Assigning administrator roles in Azure Active Directory

Using Azure Active Directory (Azure AD), you can designate separate administrators to serve different functions. Administrators have access to various features in the Azure portal and, depending on their role, can create or edit users, assign administrative roles to others, reset user passwords, manage user licenses, and manage domains, among other things. A user who is assigned an admin role has the same permissions across all of the cloud services to which your organization has subscribed, regardless of whether you assign the role in the Office 365 portal, in the Azure portal, or by using the Azure AD module for Windows PowerShell.

Details about the Global Administrator role

The Global Administrator has access to all administrative features. By default, the person who signs up for an Azure subscription is assigned the global administrator role for the directory. Only global administrators can assign other administrator roles.

Assign or remove administrator roles

To learn how to assign administrative roles to a user in Azure Active Directory, see Assign a user to administrator roles in Azure Active Directory.

Available roles

The following administrator roles are available:

  • Application Administrator: Users in this role can create and manage all aspects of enterprise applications, application registrations, and application proxy settings. This role also grants the ability to consent to delegated permissions, and application permissions excluding Microsoft Graph and Azure AD Graph. Members of this role are not added as owners when creating new application registrations or enterprise applications.

  • Application Developer: Users in this role can create application registrations when the “Users can register applications” setting is set to No. This role also allows members to consent on their own behalf when the “Users can consent to apps accessing company data on their behalf” setting is set to No. Members of this role are added as owners when creating new application registrations or enterprise applications.

  • Billing Administrator: Makes purchases, manages subscriptions, manages support tickets, and monitors service health.

  • Cloud Application Administrator: Users in this role have the same permissions as the Application Administrator role, excluding the ability to manage application proxy. This role grants the ability to create and manage all aspects of enterprise applications, application registrations. This role also grants the ability to consent to delegated permissions, and application permissions excluding Microsoft Graph and Azure AD Graph. Members of this role are not added as owners when creating new application registrations or enterprise applications.

  • Compliance Administrator: Users with this role have management permissions within the Office 365 Security & Compliance Center and Exchange Admin Center. More information at “About Office 365 admin roles.”

  • Conditional Access Administrator: Users with this role have the ability to manage Azure Active Directory conditional access settings.

    Note

    To deploy Exchange ActiveSync conditional access policy in Azure, the user must also be Global Administrator.

  • Device Administrators: This role is available for assignment only as an additional local administrator in Device settings. Users with this role become local machine administrators on all Windows 10 devices that are joined to Azure Active Directory. They do not have the ability to manage device objects in Azure Active Directory.

  • Directory Readers: This is a legacy role that is to be assigned to applications that do not support the Consent Framework. It should not be assigned to any users.

  • Directory Synchronization Accounts: Do not use. This role is automatically assigned to the Azure AD Connect service, and is not intended or supported for any other use.

  • Directory Writers: This is a legacy role that is to be assigned to applications that do not support the Consent Framework. It should not be assigned to any users.

  • Dynamics 365 Administrator: Users with this role have global permissions within Microsoft Dynamics 365, when the service is present, as well as the ability to manage support tickets and monitor service health. More information at About Office 365 admin roles.

  • Exchange Service Administrator: Users with this role have global permissions within Microsoft Exchange Online, when the service is present. More information at About Office 365 admin roles.

  • Global Administrator / Company Administrator / Tenant Administrator: Users with this role have access to all administrative features in Azure Active Directory, as well as services that federate to Azure Active Directory like Exchange Online, SharePoint Online, and Skype for Business Online. The person who signs up for the Azure Active Directory tenant becomes a global administrator. Only global administrators can assign other administrator roles. There can be more than one global administrator at your company. Global admins can reset the password for any user and all other administrators.

    Note

    In Microsoft Graph API, Azure AD Graph API, and Azure AD PowerShell, this role is identified as "Company Administrator". It is "Global Administrator" in the Azure portal.

  • Guest Inviter: Users in this role can manage Azure Active Directory B2B guest user invitations when the “Members can invite” user setting is set to No. More information about B2B collaboration at About Azure AD B2B collaboration. It does not include any other permissions.

  • Information Protection Administrator: Users with this role have user rights only on the Azure Information Protection service. They are not granted user rights on Identity Protection Center, Privileged Identity Management, Monitor Office 365 Service Health, or Office 365 Security & Compliance Center. They can configure labels for the Azure Information Protection policy, manage protection templates, and activate protection.

  • Intune Service Administrator: Users with this role have global permissions within Microsoft Intune Online, when the service is present. Additionally, this role contains the ability to manage users and devices in order to associate policy, as well as create and manage groups.

  • Mailbox Administrator: This role is only used as part of Exchange Online email support for RIM Blackberry devices. If your organization does not use Exchange Online email on RIM Blackberry devices, do not use this role.

  • Message Center Reader: Users in this role can monitor notifications and advisory health updates in Office 365 Message center for their organization on configured services such as Exchange, Intune and Microsoft Teams. Message Center Readers receive weekly email digests of posts, updates, and can share message center posts in Office 365. In Azure AD, users assigned to this role will only have read-only access on Azure AD services such as users and groups.

  • Partner Tier 1 Support: Do not use. This role has been deprecated and will be removed from Azure AD in the future. This role is intended for use by a small number of Microsoft resale partners, and is not intended for general use.

  • Partner Tier 2 Support: Do not use. This role has been deprecated and will be removed from Azure AD in the future. This role is intended for use by a small number of Microsoft resale partners, and is not intended for general use.

  • Password Administrator / Helpdesk Administrator: Users with this role can change passwords, manage service requests, and monitor service health. Helpdesk administrators can change passwords only for users and other Helpdesk administrators.

    Note

    In Microsoft Graph API, Azure AD Graph API and Azure AD PowerShell, this role is identified as "Helpdesk Administrator". It is "Password Administrator" in the Azure portal.

  • Power BI Service Administrator: Users with this role have global permissions within Microsoft Power BI, when the service is present, as well as the ability to manage support tickets and monitor service health. More information at About Office 365 admin roles.

  • Privileged Role Administrator: Users with this role can manage role assignments in Azure Active Directory, as well as within Azure AD Privileged Identity Management. In addition, this role allows management of all aspects of Privileged Identity Management.

  • Reports Reader: Users with this role can view usage reporting data and the reports dashboard in Office 365 admin center and the adoption context pack in PowerBI. Additionally, the role provides access to sign-on reports and activity in Azure AD and data returned by the Microsoft Graph reporting API. A user assigned to the Reports Reader role can access only relevant usage and adoption metrics. They don't have any admin permissions to configure settings or access the product specific admin centers like Exchange.

  • Security Administrator: Users with this role have all of the read-only permissions of the Security reader role, plus the ability to manage configuration for security-related services: Azure Active Directory Identity Protection, Azure Information Protection, Privileged Identity Management, and Office 365 Security & Compliance Center. More information about Office 365 permissions is available at Permissions in the Office 365 Security & Compliance Center.

  • Security Reader: Users with this role have global read-only access, including all information in Azure Active Directory, Identity Protection, Privileged Identity Management, as well as the ability to read Azure Active Directory sign-in reports and audit logs. The role also grants read-only permission in Office 365 Security & Compliance Center. More information about Office 365 permissions is available at Permissions in the Office 365 Security & Compliance Center.

  • Service Support Administrator: Users with this role can open support requests with Microsoft for Azure and Office 365 services, and view the service dashboard and message center in the Azure portal and Office 365 admin portal. More information at About Office 365 admin roles.

  • SharePoint Service Administrator: Users with this role have global permissions within Microsoft SharePoint Online, when the service is present, as well as the ability to manage support tickets and monitor service health. More information at About Office 365 admin roles.

  • Skype for Business / Lync Service Administrator: Users with this role have global permissions within Microsoft Skype for Business, when the service is present, as well as manage Skype-specific user attributes in Azure Active Directory. Additionally, this role grants the ability to manage support tickets and monitor service health. More information at About Office 365 admin roles.

    Note

    In Microsoft Graph API, Azure AD Graph API and Azure AD PowerShell, this role is identified as "Lync Service Administrator". It is "Skype for Business Service Administrator" in the Azure portal.

  • User Account Administrator: Users with this role can create and manage all aspects of users and groups. Additionally, this role includes the ability to manage support tickets and monitor service health. Some restrictions apply. For example, this role does not allow deleting a global administrator. User Account administrators can change passwords for users, Helpdesk administrators, and other User Account administrators only.

Administrator permissions

Application Administrator

Can do:
  • Read all directory information
  • Create application registrations
  • Update application registration properties
  • Acquire enterprise applications
  • Manage application registration permissions
  • Delete application registrations
  • Manage enterprise application single sign-on settings
  • Manage enterprise application provisioning settings
  • Manage enterprise application self-service settings
  • Manage enterprise application permission settings
  • Manage application access
  • Manage provisioning settings
  • Delete enterprise applications
  • Consent on behalf of everyone for all delegated permission requests
  • Consent on behalf of everyone for all application permission requests except Azure AD Graph or Microsoft Graph
  • Manage application proxy settings
  • Access services settings
  • Monitor service health
  • Manage support tickets
  • Read hidden group membership

Cannot do:
  • Create, edit, and delete groups
  • Manage user licenses
  • Use directory synchronization
  • View sign-in reports and audit logs

Application Developer

Can do:
  • Read all directory information
  • Create application registrations
  • Consent on behalf of self

Cannot do:
  • View sign-in and audit logs
  • Read hidden group membership

Billing Administrator

Can do:
  • View company and user information
  • Manage Office support tickets
  • Perform billing and purchasing operations for Office products

Cannot do:
  • Reset user passwords
  • Create and manage user views
  • Create, edit, and delete users and groups, and manage user licenses
  • Manage domains
  • Manage company information
  • Delegate administrative roles to others
  • Use directory synchronization
  • View audit logs

Cloud Application Administrator

Can do:
  • Read all directory information
  • Create application registrations
  • Update application registration properties
  • Acquire enterprise applications
  • Manage application registration permissions
  • Delete application registrations
  • Manage enterprise application single sign-on settings
  • Manage enterprise application provisioning settings
  • Manage enterprise application self-service settings
  • Manage enterprise application permission settings
  • Manage application access
  • Manage provisioning settings
  • Delete enterprise applications
  • Consent on behalf of everyone for all delegated permission requests
  • Consent on behalf of everyone for all application permission requests except Azure AD Graph or Microsoft Graph
  • Access services settings
  • Monitor service health
  • Manage support tickets
  • Read hidden group membership

Cannot do:
  • Manage application proxy settings
  • Create, edit, and delete groups
  • Manage user licenses
  • Use directory synchronization
  • View sign-in reports and audit logs

Conditional Access Administrator

Can do:
  • View company and user information
  • Manage conditional access settings

Cannot do:
  • Reset user passwords
  • Create and manage user views
  • Create, edit, and delete users and groups, and manage user licenses
  • Manage domains
  • Manage company information
  • Delegate administrative roles to others
  • Use directory synchronization
  • View audit logs

Global Administrator

Can do:
  • View company and user information
  • Manage Office support tickets
  • Perform billing and purchasing operations for Office products
  • Reset user passwords
  • Reset other administrators' passwords
  • Create and manage user views
  • Create, edit, and delete users and groups, and manage user licenses
  • Manage domains
  • Manage company information
  • Delegate administrative roles to others
  • Use directory synchronization
  • Enable or disable multi-factor authentication
  • View audit logs

Cannot do:
  • N/A

Password Administrator / Helpdesk Administrator

Can do:
  • View company and user information
  • Manage Office support tickets
  • Change passwords for users and other Helpdesk administrators only

Cannot do:
  • Perform billing and purchasing operations for Office products
  • Create and manage user views
  • Create, edit, and delete users and groups, and manage user licenses
  • Manage domains
  • Manage company information
  • Delegate administrative roles to others
  • Use directory synchronization
  • View reports

Information Protection Administrator

In: Azure Information Protection
Can do:
  • Configure labels and settings in global and scoped policies
  • Configure and manage protection templates
  • Activate or deactivate protection

Reports Reader

Can do:
  • View Azure AD sign-in reports and audit logs
  • View company and user information
  • Access Office 365 usage dashboard

Cannot do:
  • Create and manage user views
  • Create, edit, and delete users and groups, and manage user licenses
  • Delegate administrative roles to others
  • Manage company information
Security Reader

In: Identity Protection Center
Can do: Read all security reports and settings information for security features
  • Anti-spam
  • Encryption
  • Data loss prevention
  • Anti-malware
  • Advanced threat protection
  • Anti-phishing
  • Mailflow rules

In: Privileged Identity Management
Can do: Has read-only access to all information surfaced in Azure AD PIM: policies and reports for Azure AD role assignments, security reviews and, in the future, read access to policy data and reports for scenarios besides Azure AD role assignment.
Cannot sign up for Azure AD PIM or make any changes to it. In PIM's portal or via PowerShell, someone in this role can activate additional roles (for example, Global Admin or Privileged Role Administrator), if the user is a candidate for them.

In: Monitor Office 365 Service Health

In: Office 365 Security & Compliance Center
Can do:
  • Read and manage alerts
  • Read security policies
  • Read threat intelligence, Cloud App Discovery, and Quarantine in Search and Investigate
  • Read all reports

Security Administrator

In: Identity Protection Center
Can do:
  • All permissions of the Security Reader role.
  • Additionally, the ability to perform all IPC operations except for resetting passwords.

In: Privileged Identity Management
Can do:
  • All permissions of the Security Reader role.
  • Cannot manage Azure AD role memberships or settings.

In: Monitor Office 365 Service Health

In: Office 365 Security & Compliance Center
Can do:
  • All permissions of the Security Reader role.
  • Can configure all settings in the Advanced Threat Protection feature (malware & virus protection, malicious URL config, URL tracing, etc.).

Service Administrator

Can do:
  • View company and user information
  • Manage Office support tickets

Cannot do:
  • Reset user passwords
  • Perform billing and purchasing operations for Office products
  • Create and manage user views
  • Create, edit, and delete users and groups, and manage user licenses
  • Manage domains
  • Manage company information
  • Delegate administrative roles to others
  • Use directory synchronization
  • View audit logs

User Account Administrator

Can do:
  • View company and user information
  • Manage Office support tickets
  • Change passwords for users, Helpdesk administrators, and other User Account administrators only
  • Create and manage user views
  • Create, edit, and delete users and groups, and manage user licenses, with limitations: the role cannot delete a global administrator or create other administrators.

Cannot do:
  • Perform billing and purchasing operations for Office products
  • Manage domains
  • Manage company information
  • Delegate administrative roles to others
  • Use directory synchronization
  • Enable or disable multi-factor authentication
  • View audit logs

To add a user as a global administrator

1. Sign in to the Azure Active Directory Admin Center with an account that's a Global Administrator for the tenant directory.

2. Select Users and groups > All users.

3. Find the user you want to designate as a Global Administrator and open the blade for that user.

4. On the user blade, select Directory role.

5. On the directory role blade, select the Global Administrator role, and save.
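The same assignment can be done with the Azure AD module for Windows PowerShell that the page mentions. The script below is an added example, not code from the original page or from Microsoft; it assumes the AzureAD module is installed, that the signed-in account is a Global Administrator, and that $UserPrincipalName is a placeholder for the account being promoted. Because the role is called "Company Administrator" in PowerShell and the Graph APIs (see the note above), that is the template name looked up here. The script also lists the role's members before and after the change, which is the check a reviewer wants when the most privileged role in the tenant grows: the same pattern works for any role in the list above by changing the template name.

```powershell
# Added example (not from the original page): assign the Global Administrator role
# with the Azure AD PowerShell module and review who holds it afterwards.
# Assumes the AzureAD module is installed; $UserPrincipalName is a placeholder.
Connect-AzureAD

$UserPrincipalName = 'user@contoso.example'   # placeholder: replace with the real UPN

# "Global Administrator" in the portal is "Company Administrator" in PowerShell/Graph.
$roleTemplate = Get-AzureADDirectoryRoleTemplate |
    Where-Object { $_.DisplayName -eq 'Company Administrator' }

# A directory role becomes an assignable object only once it has been activated
# in the tenant; activate it from its template if it is not present yet.
$role = Get-AzureADDirectoryRole |
    Where-Object { $_.RoleTemplateId -eq $roleTemplate.ObjectId }
if (-not $role) {
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $roleTemplate.ObjectId
}

# Get-AzureADUser accepts a UPN as -ObjectId.
$user = Get-AzureADUser -ObjectId $UserPrincipalName

# Record the current membership before changing it, so the change is reviewable.
Write-Host "Global Administrators before the change:"
Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
    Select-Object DisplayName, UserPrincipalName, ObjectType | Format-Table

Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId

# Verify the assignment and review the full list. Every account shown here can
# reset any other administrator's password and assign any role, so keep it short.
Write-Host "Global Administrators after the change:"
Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
    Select-Object DisplayName, UserPrincipalName, ObjectType | Format-Table
```

Run it in a PowerShell session after `Install-Module AzureAD`; the before/after listing is worth saving alongside the change request, since the audit log records the assignment but not who else held the role at the time.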

Deprecated roles

The following roles should not be used. They have been deprecated and will be removed from Azure AD in the future.

  • AdHoc License Administrator
  • Email Verified User Creator
  • Device Join
  • Device Managers
  • Device Users
  • Workplace Device Join
