Directory roles you can manage using Azure AD PIM

You can assign users in your organization to different administrative roles in Azure AD. These role assignments control which tasks, such as adding or removing users or changing service settings, the users are able to perform on Azure AD, Office 365, and other Microsoft Online Services and connected applications.

A Global Administrator can update which users are permanently assigned to roles in Azure AD through the portal as described in assigning administrator roles in Azure Active Directory or using PowerShell commands.

Azure AD Privileged Identity Management (PIM) manages policies for privileged access for users in Azure AD. PIM assigns users to one or more roles in Azure AD, and you can assign someone to be permanently in the role, or eligible for the role. When a user is permanently assigned to a role, or activates an eligible role assignment, then they can manage Azure Active Directory, Office 365, and other applications with the permissions assigned to their roles.

There's no difference in the access given to someone with a permanent versus an eligible role assignment. The only difference is that some people don't need that access all the time. They are made eligible for the role, and can turn it on and off whenever they need to.
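Because permanent and eligible assignments grant identical access once active, the standing (permanent) assignments are the ones to review first. The following script is an added example, not part of the original article or the product; it assumes the AzureADPreview module and an account permitted to read PIM data, and the mapping of PIM assignment states to "Permanent", "Eligible" and "Activated" is an assumption about that API's fields.

```powershell
# Added example (not from the original article): list Azure AD directory role
# assignments known to PIM and separate standing (permanent) from eligible ones.
# Assumes the AzureADPreview module is installed and the signed-in account can
# read PIM data (for example a Privileged Role Administrator).
Connect-AzureAD | Out-Null
$tenantId = (Get-AzureADCurrentSessionInfo).TenantId

# PIM's provider for directory roles is "aadRoles"; the resource is the tenant.
$roles = Get-AzureADMSPrivilegedRoleDefinition -ProviderId "aadRoles" -ResourceId $tenantId
$roleName = @{}
foreach ($r in $roles) { $roleName[$r.Id] = $r.DisplayName }

$assignments = Get-AzureADMSPrivilegedRoleAssignment -ProviderId "aadRoles" -ResourceId $tenantId

$report = foreach ($a in $assignments) {
    # Assumption about the API: "Eligible" is a PIM-eligible assignment; "Active"
    # with no linked eligible assignment is a permanent assignment; "Active"
    # linked to an eligible assignment is a time-bound activation.
    $kind = switch ($a.AssignmentState) {
        "Eligible" { "Eligible" }
        "Active"   { if ($a.LinkedEligibleRoleAssignmentId) { "Activated" } else { "Permanent" } }
        default    { $a.AssignmentState }
    }
    # Resolve the subject (user or group) to a display name; fall back to the id.
    $subject = try { (Get-AzureADObjectByObjectId -ObjectIds $a.SubjectId).DisplayName } catch { $a.SubjectId }
    [pscustomobject]@{
        Role       = $roleName[$a.RoleDefinitionId]
        Subject    = $subject
        Kind       = $kind
        MemberType = $a.MemberType
        Ends       = $a.EndDateTime
    }
}

# Standing Global Administrators are the assignments to review first.
$report | Where-Object { $_.Kind -eq "Permanent" -and $_.Role -eq "Global Administrator" } |
    Format-Table -AutoSize

# Full picture: every role, grouped by assignment kind.
$report | Sort-Object Role, Kind | Format-Table -AutoSize
```

A short "Permanent" list with most administrators appearing as "Eligible" is the outcome the eligible model is meant to produce.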

Roles managed in PIM

Privileged Identity Management lets you assign users to common administrator roles, including:

  • Global administrator (also known as Company administrator) has access to all administrative features. You can have more than one global admin in your organization. The person who signs up to purchase Office 365 automatically becomes a global admin.
  • Privileged role administrator manages Azure AD PIM and updates role assignments for other users.
  • Billing administrator makes purchases, manages subscriptions, manages support tickets, and monitors service health.
  • Password administrator resets passwords, manages service requests, and monitors service health. Password admins are limited to resetting passwords for users.
  • Service administrator manages service requests and monitors service health.

    Note: If you are using Office 365, then before assigning the service admin role to a user, first assign the user administrative permissions to a service, such as Exchange Online.

  • User management administrator resets passwords, monitors service health, and manages user accounts, user groups, and service requests. The user management admin can’t delete a global admin, create other admin roles, or reset passwords for billing, global, and service admins.
  • Exchange administrator has administrative access to Exchange Online through the Exchange admin center (EAC), and can perform almost any task in Exchange Online.
  • SharePoint administrator (Preview) has administrative access to SharePoint Online through the SharePoint Online admin center, and can perform almost any task in SharePoint Online. This role is currently in preview. Eligible users may experience delays using this role within SharePoint after activating in PIM.
  • Skype for Business administrator has administrative access to Skype for Business through the Skype for Business admin center, and can perform almost any task in Skype for Business Online.

Read these articles for more details about assigning administrator roles in Azure AD and assigning admin roles in Office 365.

From PIM, you can assign these roles to a user so that the user can activate the role when needed.

If you want to give another user access to manage PIM itself, the roles PIM requires that user to have are described in how to give access to PIM.

Roles not managed in PIM

Roles within Exchange Online or SharePoint Online, except for those mentioned above, are not represented in Azure AD and so are not visible in PIM. For more information on changing fine-grained role assignments in these Office 365 services, see Permissions in Office 365.

Azure subscriptions and resource groups are also not represented in Azure AD. To manage Azure subscriptions, see How to add or change Azure administrator roles and for more information on Azure RBAC, see Azure role-based access control.

User roles and signing in

For some Microsoft services and applications, assigning a user to a role may not be sufficient to enable that user to be an administrator.

Access to the Azure portal requires that the user be a service administrator or co-administrator on an Azure subscription, even if the user does not need to manage the Azure subscriptions. For example, to manage configuration settings for Azure AD, a user must be both a global administrator in Azure AD and a subscription co-administrator on an Azure subscription. To learn how to add users to Azure subscriptions, see How to add or change Azure administrator roles.

Access to Microsoft Online Services may also require that the user be assigned a license before they can open the service's portal or perform administrative tasks.

Assign a license to a user in Azure AD

  1. Sign in to the Azure portal with a global administrator account or a co-administrator account.
  2. Select Azure AD and the directory you want to work with and that has licenses associated with it.
  3. Select Licenses on the left. The list of available licenses will appear.
  4. Select the license plan that contains the licenses you want to distribute.
  5. Select Assign Users.
  6. Select the user that you want to assign a license to.
  7. Click the Assign button. The user can now sign in to Azure.
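The same assignment can be scripted. The block below is an added example, not part of the original article; it uses the AzureAD PowerShell module, and the user principal name, SKU part number and usage location are placeholders to replace.

```powershell
# Added example (not from the original article): assign a license to one user
# with the AzureAD PowerShell module, with the checks a portal user makes by eye.
# $upn and $skuPartNumber are placeholders; "ENTERPRISEPACK" is the part number
# of Office 365 E3.
$upn           = "user@contoso.example"
$skuPartNumber = "ENTERPRISEPACK"

Connect-AzureAD | Out-Null
$user = Get-AzureADUser -ObjectId $upn

# A license cannot be assigned until the user has a usage location.
if (-not $user.UsageLocation) {
    Set-AzureADUser -ObjectId $user.ObjectId -UsageLocation "US"   # assumption: US
}

# Find the plan (step 4 in the portal) and make sure it still has free units.
$sku = Get-AzureADSubscribedSku | Where-Object { $_.SkuPartNumber -eq $skuPartNumber }
if (-not $sku) { throw "No subscribed SKU named $skuPartNumber in this directory." }
$free = $sku.PrepaidUnits.Enabled - $sku.ConsumedUnits
if ($free -le 0) { throw "No free units left in $skuPartNumber." }

# Build the assignment object (steps 5 to 7 in the portal) and apply it.
$license  = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
$license.SkuId = $sku.SkuId
$licenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
$licenses.AddLicenses = $license
Set-AzureADUserLicense -ObjectId $user.ObjectId -AssignedLicenses $licenses

# Verify: the SKU should now appear among the user's assigned licenses.
$assigned = (Get-AzureADUser -ObjectId $upn).AssignedLicenses.SkuId
if ($assigned -contains $sku.SkuId) {
    "Assigned $skuPartNumber to $upn"
} else {
    throw "License assignment for $upn did not take effect."
}
```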

Next steps