allProperties/allTasks | Manage all aspects of Password Hash Synchronization (PHS) in Azure AD
[Link]/policies/create | Create policies in Azure AD
[Link]/policies/delete | Delete policies in Azure AD
[Link]/policies/standard/read | Read basic properties on policies
[Link]/policies/owners/read | Read owners of policies
[Link]/policies/policyAppliedTo/read | Read [Link] property
[Link]/policies/basic/update | Update basic properties on policies
[Link]/policies/owners/update | Update owners of policies
[Link]/policies/tenantDefault/update | Update default organization policies
[Link]/servicePrincipals/create | Create service principals
[Link]/servicePrincipals/delete | Delete service principals
[Link]/servicePrincipals/enable | Enable service principals
[Link]/servicePrincipals/disable | Disable service principals
[Link]/servicePrincipals/getPasswordSingleSignOnCredentials | Manage password single sign-on credentials on service principals
[Link]/servicePrincipals/managePasswordSingleSignOnCredentials | Read password single sign-on credentials on service principals
[Link]/servicePrincipals/appRoleAssignedTo/read | Read service principal role assignments
[Link]/servicePrincipals/appRoleAssignments/read | Read role assignments assigned to service principals
[Link]/servicePrincipals/standard/read | Read basic properties of service principals
[Link]/servicePrincipals/memberOf/read | Read the group memberships on service principals
[Link]/servicePrincipals/oAuth2PermissionGrants/read | Read delegated permission grants on service principals
[Link]/servicePrincipals/owners/read | Read owners of service principals
[Link]/servicePrincipals/ownedObjects/read | Read owned objects of service principals
[Link]/servicePrincipals/policies/read | Read policies of service principals
[Link]/servicePrincipals/appRoleAssignedTo/update | Update service principal role assignments
[Link]/servicePrincipals/audience/update | Update audience properties on service principals
[Link]/servicePrincipals/authentication/update | Update authentication properties on service principals
[Link]/servicePrincipals/basic/update | Update basic properties on service principals
[Link]/servicePrincipals/credentials/update | Update credentials of service principals
[Link]/servicePrincipals/notes/update | Update notes of service principals
[Link]/servicePrincipals/owners/update | Update owners of service principals
[Link]/servicePrincipals/permissions/update | Update permissions of service principals
[Link]/servicePrincipals/policies/update | Update policies of service principals
[Link]/servicePrincipals/tag/update | Update the tag property for service principals
Directory Writers
Users in this role can read and update basic information of users, groups, and service
principals.
Actions | Description
[Link]/applications/extensionProperties/update | Update extension properties on applications
[Link]/contacts/create | Create contacts
[Link]/groups/assignLicense | Assign product licenses to groups for group-based licensing
[Link]/groups/create | Create Security groups and Microsoft 365 groups, excluding role-assignable groups
[Link]/groups/reprocessLicenseAssignment | Reprocess license assignments for group-based licensing
[Link]/groups/basic/update | Update basic properties on Security groups and Microsoft 365 groups, excluding role-assignable groups
[Link]/groups/classification/update | Update the classification property on Security groups and Microsoft 365 groups, excluding role-assignable groups
[Link]/groups/dynamicMembershipRule/update | Update the dynamic membership rule on Security groups and Microsoft 365 groups, excluding role-assignable groups
[Link]/groups/groupType/update | Update properties that would affect the group type of Security groups and Microsoft 365 groups, excluding role-assignable groups
[Link]/groups/members/update | Update members of Security groups and Microsoft 365 groups, excluding role-assignable groups
[Link]/groups/onPremWriteBack/update | Update Azure Active Directory groups to be written back to on-premises with Azure AD Connect
[Link]/groups/owners/update | Update owners of Security groups and Microsoft 365 groups, excluding role-assignable groups
[Link]/groups/settings/update | Update settings of groups
[Link]/groups/visibility/update | Update the visibility property of Security groups and Microsoft 365 groups, excluding role-assignable groups
[Link]/groupSettings/create | Create group settings
[Link]/groupSettings/delete | Delete group settings
[Link]/groupSettings/basic/update | Update basic properties on group settings
[Link]/oAuth2PermissionGrants/create | Create OAuth 2.0 permission grants
[Link]/oAuth2PermissionGrants/basic/update | Update OAuth 2.0 permission grants
[Link]/servicePrincipals/synchronizationCredentials/manage | Manage application provisioning secrets and credentials
[Link]/servicePrincipals/synchronizationJobs/manage | Start, restart, and pause application provisioning synchronization jobs
[Link]/servicePrincipals/synchronizationSchema/manage | Create and manage application provisioning synchronization jobs and schema
[Link]/servicePrincipals/appRoleAssignedTo/update | Update service principal role assignments
[Link]/users/assignLicense | Manage user licenses
[Link]/users/create | Add users
[Link]/users/disable | Disable users
[Link]/users/enable | Enable users
[Link]/users/invalidateAllRefreshTokens | Force sign-out by invalidating user refresh tokens
[Link]/users/inviteGuest | Invite guest users
[Link]/users/reprocessLicenseAssignment | Reprocess license assignments for users
[Link]/users/basic/update | Update basic properties on users
[Link]/users/manager/update | Update manager for users
[Link]/users/photo/update | Update photo of users
[Link]/users/userPrincipalName/update | Update User Principal Name of users
Domain Name Administrator
Users with this role can manage (read, add, verify, update, and delete) domain names.
They can also read directory information about users, groups, and applications, as these
objects possess domain dependencies. For on-premises environments, users with this
role can configure domain names for federation so that associated users are always
authenticated on-premises. These users can then sign into Azure AD-based services with
their on-premises passwords via single sign-on. Federation settings need to be synced
via Azure AD Connect, so users also have permissions to manage Azure AD Connect.
Actions | Description
[Link]/domains/allProperties/allTasks | Create and delete domains, and read and update all properties
[Link]/allEntities/allTasks | Create and manage Microsoft 365 service requests
[Link]/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center
Dynamics 365 Administrator
Users with this role have global permissions within Microsoft Dynamics 365 Online,
when the service is present, as well as the ability to manage support tickets and monitor
service health. More information at Use the service admin role to manage your Azure
AD organization.
Note
In the Microsoft Graph API and Azure AD PowerShell, this role is identified as
"Dynamics 365 Service Administrator." It is "Dynamics 365 Administrator" in the
Azure portal.
Actions | Description
[Link]/allEntities/allTasks | Read and configure Azure Service Health
[Link]/allEntities/allTasks | Create and manage Azure support tickets
microsoft.dynamics365/allEntities/allTasks | Manage all aspects of Dynamics 365
[Link]/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center
[Link]/allEntities/allTasks | Create and manage Microsoft 365 service requests
[Link]/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center
Edge Administrator
Users in this role can create and manage the enterprise site list required for Internet
Explorer mode on Microsoft Edge. This role grants permissions to create, edit, and
publish the site list and additionally allows access to manage support tickets. Learn
more
Actions | Description
[Link]/allEntities/allProperties/allTasks | Manage all aspects of Microsoft Edge
[Link]/allEntities/allTasks | Create and manage Microsoft 365 service requests
[Link]/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center
Exchange Administrator
Users with this role have global permissions within Microsoft Exchange Online, when the
service is present. Assignees also have the ability to create and manage all Microsoft 365
groups, manage support tickets, and monitor service health. More information at About
Microsoft 365 admin roles.
Note
In the Microsoft Graph API and Azure AD PowerShell, this role is identified as
"Exchange Service Administrator." It is "Exchange Administrator" in the Azure
portal. It is "Exchange Online administrator" in the Exchange admin center.
Actions | Description
[Link]/groups/hiddenMembers/read | Read hidden members of Security groups and Microsoft 365 groups, including role-assignable groups
[Link]/[Link]/create | Create Microsoft 365 groups, excluding role-assignable groups
[Link]/[Link]/delete | Delete Microsoft 365 groups, excluding role-assignable groups
[Link]/[Link]/restore | Restore Microsoft 365 groups from soft-deleted container, excluding role-assignable groups
[Link]/[Link]/basic/update | Update basic properties on Microsoft 365 groups, excluding role-assignable groups
[Link]/[Link]/members/update | Update members of Microsoft 365 groups, excluding role-assignable groups
[Link]/[Link]/owners/update | Update owners of Microsoft 365 groups, excluding role-assignable groups
[Link]/allEntities/allTasks | Read and configure Azure Service Health
[Link]/allEntities/allTasks | Create and manage Azure support tickets
[Link]/allEntities/basic/allTasks | Manage all aspects of Exchange Online
[Link]/performance/allProperties/read | Read all network performance properties in the Microsoft 365 admin center
[Link]/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center
[Link]/allEntities/allTasks | Create and manage Microsoft 365 service requests
[Link]/allEntities/allProperties/read | Read Office 365 usage reports
[Link]/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center
Exchange Recipient Administrator
Users with this role have read access to recipients and write access to the attributes of
those recipients in Exchange Online. More information at Exchange Recipients.
| Actions | Description |
|---|---|
| [Link]/recipients/allProperties/allTasks | Create and delete all recipients, and read and update all properties of recipients in Exchange Online |
| [Link]/migration/allProperties/allTasks | Manage all tasks related to migration of recipients in Exchange Online |
External ID User Flow Administrator
Users with this role can create and manage user flows (also called "built-in" policies) in
the Azure portal. These users can customize HTML/CSS/JavaScript content, change MFA
requirements, select claims in the token, manage API connectors and their credentials,
and configure session settings for all user flows in the Azure AD organization. On the
other hand, this role does not include the ability to review user data or make changes to
the attributes that are included in the organization schema. Changes to Identity
Experience Framework policies (also known as custom policies) are also outside the
scope of this role.
| Actions | Description |
|---|---|
| [Link]/b2cUserFlow/allProperties/allTasks | Read and configure user flow in Azure Active Directory B2C |
External ID User Flow Attribute Administrator
Users with this role add or delete custom attributes available to all user flows in the Azure AD organization. As such, users with this role can change or add new elements to the end-user schema, which affects the behavior of all user flows and indirectly changes what data may be asked of end users and ultimately sent as claims to applications. This role cannot edit user flows.
| Actions | Description |
|---|---|
| [Link]/b2cUserAttribute/allProperties/allTasks | Read and configure user attribute in Azure Active Directory B2C |
External Identity Provider Administrator
This administrator manages federation between Azure AD organizations and external identity providers. With this role, users can add new identity providers and configure all available settings (e.g. authentication path, service ID, assigned key containers). This user can enable the Azure AD organization to trust authentications from external identity providers. The resulting impact on end-user experiences depends on the type of organization:

- Azure AD organizations for employees and partners: The addition of a federation (e.g. with Gmail) will immediately impact all guest invitations not yet redeemed. See Adding Google as an identity provider for B2B guest users.
- Azure Active Directory B2C organizations: The addition of a federation (for example, with Facebook, or with another Azure AD organization) does not immediately impact end-user flows until the identity provider is added as an option in a user flow (also called a built-in policy). See Configuring a Microsoft account as an identity provider for an example. To change user flows, the limited role of "B2C User Flow Administrator" is required.
| Actions | Description |
|---|---|
| [Link]/domains/federation/update | Update federation property of domains |
| [Link]/identityProviders/allProperties/allTasks | Read and configure identity providers in Azure Active Directory B2C |
Global Administrator
Users with this role have access to all administrative features in Azure Active Directory, as well as services that use Azure Active Directory identities like the Microsoft 365 Defender portal, the Microsoft Purview compliance portal, Exchange Online, SharePoint Online, and Skype for Business Online. Furthermore, Global Administrators can elevate their access to manage all Azure subscriptions and management groups. This allows Global Administrators to get full access to all Azure resources using the respective Azure AD tenant. The person who signs up for the Azure AD organization becomes a Global Administrator. There can be more than one Global Administrator at your company. Global Administrators can reset the password for any user and all other administrators.

Note
As a best practice, Microsoft recommends that you assign the Global Administrator role to fewer than five people in your organization. For more information, see Best practices for Azure AD roles.
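The "fewer than five" guidance is only checkable if you count every principal that can act as Global Administrator, including PIM-eligible holders and the members of role-assignable groups, not just the permanent assignments shown in the portal. The script below is an added example, not code from this documentation page: it resolves a role by the display name Microsoft Graph uses, lists permanent and PIM-eligible holders with their scope, expands role-assignable groups to their members, and warns when the effective Global Administrator count reaches five. It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account holds the RoleManagement.Read.Directory and Directory.Read.All permissions; the function names are this example's own, not part of the SDK.

```powershell
# Added example (not from the Microsoft docs page). Assumes the Microsoft.Graph
# PowerShell SDK is installed; ConvertTo-RoleHolder, Get-DirectoryRoleHolders and
# Get-EffectiveRoleHolderCount are this example's own helper names.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All'

function ConvertTo-RoleHolder {
    # Flatten an assignment or eligibility record (with its principal expanded) into one row.
    param($Record, [string]$Role, [string]$State)
    $props = $Record.Principal.AdditionalProperties
    [pscustomobject]@{
        Role          = $Role
        State         = $State
        PrincipalId   = $Record.PrincipalId
        # '#microsoft.graph.user', '#microsoft.graph.group' or '#microsoft.graph.servicePrincipal'
        PrincipalType = ($props['@odata.type'] -replace '^#microsoft\.graph\.', '')
        DisplayName   = $props['displayName']
        # '/' is tenant-wide; '/administrativeUnits/<id>' is an assignment scoped to an administrative unit
        Scope         = $Record.DirectoryScopeId
    }
}

function Get-DirectoryRoleHolders {
    param(
        # Use the display name as Graph reports it: the Exchange role, for example, is
        # 'Exchange Service Administrator' in Graph, not 'Exchange Administrator'.
        [Parameter(Mandatory)] [string] $RoleDisplayName
    )
    $role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleDisplayName'"
    if (-not $role) { throw "No directory role named '$RoleDisplayName'" }
    $filter = "roleDefinitionId eq '$($role.Id)'"

    # Permanent (active) assignments, including those scoped to an administrative unit.
    $active = Get-MgRoleManagementDirectoryRoleAssignment -Filter $filter -ExpandProperty Principal -All |
        ForEach-Object { ConvertTo-RoleHolder -Record $_ -Role $RoleDisplayName -State 'Active' }

    # PIM-eligible assignments: not active right now, but the principal can activate the role.
    $eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -Filter $filter -ExpandProperty Principal -All |
        ForEach-Object { ConvertTo-RoleHolder -Record $_ -Role $RoleDisplayName -State 'Eligible' }

    @($active) + @($eligible)
}

function Get-EffectiveRoleHolderCount {
    # A role-assignable group is a single principal but may contain many users; count its members instead.
    param($Holders)
    $ids = foreach ($h in $Holders) {
        if ($h.PrincipalType -eq 'group') {
            (Get-MgGroupMember -GroupId $h.PrincipalId -All).Id
        } else {
            $h.PrincipalId
        }
    }
    @($ids | Sort-Object -Unique).Count
}

$holders = Get-DirectoryRoleHolders -RoleDisplayName 'Global Administrator'
$holders | Format-Table State, PrincipalType, DisplayName, Scope -AutoSize

$count = Get-EffectiveRoleHolderCount -Holders $holders
if ($count -ge 5) {
    Write-Warning "$count principals can act as Global Administrator; Microsoft recommends fewer than five."
}
```

The eligibility query needs Privileged Identity Management in the tenant; where PIM is not licensed it returns an error, so drop that call or wrap it in try/catch. Service principals show up with PrincipalType 'servicePrincipal' and are often missed in manual reviews; treat them with the same suspicion as user accounts.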
| Actions | Description |
|---|---|
| [Link]/accessReviews/allProperties/allTasks | (Deprecated) Create and delete access reviews, read and update all properties of access reviews, and manage access reviews of groups in Azure AD |
| [Link]/accessReviews/definitions/allProperties/allTasks | Manage access reviews of all reviewable resources in Azure AD |
| [Link]/adminConsentRequestPolicy/allProperties/allTasks | Manage admin consent request policies in Azure AD |
| [Link]/administrativeUnits/allProperties/allTasks | Create and manage administrative units (including members) |
| [Link]/appConsent/appConsentRequests/allProperties/read | Read all properties of consent requests for applications registered with Azure AD |
| [Link]/applications/allProperties/allTasks | Create and delete applications, and read and update all properties |
| [Link]/applications/synchronization/standard/read | Read provisioning settings associated with the application object |
| [Link]/applicationTemplates/instantiate | Instantiate gallery applications from application templates |
| [Link]/auditLogs/allProperties/read | Read all properties on audit logs, including privileged properties |
| [Link]/users/authenticationMethods/create | Create authentication methods for users |
| [Link]/users/authenticationMethods/delete | Delete authentication methods for users |
| [Link]/users/authenticationMethods/standard/read | Read standard properties of authentication methods for users |
| [Link]/users/authenticationMethods/basic/update | Update basic properties of authentication methods for users |
| [Link]/authorizationPolicy/allProperties/allTasks | Manage all aspects of authorization policy |
| [Link]/bitlockerKeys/key/read | Read bitlocker metadata and key on devices |
| [Link]/cloudAppSecurity/allProperties/allTasks | Create and delete all resources, and read and update standard properties in Microsoft Defender for Cloud Apps |
| [Link]/connectors/create | Create application proxy connectors |
| [Link]/connectors/allProperties/read | Read all properties of application proxy connectors |
| [Link]/connectorGroups/create | Create application proxy connector groups |
| [Link]/connectorGroups/delete | Delete application proxy connector groups |
| [Link]/connectorGroups/allProperties/read | Read all properties of application proxy connector groups |
| [Link]/connectorGroups/allProperties/update | Update all properties of application proxy connector groups |
| [Link]/contacts/allProperties/allTasks | Create and delete contacts, and read and update all properties |
| [Link]/contracts/allProperties/allTasks | Create and delete partner contracts, and read and update all properties |
| [Link]/customAuthenticationExtensions/allProperties/allTasks | Create and manage custom authentication extensions |
| [Link]/deletedItems/delete | Permanently delete objects, which can no longer be restored |
| [Link]/deletedItems/restore | Restore soft deleted objects to original state |
| [Link]/devices/allProperties/allTasks | Create and delete devices, and read and update all properties |
| [Link]/namedLocations/create | Create custom rules that define network locations |
| [Link]/namedLocations/delete | Delete custom rules that define network locations |
| [Link]/namedLocations/standard/read | Read basic properties of custom rules that define network locations |
| [Link]/namedLocations/basic/update | Update basic properties of custom rules that define network locations |
| [Link]/deviceManagementPolicies/standard/read | Read standard properties on device management application policies |
| [Link]/deviceManagementPolicies/basic/update | Update basic properties on device management application policies |
| [Link]/deviceRegistrationPolicy/standard/read | Read standard properties on device registration policies |
| [Link]/deviceRegistrationPolicy/basic/update | Update basic properties on device registration policies |
| [Link]/directoryRoles/allProperties/allTasks | Create and delete directory roles, and read and update all properties |
| [Link]/directoryRoleTemplates/allProperties/allTasks | Create and delete Azure AD role templates, and read and update all properties |
| [Link]/domains/allProperties/allTasks | Create and delete domains, and read and update all properties |
| [Link]/entitlementManagement/allProperties/allTasks | Create and delete resources, and read and update all properties in Azure AD entitlement management |
| [Link]/groups/allProperties/allTasks | Create and delete groups, and read and update all properties |
| [Link]/groupsAssignableToRoles/create | Create role-assignable groups |
| [Link]/groupsAssignableToRoles/delete | Delete role-assignable groups |
| [Link]/groupsAssignableToRoles/restore | Restore role-assignable groups |
| [Link]/groupsAssignableToRoles/allProperties/update | Update role-assignable groups |
| [Link]/groupSettings/allProperties/allTasks | Create and delete group settings, and read and update all properties |
| [Link]/groupSettingTemplates/allProperties/allTasks | Create and delete group setting templates, and read and update all properties |
| [Link]/hybridAuthenticationPolicy/allProperties/allTasks | Manage hybrid authentication policy in Azure AD |
| [Link]/identityProtection/allProperties/allTasks | Create and delete all resources, and read and update standard properties in Azure AD Identity Protection |
| [Link]/loginOrganizationBranding/allProperties/allTasks | Create and delete loginTenantBranding, and read and update all properties |
| [Link]/oAuth2PermissionGrants/allProperties/allTasks | Create and delete OAuth 2.0 permission grants, and read and update all properties |
| [Link]/organization/allProperties/allTasks | Read and update all properties for an organization |
| [Link]/passwordHashSync/allProperties/allTasks | Manage all aspects of Password Hash Synchronization (PHS) in Azure AD |
| [Link]/policies/allProperties/allTasks | Create and delete policies, and read and update all properties |
| [Link]/conditionalAccessPolicies/allProperties/allTasks | Manage all properties of conditional access policies |
| [Link]/crossTenantAccessPolicy/standard/read | Read basic properties of cross-tenant access policy |
| [Link]/crossTenantAccessPolicy/allowedCloudEndpoints/update | Update allowed cloud endpoints of cross-tenant access policy |
| [Link]/crossTenantAccessPolicy/basic/update | Update basic settings of cross-tenant access policy |
| [Link]/crossTenantAccessPolicy/default/standard/read | Read basic properties of the default cross-tenant access policy |
| [Link]/crossTenantAccessPolicy/default/b2bCollaboration/update | Update Azure AD B2B collaboration settings of the default cross-tenant access policy |
| [Link]/crossTenantAccessPolicy/default/b2bDirectConnect/update | Update Azure AD B2B direct connect settings of the default cross-tenant access policy |
| [Link]/crossTenantAccessPolicy/default/crossCloudMeetings/update | Update cross-cloud Teams meeting settings of the default cross-tenant access policy |
| [Link]/crossTenantAccessPolicy/default/tenantRestrictions/update | Update tenant restrictions of the default cross-tenant access policy |
| [Link]/crossTenantAccessPolicy/partners/create | Create cross-tenant access policy for partners |
| [Link]/crossTenantAccessPolicy/partners/delete | Delete cross-tenant access policy for partners |
| [Link]/crossTenantAccessPolicy/partners/standard/read | Read basic properties of cross-tenant access policy for partners |
| [Link]/crossTenantAccessPolicy/partners/b2bCollaboration/update | Update Azure AD B2B collaboration settings of cross-tenant access policy for partners |
| [Link]/crossTenantAccessPolicy/partners/b2bDirectConnect/update | Update Azure AD B2B direct connect settings of cross-tenant access policy for partners |
| [Link]/crossTenantAccessPolicy/partners/crossCloudMeetings/update | Update cross-cloud Teams meeting settings of cross-tenant access policy for partners |
| [Link]/crossTenantAccessPolicy/partners/tenantRestrictions/update | Update tenant restrictions of cross-tenant access policy for partners |
| [Link]/privilegedIdentityManagement/allProperties/read | Read all resources in Privileged Identity Management |
| [Link]/provisioningLogs/allProperties/read | Read all properties of provisioning logs |
| [Link]/resourceNamespaces/resourceActions/authenticationContext/update | Update Conditional Access authentication context of Microsoft 365 role-based access control (RBAC) resource actions |
| [Link]/roleAssignments/allProperties/allTasks | Create and delete role assignments, and read and update all role assignment properties |
| [Link]/roleDefinitions/allProperties/allTasks | Create and delete role definitions, and read and update all properties |
| [Link]/scopedRoleMemberships/allProperties/allTasks | Create and delete scopedRoleMemberships, and read and update all properties |
| [Link]/serviceAction/activateService | Can perform the "activate service" action for a service |
| [Link]/serviceAction/disableDirectoryFeature | Can perform the "disable directory feature" service action |
| [Link]/serviceAction/enableDirectoryFeature | Can perform the "enable directory feature" service action |
| [Link]/serviceAction/getAvailableExtentionProperties | Can perform the getAvailableExtentionProperties service action |
| [Link]/servicePrincipals/allProperties/allTasks | Create and delete service principals, and read and update all properties |
| [Link]/servicePrincipals/managePe[Link]-company-admin | Grant consent for any permission to any application |
| [Link]/servicePrincipals/synchronization/standard/read | Read provisioning settings associated with your service principal |
| [Link]/signInReports/allProperties/read | Read all properties on sign-in reports, including privileged properties |
| [Link]/subscribedSkus/allProperties/allTasks | Buy and manage subscriptions and delete subscriptions |
| [Link]/users/allProperties/allTasks | Create and delete users, and read and update all properties |
| [Link]/permissionGrantPolicies/create | Create permission grant policies |
| [Link]/permissionGrantPolicies/delete | Delete permission grant policies |
| [Link]/permissionGrantPolicies/standard/read | Read standard properties of permission grant policies |
| [Link]/permissionGrantPolicies/basic/update | Update basic properties of permission grant policies |
| [Link]/servicePrincipalCreationPolicies/create | Create service principal creation policies |
| [Link]/servicePrincipalCreationPolicies/delete | Delete service principal creation policies |
| [Link]/servicePrincipalCreationPolicies/standard/read | Read standard properties of service principal creation policies |
| [Link]/servicePrincipalCreationPolicies/basic/update | Update basic properties of service principal creation policies |
| [Link]/tenantManagement/tenants/create | Create new tenants in Azure Active Directory |
| [Link]/verifiableCredentials/configuration/contracts/cards/allProperties/read | Read a verifiable credential card |
| [Link]/verifiableCredentials/configuration/contracts/cards/revoke | Revoke a verifiable credential card |
| [Link]/verifiableCredentials/configuration/contracts/create | Create a verifiable credential contract |
| [Link]/verifiableCredentials/configuration/contracts/allProperties/read | Read a verifiable credential contract |
| [Link]/verifiableCredentials/configuration/contracts/allProperties/update | Update a verifiable credential contract |
| [Link]/verifiableCredentials/configuration/create | Create configuration required to create and manage verifiable credentials |
| [Link]/verifiableCredentials/configuration/delete | Delete configuration required to create and manage verifiable credentials and delete all of its verifiable credentials |
| [Link]/verifiableCredentials/configuration/allProperties/read | Read configuration required to create and manage verifiable credentials |
| [Link]/verifiableCredentials/configuration/allProperties/update | Update configuration required to create and manage verifiable credentials |
| [Link]/lifecycleWorkflows/workflows/allProperties/allTasks | Manage all aspects of lifecycle workflows and tasks in Azure AD |
| [Link]/allEntities/allTasks | Manage all aspects of Azure Advanced Threat Protection |
| [Link]/allEntities/allTasks | Manage all aspects of Azure Information Protection |
| [Link]/allEntities/allTasks | Read and configure Azure Service Health |
| [Link]/allEntities/allTasks | Create and manage Azure support tickets |
| [Link]/allEntities/allProperties/allTasks | Manage all aspects of Windows 365 |
| [Link]/allEntities/allProperties/allTasks | Manage all aspects of Office 365 billing |
| [Link]/purchases/standard/read | Read purchase services in M365 Admin Center. |
| microsoft.dynamics365/allEntities/allTasks | Manage all aspects of Dynamics 365 |
| [Link]/allEntities/allProperties/allTasks | Manage all aspects of Microsoft Edge |
| [Link]/allEntities/allTasks | Manage all aspects of Microsoft Power Automate |
| [Link]/shippingAddress/allProperties/allTasks | Create, read, update, and delete shipping addresses for Microsoft hardware warranty claims, including shipping addresses created by others |
| [Link]/shippingStatus/allProperties/read | Read shipping status for open Microsoft hardware warranty claims |
| [Link]/warrantyClaims/allProperties/allTasks | Create and manage all aspects of Microsoft hardware warranty claims |
| [Link]/allEntities/allProperties/allTasks | Manage all aspects of Insights app |
| [Link]/allEntities/allTasks | Manage all aspects of Microsoft Intune |
| [Link]/allEntities/allTasks | Manage all aspects of Office 365 Compliance Manager |
| [Link]/allEntities/allTasks | Manage all aspects of Desktop Analytics |
| [Link]/allEntities/basic/allTasks | Manage all aspects of Exchange Online |
| [Link]/contentUnderstanding/allProperties/allTasks | Read and update all properties of content understanding in Microsoft 365 admin center |
| [Link]/contentUnderstanding/analytics/allProperties/read | Read analytics reports of content understanding in Microsoft 365 admin center |
| [Link]/knowledgeNetwork/allProperties/allTasks | Read and update all properties of knowledge network in Microsoft 365 admin center |
| [Link]/knowledgeNetwork/topicVisibility/allProperties/allTasks | Manage topic visibility of knowledge network in Microsoft 365 admin center |
| [Link]/learningSources/allProperties/allTasks | Manage learning sources and all their properties in Learning App. |
| [Link]/allEntities/allTasks | Manage all aspects of Customer Lockbox |
| [Link]/messages/read | Read messages in Message Center in the Microsoft 365 admin center, excluding security messages |
| [Link]/securityMessages/read | Read security messages in Message Center in the Microsoft 365 admin center |
| [Link]/performance/allProperties/read | Read all network performance properties in the Microsoft 365 admin center |
| [Link]/allEntities/allProperties/allTasks | Manage all authoring aspects of Microsoft 365 Organizational Messages |
| [Link]/allEntities/allProperties/allTasks | Manage all aspects of the Security and Compliance centers |
| [Link]/content/manage | Create and delete content, and read and update all properties in Microsoft Search |
| [Link]/allEntities/allTasks | Create and delete all resources, and read and update standard properties in the Office 365 Security & Compliance Center |
| [Link]/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
| [Link]/allEntities/allTasks | Create and delete all resources, and read and update standard properties in SharePoint |
| [Link]/allEntities/allTasks | Manage all aspects of Skype for Business Online |
| [Link]/allEntities/allTasks | Create and manage Microsoft 365 service requests |
| [Link]/allEntities/allProperties/read | Read Office 365 usage reports |
| [Link]/allEntities/allTasks | Read and update what's new messages visibility |
| [Link]/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
| [Link]/allEntities/allProperties/allTasks | Manage all aspects of Yammer |
| [Link]/allEntities/allProperties/allTasks | Manage all aspects of Entra Permissions Management |
| [Link]/allEntities/allTasks | Manage all aspects of Power Apps |
| [Link]/allEntities/allTasks | Manage all aspects of Power BI |
| [Link]/allEntities/allProperties/allTasks | Manage all resources in Teams |
| [Link]/allEntities/allProperties/allTasks | Manage and share Virtual Visits information and metrics from admin centers or the Virtual Visits app |
| [Link]otection/allEntities/allTasks | Manage all aspects of Microsoft Defender for Endpoint |
| [Link]/allEntities/allProperties/allTasks | Read and configure all aspects of Windows Update Service |
Global Reader
Users in this role can read settings and administrative information across Microsoft 365 services but can't take management actions. Global Reader is the read-only counterpart to Global Administrator. Assign Global Reader instead of Global Administrator for planning, audits, or investigations. Use Global Reader in combination with other limited admin roles like Exchange Administrator to make it easier to get work done without assigning the Global Administrator role. Global Reader works with Microsoft 365 admin center, Exchange admin center, SharePoint admin center, Teams admin center, Security center, Compliance center, Azure AD admin center, and Device Management admin center.

Users with this role cannot do the following:

- Cannot access the Purchase Services area in the Microsoft 365 admin center.

Note
Global Reader role has the following limitations:

- OneDrive admin center: OneDrive admin center does not support the Global Reader role.
- Microsoft 365 admin center: Global Reader can't read integrated apps. You won't find the Integrated apps tab under Settings in the left pane of Microsoft 365 admin center.
- Office Security & Compliance Center: Global Reader can't read SCC audit logs, do content search, or see Secure Score.
- Teams admin center: Global Reader cannot read Teams lifecycle, Analytics & reports, IP phone device management, and App catalog. For more information, see Use Microsoft Teams administrator roles to manage Teams.
- Privileged Access Management (PAM) doesn't support the Global Reader role.
- Azure Information Protection: Global Reader is supported for central reporting only, and when your Azure AD organization isn't on the unified labeling platform.
- SharePoint: Global Reader currently can't access SharePoint using PowerShell.
- Power Platform admin center: Global Reader is not yet supported in the Power Platform admin center.
- Microsoft Purview doesn't support the Global Reader role.
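The action tables on this page are the allowedResourceActions lists of the corresponding unifiedRoleDefinition objects, and the practical question a reviewer asks is rarely "what does Global Reader have" but "which actions does Global Administrator have that Global Reader lacks" or "what is the smallest built-in role that covers the actions this task needs". The script below is an added example, not code from the documentation page. It works on objects shaped like Get-MgRoleManagementDirectoryRoleDefinition output (DisplayName plus RolePermissions[].AllowedResourceActions) and ships with a constructed, abridged sample of four roles. Two things are assumptions: the 'microsoft.directory' namespace prefix, which this page's extraction shows as '[Link]'; and the wildcard semantics, where allEntities and allProperties stand for one path segment and a trailing allTasks stands for anything under that prefix. The helper names are this example's own.

```powershell
# Added example (not from the Microsoft docs page). The sample roles are a constructed,
# abridged excerpt; the 'microsoft.directory' namespace and the wildcard matching
# rules in ConvertTo-ActionPattern are assumptions, not something the page states.

function New-SampleRole {
    param([string]$DisplayName, [string[]]$Actions)
    [pscustomobject]@{
        DisplayName     = $DisplayName
        RolePermissions = @([pscustomobject]@{ AllowedResourceActions = $Actions })
    }
}

$SampleRoles = @(
    (New-SampleRole 'Guest Inviter' @(
        'microsoft.directory/users/inviteGuest',
        'microsoft.directory/users/standard/read'))
    (New-SampleRole 'Groups Administrator' @(
        'microsoft.directory/groups/create',
        'microsoft.directory/groups/delete',
        'microsoft.directory/groups/members/update',
        'microsoft.directory/groups/owners/update'))
    (New-SampleRole 'Global Reader' @(
        'microsoft.directory/users/allProperties/read',
        'microsoft.directory/groups/allProperties/read',
        'microsoft.directory/roleAssignments/allProperties/read'))
    (New-SampleRole 'Global Administrator' @(
        'microsoft.directory/users/allProperties/allTasks',
        'microsoft.directory/groups/allProperties/allTasks',
        'microsoft.directory/groupsAssignableToRoles/create',
        'microsoft.directory/roleAssignments/allProperties/allTasks'))
)

function ConvertTo-ActionPattern {
    # Turn a granted action into an anchored regex. Assumed semantics: allEntities and
    # allProperties match exactly one segment; a trailing allTasks matches the rest of the path.
    param([string]$Action)
    $segments = $Action.Split('/')
    $tail = ''
    if ($segments[-1] -eq 'allTasks' -and $segments.Count -gt 1) {
        $segments = $segments[0..($segments.Count - 2)]
        $tail = '(/.*)?'
    }
    $parts = foreach ($s in $segments) {
        if ($s -in 'allEntities', 'allProperties') { '[^/]+' } else { [regex]::Escape($s) }
    }
    '^' + ($parts -join '/') + $tail + '$'
}

function Test-ActionGranted {
    # True when at least one granted action covers the required one.
    param([string]$Required, [string[]]$Granted)
    foreach ($g in $Granted) {
        if ($Required -match (ConvertTo-ActionPattern $g)) { return $true }
    }
    $false
}

function Get-RoleActions {
    param($Role)
    @($Role.RolePermissions | ForEach-Object { $_.AllowedResourceActions } | Sort-Object -Unique)
}

function Compare-RoleActions {
    # Actions that $Superset grants and $Subset does not, e.g. the write surface Global Reader gives up.
    param($Superset, $Subset)
    $subsetActions = Get-RoleActions $Subset
    Get-RoleActions $Superset | Where-Object { -not (Test-ActionGranted -Required $_ -Granted $subsetActions) }
}

function Find-LeastPrivilegedRole {
    # Every role that covers all required actions, smallest permission set first.
    param([string[]]$RequiredActions, $Roles)
    $covering = foreach ($role in $Roles) {
        $granted = Get-RoleActions $role
        $missing = @($RequiredActions | Where-Object { -not (Test-ActionGranted -Required $_ -Granted $granted) })
        if ($missing.Count -eq 0) {
            [pscustomobject]@{ DisplayName = $role.DisplayName; ActionCount = $granted.Count }
        }
    }
    $covering | Sort-Object ActionCount
}

$ga = $SampleRoles | Where-Object DisplayName -eq 'Global Administrator'
$gr = $SampleRoles | Where-Object DisplayName -eq 'Global Reader'

'Global Administrator actions that Global Reader does not cover:'
Compare-RoleActions -Superset $ga -Subset $gr

'Roles covering guest invitation plus basic user read, least privileged first:'
Find-LeastPrivilegedRole -Roles $SampleRoles -RequiredActions @(
    'microsoft.directory/users/inviteGuest',
    'microsoft.directory/users/standard/read')
```

With the sample data the second query returns Guest Inviter ahead of Global Administrator, because users/inviteGuest and users/standard/read are both covered by the smaller role. To run it against the tenant, replace $SampleRoles with the output of Get-MgRoleManagementDirectoryRoleDefinition -All, which has the same DisplayName and RolePermissions shape; the match rules are still the assumption stated above, so treat a "covered" result as a shortlist to confirm against the role's table here, not as proof.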
| Actions | Description |
|---|---|
| [Link]/accessReviews/allProperties/read | (Deprecated) Read all properties of access reviews |
| [Link]/accessReviews/definitions/allProperties/read | Read all properties of access reviews of all reviewable resources in Azure AD |
| [Link]/adminConsentRequestPolicy/allProperties/read | Read all properties of admin consent request policies in Azure AD |
| [Link]/administrativeUnits/allProperties/read | Read all properties of administrative units, including members |
| [Link]/appConsent/appConsentRequests/allProperties/read | Read all properties of consent requests for applications registered with Azure AD |
| [Link]/applications/allProperties/read | Read all properties (including privileged properties) on all types of applications |
| [Link]/applications/synchronization/standard/read | Read provisioning settings associated with the application object |
| [Link]/auditLogs/allProperties/read | Read all properties on audit logs, including privileged properties |
| [Link]/users/authenticationMethods/standard/restrictedRead | Read standard properties of authentication methods that do not include personally identifiable information for users |
| [Link]/authorizationPolicy/standard/read | Read standard properties of authorization policy |
| [Link]/bitlockerKeys/key/read | Read bitlocker metadata and key on devices |
| [Link]/cloudAppSecurity/allProperties/read | Read all properties for Defender for Cloud Apps |
| [Link]/connectors/allProperties/read | Read all properties of application proxy connectors |
| [Link]/connectorGroups/allProperties/read | Read all properties of application proxy connector groups |
| [Link]/contacts/allProperties/read | Read all properties for contacts |
| [Link]/customAuthenticationExtensions/allProperties/read | Read custom authentication extensions |
| [Link]/devices/allProperties/read | Read all properties of devices |
| [Link]/directoryRoles/allProperties/read | Read all properties of directory roles |
| [Link]/directoryRoleTemplates/allProperties/read | Read all properties of directory role templates |
| [Link]/domains/allProperties/read | Read all properties of domains |
| [Link]/entitlementManagement/allProperties/read | Read all properties in Azure AD entitlement management |
| [Link]/groups/allProperties/read | Read all properties (including privileged properties) on Security groups and Microsoft 365 groups, including role-assignable groups |
| [Link]/groupSettings/allProperties/read | Read all properties of group settings |
| [Link]/groupSettingTemplates/allProperties/read | Read all properties of group setting templates |
| [Link]/identityProtection/allProperties/read | Read all resources in Azure AD Identity Protection |
| [Link]/loginOrganizationBranding/allProperties/read | Read all properties for your organization's branded sign-in page |
| [Link]/namedLocations/standard/read | Read basic properties of custom rules that define network locations |
| [Link]/oAuth2PermissionGrants/allProperties/read | Read all properties of OAuth 2.0 permission grants |
| [Link]/organization/allProperties/read | Read all properties for an organization |
| [Link]/permissionGrantPolicies/standard/read | Read standard properties of permission grant policies |
| [Link]/policies/allProperties/read | Read all properties of policies |
| [Link]/conditionalAccessPolicies/allProperties/read | Read all properties of conditional access policies |
| [Link]/crossTenantAccessPolicy/standard/read | Read basic properties of cross-tenant access policy |
| [Link]/crossTenantAccessPolicy/default/standard/read | Read basic properties of the default cross-tenant access policy |
| [Link]/crossTenantAccessPolicy/partners/standard/read | Read basic properties of cross-tenant access policy for partners |
| [Link]/deviceManagementPolicies/standard/read | Read standard properties on device management application policies |
| [Link]/deviceRegistrationPolicy/standard/read | Read standard properties on device registration policies |
| [Link]/privilegedIdentityManagement/allProperties/read | Read all resources in Privileged Identity Management |
| [Link]/provisioningLogs/allProperties/read | Read all properties of provisioning logs |
| [Link]/roleAssignments/allProperties/read | Read all properties of role assignments |
| [Link]/roleDefinitions/allProperties/read | Read all properties of role definitions |
| [Link]/scopedRoleMemberships/allProperties/read | View members in administrative units |
| [Link]/serviceAction/getAvailableExtentionProperties | Can perform the getAvailableExtentionProperties service action |
| [Link]/servicePrincipals/allProperties/read | Read all properties (including privileged properties) on servicePrincipals |
| [Link]/servicePrincipalCreationPolicies/standard/read | Read standard properties of service principal creation policies |
| [Link]/servicePrincipals/synchronization/standard/read | Read provisioning settings associated with your service principal |
| [Link]/signInReports/allProperties/read | Read all properties on sign-in reports, including privileged properties |
| [Link]/subscribedSkus/allProperties/read | Read all properties of product subscriptions |
| [Link]/users/allProperties/read | Read all properties of users |
| [Link]/verifiableCredentials/configuration/contracts/cards/allProperties/read | Read a verifiable credential card |
| [Link]/verifiableCredentials/configuration/contracts/allProperties/read | Read a verifiable credential contract |
| [Link]/verifiableCredentials/configuration/allProperties/read | Read configuration required to create and manage verifiable credentials |
| [Link]/lifecycleWorkflows/workflows/allProperties/read | Read all properties of lifecycle workflows and tasks in Azure AD |
| [Link]/allEntities/allProperties/read | Read all aspects of Windows 365 |
| [Link]/allEntities/allProperties/read | Read all resources of Office 365 billing |
| [Link]/purchases/standard/read | Read purchase services in M365 Admin Center. |
| [Link]/allEntities/allProperties/read | Read all aspects of Microsoft Edge |
| [Link]/shippingAddress/allProperties/read | Read shipping addresses for Microsoft hardware warranty claims, including existing shipping addresses created by others |
| [Link]/shippingStatus/allProperties/read | Read shipping status for open Microsoft hardware warranty claims |
| [Link]/warrantyClaims/allProperties/read | Read Microsoft hardware warranty claims |
| [Link]/allEntities/allProperties/read | Read all aspects of Viva Insights |
| [Link]/messages/read | Read messages in Message Center in the Microsoft 365 admin center, excluding security messages |
| [Link]/securityMessages/read | Read security messages in Message Center in the Microsoft 365 admin center |
| [Link]/performance/allProperties/read | Read all network performance properties in the Microsoft 365 admin center |
| [Link]/allEntities/allProperties/read | Read all aspects of Microsoft 365 Organizational Messages |
| [Link]/allEntities/allProperties/read | Read all properties in the Security and Compliance centers |
| [Link]/allEntities/read | Read standard properties in Microsoft 365 Security and Compliance Center |
| [Link]/allEntities/allProperties/read | Read Office 365 usage reports |
| [Link]/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
| [Link]/allEntities/allProperties/read | Read all aspects of Yammer |
| [Link]/allEntities/allProperties/read | Read all aspects of Entra Permissions Management |
| [Link]/allEntities/allProperties/read | Read all properties of Microsoft Teams |
| [Link]/allEntities/allProperties/read | Read all aspects of Virtual Visits |
| [Link]/allEntities/allProperties/read | Read all aspects of Windows Update Service |
Groups Administrator
Users in this role can create and manage groups and their settings, such as naming and expiration policies. It is important to understand that assigning a user to this role gives them the ability to manage all groups in the organization across various workloads like Teams, SharePoint, and Yammer, in addition to Outlook. The user will also be able to manage the various group settings across admin portals like the Microsoft 365 admin center and the Azure portal, as well as workload-specific ones like the Teams and SharePoint admin centers. Role-assignable groups are excluded from every create, update and delete action below, so this role cannot be used to add members to a group that holds a directory role.
| Actions | Description |
|---|---|
| [Link]/[Link]/delete | Permanently delete groups, which can no longer be restored |
| [Link]/[Link]/restore | Restore soft deleted groups to original state |
| [Link]/groups/assignLicense | Assign product licenses to groups for group-based licensing |
| [Link]/groups/create | Create Security groups and Microsoft 365 groups, excluding role-assignable groups |
| [Link]/groups/delete | Delete Security groups and Microsoft 365 groups, excluding role-assignable groups |
| [Link]/groups/hiddenMembers/read | Read hidden members of Security groups and Microsoft 365 groups, including role-assignable groups |
| [Link]/groups/reprocessLicenseAssignment | Reprocess license assignments for group-based licensing |
| [Link]/groups/restore | Restore groups from soft-deleted container |
| [Link]/groups/basic/update | Update basic properties on Security groups and Microsoft 365 groups, excluding role-assignable groups |
| [Link]/groups/classification/update | Update the classification property on Security groups and Microsoft 365 groups, excluding role-assignable groups |
| [Link]/groups/dynamicMembershipRule/update | Update the dynamic membership rule on Security groups and Microsoft 365 groups, excluding role-assignable groups |
| [Link]/groups/groupType/update | Update properties that would affect the group type of Security groups and Microsoft 365 groups, excluding role-assignable groups |
| [Link]/groups/members/update | Update members of Security groups and Microsoft 365 groups, excluding role-assignable groups |
| [Link]/groups/onPremWriteBack/update | Update Azure Active Directory groups to be written back to on-premises with Azure AD Connect |
| [Link]/groups/owners/update | Update owners of Security groups and Microsoft 365 groups, excluding role-assignable groups |
| [Link]/groups/settings/update | Update settings of groups |
| [Link]/groups/visibility/update | Update the visibility property of Security groups and Microsoft 365 groups, excluding role-assignable groups |
| [Link]/allEntities/allTasks | Read and configure Azure Service Health |
| [Link]/allEntities/allTasks | Create and manage Azure support tickets |
| [Link]/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
| [Link]/allEntities/allTasks | Create and manage Microsoft 365 service requests |
| [Link]/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
Guest Inviter
Users in this role can manage Azure Active Directory B2B guest user invitations when the
Members can invite user setting is set to No. For more information about B2B collaboration,
see About Azure AD B2B collaboration. The role does not include any other permissions.
Actions Description
[Link]/users/inviteGuest  Invite guest users
[Link]/users/standard/read  Read basic properties on users
[Link]/users/appRoleAssignments/read  Read application role assignments for users
[Link]/users/deviceForResourceAccount/read  Read deviceForResourceAccount of users
[Link]/users/directReports/read  Read the direct reports for users
[Link]/users/licenseDetails/read  Read license details of users
[Link]/users/manager/read  Read manager of users
[Link]/users/memberOf/read  Read the group memberships of users
[Link]/users/oAuth2PermissionGrants/read  Read delegated permission grants on users
[Link]/users/ownedDevices/read  Read owned devices of users
[Link]/users/ownedObjects/read  Read owned objects of users
[Link]/users/photo/read  Read photo of users
[Link]/users/registeredDevices/read  Read registered devices of users
[Link]/users/scopedRoleMemberOf/read  Read user's membership of an Azure AD role that is scoped to an administrative unit
Helpdesk Administrator
Users with this role can change passwords, invalidate refresh tokens, create and manage
support requests with Microsoft for Azure and Microsoft 365 services, and monitor
service health. Invalidating a refresh token forces the user to sign in again. Whether a
Helpdesk Administrator can reset a user's password and invalidate refresh tokens
depends on the role the user is assigned. For a list of the roles that a Helpdesk
Administrator can reset passwords for and invalidate refresh tokens, see Who can reset
passwords.
Users with this role cannot do the following:
Change the credentials or reset MFA for members and owners of a role-assignable group.
Important
Users with this role can change passwords for people who may have access to
sensitive or private information or critical configuration inside and outside of Azure
Active Directory. Changing the password of a user may mean the ability to assume
that user's identity and permissions. For example:
Application Registration and Enterprise Application owners, who can manage
credentials of apps they own. Those apps may have privileged permissions in
Azure AD and elsewhere not granted to Helpdesk Administrators. Through
this path a Helpdesk Administrator may be able to assume the identity of an
application owner and then further assume the identity of a privileged
application by updating the credentials for the application.
Azure subscription owners, who might have access to sensitive or private
information or critical configuration in Azure.
Security Group and Microsoft 365 group owners, who can manage group
membership. Those groups may grant access to sensitive or private
information or critical configuration in Azure AD and elsewhere.
Administrators in other services outside of Azure AD like Exchange Online,
Office Security and Compliance Center, and human resources systems.
Non-administrators like executives, legal counsel, and human resources
employees who may have access to sensitive or private information.
Delegating administrative permissions over subsets of users and applying policies to a
subset of users is possible with Administrative Units.
This role was previously called "Password Administrator" in the Azure portal. The
"Helpdesk Administrator" name in Azure AD now matches its name in Azure AD
PowerShell and the Microsoft Graph API.
Actions Description
[Link]/bitlockerKeys/key/read  Read bitlocker metadata and key on devices
[Link]/users/invalidateAllRefreshTokens  Force sign-out by invalidating user refresh tokens
[Link]/users/password/update  Reset passwords for all users
[Link]/allEntities/allTasks  Read and configure Azure Service Health
[Link]/allEntities/allTasks  Create and manage Azure support tickets
[Link]/allEntities/allTasks  Read and configure Service Health in the Microsoft 365 admin center
[Link]/allEntities/allTasks  Create and manage Microsoft 365 service requests
[Link]/allEntities/standard/read  Read basic properties on all resources in the Microsoft 365 admin center
Hybrid Identity Administrator
Users in this role can create, manage, and deploy provisioning configuration from
AD to Azure AD using cloud provisioning, and can manage Azure AD Connect, Pass-
through Authentication (PTA), password hash synchronization (PHS), Seamless Single
Sign-On (Seamless SSO), and federation settings. Users can also troubleshoot and
monitor logs using this role.
Actions Description
[Link]/applications/create  Create all types of applications
[Link]/applications/delete  Delete all types of applications
[Link]/applications/appRoles/update  Update the appRoles property on all types of applications
[Link]/applications/audience/update  Update the audience property for applications
[Link]/applications/authentication/update  Update authentication on all types of applications
[Link]/applications/basic/update  Update basic properties for applications
[Link]/applications/notes/update  Update notes of applications
[Link]/applications/owners/update  Update owners of applications
[Link]/applications/permissions/update  Update exposed permissions and required permissions on all types of applications
[Link]/applications/policies/update  Update policies of applications
[Link]/applications/tag/update  Update tags of applications
[Link]/applications/synchronization/standard/read  Read provisioning settings associated with the application object
[Link]/applicationTemplates/instantiate  Instantiate gallery applications from application templates
[Link]/auditLogs/allProperties/read  Read all properties on audit logs, including privileged properties
[Link]/cloudProvisioning/allProperties/allTasks  Read and configure all properties of the Azure AD Cloud Provisioning service
[Link]/[Link]/delete  Permanently delete applications, which can no longer be restored
[Link]/[Link]/restore  Restore soft deleted applications to original state
[Link]/domains/allProperties/read  Read all properties of domains
[Link]/domains/federation/update  Update federation property of domains
[Link]/hybridAuthenticationPolicy/allProperties/allTasks  Manage hybrid authentication policy in Azure AD
[Link]/organization/dirSync/update  Update the organization directory sync property
[Link]/passwordHashSync/allProperties/allTasks  Manage all aspects of Password Hash Synchronization (PHS) in Azure AD
[Link]/provisioningLogs/allProperties/read  Read all properties of provisioning logs
[Link]/servicePrincipals/create  Create service principals
[Link]/servicePrincipals/delete  Delete service principals
[Link]/servicePrincipals/disable  Disable service principals
[Link]/servicePrincipals/enable  Enable service principals
[Link]/servicePrincipals/synchronizationCredentials/manage  Manage application provisioning secrets and credentials
[Link]/servicePrincipals/synchronizationJobs/manage  Start, restart, and pause application provisioning synchronization jobs
[Link]/servicePrincipals/synchronizationSchema/manage  Create and manage application provisioning synchronization jobs and schema
[Link]/servicePrincipals/audience/update  Update audience properties on service principals
[Link]/servicePrincipals/authentication/update  Update authentication properties on service principals
[Link]/servicePrincipals/basic/update  Update basic properties on service principals
[Link]/servicePrincipals/notes/update  Update notes of service principals
[Link]/servicePrincipals/owners/update  Update owners of service principals
[Link]/servicePrincipals/permissions/update  Update permissions of service principals
[Link]/servicePrincipals/policies/update  Update policies of service principals
[Link]/servicePrincipals/tag/update  Update the tag property for service principals
[Link]/servicePrincipals/synchronization/standard/read  Read provisioning settings associated with your service principal
[Link]/signInReports/allProperties/read  Read all properties on sign-in reports, including privileged properties
[Link]/allEntities/allTasks  Read and configure Azure Service Health
[Link]/allEntities/allTasks  Create and manage Azure support tickets
[Link]/messages/read  Read messages in Message Center in the Microsoft 365 admin center, excluding security messages
[Link]/allEntities/allTasks  Read and configure Service Health in the Microsoft 365 admin center
[Link]/allEntities/allTasks  Create and manage Microsoft 365 service requests
[Link]/allEntities/standard/read  Read basic properties on all resources in the Microsoft 365 admin center
Identity Governance Administrator
Users with this role can manage Azure AD identity governance configuration, including
access packages, access reviews, catalogs and policies, ensuring access is approved and
reviewed and guest users who no longer need access are removed.
Actions Description
[Link]/accessReviews/definitions.applications/allProperties/allTasks  Manage access reviews of application role assignments in Azure AD
[Link]/accessReviews/definitions.entitlementManagement/allProperties/allTasks  Manage access reviews for access package assignments in entitlement management
[Link]/accessReviews/definitions.groups/allProperties/read  Read all properties of access reviews for membership in Security and Microsoft 365 groups, including role-assignable groups
[Link]/accessReviews/definitions.groups/allProperties/update  Update all properties of access reviews for membership in Security and Microsoft 365 groups, excluding role-assignable groups
[Link]/accessReviews/definitions.groups/create  Create access reviews for membership in Security and Microsoft 365 groups
[Link]/accessReviews/definitions.groups/delete  Delete access reviews for membership in Security and Microsoft 365 groups
[Link]/accessReviews/allProperties/allTasks  (Deprecated) Create and delete access reviews, read and update all properties of access reviews, and manage access reviews of groups in Azure AD
[Link]/entitlementManagement/allProperties/allTasks  Create and delete resources, and read and update all properties in Azure AD entitlement management
[Link]/groups/members/update  Update members of Security groups and Microsoft 365 groups, excluding role-assignable groups
[Link]/servicePrincipals/appRoleAssignedTo/update  Update service principal role assignments
Insights Administrator
Users in this role can access the full set of administrative capabilities in the Microsoft
Viva Insights app. This role can read directory information, monitor service health, file
support tickets, and access the Insights Administrator settings.
Actions Description
[Link]/allEntities/allTasks  Read and configure Azure Service Health
[Link]/allEntities/allTasks  Create and manage Azure support tickets
[Link]/allEntities/allProperties/allTasks  Manage all aspects of Insights app
[Link]/allEntities/allTasks  Read and configure Service Health in the Microsoft 365 admin center
[Link]/allEntities/allTasks  Create and manage Microsoft 365 service requests
[Link]/allEntities/standard/read  Read basic properties on all resources in the Microsoft 365 admin center
Insights Analyst
Assign the Insights Analyst role to users who need to do the following:
Analyze data in the Microsoft Viva Insights app, but can't manage any
configuration settings
Create, manage, and run queries
View basic settings and reports in the Microsoft 365 admin center
Create and manage service requests in the Microsoft 365 admin center
Actions Description
[Link]/queries/allProperties/allTasks  Run and manage queries in Viva Insights
[Link]/allEntities/allTasks  Create and manage Microsoft 365 service requests
[Link]/allEntities/standard/read  Read basic properties on all resources in the Microsoft 365 admin center
Insights Business Leader
Users in this role can access a set of dashboards and insights via the Microsoft Viva
Insights app. This includes full access to all dashboards and presented insights and data
exploration functionality. Users in this role do not have access to product configuration
settings, which is the responsibility of the Insights Administrator role.
Actions Description
[Link]/reports/allProperties/read  View reports and dashboards in Insights app
[Link]/programs/allProperties/update  Deploy and manage programs in Insights app
Intune Administrator
Users with this role have global permissions within Microsoft Intune Online, when the
service is present. Additionally, this role contains the ability to manage users and devices
in order to associate policy, as well as create and manage groups. More information at
Role-based administration control (RBAC) with Microsoft Intune.
This role can create and manage all security groups. However, the Intune Administrator does
not have admin rights over Microsoft 365 (Office) groups: the admin cannot update owners
or memberships of all Office groups in the organization. They can still manage the
Office groups they create themselves, which comes as part of their end-user privileges,
so any Office group (not security group) they create counts against their quota of 250.
Note
In the Microsoft Graph API and Azure AD PowerShell, this role is identified as
"Intune Service Administrator." It is "Intune Administrator" in the Azure portal.
Actions Description
[Link]/bitlockerKeys/key/read  Read bitlocker metadata and key on devices
[Link]/contacts/create  Create contacts
[Link]/contacts/delete  Delete contacts
[Link]/contacts/basic/update  Update basic properties on contacts
[Link]/[Link]/delete  Permanently delete devices, which can no longer be restored
[Link]/[Link]/restore  Restore soft deleted devices to original state
[Link]/devices/create  Create devices (enroll in Azure AD)
[Link]/devices/delete  Delete devices from Azure AD
[Link]/devices/disable  Disable devices in Azure AD
[Link]/devices/enable  Enable devices in Azure AD
[Link]/devices/basic/update  Update basic properties on devices
[Link]/devices/extensionAttributeSet1/update  Update the extensionAttribute1 to extensionAttribute5 properties on devices
[Link]/devices/extensionAttributeSet2/update  Update the extensionAttribute6 to extensionAttribute10 properties on devices
[Link]/devices/extensionAttributeSet3/update  Update the extensionAttribute11 to extensionAttribute15 properties on devices
[Link]/devices/registeredOwners/update  Update registered owners of devices
[Link]/devices/registeredUsers/update  Update registered users of devices
[Link]/deviceManagementPolicies/standard/read  Read standard properties on device management application policies
[Link]/deviceRegistrationPolicy/standard/read  Read standard properties on device registration policies
[Link]/groups/hiddenMembers/read  Read hidden members of Security groups and Microsoft 365 groups, including role-assignable groups
[Link]/[Link]/create  Create Security groups, excluding role-assignable groups
[Link]/[Link]/delete  Delete Security groups, excluding role-assignable groups
[Link]/[Link]/basic/update  Update basic properties on Security groups, excluding role-assignable groups
[Link]/[Link]/classification/update  Update the classification property on Security groups, excluding role-assignable groups
[Link]/[Link]/dynamicMembershipRule/update  Update the dynamic membership rule on Security groups, excluding role-assignable groups
[Link]/[Link]/members/update  Update members of Security groups, excluding role-assignable groups
[Link]/[Link]/owners/update  Update owners of Security groups, excluding role-assignable groups
[Link]/[Link]/visibility/update  Update the visibility property on Security groups, excluding role-assignable groups
[Link]/users/basic/update  Update basic properties on users
[Link]/users/manager/update  Update manager for users
[Link]/users/photo/update  Update photo of users
[Link]/allEntities/allTasks  Create and manage Azure support tickets
[Link]/allEntities/allProperties/allTasks  Manage all aspects of Windows 365
[Link]/allEntities/allTasks  Manage all aspects of Microsoft Intune
[Link]/allEntities/allProperties/read  Read all aspects of Microsoft 365 Organizational Messages
[Link]/allEntities/allTasks  Create and manage Microsoft 365 service requests
[Link]/allEntities/standard/read  Read basic properties on all resources in the Microsoft 365 admin center
Kaizala Administrator
Users with this role have global permissions to manage settings within Microsoft Kaizala,
when the service is present, as well as the ability to manage support tickets and monitor
service health. Additionally, the user can access reports related to adoption & usage of
Kaizala by Organization members and business reports generated using the Kaizala
actions.
Actions Description
[Link]/authorizationPolicy/standard/read  Read standard properties of authorization policy
[Link]/allEntities/allTasks  Read and configure Service Health in the Microsoft 365 admin center
[Link]/allEntities/allTasks  Create and manage Microsoft 365 service requests
[Link]/allEntities/standard/read  Read basic properties on all resources in the Microsoft 365 admin center
Knowledge Administrator
Users in this role have full access to all knowledge, learning, and intelligent features
settings in the Microsoft 365 admin center. They have a general understanding of the
suite of products and licensing details, and are responsible for controlling access. A
Knowledge Administrator can create and manage content, like topics, acronyms, and learning
resources. Additionally, these users can create content centers, monitor service health,
and create service requests.
Actions Description
[Link]/[Link]/create  Create Security groups, excluding role-assignable groups
[Link]/[Link]/createAsOwner  Create Security groups, excluding role-assignable groups. Creator is added as the first owner.
[Link]/[Link]/delete  Delete Security groups, excluding role-assignable groups
[Link]/[Link]/basic/update  Update basic properties on Security groups, excluding role-assignable groups
[Link]/[Link]/members/update  Update members of Security groups, excluding role-assignable groups
[Link]/[Link]/owners/update  Update owners of Security groups, excluding role-assignable groups
[Link]/contentUnderstanding/allProperties/allTasks  Read and update all properties of content understanding in Microsoft 365 admin center
[Link]/knowledgeNetwork/allProperties/allTasks  Read and update all properties of knowledge network in Microsoft 365 admin center
[Link]/learningSources/allProperties/allTasks  Manage learning sources and all their properties in Learning App
[Link]/sensitivityLabels/allProperties/read  Read all properties of sensitivity labels in the Security and Compliance centers
[Link]/allEntities/allTasks  Create and delete all resources, and read and update standard properties in SharePoint
[Link]/allEntities/allTasks  Create and manage Microsoft 365 service requests
[Link]/allEntities/standard/read  Read basic properties on all resources in the Microsoft 365 admin center
Knowledge Manager
Users in this role can create and manage content, like topics, acronyms, and learning
content. These users are primarily responsible for the quality and structure of
knowledge. They have full rights to topic management actions to confirm a topic,
approve edits, or delete a topic. This role can also manage taxonomies as part of the
term store management tool and create content centers.
Actions Description
[Link]/[Link]/create  Create Security groups, excluding role-assignable groups
[Link]/[Link]/createAsOwner  Create Security groups, excluding role-assignable groups. Creator is added as the first owner.
[Link]/[Link]/delete  Delete Security groups, excluding role-assignable groups
[Link]/[Link]/basic/update  Update basic properties on Security groups, excluding role-assignable groups
[Link]/[Link]/members/update  Update members of Security groups, excluding role-assignable groups
[Link]/[Link]/owners/update  Update owners of Security groups, excluding role-assignable groups
[Link]/contentUnderstanding/analytics/allProperties/read  Read analytics reports of content understanding in Microsoft 365 admin center
[Link]/knowledgeNetwork/topicVisibility/allProperties/allTasks  Manage topic visibility of knowledge network in Microsoft 365 admin center
[Link]/allEntities/allTasks  Create and delete all resources, and read and update standard properties in SharePoint
[Link]/allEntities/allTasks  Create and manage Microsoft 365 service requests
[Link]/allEntities/standard/read  Read basic properties on all resources in the Microsoft 365 admin center
License Administrator
Users in this role can add, remove, and update license assignments on users, groups
(using group-based licensing), and manage the usage location on users. The role does
not grant the ability to purchase or manage subscriptions, create or manage groups, or
create or manage users beyond the usage location. This role has no access to view,
create, or manage support tickets.
Actions Description
[Link]/authorizationPolicy/standard/read  Read standard properties of authorization policy
[Link]/groups/assignLicense  Assign product licenses to groups for group-based licensing
[Link]/groups/reprocessLicenseAssignment  Reprocess license assignments for group-based licensing
[Link]/users/assignLicense  Manage user licenses
[Link]/users/reprocessLicenseAssignment  Reprocess license assignments for users
[Link]/users/usageLocation/update  Update usage location of users
[Link]/allEntities/allTasks  Read and configure Azure Service Health
[Link]/allEntities/allTasks  Read and configure Service Health in the Microsoft 365 admin center
[Link]/allEntities/standard/read  Read basic properties on all resources in the Microsoft 365 admin center
Lifecycle Workflows Administrator
Assign the Lifecycle Workflows Administrator role to users who need to do the following
tasks:
Create and manage all aspects of workflows and tasks associated with Lifecycle
Workflows in Azure AD
Check the execution of scheduled workflows
Launch on-demand workflow runs
Inspect workflow execution logs
Actions Description
[Link]/lifecycleWorkflows/workflows/allProperties/allTasks  Manage all aspects of lifecycle workflows and tasks in Azure AD
Message Center Privacy Reader
Users in this role can monitor all notifications in the Message Center, including data
privacy messages. Message Center Privacy Readers get email notifications including
those related to data privacy and they can unsubscribe using Message Center
Preferences. Only the Global Administrator and the Message Center Privacy Reader can
read data privacy messages. Additionally, this role contains the ability to view groups,
domains, and subscriptions. This role has no permission to view, create, or manage
service requests.
Actions Description
[Link]/messages/read  Read messages in Message Center in the Microsoft 365 admin center, excluding security messages
[Link]/securityMessages/read  Read security messages in Message Center in the Microsoft 365 admin center
[Link]/allEntities/standard/read  Read basic properties on all resources in the Microsoft 365 admin center
Message Center Reader
Users in this role can monitor notifications and advisory health updates in Message
center for their organization on configured services such as Exchange, Intune, and
Microsoft Teams. Message Center Readers receive weekly email digests of posts,
updates, and can share message center posts in Microsoft 365. In Azure AD, users
assigned to this role will only have read-only access on Azure AD services such as users
and groups. This role has no access to view, create, or manage support tickets.
Actions Description
[Link]/messages/read  Read messages in Message Center in the Microsoft 365 admin center, excluding security messages
[Link]/allEntities/standard/read  Read basic properties on all resources in the Microsoft 365 admin center
Microsoft Hardware Warranty Administrator
Assign the Microsoft Hardware Warranty Administrator role to users who need to do the
following tasks:
Create new warranty claims for Microsoft manufactured hardware, like Surface and
HoloLens
Search and read opened or closed warranty claims
Search and read warranty claims by serial number
Create, read, update, and delete shipping addresses
Read shipping status for open warranty claims
Create and manage service requests in the Microsoft 365 admin center
Read Message center announcements in the Microsoft 365 admin center
A warranty claim is a request to have the hardware repaired or replaced in accordance
with the terms of the warranty. For more information, see Self-serve your Surface
warranty & service requests.
Actions Description
[Link]/shippingAddress/allProperties/allTasks  Create, read, update, and delete shipping addresses for Microsoft hardware warranty claims, including shipping addresses created by others
[Link]/shippingStatus/allProperties/read  Read shipping status for open Microsoft hardware warranty claims
[Link]/warrantyClaims/allProperties/allTasks  Create and manage all aspects of Microsoft hardware warranty claims
[Link]/messages/read  Read messages in Message Center in the Microsoft 365 admin center, excluding security messages
[Link]/allEntities/allTasks  Create and manage Microsoft 365 service requests
[Link]/allEntities/standard/read  Read basic properties on all resources in the Microsoft 365 admin center
Microsoft Hardware Warranty Specialist
Assign the Microsoft Hardware Warranty Specialist role to users who need to do the
following tasks:
Create new warranty claims for Microsoft manufactured hardware, like Surface and
HoloLens
Read warranty claims that they created
Read and update existing shipping addresses
Read shipping status for open warranty claims they created
Create and manage service requests in the Microsoft 365 admin center
A warranty claim is a request to have the hardware repaired or replaced in accordance
with the terms of the warranty. For more information, see Self-serve your Surface
warranty & service requests.
Actions Description
[Link]/shippingAddress/allProperties/read  Read shipping addresses for Microsoft hardware warranty claims, including existing shipping addresses created by others
[Link]/warrantyClaims/createAsOwner  Create Microsoft hardware warranty claims where the creator is the owner
[Link]/allEntities/allTasks  Create and manage Microsoft 365 service requests
[Link]/allEntities/standard/read  Read basic properties on all resources in the Microsoft 365 admin center
[Link]/shippingStatus/allProperties/read  Read shipping status for open Microsoft hardware warranty claims
[Link]/warrantyClaims/allProperties/read  Read Microsoft hardware warranty claims
Modern Commerce User
Do not use. This role is automatically assigned from Commerce, and is not intended or
supported for any other use. See details below.
The Modern Commerce User role gives certain users permission to access Microsoft 365
admin center and see the left navigation entries for Home, Billing, and Support. The
content available in these areas is controlled by commerce-specific roles assigned to
users to manage products that they bought for themselves or your organization. This
might include tasks like paying bills, or for access to billing accounts and billing profiles.
Users with the Modern Commerce User role typically have administrative permissions in
other Microsoft purchasing systems, but do not have Global Administrator or Billing
Administrator roles used to access the admin center.
When is the Modern Commerce User role assigned?
Self-service purchase in Microsoft 365 admin center – Self-service purchase gives
users a chance to try out new products by buying or signing up for them on their
own. These products are managed in the admin center. Users who make a self-
service purchase are assigned a role in the commerce system, and the Modern
Commerce User role so they can manage their purchases in admin center. Admins
can block self-service purchases (for Power BI, Power Apps, Power automate)
through PowerShell. For more information, see Self-service purchase FAQ.
Purchases from Microsoft commercial marketplace – Similar to self-service
purchase, when a user buys a product or service from Microsoft AppSource or
Azure Marketplace, the Modern Commerce User role is assigned if they don’t have
the Global Administrator or Billing Administrator role. In some cases, users might
be blocked from making these purchases. For more information, see Microsoft
commercial marketplace.
Proposals from Microsoft – A proposal is a formal offer from Microsoft for your
organization to buy Microsoft products and services. When the person who is
accepting the proposal doesn’t have a Global Administrator or Billing
Administrator role in Azure AD, they are assigned both a commerce-specific role to
complete the proposal and the Modern Commerce User role to access admin
center. When they access the admin center they can only use features that are
authorized by their commerce-specific role.
Commerce-specific roles – Some users are assigned commerce-specific roles. If a
user isn't a Global Administrator or Billing Administrator, they get the Modern
Commerce User role so they can access the admin center.
If the Modern Commerce User role is unassigned from a user, they lose access to
Microsoft 365 admin center. If they were managing any products, either for themselves
or for your organization, they won’t be able to manage them. This might include
assigning licenses, changing payment methods, paying bills, or other tasks for managing
subscriptions.
Actions Description
[Link]/partners/read
[Link]er/allEntities/allTasks  Manage all aspects of Volume Licensing Service Center
[Link]/allEntities/allTasks  Create and manage Microsoft 365 service requests
[Link]/allEntities/basic/read  Read basic properties on all resources in the Microsoft 365 admin center
Network Administrator
Users in this role can review network perimeter architecture recommendations from
Microsoft that are based on network telemetry from their user locations. Network
performance for Microsoft 365 relies on careful enterprise customer network perimeter
architecture, which is generally specific to each user location. This role allows editing of
discovered user locations and configuration of network parameters for those locations
to facilitate improved telemetry measurements and design recommendations.
Actions Description
[Link]/locations/allProperties/allTasks  Manage all aspects of network locations
[Link]/performance/allProperties/read  Read all network performance properties in the Microsoft 365 admin center
[Link]/allEntities/standard/read  Read basic properties on all resources in the Microsoft 365 admin center
Office Apps Administrator
Users in this role can manage Microsoft 365 apps' cloud settings. This includes managing cloud policies, self-service download management, and the ability to view Office apps-related reports. This role additionally grants the ability to manage support tickets and monitor service health within the main admin center. Users assigned to this role can also manage communication of new features in Office apps.
| Actions | Description |
| --- | --- |
| [Link]/allEntities/allTasks | Read and configure Azure Service Health |
| [Link]/allEntities/allTasks | Create and manage Azure support tickets |
| [Link]/messages/read | Read messages in Message Center in the Microsoft 365 admin center, excluding security messages |
| [Link]/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
| [Link]/allEntities/allTasks | Create and manage Microsoft 365 service requests |
| [Link]/allEntities/allTasks | Read and update what's new messages visibility |
| [Link]/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
Organizational Messages Writer
Assign the Organizational Messages Writer role to users who need to do the following tasks:
- Write, publish, and delete organizational messages using Microsoft 365 admin center or Microsoft Endpoint Manager
- Manage organizational message delivery options using Microsoft 365 admin center or Microsoft Endpoint Manager
- Read organizational message delivery results using Microsoft 365 admin center or Microsoft Endpoint Manager
- View usage reports and most settings in the Microsoft 365 admin center, but can't make changes
| Actions | Description |
| --- | --- |
| [Link]/allEntities/allProperties/allTasks | Manage all authoring aspects of Microsoft 365 Organizational Messages |
| [Link]/allEntities/standard/read | Read tenant-level aggregated Office 365 usage reports |
| [Link]/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
Partner Tier1 Support
Do not use. This role has been deprecated and will be removed from Azure AD in the future. This role is intended for use by a small number of Microsoft resale partners, and is not intended for general use.
Important
This role can reset passwords and invalidate refresh tokens only for non-administrators. This role should not be used because it is deprecated and will no longer be returned by the API.
| Actions | Description |
| --- | --- |
| [Link]/applications/appRoles/update | Update the appRoles property on all types of applications |
| [Link]/applications/audience/update | Update the audience property for applications |
| [Link]/applications/authentication/update | Update authentication on all types of applications |
| [Link]/applications/basic/update | Update basic properties for applications |
| [Link]/applications/credentials/update | Update application credentials |
| [Link]/applications/notes/update | Update notes of applications |
| [Link]/applications/owners/update | Update owners of applications |
| [Link]/applications/permissions/update | Update exposed permissions and required permissions on all types of applications |
| [Link]/applications/policies/update | Update policies of applications |
| [Link]/applications/tag/update | Update tags of applications |
| [Link]/contacts/create | Create contacts |
| [Link]/contacts/delete | Delete contacts |
| [Link]/contacts/basic/update | Update basic properties on contacts |
| [Link]/[Link]/restore | Restore soft deleted groups to original state |
| [Link]/[Link]/restore | Restore soft deleted users to original state |
| [Link]/groups/create | Create Security groups and Microsoft 365 groups, excluding role-assignable groups |
| [Link]/groups/delete | Delete Security groups and Microsoft 365 groups, excluding role-assignable groups |
| [Link]/groups/restore | Restore groups from soft-deleted container |
| [Link]/groups/members/update | Update members of Security groups and Microsoft 365 groups, excluding role-assignable groups |
| [Link]/groups/owners/update | Update owners of Security groups and Microsoft 365 groups, excluding role-assignable groups |
| [Link]/oAuth2PermissionGrants/allProperties/allTasks | Create and delete OAuth 2.0 permission grants, and read and update all properties |
| [Link]/servicePrincipals/appRoleAssignedTo/update | Update service principal role assignments |
| [Link]/users/assignLicense | Manage user licenses |
| [Link]/users/create | Add users |
| [Link]/users/delete | Delete users |
| [Link]/users/disable | Disable users |
| [Link]/users/enable | Enable users |
| [Link]/users/invalidateAllRefreshTokens | Force sign-out by invalidating user refresh tokens |
| [Link]/users/restore | Restore deleted users |
| [Link]/users/basic/update | Update basic properties on users |
| [Link]/users/manager/update | Update manager for users |
| [Link]/users/password/update | Reset passwords for all users |
| [Link]/users/photo/update | Update photo of users |
| [Link]/users/userPrincipalName/update | Update User Principal Name of users |
| [Link]/allEntities/allTasks | Read and configure Azure Service Health |
| [Link]/allEntities/allTasks | Create and manage Azure support tickets |
| [Link]/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
| [Link]/allEntities/allTasks | Create and manage Microsoft 365 service requests |
| [Link]/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
Partner Tier2 Support
Do not use. This role has been deprecated and will be removed from Azure AD in the future. This role is intended for use by a small number of Microsoft resale partners, and is not intended for general use.
Important
This role can reset passwords and invalidate refresh tokens for all non-administrators and administrators (including Global Administrators). This role should not be used because it is deprecated and will no longer be returned by the API.
| Actions | Description |
| --- | --- |
| [Link]/applications/appRoles/update | Update the appRoles property on all types of applications |
| [Link]/applications/audience/update | Update the audience property for applications |
| [Link]/applications/authentication/update | Update authentication on all types of applications |
| [Link]/applications/basic/update | Update basic properties for applications |
| [Link]/applications/credentials/update | Update application credentials |
| [Link]/applications/notes/update | Update notes of applications |
| [Link]/applications/owners/update | Update owners of applications |
| [Link]/applications/permissions/update | Update exposed permissions and required permissions on all types of applications |
| [Link]/applications/policies/update | Update policies of applications |
| [Link]/applications/tag/update | Update tags of applications |
| [Link]/contacts/create | Create contacts |
| [Link]/contacts/delete | Delete contacts |
| [Link]/contacts/basic/update | Update basic properties on contacts |
| [Link]/[Link]/restore | Restore soft deleted groups to original state |
| [Link]/[Link]/restore | Restore soft deleted users to original state |
| [Link]/domains/allProperties/allTasks | Create and delete domains, and read and update all properties |
| [Link]/groups/create | Create Security groups and Microsoft 365 groups, excluding role-assignable groups |
| [Link]/groups/delete | Delete Security groups and Microsoft 365 groups, excluding role-assignable groups |
| [Link]/groups/restore | Restore groups from soft-deleted container |
| [Link]/groups/members/update | Update members of Security groups and Microsoft 365 groups, excluding role-assignable groups |
| [Link]/groups/owners/update | Update owners of Security groups and Microsoft 365 groups, excluding role-assignable groups |
| [Link]/oAuth2PermissionGrants/allProperties/allTasks | Create and delete OAuth 2.0 permission grants, and read and update all properties |
| [Link]/organization/basic/update | Update basic properties on organization |
| [Link]/roleAssignments/allProperties/allTasks | Create and delete role assignments, and read and update all role assignment properties |
| [Link]/roleDefinitions/allProperties/allTasks | Create and delete role definitions, and read and update all properties |
| [Link]/scopedRoleMemberships/allProperties/allTasks | Create and delete scopedRoleMemberships, and read and update all properties |
| [Link]/servicePrincipals/appRoleAssignedTo/update | Update service principal role assignments |
| [Link]/subscribedSkus/standard/read | Read basic properties on subscriptions |
| [Link]/users/assignLicense | Manage user licenses |
| [Link]/users/create | Add users |
| [Link]/users/delete | Delete users |
| [Link]/users/disable | Disable users |
| [Link]/users/enable | Enable users |
| [Link]/users/invalidateAllRefreshTokens | Force sign-out by invalidating user refresh tokens |
| [Link]/users/restore | Restore deleted users |
| [Link]/users/basic/update | Update basic properties on users |
| [Link]/users/manager/update | Update manager for users |
| [Link]/users/password/update | Reset passwords for all users |
| [Link]/users/photo/update | Update photo of users |
| [Link]/users/userPrincipalName/update | Update User Principal Name of users |
| [Link]/allEntities/allTasks | Read and configure Azure Service Health |
| [Link]/allEntities/allTasks | Create and manage Azure support tickets |
| [Link]/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
| [Link]/allEntities/allTasks | Create and manage Microsoft 365 service requests |
| [Link]/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
Password Administrator
Users with this role have limited ability to manage passwords. This role does not grant the ability to manage service requests or monitor service health. Whether a Password Administrator can reset a user's password depends on the role the user is assigned. For a list of the roles that a Password Administrator can reset passwords for, see Who can reset passwords.
Users with this role cannot do the following:
- Change the credentials or reset MFA for members and owners of a role-assignable group.
| Actions | Description |
| --- | --- |
| [Link]/users/password/update | Reset passwords for all users |
| [Link]/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
Permissions Management Administrator
Assign the Permissions Management Administrator role to users who need to do the following tasks:
- Manage all aspects of Entra Permissions Management, when the service is present
Learn more about Permissions Management roles and policies at View information about roles/policies.
| Actions | Description |
| --- | --- |
| [Link]/allEntities/allProperties/allTasks | Manage all aspects of Entra Permissions Management |
Power BI Administrator
Users with this role have global permissions within Microsoft Power BI, when the service is present, as well as the ability to manage support tickets and monitor service health. More information at Understanding the Power BI Administrator role.
Note
In the Microsoft Graph API and Azure AD PowerShell, this role is identified as "Power BI Service Administrator". It is "Power BI Administrator" in the Azure portal.
| Actions | Description |
| --- | --- |
| [Link]/allEntities/allTasks | Read and configure Azure Service Health |
| [Link]/allEntities/allTasks | Create and manage Azure support tickets |
| [Link]/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
| [Link]/allEntities/allTasks | Create and manage Microsoft 365 service requests |
| [Link]/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
| [Link]/allEntities/allTasks | Manage all aspects of Power BI |
Power Platform Administrator
Users in this role can create and manage all aspects of environments, Power Apps, Flows, and Data Loss Prevention policies. Additionally, users with this role have the ability to manage support tickets and monitor service health.
| Actions | Description |
| --- | --- |
| [Link]/allEntities/allTasks | Read and configure Azure Service Health |
| [Link]/allEntities/allTasks | Create and manage Azure support tickets |
| microsoft.dynamics365/allEntities/allTasks | Manage all aspects of Dynamics 365 |
| [Link]/allEntities/allTasks | Manage all aspects of Microsoft Power Automate |
| [Link]/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
| [Link]/allEntities/allTasks | Create and manage Microsoft 365 service requests |
| [Link]/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
| [Link]/allEntities/allTasks | Manage all aspects of Power Apps |
Printer Administrator
Users in this role can register printers and manage all aspects of all printer configurations in the Microsoft Universal Print solution, including the Universal Print Connector settings. They can consent to all delegated print permission requests. Printer Administrators also have access to print reports.
| Actions | Description |
| --- | --- |
| [Link]/allEntities/allProperties/allTasks | Create and delete printers and connectors, and read and update all properties in Microsoft Print |
Printer Technician
Users with this role can register printers and manage printer status in the Microsoft Universal Print solution. They can also read all connector information. The key tasks a Printer Technician cannot do are setting user permissions on printers and sharing printers.
| Actions | Description |
| --- | --- |
| [Link]/connectors/allProperties/read | Read all properties of connectors in Microsoft Print |
| [Link]/printers/allProperties/read | Read all properties of printers in Microsoft Print |
| [Link]/printers/register | Register printers in Microsoft Print |
| [Link]/printers/unregister | Unregister printers in Microsoft Print |
| [Link]/printers/basic/update | Update basic properties of printers in Microsoft Print |
Privileged Authentication Administrator
Assign the Privileged Authentication Administrator role to users who need to do the following:
- Set or reset any authentication method (including passwords) for any user, including Global Administrators.
- Delete or restore any users, including Global Administrators. For more information, see Who can perform sensitive actions.
- Force users to re-register against existing non-password credentials (such as MFA or FIDO) and revoke "remember MFA on the device", prompting for MFA on the next sign-in of all users.
- Update sensitive properties for all users. For more information, see Who can perform sensitive actions.
- Create and manage support tickets in Azure and the Microsoft 365 admin center.
Users with this role cannot do the following:
- Manage per-user MFA in the legacy MFA management portal. The same functions can be accomplished using the Set-MsolUser cmdlet in the Azure AD PowerShell module.
The following table compares the capabilities of this role with related roles.
| Role | Manage user's auth methods | Manage per-user MFA | Manage MFA settings | Manage auth method policy | Manage password protection policy | Update sensitive properties | Delete and restore users |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Authentication Administrator | Yes for some users | Yes for some users | No | No | No | Yes for some users | Yes for some users |
| Privileged Authentication Administrator | Yes for all users | Yes for all users | No | No | No | Yes for all users | Yes for all users |
| Authentication Policy Administrator | No | No | Yes | Yes | Yes | No | No |
| User Administrator | No | No | No | No | No | Yes for some users | Yes for some users |
Important
Users with this role can change credentials for people who may have access to sensitive or private information or critical configuration inside and outside of Azure Active Directory. Changing the credentials of a user may mean the ability to assume that user's identity and permissions. For example:
- Application Registration and Enterprise Application owners, who can manage credentials of apps they own. Those apps may have privileged permissions in Azure AD and elsewhere not granted to Authentication Administrators. Through this path an Authentication Administrator can assume the identity of an application owner and then further assume the identity of a privileged application by updating the credentials for the application.
- Azure subscription owners, who may have access to sensitive or private information or critical configuration in Azure.
- Security Group and Microsoft 365 group owners, who can manage group membership. Those groups may grant access to sensitive or private information or critical configuration in Azure AD and elsewhere.
- Administrators in other services outside of Azure AD like Exchange Online, Office Security and Compliance Center, and human resources systems.
- Non-administrators like executives, legal counsel, and human resources employees who may have access to sensitive or private information.
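As an added example (not part of this reference and not Microsoft tooling), the following Python helper takes role definitions in the Microsoft Graph unifiedRoleDefinition shape and reports which roles grant the credential-sensitive actions listed in the tables above, so a least-privilege review can see at a glance which roles (including the deprecated Partner Tier roles) can reset passwords, invalidate refresh tokens, change authentication methods, or assign roles. The sample definitions, their ids, the constructed custom role, and the `microsoft.directory` namespace (shown as [Link] on this page) are assumptions; the expansion of allProperties/allTasks and allEntities/allTasks wildcards is the helper's own heuristic, not a documented Graph rule.

```python
"""Audit which role definitions grant credential-sensitive directory actions.

Input: a list of role definitions in the Microsoft Graph unifiedRoleDefinition
shape (id, displayName, isEnabled, rolePermissions[].allowedResourceActions).
The SAMPLE below is CONSTRUCTED from the action names in this reference; the
'microsoft.directory' namespace and the ids are assumptions, not live data.
"""
from __future__ import annotations

# Actions a reviewer treats as credential-takeover capable (names from this
# page; namespace assumed).
SENSITIVE_ACTIONS = {
    "microsoft.directory/users/password/update": "reset passwords",
    "microsoft.directory/users/invalidateAllRefreshTokens": "force sign-out",
    "microsoft.directory/users/authenticationMethods/basic/update": "change auth methods",
    "microsoft.directory/roleAssignments/allProperties/allTasks": "assign any role",
}

# Roles this page marks "Do not use"; assignments to them should be removed.
DEPRECATED = {"Partner Tier1 Support", "Partner Tier2 Support"}


def action_implies(granted: str, wanted: str) -> bool:
    """True if `granted` is exactly `wanted`, or is a wildcard grant
    (.../allProperties/allTasks or .../allEntities/allTasks) whose prefix
    covers `wanted`. The wildcard expansion is this audit's own heuristic."""
    if granted == wanted:
        return True
    parts = granted.split("/")
    if (len(parts) >= 3 and parts[-1] == "allTasks"
            and parts[-2] in ("allProperties", "allEntities")):
        prefix = "/".join(parts[:-2]) + "/"
        return wanted.startswith(prefix)
    return False


def audit(role_definitions: list[dict]) -> dict[str, list[str]]:
    """Return {sensitive action -> sorted display names of roles granting it}.
    Disabled definitions are skipped: they cannot be assigned."""
    findings: dict[str, list[str]] = {a: [] for a in SENSITIVE_ACTIONS}
    for role in role_definitions:
        if not role.get("isEnabled", True):
            continue
        granted = {a for perm in role.get("rolePermissions", [])
                   for a in perm.get("allowedResourceActions", [])}
        for wanted in SENSITIVE_ACTIONS:
            if any(action_implies(g, wanted) for g in granted):
                findings[wanted].append(role["displayName"])
    return {k: sorted(v) for k, v in findings.items()}


def deprecated_with_sensitive(findings: dict[str, list[str]]) -> list[str]:
    """Deprecated roles that still hold a sensitive action: first candidates
    for removing any remaining assignments."""
    return sorted({r for roles in findings.values() for r in roles if r in DEPRECATED})


D = "microsoft.directory/"  # assumed namespace
# Constructed sample, modeled on this page's tables and trimmed to the audit.
SAMPLE_ROLE_DEFINITIONS = [
    {"id": "sample-1", "displayName": "Password Administrator", "isEnabled": True,
     "rolePermissions": [{"allowedResourceActions": [D + "users/password/update"]}]},
    {"id": "sample-2", "displayName": "Privileged Authentication Administrator",
     "isEnabled": True, "rolePermissions": [{"allowedResourceActions": [
         D + "users/authenticationMethods/create", D + "users/authenticationMethods/delete",
         D + "users/authenticationMethods/basic/update", D + "users/invalidateAllRefreshTokens",
         D + "users/password/update", D + "users/delete"]}]},
    {"id": "sample-3", "displayName": "Privileged Role Administrator", "isEnabled": True,
     "rolePermissions": [{"allowedResourceActions": [
         D + "roleAssignments/allProperties/allTasks", D + "roleDefinitions/allProperties/allTasks"]}]},
    {"id": "sample-4", "displayName": "Partner Tier2 Support", "isEnabled": True,
     "rolePermissions": [{"allowedResourceActions": [
         D + "users/password/update", D + "users/invalidateAllRefreshTokens",
         D + "roleAssignments/allProperties/allTasks", D + "domains/allProperties/allTasks"]}]},
    {"id": "sample-5", "displayName": "Reports Reader", "isEnabled": True,
     "rolePermissions": [{"allowedResourceActions": [
         D + "auditLogs/allProperties/read", D + "signInReports/allProperties/read"]}]},
    # Constructed custom role with a wildcard over users: covers password reset etc.
    {"id": "sample-6", "displayName": "Custom User Manager (constructed)", "isEnabled": True,
     "rolePermissions": [{"allowedResourceActions": [D + "users/allProperties/allTasks"]}]},
    # Constructed disabled custom role: ignored by the audit.
    {"id": "sample-7", "displayName": "Legacy Helpdesk (disabled)", "isEnabled": False,
     "rolePermissions": [{"allowedResourceActions": [D + "users/password/update"]}]},
]

if __name__ == "__main__":
    result = audit(SAMPLE_ROLE_DEFINITIONS)
    for action, roles in result.items():
        print(f"{SENSITIVE_ACTIONS[action]:20} ({action}): {', '.join(roles)}")
    print("deprecated roles still holding sensitive actions:",
          deprecated_with_sensitive(result))
```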
| Actions | Description |
| --- | --- |
| [Link]/users/authenticationMethods/create | Create authentication methods for users |
| [Link]/users/authenticationMethods/delete | Delete authentication methods for users |
| [Link]/users/authenticationMethods/standard/read | Read standard properties of authentication methods for users |
| [Link]/users/authenticationMethods/basic/update | Update basic properties of authentication methods for users |
| [Link]/[Link]/restore | Restore soft deleted users to original state |
| [Link]/users/delete | Delete users |
| [Link]/users/disable | Disable users |
| [Link]/users/enable | Enable users |
| [Link]/users/invalidateAllRefreshTokens | Force sign-out by invalidating user refresh tokens |
| [Link]/users/restore | Restore deleted users |
| [Link]/users/basic/update | Update basic properties on users |
| [Link]/users/manager/update | Update manager for users |
| [Link]/users/password/update | Reset passwords for all users |
| [Link]/users/userPrincipalName/update | Update User Principal Name of users |
| [Link]/allEntities/allTasks | Read and configure Azure Service Health |
| [Link]/allEntities/allTasks | Create and manage Azure support tickets |
| [Link]/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
| [Link]/allEntities/allTasks | Create and manage Microsoft 365 service requests |
| [Link]/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
Privileged Role Administrator
Users with this role can manage role assignments in Azure Active Directory, as well as within Azure AD Privileged Identity Management. They can create and manage groups that can be assigned to Azure AD roles. In addition, this role allows management of all aspects of Privileged Identity Management and administrative units.
Important
This role grants the ability to manage assignments for all Azure AD roles including the Global Administrator role. This role does not include any other privileged abilities in Azure AD like creating or updating users. However, users assigned to this role can grant themselves or others additional privilege by assigning additional roles.
| Actions | Description |
| --- | --- |
| [Link]/accessReviews/definitions.applications/allProperties/read | Read all properties of access reviews of application role assignments in Azure AD |
| [Link]/accessReviews/definitions.directoryRoles/allProperties/allTasks | Manage access reviews for Azure AD role assignments |
| [Link]/accessReviews/definitions.groupsAssignableToRoles/allProperties/update | Update all properties of access reviews for membership in groups that are assignable to Azure AD roles |
| [Link]/accessReviews/definitions.groupsAssignableToRoles/create | Create access reviews for membership in groups that are assignable to Azure AD roles |
| [Link]/accessReviews/definitions.groupsAssignableToRoles/delete | Delete access reviews for membership in groups that are assignable to Azure AD roles |
| [Link]/accessReviews/definitions.groups/allProperties/read | Read all properties of access reviews for membership in Security and Microsoft 365 groups, including role-assignable groups |
| [Link]/administrativeUnits/allProperties/allTasks | Create and manage administrative units (including members) |
| [Link]/authorizationPolicy/allProperties/allTasks | Manage all aspects of authorization policy |
| [Link]/directoryRoles/allProperties/allTasks | Create and delete directory roles, and read and update all properties |
| [Link]/groupsAssignableToRoles/create | Create role-assignable groups |
| [Link]/groupsAssignableToRoles/delete | Delete role-assignable groups |
| [Link]/groupsAssignableToRoles/restore | Restore role-assignable groups |
| [Link]/groupsAssignableToRoles/allProperties/update | Update role-assignable groups |
| [Link]/oAuth2PermissionGrants/allProperties/allTasks | Create and delete OAuth 2.0 permission grants, and read and update all properties |
| [Link]/privilegedIdentityManagement/allProperties/allTasks | Create and delete all resources, and read and update standard properties in Privileged Identity Management |
| [Link]/roleAssignments/allProperties/allTasks | Create and delete role assignments, and read and update all role assignment properties |
| [Link]/roleDefinitions/allProperties/allTasks | Create and delete role definitions, and read and update all properties |
| [Link]/scopedRoleMemberships/allProperties/allTasks | Create and delete scopedRoleMemberships, and read and update all properties |
| [Link]/servicePrincipals/appRoleAssignedTo/update | Update service principal role assignments |
| [Link]/servicePrincipals/permissions/update | Update permissions of service principals |
| [Link]/servicePrincipals/managePe[Link]-company-admin | Grant consent for any permission to any application |
| [Link]/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
Reports Reader
Users with this role can view usage reporting data and the reports dashboard in Microsoft 365 admin center and the adoption context pack in Power BI. Additionally, the role provides access to all sign-in logs, audit logs, and activity reports in Azure AD and data returned by the Microsoft Graph reporting API. A user assigned to the Reports Reader role can access only relevant usage and adoption metrics. They don't have any admin permissions to configure settings or access the product-specific admin centers like Exchange. This role has no access to view, create, or manage support tickets.
| Actions | Description |
| --- | --- |
| [Link]/auditLogs/allProperties/read | Read all properties on audit logs, including privileged properties |
| [Link]/provisioningLogs/allProperties/read | Read all properties of provisioning logs |
| [Link]/signInReports/allProperties/read | Read all properties on sign-in reports, including privileged properties |
| [Link]/allEntities/allTasks | Read and configure Azure Service Health |
| [Link]/performance/allProperties/read | Read all network performance properties in the Microsoft 365 admin center |
| [Link]/allEntities/allProperties/read | Read Office 365 usage reports |
| [Link]/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
Search Administrator
Users in this role have full access to all Microsoft Search management features in the Microsoft 365 admin center. Additionally, these users can view the message center, monitor service health, and create service requests.
| Actions | Description |
| --- | --- |
| [Link]/messages/read | Read messages in Message Center in the Microsoft 365 admin center, excluding security messages |
| [Link]/content/manage | Create and delete content, and read and update all properties in Microsoft Search |
| [Link]/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
| [Link]/allEntities/allTasks | Create and manage Microsoft 365 service requests |
| [Link]/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
Search Editor
Users in this role can create, manage, and delete content for Microsoft Search in the Microsoft 365 admin center, including bookmarks, Q&As, and locations.
| Actions | Description |
| --- | --- |
| [Link]/messages/read | Read messages in Message Center in the Microsoft 365 admin center, excluding security messages |
| [Link]/content/manage | Create and delete content, and read and update all properties in Microsoft Search |
| [Link]/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
Security Administrator
Users with this role have permissions to manage security-related features in the Microsoft 365 Defender portal, Azure Active Directory Identity Protection, Azure Active Directory Authentication, Azure Information Protection, and Office 365 Security & Compliance Center. More information about Office 365 permissions is available at Permissions in the Security & Compliance Center.
| In | Can do |
| --- | --- |
| Microsoft 365 security center | Monitor security-related policies across Microsoft 365 services; manage security threats and alerts; view reports |
| Identity Protection Center | All permissions of the Security Reader role; additionally, the ability to perform all Identity Protection Center operations except for resetting passwords |
| Privileged Identity Management | All permissions of the Security Reader role; cannot manage Azure AD role assignments or settings |
| Office 365 Security & Compliance Center | Manage security policies; view, investigate, and respond to security threats; view reports |
| Azure Advanced Threat Protection | Monitor and respond to suspicious security activity |
| Microsoft Defender for Endpoint | Assign roles; manage machine groups; configure endpoint threat detection and automated remediation; view, investigate, and respond to alerts; view machines/device inventory |
| Intune | View user, device, enrollment, configuration, and application information; cannot make changes to Intune |
| Microsoft Defender for Cloud Apps | Add admins, add policies and settings, upload logs and perform governance actions |
| Microsoft 365 service health | View the health of Microsoft 365 services |
| Smart lockout | Define the threshold and duration for lockouts when failed sign-in events happen |
| Password Protection | Configure custom banned password list or on-premises password protection |
| Actions | Description |
| --- | --- |
| [Link]/applications/policies/update | Update policies of applications |
| [Link]/auditLogs/allProperties/read | Read all properties on audit logs, including privileged properties |
| [Link]/authorizationPolicy/standard/read | Read standard properties of authorization policy |
| [Link]/bitlockerKeys/key/read | Read bitlocker metadata and key on devices |
| [Link]/crossTenantAccessPolicy/standard/read | Read basic properties of cross-tenant access policy |
| [Link]/crossTenantAccessPolicy/allowedCloudEndpoints/update | Update allowed cloud endpoints of cross-tenant access policy |
| [Link]/crossTenantAccessPolicy/basic/update | Update basic settings of cross-tenant access policy |
| [Link]/crossTenantAccessPolicy/default/standard/read | Read basic properties of the default cross-tenant access policy |
| [Link]/crossTenantAccessPolicy/default/b2bCollaboration/update | Update Azure AD B2B collaboration settings of the default cross-tenant access policy |
| [Link]/crossTenantAccessPolicy/default/b2bDirectConnect/update | Update Azure AD B2B direct connect settings of the default cross-tenant access policy |
| [Link]/crossTenantAccessPolicy/default/crossCloudMeetings/update | Update cross-cloud Teams meeting settings of the default cross-tenant access policy |
| [Link]/crossTenantAccessPolicy/default/tenantRestrictions/update | Update tenant restrictions of the default cross-tenant access policy |
| [Link]/crossTenantAccessPolicy/partners/create | Create cross-tenant access policy for partners |
| [Link]/crossTenantAccessPolicy/partners/delete | Delete cross-tenant access policy for partners |
| [Link]/crossTenantAccessPolicy/partners/standard/read | Read basic properties of cross-tenant access policy for partners |
| [Link]/crossTenantAccessPolicy/partners/b2bCollaboration/update | Update Azure AD B2B collaboration settings of cross-tenant access policy for partners |
| [Link]/crossTenantAccessPolicy/partners/b2bDirectConnect/update | Update Azure AD B2B direct connect settings of cross-tenant access policy for partners |
| [Link]/crossTenantAccessPolicy/partners/crossCloudMeetings/update | Update cross-cloud Teams meeting settings of cross-tenant access policy for partners |
| [Link]/crossTenantAccessPolicy/partners/tenantRestrictions/update | Update tenant restrictions of cross-tenant access policy for partners |
| [Link]/domains/federation/update | Update federation property of domains |
| [Link]/entitlementManagement/allProperties/read | Read all properties in Azure AD entitlement management |
| [Link]/identityProtection/allProperties/read | Read all resources in Azure AD Identity Protection |
| [Link]/identityProtection/allProperties/update | Update all resources in Azure AD Identity Protection |
| [Link]/namedLocations/create | Create custom rules that define network locations |
| [Link]/namedLocations/delete | Delete custom rules that define network locations |
| [Link]/namedLocations/standard/read | Read basic properties of custom rules that define network locations |
| [Link]/namedLocations/basic/update | Update basic properties of custom rules that define network locations |
| [Link]/policies/create | Create policies in Azure AD |
| [Link]/policies/delete | Delete policies in Azure AD |
| [Link]/policies/basic/update | Update basic properties on policies |
| [Link]/policies/owners/update | Update owners of policies |
| [Link]/policies/tenantDefault/update | Update default organization policies |
| [Link]/conditionalAccessPolicies/create | Create conditional access policies |
| [Link]/conditionalAccessPolicies/delete | Delete conditional access policies |
| [Link]/conditionalAccessPolicies/standard/read | Read conditional access for policies |
| [Link]/conditionalAccessPolicies/owners/read | Read the owners of conditional access policies |
| [Link]/conditionalAccessPolicies/policyAppliedTo/read | Read the "applied to" property for conditional access policies |
| [Link]/conditionalAccessPolicies/basic/update | Update basic properties for conditional access policies |
| [Link]/conditionalAccessPolicies/owners/update | Update owners for conditional access policies |
| [Link]/conditionalAccessPolicies/tenantDefault/update | Update the default tenant for conditional access policies |
| [Link]/privilegedIdentityManagement/allProperties/read | Read all resources in Privileged Identity Management |
| [Link]/provisioningLogs/allProperties/read | Read all properties of provisioning logs |
| [Link]/resourceNamespaces/resourceActions/authenticationContext/update | Update Conditional Access authentication context of Microsoft 365 role-based access control (RBAC) resource actions |
| [Link]/servicePrincipals/policies/update | Update policies of service principals |
| [Link]/signInReports/allProperties/read | Read all properties on sign-in reports, including privileged properties |
| [Link]/allEntities/allTasks | Read and configure Azure Service Health |
| [Link]/allEntities/allTasks | Create and manage Azure support tickets |
| [Link]/allEntities/standard/read | Read standard properties of all resources in the Security and Compliance centers |
| [Link]/allEntities/basic/update | Update basic properties of all resources in the Security and Compliance centers |
| [Link]/attackSimulator/payload/allProperties/allTasks | Create and manage attack payloads in Attack Simulator |
| [Link]/attackSimulator/reports/allProperties/read | Read reports of attack simulation responses and associated training |
| [Link]/attackSimulator/simulation/allProperties/allTasks | Create and manage attack simulation templates in Attack Simulator |
| [Link]/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
| [Link]/allEntities/allTasks | Create and manage Microsoft 365 service requests |
| [Link]/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
Security Operator
Users with this role can manage alerts and have global read-only access on security-
related features, including all information in Microsoft 365 security center, Azure Active
Directory, Identity Protection, Privileged Identity Management and Office 365 Security &
Compliance Center. More information about Office 365 permissions is available at
Permissions in the Security & Compliance Center.
In | Can do
Microsoft 365 security center | All permissions of the Security Reader role. View, investigate, and respond to security threat alerts. Manage security settings in security center.
Azure AD Identity Protection | All permissions of the Security Reader role. Additionally, the ability to perform all Identity Protection Center operations except for resetting passwords and configuring alert e-mails.
Privileged Identity Management | All permissions of the Security Reader role.
Office 365 Security & Compliance Center | All permissions of the Security Reader role. View, investigate, and respond to security alerts.
Microsoft Defender for Endpoint | All permissions of the Security Reader role. View, investigate, and respond to security alerts. When you turn on role-based access control in Microsoft Defender for Endpoint, users with read-only permissions such as the Security Reader role lose access until they are assigned a Microsoft Defender for Endpoint role.
Intune | All permissions of the Security Reader role.
Microsoft Defender for Cloud Apps | All permissions of the Security Reader role. View, investigate, and respond to security alerts.
Microsoft 365 service health | View the health of Microsoft 365 services.
Actions | Description
[Link]/auditLogs/allProperties/read | Read all properties on audit logs, including privileged properties
[Link]/authorizationPolicy/standard/read | Read standard properties of authorization policy
[Link]/cloudAppSecurity/allProperties/allTasks | Create and delete all resources, and read and update standard properties in Microsoft Defender for Cloud Apps
[Link]/identityProtection/allProperties/allTasks | Create and delete all resources, and read and update standard properties in Azure AD Identity Protection
[Link]/privilegedIdentityManagement/allProperties/read | Read all resources in Privileged Identity Management
[Link]/provisioningLogs/allProperties/read | Read all properties of provisioning logs
[Link]/signInReports/allProperties/read | Read all properties on sign-in reports, including privileged properties
[Link]/allEntities/allTasks | Manage all aspects of Azure Advanced Threat Protection
[Link]/allEntities/allTasks | Create and manage Azure support tickets
[Link]/allEntities/read | Read all resources in Microsoft Intune
[Link]/allEntities/allTasks | Create and delete all resources, and read and update standard properties in the Office 365 Security & Compliance Center
[Link]/allEntities/allTasks | Create and manage Microsoft 365 service requests
[Link]otection/allEntities/allTasks | Manage all aspects of Microsoft Defender for Endpoint
Security Reader
Users with this role have global read-only access on security-related features, including
all information in Microsoft 365 security center, Azure Active Directory, Identity
Protection, Privileged Identity Management, as well as the ability to read Azure Active
Directory sign-in reports and audit logs, and in Office 365 Security & Compliance
Center. More information about Office 365 permissions is available at Permissions in the
Security & Compliance Center.
In | Can do
Microsoft 365 security center | View security-related policies across Microsoft 365 services. View security threats and alerts. View reports.
Identity Protection Center | Read all security reports and settings information for security features: Anti-spam, Encryption, Data loss prevention, Anti-malware, Advanced threat protection, Anti-phishing, Mail flow rules.
Privileged Identity Management | Has read-only access to all information surfaced in Azure AD Privileged Identity Management: Policies and reports for Azure AD role assignments and security reviews. Cannot sign up for Azure AD Privileged Identity Management or make any changes to it. In the Privileged Identity Management portal or via PowerShell, someone in this role can activate additional roles (for example, Global Administrator or Privileged Role Administrator), if the user is eligible for them.
Office 365 Security & Compliance Center | View security policies. View and investigate security threats. View reports.
Microsoft Defender for Endpoint | View and investigate alerts. When you turn on role-based access control in Microsoft Defender for Endpoint, users with read-only permissions such as the Security Reader role lose access until they are assigned a Microsoft Defender for Endpoint role.
Intune | Views user, device, enrollment, configuration, and application information. Cannot make changes to Intune.
Microsoft Defender for Cloud Apps | Has read permissions.
Microsoft 365 service health | View the health of Microsoft 365 services.
Actions | Description
[Link]/accessReviews/definitions/allProperties/read | Read all properties of access reviews of all reviewable resources in Azure AD
[Link]/auditLogs/allProperties/read | Read all properties on audit logs, including privileged properties
[Link]/authorizationPolicy/standard/read | Read standard properties of authorization policy
[Link]/bitlockerKeys/key/read | Read bitlocker metadata and key on devices
[Link]/entitlementManagement/allProperties/read | Read all properties in Azure AD entitlement management
[Link]/identityProtection/allProperties/read | Read all resources in Azure AD Identity Protection
[Link]/namedLocations/standard/read | Read basic properties of custom rules that define network locations
[Link]/policies/standard/read | Read basic properties on policies
[Link]/policies/owners/read | Read owners of policies
[Link]/policies/policyAppliedTo/read | Read [Link] property
[Link]/conditionalAccessPolicies/standard/read | Read conditional access for policies
[Link]/conditionalAccessPolicies/owners/read | Read the owners of conditional access policies
[Link]/conditionalAccessPolicies/policyAppliedTo/read | Read the "applied to" property for conditional access policies
[Link]/privilegedIdentityManagement/allProperties/read | Read all resources in Privileged Identity Management
[Link]/provisioningLogs/allProperties/read | Read all properties of provisioning logs
[Link]/signInReports/allProperties/read | Read all properties on sign-in reports, including privileged properties
[Link]/allEntities/allTasks | Read and configure Azure Service Health
[Link]/allEntities/standard/read | Read standard properties of all resources in the Security and Compliance centers
[Link]/attackSimulator/payload/allProperties/read | Read all properties of attack payloads in Attack Simulator
[Link]/attackSimulator/reports/allProperties/read | Read reports of attack simulation responses and associated training
[Link]/attackSimulator/simulation/allProperties/read | Read all properties of attack simulation templates in Attack Simulator
[Link]/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center
[Link]/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center
Service Support Administrator
Users with this role can create and manage support requests with Microsoft for Azure
and Microsoft 365 services, and view the service dashboard and message center in the
Azure portal and Microsoft 365 admin center. More information at About admin
roles.
Note
Previously, this role was called "Service Administrator" in the Azure portal and
Microsoft 365 admin center. We have renamed it to "Service Support
Administrator" to align with the existing name in Microsoft Graph API and Azure
AD PowerShell.
Actions | Description
[Link]/allEntities/allTasks | Read and configure Azure Service Health
[Link]/allEntities/allTasks | Create and manage Azure support tickets
[Link]/performance/allProperties/read | Read all network performance properties in the Microsoft 365 admin center
[Link]/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center
[Link]/allEntities/allTasks | Create and manage Microsoft 365 service requests
[Link]/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center
SharePoint Administrator
Users with this role have global permissions within Microsoft SharePoint Online, when
the service is present, as well as the ability to create and manage all Microsoft 365
groups, manage support tickets, and monitor service health. More information at About
admin roles.
Note
In the Microsoft Graph API and Azure AD PowerShell, this role is identified as
"SharePoint Service Administrator." It is "SharePoint Administrator" in the Azure
portal.
Note
This role also grants scoped permissions to the Microsoft Graph API for Microsoft
Intune, allowing the management and configuration of policies related to
SharePoint and OneDrive resources.
Actions | Description
[Link]/groups/hiddenMembers/read | Read hidden members of Security groups and Microsoft 365 groups, including role-assignable groups
[Link]/[Link]/create | Create Microsoft 365 groups, excluding role-assignable groups
[Link]/[Link]/delete | Delete Microsoft 365 groups, excluding role-assignable groups
[Link]/[Link]/restore | Restore Microsoft 365 groups from soft-deleted container, excluding role-assignable groups
[Link]/[Link]/basic/update | Update basic properties on Microsoft 365 groups, excluding role-assignable groups
[Link]/[Link]/members/update | Update members of Microsoft 365 groups, excluding role-assignable groups
[Link]/[Link]/owners/update | Update owners of Microsoft 365 groups, excluding role-assignable groups
[Link]/allEntities/allTasks | Read and configure Azure Service Health
[Link]/allEntities/allTasks | Create and manage Azure support tickets
[Link]/performance/allProperties/read | Read all network performance properties in the Microsoft 365 admin center
[Link]/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center
[Link]/allEntities/allTasks | Create and delete all resources, and read and update standard properties in SharePoint
[Link]/allEntities/allTasks | Create and manage Microsoft 365 service requests
[Link]/allEntities/allProperties/read | Read Office 365 usage reports
[Link]/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center
Skype for Business Administrator
Users with this role have global permissions within Microsoft Skype for Business, when
the service is present, as well as the ability to manage Skype-specific user attributes in
Azure Active Directory. Additionally, this role grants the ability to manage support tickets
and monitor service health, and to access the Teams and Skype for Business admin center.
The account must also be licensed for Teams or it can't run Teams PowerShell cmdlets.
More information at About the Skype for Business admin role and Teams licensing
information at Skype for Business and Microsoft Teams add-on licensing.
Note
In the Microsoft Graph API and Azure AD PowerShell, this role is identified as "Lync
Service Administrator." It is "Skype for Business Administrator" in the Azure
portal.
Actions | Description
[Link]/allEntities/allTasks | Read and configure Azure Service Health
[Link]/allEntities/allTasks | Create and manage Azure support tickets
[Link]/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center
[Link]/allEntities/allTasks | Manage all aspects of Skype for Business Online
[Link]/allEntities/allTasks | Create and manage Microsoft 365 service requests
[Link]/allEntities/allProperties/read | Read Office 365 usage reports
[Link]/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center
Teams Administrator
Users in this role can manage all aspects of the Microsoft Teams workload via the
Microsoft Teams & Skype for Business admin center and the respective PowerShell
modules. This includes, among other areas, all management tools related to telephony,
messaging, meetings, and the teams themselves. This role additionally grants the ability
to create and manage all Microsoft 365 groups, manage support tickets, and monitor
service health.
Actions | Description
[Link]/authorizationPolicy/standard/read | Read standard properties of authorization policy
[Link]/groups/hiddenMembers/read | Read hidden members of Security groups and Microsoft 365 groups, including role-assignable groups
[Link]/[Link]/create | Create Microsoft 365 groups, excluding role-assignable groups
[Link]/[Link]/delete | Delete Microsoft 365 groups, excluding role-assignable groups
[Link]/[Link]/restore | Restore Microsoft 365 groups from soft-deleted container, excluding role-assignable groups
[Link]/[Link]/basic/update | Update basic properties on Microsoft 365 groups, excluding role-assignable groups
[Link]/[Link]/members/update | Update members of Microsoft 365 groups, excluding role-assignable groups
[Link]/[Link]/owners/update | Update owners of Microsoft 365 groups, excluding role-assignable groups
[Link]/allEntities/allTasks | Read and configure Azure Service Health
[Link]/allEntities/allTasks | Create and manage Azure support tickets
[Link]/performance/allProperties/read | Read all network performance properties in the Microsoft 365 admin center
[Link]/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center
[Link]/allEntities/allTasks | Manage all aspects of Skype for Business Online
[Link]/allEntities/allTasks | Create and manage Microsoft 365 service requests
[Link]/allEntities/allProperties/read | Read Office 365 usage reports
[Link]/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center
[Link]/allEntities/allProperties/allTasks | Manage all resources in Teams
[Link]/crossTenantAccessPolicy/standard/read | Read basic properties of cross-tenant access policy
[Link]/crossTenantAccessPolicy/allowedCloudEndpoints/update | Update allowed cloud endpoints of cross-tenant access policy
[Link]/crossTenantAccessPolicy/default/standard/read | Read basic properties of the default cross-tenant access policy
[Link]/crossTenantAccessPolicy/default/crossCloudMeetings/update | Update cross-cloud Teams meeting settings of the default cross-tenant access policy
[Link]/crossTenantAccessPolicy/partners/create | Create cross-tenant access policy for partners
[Link]/crossTenantAccessPolicy/partners/standard/read | Read basic properties of cross-tenant access policy for partners
[Link]/crossTenantAccessPolicy/partners/crossCloudMeetings/update | Update cross-cloud Teams meeting settings of cross-tenant access policy for partners
Teams Communications Administrator
Users in this role can manage aspects of the Microsoft Teams workload related to voice
& telephony. This includes the management tools for telephone number assignment,
voice and meeting policies, and full access to the call analytics toolset.
Actions | Description
[Link]/authorizationPolicy/standard/read | Read standard properties of authorization policy
[Link]/allEntities/allTasks | Read and configure Azure Service Health
[Link]/allEntities/allTasks | Create and manage Azure support tickets
[Link]/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center
[Link]/allEntities/allTasks | Manage all aspects of Skype for Business Online
[Link]/allEntities/allTasks | Create and manage Microsoft 365 service requests
[Link]/allEntities/allProperties/read | Read Office 365 usage reports
[Link]/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center
[Link]/callQuality/allProperties/read | Read all data in the Call Quality Dashboard (CQD)
[Link]/meetings/allProperties/allTasks | Manage meetings including meeting policies, configurations, and conference bridges
[Link]/voice/allProperties/allTasks | Manage voice including calling policies and phone number inventory and assignment
Teams Communications Support Engineer
Users in this role can troubleshoot communication issues within Microsoft Teams &
Skype for Business using the user call troubleshooting tools in the Microsoft Teams &
Skype for Business admin center. Users in this role can view full call record information
for all participants involved. This role has no access to view, create, or manage support
tickets.
Actions | Description
[Link]/authorizationPolicy/standard/read | Read standard properties of authorization policy
[Link]/allEntities/allTasks | Read and configure Azure Service Health
[Link]/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center
[Link]/allEntities/allTasks | Manage all aspects of Skype for Business Online
[Link]/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center
[Link]/callQuality/allProperties/read | Read all data in the Call Quality Dashboard (CQD)
Teams Communications Support Specialist
Users in this role can troubleshoot communication issues within Microsoft Teams &
Skype for Business using the user call troubleshooting tools in the Microsoft Teams &
Skype for Business admin center. Users in this role can only view user details in the call
for the specific user they have looked up. This role has no access to view, create, or
manage support tickets.
Actions | Description
[Link]/authorizationPolicy/standard/read | Read standard properties of authorization policy
[Link]/allEntities/allTasks | Read and configure Azure Service Health
[Link]/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center
[Link]/allEntities/allTasks | Manage all aspects of Skype for Business Online
[Link]/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center
[Link]/callQuality/standard/read | Read basic data in the Call Quality Dashboard (CQD)
Teams Devices Administrator
Users with this role can manage Teams-certified devices from the Teams admin center.
This role allows viewing all devices at a single glance, with the ability to search and filter
devices. The user can check the details of each device, including the logged-in account
and the make and model of the device. The user can change the settings on the device
and update the software versions. This role does not grant permissions to check Teams
activity and call quality of the device.
Actions | Description
[Link]/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center
[Link]/devices/standard/read | Manage all aspects of Teams-certified devices including configuration policies
Tenant Creator
Assign the Tenant Creator role to users who need to do the following tasks:
Create both Azure Active Directory and Azure Active Directory B2C tenants even if
the tenant creation toggle is turned off in the user settings
Note
The tenant creators will be assigned the Global administrator role on the new
tenants they create.
Actions | Description
[Link]/tenantManagement/tenants/create | Create new tenants in Azure Active Directory
Usage Summary Reports Reader
Users with this role can access tenant level aggregated data and associated insights in
Microsoft 365 admin center for Usage and Productivity Score but cannot access any user
level details or insights. In Microsoft 365 admin center for the two reports, we
differentiate between tenant level aggregated data and user level details. This role gives
an extra layer of protection on individual user identifiable data, which was requested by
both customers and legal teams.
Actions | Description
[Link]/performance/allProperties/read | Read all network performance properties in the Microsoft 365 admin center
[Link]/allEntities/standard/read | Read tenant-level aggregated Office 365 usage reports
[Link]/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center
User Administrator
Assign the User Administrator role to users who need to do the following:
Permission | More information
Create users |
Update most user properties for all users, including all administrators | Who can perform sensitive actions
Update sensitive properties (including user principal name) for some users | Who can perform sensitive actions
Disable or enable some users | Who can perform sensitive actions
Delete or restore some users | Who can perform sensitive actions
Create and manage user views |
Create and manage all groups |
Assign licenses for all users, including all administrators |
Reset passwords | Who can reset passwords
Invalidate refresh tokens | Who can reset passwords
Update (FIDO) device keys |
Update password expiration policies |
Create and manage support tickets in Azure and the Microsoft 365 admin center |
Monitor service health |
Users with this role cannot do the following:
Cannot manage MFA.
Cannot change the credentials or reset MFA for members and owners of a role-
assignable group.
Cannot manage shared mailboxes.
Important
Users with this role can change passwords for people who may have access to
sensitive or private information or critical configuration inside and outside of Azure
Active Directory. Changing the password of a user may mean the ability to assume
that user's identity and permissions. For example:
Application Registration and Enterprise Application owners, who can manage
credentials of apps they own. Those apps may have privileged permissions in
Azure AD and elsewhere not granted to User Administrators. Through this
path a User Administrator may be able to assume the identity of an
application owner and then further assume the identity of a privileged
application by updating the credentials for the application.
Azure subscription owners, who may have access to sensitive or private
information or critical configuration in Azure.
Security Group and Microsoft 365 group owners, who can manage group
membership. Those groups may grant access to sensitive or private
information or critical configuration in Azure AD and elsewhere.
Administrators in other services outside of Azure AD like Exchange Online,
Office Security and Compliance Center, and human resources systems.
Non-administrators like executives, legal counsel, and human resources
employees who may have access to sensitive or private information.
Actions | Description
[Link]/accessReviews/definitions.applications/allProperties/allTasks | Manage access reviews of application role assignments in Azure AD
[Link]/accessReviews/definitions.directoryRoles/allProperties/read | Read all properties of access reviews for Azure AD role assignments
[Link]/accessReviews/definitions.entitlementManagement/allProperties/allTasks | Manage access reviews for access package assignments in entitlement management
[Link]/accessReviews/definitions.groups/allProperties/update | Update all properties of access reviews for membership in Security and Microsoft 365 groups, excluding role-assignable groups.
[Link]/accessReviews/definitions.groups/create | Create access reviews for membership in Security and Microsoft 365 groups.
[Link]/accessReviews/definitions.groups/delete | Delete access reviews for membership in Security and Microsoft 365 groups.
[Link]/accessReviews/definitions.groups/allProperties/read | Read all properties of access reviews for membership in Security and Microsoft 365 groups, including role-assignable groups.
[Link]/contacts/create | Create contacts
[Link]/contacts/delete | Delete contacts
[Link]/contacts/basic/update | Update basic properties on contacts
[Link]/[Link]/restore | Restore soft deleted groups to original state
[Link]/[Link]/restore | Restore soft deleted users to original state
[Link]/entitlementManagement/allProperties/allTasks | Create and delete resources, and read and update all properties in Azure AD entitlement management
[Link]/groups/assignLicense | Assign product licenses to groups for group-based licensing
[Link]/groups/create | Create Security groups and Microsoft 365 groups, excluding role-assignable groups
[Link]/groups/delete | Delete Security groups and Microsoft 365 groups, excluding role-assignable groups
[Link]/groups/hiddenMembers/read | Read hidden members of Security groups and Microsoft 365 groups, including role-assignable groups
[Link]/groups/reprocessLicenseAssignment | Reprocess license assignments for group-based licensing
[Link]/groups/restore | Restore groups from soft-deleted container
[Link]/groups/basic/update | Update basic properties on Security groups and Microsoft 365 groups, excluding role-assignable groups
[Link]/groups/classification/update | Update the classification property on Security groups and Microsoft 365 groups, excluding role-assignable groups
[Link]/groups/dynamicMembershipRule/update | Update the dynamic membership rule on Security groups and Microsoft 365 groups, excluding role-assignable groups
[Link]/groups/groupType/update | Update properties that would affect the group type of Security groups and Microsoft 365 groups, excluding role-assignable groups
[Link]/groups/members/update | Update members of Security groups and Microsoft 365 groups, excluding role-assignable groups
[Link]/groups/onPremWriteBack/update | Update Azure Active Directory groups to be written back to on-premises with Azure AD Connect
[Link]/groups/owners/update | Update owners of Security groups and Microsoft 365 groups, excluding role-assignable groups
[Link]/groups/settings/update | Update settings of groups
[Link]/groups/visibility/update | Update the visibility property of Security groups and Microsoft 365 groups, excluding role-assignable groups
[Link]/oAuth2PermissionGrants/allProperties/allTasks | Create and delete OAuth 2.0 permission grants, and read and update all properties
[Link]/policies/standard/read | Read basic properties on policies
[Link]/servicePrincipals/appRoleAssignedTo/update | Update service principal role assignments
[Link]/users/assignLicense | Manage user licenses
[Link]/users/create | Add users
[Link]/users/delete | Delete users
[Link]/users/disable | Disable users
[Link]/users/enable | Enable users
[Link]/users/inviteGuest | Invite guest users
[Link]/users/invalidateAllRefreshTokens | Force sign-out by invalidating user refresh tokens
[Link]/users/reprocessLicenseAssignment | Reprocess license assignments for users
[Link]/users/restore | Restore deleted users
[Link]/users/basic/update | Update basic properties on users
[Link]/users/manager/update | Update manager for users
[Link]/users/password/update | Reset passwords for all users
[Link]/users/photo/update | Update photo of users
[Link]/users/userPrincipalName/update | Update User Principal Name of users
[Link]/allEntities/allTasks | Read and configure Azure Service Health
[Link]/allEntities/allTasks | Create and manage Azure support tickets
[Link]/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center
[Link]/allEntities/allTasks | Create and manage Microsoft 365 service requests
[Link]/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center
Virtual Visits Administrator
Users with this role can do the following tasks:
Manage and configure all aspects of Virtual Visits in Bookings in the Microsoft 365
admin center, and in the Teams EHR connector
View usage reports for Virtual Visits in the Teams admin center, Microsoft 365
admin center, and PowerBI
View features and settings in the Microsoft 365 admin center, but can't edit any
settings
Virtual Visits are a simple way to schedule and manage online and video appointments
for staff and attendees. For example, usage reporting can show how sending SMS text
messages before appointments can reduce the number of people who don't show up
for appointments.
Actions | Description
[Link]/allEntities/allProperties/allTasks | Manage and share Virtual Visits information and metrics from admin centers or the Virtual Visits app
[Link]/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center
Windows 365 Administrator
Users with this role have global permissions on Windows 365 resources, when the
service is present. Additionally, this role contains the ability to manage users and devices
in order to associate policy, as well as create and manage groups.
This role can create and manage security groups, but does not have administrator rights
over Microsoft 365 groups. That means administrators cannot update owners or
memberships of Microsoft 365 groups in the organization. However, they can manage
the Microsoft 365 group they create, which is a part of their end-user privileges. So, any
Microsoft 365 group (not security group) they create is counted against their quota of
250.
Assign the Windows 365 Administrator role to users who need to do the following tasks:
Manage Windows 365 Cloud PCs in Microsoft Endpoint Manager
Enroll and manage devices in Azure AD, including assigning users and policies
Create and manage security groups, but not role-assignable groups
View basic properties in the Microsoft 365 admin center
Read usage reports in the Microsoft 365 admin center
Create and manage support tickets in Azure and the Microsoft 365 admin center
Actions | Description
[Link]/[Link]/delete | Permanently delete devices, which can no longer be restored
[Link]/[Link]/restore | Restore soft deleted devices to original state
[Link]/devices/create | Create devices (enroll in Azure AD)
[Link]/devices/delete | Delete devices from Azure AD
[Link]/devices/disable | Disable devices in Azure AD
[Link]/devices/enable | Enable devices in Azure AD
[Link]/devices/basic/update | Update basic properties on devices
[Link]/devices/extensionAttributeSet1/update | Update the extensionAttribute1 to extensionAttribute5 properties on devices
[Link]/devices/extensionAttributeSet2/update | Update the extensionAttribute6 to extensionAttribute10 properties on devices
[Link]/devices/extensionAttributeSet3/update | Update the extensionAttribute11 to extensionAttribute15 properties on devices
[Link]/devices/registeredOwners/update | Update registered owners of devices
[Link]/devices/registeredUsers/update | Update registered users of devices
[Link]/[Link]/create | Create Security groups, excluding role-assignable groups
[Link]/[Link]/delete | Delete Security groups, excluding role-assignable groups
[Link]/[Link]/basic/update | Update basic properties on Security groups, excluding role-assignable groups
[Link]/[Link]/classification/update | Update the classification property on Security groups, excluding role-assignable groups
[Link]/[Link]/dynamicMembershipRule/update | Update the dynamic membership rule on Security groups, excluding role-assignable groups
[Link]/[Link]/members/update | Update members of Security groups, excluding role-assignable groups
[Link]/[Link]/owners/update | Update owners of Security groups, excluding role-assignable groups
[Link]/[Link]/visibility/update | Update the visibility property on Security groups, excluding role-assignable groups
[Link]/deviceManagementPolicies/standard/read | Read standard properties on device management application policies
[Link]/deviceRegistrationPolicy/standard/read | Read standard properties on device registration policies
[Link]/allEntities/allTasks | Create and manage Azure support tickets
[Link]/allEntities/allProperties/allTasks | Manage all aspects of Windows 365
[Link]/allEntities/allTasks | Create and manage Microsoft 365 service requests
[Link]/allEntities/allProperties/read | Read Office 365 usage reports
[Link]/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center
Windows Update Deployment Administrator
Users in this role can create and manage all aspects of Windows Update deployments
through the Windows Update for Business deployment service. The deployment service
enables users to define settings for when and how updates are deployed, and specify
which updates are offered to groups of devices in their tenant. It also allows users to
monitor the update progress.
Actions | Description
[Link]/allEntities/allProperties/allTasks | Read and configure all aspects of Windows Update Service
Yammer Administrator
Assign the Yammer Administrator role to users who need to do the following tasks:
Manage all aspects of Yammer
Create, manage, and restore Microsoft 365 Groups, but not role-assignable groups
View the hidden members of Security groups and Microsoft 365 groups, including role-assignable groups
Read usage reports in the Microsoft 365 admin center
Create and manage service requests in the Microsoft 365 admin center
View announcements in the Message center, but not security announcements
View service health
Actions | Description
[Link]/groups/hiddenMembers/read | Read hidden members of Security groups and Microsoft 365 groups, including role-assignable groups
[Link]/[Link]/create | Create Microsoft 365 groups, excluding role-assignable groups
[Link]/[Link]/delete | Delete Microsoft 365 groups, excluding role-assignable groups
[Link]/[Link]/restore | Restore Microsoft 365 groups from soft-deleted container, excluding role-assignable groups
[Link]/[Link]/basic/update | Update basic properties on Microsoft 365 groups, excluding role-assignable groups
[Link]/[Link]/members/update | Update members of Microsoft 365 groups, excluding role-assignable groups
[Link]/[Link]/owners/update | Update owners of Microsoft 365 groups, excluding role-assignable groups
[Link]/messages/read | Read messages in Message Center in the Microsoft 365 admin center, excluding security messages
[Link]/performance/allProperties/read | Read all network performance properties in the Microsoft 365 admin center
[Link]/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center
[Link]/allEntities/allTasks | Create and manage Microsoft 365 service requests
[Link]/allEntities/allProperties/read | Read Office 365 usage reports
[Link]/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center
[Link]/allEntities/allProperties/allTasks | Manage all aspects of Yammer
How to understand role permissions
The schema for permissions loosely follows the REST format of Microsoft Graph:
<namespace>/<entity>/<propertySet>/<action>
For example:
[Link]/applications/credentials/update
Permission element | Description
namespace | Product or service that exposes the task, prefixed with microsoft. For example, all tasks in Azure AD use the [Link] namespace.
entity | Logical feature or component exposed by the service in Microsoft Graph. For example, Azure AD exposes User and Groups, OneNote exposes Notes, and Exchange exposes Mailboxes and Calendars. There is a special allEntities keyword for specifying all entities in a namespace. This is often used in roles that grant access to an entire product.
propertySet | Specific properties or aspects of the entity for which access is being granted. For example, [Link]/applications/authentication/read grants the ability to read the reply URL, logout URL, and implicit flow property on the application object in Azure AD. Three keywords are defined:
  allProperties designates all properties of the entity, including privileged properties.
  standard designates common properties, but excludes privileged ones related to the read action. For example, [Link]/user/standard/read includes the ability to read standard properties like public phone number and email address, but not the private secondary phone number or email address used for multifactor authentication.
  basic designates common properties, but excludes privileged ones related to the update action. The set of properties that you can read may be different from what you can update, which is why there are separate standard and basic keywords.
action | Operation being granted, most typically create, read, update, or delete (CRUD). There is a special allTasks keyword for specifying all of the above abilities (create, read, update, and delete).
Deprecated roles
The following roles should not be used. They have been deprecated and will be
removed from Azure AD in the future.
AdHoc License Administrator
Device Join
Device Managers
Device Users
Email Verified User Creator
Mailbox Administrator
Workplace Device Join
Roles not shown in the portal
Not every role returned by PowerShell or the Microsoft Graph API is visible in the Azure portal. The following table organizes those differences.
API name | Azure portal name | Notes
Device Join | Deprecated | Deprecated roles documentation
Device Managers | Deprecated | Deprecated roles documentation
Device Users | Deprecated | Deprecated roles documentation
Directory Synchronization Accounts | Not shown because it shouldn't be used | Directory Synchronization Accounts documentation
Guest User | Not shown because it can't be used | NA
Partner Tier 1 Support | Not shown because it shouldn't be used | Partner Tier1 Support documentation
Partner Tier 2 Support | Not shown because it shouldn't be used | Partner Tier2 Support documentation
Restricted Guest User | Not shown because it can't be used | NA
User | Not shown because it can't be used | NA
Workplace Device Join | Deprecated | Deprecated roles documentation
Who can reset passwords
In the following table, the columns list the roles that can reset passwords and invalidate refresh tokens. The rows list the roles whose password can be reset.
The following table is for roles assigned at the scope of a tenant. For roles assigned at the scope of an administrative unit, further restrictions apply.
Columns (roles that can reset the password): Password Admin, Helpdesk Admin, Auth Admin, User Admin, Privileged Auth Admin, Global Admin
Role that password can be reset
Auth Admin ✔️ ✔️ ✔️
Directory Readers ✔️ ✔️ ✔️ ✔️ ✔️ ✔️
Global Admin ✔️ ✔️*
Groups Admin ✔️ ✔️ ✔️
Guest Inviter ✔️ ✔️ ✔️ ✔️ ✔️ ✔️
Helpdesk Admin ✔️ ✔️ ✔️ ✔️
Message Center Reader ✔️ ✔️ ✔️ ✔️ ✔️
Password Admin ✔️ ✔️ ✔️ ✔️ ✔️ ✔️
Privileged Auth Admin ✔️ ✔️
Privileged Role Admin ✔️ ✔️
Reports Reader ✔️ ✔️ ✔️ ✔️ ✔️
User (no admin role) ✔️ ✔️ ✔️ ✔️ ✔️ ✔️
User (no admin role, but member or owner of a role-assignable group) ✔️ ✔️
User Admin ✔️ ✔️ ✔️
Usage Summary Reports Reader ✔️ ✔️ ✔️ ✔️ ✔️
* A Global Administrator cannot remove their own Global Administrator assignment. This is to prevent a situation where an organization has 0 Global Administrators.
Note
The ability to reset a password includes the ability to update the following sensitive properties required for self-service password reset:
businessPhones
mobilePhone
otherMails
Who can perform sensitive actions
Some administrators can perform the following sensitive actions for some users. All users can read the sensitive properties.
Sensitive action | Sensitive property name
Disable or enable users | accountEnabled
Update business phone | businessPhones
Update mobile phone | mobilePhone
Update on-premises immutable ID | onPremisesImmutableId
Update other emails | otherMails
Update password profile | passwordProfile
Update user principal name | userPrincipalName
Delete or restore users | Not applicable
In the following table, the columns list the roles that can perform sensitive actions. The rows list the roles upon which the sensitive action can be performed.
The following table is for roles assigned at the scope of a tenant. For roles assigned at the scope of an administrative unit, further restrictions apply.
Columns (roles that can perform the sensitive action): Auth Admin, User Admin, Privileged Auth Admin, Global Admin
Role that sensitive action can be performed upon
Auth Admin ✔️ ✔️ ✔️
Directory Readers ✔️ ✔️ ✔️ ✔️
Global Admin ✔️ ✔️
Groups Admin ✔️ ✔️ ✔️
Guest Inviter ✔️ ✔️ ✔️ ✔️
Helpdesk Admin ✔️ ✔️ ✔️
Message Center Reader ✔️ ✔️ ✔️ ✔️
Password Admin ✔️ ✔️ ✔️ ✔️
Privileged Auth Admin ✔️ ✔️
Privileged Role Admin ✔️ ✔️
Reports Reader ✔️ ✔️ ✔️ ✔️
User (no admin role) ✔️ ✔️ ✔️ ✔️
User (no admin role, but member or owner of a role-assignable group) ✔️ ✔️
User Admin ✔️ ✔️ ✔️
Usage Summary Reports Reader ✔️ ✔️ ✔️ ✔️
Next steps
Assign Azure AD roles to groups
Understand the different roles
Assign a user as an administrator of an Azure subscription
Least privileged roles by task in Azure Active Directory
Article • 01/05/2023 • 9 minutes to read
In this article, you can find the information needed to restrict a user's administrator
permissions by assigning least privileged roles in Azure Active Directory (Azure AD). You
will find tasks organized by feature area and the least privileged role required to
perform each task, along with additional non-Global Administrator roles that can
perform the task.
You can further restrict permissions by assigning roles at smaller scopes or by creating
your own custom roles. For more information, see Assign Azure AD roles at different
scopes or Create and assign a custom role.
Application proxy
Task | Least privileged role | Additional roles
Configure application proxy app | Application Administrator
Configure connector group properties | Application Administrator
Create application registration when ability is disabled for all users | Application Developer | Cloud Application Administrator; Application Administrator
Create connector group | Application Administrator
Delete connector group | Application Administrator
Disable application proxy | Application Administrator
Download connector service | Application Administrator
Read all configuration | Application Administrator
External Identities/B2C
Task | Least privileged role | Additional roles
Create Azure AD B2C directories | All non-guest users
Create B2C applications | Global Administrator
Create enterprise applications | Cloud Application Administrator | Application Administrator
Create, read, update, and delete B2C policies | B2C IEF Policy Administrator
Create, read, update, and delete identity providers | External Identity Provider Administrator
Create, read, update, and delete password reset user flows | External ID User Flow Administrator
Create, read, update, and delete profile editing user flows | External ID User Flow Administrator
Create, read, update, and delete sign-in user flows | External ID User Flow Administrator
Create, read, update, and delete sign-up user flow | External ID User Flow Administrator
Create, read, update, and delete user attributes | External ID User Flow Attribute Administrator
Create, read, update, and delete users | User Administrator
Configure B2B external collaboration settings | Global Administrator
Read all configuration | Global Reader
Read B2C audit logs | Global Reader
Note
Azure AD B2C Global Administrators do not have the same permissions as Azure AD Global Administrators. If you have Azure AD B2C Global Administrator privileges, make sure that you are in an Azure AD B2C directory and not an Azure AD directory.
Company branding
Task | Least privileged role | Additional roles
Configure company branding | Global Administrator
Read all configuration | Directory Readers | Default user role
Company properties
Task | Least privileged role | Additional roles
Configure company properties | Global Administrator
Connect
Task | Least privileged role | Additional roles
Passthrough authentication | Global Administrator
Read all configuration | Global Reader | Global Administrator
Seamless single sign-on | Global Administrator
Cloud Provisioning
Task | Least privileged role | Additional roles
Passthrough authentication | Hybrid Identity Administrator
Read all configuration | Global Reader | Hybrid Identity Administrator
Seamless single sign-on | Hybrid Identity Administrator
Connect Health
Task | Least privileged role | Additional roles
Add or delete services | Owner
Apply fixes to sync error | Contributor | Owner
Configure notifications | Contributor | Owner
Configure settings | Owner
Configure sync notifications | Contributor | Owner
Read ADFS security reports | Security Reader | Contributor; Owner
Read all configuration | Reader | Contributor; Owner
Read sync errors | Reader | Contributor; Owner
Read sync services | Reader | Contributor; Owner
View metrics and alerts | Reader | Contributor; Owner
View sync service metrics and alerts | Reader | Contributor; Owner
Custom domain names
Task | Least privileged role | Additional roles
Manage domains | Domain Name Administrator
Read all configuration | Directory Readers | Default user role
Domain Services
Task | Least privileged role | Additional roles
Create Azure AD Domain Services instance | Application Administrator; Groups Administrator; Domain Services Contributor
Perform all Azure AD Domain Services tasks | AAD DC Administrators group
Read all configuration | Reader on Azure subscription containing AD DS service
Devices
Task | Least privileged role | Additional roles
Delete device | Cloud Device Administrator | Intune Administrator
Disable device | Cloud Device Administrator | Intune Administrator
Enable device | Cloud Device Administrator | Intune Administrator
Read basic configuration | Default user role
Read BitLocker keys | Cloud Device Administrator | Helpdesk Administrator; Intune Administrator; Security Administrator; Security Reader
Enterprise applications
Task | Least privileged role | Additional roles
Consent to any delegated permissions | Cloud Application Administrator | Application Administrator
Consent to application permissions not including Microsoft Graph | Cloud Application Administrator | Application Administrator
Consent to application permissions to Microsoft Graph | Privileged Role Administrator
Consent to applications accessing own data | Default user role
Create enterprise application | Cloud Application Administrator | Application Administrator
Manage Application Proxy | Application Administrator
Manage user settings | Global Administrator
Read access review of a group or of an app | Security Reader | Security Administrator; User Administrator
Read all configuration | Default user role
Update enterprise application assignments | Enterprise application owner | Cloud Application Administrator; Application Administrator; User Administrator
Update enterprise application owners | Enterprise application owner | Cloud Application Administrator; Application Administrator
Update enterprise application properties | Enterprise application owner | Cloud Application Administrator; Application Administrator
Update enterprise application provisioning | Enterprise application owner | Cloud Application Administrator; Application Administrator
Update enterprise application self-service | Enterprise application owner | Cloud Application Administrator; Application Administrator
Update single sign-on properties | Enterprise application owner | Cloud Application Administrator; Application Administrator
Entitlement management
Task | Least privileged role | Additional roles
Add resources to a catalog | Identity Governance Administrator | With entitlement management, you can delegate this task to the catalog owner
Add SharePoint Online sites to catalog | SharePoint Administrator
Groups
Task | Least privileged role | Additional roles
Assign license | User Administrator
Create group | Groups Administrator | User Administrator
Create, update, or delete access review of a group or of an app | User Administrator
Manage group expiration | User Administrator
Manage group settings | Groups Administrator | User Administrator
Read all configuration (except hidden membership) | Directory Readers | Default user role
Read hidden membership | Group member | Group owner; Password Administrator; Exchange Administrator; SharePoint Administrator; Teams Administrator; User Administrator
Read membership of groups with hidden membership | Helpdesk Administrator | User Administrator; Teams Administrator
Revoke license | License Administrator | User Administrator
Update group membership | Group owner | User Administrator
Update group owners | Group owner | User Administrator
Update group properties | Group owner | User Administrator
Delete group | Groups Administrator | User Administrator
Identity Protection
Task | Least privileged role | Additional roles
Configure alert notifications | Security Administrator
Configure and enable or disable MFA policy | Security Administrator
Configure and enable or disable sign-in risk policy | Security Administrator
Configure and enable or disable user risk policy | Security Administrator
Configure weekly digests | Security Administrator
Dismiss all risk detections | Security Administrator
Fix or dismiss vulnerability | Security Administrator
Read all configuration | Security Reader
Read all risk detections | Security Reader
Read vulnerabilities | Security Reader
Licenses
Task | Least privileged role | Additional roles
Assign license | License Administrator | User Administrator
Read all configuration | Directory Readers | Default user role
Revoke license | License Administrator | User Administrator
Try or buy subscription | Billing Administrator
Monitoring - Audit logs
Task | Least privileged role | Additional roles
Read audit logs | Reports Reader | Security Reader; Security Administrator
Monitoring - Sign-ins
Task | Least privileged role | Additional roles
Read sign-in logs | Reports Reader | Security Reader; Security Administrator; Global Reader
Multi-factor authentication
Task | Least privileged role | Additional roles
Delete all existing app passwords generated by the selected users | Global Administrator
Disable per-user MFA | Authentication Administrator (via PowerShell) | Privileged Authentication Administrator (via PowerShell)
Enable per-user MFA | Authentication Administrator (via PowerShell) | Privileged Authentication Administrator (via PowerShell)
Manage MFA service settings | Authentication Policy Administrator
Require selected users to provide contact methods again | Authentication Administrator
Restore multi-factor authentication on all remembered devices | Authentication Administrator
MFA Server
Task | Least privileged role | Additional roles
Block/unblock users | Authentication Policy Administrator
Configure account lockout | Authentication Policy Administrator
Configure caching rules | Authentication Policy Administrator
Configure fraud alert | Authentication Policy Administrator
Configure notifications | Authentication Policy Administrator
Configure one-time bypass | Authentication Policy Administrator
Configure phone call settings | Authentication Policy Administrator
Configure providers | Authentication Policy Administrator
Configure server settings | Authentication Policy Administrator
Read activity report | Global Reader
Read all configuration | Global Reader
Read server status | Global Reader
Organizational relationships
Task | Least privileged role | Additional roles
Manage identity providers | External Identity Provider Administrator
Manage settings | Global Administrator
Manage terms of use | Global Administrator
Read all configuration | Global Reader
Password reset
Task | Least privileged role | Additional roles
Configure authentication methods | Global Administrator
Configure customization | Global Administrator
Configure notification | Global Administrator
Configure on-premises integration | Global Administrator
Configure password reset properties | User Administrator | Global Administrator
Configure registration | Global Administrator
Read all configuration | Security Administrator | User Administrator
Privileged identity management
Task | Least privileged role | Additional roles
Assign users to roles | Privileged Role Administrator
Configure role settings | Privileged Role Administrator
View audit activity | Security Reader
View role memberships | Security Reader
Roles and administrators
Task | Least privileged role | Additional roles
Manage role assignments | Privileged Role Administrator
Read access review of an Azure AD role | Security Reader | Security Administrator; Privileged Role Administrator
Read all configuration | Default user role
Security - Authentication methods
Task | Least privileged role | Additional roles
Configure authentication methods | Global Administrator
Configure password protection | Security Administrator
Configure smart lockout | Security Administrator
Read all configuration | Global Reader
Security - Conditional Access
Task | Least privileged role | Additional roles
Configure MFA trusted IP addresses | Conditional Access Administrator
Create custom controls | Conditional Access Administrator | Security Administrator
Create named locations | Conditional Access Administrator | Security Administrator
Create policies | Conditional Access Administrator | Security Administrator
Create terms of use | Conditional Access Administrator | Security Administrator
Create VPN connectivity certificate | Global Administrator
Delete classic policy | Conditional Access Administrator | Security Administrator
Delete terms of use | Conditional Access Administrator | Security Administrator
Delete VPN connectivity certificate | Conditional Access Administrator | Security Administrator
Disable classic policy | Conditional Access Administrator | Security Administrator
Manage custom controls | Conditional Access Administrator | Security Administrator
Manage named locations | Conditional Access Administrator | Security Administrator
Manage terms of use | Conditional Access Administrator | Security Administrator
Read all configuration | Security Reader | Security Administrator
Read named locations | Security Reader | Conditional Access Administrator; Security Administrator
Security - Identity security score
Task | Least privileged role | Additional roles
Read all configuration | Security Reader | Security Administrator
Read security score | Security Reader | Security Administrator
Update event status | Security Administrator
Security - Risky sign-ins
Task | Least privileged role | Additional roles
Read all configuration | Security Reader
Read risky sign-ins | Security Reader
Security - Users flagged for risk
Task | Least privileged role | Additional roles
Dismiss all events | Security Administrator
Read all configuration | Security Reader
Read users flagged for risk | Security Reader
Temporary Access Pass
Task | Least privileged role | Additional roles
Create, delete, or view a Temporary Access Pass for any user (except themselves) and can configure and manage authentication method policy | Global Administrator
Create, delete, or view a Temporary Access Pass for admins or members (except themselves) | Privileged Authentication Administrator
Create, delete, or view a Temporary Access Pass for members (except themselves) | Authentication Administrator
View a Temporary Access Pass details for a user (without reading the code itself) | Global Reader
Configure or update the Temporary Access Pass authentication method policy | Authentication Policy Administrator
Tenant Creation
Task | Least privileged role | Additional roles
Create Azure AD or Azure AD B2C Tenant | Tenant Creator | Global Administrator
Users
Task | Least privileged role | Additional roles
Add user to directory role | Privileged Role Administrator
Add user to group | User Administrator
Assign license | License Administrator | User Administrator
Create guest user | Guest Inviter | User Administrator
Reset guest user invite | User Administrator | Global Administrator
Create user | User Administrator
Delete users | User Administrator
Invalidate refresh tokens of limited admins | User Administrator
Invalidate refresh tokens of non-admins | Password Administrator | User Administrator
Invalidate refresh tokens of privileged admins | Privileged Authentication Administrator
Read basic configuration | Default user role
Reset password for limited admins | User Administrator
Reset password of non-admins | Password Administrator | User Administrator
Reset password of privileged admins | Privileged Authentication Administrator
Revoke license | License Administrator | User Administrator
Update all properties except User Principal Name | User Administrator
Update User Principal Name for limited admins | User Administrator
Update User Principal Name property on privileged admins | Global Administrator
Update user settings | Global Administrator
Update Authentication methods | Authentication Administrator | Privileged Authentication Administrator; Global Administrator
Support
Task | Least privileged role | Additional roles
Submit support ticket | Service Support Administrator | Application Administrator; Azure Information Protection Administrator; Billing Administrator; Cloud Application Administrator; Compliance Administrator; Dynamics 365 Administrator; Desktop Analytics Administrator; Exchange Administrator; Intune Administrator; Password Administrator; Power BI Administrator; Privileged Authentication Administrator; SharePoint Administrator; Skype for Business Administrator; Teams Administrator; Teams Communications Administrator; User Administrator
Next steps
Assign Azure AD roles to users
Assign Azure AD roles at different scopes
Create and assign a custom role in Azure Active Directory
Azure AD built-in roles
What are the default user permissions in Azure Active Directory?
Article • 01/11/2023 • 11 minutes to read
In Azure Active Directory (Azure AD), all users are granted a set of default permissions. A
user's access consists of the type of user, their role assignments, and their ownership of
individual objects.
This article describes those default permissions and compares the member and guest
user defaults. The default user permissions can be changed only in user settings in Azure
AD.
Member and guest users
The set of default permissions depends on whether the user is a native member of the
tenant (member user) or whether the user is brought over from another directory as a
business-to-business (B2B) collaboration guest (guest user). For more information about
adding guest users, see What is Azure AD B2B collaboration?. Here are the capabilities of
the default permissions:
Member users can register applications, manage their own profile photo and
mobile phone number, change their own password, and invite B2B guests. These
users can also read all directory information (with a few exceptions).
Guest users have restricted directory permissions. They can manage their own
profile, change their own password, and retrieve some information about other
users, groups, and apps. However, they can't read all directory information.
For example, guest users can't enumerate the list of all users, groups, and other
directory objects. Guests can be added to administrator roles, which grant them full
read and write permissions. Guests can also invite other guests.
Compare member and guest default permissions
Users and contacts
  Member user permissions: Enumerate the list of all users and contacts; Read all public properties of users and contacts; Invite guests; Change their own password; Manage their own mobile phone number; Manage their own photo; Invalidate their own refresh tokens
  Default guest user permissions: Read their own properties; Read display name, email, sign-in name, photo, user principal name, and user type properties of other users and contacts; Change their own password; Search for another user by object ID (if allowed); Read manager and direct report information of other users
  Restricted guest user permissions: Read their own properties; Change their own password; Manage their own mobile phone number
Groups
  Member user permissions: Create security groups; Create Microsoft 365 groups; Enumerate the list of all groups; Read all properties of groups; Read non-hidden group memberships; Read hidden Microsoft 365 group memberships for joined groups; Manage properties, ownership, and membership of groups that the user owns; Add guests to owned groups; Manage dynamic membership settings; Delete owned groups; Restore owned Microsoft 365 groups
  Default guest user permissions: Read properties of non-hidden groups, including membership and ownership (even non-joined groups); Read hidden Microsoft 365 group memberships for joined groups; Search for groups by display name or object ID (if allowed)
  Restricted guest user permissions: Read object ID for joined groups; Read membership and ownership of joined groups in some Microsoft 365 apps (if allowed)
Applications
  Member user permissions: Register (create) new applications; Enumerate the list of all applications; Read properties of registered and enterprise applications; List permissions granted to applications; Manage application properties, assignments, and credentials for owned applications; Create or delete application passwords for users; Delete owned applications; Restore owned applications
  Default guest user permissions: Read properties of registered and enterprise applications; List permissions granted to applications
  Restricted guest user permissions: Read properties of registered and enterprise applications; List permissions granted to applications
Devices
  Member user permissions: Enumerate the list of all devices; Read all properties of devices; Manage all properties of owned devices
  Default guest user permissions: No permissions
  Restricted guest user permissions: No permissions
Organization
  Member user permissions: Read all company information; Read all domains; Read configuration of certificate-based authentication; Read all partner contracts
  Default guest user permissions: Read company display name; Read all domains; Read configuration of certificate-based authentication
  Restricted guest user permissions: Read company display name; Read all domains
Roles and scopes
  Member user permissions: Read all administrative roles and memberships; Read all properties and membership of administrative units
  Default guest user permissions: No permissions
  Restricted guest user permissions: No permissions
Subscriptions
  Member user permissions: Read all subscriptions; Enable service plan memberships
  Default guest user permissions: No permissions
  Restricted guest user permissions: No permissions
Policies
  Member user permissions: Read all properties of policies; Manage all properties of owned policies
  Default guest user permissions: No permissions
  Restricted guest user permissions: No permissions
Restrict member users' default permissions
It's possible to add restrictions to users' default permissions.
You can restrict default permissions for member users in the following ways:
U Caution
Using the Restrict access to Azure AD administration portal switch is NOT a
security measure. For more information on the functionality, see the table below.
Permission: Register applications
Setting explanation: Setting this option to No prevents users from creating application registrations. You can then grant the ability back to specific individuals by adding them to the Application Developer role.

Permission: Allow users to connect work or school account with LinkedIn
Setting explanation: Setting this option to No prevents users from connecting their work or school account with their LinkedIn account. For more information, see LinkedIn account connections data sharing and consent.

Permission: Create security groups
Setting explanation: Setting this option to No prevents users from creating security groups. Global administrators and user administrators can still create security groups. To learn how, see Azure Active Directory cmdlets for configuring group settings.

Permission: Create Microsoft 365 groups
Setting explanation: Setting this option to No prevents users from creating Microsoft 365 groups. Setting this option to Some allows a set of users to create Microsoft 365 groups. Global administrators and user administrators can still create Microsoft 365 groups. To learn how, see Azure Active Directory cmdlets for configuring group settings.
Permission: Restrict access to Azure AD administration portal
Setting explanation:
What does this switch do?
No lets non-administrators browse the Azure AD administration portal.
Yes restricts non-administrators from browsing the Azure AD administration portal. Non-administrators who are owners of groups or applications are unable to use the Azure portal to manage their owned resources.
What does it not do?
It doesn't restrict access to Azure AD data using PowerShell, the Microsoft Graph API, or other clients such as Visual Studio. The same data and write operations remain reachable through any of those clients.
It doesn't restrict access as long as a user is assigned a custom role (or any role).
When should I use this switch?
Use this option to prevent users from misconfiguring the resources that they own.
When should I not use this switch?
Don't use this switch as a security measure. Instead, create a Conditional Access policy that targets Microsoft Azure Management; that policy blocks non-administrator access to Microsoft Azure Management.
How do I grant only specific non-administrator users the ability to use the Azure AD administration portal?
Set this option to Yes, then assign them a role like Global Reader.
Restrict access to the Entra administration portal: a Conditional Access policy that targets Microsoft Azure Management targets access to all Azure management.
Permission: Restrict non-admin users from creating tenants
Setting explanation: Users can create tenants in the Azure AD and Entra administration portal under Manage tenant. The creation of a tenant is recorded in the Audit log as category DirectoryManagement and activity Create Company. Anyone who creates a tenant becomes the Global Administrator of that tenant. The newly created tenant doesn't inherit any settings or configurations.
What does this switch do?
Setting this option to Yes restricts creation of Azure AD tenants to the Global Administrator or Tenant Creator roles. Setting this option to No allows non-admin users to create Azure AD tenants. Tenant creation continues to be recorded in the Audit log either way.
How do I grant only specific non-administrator users the ability to create new tenants?
Set this option to Yes, then assign them the Tenant Creator role.

Permission: Read other users
Setting explanation: This setting is available in Microsoft Graph and PowerShell only. Setting this flag to $false prevents all non-admins from reading user information from the directory. This flag doesn't prevent reading user information in other Microsoft services like Exchange Online.
This setting is meant for special circumstances, so we don't recommend setting the flag to $false.
Restrict guest users' default permissions
You can restrict default permissions for guest users in the following ways.
Note
The Guest user access restrictions setting replaced the Guest users permissions
are limited setting. For guidance on using this feature, see Restrict guest access
permissions in Azure Active Directory.
Permission: Guest user access restrictions
Setting explanation: Setting this option to Guest users have the same access as members grants all member user permissions to guest users by default.
Setting this option to Guest user access is restricted to properties and memberships of their own directory objects restricts guest access to only their own user profile by default. Access to other users is no longer allowed, even when they're searching by user principal name, object ID, or display name. Access to group information, including group memberships, is also no longer allowed.
This setting doesn't prevent access to joined groups in some Microsoft 365 services like Microsoft Teams. To learn more, see Microsoft Teams guest access.
Guest users can still be added to administrator roles regardless of this permission setting.

Permission: Guests can invite
Setting explanation: Setting this option to Yes allows guests to invite other guests. To learn more, see Configure external collaboration settings.

Permission: Members can invite
Setting explanation: Setting this option to Yes allows non-admin members of your directory to invite guests. To learn more, see Configure external collaboration settings.

Permission: Admins and users in the guest inviter role can invite
Setting explanation: Setting this option to Yes allows admins and users in the Guest Inviter role to invite guests. When you set this option to Yes, users in the Guest Inviter role will still be able to invite guests, regardless of the Members can invite setting. To learn more, see Configure external collaboration settings.
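The member and guest default-permission settings described in the two tables above are all properties of one Microsoft Graph object, the tenant's authorization policy. The following script is an added example and not code from this article or from Microsoft: it reads that policy, reports the settings covered here, and applies a least-privilege baseline only when the current values differ. It assumes the Microsoft.Graph PowerShell module is installed and that the signed-in administrator can consent to Policy.ReadWrite.Authorization; the guest role labels are this example's own.

```powershell
# Added example, not code from the Azure AD documentation: audit the tenant's
# default user permissions described above and move them to a least-privilege
# baseline with the Microsoft Graph PowerShell SDK. Assumes the Microsoft.Graph
# module is installed and the signed-in admin can consent to the scope below.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization" -NoWelcome

$uri = "https://graph.microsoft.com/v1.0/policies/authorizationPolicy"

# Directory role template IDs behind the "Guest user access restrictions"
# setting (guestUserRoleId). The labels are this example's own.
$guestRole = @{
    SameAsMember = "a0b1b346-4d3e-4e8b-98f8-753987be4970"
    Default      = "10dae51f-b6af-4016-8d66-8c2a99b929b3"
    Restricted   = "2af84b1e-32c8-42b7-82bc-daa82404023b"
}

# 1. Read the current policy and show the settings this article covers.
$policy = Invoke-MgGraphRequest -Method GET -Uri $uri
$perm   = $policy.defaultUserRolePermissions
$guestLabel = $guestRole.GetEnumerator() |
    Where-Object { $_.Value -eq $policy.guestUserRoleId } |
    Select-Object -ExpandProperty Key
[pscustomobject]@{
    AllowedToCreateApps           = $perm.allowedToCreateApps           # "Register applications"
    AllowedToCreateSecurityGroups = $perm.allowedToCreateSecurityGroups # "Create security groups"
    AllowedToReadOtherUsers       = $perm.allowedToReadOtherUsers       # "Read other users" (Graph/PowerShell only)
    GuestUserRole                 = $guestLabel                          # "Guest user access restrictions"
    AllowInvitesFrom              = $policy.allowInvitesFrom             # who may invite guests
} | Format-List

# 2. Desired state. Members lose app registration and security-group creation
#    (hand those back with the Application Developer role or a custom role),
#    guests see only their own objects, and only admins and Guest Inviters can
#    invite. allowedToReadOtherUsers stays true: the article reserves false for
#    special circumstances.
$desired = @{
    defaultUserRolePermissions = @{
        allowedToCreateApps           = $false
        allowedToCreateSecurityGroups = $false
        allowedToReadOtherUsers       = $true
    }
    guestUserRoleId  = $guestRole.Restricted
    allowInvitesFrom = "adminsAndGuestInviters"
}

# 3. PATCH only on drift, so every entry in the audit log is a real change.
$want  = $desired.defaultUserRolePermissions
$drift = ($perm.allowedToCreateApps           -ne $want.allowedToCreateApps) -or
         ($perm.allowedToCreateSecurityGroups -ne $want.allowedToCreateSecurityGroups) -or
         ($perm.allowedToReadOtherUsers       -ne $want.allowedToReadOtherUsers) -or
         ($policy.guestUserRoleId             -ne $desired.guestUserRoleId) -or
         ($policy.allowInvitesFrom            -ne $desired.allowInvitesFrom)

if ($drift) {
    Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $desired
    Write-Host "Authorization policy updated; re-run to confirm the new values."
} else {
    Write-Host "Authorization policy already matches the desired baseline."
}
```

Run it once to see the current values, then review the $desired block before letting it PATCH: the guest restriction and the invitation setting are tenant-wide and take effect immediately for every guest.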
Object ownership
Application registration owner permissions
When a user registers an application, they're automatically added as an owner for the
application. As an owner, they can manage the metadata of the application, such as the
name and permissions that the app requests. They can also manage the tenant-specific
configuration of the application, such as the single sign-on (SSO) configuration and user
assignments.
An owner can also add or remove other owners. Unlike global administrators, owners
can manage only the applications that they own.
Enterprise application owner permissions
When a user adds a new enterprise application, they're automatically added as an
owner. As an owner, they can manage the tenant-specific configuration of the
application, such as the SSO configuration, provisioning, and user assignments.
An owner can also add or remove other owners. Unlike global administrators, owners
can manage only the applications that they own.
Group owner permissions
When a user creates a group, they're automatically added as an owner for that group. As
an owner, they can manage properties of the group (such as the name) and manage
group membership.
An owner can also add or remove other owners. Unlike global administrators and user
administrators, owners can manage only the groups that they own.
To assign a group owner, see Managing owners for a group.
Ownership permissions
The following tables describe the specific permissions in Azure AD that member users
have over owned objects. Users have these permissions only on objects that they own.
Owned application registrations
Users can perform the following actions on owned application registrations:
Action - Description
microsoft.directory/applications/audience/update - Update the audience (supported account types) property on applications in Azure AD.
microsoft.directory/applications/authentication/update - Update the authentication properties on applications in Azure AD.
microsoft.directory/applications/basic/update - Update basic properties on applications in Azure AD.
microsoft.directory/applications/credentials/update - Update the credentials property on applications in Azure AD.
microsoft.directory/applications/delete - Delete applications in Azure AD.
microsoft.directory/applications/owners/update - Update the owners property on applications in Azure AD.
microsoft.directory/applications/permissions/update - Update the permissions property on applications in Azure AD.
microsoft.directory/applications/policies/update - Update the policies property on applications in Azure AD.
microsoft.directory/applications/restore - Restore applications in Azure AD.
Owned enterprise applications
Users can perform the following actions on owned enterprise applications. An enterprise
application consists of a service principal, one or more application policies, and
sometimes an application object in the same tenant as the service principal.
Action - Description
microsoft.directory/auditLogs/allProperties/read - Read all properties (including privileged properties) on audit logs in Azure AD.
microsoft.directory/policies/basic/update - Update basic properties on policies in Azure AD.
microsoft.directory/policies/delete - Delete policies in Azure AD.
microsoft.directory/policies/owners/update - Update the owners property on policies in Azure AD.
microsoft.directory/servicePrincipals/appRoleAssignedTo/update - Update the appRoleAssignedTo property on service principals in Azure AD.
microsoft.directory/servicePrincipals/appRoleAssignments/update - Update the appRoleAssignments property on service principals in Azure AD.
microsoft.directory/servicePrincipals/audience/update - Update the audience property on service principals in Azure AD.
microsoft.directory/servicePrincipals/authentication/update - Update the authentication properties on service principals in Azure AD.
microsoft.directory/servicePrincipals/basic/update - Update basic properties on service principals in Azure AD.
microsoft.directory/servicePrincipals/credentials/update - Update the credentials property on service principals in Azure AD.
microsoft.directory/servicePrincipals/delete - Delete service principals in Azure AD.
microsoft.directory/servicePrincipals/owners/update - Update the owners property on service principals in Azure AD.
microsoft.directory/servicePrincipals/permissions/update - Update the permissions property on service principals in Azure AD.
microsoft.directory/servicePrincipals/policies/update - Update the policies property on service principals in Azure AD.
microsoft.directory/signInReports/allProperties/read - Read all properties (including privileged properties) on sign-in reports in Azure AD.
Owned devices
Users can perform the following actions on owned devices:
Action - Description
microsoft.directory/devices/bitLockerRecoveryKeys/read - Read the BitLocker recovery keys property on devices in Azure AD.
microsoft.directory/devices/disable - Disable devices in Azure AD.
Owned groups
Users can perform the following actions on owned groups.
Note
Owners of dynamic groups must have a global administrator, group administrator,
Intune administrator, or user administrator role to edit group membership rules. For
more information, see Create or update a dynamic group in Azure Active
Directory.
Action - Description
microsoft.directory/groups/appRoleAssignments/update - Update the appRoleAssignments property on groups in Azure AD.
microsoft.directory/groups/basic/update - Update basic properties on groups in Azure AD.
microsoft.directory/groups/delete - Delete groups in Azure AD.
microsoft.directory/groups/members/update - Update the members property on groups in Azure AD.
microsoft.directory/groups/owners/update - Update the owners property on groups in Azure AD.
microsoft.directory/groups/restore - Restore groups in Azure AD.
microsoft.directory/groups/settings/update - Update the settings property on groups in Azure AD.
Next steps
To learn more about the Guest user access restrictions setting, see Restrict guest
access permissions in Azure Active Directory.
To learn more about how to assign Azure AD administrator roles, see Assign a user
to administrator roles in Azure Active Directory.
To learn more about how resource access is controlled in Microsoft Azure, see
Understanding resource access in Azure.
For more information on how Azure AD relates to your Azure subscription, see
How Azure subscriptions are associated with Azure Active Directory.
Manage users.
Application registration permissions for
custom roles in Azure Active Directory
Article • 08/21/2022 • 4 minutes to read
This article contains the currently available app registration permissions for custom role
definitions in Azure Active Directory (Azure AD).
License requirements
Using this feature requires Azure AD Premium P1 licenses. To find the right license for
your requirements, see Compare generally available features of Azure AD .
Permissions for managing single-tenant
applications
When choosing the permissions for your custom role, you have the option to grant access to manage only single-tenant applications. Single-tenant applications are available only to users in the Azure AD organization where the application is registered. Single-tenant applications are defined as having Supported account types set to "Accounts in this organizational directory only." In the Graph API, single-tenant applications have the signInAudience property set to "AzureADMyOrg."
To grant access to manage only single-tenant applications, use the permissions below with the subtype myOrganization. For example, microsoft.directory/applications.myOrganization/basic/update.
See the custom roles overview for an explanation of what the general terms subtype, permission, and property set mean. The following information is specific to application registrations.
Create and delete
There are two permissions available for granting the ability to create application registrations, each with different behavior:
microsoft.directory/applications/createAsOwner
Assigning this permission results in the creator being added as the first owner of the created app registration, and the created app registration will count against the creator's 250 created objects quota.
microsoft.directory/applications/create
Assigning this permission results in the creator not being added as the first owner of the created app registration, and the created app registration will not count against the creator's 250 created objects quota. Use this permission carefully, because there is nothing preventing the assignee from creating app registrations until the directory-level quota is hit.
If both permissions are assigned, the /create permission will take precedence. Though the /create permission does not automatically add the creator as the first owner, owners can be specified during the creation of the app registration when using Graph APIs or PowerShell cmdlets.
Both create permissions grant access to the New registration command in the portal.
There are two permissions available for granting the ability to delete app registrations:
microsoft.directory/applications/delete
Grants the ability to delete app registrations regardless of subtype; that is, both single-tenant and multi-tenant applications.
microsoft.directory/applications.myOrganization/delete
Grants the ability to delete only app registrations that are accessible to accounts in your organization; that is, single-tenant applications (myOrganization subtype).
Note
When assigning a role that contains create permissions, the role assignment must be made at the directory scope. A create permission assigned at a resource scope does not grant the ability to create app registrations.
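The following script is an added example, not code from this article or from Microsoft. It builds a custom role from the permissions in this article (createAsOwner plus myOrganization-scoped update and delete), assigns it at directory scope as the note above requires, and reads the assignment back so the scope can be verified. It assumes the Microsoft.Graph PowerShell module and an administrator who can consent to RoleManagement.ReadWrite.Directory and User.Read.All; the role name, description and assignee UPN are this example's own assumptions.

```powershell
# Added example, not code from the Azure AD documentation: build a custom role
# from the permissions in this article and assign it at directory scope, which
# is required for the create permission to take effect. Assumes the
# Microsoft.Graph module and an admin who can consent to the scopes below; the
# role name, description and assignee UPN are this example's own assumptions.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All" -NoWelcome

$roleName    = "Single-tenant app registration manager"
$assigneeUpn = "app.dev@contoso.com"   # assumption: an existing member user

# createAsOwner (not create) so every app the assignee registers has an owner on
# record and counts against their 250-object quota. Update and delete use the
# myOrganization subtype so multi-tenant apps stay out of reach. permissions/update
# is deliberately left out: it would let the assignee change the API permissions
# an app requests. standard/read is harmless for members and needed if this role
# is ever handed to a guest or a service principal.
$actions = @(
    "microsoft.directory/applications/createAsOwner",
    "microsoft.directory/applications.myOrganization/standard/read",
    "microsoft.directory/applications.myOrganization/basic/update",
    "microsoft.directory/applications.myOrganization/authentication/update",
    "microsoft.directory/applications.myOrganization/credentials/update",
    "microsoft.directory/applications.myOrganization/delete"
)

# Idempotent: reuse an existing definition with the same name.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
if (-not $role) {
    $role = New-MgRoleManagementDirectoryRoleDefinition `
        -DisplayName $roleName `
        -Description "Registers and maintains single-tenant app registrations" `
        -IsEnabled:$true `
        -RolePermissions @(@{ AllowedResourceActions = $actions })
}

# Directory scope is "/". Scoping this role to a single application object
# would keep the update permissions but would not grant createAsOwner.
$user = Get-MgUser -UserId $assigneeUpn -Property Id
$existing = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($user.Id)'" |
    Where-Object RoleDefinitionId -eq $role.Id
if (-not $existing) {
    New-MgRoleManagementDirectoryRoleAssignment `
        -PrincipalId $user.Id -RoleDefinitionId $role.Id -DirectoryScopeId "/" | Out-Null
}

# Verify: the assignment for this role must report DirectoryScopeId "/".
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($user.Id)'" |
    Where-Object RoleDefinitionId -eq $role.Id |
    Select-Object Id, RoleDefinitionId, DirectoryScopeId
```

The same definition could be assigned through Privileged Identity Management as an eligible assignment instead of an active one; the permission list and the directory-scope requirement do not change.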
Read
All member users in the organization can read app registration information by default. However, guest users and application service principals can't. If you plan to assign a role to a guest user or application, you must include the appropriate read permissions.
microsoft.directory/applications/allProperties/read
Ability to read all properties of single-tenant and multi-tenant applications, except properties that can never be read, such as credentials.
microsoft.directory/applications.myOrganization/allProperties/read
Grants the same permissions as microsoft.directory/applications/allProperties/read, but only for single-tenant applications.
microsoft.directory/applications/owners/read
Grants the ability to read the owners property on single-tenant and multi-tenant applications. Grants access to all fields on the application registration Owners page.
microsoft.directory/applications/standard/read
Grants access to read standard application registration properties. This includes properties across application registration pages.
microsoft.directory/applications.myOrganization/standard/read
Grants the same permissions as microsoft.directory/applications/standard/read, but only for single-tenant applications.
Update
microsoft.directory/applications/allProperties/update
Ability to update all properties on single-tenant and multi-tenant applications.
microsoft.directory/applications.myOrganization/allProperties/update
Grants the same permissions as microsoft.directory/applications/allProperties/update, but only for single-tenant applications.
microsoft.directory/applications/audience/update
Ability to update the supported account type (signInAudience) property on single-tenant and multi-tenant applications.
microsoft.directory/applications.myOrganization/audience/update
Grants the same permissions as microsoft.directory/applications/audience/update, but only for single-tenant applications.
microsoft.directory/applications/authentication/update
Ability to update the reply URL, sign-out URL, implicit flow, and publisher domain properties on single-tenant and multi-tenant applications. Grants access to all fields on the application registration Authentication page except supported account types.
microsoft.directory/applications.myOrganization/authentication/update
Grants the same permissions as microsoft.directory/applications/authentication/update, but only for single-tenant applications.
microsoft.directory/applications/basic/update
Ability to update the name, logo, homepage URL, terms of service URL, and privacy statement URL properties on single-tenant and multi-tenant applications. Grants access to all fields on the application registration Branding page.
microsoft.directory/applications.myOrganization/basic/update
Grants the same permissions as microsoft.directory/applications/basic/update, but only for single-tenant applications.
microsoft.directory/applications/credentials/update
Ability to update the certificates and client secrets properties on single-tenant and multi-tenant applications. Grants access to all fields on the application registration Certificates & secrets page.
microsoft.directory/applications.myOrganization/credentials/update
Grants the same permissions as microsoft.directory/applications/credentials/update, but only for single-tenant applications.
microsoft.directory/applications/owners/update
Ability to update the owners property on single-tenant and multi-tenant applications. Grants access to all fields on the application registration Owners page.
microsoft.directory/applications.myOrganization/owners/update
Grants the same permissions as microsoft.directory/applications/owners/update, but only for single-tenant applications.
microsoft.directory/applications/permissions/update
Ability to update the delegated permissions, application permissions, authorized client applications, required permissions, and grant consent properties on single-tenant and multi-tenant applications. Does not grant the ability to perform consent. Grants access to all fields on the application registration API permissions and Expose an API pages.
microsoft.directory/applications.myOrganization/permissions/update
Grants the same permissions as microsoft.directory/applications/permissions/update, but only for single-tenant applications.
Next steps
Create custom roles using the Azure portal, Azure AD PowerShell, and Microsoft
Graph API
List role assignments
Enterprise application permissions for
custom roles in Azure Active Directory
Article • 01/25/2023 • 5 minutes to read
This article contains the currently available enterprise application permissions for
custom role definitions in Azure Active Directory (Azure AD). In this article, you'll find
permission lists for some common scenarios and the full list of enterprise app
permissions.
License requirements
Using this feature requires Azure AD Premium P1 licenses. To find the right license for
your requirements, see Compare generally available features of Azure AD .
Enterprise application permissions
For more information about how to use these permissions, see Assign custom roles to
manage enterprise apps
Assigning users or groups to an application
To delegate the assignment of users and groups that can access SAML-based single sign-on applications. Permissions required:
microsoft.directory/servicePrincipals/appRoleAssignedTo/update
Creating gallery applications
To delegate the creation of Azure AD Gallery applications such as ServiceNow, F5, and Salesforce. Permissions required:
microsoft.directory/applicationTemplates/instantiate
Configuring basic SAML URLs
To delegate the update and read of basic SAML configurations for SAML-based single sign-on applications. Permissions required:
microsoft.directory/servicePrincipals/authentication/update
microsoft.directory/applications.myOrganization/authentication/update
Rolling over or creating signing certs
To delegate the management of signing certificates for SAML-based single sign-on applications. Permissions required:
microsoft.directory/servicePrincipals/credentials/update
Update expiring sign-in cert notification email address
To delegate the update of the notification email address for expiring sign-in certificates on SAML-based single sign-on applications. Permissions required:
microsoft.directory/applications.myOrganization/authentication/update
microsoft.directory/applications.myOrganization/permissions/update
microsoft.directory/servicePrincipals/authentication/update
microsoft.directory/servicePrincipals/basic/update
Manage SAML token signature and sign-in algorithm
To delegate the update of the SAML token signature and sign-in algorithm for SAML-based single sign-on applications. Permissions required:
microsoft.directory/applicationPolicies/basic/update
microsoft.directory/applications/authentication/update
microsoft.directory/servicePrincipals/policies/update
Manage user attributes and claims
To delegate the create, delete, and update of user attributes and claims for SAML-based single sign-on applications. Permissions required:
microsoft.directory/applicationPolicies/basic/update
microsoft.directory/applications/authentication/update
microsoft.directory/servicePrincipals/policies/update
App provisioning permissions
Performing any write operation, such as managing the job, schema, or credentials, through the UI also requires the read permissions needed to view the provisioning page.
Setting the scope to all users and groups or to assigned users and groups currently requires both the synchronizationJobs and synchronizationCredentials permissions.
Turn on or restart provisioning jobs
To delegate the ability to turn provisioning jobs on and off and to restart them. Permissions required:
microsoft.directory/servicePrincipals/synchronizationJobs/manage
Configure the provisioning schema
To delegate updates to attribute mapping. Permissions required:
microsoft.directory/servicePrincipals/synchronizationSchema/manage
Read provisioning settings associated with the application object
To delegate the ability to read provisioning settings associated with the application object. Permissions required:
microsoft.directory/applications/synchronization/standard/read
Read provisioning settings associated with your service principal
To delegate the ability to read provisioning settings associated with your service principal. Permissions required:
microsoft.directory/servicePrincipals/synchronization/standard/read
Authorize application access for provisioning
To delegate the ability to authorize application access for provisioning, for example by supplying an OAuth bearer token for the target system. Permissions required:
microsoft.directory/servicePrincipals/synchronizationCredentials/manage
Application Proxy permissions
Performing any write operation on the Application Proxy properties of an application also requires the permissions to update the application's basic properties and authentication.
Reading, and therefore any write operation on, the Application Proxy properties of an application also requires the read permission on connector groups, because connector groups are part of the list of properties shown on the page.
Delegate Application Proxy connector management
To delegate create, read, update, and delete actions for connector management. Permissions required:
microsoft.directory/connectorGroups/allProperties/read
microsoft.directory/connectorGroups/allProperties/update
microsoft.directory/connectorGroups/create
microsoft.directory/connectorGroups/delete
microsoft.directory/connectors/allProperties/read
microsoft.directory/connectors/create
Delegate Application Proxy settings management
To delegate create, read, update, and delete actions for Application Proxy properties on an app. Permissions required:
microsoft.directory/applications/applicationProxy/read
microsoft.directory/applications/applicationProxy/update
microsoft.directory/applications/applicationProxyAuthentication/update
microsoft.directory/applications/applicationProxySslCertificate/update
microsoft.directory/applications/applicationProxyUrlSettings/update
microsoft.directory/applications/basic/update
microsoft.directory/applications/authentication/update
microsoft.directory/connectorGroups/allProperties/read
Read Application Proxy settings for an app
To delegate read permissions for Application Proxy properties on an app. Permissions required:
microsoft.directory/applications/applicationProxy/read
microsoft.directory/connectorGroups/allProperties/read
Update URL configuration Application Proxy settings for an app
To delegate create, read, update, and delete (CRUD) permissions for updating the Application Proxy external URL, internal URL, and SSL certificate properties. Permissions required:
microsoft.directory/applications/applicationProxy/read
microsoft.directory/connectorGroups/allProperties/read
microsoft.directory/applications/basic/update
microsoft.directory/applications/authentication/update
microsoft.directory/applications/applicationProxyAuthentication/update
microsoft.directory/applications/applicationProxySslCertificate/update
microsoft.directory/applications/applicationProxyUrlSettings/update
Full list of permissions
Permission - Description
microsoft.directory/applicationPolicies/allProperties/read - Read all properties (including privileged properties) on application policies
microsoft.directory/applicationPolicies/allProperties/update - Update all properties (including privileged properties) on application policies
microsoft.directory/applicationPolicies/basic/update - Update standard properties of application policies
microsoft.directory/applicationPolicies/create - Create application policies
microsoft.directory/applicationPolicies/createAsOwner - Create application policies, and creator is added as the first owner
microsoft.directory/applicationPolicies/delete - Delete application policies
microsoft.directory/applicationPolicies/owners/read - Read owners on application policies
microsoft.directory/applicationPolicies/owners/update - Update the owner property of application policies
microsoft.directory/applicationPolicies/policyAppliedTo/read - Read the list of objects an application policy is applied to
microsoft.directory/applicationPolicies/standard/read - Read standard properties of application policies
microsoft.directory/servicePrincipals/allProperties/allTasks - Create and delete service principals, and read and update all properties in Azure Active Directory
microsoft.directory/servicePrincipals/allProperties/read - Read all properties (including privileged properties) on service principals
microsoft.directory/servicePrincipals/allProperties/update - Update all properties (including privileged properties) on service principals
microsoft.directory/servicePrincipals/appRoleAssignedTo/read - Read service principal role assignments
microsoft.directory/servicePrincipals/appRoleAssignedTo/update - Update service principal role assignments
microsoft.directory/servicePrincipals/appRoleAssignments/read - Read role assignments assigned to service principals
microsoft.directory/servicePrincipals/audience/update - Update audience properties on service principals
microsoft.directory/servicePrincipals/authentication/update - Update authentication properties on service principals
microsoft.directory/servicePrincipals/basic/update - Update basic properties on service principals
microsoft.directory/servicePrincipals/create - Create service principals
microsoft.directory/servicePrincipals/createAsOwner - Create service principals, with creator as the first owner
microsoft.directory/servicePrincipals/credentials/update - Update credentials of service principals
microsoft.directory/servicePrincipals/delete - Delete service principals
microsoft.directory/servicePrincipals/disable - Disable service principals
microsoft.directory/servicePrincipals/enable - Enable service principals
microsoft.directory/servicePrincipals/getPasswordSingleSignOnCredentials - Read password single sign-on credentials on service principals
microsoft.directory/servicePrincipals/managePasswordSingleSignOnCredentials - Manage password single sign-on credentials on service principals
microsoft.directory/servicePrincipals/oAuth2PermissionGrants/read - Read delegated permission grants on service principals
microsoft.directory/servicePrincipals/owners/read - Read owners of service principals
microsoft.directory/servicePrincipals/owners/update - Update owners of service principals
microsoft.directory/servicePrincipals/permissions/update - Update permissions of service principals
microsoft.directory/servicePrincipals/policies/read - Read policies of service principals
microsoft.directory/servicePrincipals/policies/update - Update policies of service principals
microsoft.directory/servicePrincipals/standard/read - Read basic properties of service principals
microsoft.directory/servicePrincipals/synchronization/standard/read - Read provisioning settings associated with your service principal
microsoft.directory/servicePrincipals/tag/update - Update the tag property for service principals
microsoft.directory/applicationTemplates/instantiate - Instantiate gallery applications from application templates
microsoft.directory/auditLogs/allProperties/read - Read all properties on audit logs, including privileged properties
microsoft.directory/signInReports/allProperties/read - Read all properties on sign-in reports, including privileged properties
microsoft.directory/applications/applicationProxy/read - Read all application proxy properties
microsoft.directory/applications/applicationProxy/update - Update all application proxy properties
microsoft.directory/applications/applicationProxyAuthentication/update - Update authentication on all types of applications
microsoft.directory/applications/applicationProxyUrlSettings/update - Update URL settings for application proxy
microsoft.directory/applications/applicationProxySslCertificate/update - Update SSL certificate settings for application proxy
microsoft.directory/applications/synchronization/standard/read - Read provisioning settings associated with the application object
microsoft.directory/connectorGroups/create - Create application proxy connector groups
microsoft.directory/connectorGroups/delete - Delete application proxy connector groups
microsoft.directory/connectorGroups/allProperties/read - Read all properties of application proxy connector groups
microsoft.directory/connectorGroups/allProperties/update - Update all properties of application proxy connector groups
microsoft.directory/connectors/create - Create application proxy connectors
microsoft.directory/connectors/allProperties/read - Read all properties of application proxy connectors
microsoft.directory/servicePrincipals/synchronizationJobs/manage - Start, restart, and pause application provisioning synchronization jobs
microsoft.directory/servicePrincipals/synchronizationSchema/manage - Create and manage application provisioning synchronization jobs and schema
microsoft.directory/provisioningLogs/allProperties/read - Read all properties of provisioning logs
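Several permissions in the list above are far more powerful than the delegation scenarios earlier in this article need, and any of them assigned at directory scope applies to every application in the tenant. The script below is an added example, not code from this article or from Microsoft: it walks every custom role definition, flags the actions worth a second look, and prints the scope of each active assignment so a narrow delegation role granted directory-wide stands out. It assumes the Microsoft.Graph PowerShell module and an account that can consent to RoleManagement.Read.Directory; the patterns and the risk notes are this example's own judgement.

```powershell
# Added example, not code from the Azure AD documentation: review every custom
# role in the tenant against the permission list above, flag the actions that
# deserve scrutiny, and show the scope of each assignment so directory-wide
# grants of narrow delegation roles stand out. Assumes the Microsoft.Graph
# module and an account with RoleManagement.Read.Directory; the risk notes are
# this example's own judgement.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory" -NoWelcome

# Regex over the permission strings in this article and why each matters.
$watch = [ordered]@{
    '/servicePrincipals/allProperties/allTasks$' = 'full control of every service principal'
    '/allProperties/update$'                     = 'writes privileged properties'
    '/credentials/update$'                       = 'can add a secret or certificate and sign in as the app'
    '/appRoleAssignedTo/update$'                 = 'can grant users and groups access to apps'
    '/synchronizationCredentials/manage$'        = 'sets the credentials provisioning uses against the target system'
    '/(create|createAsOwner|instantiate)$'       = 'creates objects; only effective at directory scope'
}

$customRoles = Get-MgRoleManagementDirectoryRoleDefinition -Filter "isBuiltIn eq false" -All

foreach ($role in $customRoles) {
    $actions = @($role.RolePermissions | ForEach-Object { $_.AllowedResourceActions })
    $hits = foreach ($action in $actions) {
        foreach ($pattern in $watch.Keys) {
            if ($action -match $pattern) {
                [pscustomobject]@{ Action = $action; Concern = $watch[$pattern] }
            }
        }
    }
    if (-not $hits) { continue }

    Write-Host "`n== $($role.DisplayName) ($($role.Id)) =="
    $hits | Format-Table -AutoSize | Out-String | Write-Host

    # Active assignments only; eligible (PIM) assignments are a separate API.
    $assignments = Get-MgRoleManagementDirectoryRoleAssignment `
        -Filter "roleDefinitionId eq '$($role.Id)'" -All
    if (-not $assignments) { Write-Host "   no active assignments"; continue }
    foreach ($a in $assignments) {
        # "/" is the whole directory; anything else is one object, such as a
        # single service principal, which is the scope the delegation scenarios
        # above are designed for.
        $scope = if ($a.DirectoryScopeId -eq '/') { 'DIRECTORY-WIDE' } else { $a.DirectoryScopeId }
        Write-Host "   principal $($a.PrincipalId) at scope $scope"
    }
}
```

A role that carries only credentials/update and is assigned at the scope of one service principal is the SAML certificate rollover scenario working as intended; the same role at DIRECTORY-WIDE scope lets the assignee add credentials to any service principal in the tenant.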
Next steps
Create custom roles using the Azure portal, Azure AD PowerShell, and Microsoft
Graph API
List role assignments
App consent permissions for custom
roles in Azure Active Directory
Article • 08/21/2022 • 2 minutes to read
This article contains the currently available app consent permissions for custom role
definitions in Azure Active Directory (Azure AD). In this article, you'll find the permissions
required for some common scenarios related to app consent and permissions.
License requirements
Using this feature requires Azure AD Premium P1 licenses. To find the right license for
your requirements, see Compare generally available features of Azure AD .
App consent permissions
Use the permissions listed in this article to manage app consent policies, as well as the
permission to grant consent to apps.
Note
The Azure AD admin portal does not yet support adding the permissions listed in
this article to a custom directory role definition. You must use Azure AD PowerShell
to create a custom directory role with the permissions listed in this article.
Granting delegated permissions to apps on behalf of self (user consent)
To allow users to grant consent to applications on their own behalf (user consent),
subject to an app consent policy, use:
[Link]/servicePrincipals/managePermissionGrantsForSelf.{id}
Here {id} is replaced by the ID of an app consent policy, which sets the conditions
that must be met for this permission to be active.
For example, to allow users to grant consent on their own behalf, subject to the built-in
app consent policy with ID microsoft-user-default-low, you would use the permission
...[Link]-user-default-low.
Granting permissions to apps on behalf of all (admin consent)
To delegate tenant-wide admin consent to apps, for both delegated permissions and
application permissions (app roles), use:
[Link]/servicePrincipals/managePermissionGrantsForAll.{id}
Here {id} is replaced by the ID of an app consent policy, which sets the conditions
that must be met for this permission to be usable.
For example, to allow role assignees to grant tenant-wide admin consent to apps
subject to a custom app consent policy with ID low-risk-any-app, you would use the
permission [Link]/servicePrincipals/[Link]-risk-any-app.
Managing app consent policies
To delegate the creation, update, and deletion of app consent policies, use:
[Link]/permissionGrantPolicies/create
[Link]/permissionGrantPolicies/standard/read
[Link]/permissionGrantPolicies/basic/update
[Link]/permissionGrantPolicies/delete
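The note above says these permissions can only be put into a custom role with Azure AD PowerShell. The following is an added example, not code from the page or from Microsoft's documentation, showing how a practitioner would build such a role with the Azure AD PowerShell for Graph (AzureAD) module: it checks that the referenced app consent policy actually exists before creating a role whose permission depends on it, substitutes the policy ID for {id}, and deliberately grants only read/update on policies (not create/delete) so the assignee cannot loosen consent rules by replacing a policy. Assumptions: the permission namespace prefix is written as microsoft.directory/ (this page's extraction renders that prefix as "[Link]"); the function name, role display name and the policy ID passed by the caller are constructed for the example; the same pattern applies to the device and user permission lists elsewhere on this page.

```powershell
# Added example (not from the page or from Microsoft's docs). Requires the AzureAD module
# (Azure AD PowerShell for Graph) and a signed-in session with rights to create custom roles.
# Assumption: the permission namespace prefix is microsoft.directory/ ("[Link]" on this page).

function New-AppConsentDelegationRole {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # App consent policy ID that becomes the {id} suffix of the permission.
        [Parameter(Mandatory)] [ValidatePattern('^[A-Za-z0-9][A-Za-z0-9._-]*$')] [string] $PolicyId,

        # 'Self' = user consent on own behalf, 'All' = tenant-wide admin consent.
        [Parameter(Mandatory)] [ValidateSet('Self', 'All')] [string] $Scope,

        # Also let assignees read and update existing policies (never create or delete them).
        [switch] $ManagePolicies,

        [Parameter(Mandatory)] [string] $DisplayName
    )

    # Refuse to create a role whose permission points at a policy that does not exist:
    # the permission would never become active and the misconfiguration would go unnoticed.
    $policy = Get-AzureADMSPermissionGrantPolicy -Id $PolicyId -ErrorAction Stop
    if (-not $policy) { throw "App consent policy '$PolicyId' was not found." }

    # Permission strings from the page, with {id} replaced by the policy ID.
    $actions = @("microsoft.directory/servicePrincipals/managePermissionGrantsFor$($Scope).$($PolicyId)")
    if ($ManagePolicies) {
        $actions += 'microsoft.directory/permissionGrantPolicies/standard/read'
        $actions += 'microsoft.directory/permissionGrantPolicies/basic/update'
    }

    $rolePermissions = @{ 'allowedResourceActions' = $actions }

    if ($PSCmdlet.ShouldProcess($DisplayName, "Create custom role with: $($actions -join ', ')")) {
        New-AzureADMSRoleDefinition -DisplayName $DisplayName `
            -Description "Delegated app consent ($Scope) subject to policy '$PolicyId'" `
            -RolePermissions $rolePermissions `
            -TemplateId (New-Guid).Guid `
            -IsEnabled $true
    }
}

# Usage: sign in, create a role that grants tenant-wide admin consent only under the
# page's example custom policy 'low-risk-any-app' (constructed), then review what it allows.
Connect-AzureAD | Out-Null
$role = New-AppConsentDelegationRole -PolicyId 'low-risk-any-app' -Scope 'All' -ManagePolicies `
    -DisplayName 'App Consent Approver (low-risk apps)'
$role.RolePermissions.AllowedResourceActions
```

Run it with -WhatIf first to see the exact permission strings that would be written into the role definition without creating anything; for the user-consent variant pass -Scope 'Self' with a policy such as the built-in microsoft-user-default-low.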
Full list of permissions

| Permission | Description |
|---|---|
| [Link]/servicePrincipals/managePermissionGrantsForSelf.{id} | Grants the ability to consent to apps on behalf of self (user consent), subject to app consent policy {id}. |
| [Link]/servicePrincipals/managePermissionGrantsForAll.{id} | Grants the permission to consent to apps on behalf of all (tenant-wide admin consent), subject to app consent policy {id}. |
| [Link]/permissionGrantPolicies/standard/read | Grants the ability to read app consent policies. |
| [Link]/permissionGrantPolicies/basic/update | Grants the ability to update basic properties on existing app consent policies. |
| [Link]/permissionGrantPolicies/create | Grants the ability to create app consent policies. |
| [Link]/permissionGrantPolicies/delete | Grants the ability to delete app consent policies. |
Next steps
Create custom roles using the Azure portal, Azure AD PowerShell, and Microsoft
Graph API
View the assignments for a custom role
Device management permissions for Azure AD custom roles
Article • 12/01/2022 • 2 minutes to read
Device management permissions can be used in custom role definitions in Azure Active
Directory (Azure AD) to grant fine-grained access such as the following:
Enable or disable devices
Delete devices
Read BitLocker recovery keys
Read BitLocker metadata
Read device registration policies
Update device registration policies
This article lists the permissions you can use in your custom roles for different device
management scenarios. For information about how to create custom roles, see Create
and assign a custom role.
Enable or disable devices
The following permissions are available to toggle device states.
[Link]/devices/enable
[Link]/devices/disable
Read BitLocker recovery keys
The following permission is available to read BitLocker metadata and recovery keys.
Note that this single permission provides read for both BitLocker metadata and recovery
keys.
[Link]/bitlockerKeys/key/read
You can view the BitLocker recovery key by selecting a device from the All Devices page,
and then selecting Show Recovery Key. For more information about reading BitLocker
recovery keys, see View or copy BitLocker keys.
Read BitLocker metadata
The following permission is available to read the BitLocker metadata for all devices.
[Link]/bitlockerKeys/metadata/read
You can read the BitLocker metadata for all devices, but you can't read the BitLocker
recovery key.
Read device registration policies
The following permission is available to read tenant-wide device registration settings.
[Link]/deviceRegistrationPolicy/standard/read
You can read device settings in the Azure portal.
Update device registration policies
The following permission is available to update tenant-wide device registration settings.
[Link]/deviceRegistrationPolicy/basic/update
Full list of permissions

Read

| Permission | Description |
|---|---|
| [Link]/devices/createdFrom/read | Read createdFrom properties of devices |
| [Link]/devices/registeredOwners/read | Read registered owners of devices |
| [Link]/devices/registeredUsers/read | Read registered users of devices |
| [Link]/devices/standard/read | Read basic properties on devices |
| [Link]/bitlockerKeys/key/read | Read BitLocker metadata and key on devices |
| [Link]/bitlockerKeys/metadata/read | Read BitLocker metadata on devices |
| [Link]/deviceRegistrationPolicy/standard/read | Read standard properties on device registration policies |

Update

| Permission | Description |
|---|---|
| [Link]/devices/registeredOwners/update | Update registered owners of devices |
| [Link]/devices/registeredUsers/update | Update registered users of devices |
| [Link]/devices/enable | Enable devices in Azure AD |
| [Link]/devices/disable | Disable devices in Azure AD |
| [Link]/deviceRegistrationPolicy/basic/update | Update basic properties on device registration policies |

Delete

| Permission | Description |
|---|---|
| [Link]/devices/delete | Delete devices from Azure AD |
Next steps
Create and assign a custom role in Azure Active Directory
List Azure AD role assignments
User management permissions for Azure AD custom roles (preview)
Article • 10/26/2022 • 3 minutes to read
Important
User management permissions for Azure AD custom roles is currently in PREVIEW.
See the Supplemental Terms of Use for Microsoft Azure Previews for legal
terms that apply to Azure features that are in beta, preview, or otherwise not yet
released into general availability.
User management permissions can be used in custom role definitions in Azure Active
Directory (Azure AD) to grant fine-grained access such as the following:
Read or update basic properties of users
Read or update identity of users
Read or update job information of users
Update contact information of users
Update parental controls of users
Update settings of users
Read direct reports of users
Update extension properties of users
Read device information of users
Read or manage licenses of users
Update password policies of users
Read assignments and memberships of users
This article lists the permissions you can use in your custom roles for different user
management scenarios. For information about how to create custom roles, see Create
and assign a custom role.
License requirements
Using this feature requires Azure AD Premium P1 licenses. To find the right license for
your requirements, see Compare generally available features of Azure AD.
Read or update basic properties of users
The following permissions are available to read or update basic properties of users.
| Permission | Description |
|---|---|
| [Link]/users/standard/read | Read basic properties on users. |
| [Link]/users/basic/update | Update basic properties on users. |
Read or update identity of users
The following permissions are available to read or update identity of users.
| Permission | Description |
|---|---|
| [Link]/users/identities/read | Read identities of users. |
| [Link]/users/identities/update | Update the identity properties of users, such as name and user principal name. |
Read or update job information of users
The following permissions are available to read or update job information of users.
| Permission | Description |
|---|---|
| [Link]/users/manager/read | Read manager of users. |
| [Link]/users/manager/update | Update manager for users. |
| [Link]/users/jobInfo/update | Update the job info properties of users, such as job title, department, and company name. |
Update contact information of users
The following permissions are available to update contact information of users.
| Permission | Description |
|---|---|
| [Link]/users/contactInfo/update | Update the contact info properties of users, such as address, phone, and email. |
Update parental controls of users
The following permissions are available to update parental controls of users.
| Permission | Description |
|---|---|
| [Link]/users/parentalControls/update | Update parental controls of users. |
Update settings of users
The following permissions are available to update settings of users.
| Permission | Description |
|---|---|
| [Link]/users/usageLocation/update | Update usage location of users. |
Read direct reports of users
The following permissions are available to read direct reports of users.
| Permission | Description |
|---|---|
| [Link]/users/directReports/read | Read the direct reports for users. |
Update extension properties of users
The following permissions are available to update extension properties of users.
| Permission | Description |
|---|---|
| [Link]/users/extensionProperties/update | Update extension properties of users. |
Read device information of users
The following permissions are available to read device information of users.
| Permission | Description |
|---|---|
| [Link]/users/ownedDevices/read | Read owned devices of users. |
| [Link]/users/registeredDevices/read | Read registered devices of users. |
| [Link]/users/deviceForResourceAccount/read | Read deviceForResourceAccount of users. |
Read or manage licenses of users
The following permissions are available to read or manage licenses of users.
| Permission | Description |
|---|---|
| [Link]/users/licenseDetails/read | Read license details of users. |
| [Link]/users/assignLicense | Manage user licenses. |
| [Link]/users/reprocessLicenseAssignment | Reprocess license assignments for users. |
Update password policies of users
The following permissions are available to update password policies of users.
| Permission | Description |
|---|---|
| [Link]/users/passwordPolicies/update | Update password policies properties of users. |
Read assignments and memberships of users
The following permissions are available to read assignments and memberships of users.
| Permission | Description |
|---|---|
| [Link]/users/appRoleAssignments/read | Read application role assignments for users. |
| [Link]/users/scopedRoleMemberOf/read | Read a user's membership of an Azure AD role that is scoped to an administrative unit. |
| [Link]/users/memberOf/read | Read the group memberships of users. |
Full list of permissions
| Permission | Description |
|---|---|
| [Link]/users/appRoleAssignments/read | Read application role assignments for users. |
| [Link]/users/assignLicense | Manage user licenses. |
| [Link]/users/basic/update | Update basic properties on users. |
| [Link]/users/contactInfo/update | Update the contact info properties of users, such as address, phone, and email. |
| [Link]/users/deviceForResourceAccount/read | Read deviceForResourceAccount of users. |
| [Link]/users/directReports/read | Read the direct reports for users. |
| [Link]/users/extensionProperties/update | Update extension properties of users. |
| [Link]/users/identities/read | Read identities of users. |
| [Link]/users/identities/update | Update the identity properties of users, such as name and user principal name. |
| [Link]/users/jobInfo/update | Update the job info properties of users, such as job title, department, and company name. |
| [Link]/users/licenseDetails/read | Read license details of users. |
| [Link]/users/manager/read | Read manager of users. |
| [Link]/users/manager/update | Update manager for users. |
| [Link]/users/memberOf/read | Read the group memberships of users. |
| [Link]/users/ownedDevices/read | Read owned devices of users. |
| [Link]/users/parentalControls/update | Update parental controls of users. |
| [Link]/users/passwordPolicies/update | Update password policies properties of users. |
| [Link]/users/registeredDevices/read | Read registered devices of users. |
| [Link]/users/reprocessLicenseAssignment | Reprocess license assignments for users. |
| [Link]/users/scopedRoleMemberOf/read | Read a user's membership of an Azure AD role that is scoped to an administrative unit. |
| [Link]/users/standard/read | Read basic properties on users. |
| [Link]/users/usageLocation/update | Update usage location of users. |
Next steps
Create and assign a custom role in Azure Active Directory
List Azure AD role assignments
Group management permissions for Azure AD custom roles
Article • 08/21/2022 • 5 minutes to read
Group management permissions can be used in custom role definitions in Azure Active
Directory (Azure AD) to grant fine-grained access such as the following:
Manage group properties like name and description
Manage members and owners
Create or delete groups
Read audit logs
Manage a specific type of group
This article lists the permissions you can use in your custom roles for different group
management scenarios. For information about how to create custom roles, see Create
and assign a custom role.
License requirements
Using this feature requires Azure AD Premium P1 licenses. To find the right license for
your requirements, see Compare generally available features of Azure AD.
How to interpret group management permissions
To interpret the group management permissions, it helps to understand what the
different permission subtypes mean.
| Permission subtype | Permission subtype description |
|---|---|
| groups | Manage security groups and Microsoft 365 groups, excluding role-assignable groups |
| [Link] | Manage Microsoft 365 groups of both dynamic and assigned membership type, excluding role-assignable groups |
| [Link] | Manage Microsoft 365 groups of only assigned membership type, excluding role-assignable groups |
| [Link] | Manage security groups of both dynamic and assigned membership type, excluding role-assignable groups |
| [Link] | Manage security groups of only assigned membership type, excluding role-assignable groups |
The following table has example permissions for updating group members of different
subtypes.
| Permission example | Permission description |
|---|---|
| [Link]/groups/members/update | Update members of Security groups and Microsoft 365 groups, excluding role-assignable groups |
| [Link]/[Link]/members/update | Update members of Microsoft 365 groups, excluding role-assignable groups |
| [Link]/[Link]mbership/members/update | Update members of Microsoft 365 groups of assigned membership type, excluding role-assignable groups |
| [Link]/[Link]/members/update | Update members of Security groups, excluding role-assignable groups |
| [Link]/[Link]embership/members/update | Update members of Security groups of assigned membership type, excluding role-assignable groups |
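The subtype rules above are easy to misread when assigning a custom role: a permission on the assigned-membership subtype silently does nothing for a dynamic group, and no subtype at all reaches a role-assignable group. The following added example (not code from the page or from Microsoft) encodes those rules as a check you can run against group objects before relying on a permission. Assumptions: the subtype identifiers, which this page's extraction renders as "[Link]", are taken here as groups, groups.unified, groups.unified.assignedMembership, groups.security and groups.security.assignedMembership, matching the descriptions in the table; the namespace prefix is taken as microsoft.directory/; group objects use the property names that Get-AzureADMSGroup returns (GroupTypes, MembershipRule, SecurityEnabled, IsAssignableToRole); the sample groups and function names are constructed.

```powershell
# Added example (not from the page or from Microsoft). Decides whether a group-management
# permission string covers a given group, following the subtype table on this page.
# Assumptions: subtype names groups / groups.unified / groups.unified.assignedMembership /
# groups.security / groups.security.assignedMembership and the microsoft.directory/ prefix
# (both rendered as "[Link]" in this page's extraction); Get-AzureADMSGroup property names.

function Get-GroupPermissionSubtypes {
    param([Parameter(Mandatory)] $Group)
    # Role-assignable groups are excluded from every subtype in the table:
    # none of these custom-role permissions can touch them.
    if ($Group.IsAssignableToRole) { return @() }

    $isUnified = @($Group.GroupTypes) -contains 'Unified'              # Microsoft 365 group
    $isDynamic = -not [string]::IsNullOrWhiteSpace($Group.MembershipRule)

    if ($isUnified) {
        $subtypes = @('groups', 'groups.unified')
        if (-not $isDynamic) { $subtypes += 'groups.unified.assignedMembership' }
        return $subtypes
    }
    if ($Group.SecurityEnabled) {
        $subtypes = @('groups', 'groups.security')
        if (-not $isDynamic) { $subtypes += 'groups.security.assignedMembership' }
        return $subtypes
    }
    # A mail-enabled distribution group is neither a security nor a Microsoft 365 group,
    # so no subtype in the table covers it.
    return @()
}

function Test-GroupPermissionApplies {
    param(
        [Parameter(Mandatory)] [string] $Permission,
        [Parameter(Mandatory)] $Group
    )
    # Shape: microsoft.directory/<subtype>/<property>/<action> (or .../<action> for create)
    $parts = $Permission -split '/'
    if ($parts.Count -lt 3 -or $parts[0] -ne 'microsoft.directory') {
        throw "Not a directory permission string: $Permission"
    }
    $subtype = $parts[1]
    return ((Get-GroupPermissionSubtypes -Group $Group) -contains $subtype)
}

# Constructed sample groups, shaped like Get-AzureADMSGroup output.
$groups = @(
    [pscustomobject]@{ DisplayName = 'Sales (M365, assigned)';        GroupTypes = @('Unified');                     MembershipRule = $null;                         SecurityEnabled = $false; IsAssignableToRole = $false }
    [pscustomobject]@{ DisplayName = 'All FTE (M365, dynamic)';       GroupTypes = @('Unified', 'DynamicMembership'); MembershipRule = '(user.userType -eq "Member")'; SecurityEnabled = $false; IsAssignableToRole = $false }
    [pscustomobject]@{ DisplayName = 'VPN users (security, assigned)'; GroupTypes = @();                              MembershipRule = $null;                         SecurityEnabled = $true;  IsAssignableToRole = $false }
    [pscustomobject]@{ DisplayName = 'Helpdesk (role-assignable)';     GroupTypes = @();                              MembershipRule = $null;                         SecurityEnabled = $true;  IsAssignableToRole = $true }
)

$permission = 'microsoft.directory/groups.unified.assignedMembership/members/update'
foreach ($g in $groups) {
    [pscustomobject]@{
        Group   = $g.DisplayName
        Covered = Test-GroupPermissionApplies -Permission $permission -Group $g
    }
}
```

With the sample above only "Sales (M365, assigned)" comes back as covered: the dynamic Microsoft 365 group fails the assigned-membership condition, the security group is the wrong subtype, and the role-assignable group is excluded outright. To audit a real tenant, replace the constructed list with the output of Get-AzureADMSGroup.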
Read group information
The following permissions are available to read properties, members, and owners of
groups.
| Permission | Description |
|---|---|
| [Link]/groups/allProperties/read | Read all properties (including privileged properties) on Security groups and Microsoft 365 groups, including role-assignable groups |
| [Link]/groups/standard/read | Read standard properties of Security groups and Microsoft 365 groups, including role-assignable groups |
| [Link]/groups/members/read | Read members of Security groups and Microsoft 365 groups, including role-assignable groups |
| [Link]/groups/memberOf/read | Read the memberOf property on Security groups and Microsoft 365 groups, including role-assignable groups |
| [Link]/groups/owners/read | Read owners of Security groups and Microsoft 365 groups, including role-assignable groups |
Create groups
The following permissions are available to create groups of different types.
| Permission | Description |
|---|---|
| [Link]/groups/create | Create Security groups and Microsoft 365 groups, excluding role-assignable groups |
| [Link]/[Link]/create | Create Microsoft 365 groups, excluding role-assignable groups |
| [Link]/[Link]mbership/create | Create Microsoft 365 groups of assigned membership type, excluding role-assignable groups |
| [Link]/[Link]/create | Create Security groups, excluding role-assignable groups |
| [Link]/[Link]mbership/create | Create Security groups of assigned membership type, excluding role-assignable groups |
| [Link]/groups/createAsOwner | Create Security groups and Microsoft 365 groups, excluding role-assignable groups. Creator is added as the first owner. |
| [Link]/[Link]/createAsOwner | Create Microsoft 365 groups, excluding role-assignable groups. Creator is added as the first owner. |
| [Link]/[Link]mbership/createAsOwner | Create Microsoft 365 groups of assigned membership type, excluding role-assignable groups. Creator is added as the first owner. |
| [Link]/[Link]/createAsOwner | Create Security groups, excluding role-assignable groups. Creator is added as the first owner. |
| [Link]/[Link]mbership/createAsOwner | Create Security groups of assigned membership type, excluding role-assignable groups. Creator is added as the first owner. |
Update group information
The following permissions are available to update properties and members of groups.
| Permission | Description |
|---|---|
| [Link]/groups/allProperties/update | Update all properties (including privileged properties) on Security groups and Microsoft 365 groups, excluding role-assignable groups |
| [Link]/[Link]/allProperties/update | Update all properties (including privileged properties) on Microsoft 365 groups, excluding role-assignable groups |
| [Link]/[Link]mbership/allProperties/update | Update all properties (including privileged properties) on Microsoft 365 groups of assigned membership type, excluding role-assignable groups |
| [Link]/[Link]/allProperties/update | Update all properties (including privileged properties) on Security groups, excluding role-assignable groups |
| [Link]/[Link]mbership/allProperties/update | Update all properties (including privileged properties) on Security groups of assigned membership type, excluding role-assignable groups |
| [Link]/groups/basic/update | Update basic properties on Security groups and Microsoft 365 groups, excluding role-assignable groups |
| [Link]/[Link]/basic/update | Update basic properties on Microsoft 365 groups, excluding role-assignable groups |
| [Link]/[Link]mbership/basic/update | Update basic properties on Microsoft 365 groups of assigned membership type, excluding role-assignable groups |
| [Link]/[Link]/basic/update | Update basic properties on Security groups, excluding role-assignable groups |
| [Link]/[Link]mbership/basic/update | Update basic properties on Security groups of assigned membership type, excluding role-assignable groups |
| [Link]/groups/classification/update | Update the classification property on Security groups and Microsoft 365 groups, excluding role-assignable groups |
| [Link]/[Link]/classification/update | Update the classification property on Microsoft 365 groups, excluding role-assignable groups |
| [Link]/[Link]mbership/classification/update | Update the classification property on Microsoft 365 groups of assigned membership type, excluding role-assignable groups |
| [Link]/[Link]/classification/update | Update the classification property on Security groups, excluding role-assignable groups |
| [Link]/[Link]mbership/classification/update | Update the classification property on Security groups of assigned membership type, excluding role-assignable groups |
| [Link]/groups/dynamicMembershipRule/update | Update the dynamic membership rule on Security groups and Microsoft 365 groups, excluding role-assignable groups |
| [Link]/[Link]/dynamicMembershipRule/update | Update the dynamic membership rule on Microsoft 365 groups, excluding role-assignable groups |
| [Link]/[Link]/dynamicMembershipRule/update | Update the dynamic membership rule on Security groups, excluding role-assignable groups |
| [Link]/groups/members/update | Update members of Security groups and Microsoft 365 groups, excluding role-assignable groups |
| [Link]/[Link]/members/update | Update members of Microsoft 365 groups, excluding role-assignable groups |
| [Link]/[Link]mbership/members/update | Update members of Microsoft 365 groups of assigned membership type, excluding role-assignable groups |
| [Link]/[Link]/members/update | Update members of Security groups, excluding role-assignable groups |
| [Link]/[Link]mbership/members/update | Update members of Security groups of assigned membership type, excluding role-assignable groups |
Update members of different group types
The following permissions are available to update members of different group types.
| Permission | Description |
|---|---|
| [Link]/groups/members/update | Update members of Security groups and Microsoft 365 groups, excluding role-assignable groups |
| [Link]/[Link]/members/update | Update members of Microsoft 365 groups, excluding role-assignable groups |
| [Link]/[Link]mbership/members/update | Update members of Microsoft 365 groups of assigned membership type, excluding role-assignable groups |
| [Link]/[Link]/members/update | Update members of Security groups, excluding role-assignable groups |
| [Link]/[Link]mbership/members/update | Update members of Security groups of assigned membership type, excluding role-assignable groups |
Delete groups
The following permissions are available to delete groups.
| Permission | Description |
|---|---|
| [Link]/groups/delete | Delete Security groups and Microsoft 365 groups, excluding role-assignable groups |
| [Link]/[Link]/members/update | Update members of Microsoft 365 groups, excluding role-assignable groups |
| [Link]/[Link]mbership/members/update | Update members of Microsoft 365 groups of assigned membership type, excluding role-assignable groups |
| [Link]/[Link]/members/update | Update members of Security groups, excluding role-assignable groups |
| [Link]/[Link]mbership/members/update | Update members of Security groups of assigned membership type, excluding role-assignable groups |
Next steps
Create and assign a custom role in Azure Active Directory
List Azure AD role assignments
Azure AD service limits and restrictions
Article • 08/18/2022 • 6 minutes to read
This article contains the usage constraints and other service limits for Azure Active
Directory (Azure AD), part of Microsoft Entra. If you’re looking for the full set of
Microsoft Azure service limits, see Azure Subscription and Service Limits, Quotas, and
Constraints.
Here are the usage constraints and other service limits for the Azure AD service.
Tenants
- A single user can belong to a maximum of 500 Azure AD tenants as a member or a guest.
- A single user can create a maximum of 200 directories.

Domains
- You can add no more than 5,000 managed domain names.
- If you set up all of your domains for federation with on-premises Active Directory, you can add no more than 2,500 domain names in each tenant.

Resources
- By default, a maximum of 50,000 Azure AD resources can be created in a single tenant by users of the Azure Active Directory Free edition. If you have at least one verified domain, the default Azure AD service quota for your organization is extended to 300,000 Azure AD resources.
- The Azure AD service quota for organizations created by self-service sign-up remains 50,000 Azure AD resources, even after you perform an internal admin takeover and the organization is converted to a managed tenant with at least one verified domain. This service limit is unrelated to the pricing tier limit of 500,000 resources on the Azure AD pricing page.
- To go beyond the default quota, you must contact Microsoft Support.
- A non-admin user can create no more than 250 Azure AD resources. Both active resources and deleted resources that are available to restore count toward this quota. Only deleted Azure AD resources that were deleted fewer than 30 days ago are available to restore. Deleted Azure AD resources that are no longer available to restore count toward this quota at a value of one-quarter for 30 days.
- If you have developers who are likely to repeatedly exceed this quota in the course of their regular duties, you can create and assign a custom role with permission to create a limitless number of app registrations.
- Resource limitations apply to all directory objects in a given Azure AD tenant, including users, groups, applications, and service principals.

Schema extensions
- String-type extensions can have a maximum of 256 characters.
- Binary-type extensions are limited to 256 bytes.
- Only 100 extension values, across all types and all applications, can be written to any single Azure AD resource.
- Only User, Group, TenantDetail, Device, Application, and ServicePrincipal entities can be extended with string-type or binary-type single-valued attributes.

Applications
- A maximum of 100 users and service principals can be owners of a single application.
- A user, group, or service principal can have a maximum of 1,500 app role assignments. The limitation is on the service principal, user, or group across all app roles and not on the number of assignments on a single app role.
- An app configured for password-based single sign-on can have a maximum of 48 groups assigned with credentials configured.
- A user can have credentials configured for a maximum of 48 apps using password-based single sign-on. This limit only applies for credentials configured when the user is directly assigned the app, not when the user is a member of a group which is assigned.
- See additional limits in Validation differences by supported account types.

Application manifest
- A maximum of 1,200 entries can be added to the application manifest.
- See additional limits in Validation differences by supported account types.

Groups
- A non-admin user can create a maximum of 250 groups in an Azure AD organization. Any Azure AD admin who can manage groups in the organization can also create an unlimited number of groups (up to the Azure AD object limit). If you assign a role to a user to remove the limit for that user, assign a less privileged, built-in role such as User Administrator or Groups Administrator.
- An Azure AD organization can have a maximum of 5,000 dynamic groups and dynamic administrative units combined.
- A maximum of 500 role-assignable groups can be created in a single Azure AD organization (tenant).
- A maximum of 100 users can be owners of a single group.
- Any number of Azure AD resources can be members of a single group.
- A user can be a member of any number of groups. When security groups are being used in combination with SharePoint Online, a user can be a part of 2,049 security groups in total. This includes both direct and indirect group memberships. When this limit is exceeded, authentication and search results become unpredictable.
- By default, the number of members in a group that you can synchronize from your on-premises Active Directory to Azure Active Directory by using Azure AD Connect is limited to 50,000 members. If you need to sync a group membership that's over this limit, you must onboard the Azure AD Connect Sync V2 endpoint API.
- Nested groups in Azure AD are not supported within all scenarios.
- When you select a list of groups, you can assign a group expiration policy to a maximum of 500 Microsoft 365 groups. There is no limit when the policy is applied to all Microsoft 365 groups.
- At this time, the following scenarios are supported with nested groups:
  - One group can be added as a member of another group, and you can achieve group nesting.
  - Group membership claims. When an app is configured to receive group membership claims in the token, nested groups in which the signed-in user is a member are included.
  - Conditional access (when a conditional access policy has a group scope).
  - Restricting access to self-serve password reset.
  - Restricting which users can do Azure AD Join and device registration.
- The following scenarios are not supported with nested groups:
  - App role assignment, for both access and provisioning. Assigning groups to an app is supported, but any groups nested within the directly assigned group won't have access.
  - Group-based licensing (assigning a license automatically to all members of a group).
  - Microsoft 365 Groups.

Application Proxy
- A maximum of 500 transactions* per second per Application Proxy application.
- A maximum of 750 transactions per second for the Azure AD organization.
- *A transaction is defined as a single HTTP request and response for a unique resource. When clients are throttled, they'll receive a 429 response (too many requests).

Access Panel
- There's no limit to the number of applications per user that can be displayed in the Access Panel, regardless of the number of assigned licenses.

Reports
- A maximum of 1,000 rows can be viewed or downloaded in any report. Any additional data is truncated.

Administrative units
- An Azure AD resource can be a member of no more than 30 administrative units.
- An Azure AD organization can have a maximum of 5,000 dynamic groups and dynamic administrative units combined.

Azure AD roles and permissions
- A maximum of 100 Azure AD custom roles can be created in an Azure AD organization.
- A maximum of 150 Azure AD custom role assignments for a single principal at any scope.
- A maximum of 100 Azure AD built-in role assignments for a single principal at non-tenant scope (such as an administrative unit or Azure AD object). There is no limit to Azure AD built-in role assignments at tenant scope.
- A group can't be added as a group owner.
- A user's ability to read other users' tenant information can be restricted only by the Azure AD organization-wide switch to disable all non-admin users' access to all tenant information (not recommended). For more information, see To restrict the default permissions for member users.
- It might take up to 15 minutes or you might have to sign out and sign back in before admin role membership additions and revocations take effect.

Conditional Access Policies
- A maximum of 195 policies can be created in a single Azure AD organization (tenant).
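The per-user resource quota in the Resources row is the one that trips up developers, and its deleted-object rule is easy to misread. The following added example (not code from the page or from Microsoft) computes quota usage under that rule as read here: active objects count in full, objects deleted fewer than 30 days ago (still restorable) count in full, objects past the restore window count one-quarter for a further 30 days, and after that nothing. Assumptions: the function names and the sample object list are constructed; in a real check the list would be built from the user's owned objects plus the deleted-items container, each carrying a DeletedDateTime.

```powershell
# Added example (not from the page or from Microsoft). Weighs a user's active and deleted
# directory objects against the 250-resource quota from the Resources row above.
# Assumption: objects carry a DeletedDateTime property that is $null while the object is active.

function Get-ResourceQuotaWeight {
    param(
        [Parameter(Mandatory)] [object] $Resource,
        [datetime] $AsOf = (Get-Date)
    )
    if ($null -eq $Resource.DeletedDateTime) { return 1.0 }      # active: counts in full
    $ageDays = ($AsOf - [datetime]$Resource.DeletedDateTime).TotalDays
    if ($ageDays -lt 30) { return 1.0 }   # still restorable: counts in full
    if ($ageDays -lt 60) { return 0.25 }  # past the restore window: one-quarter for 30 more days
    return 0.0                            # older than that: no longer counted
}

function Get-ResourceQuotaUsage {
    param(
        [Parameter(Mandatory)] [object[]] $Resources,
        [int] $Quota = 250,
        [datetime] $AsOf = (Get-Date)
    )
    $used = 0.0
    foreach ($r in $Resources) { $used += Get-ResourceQuotaWeight -Resource $r -AsOf $AsOf }
    [pscustomobject]@{
        Used      = $used
        Quota     = $Quota
        Remaining = [math]::Max(0, [math]::Floor($Quota - $used))  # whole objects still creatable
        AtLimit   = ($used -ge $Quota)
    }
}

# Constructed sample, evaluated at a fixed date: 230 active app registrations, 8 deleted a
# week ago, 10 deleted 45 days ago, 30 deleted 90 days ago.
$now = Get-Date '2022-12-01'
$sample = @()
1..230 | ForEach-Object { $sample += [pscustomobject]@{ DeletedDateTime = $null } }
1..8   | ForEach-Object { $sample += [pscustomobject]@{ DeletedDateTime = $now.AddDays(-7) } }
1..10  | ForEach-Object { $sample += [pscustomobject]@{ DeletedDateTime = $now.AddDays(-45) } }
1..30  | ForEach-Object { $sample += [pscustomobject]@{ DeletedDateTime = $now.AddDays(-90) } }

Get-ResourceQuotaUsage -Resources $sample -AsOf $now
```

For the sample the weighted usage is 240.5 of 250 (230 active, 8 recent deletions at full weight, 10 older deletions at one-quarter, the 90-day-old ones at zero), leaving room for 9 more objects; the point to notice is that purging old registrations only frees quota gradually, so a developer who has hit the limit is better served by the custom role the page mentions than by bulk deletion.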
Next steps
Sign up for Azure as an organization
How Azure subscriptions are associated with Azure AD
AzureAD
Reference
Important
Azure AD PowerShell is planned for deprecation. For more details on the deprecation plans, see the
deprecation update. You can start trying Microsoft Graph PowerShell to interact with Azure AD as
you would in Azure AD PowerShell. In addition, Microsoft Graph PowerShell allows you access to all
Microsoft Graph APIs and is available on PowerShell 7. For answers to frequent migration queries, see
the migration FAQ.
The Azure Active Directory PowerShell for Graph module can be downloaded and installed from the
PowerShell Gallery. The gallery uses the PowerShellGet module. The PowerShellGet module requires
PowerShell 3.0 or newer and requires one of the following operating systems:
Windows 10
Windows 8.1 Pro
Windows 8.1 Enterprise
Windows 7 SP1
Windows Server 2016 TP5
Windows Server 2012 R2
Windows Server 2008 R2 SP1
PowerShellGet also requires .NET Framework 4.5 or above. You can install .NET Framework 4.5 or above
from here.
For more detailed information on installing the AzureAD cmdlets, see Azure Active Directory PowerShell
for Graph.
These are the cmdlets in the Azure Active Directory PowerShell for Graph module.
Administrative Units

| Cmdlet | Description |
|---|---|
| Add-AzureADMSAdministrativeUnitMember | Adds an administrative unit member. |
| Add-AzureADMSScopedRoleMembership | Adds a scoped role membership to an administrative unit. |
| Get-AzureADMSAdministrativeUnit | Gets an administrative unit. |
| Get-AzureADMSAdministrativeUnitMember | Gets a member of an administrative unit. |
| Get-AzureADMSScopedRoleMembership | Gets a scoped role membership from an administrative unit. |
| New-AzureADMSAdministrativeUnit | Creates an administrative unit. |
| Remove-AzureADMSAdministrativeUnit | Removes an administrative unit. |
| Remove-AzureADMSAdministrativeUnitMember | Removes an administrative unit member. |
| Remove-AzureADMSScopedRoleMembership | Removes a scoped role membership. |
Application Proxy Application Management

| Cmdlet | Description |
|---|---|
| Get-AzureADApplicationProxyApplication | The Get-AzureADApplicationProxyApplication cmdlet retrieves an application configured for Application Proxy in Azure Active Directory. |
| Get-AzureADApplicationProxyApplicationConnectorGroup | The Get-AzureADApplicationProxyApplicationConnectorGroup cmdlet retrieves the connector group assigned for a specific application. |
| New-AzureADApplicationProxyApplication | The New-AzureADApplicationProxyApplication cmdlet creates a new application configured for Application Proxy in Azure Active Directory. |
| Remove-AzureADApplicationProxyApplication | Deletes an Application Proxy application. |
| Remove-AzureADApplicationProxyApplicationConnectorGroup | The Remove-AzureADApplicationProxyApplicationConnectorGroup cmdlet sets the connector group assigned for the specified application to 'Default' and removes the current assignment. |
| Set-AzureADApplicationProxyApplication | The Set-AzureADApplicationProxyApplication cmdlet allows you to modify and set configurations for an application in Azure Active Directory configured to use Application Proxy. |
| Set-AzureADApplicationProxyApplicationCustomDomainCertificate | The Set-AzureADApplicationProxyApplicationCustomDomainCertificate cmdlet assigns a certificate to an application configured for Application Proxy in Azure Active Directory (AD). This will upload the certificate and allow the application to use Custom Domains. |
| Set-AzureADApplicationProxyApplicationSingleSignOn | The Set-AzureADApplicationProxyApplicationSingleSignOn cmdlet allows you to set and modify single sign-on (SSO) settings for an application configured for Application Proxy in Azure Active Directory. |
Application Proxy Connector Management
Get-AzureADApplicationProxyConnector The Get-AzureADApplicationProxyApplicationConnector cmdlet
a list of all connectors, or if specified, details of a specific
connector.
Get-AzureADApplicationProxyConnectorGroup The Get-AzureADApplicationProxyConnectorGroup cmdlet
retrieves a list of all connector groups, or if specified, details of
a specific connector group.
Get- The Get-AzureADApplicationProxyConnectorGroupMembers
AzureADApplicationProxyConnectorGroupMembers gets all the Application Proxy connectors associated with the
given connector group.
Get-AzureADApplicationProxyConnectorMemberOf The Get-AzureADApplicationProxyConnectorMemberOf
command gets the ConnectorGroup that the specified
Connector is a member of.
New-AzureADApplicationProxyConnectorGroup The New-AzureADApplicationProxyConnectorGroup cmdlet
creates a new Application Proxy Connector group.
Remove-AzureADApplicationProxyConnectorGroup The Remove-AzureADApplicationProxyConnectorGroup cmdlet
deletes an Application Proxy Connector group.
Set- The Set-AzureADApplicationProxyApplicationConnectorGroup
AzureADApplicationProxyApplicationConnectorGroup cmdlet assigns the given connector group to a specified
application.
Set-AzureADApplicationProxyConnector The Set-AzureADApplicationProxyConnector cmdlet allows
reassignment of the connector to another connector group.
Set-AzureADApplicationProxyConnectorGroup The Set-AzureADApplicationProxyConnectorGroup cmdlet
allows you to change the name of a given Application Proxy
connector group.
Applications
Add-AzureADApplicationOwner | Adds an owner to an application.
Get-AzureADApplication | Gets an application.
Get-AzureADApplicationExtensionProperty | Gets application extension properties.
Get-AzureADApplicationKeyCredential | Gets the key credentials for an application.
Get-AzureADApplicationLogo | Retrieves the logo of an application.
Get-AzureADApplicationOwner | Gets the owner of an application.
Get-AzureADApplicationPasswordCredential | Gets the password credential for an application.
Get-AzureADApplicationServiceEndpoint | Retrieves the service endpoint of an application.
Get-AzureADDeletedApplication | Retrieves the list of previously deleted applications.
New-AzureADApplication | Creates an application.
New-AzureADApplicationExtensionProperty | Creates an application extension property.
New-AzureADApplicationKeyCredential | Creates a key credential for an application.
New-AzureADApplicationPasswordCredential | Creates a password credential for an application.
Remove-AzureADApplication | Deletes an application by objectId.
Remove-AzureADApplicationExtensionProperty | Removes an application extension property.
Remove-AzureADApplicationKeyCredential | Removes a key credential from an application.
Remove-AzureADApplicationOwner | Removes an owner from an application.
Remove-AzureADApplicationPasswordCredential | Removes a password credential from an application.
Set-AzureADApplication | Updates an application.
Set-AzureADApplicationLogo | Sets the logo for an application.

AzureAD
Add-AzureADMSApplicationOwner | Adds an owner for an application object.
Add-AzureADMSServicePrincipalDelegatedPermissionClassification | Adds a classification for a delegated permission.
Get-AzureADApplicationProxyConnectorGroupMember | (no synopsis provided)
Get-AzureADCurrentSessionInfo | Returns the current session state.
Get-AzureADMSApplication | Retrieves the list of applications within the organization.
Get-AzureADMSApplicationExtensionProperty | Retrieves the list of extension properties on an application object.
Get-AzureADMSApplicationOwner | Retrieves the list of owners for an application object.
Get-AzureADMSConditionalAccessPolicy | Gets an Azure Active Directory conditional access policy.
Get-AzureADMSDeletedDirectoryObject | Retrieves a soft-deleted directory object from the directory.
Get-AzureADMSDeletedGroup | Retrieves the soft-deleted groups in a directory.
Get-AzureADMSIdentityProvider | Retrieves the configured identity providers in the directory.
Get-AzureADMSNamedLocationPolicy | Gets an Azure Active Directory named location policy.
Get-AzureADMSPermissionGrantConditionSet | Gets an Azure Active Directory permission grant condition set by id.
Get-AzureADMSPermissionGrantPolicy | Gets a permission grant policy.
Get-AzureADMSServicePrincipalDelegatedPermissionClassification | Retrieves the delegated permission classification objects on a service principal.
Get-CrossCloudVerificationCode | Gets the verification code used to validate the ownership of the domain in another connected cloud. Important: only applies to a verified domain.
New-AzureADMSApplication | Creates (registers) a new application object.
New-AzureADMSApplicationExtensionProperty | Creates an extension property on an application object.
New-AzureADMSApplicationKey | Adds a new key to an application.
New-AzureADMSApplicationPassword | Adds a strong password to an application.
New-AzureADMSConditionalAccessPolicy | Creates a new conditional access policy in Azure Active Directory.
New-AzureADMSIdentityProvider | Configures a new identity provider in the directory.
New-AzureADMSNamedLocationPolicy | Creates a new named location policy in Azure Active Directory.
New-AzureADMSPermissionGrantConditionSet | Creates a new Azure Active Directory permission grant condition set in a given policy.
New-AzureADMSPermissionGrantPolicy | Creates a permission grant policy.
Remove-AzureADDeletedApplication | (no synopsis provided)
Remove-AzureADMSApplication | Deletes an application object.
Remove-AzureADMSApplicationExtensionProperty | Deletes an extension property from an application object.
Remove-AzureADMSApplicationKey | Removes a key from an application.
Remove-AzureADMSApplicationOwner | Removes an owner from an application object.
Remove-AzureADMSApplicationPassword | Removes a password from an application.
Remove-AzureADMSApplicationVerifiedPublisher | Removes the verified publisher from an application.
Remove-AzureADMSConditionalAccessPolicy | Deletes a conditional access policy in Azure Active Directory by Id.
Remove-AzureADMSDeletedDirectoryObject | Permanently deletes a previously deleted directory object.
Remove-AzureADMSIdentityProvider | Deletes an identity provider in the directory.
Remove-AzureADMSNamedLocationPolicy | Deletes an Azure Active Directory named location policy by PolicyId.
Remove-AzureADMSPermissionGrantConditionSet | Deletes an Azure Active Directory permission grant condition set by id.
Remove-AzureADMSPermissionGrantPolicy | Removes a permission grant policy.
Remove-AzureADMSServicePrincipalDelegatedPermissionClassification | Removes a delegated permission classification.
Restore-AzureADMSDeletedDirectoryObject | Restores a previously deleted object.
Set-AzureADMSAdministrativeUnit | Updates an administrative unit.
Set-AzureADMSApplication | Updates the properties of an application object.
Set-AzureADMSApplicationLogo | Sets the logo for an application object.
Set-AzureADMSApplicationVerifiedPublisher | Sets the verified publisher of an application to a verified Microsoft Partner Network (MPN) identifier.
Set-AzureADMSConditionalAccessPolicy | Updates a conditional access policy in Azure Active Directory by Id.
Set-AzureADMSIdentityProvider | Updates the properties of an existing identity provider configured in the directory.
Set-AzureADMSNamedLocationPolicy | Updates a named location policy in Azure Active Directory by PolicyId.
Set-AzureADMSPermissionGrantConditionSet | Updates an existing Azure Active Directory permission grant condition set.
Set-AzureADMSPermissionGrantPolicy | Updates a permission grant policy.
Certificate Authorities
Get-AzureADTrustedCertificateAuthority | Gets the trusted certificate authority.
New-AzureADTrustedCertificateAuthority | Creates a trusted certificate authority.
Remove-AzureADTrustedCertificateAuthority | Removes a trusted certificate authority.
Set-AzureADTrustedCertificateAuthority | Updates a trusted certificate authority.

Connect to your directory
Connect-AzureAD | Connects with an authenticated account to use Active Directory cmdlet requests.
Disconnect-AzureAD | Disconnects the current session from an Azure Active Directory tenant.

Contacts
Get-AzureADContact | Gets a contact from Azure Active Directory.
Get-AzureADContactDirectReport | Gets the direct reports for a contact.
Get-AzureADContactManager | Gets the manager of a contact.
Get-AzureADContactMembership | Gets a contact membership.
Get-AzureADContactThumbnailPhoto | Retrieves the thumbnail photo of a contact.
Remove-AzureADContact | Removes a contact.
Remove-AzureADContactManager | Removes a contact's manager.
Select-AzureADGroupIdsContactIsMemberOf | Gets groups in which a contact is a member.

Contracts
Get-AzureADContract | Gets a contract.

Deleted Objects
Restore-AzureADDeletedApplication | Restores a previously deleted application.

Devices
Add-AzureADDeviceRegisteredOwner | Adds a registered owner for a device.
Add-AzureADDeviceRegisteredUser | Adds a registered user for a device.
Get-AzureADDevice | Gets a device from Active Directory.
Get-AzureADDeviceConfiguration | Retrieves the device configuration object.
Get-AzureADDeviceRegisteredOwner | Gets the registered owner of a device.
Get-AzureADDeviceRegisteredUser | Gets a registered user.
New-AzureADDevice | Creates a device.
Remove-AzureADDevice | Deletes a device.
Remove-AzureADDeviceRegisteredOwner | Removes the registered owner of a device.
Remove-AzureADDeviceRegisteredUser | Removes a registered user from a device.
Set-AzureADDevice | Updates a device.

Directory
Get-AzureADSubscribedSku | Gets subscribed SKUs to Microsoft services.
Get-AzureADTenantDetail | Gets the details of a tenant.
Set-AzureADTenantDetail | Sets contact details for a tenant.

Directory Objects
Get-AzureADObjectByObjectId | Retrieves the object(s) specified by the objectIds parameter.

Directory Roles
Add-AzureADDirectoryRoleMember | Adds a member to a directory role.
Enable-AzureADDirectoryRole | Activates an existing directory role in Azure Active Directory.
Get-AzureADDirectoryRole | Gets a directory role.
Get-AzureADDirectoryRoleMember | Gets members of a directory role.
Get-AzureADDirectoryRoleTemplate | Gets directory role templates.
Get-AzureADMSRoleAssignment | Gets information about role assignments in Azure AD.
Get-AzureADMSRoleDefinition | Gets information about role definitions in Azure AD.
New-AzureADMSRoleAssignment | Creates an Azure AD role assignment.
New-AzureADMSRoleDefinition | Creates an Azure AD role definition.
Remove-AzureADDirectoryRoleMember | Removes a member of a directory role.
Remove-AzureADMSRoleAssignment | Removes an Azure AD role assignment.
Remove-AzureADMSRoleDefinition | Removes an Azure AD role definition.
Set-AzureADMSRoleDefinition | Updates an existing Azure AD role definition.

Domains
Confirm-AzureADDomain | Validates the ownership of a domain.
Get-AzureADDomain | Gets a domain.
Get-AzureADDomainNameReference | Retrieves the objects that are referenced by a given domain name.
Get-AzureADDomainServiceConfigurationRecord | Gets the domain's service configuration records from the serviceConfigurationRecords navigation property.
Get-AzureADDomainVerificationDnsRecord | Retrieves the domain verification DNS record for a domain.
New-AzureADDomain | Creates a domain.
Remove-AzureADDomain | Removes a domain.
Set-AzureADDomain | Updates a domain.
Extension Properties
Get-AzureADExtensionProperty | Gets extension properties registered with Azure AD.

Groups
Add-AzureADGroupMember | Adds a member to a group.
Add-AzureADGroupOwner | Adds an owner to a group.
Add-AzureADMSLifecyclePolicyGroup | Adds a group to a lifecycle policy.
Get-AzureADGroup | Gets a group (via AzureAD Graph).
Get-AzureADGroupAppRoleAssignment | Gets a group application role assignment.
Get-AzureADGroupMember | Gets a member of a group.
Get-AzureADGroupOwner | Gets an owner of a group.
Get-AzureADMSGroup | Gets information about groups in Azure AD (via MS Graph).
Get-AzureADMSGroupLifecyclePolicy | Retrieves the properties and relationships of a groupLifecyclePolicies object in Azure Active Directory. If you specify no parameters, this cmdlet gets all groupLifecyclePolicies.
Get-AzureADMSLifecyclePolicyGroup | Retrieves the lifecycle policy object to which a group belongs.
New-AzureADGroup | Creates a group.
New-AzureADGroupAppRoleAssignment | Assigns a group of users to an application role.
New-AzureADMSGroup | Creates an Azure AD group.
New-AzureADMSGroupLifecyclePolicy | Creates a new groupLifecyclePolicy.
Remove-AzureADGroup | Removes a group.
Remove-AzureADGroupAppRoleAssignment | Deletes a group application role assignment.
Remove-AzureADGroupMember | Removes a member from a group.
Remove-AzureADGroupOwner | Removes an owner from a group.
Remove-AzureADMSGroup | Removes an Azure AD group.
Remove-AzureADMSGroupLifecyclePolicy | Deletes a groupLifecyclePolicies object.
Remove-AzureADMSLifecyclePolicyGroup | Removes a group from a lifecycle policy.
Reset-AzureADMSLifeCycleGroup | Renews a group by updating the RenewedDateTime property on a group to the current DateTime.
Select-AzureADGroupIdsGroupIsMemberOf | Gets group IDs that a group is a member of.
Set-AzureADGroup | Updates a specific group in Azure Active Directory.
Set-AzureADMSGroup | Sets the properties for an existing Azure AD group.
Set-AzureADMSGroupLifecyclePolicy | Updates a specific group lifecycle policy in Azure Active Directory.

OAuth2
Get-AzureADOAuth2PermissionGrant | Gets OAuth2PermissionGrant entities.
Remove-AzureADOAuth2PermissionGrant | Removes an oAuth2PermissionGrant.

Policies
Get-AzureADMSAuthorizationPolicy | Gets an authorization policy, which represents a policy that can control Azure Active Directory authorization settings.
Set-AzureADMSAuthorizationPolicy | Updates an authorization policy, which represents a policy that can control Azure Active Directory authorization settings.
Service Principals
Add-AzureADServicePrincipalOwner | Adds an owner to a service principal.
Get-AzureADServiceAppRoleAssignedTo | Gets app role assignments for this app or service, granted to users, groups and other service principals.
Get-AzureADServiceAppRoleAssignment | Gets a service principal application role assignment.
Get-AzureADServicePrincipal | Gets a service principal.
Get-AzureADServicePrincipalCreatedObject | Gets objects created by a service principal.
Get-AzureADServicePrincipalKeyCredential | Gets key credentials for a service principal.
Get-AzureADServicePrincipalMembership | Gets a service principal membership.
Get-AzureADServicePrincipalOAuth2PermissionGrant | Gets an oAuth2PermissionGrant object.
Get-AzureADServicePrincipalOwnedObject | Gets an object owned by a service principal.
Get-AzureADServicePrincipalOwner | Gets the owner of a service principal.
Get-AzureADServicePrincipalPasswordCredential | Gets credentials for a service principal.
New-AzureADServiceAppRoleAssignment | Assigns an app role to a user, a group, or another service principal.
New-AzureADServicePrincipal | Creates a service principal.
New-AzureADServicePrincipalKeyCredential | Creates a new key credential for a service principal.
New-AzureADServicePrincipalPasswordCredential | Creates a password credential for a service principal.
Remove-AzureADServiceAppRoleAssignment | Removes a service principal application role assignment.
Remove-AzureADServicePrincipal | Removes a service principal.
Remove-AzureADServicePrincipalKeyCredential | Removes a key credential from a service principal.
Remove-AzureADServicePrincipalOwner | Removes an owner from a service principal.
Remove-AzureADServicePrincipalPasswordCredential | Removes a password credential from a service principal.
Select-AzureADGroupIdsServicePrincipalIsMemberOf | Selects the groups in which a service principal is a member.
Set-AzureADServicePrincipal | Updates a service principal.

Users
Get-AzureADUser | Gets a user.
Get-AzureADUserAppRoleAssignment | Gets a user application role assignment.
Get-AzureADUserCreatedObject | Gets objects created by the user.
Get-AzureADUserDirectReport | Gets the user's direct reports.
Get-AzureADUserExtension | Gets a user extension.
Get-AzureADUserLicenseDetail | Retrieves license details for a user.
Get-AzureADUserManager | Gets the manager of a user.
Get-AzureADUserMembership | Gets user memberships.
Get-AzureADUserOAuth2PermissionGrant | Gets an oAuth2PermissionGrant object.
Get-AzureADUserOwnedDevice | Gets registered devices owned by a user.
Get-AzureADUserOwnedObject | Gets objects owned by a user.
Get-AzureADUserRegisteredDevice | Gets devices registered by a user.
Get-AzureADUserThumbnailPhoto | Retrieves the thumbnail photo of a user.
New-AzureADMSInvitation | Invites a new external user to your directory.
New-AzureADUser | Creates an Azure AD user.
New-AzureADUserAppRoleAssignment | Assigns a user to an application role.
Remove-AzureADUser | Removes a user.
Remove-AzureADUserAppRoleAssignment | Removes a user application role assignment.
Remove-AzureADUserExtension | Removes a user extension.
Remove-AzureADUserManager | Removes a user's manager.
Revoke-AzureADSignedInUserAllRefreshToken | Invalidates the refresh tokens issued to applications for the current user.
Revoke-AzureADUserAllRefreshToken | Invalidates the refresh tokens issued to applications for a user.
Select-AzureADGroupIdsUserIsMemberOf | Selects the groups that a user is a member of.
Set-AzureADUser | Updates a user.
Set-AzureADUserExtension | Sets a user extension.
Set-AzureADUserLicense | Adds or removes licenses for a Microsoft online service to the list of assigned licenses for a user. Note: the Set-AzureADUserLicense cmdlet is deprecated. Learn how to assign licenses with Microsoft Graph PowerShell; for more information, see the Assign License Microsoft Graph API.
Set-AzureADUserManager | Updates a user's manager.
Set-AzureADUserPassword | Sets the password of a user.
Set-AzureADUserThumbnailPhoto | Sets the thumbnail photo for a user.
Update-AzureADSignedInUserPassword | Updates the password for the signed-in user.
directoryRole resource type
Article • 07/28/2022 • 2 minutes to read
Namespace: [Link]
Represents an Azure AD directory role. Azure AD directory roles are also known as
administrator roles. For more information about directory (administrator) roles, see
Assigning administrator roles in Azure AD. With Microsoft Graph, you can assign
users to directory roles to grant them the permissions of the target role. Before a
directory role can be read or its members updated, it must first be activated in the tenant.
Only the Company Administrators directory role is activated by default. To activate other
available directory roles, send a POST request with the ID of the directoryRoleTemplate on
which the directory role is based. List directory role templates to get all the other
available directory roles. Inherits from directoryObject.
This resource supports:
Using delta query to track incremental additions, deletions, and updates, by
providing a delta function.
Methods
Method | Return type | Description
Get directoryRole | directoryRole | Read properties and relationships of a directoryRole object.
List directoryRoles | directoryRole collection | List the directory roles that are activated in the tenant.
Add member | directoryObject | Add a user to the directory role by posting to the members navigation property.
List members | directoryObject collection | Get the users that are members of the directory role from the members navigation property.
Remove a member | directoryObject | Remove a user from the directory role.
Activate directoryRole | directoryRole | Activate a directory role.
List scopedMembers | scopedRoleMembership collection | List the members of this directory role that are scoped to administrative units, through the scopedRoleMembership resource collection.
delta | directoryRole collection | Get incremental changes for directory roles.
Properties
Property | Type | Description
description | String | The description for the directory role. Read-only. Supports $filter (eq), $search, $select.
displayName | String | The display name for the directory role. Read-only. Supports $filter (eq), $search, $select.
id | String | The unique identifier for the directory role. Inherited from directoryObject. Key, not nullable, read-only. Supports $filter (eq), $select.
roleTemplateId | String | The id of the directoryRoleTemplate that this role is based on. The property must be specified when activating a directory role in a tenant with a POST operation. After the directory role has been activated, the property is read-only. Supports $filter (eq), $select.
Relationships
Relationship | Type | Description
members | directoryObject collection | Users that are members of this directory role. HTTP methods: GET, POST, DELETE. Read-only. Nullable. Supports $expand.
scopedMembers | scopedRoleMembership collection | Members of this directory role that are scoped to administrative units. Read-only. Nullable.
JSON representation
Here is a JSON representation of the resource.
JSON
{
"description": "string",
"displayName": "string",
"id": "string (identifier)",
"roleTemplateId": "string"
}
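The activation, add-member and list-members operations described above, as an added example that is not part of the Microsoft Graph documentation: it builds the two request bodies the page describes (activation by roleTemplateId, adding a member through the members navigation property) and turns a GET /directoryRoles?$expand=members response into a membership report for privileged roles. The sample response and the template ids (tmpl-...) are constructed placeholders, not real Azure AD values.

```python
"""Audit helpers for the directoryRole resource (added example, not Microsoft's code)."""
import json

GRAPH = "https://graph.microsoft.com/v1.0"


def activation_request(role_template_id):
    """Request that activates a role: POST /directoryRoles with the template id."""
    return {"method": "POST", "url": f"{GRAPH}/directoryRoles",
            "body": {"roleTemplateId": role_template_id}}


def add_member_request(role_id, directory_object_id):
    """Request that adds a member by posting a $ref to the members navigation property."""
    return {"method": "POST",
            "url": f"{GRAPH}/directoryRoles/{role_id}/members/$ref",
            "body": {"@odata.id": f"{GRAPH}/directoryObjects/{directory_object_id}"}}


def privileged_role_report(list_response, privileged_templates):
    """Summarise who holds each privileged role.

    list_response is the JSON of GET /directoryRoles?$expand=members;
    privileged_templates maps roleTemplateId -> label. A template with no
    activated role is reported as 'not activated': the page notes that a
    role must be activated before it can be read, so its absence from the
    list is expected, not an error.
    """
    by_template = {r["roleTemplateId"]: r for r in list_response.get("value", [])}
    report = []
    for template_id, label in privileged_templates.items():
        role = by_template.get(template_id)
        if role is None:
            report.append({"label": label, "status": "not activated", "members": []})
            continue
        members = role.get("members", [])
        # Workload identities holding an admin role deserve a separate review line.
        service_principals = [m["id"] for m in members
                              if m.get("@odata.type") == "#microsoft.graph.servicePrincipal"]
        report.append({"label": label, "status": "activated", "role_id": role["id"],
                       "members": sorted(m["id"] for m in members),
                       "service_principals": service_principals})
    return report


# Constructed sample response shaped like GET /directoryRoles?$expand=members.
SAMPLE_RESPONSE = json.loads("""{
  "value": [
    {"id": "role-0001", "displayName": "Company Administrator",
     "description": "constructed", "roleTemplateId": "tmpl-company-admin",
     "members": [
       {"@odata.type": "#microsoft.graph.user", "id": "user-alice"},
       {"@odata.type": "#microsoft.graph.servicePrincipal", "id": "sp-automation"}
     ]},
    {"id": "role-0002", "displayName": "Helpdesk Administrator",
     "description": "constructed", "roleTemplateId": "tmpl-helpdesk", "members": []}
  ]
}""")

# Placeholder template ids; in a real tenant take them from List directory role templates.
PRIVILEGED = {"tmpl-company-admin": "Company Administrator",
              "tmpl-priv-role-admin": "Privileged Role Administrator"}

if __name__ == "__main__":
    for row in privileged_role_report(SAMPLE_RESPONSE, PRIVILEGED):
        print(row)
    print(activation_request("tmpl-priv-role-admin"))
    print(add_member_request("role-0001", "user-bob"))
```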