Administrator role permissions in Azure Active Directory
Using Azure Active Directory (Azure AD), you can designate limited administrators to manage identity tasks in less-privileged roles. Administrators can be assigned for such purposes as adding or changing users, assigning administrative roles, resetting user passwords, managing user licenses, and managing domain names. The default user permissions can be changed only in user settings in Azure AD.
Limit use of Global administrator
Users who are assigned to the Global administrator role can read and modify every administrative setting in your Azure AD organization. By default, when a user signs up for a Microsoft cloud service, an Azure AD tenant is created and the user is made a member of the Global Administrators role. When you add a subscription to an existing tenant, you aren't assigned to the Global Administrator role. Only Global administrators and Privileged Role administrators can delegate administrator roles. To reduce the risk to your business, we recommend that you assign this role to the fewest possible people in your organization.
As a best practice, we recommend that you assign this role to fewer than five people in your organization. If you have more than five admins assigned to the Global Administrator role in your organization, here are some ways to reduce its use.
Find the role you need
If it's frustrating for you to find the role you need out of a list of many roles, Azure AD can show you subsets of the roles based on role categories. Check out our new Type filter for Azure AD Roles and administrators to show you only the roles in the selected type.
A role exists now that didn't exist when you assigned the Global administrator role
It's possible that a role or roles were added to Azure AD that provide more granular permissions that were not an option when you elevated some users to Global administrator. Over time, we are rolling out additional roles that accomplish tasks that only the Global administrator role could do before. You can see these reflected in the following Available roles.
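Before reducing the number of Global Administrators, you need to know who currently holds the role. The following script is an added example and not part of the original article: it lists the direct members of the Global Administrator role with the Microsoft Graph PowerShell SDK (the article itself refers to the older Azure AD PowerShell module) and warns when the tenant exceeds the recommended limit of five. It assumes the Microsoft.Graph module is installed and that the caller holds a role that can read role membership (Global Reader is enough); the role template ID it uses is the well-known, tenant-independent value for Global Administrator.

```powershell
# Added example, not part of the original article: list the direct members of the
# Global Administrator role with the Microsoft Graph PowerShell SDK and warn when
# the tenant exceeds the recommended limit of five.
# Assumptions: the Microsoft.Graph module is installed, and the caller holds a role
# that may read role membership (Global Reader is sufficient).
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory'

# Tenant-independent template ID of the Global Administrator role.
$globalAdminTemplateId = '62e90394-69f5-4237-9190-012177145e10'

$role = Get-MgDirectoryRole -Filter "roleTemplateId eq '$globalAdminTemplateId'"
if (-not $role) {
    throw 'Global Administrator role not returned; check that the caller may read directory roles.'
}

# /directoryRoles/{id}/members returns directoryObjects; type-specific fields such as
# userPrincipalName arrive in AdditionalProperties rather than as typed properties.
$members = @(Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All)

$report = foreach ($m in $members) {
    $p    = $m.AdditionalProperties
    $type = ([string]$p['@odata.type']) -replace '^#microsoft\.graph\.', ''
    $id   = if ($type -eq 'user') { $p['userPrincipalName'] } else { $p['appId'] }
    [pscustomobject]@{
        Type       = $type          # user, servicePrincipal or group
        Name       = $p['displayName']
        Identifier = $id
        ObjectId   = $m.Id
    }
}
$report | Sort-Object Type, Name | Format-Table -AutoSize

if ($members.Count -gt 5) {
    Write-Warning "$($members.Count) principals hold Global Administrator; the article recommends fewer than five."
}
```

Only direct members are returned by this endpoint: a role-assignable group appears as a single `group` row (expand it with `Get-MgGroupMember`), and Privileged Identity Management eligible assignments that have not been activated are not listed at all, so a PIM-enabled tenant also needs to be reviewed in PIM.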
Assign or remove administrator roles
To learn how to assign administrative roles to a user in Azure Active Directory, see View and assign administrator roles in Azure Active Directory.
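As an added example (not from the original article), the following Microsoft Graph PowerShell SDK script assigns a user to a limited role and then removes the assignment again. The user principal name alice@contoso.com and the role name are placeholders; the script assumes the Microsoft.Graph module is installed and that the caller is a Global Administrator or Privileged Role Administrator, the only roles the article says can delegate roles. If your tenant uses Privileged Identity Management, create the assignment there instead, as the note below says.

```powershell
# Added example, not part of the original article: assign a user to a limited
# administrator role and remove the assignment, using the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph module installed; caller is a Global Administrator or
# Privileged Role Administrator; 'alice@contoso.com' and the role name are placeholders.
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'User.Read.All'

function Get-ActivatedDirectoryRole {
    param([Parameter(Mandatory)][string]$DisplayName)
    # A role exists in the tenant as a template only until it is first used;
    # /directoryRoles lists activated roles, so activate the template if needed.
    $template = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq $DisplayName
    if (-not $template) { throw "No role template named '$DisplayName'" }
    $role = Get-MgDirectoryRole -Filter "roleTemplateId eq '$($template.Id)'"
    if (-not $role) { $role = New-MgDirectoryRole -RoleTemplateId $template.Id }
    return $role
}

$user = Get-MgUser -UserId 'alice@contoso.com'            # placeholder UPN
$role = Get-ActivatedDirectoryRole -DisplayName 'Helpdesk Administrator'

# Assign: POST /directoryRoles/{id}/members/$ref with the user's directoryObject URL.
New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -BodyParameter @{
    '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)"
}

# Verify the membership before relying on it.
$assigned = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All |
    Where-Object Id -eq $user.Id
if ($assigned) { "Assigned $($user.UserPrincipalName) to $($role.DisplayName)" }

# Remove: DELETE /directoryRoles/{id}/members/{userId}/$ref
Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -DirectoryObjectId $user.Id
```

Looking the role up by display name rather than by a hard-coded template ID keeps the script readable, but note that a few roles carry different names in the Microsoft Graph API and in the Azure portal (the notes under individual roles below list them), so match on the name the API returns.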
Note
If you have an Azure AD Premium P2 license and you're already a Privileged Identity Management (PIM) user, all role management tasks are performed in Privileged Identity Management and not in Azure AD.
Available roles
The following administrator roles are available:
Application Administrator
Users in this role can create and manage all aspects of enterprise applications, application registrations, and application proxy settings. Note that users assigned to this role are not added as owners when creating new application registrations or enterprise applications.
This role also grants the ability to consent to delegated permissions and application permissions, with the exception of application permissions on the Microsoft Graph API.
Important
This exception means that you can still consent to permissions for other apps (for example, non-Microsoft apps or apps that you have registered), but not to permissions on Azure AD itself. You can still request these permissions as part of the app registration, but granting (that is, consenting to) these permissions requires an Azure AD admin. This means that a malicious user cannot easily elevate their permissions, for example by creating and consenting to an app that can write to the entire directory and through that app's permissions elevate themselves to become a global admin.
This role grants the ability to manage application credentials. Users assigned this role can add credentials to an application, and use those credentials to impersonate the application’s identity. If the application’s identity has been granted access to a resource, such as the ability to create or update User or other objects, then a user assigned to this role could perform those actions while impersonating the application. This ability to impersonate the application’s identity may be an elevation of privilege over what the user can do via their role assignments. It is important to understand that assigning a user to the Application Administrator role gives them the ability to impersonate an application’s identity.
Application Developer
Users in this role can create application registrations when the "Users can register applications" setting is set to No. This role also grants permission to consent on one's own behalf when the "Users can consent to apps accessing company data on their behalf" setting is set to No. Users assigned to this role are added as owners when creating new application registrations or enterprise applications.
Authentication Administrator
Users with this role can set or reset non-password credentials for some users and can update passwords for all users. Authentication Administrators can require users who are non-administrators or assigned to some roles to re-register against existing non-password credentials (for example, MFA or FIDO), and can also revoke "remember multi-factor authentication on this device", which prompts for MFA on the next sign-in. These actions apply only to users who are non-administrators or who are assigned one or more of the following roles:
- Authentication Administrator
- Directory Readers
- Guest Inviter
- Message Center Reader
- Reports Reader
The Privileged Authentication Administrator role can force re-registration and multi-factor authentication for all users, including administrators.
Important
Users with this role can change credentials for people who may have access to sensitive or private information or critical configuration inside and outside of Azure Active Directory. Changing the credentials of a user may mean the ability to assume that user's identity and permissions. For example:
- Application Registration and Enterprise Application owners, who can manage credentials of apps they own. Those apps may have privileged permissions in Azure AD and elsewhere not granted to Authentication Administrators. Through this path an Authentication Administrator may be able to assume the identity of an application owner and then further assume the identity of a privileged application by updating the credentials for the application.
- Azure subscription owners, who may have access to sensitive or private information or critical configuration in Azure.
- Security Group and Microsoft 365 group owners, who can manage group membership. Those groups may grant access to sensitive or private information or critical configuration in Azure AD and elsewhere.
- Administrators in other services outside of Azure AD like Exchange Online, Office Security and Compliance Center, and human resources systems.
- Non-administrators like executives, legal counsel, and human resources employees who may have access to sensitive or private information.
Attack Payload Author
Users in this role can create attack payloads but not actually launch or schedule them. Attack payloads are then available to all administrators in the tenant who can use them to create a simulation.
Attack Simulation Administrator
Users in this role can create and manage all aspects of attack simulation creation, launch/scheduling of a simulation, and the review of simulation results. Members of this role have this access for all simulations in the tenant.
Azure DevOps Administrator
Users with this role can manage the Azure DevOps policy to restrict new Azure DevOps organization creation to a set of configurable users or groups. Users in this role can manage this policy through any Azure DevOps organization that is backed by the company's Azure AD organization. This role grants no other Azure DevOps-specific permissions (for example, Project Collection Administrators) inside any of the Azure DevOps organizations backed by the company's Azure AD organization.
All enterprise Azure DevOps policies can be managed by users in this role.
Azure Information Protection Administrator
Users with this role have all permissions in the Azure Information Protection service. This role allows configuring labels for the Azure Information Protection policy, managing protection templates, and activating protection. This role does not grant any permissions in Identity Protection Center, Privileged Identity Management, Monitor Microsoft 365 Service Health, or Office 365 Security & Compliance Center.
B2C IEF Keyset Administrator
Users in this role can create and manage policy keys and secrets for token encryption, token signatures, and claim encryption/decryption. By adding new keys to existing key containers, this limited administrator can roll over secrets as needed without impacting existing applications. This user can see the full content of these secrets and their expiration dates even after their creation.
Important
This is a sensitive role. The keyset administrator role should be carefully audited and assigned with care during pre-production and production.
B2C IEF Policy Administrator
Users in this role have the ability to create, read, update, and delete all custom policies in Azure AD B2C and therefore have full control over the Identity Experience Framework in the relevant Azure AD B2C organization. By editing policies, this user can establish direct federation with external identity providers, change the directory schema, change all user-facing content (HTML, CSS, JavaScript), change the requirements to complete an authentication, create new users, send user data to external systems including full migrations, and edit all user information including sensitive fields like passwords and phone numbers. Conversely, this role cannot change the encryption keys or edit the secrets used for federation in the organization.
Important
The B2C IEF Policy Administrator is a highly sensitive role which should be assigned on a very limited basis for organizations in production. Activities by these users should be closely audited, especially for organizations in production.
Billing Administrator
Makes purchases, manages subscriptions, manages support tickets, and monitors service health.
Cloud Application Administrator
Users in this role have the same permissions as the Application Administrator role, excluding the ability to manage application proxy. This role grants the ability to create and manage all aspects of enterprise applications and application registrations. This role also grants the ability to consent to delegated permissions, and application permissions excluding Microsoft Graph and Azure AD Graph. Users assigned to this role are not added as owners when creating new application registrations or enterprise applications.
Important
This role grants the ability to manage application credentials. Users assigned this role can add credentials to an application, and use those credentials to impersonate the application’s identity. If the application’s identity has been granted access to a resource, such as the ability to create or update User or other objects, then a user assigned to this role could perform those actions while impersonating the application. This ability to impersonate the application’s identity may be an elevation of privilege over what the user can do via their role assignments. It is important to understand that assigning a user to the Cloud Application Administrator role gives them the ability to impersonate an application’s identity.
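Both the Application Administrator and Cloud Application Administrator sections warn that adding a credential to an application is an impersonation path. The following script is an added example, not part of the original article: it uses the Microsoft Graph PowerShell SDK to find the applications in the tenant that hold high-privilege application permissions on Microsoft Graph, which are exactly the apps for which a newly added secret would hand the administrator directory-writing power beyond their own role. The $highRisk permission list is this example's own selection; the script assumes the Microsoft.Graph module is installed and that the caller has Application.Read.All.

```powershell
# Added example, not part of the original article: list applications that hold
# high-privilege *application* permissions on Microsoft Graph. Anyone holding
# Application Administrator or Cloud Application Administrator can add a credential
# to such an app and act as it, so these apps are where credential and owner changes
# deserve the closest scrutiny. Uses the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph module installed; caller can read service principals
# and applications; the $highRisk list is this example's choice, extend it as needed.
Connect-MgGraph -Scopes 'Application.Read.All'

# Well-known appId of the Microsoft Graph resource service principal (same in every tenant).
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# Map Graph's appRole IDs to permission names such as Directory.ReadWrite.All.
$permissionName = @{}
foreach ($r in $graphSp.AppRoles) { $permissionName[[string]$r.Id] = $r.Value }

# Application permissions that write identity or authorization data in the directory.
$highRisk = @(
    'RoleManagement.ReadWrite.Directory', 'Directory.ReadWrite.All',
    'AppRoleAssignment.ReadWrite.All',    'Application.ReadWrite.All',
    'User.ReadWrite.All',                 'Group.ReadWrite.All'
)

# appRoleAssignedTo on the Graph SP enumerates every principal granted an app role on it.
$grants = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All

$findings = foreach ($g in $grants) {
    if ($g.PrincipalType -ne 'ServicePrincipal') { continue }
    $perm = $permissionName[[string]$g.AppRoleId]
    if ($perm -notin $highRisk) { continue }

    $sp = Get-MgServicePrincipal -ServicePrincipalId $g.PrincipalId
    # Credentials can live on the service principal or on the app registration (the
    # latter is absent for multi-tenant apps registered in another tenant); count both.
    $app = Get-MgApplication -Filter "appId eq '$($sp.AppId)'"
    $credentialCount = ($sp.PasswordCredentials | Measure-Object).Count +
                       ($sp.KeyCredentials      | Measure-Object).Count
    if ($app) {
        $credentialCount += ($app.PasswordCredentials | Measure-Object).Count +
                            ($app.KeyCredentials      | Measure-Object).Count
    }

    $owners = Get-MgServicePrincipalOwner -ServicePrincipalId $sp.Id -All |
        ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }

    [pscustomobject]@{
        Application = $sp.DisplayName
        AppId       = $sp.AppId
        Permission  = $perm
        Credentials = $credentialCount
        Owners      = ($owners -join '; ')
    }
}
$findings | Sort-Object Application, Permission | Format-Table -AutoSize
```

Each row is an application whose identity already carries the power described above; the Owners column tells you which individual users can add credentials to it even without an administrator role, and a non-zero Credentials count on an app that should use managed identity or certificate-only authentication is worth a follow-up.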
Cloud Device Administrator
Users in this role can enable, disable, and delete devices in Azure AD and read Windows 10 BitLocker keys (if present) in the Azure portal. The role does not grant permissions to manage any other properties on the device.
Compliance Administrator
Users with this role have permissions to manage compliance-related features in the Microsoft 365 compliance center, Microsoft 365 admin center, Azure, and Office 365 Security & Compliance Center. Assignees can also manage all features within the Exchange admin center and Teams & Skype for Business admin centers and create support tickets for Azure and Microsoft 365. More information is available at About Microsoft 365 admin roles.
| In | Can do |
|---|---|
| Microsoft 365 compliance center | Protect and manage your organization's data across Microsoft 365 services; manage compliance alerts |
| Compliance Manager | Track, assign, and verify your organization's regulatory compliance activities |
| Office 365 Security & Compliance Center | Manage data governance; perform legal and data investigation; manage Data Subject Requests. This role has the same permissions as the Compliance Administrator RoleGroup in Office 365 Security & Compliance Center role-based access control. |
| Intune | View all Intune audit data |
| Cloud App Security | Read-only permissions, plus the ability to manage alerts; can create and modify file policies and allow file governance actions; can view all the built-in reports under Data Management |
Compliance Data Administrator
Users with this role have permissions to track data in the Microsoft 365 compliance center, Microsoft 365 admin center, and Azure. Users can also track compliance data within the Exchange admin center, Compliance Manager, and Teams & Skype for Business admin center and create support tickets for Azure and Microsoft 365. This documentation has details on differences between Compliance Administrator and Compliance Data Administrator.
| In | Can do |
|---|---|
| Microsoft 365 compliance center | Monitor compliance-related policies across Microsoft 365 services; manage compliance alerts |
| Compliance Manager | Track, assign, and verify your organization's regulatory compliance activities |
| Office 365 Security & Compliance Center | Manage data governance; perform legal and data investigation; manage Data Subject Requests. This role has the same permissions as the Compliance Data Administrator RoleGroup in Office 365 Security & Compliance Center role-based access control. |
| Intune | View all Intune audit data |
| Cloud App Security | Read-only permissions, plus the ability to manage alerts; can create and modify file policies and allow file governance actions; can view all the built-in reports under Data Management |
Conditional Access Administrator
Users with this role have the ability to manage Azure Active Directory Conditional Access settings.
Customer Lockbox access approver
Manages Customer Lockbox requests in your organization. They receive email notifications for Customer Lockbox requests and can approve and deny requests from the Microsoft 365 admin center. They can also turn the Customer Lockbox feature on or off. Only global admins can reset the passwords of people assigned to this role.
Desktop Analytics Administrator
Users in this role can manage the Desktop Analytics and Office Customization & Policy services. For Desktop Analytics, this includes the ability to view asset inventory, create deployment plans, view deployment and health status. For Office Customization & Policy service, this role enables users to manage Office policies.
Device Administrators
This role is available for assignment only as an additional local administrator in Device settings. Users with this role become local machine administrators on all Windows 10 devices that are joined to Azure Active Directory. They do not have the ability to manage device objects in Azure Active Directory.
Directory Readers
Users in this role can read basic directory information. This role should be used for:
- Granting a specific set of guest users read access instead of granting it to all guest users.
- Granting a specific set of non-admin users access to Azure portal when "Restrict access to Azure AD portal to admins only" is set to "Yes".
- Granting service principals access to directory where Directory.Read.All is not an option.
Directory Synchronization Accounts
Do not use. This role is automatically assigned to the Azure AD Connect service, and is not intended or supported for any other use.
Directory Writers
Users in this role can read and update basic information of users, groups, and service principals. Assign this role only to applications that don’t support the Consent Framework. It should not be assigned to any users.
Dynamics 365 administrator / CRM Administrator
Users with this role have global permissions within Microsoft Dynamics 365 Online, when the service is present, as well as the ability to manage support tickets and monitor service health. More information at Use the service admin role to manage your Azure AD organization.
Note
In the Microsoft Graph API and Azure AD PowerShell, this role is identified as "Dynamics 365 Service Administrator." It is "Dynamics 365 Administrator" in the Azure portal.
Exchange Administrator
Users with this role have global permissions within Microsoft Exchange Online, when the service is present. Also has the ability to create and manage all Microsoft 365 groups, manage support tickets, and monitor service health. More information at About Microsoft 365 admin roles.
Note
In the Microsoft Graph API and Azure AD PowerShell, this role is identified as "Exchange Service Administrator." It is "Exchange Administrator" in the Azure portal. It is "Exchange Online administrator" in the Exchange admin center.
External ID User Flow Administrator
Users with this role can create and manage user flows (also called "built-in" policies) in the Azure portal. These users can customize HTML/CSS/JavaScript content, change MFA requirements, select claims in the token, manage API connectors, and configure session settings for all user flows in the Azure AD organization. On the other hand, this role does not include the ability to review user data or make changes to the attributes that are included in the organization schema. Changes to Identity Experience Framework policies (also known as custom policies) are also outside the scope of this role.
External ID User Flow Attribute Administrator
Users with this role add or delete custom attributes available to all user flows in the Azure AD organization. As such, users with this role can change or add new elements to the end-user schema and impact the behavior of all user flows and indirectly result in changes to what data may be asked of end users and ultimately sent as claims to applications. This role cannot edit user flows.
External Identity Provider Administrator
This administrator manages federation between Azure AD organizations and external identity providers. With this role, users can add new identity providers and configure all available settings (e.g. authentication path, service ID, assigned key containers). This user can enable the Azure AD organization to trust authentications from external identity providers. The resulting impact on end-user experiences depends on the type of organization:
- Azure AD organizations for employees and partners: The addition of a federation (e.g. with Gmail) will immediately impact all guest invitations not yet redeemed. See Adding Google as an identity provider for B2B guest users.
- Azure Active Directory B2C organizations: The addition of a federation (for example, with Facebook, or with another Azure AD organization) does not immediately impact end-user flows until the identity provider is added as an option in a user flow (also called a built-in policy). See Configuring a Microsoft account as an identity provider for an example. To change user flows, the limited role of "B2C User Flow Administrator" is required.
Global Administrator / Company Administrator
Users with this role have access to all administrative features in Azure Active Directory, as well as services that use Azure Active Directory identities like Microsoft 365 security center, Microsoft 365 compliance center, Exchange Online, SharePoint Online, and Skype for Business Online. Furthermore, Global Admins can elevate their access to manage all Azure subscriptions and management groups. This allows Global Admins to get full access to all Azure resources using the respective Azure AD Tenant. The person who signs up for the Azure AD organization becomes a global administrator. There can be more than one global administrator at your company. Global admins can reset the password for any user and all other administrators.
Note
In the Microsoft Graph API and Azure AD PowerShell, this role is identified as "Company Administrator". It is "Global Administrator" in the Azure portal.
Global Reader
Users in this role can read settings and administrative information across Microsoft 365 services but can't take management actions. Global Reader is the read-only counterpart to Global Administrator. Assign Global Reader instead of Global Administrator for planning, audits, or investigations. Use Global Reader in combination with other limited admin roles like Exchange Administrator to make it easier to get work done without assigning the Global Administrator role. Global Reader works with the Microsoft 365 admin center, Exchange admin center, SharePoint admin center, Teams admin center, Security center, Compliance center, Azure AD admin center, and Device Management admin center.
Note
Global reader role has a few limitations right now -
- OneDrive admin center - OneDrive admin center does not support the Global reader role
- M365 admin center - Global reader can't read customer lockbox requests. You won't find the Customer lockbox requests tab under Support in the left pane of M365 Admin Center.
- Office Security & Compliance Center - Global reader can't read SCC audit logs, do content search, or see Secure Score.
- Teams admin center - Global reader cannot read Teams lifecycle, Analytics & reports, IP phone device management and App catalog.
- Privileged Access Management (PAM) doesn't support the Global reader role.
- Azure Information Protection - Global reader is supported for central reporting only, and when your Azure AD organization isn't on the unified labeling platform.
These features are currently in development.
Groups Administrator
Users in this role can create and manage groups and their settings, such as naming and expiration policies. It is important to understand that assigning a user to this role gives them the ability to manage all groups in the organization across workloads like Teams, SharePoint, and Yammer, in addition to Outlook. The user can also manage group settings across the various admin portals: the Microsoft 365 admin center, the Azure portal, and workload-specific ones like the Teams and SharePoint admin centers.
Guest Inviter
Users in this role can manage Azure Active Directory B2B guest user invitations when the "Members can invite" user setting is set to No. More information about B2B collaboration at About Azure AD B2B collaboration. It does not include any other permissions.
Helpdesk Administrator
Users with this role can change passwords, invalidate refresh tokens, manage service requests, and monitor service health. Invalidating a refresh token forces the user to sign in again. Helpdesk administrators can reset passwords and invalidate refresh tokens of other users who are non-administrators or assigned the following roles only:
- Directory Readers
- Guest Inviter
- Helpdesk Administrator
- Message Center Reader
- Password Administrator
- Reports Reader
Important
Users with this role can change passwords for people who may have access to sensitive or private information or critical configuration inside and outside of Azure Active Directory. Changing the password of a user may mean the ability to assume that user's identity and permissions. For example:
- Application Registration and Enterprise Application owners, who can manage credentials of apps they own. Those apps may have privileged permissions in Azure AD and elsewhere not granted to Helpdesk Administrators. Through this path a Helpdesk Administrator may be able to assume the identity of an application owner and then further assume the identity of a privileged application by updating the credentials for the application.
- Azure subscription owners, who might have access to sensitive or private information or critical configuration in Azure.
- Security Group and Microsoft 365 group owners, who can manage group membership. Those groups may grant access to sensitive or private information or critical configuration in Azure AD and elsewhere.
- Administrators in other services outside of Azure AD like Exchange Online, Office Security and Compliance Center, and human resources systems.
- Non-administrators like executives, legal counsel, and human resources employees who may have access to sensitive or private information.
Delegating administrative permissions over subsets of users and applying policies to a subset of users is possible with Administrative Units (now in public preview).
This role was previously called "Password Administrator" in the Azure portal. The "Helpdesk Administrator" name in Azure AD now matches its name in Azure AD PowerShell and the Microsoft Graph API.
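The escalation path described above for Authentication Administrators and Helpdesk Administrators (reset an application owner's password, sign in as that owner, then add credentials to the owned application) can be checked for. The following script is an added example, not part of the original article: it uses the Microsoft Graph PowerShell SDK and the list of roles from the Helpdesk Administrator section to find application owners whose passwords a Helpdesk Administrator is allowed to reset. It assumes the Microsoft.Graph module is installed and that the caller can read role membership and applications.

```powershell
# Added example, not part of the original article: find application owners whose
# password a Helpdesk Administrator may reset. Such an owner can be taken over and
# used to add credentials to the owned application, the path the article describes.
# Assumptions: Microsoft.Graph module installed; caller can read directory roles and
# applications. Azure subscription owners and group owners are not covered here.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Application.Read.All'

# Roles whose members a Helpdesk Administrator may still reset (list from this article).
$resettableRoles = @(
    'Directory Readers', 'Guest Inviter', 'Helpdesk Administrator',
    'Message Center Reader', 'Password Administrator', 'Reports Reader'
)

# Users holding at least one role *outside* that list are protected from Helpdesk resets.
$protectedUsers = [System.Collections.Generic.HashSet[string]]::new()
foreach ($role in Get-MgDirectoryRole -All) {
    if ($role.DisplayName -in $resettableRoles) { continue }
    foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        if ($m.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user') {
            [void]$protectedUsers.Add($m.Id)
        }
    }
}

# Every user who owns an app registration and is not protected is a reset-to-app-credential path.
$findings = foreach ($app in Get-MgApplication -All) {
    foreach ($o in Get-MgApplicationOwner -ApplicationId $app.Id -All) {
        if ($o.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }
        if ($protectedUsers.Contains($o.Id)) { continue }
        [pscustomobject]@{
            Application = $app.DisplayName
            AppId       = $app.AppId
            Owner       = $o.AdditionalProperties['userPrincipalName']
            Credentials = ($app.PasswordCredentials | Measure-Object).Count +
                          ($app.KeyCredentials      | Measure-Object).Count
        }
    }
}
$findings | Sort-Object Application, Owner | Format-Table -AutoSize
```

The protected set is built from directly activated role memberships only; users who receive a role through a role-assignable group or an eligible PIM assignment will not be recognised as protected and will show up in the output, so treat the list as a starting point for review rather than a verdict.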
Hybrid Identity Administrator
Users in this role can create, manage, and deploy the provisioning configuration from Active Directory to Azure AD using cloud provisioning, and can manage federation settings. Users can also troubleshoot and monitor logs using this role.
Insights Administrator
Users in this role can access the full set of administrative capabilities in the M365 Insights application. This role has the ability to read directory information, monitor service health, file support tickets, and access the Insights admin settings aspects.
Insights Business Leader
Users in this role can access a set of dashboards and insights via the M365 Insights application. This includes full access to all dashboards and presented insights and data exploration functionality. Users in this role do not have access to product configuration settings, which is the responsibility of the Insights Admin role.
Intune Administrator
Users with this role have global permissions within Microsoft Intune Online, when the service is present. Additionally, this role contains the ability to manage users and devices in order to associate policy, as well as create and manage groups. More information at Role-based administration control (RBAC) with Microsoft Intune.
This role can create and manage all security groups. However, Intune Administrators do not have admin rights over Office 365 groups: they cannot update the owners or membership of Office 365 groups across the organization. They can manage the Office 365 groups they create themselves, which is part of their end-user privileges, so any Office 365 group (not security group) they create counts against their quota of 250.
Note
In the Microsoft Graph API and Azure AD PowerShell, this role is identified as "Intune Service Administrator." It is "Intune Administrator" in the Azure portal.
Kaizala Administrator
Users with this role have global permissions to manage settings within Microsoft Kaizala, when the service is present, as well as the ability to manage support tickets and monitor service health. Additionally, the user can access reports related to adoption & usage of Kaizala by Organization members and business reports generated using the Kaizala actions.
License Administrator
Users in this role can add, remove, and update license assignments on users, groups (using group-based licensing), and manage the usage location on users. The role does not grant the ability to purchase or manage subscriptions, create or manage groups, or create or manage users beyond the usage location. This role has no access to view, create, or manage support tickets.
Message Center Privacy Reader
Users in this role can monitor all notifications in the Message Center, including data privacy messages. Message Center Privacy Readers get email notifications including those related to data privacy and they can unsubscribe using Message Center Preferences. Only the Global Administrator and the Message Center Privacy Reader can read data privacy messages. Additionally, this role contains the ability to view groups, domains, and subscriptions. This role has no permission to view, create, or manage service requests.
Message Center Reader
Users in this role can monitor notifications and advisory health updates in Message center for their organization on configured services such as Exchange, Intune, and Microsoft Teams. Message Center Readers receive weekly email digests of posts, updates, and can share message center posts in Microsoft 365. In Azure AD, users assigned to this role will only have read-only access on Azure AD services such as users and groups. This role has no access to view, create, or manage support tickets.
Modern Commerce User
Do not use. This role is automatically assigned from Commerce, and is not intended or supported for any other use. See details below.
The Modern Commerce User role gives certain users permission to access Microsoft 365 admin center and see the left navigation entries for Home, Billing, and Support. The content available in these areas is controlled by commerce-specific roles assigned to users to manage products that they bought for themselves or your organization. This might include tasks like paying bills, or for access to billing accounts and billing profiles.
Users with the Modern Commerce User role typically have administrative permissions in other Microsoft purchasing systems, but do not have Global administrator or Billing administrator roles used to access the admin center.
When is the Modern Commerce User role assigned?
- Self-service purchase in Microsoft 365 admin center – Self-service purchase gives users a chance to try out new products by buying or signing up for them on their own. These products are managed in the admin center. Users who make a self-service purchase are assigned a role in the commerce system, and the Modern Commerce User role so they can manage their purchases in admin center. Admins can block self-service purchases (for Power BI, Power Apps, Power automate) through PowerShell. For more information, see Self-service purchase FAQ.
- Purchases from Microsoft commercial marketplace – Similar to self-service purchase, when a user buys a product or service from Microsoft AppSource or Azure Marketplace, the Modern Commerce User role is assigned if they don’t have the Global admin or Billing admin role. In some cases, users might be blocked from making these purchases. For more information, see Microsoft commercial marketplace.
- Proposals from Microsoft – A proposal is a formal offer from Microsoft for your organization to buy Microsoft products and services. When the person who is accepting the proposal doesn’t have a Global admin or Billing admin role in Azure AD, they are assigned both a commerce-specific role to complete the proposal and the Modern Commerce User role to access admin center. When they access the admin center they can only use features that are authorized by their commerce-specific role.
- Commerce-specific roles – Some users are assigned commerce-specific roles. If a user isn't a Global or Billing admin, they get the Modern Commerce User role so they can access the admin center.
If the Modern Commerce User role is unassigned from a user, they lose access to Microsoft 365 admin center. If they were managing any products, either for themselves or for your organization, they won’t be able to manage them. This might include assigning licenses, changing payment methods, paying bills, or other tasks for managing subscriptions.
Network Administrator
Users in this role can review network perimeter architecture recommendations from Microsoft that are based on network telemetry from their user locations. Network performance for Microsoft 365 relies on careful enterprise customer network perimeter architecture, which is generally specific to each user location. This role allows editing of discovered user locations and configuration of network parameters for those locations, to facilitate improved telemetry measurements and design recommendations.
Office Apps Administrator
Users in this role can manage Microsoft 365 apps' cloud settings. This includes managing cloud policies, self-service download management, and the ability to view Office apps-related reports. This role additionally grants the ability to manage support tickets and monitor service health within the main admin center. Users assigned to this role can also manage communication of new features in Office apps.
Partner Tier1 Support
Do not use. This role has been deprecated and will be removed from Azure AD in the future. This role is intended for use by a small number of Microsoft resale partners, and is not intended for general use.
Partner Tier2 Support
Do not use. This role has been deprecated and will be removed from Azure AD in the future. This role is intended for use by a small number of Microsoft resale partners, and is not intended for general use.
Password Administrator
Users with this role have limited ability to manage passwords. This role does not grant the ability to manage service requests or monitor service health. Password administrators can reset passwords of other users who are non-administrators or members of the following roles only:
- Directory Readers
- Guest Inviter
- Password Administrator
Power BI Administrator
Users with this role have global permissions within Microsoft Power BI, when the service is present, as well as the ability to manage support tickets and monitor service health. More information at Understanding the Power BI admin role.
Note
In the Microsoft Graph API and Azure AD PowerShell, this role is identified as "Power BI Service Administrator". It is "Power BI Administrator" in the Azure portal.
Power Platform Administrator
Users in this role can create and manage all aspects of environments, PowerApps, Flows, and Data Loss Prevention policies. Additionally, users with this role have the ability to manage support tickets and monitor service health.
Printer Administrator
Users in this role can register printers and manage all aspects of all printer configurations in the Microsoft Universal Print solution, including the Universal Print Connector settings. They can consent to all delegated print permission requests. Printer Administrators also have access to print reports.
Printer Technician
Users with this role can register printers and manage printer status in the Microsoft Universal Print solution. They can also read all connector information. The key tasks a Printer Technician cannot do are setting user permissions on printers and sharing printers.
Privileged Authentication Administrator
Users with this role can set or reset non-password credentials for all users, including global administrators, and can update passwords for all users. Privileged Authentication Administrators can force users to re-register against an existing non-password credential (such as MFA or FIDO) and revoke 'remember MFA on the device', prompting for MFA on the next sign-in of all users. The Authentication Administrator role can force re-registration and MFA only for non-admins and users assigned to the following Azure AD roles:
- Authentication Administrator
- Directory Readers
- Guest Inviter
- Message Center Reader
- Reports Reader
Privileged Role Administrator
Users with this role can manage role assignments in Azure Active Directory, as well as within Azure AD Privileged Identity Management. They can create and manage groups that can be assigned to Azure AD roles. In addition, this role allows management of all aspects of Privileged Identity Management and administrative units.
Important
This role grants the ability to manage assignments for all Azure AD roles including the Global Administrator role. This role does not include any other privileged abilities in Azure AD like creating or updating users. However, users assigned to this role can grant themselves or others additional privilege by assigning additional roles.
Reports Reader
Users with this role can view usage reporting data and the reports dashboard in Microsoft 365 admin center and the adoption context pack in Power BI. Additionally, the role provides access to sign-in reports and activity in Azure AD and data returned by the Microsoft Graph reporting API. A user assigned to the Reports Reader role can access only relevant usage and adoption metrics. They don't have any admin permissions to configure settings or access the product-specific admin centers like Exchange. This role has no access to view, create, or manage support tickets.
Search Administrator
Users in this role have full access to all Microsoft Search management features in the Microsoft 365 admin center. Additionally, these users can view the message center, monitor service health, and create service requests.
Search Editor
Users in this role can create, manage, and delete content for Microsoft Search in the Microsoft 365 admin center, including bookmarks, Q&As, and locations.
Security Administrator
Users with this role have permissions to manage security-related features in the Microsoft 365 security center, Azure Active Directory Identity Protection, Azure Active Directory Authentication, Azure Information Protection, and Office 365 Security & Compliance Center. More information about Office 365 permissions is available at Permissions in the Security & Compliance Center.
In | Can do |
---|---|
Microsoft 365 security center | Monitor security-related policies across Microsoft 365 services; manage security threats and alerts; view reports |
Identity Protection Center | All permissions of the Security Reader role; additionally, the ability to perform all Identity Protection Center operations except for resetting passwords |
Privileged Identity Management | All permissions of the Security Reader role; cannot manage Azure AD role assignments or settings |
Office 365 Security & Compliance Center | Manage security policies; view, investigate, and respond to security threats; view reports |
Azure Advanced Threat Protection | Monitor and respond to suspicious security activity |
Windows Defender ATP and EDR | Assign roles; manage machine groups; configure endpoint threat detection and automated remediation; view, investigate, and respond to alerts |
Intune | Views user, device, enrollment, configuration, and application information; cannot make changes to Intune |
Cloud App Security | Add admins, add policies and settings, upload logs and perform governance actions |
Azure Security Center | Can view security policies, view security states, edit security policies, view alerts and recommendations, dismiss alerts and recommendations |
Microsoft 365 service health | View the health of Microsoft 365 services |
Smart lockout | Define the threshold and duration for lockouts when failed sign-in events happen. |
Password Protection | Configure custom banned password list or on-premises password protection. |
Security Operator
Users with this role can manage alerts and have global read-only access on security-related features, including all information in Microsoft 365 security center, Azure Active Directory, Identity Protection, Privileged Identity Management and Office 365 Security & Compliance Center. More information about Office 365 permissions is available at Permissions in the Security & Compliance Center.
In | Can do |
---|---|
Microsoft 365 security center | All permissions of the Security Reader role; view, investigate, and respond to security threat alerts |
Identity Protection Center | All permissions of the Security Reader role; additionally, the ability to perform all Identity Protection Center operations except for resetting passwords |
Privileged Identity Management | All permissions of the Security Reader role |
Office 365 Security & Compliance Center | All permissions of the Security Reader role; view, investigate, and respond to security alerts |
Windows Defender ATP and EDR | All permissions of the Security Reader role; view, investigate, and respond to security alerts |
Intune | All permissions of the Security Reader role |
Cloud App Security | All permissions of the Security Reader role |
Microsoft 365 service health | View the health of Microsoft 365 services |
Security Reader
Users with this role have global read-only access on security-related features, including all information in the Microsoft 365 security center, Azure Active Directory, Identity Protection, Privileged Identity Management, and the Office 365 Security & Compliance Center, as well as the ability to read Azure Active Directory sign-in reports and audit logs. More information about Office 365 permissions is available at Permissions in the Security & Compliance Center.
In | Can do |
---|---|
Microsoft 365 security center | View security-related policies across Microsoft 365 services; view security threats and alerts; view reports |
Identity Protection Center | Read all security reports and settings information for security features |
Privileged Identity Management | Has read-only access to all information surfaced in Azure AD Privileged Identity Management: Policies and reports for Azure AD role assignments and security reviews. Cannot sign up for Azure AD Privileged Identity Management or make any changes to it. In the Privileged Identity Management portal or via PowerShell, someone in this role can activate additional roles (for example, Global Admin or Privileged Role Administrator), if the user is eligible for them. |
Office 365 Security & Compliance Center | View security policies; view and investigate security threats; view reports |
Windows Defender ATP and EDR | View and investigate alerts. When you turn on role-based access control in Windows Defender ATP, users with read-only permissions such as the Azure AD Security reader role lose access until they are assigned to a Windows Defender ATP role. |
Intune | Views user, device, enrollment, configuration, and application information. Cannot make changes to Intune. |
Cloud App Security | Has read-only permissions and can manage alerts |
Azure Security Center | Can view recommendations and alerts, view security policies, view security states, but cannot make changes |
Microsoft 365 service health | View the health of Microsoft 365 services |
Service Support Administrator
Users with this role can open support requests with Microsoft for Azure and Microsoft 365 services, and view the service dashboard and message center in the Azure portal and Microsoft 365 admin center. More information at About admin roles.
Note
Previously, this role was called "Service Administrator" in the Azure portal and Microsoft 365 admin center. We have renamed it to "Service Support Administrator" to align with the existing name in Microsoft Graph API, Azure AD Graph API, and Azure AD PowerShell.
SharePoint Administrator
Users with this role have global permissions within Microsoft SharePoint Online, when the service is present, as well as the ability to create and manage all Microsoft 365 groups, manage support tickets, and monitor service health. More information at About admin roles.
Note
In the Microsoft Graph API and Azure AD PowerShell, this role is identified as "SharePoint Service Administrator." It is "SharePoint Administrator" in the Azure portal.
Note
This role also grants scoped permissions to the Microsoft Graph API for Microsoft Intune, allowing the management and configuration of policies related to SharePoint and OneDrive resources.
Skype for Business / Lync Administrator
Users with this role have global permissions within Microsoft Skype for Business, when the service is present, as well as the ability to manage Skype-specific user attributes in Azure Active Directory. Additionally, this role grants the ability to manage support tickets and monitor service health, and to access the Teams and Skype for Business Admin Center. The account must also be licensed for Teams or it can't run Teams PowerShell cmdlets. More information at About the Skype for Business admin role, and Teams licensing information at Skype for Business and Microsoft Teams add-on licensing.
Note
In the Microsoft Graph API and Azure AD PowerShell, this role is identified as "Lync Service Administrator." It is "Skype for Business Administrator" in the Azure portal.
Teams Communications Administrator
Users in this role can manage aspects of the Microsoft Teams workload related to voice & telephony. This includes the management tools for telephone number assignment, voice and meeting policies, and full access to the call analytics toolset.
Teams Communications Support Engineer
Users in this role can troubleshoot communication issues within Microsoft Teams & Skype for Business using the user call troubleshooting tools in the Microsoft Teams & Skype for Business admin center. Users in this role can view full call record information for all participants involved. This role has no access to view, create, or manage support tickets.
Teams Communications Support Specialist
Users in this role can troubleshoot communication issues within Microsoft Teams & Skype for Business using the user call troubleshooting tools in the Microsoft Teams & Skype for Business admin center. Users in this role can only view user details in the call for the specific user they have looked up. This role has no access to view, create, or manage support tickets.
Teams Devices Administrator
Users with this role can manage Teams-certified devices from the Teams Admin Center. This role allows viewing all devices at a single glance, with the ability to search and filter devices. The user can check details of each device, including the logged-in account and the make and model of the device. The user can change the settings on the device and update the software versions. This role does not grant permissions to check Teams activity and call quality of the device.
Teams Service Administrator
Users in this role can manage all aspects of the Microsoft Teams workload via the Microsoft Teams & Skype for Business admin center and the respective PowerShell modules. This includes, among other areas, all management tools related to telephony, messaging, meetings, and the teams themselves. This role additionally grants the ability to create and manage all Microsoft 365 groups, manage support tickets, and monitor service health.
Usage Summary Reports Reader
Users with this role can access tenant level aggregated data and associated insights in Microsoft 365 Admin Center for Usage and Productivity Score but cannot access any user level details or insights. In Microsoft 365 Admin Center for the two reports, we differentiate between tenant level aggregated data and user level details. This role gives an extra layer of protection on individual user identifiable data, which was requested by both customers and legal teams.
User Administrator
Users with this role can create users, manage all aspects of users with some restrictions (see the table), and update password expiration policies. Additionally, users with this role can create and manage all groups. This role also includes the ability to create and manage user views, manage support tickets, and monitor service health. User administrators don't have permission to manage some user properties for users in most administrator roles. Users with this role do not have permissions to manage MFA. The roles that are exceptions to this restriction are listed in the following table.
Permission | Can do |
---|---|
General permissions | Create users and groups; create and manage user views; manage Office support tickets; update password expiration policies |
On all users, including all admins | Manage licenses; manage all user properties except User Principal Name |
Only on users who are non-admins or in any of the following limited admin roles: | Delete and restore; disable and enable; invalidate refresh tokens; manage all user properties including User Principal Name; reset password; update (FIDO) device keys |
Important
Users with this role can change passwords for people who may have access to sensitive or private information or critical configuration inside and outside of Azure Active Directory. Changing the password of a user may mean the ability to assume that user's identity and permissions. For example:
- Application Registration and Enterprise Application owners, who can manage credentials of apps they own. Those apps may have privileged permissions in Azure AD and elsewhere not granted to User Administrators. Through this path a User Administrator may be able to assume the identity of an application owner and then further assume the identity of a privileged application by updating the credentials for the application.
- Azure subscription owners, who may have access to sensitive or private information or critical configuration in Azure.
- Security Group and Microsoft 365 group owners, who can manage group membership. Those groups may grant access to sensitive or private information or critical configuration in Azure AD and elsewhere.
- Administrators in other services outside of Azure AD like Exchange Online, Office Security and Compliance Center, and human resources systems.
- Non-administrators like executives, legal counsel, and human resources employees who may have access to sensitive or private information.
Role Permissions
The following tables describe the specific permissions in Azure Active Directory given to each role. Some roles may have additional permissions in Microsoft services outside of Azure Active Directory.
Application Administrator permissions
Can create and manage all aspects of app registrations and enterprise apps.
Actions | Description |
---|---|
microsoft.directory/Application/appProxyAuthentication/update | Update App Proxy authentication properties on service principals in Azure Active Directory. |
microsoft.directory/Application/appProxyUrlSettings/update | Update application proxy internal and external URLs in Azure Active Directory. |
microsoft.directory/applications/applicationProxy/read | Read all App Proxy properties. |
microsoft.directory/applications/applicationProxy/update | Update all App Proxy properties. |
microsoft.directory/applications/audience/update | Update applications.audience property in Azure Active Directory. |
microsoft.directory/applications/authentication/update | Update applications.authentication property in Azure Active Directory. |
microsoft.directory/applications/basic/update | Update basic properties on applications in Azure Active Directory. |
microsoft.directory/applications/create | Create applications in Azure Active Directory. |
microsoft.directory/applications/credentials/update | Update applications.credentials property in Azure Active Directory. |
microsoft.directory/applications/delete | Delete applications in Azure Active Directory. |
microsoft.directory/applications/owners/update | Update applications.owners property in Azure Active Directory. |
microsoft.directory/applications/permissions/update | Update applications.permissions property in Azure Active Directory. |
microsoft.directory/applications/policies/update | Update applications.policies property in Azure Active Directory. |
microsoft.directory/appRoleAssignments/create | Create appRoleAssignments in Azure Active Directory. |
microsoft.directory/appRoleAssignments/read | Read appRoleAssignments in Azure Active Directory. |
microsoft.directory/appRoleAssignments/update | Update appRoleAssignments in Azure Active Directory. |
microsoft.directory/appRoleAssignments/delete | Delete appRoleAssignments in Azure Active Directory. |
microsoft.directory/auditLogs/allProperties/read | Read all properties (including privileged properties) on auditLogs in Azure Active Directory. |
microsoft.directory/connectorGroups/allProperties/read | Read application proxy connector group properties in Azure Active Directory. |
microsoft.directory/connectorGroups/allProperties/update | Update all application proxy connector group properties in Azure Active Directory. |
microsoft.directory/connectorGroups/create | Create application proxy connector groups in Azure Active Directory. |
microsoft.directory/connectorGroups/delete | Delete application proxy connector groups in Azure Active Directory. |
microsoft.directory/connectors/allProperties/read | Read all application proxy connector properties in Azure Active Directory. |
microsoft.directory/connectors/create | Create application proxy connectors in Azure Active Directory. |
microsoft.directory/policies/applicationConfiguration/basic/read | Read policies.applicationConfiguration property in Azure Active Directory. |
microsoft.directory/policies/applicationConfiguration/basic/update | Update policies.applicationConfiguration property in Azure Active Directory. |
microsoft.directory/policies/applicationConfiguration/create | Create policies in Azure Active Directory. |
microsoft.directory/policies/applicationConfiguration/delete | Delete policies in Azure Active Directory. |
microsoft.directory/policies/applicationConfiguration/owners/read | Read policies.applicationConfiguration property in Azure Active Directory. |
microsoft.directory/policies/applicationConfiguration/owners/update | Update policies.applicationConfiguration property in Azure Active Directory. |
microsoft.directory/policies/applicationConfiguration/policyAppliedTo/read | Read policies.applicationConfiguration property in Azure Active Directory. |
microsoft.directory/servicePrincipals/appRoleAssignedTo/update | Update servicePrincipals.appRoleAssignedTo property in Azure Active Directory. |
microsoft.directory/servicePrincipals/appRoleAssignments/update | Update servicePrincipals.appRoleAssignments property in Azure Active Directory. |
microsoft.directory/servicePrincipals/audience/update | Update servicePrincipals.audience property in Azure Active Directory. |
microsoft.directory/servicePrincipals/authentication/update | Update servicePrincipals.authentication property in Azure Active Directory. |
microsoft.directory/servicePrincipals/basic/update | Update basic properties on servicePrincipals in Azure Active Directory. |
microsoft.directory/servicePrincipals/create | Create servicePrincipals in Azure Active Directory. |
microsoft.directory/servicePrincipals/credentials/update | Update servicePrincipals.credentials property in Azure Active Directory. |
microsoft.directory/servicePrincipals/delete | Delete servicePrincipals in Azure Active Directory. |
microsoft.directory/servicePrincipals/owners/update | Update servicePrincipals.owners property in Azure Active Directory. |
microsoft.directory/servicePrincipals/permissions/update | Update servicePrincipals.permissions property in Azure Active Directory. |
microsoft.directory/servicePrincipals/policies/update | Update servicePrincipals.policies property in Azure Active Directory. |
microsoft.directory/signInReports/allProperties/read | Read all properties (including privileged properties) on signInReports in Azure Active Directory. |
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health. |
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets. |
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Microsoft 365 Service Health. |
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets. |
Application Developer permissions
Can create application registrations independent of the 'Users can register applications' setting.
Actions | Description |
---|---|
microsoft.directory/applications/createAsOwner | Create applications in Azure Active Directory. Creator is added as the first owner, and the created object counts against the creator's 250 created objects quota. |
microsoft.directory/appRoleAssignments/createAsOwner | Create appRoleAssignments in Azure Active Directory. Creator is added as the first owner, and the created object counts against the creator's 250 created objects quota. |
microsoft.directory/oAuth2PermissionGrants/createAsOwner | Create oAuth2PermissionGrants in Azure Active Directory. Creator is added as the first owner, and the created object counts against the creator's 250 created objects quota. |
microsoft.directory/servicePrincipals/createAsOwner | Create servicePrincipals in Azure Active Directory. Creator is added as the first owner, and the created object counts against the creator's 250 created objects quota. |
Authentication Administrator permissions
Allowed to view, set and reset authentication method information for any non-admin user.
Actions | Description |
---|---|
microsoft.directory/users/invalidateAllRefreshTokens | Invalidate all user refresh tokens in Azure Active Directory. |
microsoft.directory/users/strongAuthentication/update | Update strong authentication properties like MFA credential information. |
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health. |
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets for directory-level services. |
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. |
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Microsoft 365 Service Health. |
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets. |
microsoft.directory/users/password/update | Update passwords for all users in the Microsoft 365 organization. See online documentation for more detail. |
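The action strings in the tables above share one shape, `namespace/entity[/property...]/verb`, with `allEntities`, `allProperties` and `allTasks` acting as wildcards. The following added example (my own code, not Microsoft's and not part of this page) parses that shape, picks the role with the fewest actions that still covers a task, and flags the actions that touch credentials, passwords or MFA registrations; the role-to-action sets are a constructed subset transcribed from the Application Administrator, Cloud Application Administrator, Application Developer and Authentication Administrator tables, and the "sensitive" classification is this example's own heuristic.

```python
"""Least-privilege role picker over Azure AD role action strings.

Added example, not Microsoft's code. ROLE_ACTIONS is a constructed SUBSET
of the permission tables on this page (real roles carry more actions);
SENSITIVE_PROPERTIES is this example's own heuristic.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed subset of the page's permission tables (not complete).
ROLE_ACTIONS: dict[str, frozenset[str]] = {
    "Application Administrator": frozenset({
        "microsoft.directory/applications/create",
        "microsoft.directory/applications/credentials/update",
        "microsoft.directory/applications/applicationProxy/update",
        "microsoft.directory/servicePrincipals/credentials/update",
        "microsoft.directory/auditLogs/allProperties/read",
        "microsoft.office365.supportTickets/allEntities/allTasks",
    }),
    "Cloud Application Administrator": frozenset({
        "microsoft.directory/applications/create",
        "microsoft.directory/applications/credentials/update",
        "microsoft.directory/servicePrincipals/credentials/update",
        "microsoft.directory/auditLogs/allProperties/read",
        "microsoft.office365.supportTickets/allEntities/allTasks",
    }),
    "Application Developer": frozenset({
        "microsoft.directory/applications/createAsOwner",
        "microsoft.directory/servicePrincipals/createAsOwner",
    }),
    "Authentication Administrator": frozenset({
        "microsoft.directory/users/invalidateAllRefreshTokens",
        "microsoft.directory/users/strongAuthentication/update",
        "microsoft.directory/users/password/update",
        "microsoft.office365.supportTickets/allEntities/allTasks",
    }),
}

# Properties whose update lets the holder act as another identity
# (app credentials, user passwords, MFA registrations). Heuristic only.
SENSITIVE_PROPERTIES = frozenset({"credentials", "password", "strongAuthentication"})


@dataclass(frozen=True)
class Action:
    """One action string split as namespace/entity[/property...]/verb."""
    namespace: str
    entity: str
    properties: tuple[str, ...]
    verb: str


def parse_action(action: str) -> Action:
    parts = action.split("/")
    if len(parts) < 3 or not all(parts):
        raise ValueError(f"malformed action string: {action!r}")
    return Action(parts[0], parts[1], tuple(parts[2:-1]), parts[-1])


def action_matches(granted: str, needed: str) -> bool:
    """True if a granted action covers a needed one, honouring the
    allEntities / allProperties / allTasks wildcards used in the tables."""
    g, n = parse_action(granted), parse_action(needed)
    if g.namespace != n.namespace:
        return False
    if g.entity not in ("allEntities", n.entity):
        return False
    if g.properties not in (("allProperties",), n.properties):
        return False
    return g.verb in ("allTasks", n.verb)


def roles_covering(needed: set[str], roles=ROLE_ACTIONS) -> list[str]:
    """Roles whose actions cover every needed action, fewest actions
    (least privileged) first; ties broken by role name."""
    covering = [
        role for role, actions in roles.items()
        if all(any(action_matches(a, need) for a in actions) for need in needed)
    ]
    return sorted(covering, key=lambda r: (len(roles[r]), r))


def least_privileged_role(needed: set[str], roles=ROLE_ACTIONS) -> str | None:
    candidates = roles_covering(needed, roles)
    return candidates[0] if candidates else None


def sensitive_actions(role: str, roles=ROLE_ACTIONS) -> set[str]:
    """Actions of a role that update an identity-bearing property."""
    flagged = set()
    for action in roles[role]:
        a = parse_action(action)
        if a.verb in ("update", "allTasks") and SENSITIVE_PROPERTIES & set(a.properties):
            flagged.add(action)
    return flagged


if __name__ == "__main__":
    task = {"microsoft.directory/applications/create",
            "microsoft.directory/auditLogs/basic/read"}
    print("least privileged role for task:", least_privileged_role(task))
    for role in ROLE_ACTIONS:
        print(f"{role}: sensitive={sorted(sensitive_actions(role))}")
```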
Attack Payload Author permissions
Can create attack payloads that can be deployed by an administrator later.
Actions | Description |
---|---|
microsoft.office365.protectionCenter/attackSimulator/payload/allProperties/allTasks | Create and manage attack payloads in Attack Simulator. |
microsoft.office365.protectionCenter/attackSimulator/reports/allProperties/read | Read reports of attack simulation, responses, and associated training. |
Attack Simulation Administrator permissions
Can create and manage all aspects of attack simulation campaigns.
Actions | Description |
---|---|
microsoft.office365.protectionCenter/attackSimulator/payload/allProperties/allTasks | Create and manage attack payloads in Attack Simulator. |
microsoft.office365.protectionCenter/attackSimulator/reports/allProperties/read | Read reports of attack simulation, responses, and associated training. |
microsoft.office365.protectionCenter/attackSimulator/simulation/allProperties/allTasks | Create and manage attack simulation templates in Attack Simulator. |
Azure DevOps Administrator permissions
Can manage Azure DevOps organization policy and settings.
Note
This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Actions | Description |
---|---|
microsoft.azure.devOps/allEntities/allTasks | Read and configure Azure DevOps. |
Azure Information Protection Administrator permissions
Can manage all aspects of the Azure Information Protection service.
Note
This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Actions | Description |
---|---|
microsoft.azure.informationProtection/allEntities/allTasks | Manage all aspects of Azure Information Protection. |
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health. |
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets. |
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Microsoft 365 Service Health. |
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets. |
B2C IEF Keyset Administrator permissions
Manage secrets for federation and encryption in the Identity Experience Framework.
Actions | Description |
---|---|
microsoft.aad.b2c/trustFramework/keySets/allTasks | Read and configure key sets in Azure Active Directory B2C. |
B2C IEF Policy Administrator permissions
Create and manage trust framework policies in the Identity Experience Framework.
Actions | Description |
---|---|
microsoft.aad.b2c/trustFramework/policies/allTasks | Read and configure custom policies in Azure Active Directory B2C. |
Billing Administrator permissions
Can perform common billing related tasks like updating payment information.
Note
This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Actions | Description |
---|---|
microsoft.directory/organization/basic/update | Update basic properties on organization in Azure Active Directory. |
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health. |
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets for directory-level services. |
microsoft.commerce.billing/allEntities/allTasks | Manage all aspects of billing. |
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. |
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Microsoft 365 Service Health. |
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets. |
Cloud Application Administrator permissions
Can create and manage all aspects of app registrations and enterprise apps except App Proxy.
Actions | Description |
---|---|
microsoft.directory/applications/audience/update | Update applications.audience property in Azure Active Directory. |
microsoft.directory/applications/authentication/update | Update applications.authentication property in Azure Active Directory. |
microsoft.directory/applications/basic/update | Update basic properties on applications in Azure Active Directory. |
microsoft.directory/applications/create | Create applications in Azure Active Directory. |
microsoft.directory/applications/credentials/update | Update applications.credentials property in Azure Active Directory. |
microsoft.directory/applications/delete | Delete applications in Azure Active Directory. |
microsoft.directory/applications/owners/update | Update applications.owners property in Azure Active Directory. |
microsoft.directory/applications/permissions/update | Update applications.permissions property in Azure Active Directory. |
microsoft.directory/applications/policies/update | Update applications.policies property in Azure Active Directory. |
microsoft.directory/appRoleAssignments/create | Create appRoleAssignments in Azure Active Directory. |
microsoft.directory/appRoleAssignments/update | Update appRoleAssignments in Azure Active Directory. |
microsoft.directory/appRoleAssignments/delete | Delete appRoleAssignments in Azure Active Directory. |
microsoft.directory/auditLogs/allProperties/read | Read all properties (including privileged properties) on auditLogs in Azure Active Directory. |
microsoft.directory/policies/applicationConfiguration/create | Create policies in Azure Active Directory. |
microsoft.directory/policies/applicationConfiguration/basic/read | Read policies.applicationConfiguration property in Azure Active Directory. |
microsoft.directory/policies/applicationConfiguration/basic/update | Update policies.applicationConfiguration property in Azure Active Directory. |
microsoft.directory/policies/applicationConfiguration/delete | Delete policies in Azure Active Directory. |
microsoft.directory/policies/applicationConfiguration/owners/read | Read policies.applicationConfiguration property in Azure Active Directory. |
microsoft.directory/policies/applicationConfiguration/owners/update | Update policies.applicationConfiguration property in Azure Active Directory. |
microsoft.directory/policies/applicationConfiguration/policyAppliedTo/read | Read policies.applicationConfiguration property in Azure Active Directory. |
microsoft.directory/servicePrincipals/appRoleAssignedTo/update | Update servicePrincipals.appRoleAssignedTo property in Azure Active Directory. |
microsoft.directory/servicePrincipals/appRoleAssignments/update | Update servicePrincipals.appRoleAssignments property in Azure Active Directory. |
microsoft.directory/servicePrincipals/audience/update | Update servicePrincipals.audience property in Azure Active Directory. |
microsoft.directory/servicePrincipals/authentication/update | Update servicePrincipals.authentication property in Azure Active Directory. |
microsoft.directory/servicePrincipals/basic/update | Update basic properties on servicePrincipals in Azure Active Directory. |
microsoft.directory/servicePrincipals/create | Create servicePrincipals in Azure Active Directory. |
microsoft.directory/servicePrincipals/credentials/update | Update servicePrincipals.credentials property in Azure Active Directory. |
microsoft.directory/servicePrincipals/delete | Delete servicePrincipals in Azure Active Directory. |
microsoft.directory/servicePrincipals/owners/update | Update servicePrincipals.owners property in Azure Active Directory. |
microsoft.directory/servicePrincipals/permissions/update | Update servicePrincipals.permissions property in Azure Active Directory. |
microsoft.directory/servicePrincipals/policies/update | Update servicePrincipals.policies property in Azure Active Directory. |
microsoft.directory/signInReports/allProperties/read | Read all properties (including privileged properties) on signInReports in Azure Active Directory. |
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health. |
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets. |
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Microsoft 365 Service Health. |
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets. |
Cloud Device Administrator permissions
Full access to manage devices in Azure AD.
Actions | Description |
---|---|
microsoft.directory/auditLogs/allProperties/read | Read all properties (including privileged properties) on auditLogs in Azure Active Directory. |
microsoft.directory/bitlockerKeys/key/read | Read bitlocker key objects and properties (including recovery key) in Azure Active Directory. |
microsoft.directory/devices/delete | Delete devices in Azure Active Directory. |
microsoft.directory/devices/disable | Disable devices in Azure Active Directory. |
microsoft.directory/devices/enable | Enable devices in Azure Active Directory. |
microsoft.directory/devices/extensionAttributes/update | Update all values for devices.extensionAttributes property in Azure Active Directory. |
microsoft.directory/signInReports/allProperties/read | Read all properties (including privileged properties) on signInReports in Azure Active Directory. |
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health. |
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Microsoft 365 Service Health. |
Company Administrator permissions
Can manage all aspects of Azure AD and Microsoft services that use Azure AD identities. This role is also known as the Global Administrator role.
Note
This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Actions | Description |
---|---|
microsoft.aad.cloudAppSecurity/allEntities/allTasks | Create and delete all resources, and read and update standard properties in microsoft.aad.cloudAppSecurity. |
microsoft.directory/administrativeUnits/allProperties/allTasks | Create and delete administrativeUnits, and read and update all properties in Azure Active Directory. |
microsoft.directory/applications/allProperties/allTasks | Create and delete applications, and read and update all properties in Azure Active Directory. |
microsoft.directory/appRoleAssignments/allProperties/allTasks | Create and delete appRoleAssignments, and read and update all properties in Azure Active Directory. |
microsoft.directory/auditLogs/allProperties/read | Read all properties (including privileged properties) on auditLogs in Azure Active Directory. |
microsoft.directory/bitlockerKeys/key/read | Read bitlocker key objects and properties (including recovery key) in Azure Active Directory. |
microsoft.directory/contacts/allProperties/allTasks | Create and delete contacts, and read and update all properties in Azure Active Directory. |
microsoft.directory/contracts/allProperties/allTasks | Create and delete contracts, and read and update all properties in Azure Active Directory. |
microsoft.directory/devices/allProperties/allTasks | Create and delete devices, and read and update all properties in Azure Active Directory. |
microsoft.directory/directoryRoles/allProperties/allTasks | Create and delete directoryRoles, and read and update all properties in Azure Active Directory. |
microsoft.directory/directoryRoleTemplates/allProperties/allTasks | Create and delete directoryRoleTemplates, and read and update all properties in Azure Active Directory. |
microsoft.directory/domains/allProperties/allTasks | Create and delete domains, and read and update all properties in Azure Active Directory. |
microsoft.directory/entitlementManagement/allProperties/allTasks | Create and delete resources, and read and update all properties in Azure AD entitlement management. |
microsoft.directory/groups/allProperties/allTasks | Create and delete groups, and read and update all properties in Azure Active Directory. |
microsoft.directory/groupsAssignableToRoles/allProperties/update | Update groups with isAssignableToRole property set to true in Azure Active Directory. |
microsoft.directory/groupsAssignableToRoles/create | Create groups with isAssignableToRole property set to true in Azure Active Directory. |
microsoft.directory/groupsAssignableToRoles/delete | Delete groups with isAssignableToRole property set to true in Azure Active Directory. |
microsoft.directory/groupSettings/allProperties/allTasks | Create and delete groupSettings, and read and update all properties in Azure Active Directory. |
microsoft.directory/groupSettingTemplates/allProperties/allTasks | Create and delete groupSettingTemplates, and read and update all properties in Azure Active Directory. |
microsoft.directory/loginTenantBranding/allProperties/allTasks | Create and delete loginTenantBranding, and read and update all properties in Azure Active Directory. |
microsoft.directory/oAuth2PermissionGrants/allProperties/allTasks | Create and delete oAuth2PermissionGrants, and read and update all properties in Azure Active Directory. |
microsoft.directory/organization/allProperties/allTasks | Create and delete organization, and read and update all properties in Azure Active Directory. |
microsoft.directory/policies/allProperties/allTasks | Create and delete policies, and read and update all properties in Azure Active Directory. |
microsoft.directory/roleAssignments/allProperties/allTasks | Create and delete roleAssignments, and read and update all properties in Azure Active Directory. |
microsoft.directory/roleDefinitions/allProperties/allTasks | Create and delete roleDefinitions, and read and update all properties in Azure Active Directory. |
microsoft.directory/scopedRoleMemberships/allProperties/allTasks | Create and delete scopedRoleMemberships, and read and update all properties in Azure Active Directory. |
microsoft.directory/serviceAction/activateService | Can perform the Activateservice service action in Azure Active Directory. |
microsoft.directory/serviceAction/disableDirectoryFeature | Can perform the Disabledirectoryfeature service action in Azure Active Directory. |
microsoft.directory/serviceAction/enableDirectoryFeature | Can perform the Enabledirectoryfeature service action in Azure Active Directory. |
microsoft.directory/serviceAction/getAvailableExtentionProperties | Can perform the Getavailableextentionproperties service action in Azure Active Directory. |
microsoft.directory/servicePrincipals/allProperties/allTasks | Create and delete servicePrincipals, and read and update all properties in Azure Active Directory. |
microsoft.directory/signInReports/allProperties/read | Read all properties (including privileged properties) on signInReports in Azure Active Directory. |
microsoft.directory/subscribedSkus/allProperties/allTasks | Create and delete subscribedSkus, and read and update all properties in Azure Active Directory. |
microsoft.directory/users/allProperties/allTasks | Create and delete users, and read and update all properties in Azure Active Directory. |
microsoft.directorySync/allEntities/allTasks | Perform all actions in Azure AD Connect. |
microsoft.aad.identityProtection/allEntities/allTasks | Create and delete all resources, and read and update standard properties in microsoft.aad.identityProtection. |
microsoft.aad.privilegedIdentityManagement/allEntities/read | Read all resources in microsoft.aad.privilegedIdentityManagement. |
microsoft.azure.advancedThreatProtection/allEntities/read | Read all resources in microsoft.azure.advancedThreatProtection. |
microsoft.azure.informationProtection/allEntities/allTasks | Manage all aspects of Azure Information Protection. |
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health. |
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets for directory-level services. |
microsoft.commerce.billing/allEntities/allTasks | Manage all aspects of billing. |
microsoft.intune/allEntities/allTasks | Manage all aspects of Intune. |
microsoft.office365.complianceManager/allEntities/allTasks | Manage all aspects of Office 365 Compliance Manager. |
microsoft.office365.desktopAnalytics/allEntities/allTasks | Manage all aspects of Desktop Analytics. |
microsoft.office365.exchange/allEntities/allTasks | Manage all aspects of Exchange Online. |
microsoft.office365.lockbox/allEntities/allTasks | Manage all aspects of Office 365 Customer Lockbox. |
microsoft.office365.messageCenter/messages/read | Read messages in microsoft.office365.messageCenter. |
microsoft.office365.messageCenter/securityMessages/read | Read securityMessages in microsoft.office365.messageCenter. |
microsoft.office365.protectionCenter/allEntities/allTasks | Manage all aspects of Office 365 Protection Center. |
microsoft.office365.securityComplianceCenter/allEntities/allTasks | Create and delete all resources, and read and update standard properties in microsoft.office365.securityComplianceCenter. |
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Microsoft 365 Service Health. |
microsoft.office365.sharepoint/allEntities/allTasks | Create and delete all resources, and read and update standard properties in microsoft.office365.sharepoint. |
microsoft.office365.skypeForBusiness/allEntities/allTasks | Manage all aspects of Skype for Business Online. |
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets. |
microsoft.office365.usageReports/allEntities/read | Read Office 365 usage reports. |
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. |
microsoft.powerApps.dynamics365/allEntities/allTasks | Manage all aspects of Dynamics 365. |
microsoft.powerApps.powerBI/allEntities/allTasks | Manage all aspects of Power BI. |
microsoft.windows.defenderAdvancedThreatProtection/allEntities/read | Read all resources in microsoft.windows.defenderAdvancedThreatProtection. |
Compliance Administrator permissions
Can read and manage compliance configuration and reports in Azure AD and Microsoft 365.
Note
This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Actions | Description |
---|---|
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health. |
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets for directory-level services. |
microsoft.directory/entitlementManagement/allProperties/read | Read all properties in Azure AD entitlement management. |
microsoft.office365.complianceManager/allEntities/allTasks | Manage all aspects of Office 365 Compliance Manager. |
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Microsoft 365 Service Health. |
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets. |
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. |
Compliance Data Administrator permissions
Creates and manages compliance content.
Note
This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Actions | Description |
---|---|
microsoft.directory.cloudAppSecurity/allEntities/allTasks | Read and configure Microsoft Cloud App Security. |
microsoft.azure.informationProtection/allEntities/allTasks | Manage all aspects of Azure Information Protection. |
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health. |
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets for directory-level services. |
microsoft.office365.complianceManager/allEntities/allTasks | Manage all aspects of Office 365 Compliance Manager. |
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Microsoft 365 Service Health. |
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets. |
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. |
Conditional Access Administrator permissions
Can manage Conditional Access capabilities.
Actions | Description |
---|---|
microsoft.directory/policies/conditionalAccess/basic/read | Read policies.conditionalAccess property in Azure Active Directory. |
microsoft.directory/policies/conditionalAccess/basic/update | Update policies.conditionalAccess property in Azure Active Directory. |
microsoft.directory/policies/conditionalAccess/create | Create policies in Azure Active Directory. |
microsoft.directory/policies/conditionalAccess/delete | Delete policies in Azure Active Directory. |
microsoft.directory/policies/conditionalAccess/owners/read | Read policies.conditionalAccess property in Azure Active Directory. |
microsoft.directory/policies/conditionalAccess/owners/update | Update policies.conditionalAccess property in Azure Active Directory. |
microsoft.directory/policies/conditionalAccess/policiesAppliedTo/read | Read policies.conditionalAccess property in Azure Active Directory. |
microsoft.directory/policies/conditionalAccess/tenantDefault/update | Update policies.conditionalAccess property in Azure Active Directory. |
CRM Service Administrator permissions
Can manage all aspects of the Dynamics 365 product.
Note
This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Actions | Description |
---|---|
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health. |
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets for directory-level services. |
microsoft.powerApps.dynamics365/allEntities/allTasks | Manage all aspects of Dynamics 365. |
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. |
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Microsoft 365 Service Health. |
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets. |
Customer LockBox Access Approver permissions
Can approve Microsoft support requests to access customer organizational data.
Note
This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Actions | Description |
---|---|
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. |
microsoft.office365.lockbox/allEntities/allTasks | Manage all aspects of Office 365 Customer Lockbox. |
Desktop Analytics Administrator permissions
Can manage the Desktop Analytics and Office Customization & Policy services. For Desktop Analytics, this includes the ability to view asset inventory, create deployment plans, view deployment and health status. For Office Customization & Policy service, this role enables users to manage Office policies.
Note
This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Actions | Description |
---|---|
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health. |
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets for directory-level services. |
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. |
microsoft.office365.desktopAnalytics/allEntities/allTasks | Manage all aspects of Desktop Analytics. |
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Microsoft 365 Service Health. |
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets. |
Device Administrators permissions
Users assigned to this role are added to the local administrators group on Azure AD-joined devices.
Actions | Description |
---|---|
microsoft.directory/groupSettings/basic/read | Read basic properties on groupSettings in Azure Active Directory. |
microsoft.directory/groupSettingTemplates/basic/read | Read basic properties on groupSettingTemplates in Azure Active Directory. |
Directory Readers permissions
Can read basic directory information. For granting access to applications, not intended for users.
Actions | Description |
---|---|
microsoft.directory/administrativeUnits/basic/read | Read basic properties on administrativeUnits in Azure Active Directory. |
microsoft.directory/administrativeUnits/members/read | Read administrativeUnits.members property in Azure Active Directory. |
microsoft.directory/applications/basic/read | Read basic properties on applications in Azure Active Directory. |
microsoft.directory/applications/owners/read | Read applications.owners property in Azure Active Directory. |
microsoft.directory/applications/policies/read | Read applications.policies property in Azure Active Directory. |
microsoft.directory/contacts/basic/read | Read basic properties on contacts in Azure Active Directory. |
microsoft.directory/contacts/memberOf/read | Read contacts.memberOf property in Azure Active Directory. |
microsoft.directory/contracts/basic/read | Read basic properties on contracts in Azure Active Directory. |
microsoft.directory/devices/basic/read | Read basic properties on devices in Azure Active Directory. |
microsoft.directory/devices/memberOf/read | Read devices.memberOf property in Azure Active Directory. |
microsoft.directory/devices/registeredOwners/read | Read devices.registeredOwners property in Azure Active Directory. |
microsoft.directory/devices/registeredUsers/read | Read devices.registeredUsers property in Azure Active Directory. |
microsoft.directory/directoryRoles/basic/read | Read basic properties on directoryRoles in Azure Active Directory. |
microsoft.directory/directoryRoles/eligibleMembers/read | Read directoryRoles.eligibleMembers property in Azure Active Directory. |
microsoft.directory/directoryRoles/members/read | Read directoryRoles.members property in Azure Active Directory. |
microsoft.directory/domains/basic/read | Read basic properties on domains in Azure Active Directory. |
microsoft.directory/groups/appRoleAssignments/read | Read groups.appRoleAssignments property in Azure Active Directory. |
microsoft.directory/groups/basic/read | Read basic properties on groups in Azure Active Directory. |
microsoft.directory/groups/memberOf/read | Read groups.memberOf property in Azure Active Directory. |
microsoft.directory/groups/members/read | Read groups.members property in Azure Active Directory. |
microsoft.directory/groups/owners/read | Read groups.owners property in Azure Active Directory. |
microsoft.directory/groups/settings/read | Read groups.settings property in Azure Active Directory. |
microsoft.directory/groupSettings/basic/read | Read basic properties on groupSettings in Azure Active Directory. |
microsoft.directory/groupSettingTemplates/basic/read | Read basic properties on groupSettingTemplates in Azure Active Directory. |
microsoft.directory/oAuth2PermissionGrants/basic/read | Read basic properties on oAuth2PermissionGrants in Azure Active Directory. |
microsoft.directory/organization/basic/read | Read basic properties on organization in Azure Active Directory. |
microsoft.directory/organization/trustedCAsForPasswordlessAuth/read | Read organization.trustedCAsForPasswordlessAuth property in Azure Active Directory. |
microsoft.directory/roleAssignments/basic/read | Read basic properties on roleAssignments in Azure Active Directory. |
microsoft.directory/roleDefinitions/basic/read | Read basic properties on roleDefinitions in Azure Active Directory. |
microsoft.directory/servicePrincipals/appRoleAssignedTo/read | Read servicePrincipals.appRoleAssignedTo property in Azure Active Directory. |
microsoft.directory/servicePrincipals/appRoleAssignments/read | Read servicePrincipals.appRoleAssignments property in Azure Active Directory. |
microsoft.directory/servicePrincipals/basic/read | Read basic properties on servicePrincipals in Azure Active Directory. |
microsoft.directory/servicePrincipals/memberOf/read | Read servicePrincipals.memberOf property in Azure Active Directory. |
microsoft.directory/servicePrincipals/oAuth2PermissionGrants/basic/read | Read servicePrincipals.oAuth2PermissionGrants property in Azure Active Directory. |
microsoft.directory/servicePrincipals/ownedObjects/read | Read servicePrincipals.ownedObjects property in Azure Active Directory. |
microsoft.directory/servicePrincipals/owners/read | Read servicePrincipals.owners property in Azure Active Directory. |
microsoft.directory/servicePrincipals/policies/read | Read servicePrincipals.policies property in Azure Active Directory. |
microsoft.directory/subscribedSkus/basic/read | Read basic properties on subscribedSkus in Azure Active Directory. |
microsoft.directory/users/appRoleAssignments/read | Read users.appRoleAssignments property in Azure Active Directory. |
microsoft.directory/users/basic/read | Read basic properties on users in Azure Active Directory. |
microsoft.directory/users/directReports/read | Read users.directReports property in Azure Active Directory. |
microsoft.directory/users/manager/read | Read users.manager property in Azure Active Directory. |
microsoft.directory/users/memberOf/read | Read users.memberOf property in Azure Active Directory. |
microsoft.directory/users/oAuth2PermissionGrants/basic/read | Read users.oAuth2PermissionGrants property in Azure Active Directory. |
microsoft.directory/users/ownedDevices/read | Read users.ownedDevices property in Azure Active Directory. |
microsoft.directory/users/ownedObjects/read | Read users.ownedObjects property in Azure Active Directory. |
microsoft.directory/users/registeredDevices/read | Read users.registeredDevices property in Azure Active Directory. |
Directory Synchronization Accounts permissions
Only used by Azure AD Connect service.
Actions | Description |
---|---|
microsoft.directory/organization/dirSync/update | Update organization.dirSync property in Azure Active Directory. |
microsoft.directory/policies/create | Create policies in Azure Active Directory. |
microsoft.directory/policies/delete | Delete policies in Azure Active Directory. |
microsoft.directory/policies/basic/read | Read basic properties on policies in Azure Active Directory. |
microsoft.directory/policies/basic/update | Update basic properties on policies in Azure Active Directory. |
microsoft.directory/policies/owners/read | Read policies.owners property in Azure Active Directory. |
microsoft.directory/policies/owners/update | Update policies.owners property in Azure Active Directory. |
microsoft.directory/policies/policiesAppliedTo/read | Read policies.policiesAppliedTo property in Azure Active Directory. |
microsoft.directory/policies/tenantDefault/update | Update policies.tenantDefault property in Azure Active Directory. |
microsoft.directory/servicePrincipals/appRoleAssignedTo/read | Read servicePrincipals.appRoleAssignedTo property in Azure Active Directory. |
microsoft.directory/servicePrincipals/appRoleAssignedTo/update | Update servicePrincipals.appRoleAssignedTo property in Azure Active Directory. |
microsoft.directory/servicePrincipals/appRoleAssignments/read | Read servicePrincipals.appRoleAssignments property in Azure Active Directory. |
microsoft.directory/servicePrincipals/appRoleAssignments/update | Update servicePrincipals.appRoleAssignments property in Azure Active Directory. |
microsoft.directory/servicePrincipals/audience/update | Update servicePrincipals.audience property in Azure Active Directory. |
microsoft.directory/servicePrincipals/authentication/update | Update servicePrincipals.authentication property in Azure Active Directory. |
microsoft.directory/servicePrincipals/basic/read | Read basic properties on servicePrincipals in Azure Active Directory. |
microsoft.directory/servicePrincipals/basic/update | Update basic properties on servicePrincipals in Azure Active Directory. |
microsoft.directory/servicePrincipals/create | Create servicePrincipals in Azure Active Directory. |
microsoft.directory/servicePrincipals/credentials/update | Update servicePrincipals.credentials property in Azure Active Directory. |
microsoft.directory/servicePrincipals/memberOf/read | Read servicePrincipals.memberOf property in Azure Active Directory. |
microsoft.directory/servicePrincipals/oAuth2PermissionGrants/basic/read | Read servicePrincipals.oAuth2PermissionGrants property in Azure Active Directory. |
microsoft.directory/servicePrincipals/owners/read | Read servicePrincipals.owners property in Azure Active Directory. |
microsoft.directory/servicePrincipals/owners/update | Update servicePrincipals.owners property in Azure Active Directory. |
microsoft.directory/servicePrincipals/ownedObjects/read | Read servicePrincipals.ownedObjects property in Azure Active Directory. |
microsoft.directory/servicePrincipals/permissions/update | Update servicePrincipals.permissions property in Azure Active Directory. |
microsoft.directory/servicePrincipals/policies/read | Read servicePrincipals.policies property in Azure Active Directory. |
microsoft.directory/servicePrincipals/policies/update | Update servicePrincipals.policies property in Azure Active Directory. |
microsoft.directorySync/allEntities/allTasks | Perform all actions in Azure AD Connect. |
Directory Writers permissions
Can read & write basic directory information. For granting access to applications, not intended for users.
Actions | Description |
---|---|
microsoft.directory/groups/appRoleAssignments/update | Update groups.appRoleAssignments property in Azure Active Directory. |
microsoft.directory/groups/assignLicense | Manage licenses on groups in Azure Active Directory. |
microsoft.directory/groups/basic/update | Update basic properties on groups in Azure Active Directory. |
microsoft.directory/groups/classification/update | Update classification property of the group in Azure Active Directory. |
microsoft.directory/groups/create | Create groups in Azure Active Directory. |
microsoft.directory/groups/groupType/update | Update the groupType property of a group in Azure Active Directory. |
microsoft.directory/groups/members/update | Update groups.members property in Azure Active Directory. |
microsoft.directory/groups/owners/update | Update groups.owners property in Azure Active Directory. |
microsoft.directory/groups/reprocessLicenseAssignment | Reprocess license assignments for a group in Azure Active Directory. |
microsoft.directory/groups/securityEnabled/update | Update the securityEnabled property of a group in Azure Active Directory. |
microsoft.directory/groups/settings/update | Update groups.settings property in Azure Active Directory. |
microsoft.directory/groups/visibility/update | Update visibility property of the group. |
microsoft.directory/groupSettings/basic/update | Update basic properties on groupSettings in Azure Active Directory. |
microsoft.directory/groupSettings/create | Create groupSettings in Azure Active Directory. |
microsoft.directory/groupSettings/delete | Delete groupSettings in Azure Active Directory. |
microsoft.directory/oAuth2PermissionGrants/basic/update | Update basic properties of oAuth2PermissionGrants in Azure Active Directory. |
microsoft.directory/oAuth2PermissionGrants/create | Create oAuth2PermissionGrants in Azure Active Directory. |
microsoft.directory/servicePrincipals/synchronizationCredentials/manage | Manage application provisioning secrets and credentials. |
microsoft.directory/servicePrincipals/synchronizationJobs/manage | Start, restart, and pause application provisioning synchronization jobs. |
microsoft.directory/servicePrincipals/synchronizationSchema/manage | Create and manage application provisioning synchronization jobs and schema. |
microsoft.directory/users/appRoleAssignments/update | Update users.appRoleAssignments property in Azure Active Directory. |
microsoft.directory/users/assignLicense | Manage licenses on users in Azure Active Directory. |
microsoft.directory/users/basic/update | Update basic properties on users in Azure Active Directory. |
microsoft.directory/users/create | Create users in Azure Active Directory. |
microsoft.directory/users/disable | Disable a user account in Azure Active Directory. |
microsoft.directory/users/enable | Enable a user account in Azure Active Directory. |
microsoft.directory/users/invalidateAllRefreshTokens | Invalidate all user refresh tokens in Azure Active Directory, requiring users to re-authenticate on their next sign-in. |
microsoft.directory/users/manager/update | Update users.manager property in Azure Active Directory. |
microsoft.directory/users/reprocessLicenseAssignment | Reprocess license assignments for a user in Azure Active Directory. |
microsoft.directory/users/userPrincipalName/update | Update the users.userPrincipalName property in Azure Active Directory. |
Exchange Service Administrator permissions
Can manage all aspects of the Exchange product.
Note
This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Actions | Description |
---|---|
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health. |
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets for directory-level services. |
microsoft.directory/groups/unified/appRoleAssignments/update | Update groups.unified property in Azure Active Directory. |
microsoft.directory/groups/unified/basic/update | Update basic properties of Microsoft 365 groups. |
microsoft.directory/groups/unified/create | Create Microsoft 365 groups. |
microsoft.directory/groups/unified/delete | Delete Microsoft 365 groups. |
microsoft.directory/groups/unified/members/update | Update membership of Microsoft 365 groups. |
microsoft.directory/groups/unified/owners/update | Update ownership of Microsoft 365 groups. |
microsoft.office365.exchange/allEntities/allTasks | Manage all aspects of Exchange Online. |
microsoft.office365.network/performance/allProperties/read | Read network performance pages in Microsoft 365 Admin Center. |
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Microsoft 365 Service Health. |
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets. |
microsoft.office365.usageReports/allEntities/read | Read Office 365 usage reports. |
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. |
External ID User Flow Administrator permissions
Create and manage all aspects of user flows.
Actions | Description |
---|---|
microsoft.aad.b2c/userFlows/allTasks | Read and configure user flows in Azure Active Directory B2C. |
External ID User Flow Attribute Administrator permissions
Create and manage the attribute schema available to all user flows.
Actions | Description |
---|---|
microsoft.aad.b2c/userAttributes/allTasks | Read and configure user attributes in Azure Active Directory B2C. |
External Identity Provider Administrator permissions
Configure identity providers for use in direct federation.
Actions | Description |
---|---|
microsoft.aad.b2c/identityProviders/allTasks | Read and configure identity providers in Azure Active Directory B2C. |
Global Reader permissions
Can read everything that a Global Administrator can, but not edit anything. Read-only is not the same as low-risk: the actions below include BitLocker recovery keys, MFA registration details and sign-in reports, so review assignments of this role as you would any privileged role.
Note
This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Actions | Description |
---|---|
microsoft.commerce.billing/allEntities/read | Read all aspects of billing. |
microsoft.directory/administrativeUnits/basic/read | Read basic properties on administrativeUnits in Azure Active Directory. |
microsoft.directory/administrativeUnits/members/read | Read administrativeUnits.members property in Azure Active Directory. |
microsoft.directory/applications/basic/read | Read basic properties on applications in Azure Active Directory. |
microsoft.directory/applications/owners/read | Read applications.owners property in Azure Active Directory. |
microsoft.directory/applications/policies/read | Read applications.policies property in Azure Active Directory. |
microsoft.directory/bitlockerKeys/key/read | Read bitlocker key objects and properties (including recovery key) in Azure Active Directory. |
microsoft.directory/contacts/basic/read | Read basic properties on contacts in Azure Active Directory. |
microsoft.directory/contacts/memberOf/read | Read contacts.memberOf property in Azure Active Directory. |
microsoft.directory/contracts/basic/read | Read basic properties on contracts in Azure Active Directory. |
microsoft.directory/devices/basic/read | Read basic properties on devices in Azure Active Directory. |
microsoft.directory/devices/memberOf/read | Read devices.memberOf property in Azure Active Directory. |
microsoft.directory/devices/registeredOwners/read | Read devices.registeredOwners property in Azure Active Directory. |
microsoft.directory/devices/registeredUsers/read | Read devices.registeredUsers property in Azure Active Directory. |
microsoft.directory/directoryRoles/basic/read | Read basic properties on directoryRoles in Azure Active Directory. |
microsoft.directory/directoryRoles/eligibleMembers/read | Read directoryRoles.eligibleMembers property in Azure Active Directory. |
microsoft.directory/directoryRoles/members/read | Read directoryRoles.members property in Azure Active Directory. |
microsoft.directory/domains/basic/read | Read basic properties on domains in Azure Active Directory. |
microsoft.directory/entitlementManagement/allProperties/read | Read all properties in Azure AD entitlement management. |
microsoft.directory/groups/appRoleAssignments/read | Read groups.appRoleAssignments property in Azure Active Directory. |
microsoft.directory/groups/basic/read | Read basic properties on groups in Azure Active Directory. |
microsoft.directory/groups/hiddenMembers/read | Read groups.hiddenMembers property in Azure Active Directory. |
microsoft.directory/groups/memberOf/read | Read groups.memberOf property in Azure Active Directory. |
microsoft.directory/groups/members/read | Read groups.members property in Azure Active Directory. |
microsoft.directory/groups/owners/read | Read groups.owners property in Azure Active Directory. |
microsoft.directory/groups/settings/read | Read groups.settings property in Azure Active Directory. |
microsoft.directory/groupSettings/basic/read | Read basic properties on groupSettings in Azure Active Directory. |
microsoft.directory/groupSettingTemplates/basic/read | Read basic properties on groupSettingTemplates in Azure Active Directory. |
microsoft.directory/oAuth2PermissionGrants/basic/read | Read basic properties on oAuth2PermissionGrants in Azure Active Directory. |
microsoft.directory/organization/basic/read | Read basic properties on organization in Azure Active Directory. |
microsoft.directory/organization/trustedCAsForPasswordlessAuth/read | Read organization.trustedCAsForPasswordlessAuth property in Azure Active Directory. |
microsoft.directory/policies/standard/read | Read standard policies in Azure Active Directory. |
microsoft.directory/roleAssignments/basic/read | Read basic properties on roleAssignments in Azure Active Directory. |
microsoft.directory/roleDefinitions/basic/read | Read basic properties on roleDefinitions in Azure Active Directory. |
microsoft.directory/servicePrincipals/appRoleAssignedTo/read | Read servicePrincipals.appRoleAssignedTo property in Azure Active Directory. |
microsoft.directory/servicePrincipals/appRoleAssignments/read | Read servicePrincipals.appRoleAssignments property in Azure Active Directory. |
microsoft.directory/servicePrincipals/basic/read | Read basic properties on servicePrincipals in Azure Active Directory. |
microsoft.directory/servicePrincipals/memberOf/read | Read servicePrincipals.memberOf property in Azure Active Directory. |
microsoft.directory/servicePrincipals/oAuth2PermissionGrants/basic/read | Read servicePrincipals.oAuth2PermissionGrants property in Azure Active Directory. |
microsoft.directory/servicePrincipals/ownedObjects/read | Read servicePrincipals.ownedObjects property in Azure Active Directory. |
microsoft.directory/servicePrincipals/owners/read | Read servicePrincipals.owners property in Azure Active Directory. |
microsoft.directory/servicePrincipals/policies/read | Read servicePrincipals.policies property in Azure Active Directory. |
microsoft.directory/signInReports/allProperties/read | Read all properties (including privileged properties) on signInReports in Azure Active Directory. |
microsoft.directory/subscribedSkus/basic/read | Read basic properties on subscribedSkus in Azure Active Directory. |
microsoft.directory/users/appRoleAssignments/read | Read users.appRoleAssignments property in Azure Active Directory. |
microsoft.directory/users/basic/read | Read basic properties on users in Azure Active Directory. |
microsoft.directory/users/directReports/read | Read users.directReports property in Azure Active Directory. |
microsoft.directory/users/manager/read | Read users.manager property in Azure Active Directory. |
microsoft.directory/users/memberOf/read | Read users.memberOf property in Azure Active Directory. |
microsoft.directory/users/oAuth2PermissionGrants/basic/read | Read users.oAuth2PermissionGrants property in Azure Active Directory. |
microsoft.directory/users/ownedDevices/read | Read users.ownedDevices property in Azure Active Directory. |
microsoft.directory/users/ownedObjects/read | Read users.ownedObjects property in Azure Active Directory. |
microsoft.directory/users/registeredDevices/read | Read users.registeredDevices property in Azure Active Directory. |
microsoft.directory/users/strongAuthentication/read | Read strong authentication properties like MFA credential information. |
microsoft.office365.exchange/allEntities/read | Read all aspects of Exchange Online. |
microsoft.office365.messageCenter/messages/read | Read messages in microsoft.office365.messageCenter. |
microsoft.office365.messageCenter/securityMessages/read | Read securityMessages in microsoft.office365.messageCenter. |
microsoft.office365.network/performance/allProperties/read | Read network performance pages in Microsoft 365 Admin Center. |
microsoft.office365.protectionCenter/allEntities/read | Read all aspects of Office 365 Protection Center. |
microsoft.office365.securityComplianceCenter/allEntities/read | Read all standard properties in microsoft.office365.securityComplianceCenter. |
microsoft.office365.usageReports/allEntities/read | Read Office 365 usage reports. |
microsoft.office365.webPortal/allEntities/standard/read | Read standard properties on all resources in microsoft.office365.webPortal. |
Groups Administrator permissions
Can manage all aspects of groups and group settings like naming and expiration policies.
Actions | Description |
---|---|
microsoft.directory/groups/basic/read | Read basic properties on groups in Azure Active Directory. |
microsoft.directory/groups/basic/update | Update basic properties on groups in Azure Active Directory. |
microsoft.directory/groups/create | Create groups in Azure Active Directory. |
microsoft.directory/groups/createAsOwner | Create groups in Azure Active Directory. Creator is added as the first owner, and the created object counts against the creator's 250 created objects quota. |
microsoft.directory/groups/delete | Delete groups in Azure Active Directory. |
microsoft.directory/groups/hiddenMembers/read | Read groups.hiddenMembers property in Azure Active Directory. |
microsoft.directory/groups/members/update | Update groups.members property in Azure Active Directory. |
microsoft.directory/groups/owners/update | Update groups.owners property in Azure Active Directory. |
microsoft.directory/groups/restore | Restore groups in Azure Active Directory. |
microsoft.directory/groups/settings/update | Update groups.settings property in Azure Active Directory. |
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health. |
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets for directory-level services. |
microsoft.office365.messageCenter/messages/read | Read messages in microsoft.office365.messageCenter. |
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Microsoft 365 Service Health. |
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets. |
Guest Inviter permissions
Can invite guest users independent of the 'members can invite guests' setting.
Actions | Description |
---|---|
microsoft.directory/users/appRoleAssignments/read | Read users.appRoleAssignments property in Azure Active Directory. |
microsoft.directory/users/basic/read | Read basic properties on users in Azure Active Directory. |
microsoft.directory/users/directReports/read | Read users.directReports property in Azure Active Directory. |
microsoft.directory/users/inviteGuest | Invite guest users in Azure Active Directory. |
microsoft.directory/users/manager/read | Read users.manager property in Azure Active Directory. |
microsoft.directory/users/memberOf/read | Read users.memberOf property in Azure Active Directory. |
microsoft.directory/users/oAuth2PermissionGrants/basic/read | Read users.oAuth2PermissionGrants property in Azure Active Directory. |
microsoft.directory/users/ownedDevices/read | Read users.ownedDevices property in Azure Active Directory. |
microsoft.directory/users/ownedObjects/read | Read users.ownedObjects property in Azure Active Directory. |
microsoft.directory/users/registeredDevices/read | Read users.registeredDevices property in Azure Active Directory. |
Helpdesk Administrator permissions
Can reset passwords for non-administrators and Helpdesk Administrators. The role can also read BitLocker recovery keys and invalidate a user's refresh tokens (see the actions below), so treat it as sensitive even though it does not modify other directory objects.
Actions | Description |
---|---|
microsoft.directory/devices/bitLockerRecoveryKeys/read | Read devices.bitLockerRecoveryKeys property in Azure Active Directory. |
microsoft.directory/users/invalidateAllRefreshTokens | Invalidate all user refresh tokens in Azure Active Directory. |
microsoft.directory/users/password/update | Update passwords for all users in Azure Active Directory. See online documentation for more detail. |
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health. |
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets for directory-level services. |
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. |
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Microsoft 365 Service Health. |
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets. |
Hybrid Identity Administrator permissions
Can manage AD to Azure AD cloud provisioning and federation settings. The actions below include updating domain federation settings and the credentials of applications and service principals, which determine who the tenant trusts to authenticate; treat this role as highly privileged and limit it accordingly.
Actions | Description |
---|---|
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health. |
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets for directory-level services. |
microsoft.directory/applications/audience/update | Update applications.audience property in Azure Active Directory. |
microsoft.directory/applications/authentication/update | Update applications.authentication property in Azure Active Directory. |
microsoft.directory/applications/basic/update | Update basic properties on applications in Azure Active Directory. |
microsoft.directory/applications/create | Create applications in Azure Active Directory. |
microsoft.directory/applications/credentials/update | Update applications.credentials property in Azure Active Directory. |
microsoft.directory/applications/delete | Delete applications in Azure Active Directory. |
microsoft.directory/applications/owners/update | Update applications.owners property in Azure Active Directory. |
microsoft.directory/applications/permissions/update | Update applications.permissions property in Azure Active Directory. |
microsoft.directory/applications/policies/update | Update applications.policies property in Azure Active Directory. |
microsoft.directory/applicationTemplates/instantiate | Instantiate gallery applications from application templates. |
microsoft.directory/auditLogs/allProperties/read | Read all properties (including privileged properties) on auditLogs in Azure Active Directory. |
microsoft.directory/cloudProvisioning/allProperties/allTasks | Read and configure all properties of Azure AD Cloud Provisioning service. |
microsoft.directory/domains/allProperties/read | Read all properties of domains. |
microsoft.directory/domains/federation/update | Update federation property of domains. |
microsoft.directory/organization/dirSync/update | Update organization.dirSync property in Azure Active Directory. |
microsoft.directory/provisioningLogs/allProperties/read | Read all properties of provisioning logs. |
microsoft.directory/servicePrincipals/audience/update | Update servicePrincipals.audience property in Azure Active Directory. |
microsoft.directory/servicePrincipals/authentication/update | Update servicePrincipals.authentication property in Azure Active Directory. |
microsoft.directory/servicePrincipals/basic/update | Update basic properties on servicePrincipals in Azure Active Directory. |
microsoft.directory/servicePrincipals/create | Create servicePrincipals in Azure Active Directory. |
microsoft.directory/servicePrincipals/credentials/update | Update servicePrincipals.credentials property in Azure Active Directory. |
microsoft.directory/servicePrincipals/delete | Delete servicePrincipals in Azure Active Directory. |
microsoft.directory/servicePrincipals/owners/update | Update servicePrincipals.owners property in Azure Active Directory. |
microsoft.directory/servicePrincipals/permissions/update | Update servicePrincipals.permissions property in Azure Active Directory. |
microsoft.directory/servicePrincipals/policies/update | Update servicePrincipals.policies property in Azure Active Directory. |
microsoft.directory/servicePrincipals/synchronizationJobs/manage | Manage all aspects of synchronization jobs in Azure AD. |
microsoft.directory/servicePrincipals/synchronizationSchema/manage | Manage all aspects of synchronization schema in Azure AD. |
microsoft.directory/servicePrincipals/synchronizationCredentials/manage | Manage all aspects of synchronization credentials in Azure AD. |
microsoft.directory/servicePrincipals/tag/update | Update servicePrincipals.tag property in Azure Active Directory. |
microsoft.directory/signInReports/allProperties/read | Read all properties (including privileged properties) on signInReports in Azure Active Directory. |
microsoft.office365.messageCenter/messages/read | Read messages in microsoft.office365.messageCenter. |
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Microsoft 365 Service Health. |
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets. |
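A practitioner reading these tables usually wants the inverse view: which roles carry a given high-impact action, such as the federation and credential updates in the Hybrid Identity Administrator table above or the BitLocker key reads in the Global Reader table. The following Python is an added example, not part of this page or of Microsoft's tooling. It parses the page's flat `Actions | Description |` layout into a role-to-actions map and flags roles holding actions such as password reset, refresh-token invalidation, federation changes, credential updates or recovery-key reads. The list of high-impact actions is the example's own judgement, and the embedded sample is a constructed excerpt of rows copied from the tables on this page.

```python
"""Build a role -> actions map from this page's flattened permission tables and
flag roles that hold high-impact actions.  Added example; not Microsoft code."""
import re
from collections import OrderedDict

# Judgement call by the example author (not from the page): actions that let the
# holder take over accounts, sessions, credentials or the tenant's trust settings.
HIGH_IMPACT = {
    "microsoft.directory/users/password/update": "reset user passwords",
    "microsoft.directory/users/invalidateAllRefreshTokens": "revoke user sessions",
    "microsoft.directory/domains/federation/update": "change domain federation trust",
    "microsoft.directory/applications/credentials/update": "add application credentials",
    "microsoft.directory/servicePrincipals/credentials/update": "add service principal credentials",
    "microsoft.directory/bitlockerKeys/key/read": "read BitLocker recovery keys",
    "microsoft.directory/devices/bitLockerRecoveryKeys/read": "read BitLocker recovery keys",
    "microsoft.directory/users/strongAuthentication/read": "read MFA registration details",
}

# A role section starts with "<Role name> permissions"; table rows look like
# "microsoft.x/y/z | description |".  The action pattern tolerates stray spaces,
# which appear in extracted text (e.g. "userPrincipalName /update").
HEADING = re.compile(r"^(?P<role>.+?) permissions$")
ROW = re.compile(r"^(?P<action>microsoft\.[\w./ ]+?)\s*\|\s*(?P<desc>.*?)\s*\|?\s*$")


def parse_roles(text):
    """Return an ordered {role: {action: description}} map."""
    roles = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        heading = HEADING.match(line)
        if heading:
            current = heading.group("role")
            roles[current] = OrderedDict()
            continue
        if current is None or line.startswith("---") or line.startswith("Actions |"):
            continue
        row = ROW.match(line)
        if row:
            action = row.group("action").replace(" ", "")  # normalise extraction damage
            roles[current][action] = row.group("desc")
    return roles


def flag_roles(roles, high_impact=HIGH_IMPACT):
    """Return {role: [(action, reason), ...]} for roles holding any high-impact action."""
    flagged = OrderedDict()
    for role, actions in roles.items():
        hits = [(a, high_impact[a]) for a in actions if a in high_impact]
        if hits:
            flagged[role] = hits
    return flagged


def roles_with_action(roles, action):
    """Inverse lookup: which roles grant a specific action."""
    return [role for role, actions in roles.items() if action in actions]


# Constructed excerpt: rows copied from this page's tables, trimmed for brevity.
SAMPLE = """\
Guest Inviter permissions
Can invite guest users independent of the 'members can invite guests' setting.
Actions | Description |
---|---|
microsoft.directory/users/basic/read | Read basic properties on users in Azure Active Directory. |
microsoft.directory/users/inviteGuest | Invite guest users in Azure Active Directory. |
Helpdesk Administrator permissions
Can reset passwords for non-administrators and Helpdesk Administrators.
Actions | Description |
---|---|
microsoft.directory/devices/bitLockerRecoveryKeys/read | Read devices.bitLockerRecoveryKeys property in Azure Active Directory. |
microsoft.directory/users/invalidateAllRefreshTokens | Invalidate all user refresh tokens in Azure Active Directory. |
microsoft.directory/users/password/update | Update passwords for all users in Azure Active Directory. See online documentation for more detail. |
Hybrid Identity Administrator permissions
Can manage AD to Azure AD cloud provisioning and federation settings.
Actions | Description |
---|---|
microsoft.directory/domains/federation/update | Update federation property of domains. |
microsoft.directory/servicePrincipals/credentials/update | Update servicePrincipals.credentials property in Azure Active Directory. |
"""

if __name__ == "__main__":
    parsed = parse_roles(SAMPLE)
    for role, hits in flag_roles(parsed).items():
        print(role)
        for action, reason in hits:
            print(f"  {action}  ({reason})")
```

Feed it the full page text instead of `SAMPLE` to get the complete inverse index; the `HIGH_IMPACT` map is the place to encode your own organisation's view of which actions warrant a privileged-access review.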
Insights Administrator permissions
Has administrative access in the Microsoft 365 Insights app.
Actions | Description |
---|---|
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health. |
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets for directory-level services. |
microsoft.insights/allEntities/allTasks | Manage all aspects of Insights. |
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Microsoft 365 Service Health. |
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets. |
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. |
Insights Business Leader permissions
Can view and share dashboards and insights via the Microsoft 365 Insights app.
Actions | Description |
---|---|
microsoft.insights/reports/read | View reports and dashboard in Insights app. |
microsoft.insights/programs/update | Deploy and manage programs in Insights app. |
Intune Service Administrator permissions
Can manage all aspects of the Intune product.
Note
This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Actions | Description |
---|---|
microsoft.directory/bitlockerKeys/key/read | Read bitlocker key objects and properties (including recovery key) in Azure Active Directory. |
microsoft.directory/contacts/basic/update | Update basic properties on contacts in Azure Active Directory. |
microsoft.directory/contacts/create | Create contacts in Azure Active Directory. |
microsoft.directory/contacts/delete | Delete contacts in Azure Active Directory. |
microsoft.directory/devices/basic/update | Update basic properties on devices in Azure Active Directory. |
microsoft.directory/devices/create | Create devices in Azure Active Directory. |
microsoft.directory/devices/delete | Delete devices in Azure Active Directory. |
microsoft.directory/devices/disable | Disable devices in Azure Active Directory. |
microsoft.directory/devices/enable | Enable devices in Azure Active Directory. |
microsoft.directory/devices/extensionAttributes/update | Update all values for devices.extensionAttributes property in Azure Active Directory. |
microsoft.directory/devices/registeredOwners/update | Update devices.registeredOwners property in Azure Active Directory. |
microsoft.directory/devices/registeredUsers/update | Update devices.registeredUsers property in Azure Active Directory. |
microsoft.directory/groups/appRoleAssignments/update | Update groups.appRoleAssignments property in Azure Active Directory. |
microsoft.directory/groups/basic/update | Update basic properties on groups in Azure Active Directory. |
microsoft.directory/groups/create | Create groups in Azure Active Directory. |
microsoft.directory/groups/createAsOwner | Create groups in Azure Active Directory. Creator is added as the first owner, and the created object counts against the creator's 250 created objects quota. |
microsoft.directory/groups/delete | Delete groups in Azure Active Directory. |
microsoft.directory/groups/hiddenMembers/read | Read groups.hiddenMembers property in Azure Active Directory. |
microsoft.directory/groups/members/update | Update groups.members property in Azure Active Directory. |
microsoft.directory/groups/owners/update | Update groups.owners property in Azure Active Directory. |
microsoft.directory/groups/restore | Restore groups in Azure Active Directory. |
microsoft.directory/groups/settings/update | Update groups.settings property in Azure Active Directory. |
microsoft.directory/users/appRoleAssignments/update | Update users.appRoleAssignments property in Azure Active Directory. |
microsoft.directory/users/basic/update | Update basic properties on users in Azure Active Directory. |
microsoft.directory/users/manager/update | Update users.manager property in Azure Active Directory. |
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets for directory-level services. |
microsoft.intune/allEntities/allTasks | Manage all aspects of Intune. |
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets. |
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. |
Kaizala Administrator permissions
Can manage settings for Microsoft Kaizala.
Note
This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Actions | Description |
---|---|
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Microsoft 365 Service Health. |
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets. |
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. |
License Administrator permissions
Can manage product licenses on users and groups.
Actions | Description |
---|---|
microsoft.directory/users/assignLicense | Manage licenses on users in Azure Active Directory. |
microsoft.directory/users/usageLocation/update | Update users.usageLocation property in Azure Active Directory. |
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health. |
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. |
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Microsoft 365 Service Health. |
Lync Service Administrator permissions
Can manage all aspects of the Skype for Business product.
Note
This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Actions | Description |
---|---|
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health. |
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets for directory-level services. |
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Microsoft 365 Service Health. |
microsoft.office365.skypeForBusiness/allEntities/allTasks | Manage all aspects of Skype for Business Online. |
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets. |
microsoft.office365.usageReports/allEntities/read | Read Office 365 usage reports. |
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. |
Message Center Privacy Reader permissions
Can read Message Center posts, data privacy messages, groups, domains and subscriptions.
Note
This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Actions | Description |
---|---|
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. |
microsoft.office365.messageCenter/messages/read | Read messages in microsoft.office365.messageCenter. |
microsoft.office365.messageCenter/securityMessages/read | Read securityMessages in microsoft.office365.messageCenter. |
Message Center Reader permissions
Can read messages and updates for their organization in Message Center only.
Note
This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Actions | Description |
---|---|
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. |
microsoft.office365.messageCenter/messages/read | Read messages in microsoft.office365.messageCenter. |
Modern Commerce User permissions
Can manage commercial purchases for a company, department or team.
Note
This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Actions | Description |
---|---|
microsoft.commerce.billing/partners/read | Read partner property of Microsoft 365 Billing. |
microsoft.commerce.volumeLicenseServiceCenter/allEntities/allTasks | Manage all aspects of Volume Licensing Service Center. |
microsoft.office365.supportTickets/allEntities/allTasks | Create and view own Office 365 support tickets. |
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. |
Network Administrator permissions
Can manage network locations and review enterprise network design insights for Microsoft 365 Software as a Service applications.
Note
This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Actions | Description |
---|---|
microsoft.office365.network/performance/allProperties/read | Read network performance pages in Microsoft 365 Admin Center. |
microsoft.office365.network/locations/allProperties/allTasks | Read and configure network locations properties for each location. |
Office Apps Administrator permissions
Can manage Office apps' cloud services, including policy and settings management, and can select, unselect and publish "what's new" feature content to end users' devices.
Note
This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Actions | Description |
---|---|
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health. |
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets for directory-level services. |
microsoft.office365.messageCenter/messages/read | Read messages in microsoft.office365.messageCenter. |
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Microsoft 365 Service Health. |
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets. |
microsoft.office365.userCommunication/allEntities/allTasks | Read and update What's New messages visibility. |
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. |
Partner Tier1 Support permissions
Do not use. This role is not intended for general use, and the actions below include resetting user passwords, invalidating refresh tokens and updating application credentials, so any assignment of it should be reviewed.
Note
This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Actions | Description |
---|---|
microsoft.directory/applications/appRoles/update | Manage app roles and request delegated permissions for applications. |
microsoft.directory/applications/audience/update | Update audience on all types of applications. |
microsoft.directory/applications/authentication/update | Update authentication on all types of applications. |
microsoft.directory/applications/basic/update | Update basic properties on all types of applications. |
microsoft.directory/applications/credentials/update | Update credentials on all types of applications. |
microsoft.directory/applications/owners/update | Update owners on all types of applications. |
microsoft.directory/applications/permissions/update | Update exposed permissions and required permissions on all types of applications. |
microsoft.directory/applications/policies/update | Update applications.policies property in Azure Active Directory. |
microsoft.directory/contacts/basic/update | Update basic properties on contacts in Azure Active Directory. |
microsoft.directory/contacts/create | Create contacts in Azure Active Directory. |
microsoft.directory/contacts/delete | Delete contacts in Azure Active Directory. |
microsoft.directory/groups/create | Create groups in Azure Active Directory. |
microsoft.directory/groups/createAsOwner | Create groups in Azure Active Directory. Creator is added as the first owner, and the created object counts against the creator's 250 created objects quota. |
microsoft.directory/groups/members/update | Update groups.members property in Azure Active Directory. |
microsoft.directory/groups/owners/update | Update groups.owners property in Azure Active Directory. |
microsoft.directory/users/appRoleAssignments/update | Update users.appRoleAssignments property in Azure Active Directory. |
microsoft.directory/users/assignLicense | Manage licenses on users in Azure Active Directory. |
microsoft.directory/users/basic/update | Update basic properties on users in Azure Active Directory. |
microsoft.directory/users/delete | Delete users in Azure Active Directory. |
microsoft.directory/users/invalidateAllRefreshTokens | Invalidate all user refresh tokens in Azure Active Directory. |
microsoft.directory/users/manager/update | Update users.manager property in Azure Active Directory. |
microsoft.directory/users/password/update | Update passwords for all users in Azure Active Directory. See online documentation for more detail. |
microsoft.directory/users/restore | Restore deleted users in Azure Active Directory. |
microsoft.directory/users/userPrincipalName/update | Update users.userPrincipalName property in Azure Active Directory. |
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health. |
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets for directory-level services. |
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. |
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Microsoft 365 Service Health. |
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets. |
Partner Tier2 Support permissions
Do not use. This role is not intended for general use, and the actions below include resetting user passwords, invalidating refresh tokens, updating application credentials and managing domains, so any assignment of it should be reviewed.
Note
This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Actions | Description |
---|---|
microsoft.directory/applications/appRoles/update | Manage app roles and request delegated permissions for applications. |
microsoft.directory/applications/audience/update | Update audience on all types of applications. |
microsoft.directory/applications/authentication/update | Update authentication on all types of applications. |
microsoft.directory/applications/basic/update | Update basic properties on all types of applications. |
microsoft.directory/applications/credentials/update | Update credentials on all types of applications. |
microsoft.directory/applications/owners/update | Update owners on all types of applications. |
microsoft.directory/applications/permissions/update | Update exposed permissions and required permissions on all types of applications. |
microsoft.directory/applications/policies/update | Update applications.policies property in Azure Active Directory. |
microsoft.directory/contacts/basic/update | Update basic properties on contacts in Azure Active Directory. |
microsoft.directory/contacts/create | Create contacts in Azure Active Directory. |
microsoft.directory/contacts/delete | Delete contacts in Azure Active Directory. |
microsoft.directory/domains/allTasks | Create and delete domains, and read and update standard properties in Azure Active Directory. |
microsoft.directory/groups/create | Create groups in Azure Active Directory. |
microsoft.directory/groups/delete | Delete groups in Azure Active Directory. |
microsoft.directory/groups/members/update | Update groups.members property in Azure Active Directory. |
microsoft.directory/groups/restore | Restore groups in Azure Active Directory. |
microsoft.directory/organization/basic/update | Update basic properties on organization in Azure Active Directory. |
microsoft.directory/users/appRoleAssignments/update | Update users.appRoleAssignments property in Azure Active Directory. |
microsoft.directory/users/assignLicense | Manage licenses on users in Azure Active Directory. |
microsoft.directory/users/basic/update | Update basic properties on users in Azure Active Directory. |
microsoft.directory/users/delete | Delete users in Azure Active Directory. |
microsoft.directory/users/invalidateAllRefreshTokens | Invalidate all user refresh tokens in Azure Active Directory. |
microsoft.directory/users/manager/update | Update users.manager property in Azure Active Directory. |
microsoft.directory/users/password/update | Update passwords for all users in Azure Active Directory. See online documentation for more detail. |
microsoft.directory/users/restore | Restore deleted users in Azure Active Directory. |
microsoft.directory/users/userPrincipalName/update | Update users.userPrincipalName property in Azure Active Directory. |
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health. |
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets for directory-level services. |
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. |
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Microsoft 365 Service Health. |
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets. |
Password Administrator permissions
Can reset passwords for non-administrators and Password administrators.
Actions | Description |
---|---|
microsoft.directory/users/password/update | Update passwords for all users in Azure Active Directory. See online documentation for more detail. |
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. |
Power BI Service Administrator permissions
Can manage all aspects of the Power BI product.
Note
This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Actions | Description |
---|---|
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health. |
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets for directory-level services. |
microsoft.powerApps.powerBI/allEntities/allTasks | Manage all aspects of Power BI. |
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. |
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Microsoft 365 Service Health. |
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets. |
Power Platform Administrator permissions
Can create and manage all aspects of Microsoft Dynamics 365, PowerApps and Power Automate.
Note
This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Actions | Description |
---|---|
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health. |
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets for directory-level services. |
microsoft.dynamics365/allEntities/allTasks | Manage all aspects of Dynamics 365. |
microsoft.flow/allEntities/allTasks | Manage all aspects of Power Automate. |
microsoft.powerApps/allEntities/allTasks | Manage all aspects of PowerApps. |
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. |
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Microsoft 365 Service Health. |
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets. |
Printer Administrator permissions
Can manage all aspects of printers and printer connectors.
Note
This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Actions | Description |
---|---|
microsoft.azure.print/allEntities/allProperties/allTasks | Create and delete printers and connectors, and read and update all properties in Microsoft Print. |
Printer Technician permissions
Can register and unregister printers and update printer status.
Note
This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Actions | Description |
---|---|
microsoft.azure.print/connectors/allProperties/read | Read all properties of connectors in Microsoft Print. |
microsoft.azure.print/printers/allProperties/read | Read all properties of printers in Microsoft Print. |
microsoft.azure.print/printers/basic/update | Update basic properties of printers in Microsoft Print. |
microsoft.azure.print/printers/register | Register printers in Microsoft Print. |
microsoft.azure.print/printers/unregister | Unregister printers in Microsoft Print. |
Privileged Authentication Administrator permissions
Allowed to view, set and reset authentication method information for any user (admin or non-admin).
Actions | Description |
---|---|
microsoft.directory/users/invalidateAllRefreshTokens | Invalidate all user refresh tokens in Azure Active Directory. |
microsoft.directory/users/strongAuthentication/update | Update strong authentication properties like MFA credential information. |
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health. |
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets for directory-level services. |
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. |
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Microsoft 365 Service Health. |
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets. |
microsoft.directory/users/password/update | Update passwords for all users in the Microsoft 365 organization. See online documentation for more detail. |
Privileged Role Administrator permissions
Can manage role assignments in Azure AD, and all aspects of Privileged Identity Management.
Note
This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Actions | Description |
---|---|
microsoft.directory/groupsAssignableToRoles/allProperties/update | Update groups with isAssignableToRole property set to true in Azure Active Directory. |
microsoft.directory/groupsAssignableToRoles/create | Create groups with isAssignableToRole property set to true in Azure Active Directory. |
microsoft.directory/groupsAssignableToRoles/delete | Delete groups with isAssignableToRole property set to true in Azure Active Directory. |
microsoft.directory/privilegedIdentityManagement/allEntities/allTasks | Create and delete all resources, and read and update standard properties in microsoft.aad.privilegedIdentityManagement. |
microsoft.directory/servicePrincipals/appRoleAssignedTo/allTasks | Read and configure servicePrincipals.appRoleAssignedTo property in Azure Active Directory. |
microsoft.directory/servicePrincipals/oAuth2PermissionGrants/allTasks | Read and configure servicePrincipals.oAuth2PermissionGrants property in Azure Active Directory. |
microsoft.directory/administrativeUnits/allProperties/allTasks | Create and manage administrative units (including members). |
microsoft.directory/roleAssignments/allProperties/allTasks | Create and manage role assignments. |
microsoft.directory/roleDefinitions/allProperties/allTasks | Create and manage role definitions. |
Reports Reader permissions
Can read sign-in and audit reports.
Note
This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Actions | Description |
---|---|
microsoft.directory/auditLogs/allProperties/read | Read all properties (including privileged properties) on auditLogs in Azure Active Directory. |
microsoft.directory/signInReports/allProperties/read | Read all properties (including privileged properties) on signInReports in Azure Active Directory. |
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health. |
microsoft.office365.usageReports/allEntities/read | Read Office 365 usage reports. |
Search Administrator permissions
Can create and manage all aspects of Microsoft Search settings.
Note
This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Actions | Description |
---|---|
microsoft.office365.messageCenter/messages/read | Read messages in microsoft.office365.messageCenter. |
microsoft.office365.search/allEntities/allProperties/allTasks | Create and delete all resources, and read and update all properties in microsoft.office365.search. |
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Microsoft 365 Service Health. |
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets. |
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. |
Search Editor permissions
Can create and manage editorial content such as bookmarks, Q&As, locations, and floor plans.
Note
This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Actions | Description |
---|---|
microsoft.office365.messageCenter/messages/read | Read messages in microsoft.office365.messageCenter. |
microsoft.office365.search/content/allProperties/allTasks | Create and delete content, and read and update all properties in microsoft.office365.search. |
Security Administrator permissions
Can read security information and reports, and manage configuration in Azure AD and Microsoft 365.
Note
This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Actions | Description |
---|---|
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health. |
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets for directory-level services. |
microsoft.directory/applications/policies/update | Update applications.policies property in Azure Active Directory. |
microsoft.directory/auditLogs/allProperties/read | Read all properties (including privileged properties) on auditLogs in Azure Active Directory. |
microsoft.directory/bitlockerKeys/key/read | Read bitlocker key objects and properties (including recovery key) in Azure Active Directory. |
microsoft.directory/entitlementManagement/allProperties/read | Read all properties in Azure AD entitlement management. |
microsoft.directory/identityProtection/allProperties/read | Read all resources in microsoft.aad.identityProtection. |
microsoft.directory/identityProtection/allProperties/update | Update all resources in microsoft.aad.identityProtection. |
microsoft.directory/policies/basic/update | Update basic properties on policies in Azure Active Directory. |
microsoft.directory/policies/create | Create policies in Azure Active Directory. |
microsoft.directory/policies/delete | Delete policies in Azure Active Directory. |
microsoft.directory/policies/owners/update | Update policies.owners property in Azure Active Directory. |
microsoft.directory/policies/tenantDefault/update | Update policies.tenantDefault property in Azure Active Directory. |
microsoft.directory/privilegedIdentityManagement/allProperties/read | Read all resources in microsoft.aad.privilegedIdentityManagement. |
microsoft.directory/servicePrincipals/policies/update | Update servicePrincipals.policies property in Azure Active Directory. |
microsoft.directory/signInReports/allProperties/read | Read all properties (including privileged properties) on signInReports in Azure Active Directory. |
microsoft.office365.protectionCenter/allEntities/read | Read all aspects of Office 365 Protection Center. |
microsoft.office365.protectionCenter/allEntities/update | Update all resources in microsoft.office365.protectionCenter. |
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Microsoft 365 Service Health. |
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets. |
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. |
Security Operator permissions
Creates and manages security events.
Note
This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Actions | Description |
---|---|
microsoft.azure.advancedThreatProtection/allEntities/read | Read and configure Azure AD Advanced Threat Protection. |
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets for directory-level services. |
microsoft.directory/cloudAppSecurity/allProperties/allTasks | Read and configure Microsoft Cloud App Security. |
microsoft.directory/identityProtection/allProperties/read | Read all resources in microsoft.aad.identityProtection. |
microsoft.directory/privilegedIdentityManagement/allProperties/read | Read all resources in microsoft.aad.privilegedIdentityManagement. |
microsoft.intune/allEntities/allTasks | Manage all aspects of Intune. |
microsoft.office365.securityComplianceCenter/allEntities/allTasks | Read and configure Security & Compliance Center. |
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets. |
microsoft.windows.defenderAdvancedThreatProtection/allEntities/read | Read and configure Windows Defender Advanced Threat Protection. |
Security Reader permissions
Can read security information and reports in Azure AD and Microsoft 365.
Note
This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Actions | Description |
---|---|
microsoft.directory/auditLogs/allProperties/read | Read all properties (including privileged properties) on auditLogs in Azure Active Directory. |
microsoft.directory/bitlockerKeys/key/read | Read bitlocker key objects and properties (including recovery key) in Azure Active Directory. |
microsoft.directory/entitlementManagement/allProperties/read | Read all properties in Azure AD entitlement management. |
microsoft.directory/policies/conditionalAccess/basic/read | Read policies.conditionalAccess property in Azure Active Directory. |
microsoft.directory/signInReports/allProperties/read | Read all properties (including privileged properties) on signInReports in Azure Active Directory. |
microsoft.aad.identityProtection/allEntities/read | Read all resources in microsoft.aad.identityProtection. |
microsoft.aad.privilegedIdentityManagement/allEntities/read | Read all resources in microsoft.aad.privilegedIdentityManagement. |
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health. |
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. |
microsoft.office365.protectionCenter/allEntities/read | Read all aspects of Office 365 Protection Center. |
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Microsoft 365 Service Health. |
Service Support Administrator permissions
Can read service health information and manage support tickets.
Note
This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Actions | Description |
---|---|
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health. |
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets for directory-level services. |
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. |
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Microsoft 365 Service Health. |
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets. |
SharePoint Service Administrator permissions
Can manage all aspects of the SharePoint service.
Note
This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Actions | Description |
---|---|
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health. |
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets for directory-level services. |
microsoft.directory/groups/unified/appRoleAssignments/update | Update groups.unified property in Azure Active Directory. |
microsoft.directory/groups/unified/basic/update | Update basic properties of Microsoft 365 groups. |
microsoft.directory/groups/unified/create | Create Microsoft 365 groups. |
microsoft.directory/groups/unified/delete | Delete Microsoft 365 groups. |
microsoft.directory/groups/unified/members/update | Update membership of Microsoft 365 groups. |
microsoft.directory/groups/unified/owners/update | Update ownership of Microsoft 365 groups. |
microsoft.office365.network/performance/allProperties/read | Read network performance pages in M365 Admin Center. |
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Microsoft 365 Service Health. |
microsoft.office365.sharepoint/allEntities/allTasks | Create and delete all resources, and read and update standard properties in microsoft.office365.sharepoint. |
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets. |
microsoft.office365.usageReports/allEntities/read | Read Office 365 usage reports. |
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. |
Teams Communications Administrator permissions
Can manage calling and meetings features within the Microsoft Teams service.
Note
This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Actions | Description |
---|---|
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health. |
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets for directory-level services. |
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. |
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Microsoft 365 Service Health. |
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets. |
microsoft.office365.usageReports/allEntities/read | Read Office 365 usage reports. |
microsoft.teams/meetings/allProperties/allTasks | Manage meetings, including meeting policies, configurations, and conference bridges. |
microsoft.teams/voice/allProperties/allTasks | Manage voice, including calling policies and phone number inventory and assignment. |
microsoft.teams/callQuality/allProperties/read | Read all data in Call Quality Dashboard (CQD). |
Teams Communications Support Engineer permissions
Can troubleshoot communications issues within Teams using advanced tools.
Note
This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Actions | Description |
---|---|
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health. |
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. |
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Microsoft 365 Service Health. |
microsoft.teams/callQuality/allProperties/read | Read all data in Call Quality Dashboard (CQD). |
Teams Communications Support Specialist permissions
Can troubleshoot communications issues within Teams using basic tools.
Note
This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Actions | Description |
---|---|
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health. |
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. |
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Microsoft 365 Service Health. |
microsoft.teams/callQuality/basic/read | Read basic data in Call Quality Dashboard (CQD). |
Teams Devices Administrator permissions
Can perform management-related tasks on Teams-certified devices.
Note
This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Actions | Description |
---|---|
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. |
microsoft.teams/devices/basic/read | Manage all aspects of Teams-certified devices including configuration policies. |
Teams Service Administrator permissions
Can manage the Microsoft Teams service.
Note
This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Actions | Description |
---|---|
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health. |
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets for directory-level services. |
microsoft.directory/groups/hiddenMembers/read | Read groups.hiddenMembers property in Azure Active Directory. |
microsoft.directory/groups/unified/appRoleAssignments/update | Update groups.unified property in Azure Active Directory. |
microsoft.directory/groups/unified/basic/update | Update basic properties of Microsoft 365 groups. |
microsoft.directory/groups/unified/create | Create Microsoft 365 groups. |
microsoft.directory/groups/unified/delete | Delete Microsoft 365 groups. |
microsoft.directory/groups/unified/members/update | Update membership of Microsoft 365 groups. |
microsoft.directory/groups/unified/owners/update | Update ownership of Microsoft 365 groups. |
microsoft.office365.network/performance/allProperties/read | Read network performance pages in M365 Admin Center. |
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Microsoft 365 Service Health. |
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets. |
microsoft.office365.usageReports/allEntities/read | Read Office 365 usage reports. |
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. |
microsoft.teams/allEntities/allProperties/allTasks | Manage all resources in Teams. |
Usage Summary Reports Reader permissions
Can see only tenant level aggregates in M365 Usage Analytics and Productivity Score.
Actions | Description |
---|---|
microsoft.office365.usageReports/allEntities/standard/read | Read tenant-level aggregated Office 365 usage reports. |
microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in microsoft.office365.webPortal. |
User Administrator permissions
Can manage all aspects of users and groups, including resetting passwords for limited admins.
Actions | Description |
---|---|
microsoft.directory/appRoleAssignments/create | Create appRoleAssignments in Azure Active Directory. |
microsoft.directory/appRoleAssignments/delete | Delete appRoleAssignments in Azure Active Directory. |
microsoft.directory/appRoleAssignments/update | Update appRoleAssignments in Azure Active Directory. |
microsoft.directory/contacts/basic/update | Update basic properties on contacts in Azure Active Directory. |
microsoft.directory/contacts/create | Create contacts in Azure Active Directory. |
microsoft.directory/contacts/delete | Delete contacts in Azure Active Directory. |
microsoft.directory/entitlementManagement/allProperties/allTasks | Create and delete resources, and read and update all properties in Azure AD entitlement management. |
microsoft.directory/groups/appRoleAssignments/update | Update groups.appRoleAssignments property in Azure Active Directory. |
microsoft.directory/groups/basic/update | Update basic properties on groups in Azure Active Directory. |
microsoft.directory/groups/create | Create groups in Azure Active Directory. |
microsoft.directory/groups/createAsOwner | Create groups in Azure Active Directory. Creator is added as the first owner, and the created object counts against the creator's 250 created objects quota. |
microsoft.directory/groups/delete | Delete groups in Azure Active Directory. |
microsoft.directory/groups/hiddenMembers/read | Read groups.hiddenMembers property in Azure Active Directory. |
microsoft.directory/groups/members/update | Update groups.members property in Azure Active Directory. |
microsoft.directory/groups/owners/update | Update groups.owners property in Azure Active Directory. |
microsoft.directory/groups/restore | Restore groups in Azure Active Directory. |
microsoft.directory/groups/settings/update | Update groups.settings property in Azure Active Directory. |
microsoft.directory/users/appRoleAssignments/update | Update users.appRoleAssignments property in Azure Active Directory. |
microsoft.directory/users/assignLicense | Manage licenses on users in Azure Active Directory. |
microsoft.directory/users/basic/update | Update basic properties on users in Azure Active Directory. |
microsoft.directory/users/create | Create users in Azure Active Directory. |
microsoft.directory/users/delete | Delete users in Azure Active Directory. |
microsoft.directory/users/invalidateAllRefreshTokens | Invalidate all user refresh tokens in Azure Active Directory. |
microsoft.directory/users/manager/update | Update users.manager property in Azure Active Directory. |
microsoft.directory/users/password/update | Update passwords for all users in Azure Active Directory. See online documentation for more detail. |
microsoft.directory/users/restore | Restore deleted users in Azure Active Directory. |
microsoft.directory/users/userPrincipalName/update | Update users.userPrincipalName property in Azure Active Directory. |
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health. |
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets for directory-level services. |
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. |
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Microsoft 365 Service Health. |
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets. |
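The permission tables above show which actions each built-in role carries, but they do not tell you who in your tenant actually holds a role that can, for example, reset passwords or change MFA credentials. The following script is an added example (it is not part of the Azure AD documentation) that queries the tenant's own role definitions and active assignments through the Microsoft Graph PowerShell SDK and reports every role granting one of a chosen set of sensitive actions. It assumes the `Microsoft.Graph` module is installed and that the signed-in account can read role management and directory data; the list of actions in `$sensitiveActions` is a constructed starting point taken from the tables above, not a Microsoft-defined set.

```powershell
# Added example, not Microsoft's own code: find built-in Azure AD roles that
# grant a sensitive directory action and list the principals holding them.
# Assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph module).
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All"

# Constructed list of actions to review, drawn from the permission tables.
# Any role that carries one of these is treated as privileged for this audit.
$sensitiveActions = @(
    "microsoft.directory/users/password/update",
    "microsoft.directory/users/strongAuthentication/update",
    "microsoft.directory/roleAssignments/allProperties/allTasks"
)

# unifiedRoleDefinition objects: DisplayName, TemplateId and RolePermissions
# (each permission lists its AllowedResourceActions, the strings in the tables).
$definitions = Get-MgRoleManagementDirectoryRoleDefinition -All

$report = foreach ($def in $definitions) {
    $granted = @($def.RolePermissions.AllowedResourceActions |
        Where-Object { $sensitiveActions -contains $_ })
    if ($granted.Count -eq 0) { continue }

    # Active assignments only; PIM-eligible assignments are not returned here.
    $assignments = @(Get-MgRoleManagementDirectoryRoleAssignment `
        -Filter "roleDefinitionId eq '$($def.Id)'" -All)

    # Resolve each principal (user, group or service principal) to a label.
    $principals = foreach ($a in $assignments) {
        $obj = Get-MgDirectoryObject -DirectoryObjectId $a.PrincipalId
        $label = $obj.AdditionalProperties["userPrincipalName"]
        if (-not $label) { $label = $obj.AdditionalProperties["displayName"] }
        "$label ($($obj.AdditionalProperties['@odata.type'] -replace '#microsoft.graph.',''))"
    }

    [PSCustomObject]@{
        Role             = $def.DisplayName
        TemplateId       = $def.TemplateId   # same IDs as the role template table
        SensitiveActions = ($granted -join ", ")
        ActiveHolders    = $assignments.Count
        Principals       = ($principals -join "; ")
    }
}

$report | Sort-Object ActiveHolders -Descending | Format-Table -AutoSize
```

The `roleAssignments` query returns only active assignments, so holders who are merely eligible through Privileged Identity Management will not appear; review PIM eligibility separately when the role is PIM-managed. A group in the `Principals` column means the role is granted to a role-assignable group, and every member of that group inherits the listed actions.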
Role template IDs
Role template IDs are used mainly by Microsoft Graph API and PowerShell users.
Graph displayName | Azure portal display name | directoryRoleTemplateId |
---|---|---|
Application Administrator | Application administrator | 9B895D92-2CD3-44C7-9D02-A6AC2D5EA5C3 |
Application Developer | Application developer | CF1C38E5-3621-4004-A7CB-879624DCED7C |
Authentication Administrator | Authentication administrator | c4e39bd9-1100-46d3-8c65-fb160da0071f |
Attack Payload Author | Attack payload author | 9c6df0f2-1e7c-4dc3-b195-66dfbd24aa8f |
Attack Simulation Administrator | Attack simulation administrator | c430b396-e693-46cc-96f3-db01bf8bb62a |
Azure AD Joined Device Local Administrator | Azure AD Joined Device Local Administrator | 9f06204d-73c1-4d4c-880a-6edb90606fd8 |
Azure DevOps Administrator | Azure DevOps administrator | e3973bdf-4987-49ae-837a-ba8e231c7286 |
Azure Information Protection Administrator | Azure Information Protection administrator | 7495fdc4-34c4-4d15-a289-98788ce399fd |
B2C IEF Keyset Administrator | B2C IEF Keyset Administrator | aaf43236-0c0d-4d5f-883a-6955382ac081 |
B2C IEF Policy Administrator | B2C IEF Policy Administrator | 3edaf663-341e-4475-9f94-5c398ef6c070 |
Billing Administrator | Billing administrator | b0f54661-2d74-4c50-afa3-1ec803f12efe |
Cloud Application Administrator | Cloud application administrator | 158c047a-c907-4556-b7ef-446551a6b5f7 |
Cloud Device Administrator | Cloud device administrator | 7698a772-787b-4ac8-901f-60d6b08affd2 |
Compliance Administrator | Compliance administrator | 17315797-102d-40b4-93e0-432062caca18 |
Compliance Data Administrator | Compliance data administrator | e6d1a23a-da11-4be4-9570-befc86d067a7 |
Conditional Access Administrator | Conditional Access administrator | b1be1c3e-b65d-4f19-8427-f6fa0d97feb9 |
Customer LockBox Access Approver | Customer Lockbox access approver | 5c4f9dcd-47dc-4cf7-8c9a-9e4207cbfc91 |
Desktop Analytics Administrator | Desktop Analytics Administrator | 38a96431-2bdf-4b4c-8b6e-5d3d8abac1a4 |
Device Join | Deprecated | 9c094953-4995-41c8-84c8-3ebb9b32c93f |
Device Managers | Deprecated | 2b499bcd-da44-4968-8aec-78e1674fa64d |
Device Users | Deprecated | d405c6df-0af8-4e3b-95e4-4d06e542189e |
Directory Readers | Directory readers | 88d8e3e3-8f55-4a1e-953a-9b9898b8876b |
Directory Synchronization Accounts | Not shown because it shouldn't be used | d29b2b05-8046-44ba-8758-1e26182fcf32 |
Directory Writers | Directory Writers | 9360feb5-f418-4baa-8175-e2a00bac4301 |
Dynamics 365 Administrator | Dynamics 365 administrator | 44367163-eba1-44c3-98af-f5787879f96a |
Exchange Administrator | Exchange administrator | 29232cdf-9323-42fd-ade2-1d097af3e4de |
External Id User flow Administrator | External Id User flow Administrator | 6e591065-9bad-43ed-90f3-e9424366d2f0 |
External Id User Flow Attribute Administrator | External Id User Flow Attribute Administrator | 0f971eea-41eb-4569-a71e-57bb8a3eff1e |
External Identity Provider Administrator | External Identity Provider Administrator | be2f45a1-457d-42af-a067-6ec1fa63bc45 |
Global Administrator | Global administrator | 62e90394-69f5-4237-9190-012177145e10 |
Global Reader | Global reader | f2ef992c-3afb-46b9-b7cf-a126ee74c451 |
Groups Administrator | Groups administrator | fdd7a751-b60b-444a-984c-02652fe8fa1c |
Guest Inviter | Guest inviter | 95e79109-95c0-4d8e-aee3-d01accf2d47b |
Helpdesk Administrator | Helpdesk administrator | 729827e3-9c14-49f7-bb1b-9608f156bbb8 |
Hybrid Identity Administrator | Hybrid identity administrator | 8ac3fc64-6eca-42ea-9e69-59f4c7b60eb2 |
Insights Administrator | Insights administrator | eb1f4a8d-243a-41f0-9fbd-c7cdf6c5ef7c |
Insights Business Leader | Insights business leader | 31e939ad-9672-4796-9c2e-873181342d2d |
Intune Administrator | Intune administrator | 3a2c62db-5318-420d-8d74-23affee5d9d5 |
Kaizala Administrator | Kaizala administrator | 74ef975b-6605-40af-a5d2-b9539d836353 |
License Administrator | License administrator | 4d6ac14f-3453-41d0-bef9-a3e0c569773a |
Message Center Privacy Reader | Message center privacy reader | ac16e43d-7b2d-40e0-ac05-243ff356ab5b |
Message Center Reader | Message center reader | 790c1fb9-7f7d-4f88-86a1-ef1f95c05c1b |
Modern Commerce User | Modern Commerce User | d24aef57-1500-4070-84db-2666f29cf966 |
Network Administrator | Network administrator | d37c8bed-0711-4417-ba38-b4abe66ce4c2 |
Office Apps Administrator | Office apps administrator | 2b745bdf-0803-4d80-aa65-822c4493daac |
Partner Tier1 Support | Not shown because it shouldn't be used | 4ba39ca4-527c-499a-b93d-d9b492c50246 |
Partner Tier2 Support | Not shown because it shouldn't be used | e00e864a-17c5-4a4b-9c06-f5b95a8d5bd8 |
Password Administrator | Password administrator | 966707d0-3269-4727-9be2-8c3a10f19b9d |
Power BI Administrator | Power BI administrator | a9ea8996-122f-4c74-9520-8edcd192826c |
Power Platform Administrator | Power platform administrator | 11648597-926c-4cf3-9c36-bcebb0ba8dcc |
Printer Administrator | Printer administrator | 644ef478-e28f-4e28-b9dc-3fdde9aa0b1f |
Printer Technician | Printer technician | e8cef6f1-e4bd-4ea8-bc07-4b8d950f4477 |
Privileged Authentication Administrator | Privileged authentication administrator | 7be44c8a-adaf-4e2a-84d6-ab2649e08a13 |
Privileged Role Administrator | Privileged role administrator | e8611ab8-c189-46e8-94e1-60213ab1f814 |
Reports Reader | Reports reader | 4a5d8f65-41da-4de4-8968-e035b65339cf |
Search Administrator | Search administrator | 0964bb5e-9bdb-4d7b-ac29-58e794862a40 |
Search Editor | Search editor | 8835291a-918c-4fd7-a9ce-faa49f0cf7d9 |
Security Administrator | Security administrator | 194ae4cb-b126-40b2-bd5b-6091b380977d |
Security Operator | Security operator | 5f2222b1-57c3-48ba-8ad5-d4759f1fde6f |
Security Reader | Security reader | 5d6b6bb7-de71-4623-b4af-96380a352509 |
Service Support Administrator | Service support administrator | f023fd81-a637-4b56-95fd-791ac0226033 |
SharePoint Administrator | SharePoint administrator | f28a1f50-f6e7-4571-818b-6a12f2af6b6c |
Skype for Business Administrator | Skype for Business administrator | 75941009-915a-4869-abe7-691bff18279e |
Teams Communications Administrator | Teams Communications Administrator | baf37b3a-610e-45da-9e62-d9d1e5e8914b |
Teams Communications Support Engineer | Teams Communications Support Engineer | f70938a0-fc10-4177-9e90-2178f8765737 |
Teams Communications Support Specialist | Teams Communications Support Specialist | fcf91098-03e3-41a9-b5ba-6f0ec8188a12 |
Teams Devices Administrator | Teams Devices Administrator | 3d762c5a-1b6c-493f-843e-55a3b42923d4 |
Teams Administrator | Teams Administrator | 69091246-20e8-4a56-aa4d-066075b2a7a8 |
Usage Summary Reports Reader | Usage summary reports reader | 75934031-6c7e-415a-99d7-48dbd49e875e |
User | Not shown because it can't be used | a0b1b346-4d3e-4e8b-98f8-753987be4970 |
User Administrator | User administrator | fe930be7-5e62-47db-91af-98c3a49a38b1 |
Workplace Device Join | Deprecated | c34f683f-4d5a-4403-affd-6615e00e3a7f |
Deprecated roles
The following roles should not be used. They have been deprecated and will be removed from Azure AD in the future.
- AdHoc License Administrator
- Device Join
- Device Managers
- Device Users
- Email Verified User Creator
- Mailbox Administrator
- Workplace Device Join
Roles not shown in the portal
Not every role returned by PowerShell or the Microsoft Graph API is visible in the Azure portal. The following table lists those differences.
API name | Azure portal name | Notes |
---|---|---|
Device Join | Deprecated | Deprecated roles documentation |
Device Managers | Deprecated | Deprecated roles documentation |
Device Users | Deprecated | Deprecated roles documentation |
Directory Synchronization Accounts | Not shown because it shouldn't be used | Directory Synchronization Accounts documentation |
Guest User | Not shown because it can't be used | NA |
Partner Tier 1 Support | Not shown because it shouldn't be used | Partner Tier1 Support documentation |
Partner Tier 2 Support | Not shown because it shouldn't be used | Partner Tier2 Support documentation |
Restricted Guest User | Not shown because it can't be used | NA |
User | Not shown because it can't be used | NA |
Workplace Device Join | Deprecated | Deprecated roles documentation |
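Because the roles listed under Deprecated roles and in the table above do not appear in the portal's role list, an assignment to one of them is easy to overlook. The following Microsoft Graph PowerShell script is an added example, not code from the Microsoft documentation or from Microsoft's own tooling: it enumerates the directory roles activated in the tenant and reports any members of those deprecated or portal-hidden roles. It assumes the Microsoft.Graph.Identity.DirectoryManagement module is installed and that the signed-in account can consent to RoleManagement.Read.Directory and Directory.Read.All; the role-name list is taken from this page, and the output format is the example's own.

```powershell
# Added example (not part of the Microsoft documentation): report members of roles
# that this page marks as deprecated or as not shown in the Azure portal.
# Uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.DirectoryManagement).

#Requires -Modules Microsoft.Graph.Identity.DirectoryManagement

# Delegated permissions: RoleManagement.Read.Directory to list roles and their
# members, Directory.Read.All to read the member objects' display names.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All' | Out-Null

# Role names from the "Deprecated roles" list and the "Roles not shown in the portal"
# table. Comparison ignores case and whitespace so that both spellings used on the
# page ("Partner Tier1 Support" and "Partner Tier 1 Support") match the same role.
$flaggedRoles = @(
    'AdHoc License Administrator', 'Device Join', 'Device Managers', 'Device Users',
    'Email Verified User Creator', 'Mailbox Administrator', 'Workplace Device Join',
    'Directory Synchronization Accounts', 'Partner Tier1 Support', 'Partner Tier2 Support'
)
$flaggedKeys = $flaggedRoles | ForEach-Object { ($_ -replace '\s', '').ToLowerInvariant() }

# Get-MgDirectoryRole returns only roles that have been activated in this tenant; a
# role template that nobody has ever been assigned to is not listed. An empty result
# for a deprecated role is therefore the expected, healthy outcome. Directory
# Synchronization Accounts is expected to contain only the directory sync service
# account, so any other member there deserves a look.
$findings = foreach ($role in Get-MgDirectoryRole -All) {
    $key = ($role.DisplayName -replace '\s', '').ToLowerInvariant()
    if ($flaggedKeys -notcontains $key) { continue }

    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        # Members come back as generic directory objects; type and names live in
        # AdditionalProperties. Users carry a userPrincipalName, other objects do not.
        $props = $member.AdditionalProperties
        [pscustomobject]@{
            Role           = $role.DisplayName
            RoleTemplateId = $role.RoleTemplateId
            MemberId       = $member.Id
            MemberType     = ($props['@odata.type'] -replace '^#microsoft\.graph\.', '')
            Member         = if ($props['userPrincipalName']) { $props['userPrincipalName'] }
                             else { $props['displayName'] }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    $msg = '{0} assignment(s) found on deprecated or portal-hidden roles; the Azure portal does not list these roles, so review them here or through the Graph API.' -f @($findings).Count
    Write-Warning $msg
} else {
    Write-Host 'No members found on deprecated or portal-hidden roles.'
}
```

The script matches roles by display name rather than by template ID because the template IDs of several deprecated roles appear only in the larger role table, while every flagged role is named on this page; the RoleTemplateId column in the output lets you cross-check each hit against that table.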
Next steps
- To learn more about how to assign a user as an administrator of an Azure subscription, see Add or remove Azure role assignments (Azure RBAC)
- To learn more about how resource access is controlled in Microsoft Azure, see Understand the different roles
- For details on the relationship between subscriptions and an Azure AD tenant, or for instructions to associate or add a subscription, see Associate or add an Azure subscription to your Azure Active Directory tenant