Roles you can't manage in Privileged Identity Management

Azure Active Directory (Azure AD) Privileged Identity Management (PIM) enables you to manage all Azure AD roles and all Azure roles. Azure roles can also include your custom roles attached to your management groups, subscriptions, resource groups, and resources. However, there are a few roles that you cannot manage. This article describes the roles you can't manage in Privileged Identity Management.

Classic subscription administrator roles

You cannot manage the following classic subscription administrator roles in Privileged Identity Management:

  • Account Administrator
  • Service Administrator
  • Co-Administrator

For more information about the classic subscription administrator roles, see Classic subscription administrator roles, Azure roles, and Azure AD administrator roles.

What about Microsoft 365 admin roles?

We support all Microsoft 365 roles in the Azure AD Roles and Administrators portal experience, such as Exchange Administrator and SharePoint Administrator, but we don't support specific roles within Exchange RBAC or SharePoint RBAC. For more information about these Microsoft 365 services, see Microsoft 365 admin roles.

Note

  • Eligible users for the SharePoint administrator role, the Device administrator role, and any roles trying to access the Microsoft Security & Compliance Center might experience delays of up to a few hours after activating their role. We are working with those teams to fix the issues.
  • For information about delays activating the Azure AD Joined Device Local Administrator role, see How to manage the local administrators group on Azure AD joined devices.
