Azure AD built-in roles

In Azure Active Directory (Azure AD), if another administrator or non-administrator needs to manage Azure AD resources, you assign them an Azure AD role that provides the permissions they need. For example, you can assign roles to allow adding or changing users, resetting user passwords, managing user licenses, or managing domain names.

This article lists the Azure AD built-in roles you can assign to allow management of Azure AD resources. For information about how to assign roles, see Assign Azure AD roles to users.

All roles

Role | Description | Template ID
Application Administrator | Can create and manage all aspects of app registrations and enterprise apps. | 9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3
Application Developer | Can create application registrations independent of the 'Users can register applications' setting. | cf1c38e5-3621-4004-a7cb-879624dced7c
Attack Payload Author | Can create attack payloads that an administrator can initiate later. | 9c6df0f2-1e7c-4dc3-b195-66dfbd24aa8f
Attack Simulation Administrator | Can create and manage all aspects of attack simulation campaigns. | c430b396-e693-46cc-96f3-db01bf8bb62a
Authentication Administrator | Can view, set, and reset authentication method information for any non-admin user. | c4e39bd9-1100-46d3-8c65-fb160da0071f
Authentication Policy Administrator | Can create and manage all aspects of authentication methods and password protection policies. | 0526716b-113d-4c15-b2c8-68e3c22b9f80
Azure AD Joined Device Local Administrator | Users assigned to this role are added to the local administrators group on Azure AD-joined devices. | 9f06204d-73c1-4d4c-880a-6edb90606fd8
Azure DevOps Administrator | Can manage Azure DevOps organization policy and settings. | e3973bdf-4987-49ae-837a-ba8e231c7286
Azure Information Protection Administrator | Can manage all aspects of the Azure Information Protection product. | 7495fdc4-34c4-4d15-a289-98788ce399fd
B2C IEF Keyset Administrator | Can manage secrets for federation and encryption in the Identity Experience Framework (IEF). | aaf43236-0c0d-4d5f-883a-6955382ac081
B2C IEF Policy Administrator | Can create and manage trust framework policies in the Identity Experience Framework (IEF). | 3edaf663-341e-4475-9f94-5c398ef6c070
Billing Administrator | Can perform common billing-related tasks like updating payment information. | b0f54661-2d74-4c50-afa3-1ec803f12efe
Cloud Application Administrator | Can create and manage all aspects of app registrations and enterprise apps except App Proxy. | 158c047a-c907-4556-b7ef-446551a6b5f7
Cloud Device Administrator | Limited access to manage devices in Azure AD. | 7698a772-787b-4ac8-901f-60d6b08affd2
Compliance Administrator | Can read and manage compliance configuration and reports in Azure AD and Microsoft 365. | 17315797-102d-40b4-93e0-432062caca18
Compliance Data Administrator | Creates and manages compliance content. | e6d1a23a-da11-4be4-9570-befc86d067a7
Conditional Access Administrator | Can manage Conditional Access capabilities. | b1be1c3e-b65d-4f19-8427-f6fa0d97feb9
Customer LockBox Access Approver | Can approve Microsoft support requests to access customer organizational data. | 5c4f9dcd-47dc-4cf7-8c9a-9e4207cbfc91
Desktop Analytics Administrator | Can access and manage Desktop management tools and services. | 38a96431-2bdf-4b4c-8b6e-5d3d8abac1a4
Directory Readers | Can read basic directory information. Commonly used to grant directory read access to applications and guests. | 88d8e3e3-8f55-4a1e-953a-9b9898b8876b
Directory Synchronization Accounts | Only used by the Azure AD Connect service. | d29b2b05-8046-44ba-8758-1e26182fcf32
Directory Writers | Can read and write basic directory information. For granting access to applications, not intended for users. | 9360feb5-f418-4baa-8175-e2a00bac4301
Domain Name Administrator | Can manage domain names in cloud and on-premises. | 8329153b-31d0-4727-b945-745eb3bc5f31
Dynamics 365 Administrator | Can manage all aspects of the Dynamics 365 product. | 44367163-eba1-44c3-98af-f5787879f96a
Exchange Administrator | Can manage all aspects of the Exchange product. | 29232cdf-9323-42fd-ade2-1d097af3e4de
Exchange Recipient Administrator | Can create or update Exchange Online recipients within the Exchange Online organization. | 31392ffb-586c-42d1-9346-e59415a2cc4e
External ID User Flow Administrator | Can create and manage all aspects of user flows. | 6e591065-9bad-43ed-90f3-e9424366d2f0
External ID User Flow Attribute Administrator | Can create and manage the attribute schema available to all user flows. | 0f971eea-41eb-4569-a71e-57bb8a3eff1e
External Identity Provider Administrator | Can configure identity providers for use in direct federation. | be2f45a1-457d-42af-a067-6ec1fa63bc45
Global Administrator | Can manage all aspects of Azure AD and Microsoft services that use Azure AD identities. | 62e90394-69f5-4237-9190-012177145e10
Global Reader | Can read everything that a Global Administrator can, but not update anything. | f2ef992c-3afb-46b9-b7cf-a126ee74c451
Groups Administrator | Members of this role can create/manage groups, create/manage group settings like naming and expiration policies, and view group activity and audit reports. | fdd7a751-b60b-444a-984c-02652fe8fa1c
Guest Inviter | Can invite guest users independent of the 'members can invite guests' setting. | 95e79109-95c0-4d8e-aee3-d01accf2d47b
Helpdesk Administrator | Can reset passwords for non-administrators and Helpdesk Administrators. | 729827e3-9c14-49f7-bb1b-9608f156bbb8
Hybrid Identity Administrator | Can manage AD to Azure AD cloud provisioning, Azure AD Connect, and federation settings. | 8ac3fc64-6eca-42ea-9e69-59f4c7b60eb2
Insights Administrator | Has administrative access in the Microsoft 365 Insights app. | eb1f4a8d-243a-41f0-9fbd-c7cdf6c5ef7c
Insights Business Leader | Can view and share dashboards and insights via the M365 Insights app. | 31e939ad-9672-4796-9c2e-873181342d2d
Intune Administrator | Can manage all aspects of the Intune product. | 3a2c62db-5318-420d-8d74-23affee5d9d5
Kaizala Administrator | Can manage settings for Microsoft Kaizala. | 74ef975b-6605-40af-a5d2-b9539d836353
Knowledge Administrator | Can configure knowledge, learning, and other intelligent features. | b5a8dcf3-09d5-43a9-a639-8e29ef291470
License Administrator | Can manage product licenses on users and groups. | 4d6ac14f-3453-41d0-bef9-a3e0c569773a
Message Center Privacy Reader | Can read security messages and updates in Office 365 Message Center only. | ac16e43d-7b2d-40e0-ac05-243ff356ab5b
Message Center Reader | Can read messages and updates for their organization in Office 365 Message Center only. | 790c1fb9-7f7d-4f88-86a1-ef1f95c05c1b
Modern Commerce User | Can manage commercial purchases for a company, department or team. | d24aef57-1500-4070-84db-2666f29cf966
Network Administrator | Can manage network locations and review enterprise network design insights for Microsoft 365 Software as a Service applications. | d37c8bed-0711-4417-ba38-b4abe66ce4c2
Office Apps Administrator | Can manage Office apps cloud services, including policy and settings management, and manage the ability to select, unselect and publish 'what's new' feature content to end users' devices. | 2b745bdf-0803-4d80-aa65-822c4493daac
Partner Tier1 Support | Do not use - not intended for general use. | 4ba39ca4-527c-499a-b93d-d9b492c50246
Partner Tier2 Support | Do not use - not intended for general use. | e00e864a-17c5-4a4b-9c06-f5b95a8d5bd8
Password Administrator | Can reset passwords for non-administrators and Password Administrators. | 966707d0-3269-4727-9be2-8c3a10f19b9d
Power BI Administrator | Can manage all aspects of the Power BI product. | a9ea8996-122f-4c74-9520-8edcd192826c
Power Platform Administrator | Can create and manage all aspects of Microsoft Dynamics 365, PowerApps and Microsoft Flow. | 11648597-926c-4cf3-9c36-bcebb0ba8dcc
Printer Administrator | Can manage all aspects of printers and printer connectors. | 644ef478-e28f-4e28-b9dc-3fdde9aa0b1f
Printer Technician | Can register and unregister printers and update printer status. | e8cef6f1-e4bd-4ea8-bc07-4b8d950f4477
Privileged Authentication Administrator | Can view, set, and reset authentication method information for any user (admin or non-admin). | 7be44c8a-adaf-4e2a-84d6-ab2649e08a13
Privileged Role Administrator | Can manage role assignments in Azure AD, and all aspects of Privileged Identity Management. | e8611ab8-c189-46e8-94e1-60213ab1f814
Reports Reader | Can read sign-in and audit reports. | 4a5d8f65-41da-4de4-8968-e035b65339cf
Search Administrator | Can create and manage all aspects of Microsoft Search settings. | 0964bb5e-9bdb-4d7b-ac29-58e794862a40
Search Editor | Can create and manage editorial content such as bookmarks, Q&As, locations, and floorplans. | 8835291a-918c-4fd7-a9ce-faa49f0cf7d9
Security Administrator | Can read security information and reports, and manage configuration in Azure AD and Office 365. | 194ae4cb-b126-40b2-bd5b-6091b380977d
Security Operator | Creates and manages security events. | 5f2222b1-57c3-48ba-8ad5-d4759f1fde6f
Security Reader | Can read security information and reports in Azure AD and Office 365. | 5d6b6bb7-de71-4623-b4af-96380a352509
Service Support Administrator | Can read service health information and manage support tickets. | f023fd81-a637-4b56-95fd-791ac0226033
SharePoint Administrator | Can manage all aspects of the SharePoint service. | f28a1f50-f6e7-4571-818b-6a12f2af6b6c
Skype for Business Administrator | Can manage all aspects of the Skype for Business product. | 75941009-915a-4869-abe7-691bff18279e
Teams Administrator | Can manage the Microsoft Teams service. | 69091246-20e8-4a56-aa4d-066075b2a7a8
Teams Communications Administrator | Can manage calling and meetings features within the Microsoft Teams service. | baf37b3a-610e-45da-9e62-d9d1e5e8914b
Teams Communications Support Engineer | Can troubleshoot communications issues within Teams using advanced tools. | f70938a0-fc10-4177-9e90-2178f8765737
Teams Communications Support Specialist | Can troubleshoot communications issues within Teams using basic tools. | fcf91098-03e3-41a9-b5ba-6f0ec8188a12
Teams Devices Administrator | Can perform management-related tasks on Teams certified devices. | 3d762c5a-1b6c-493f-843e-55a3b42923d4
Usage Summary Reports Reader | Can see only tenant-level aggregates in Microsoft 365 Usage Analytics and Productivity Score. | 75934031-6c7e-415a-99d7-48dbd49e875e
User Administrator | Can manage all aspects of users and groups, including resetting passwords for limited admins. | fe930be7-5e62-47db-91af-98c3a49a38b1

Application Administrator

Users in this role can create and manage all aspects of enterprise applications, application registrations, and application proxy settings. Note that users assigned to this role are not added as owners when creating new application registrations or enterprise applications.

This role also grants the ability to consent for delegated permissions and application permissions, with the exception of application permissions for both Microsoft Graph and Azure AD Graph.

Important

This exception means that you can still consent to application permissions for other apps (for example, non-Microsoft apps or apps that you have registered). You can still request these permissions as part of the app registration, but granting (that is, consenting to) these permissions requires a more privileged administrator, such as Global Administrator.

This role grants the ability to manage application credentials. Users assigned this role can add credentials to an application and use those credentials to authenticate as the application's identity. If the application's identity has been granted access to a resource, such as the ability to create or update User or other objects, then a user assigned to this role could perform those actions while impersonating the application. This ability to impersonate the application's identity may be an elevation of privilege over what the user can do via their role assignments. It is important to understand that assigning a user to the Application Administrator role gives them the ability to impersonate an application's identity, including applications that already hold Microsoft Graph application permissions the role itself could never consent to.

Actions | Description
microsoft.directory/applications/create | Create all types of applications
microsoft.directory/applications/delete | Delete all types of applications
microsoft.directory/applications/applicationProxy/read | Read all application proxy properties
microsoft.directory/applications/applicationProxy/update | Update all application proxy properties
microsoft.directory/applications/applicationProxyAuthentication/update | Update application proxy authentication settings
microsoft.directory/applications/applicationProxySslCertificate/update | Update SSL certificate settings for application proxy
microsoft.directory/applications/applicationProxyUrlSettings/update | Update URL settings for application proxy
microsoft.directory/applications/appRoles/update | Update the appRoles property on all types of applications
microsoft.directory/applications/audience/update | Update the audience property for applications
microsoft.directory/applications/authentication/update | Update authentication on all types of applications
microsoft.directory/applications/basic/update | Update basic properties for applications
microsoft.directory/applications/credentials/update | Update application credentials
microsoft.directory/applications/owners/update | Update owners of applications
microsoft.directory/applications/permissions/update | Update exposed permissions and required permissions on all types of applications
microsoft.directory/applications/policies/update | Update policies of applications
microsoft.directory/applications/verification/update | Update the verification property of applications
microsoft.directory/applications/synchronization/standard/read | Read provisioning settings associated with the application object
microsoft.directory/applicationTemplates/instantiate | Instantiate gallery applications from application templates
microsoft.directory/auditLogs/allProperties/read | Read all properties on audit logs, including privileged properties
microsoft.directory/connectors/create | Create application proxy connectors
microsoft.directory/connectors/allProperties/read | Read all properties of application proxy connectors
microsoft.directory/connectorGroups/create | Create application proxy connector groups
microsoft.directory/connectorGroups/delete | Delete application proxy connector groups
microsoft.directory/connectorGroups/allProperties/read | Read all properties of application proxy connector groups
microsoft.directory/connectorGroups/allProperties/update | Update all properties of application proxy connector groups
microsoft.directory/oAuth2PermissionGrants/allProperties/allTasks | Create and delete OAuth 2.0 permission grants, and read and update all properties
microsoft.directory/applicationPolicies/create | Create application policies
microsoft.directory/applicationPolicies/delete | Delete application policies
microsoft.directory/applicationPolicies/standard/read | Read standard properties of application policies
microsoft.directory/applicationPolicies/owners/read | Read owners on application policies
microsoft.directory/applicationPolicies/policyAppliedTo/read | Read the list of objects an application policy is applied to
microsoft.directory/applicationPolicies/basic/update | Update standard properties of application policies
microsoft.directory/applicationPolicies/owners/update | Update the owner property of application policies
microsoft.directory/provisioningLogs/allProperties/read | Read all properties of provisioning logs
microsoft.directory/servicePrincipals/create | Create service principals
microsoft.directory/servicePrincipals/delete | Delete service principals
microsoft.directory/servicePrincipals/disable | Disable service principals
microsoft.directory/servicePrincipals/enable | Enable service principals
microsoft.directory/servicePrincipals/getPasswordSingleSignOnCredentials | Read password single sign-on credentials on service principals
microsoft.directory/servicePrincipals/synchronizationCredentials/manage | Manage application provisioning secrets and credentials
microsoft.directory/servicePrincipals/synchronizationJobs/manage | Start, restart, and pause application provisioning synchronization jobs
microsoft.directory/servicePrincipals/synchronizationSchema/manage | Create and manage application provisioning synchronization jobs and schema
microsoft.directory/servicePrincipals/managePasswordSingleSignOnCredentials | Manage password single sign-on credentials on service principals
microsoft.directory/servicePrincipals/managePermissionGrantsForAll.microsoft-application-admin | Grant consent for application permissions and delegated permissions on behalf of any user or all users, except for application permissions for Microsoft Graph and Azure AD Graph
microsoft.directory/servicePrincipals/appRoleAssignedTo/update | Update service principal role assignments
microsoft.directory/servicePrincipals/audience/update | Update audience properties on service principals
microsoft.directory/servicePrincipals/authentication/update | Update authentication properties on service principals
microsoft.directory/servicePrincipals/basic/update | Update basic properties on service principals
microsoft.directory/servicePrincipals/credentials/update | Update credentials of service principals
microsoft.directory/servicePrincipals/owners/update | Update owners of service principals
microsoft.directory/servicePrincipals/permissions/update | Update permissions of service principals
microsoft.directory/servicePrincipals/policies/update | Update policies of service principals
microsoft.directory/servicePrincipals/tag/update | Update the tag property for service principals
microsoft.directory/servicePrincipals/synchronization/standard/read | Read provisioning settings associated with the service principal
microsoft.directory/signInReports/allProperties/read | Read all properties on sign-in reports, including privileged properties
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests
microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center

Application Developer

Users in this role can create application registrations even when the "Users can register applications" setting is set to No. This role also grants permission to consent on one's own behalf when the "Users can consent to apps accessing company data on their behalf" setting is set to No. Users assigned to this role are added as owners when creating new application registrations or enterprise applications.

Actions | Description
microsoft.directory/applications/createAsOwner | Create all types of applications; the creator is added as the first owner
microsoft.directory/appRoleAssignments/createAsOwner | Create application role assignments, with the creator as the first owner
microsoft.directory/oAuth2PermissionGrants/createAsOwner | Create OAuth 2.0 permission grants, with the creator as the first owner
microsoft.directory/servicePrincipals/createAsOwner | Create service principals, with the creator as the first owner

Attack Payload Author

Users in this role can create attack payloads but cannot actually launch or schedule them. Attack payloads are then available to all administrators in the tenant, who can use them to create a simulation.

Actions | Description
microsoft.office365.protectionCenter/attackSimulator/payload/allProperties/allTasks | Create and manage attack payloads in Attack Simulator
microsoft.office365.protectionCenter/attackSimulator/reports/allProperties/read | Read reports of attack simulation responses and associated training

Attack Simulation Administrator

Users in this role can create and manage all aspects of attack simulation creation, launch/scheduling of a simulation, and the review of simulation results. Members of this role have this access for all simulations in the tenant.

Actions | Description
microsoft.office365.protectionCenter/attackSimulator/payload/allProperties/allTasks | Create and manage attack payloads in Attack Simulator
microsoft.office365.protectionCenter/attackSimulator/reports/allProperties/read | Read reports of attack simulation responses and associated training
microsoft.office365.protectionCenter/attackSimulator/simulation/allProperties/allTasks | Create and manage attack simulation templates in Attack Simulator

Authentication Administrator

Users with this role can set or reset any authentication method (including passwords) for non-administrators and for users assigned to some roles. Authentication Administrators can require users who are non-administrators or assigned to some roles to re-register against existing non-password credentials (for example, MFA or FIDO), and can also revoke "remember MFA on the device", which prompts for MFA at the next sign-in. For a list of the roles whose authentication methods an Authentication Administrator can read or update, see Password reset permissions.

The Privileged Authentication Administrator role has permission to force re-registration and multi-factor authentication for all users.

The Authentication Policy Administrator role has permission to set the tenant's authentication method policy, which determines which methods each user can register and use.

Role | Manage user's auth methods | Manage per-user MFA | Manage MFA settings | Manage auth method policy | Manage password protection policy
Authentication Administrator | Yes for some users (see above) | Yes for some users (see above) | No | No | No
Privileged Authentication Administrator | Yes for all users | Yes for all users | No | No | No
Authentication Policy Administrator | No | No | Yes | Yes | Yes

Important

Users with this role can change credentials for people who may have access to sensitive or private information or to critical configuration inside and outside Azure Active Directory. Changing a user's credentials can mean the ability to assume that user's identity and permissions. For example:

  • Application Registration and Enterprise Application owners, who can manage the credentials of the apps they own. Those apps may hold privileged permissions in Azure AD and elsewhere that are not granted to Authentication Administrators. Through this path an Authentication Administrator can assume the identity of an application owner and then, by updating the application's credentials, assume the identity of a privileged application.
  • Azure subscription owners, who may have access to sensitive or private information or to critical configuration in Azure.
  • Security group and Microsoft 365 group owners, who can manage group membership. Those groups may grant access to sensitive or private information or to critical configuration in Azure AD and elsewhere.
  • Administrators in services outside Azure AD, such as Exchange Online, the Office Security & Compliance Center, and human resources systems.
  • Non-administrators such as executives, legal counsel, and human resources employees, who may have access to sensitive or private information.

Important

This role can't manage MFA settings in the legacy MFA management portal or hardware OATH tokens. The same functions can be performed with the Set-MsolUser cmdlet from the Azure AD PowerShell (MSOnline) module.
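As an added example (not code from the Azure AD documentation), the following PowerShell shows what the note above refers to: the legacy MSOnline cmdlets that cover the per-user actions of an Authentication Administrator. It reads the user's registered methods and per-user MFA state, clears the registered methods so the user must re-register at the next sign-in, and then sets the legacy per-user MFA state. The user principal name is an assumed sample value, and the script assumes the MSOnline module is installed and that the signed-in account holds the role.

```powershell
# Added example: legacy MSOnline equivalents of Authentication Administrator actions.
# Assumes the MSOnline module is installed and the caller holds the role.
Connect-MsolService

$upn = 'alice@contoso.example'   # assumed sample UPN

# 1. Inspect what the user has registered and what is enforced on them.
$user = Get-MsolUser -UserPrincipalName $upn
'Registered methods:'
$user.StrongAuthenticationMethods      | Format-Table MethodType, IsDefault -AutoSize
'Per-user MFA state:'
$user.StrongAuthenticationRequirements | Format-Table RelyingParty, State -AutoSize

# 2. Force re-registration: clearing the registered methods makes the next
#    sign-in walk the user through MFA setup again. Do this after a verified
#    help-desk identity check, because the next person to sign in as $upn
#    chooses the new second factor.
Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationMethods @()

# 3. Turn legacy per-user MFA on. RelyingParty '*' means all relying parties;
#    State 'Enabled' prompts for registration, 'Enforced' blocks legacy auth too.
$req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$req.RelyingParty = '*'
$req.State        = 'Enabled'
Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @($req)

# To switch per-user MFA off again, pass an empty array instead:
# Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @()
```

Step 2 is the operation the page's caveat is about: whoever can run it can choose a user's new second factor, so the audit log entry it produces ("Admin updated strong authentication methods" in the Azure AD audit log) is worth alerting on when the target is an application owner, group owner, or subscription owner.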

Actions | Description
microsoft.directory/users/invalidateAllRefreshTokens | Force sign-out by invalidating user refresh tokens
microsoft.directory/users/strongAuthentication/update | Update the strong authentication property for users
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests
microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center

Authentication Policy Administrator

Users with this role can configure the authentication methods policy, tenant-wide MFA settings, and the password protection policy. This role grants permission to manage Password Protection settings: smart lockout configuration and updates to the custom banned password list.

The Authentication Administrator and Privileged Authentication Administrator roles have permission to manage the authentication methods registered on users and can force re-registration and multi-factor authentication (for some users and for all users, respectively).

Role | Manage user's auth methods | Manage per-user MFA | Manage MFA settings | Manage auth method policy | Manage password protection policy
Authentication Administrator | Yes, for some users (see above) | Yes, for some users (see above) | No | No | No
Privileged Authentication Administrator | Yes, for all users | Yes, for all users | No | No | No
Authentication Policy Administrator | No | No | Yes | Yes | Yes

Important

This role can't manage MFA settings in the legacy MFA management portal or hardware OATH tokens.

Actions | Description
microsoft.directory/organization/strongAuthentication/update | Update the strong authentication properties of the organization
microsoft.directory/userCredentialPolicies/create | Create credential policies for users
microsoft.directory/userCredentialPolicies/delete | Delete credential policies for users
microsoft.directory/userCredentialPolicies/standard/read | Read standard properties of credential policies for users
microsoft.directory/userCredentialPolicies/owners/read | Read owners of credential policies for users
microsoft.directory/userCredentialPolicies/policyAppliedTo/read | Read the policy.appliesTo navigation link
microsoft.directory/userCredentialPolicies/basic/update | Update basic properties of credential policies for users
microsoft.directory/userCredentialPolicies/owners/update | Update owners of credential policies for users
microsoft.directory/userCredentialPolicies/tenantDefault/update | Update the policy.isOrganizationDefault property

Azure AD Joined Device Local Administrator

This role is available for assignment only as an additional local administrator in Device settings. Users with this role become local machine administrators on all Windows 10 devices that are joined to Azure Active Directory. They do not have the ability to manage device objects in Azure Active Directory.

Actions | Description
microsoft.directory/groupSettings/standard/read | Read basic properties on group settings
microsoft.directory/groupSettingTemplates/standard/read | Read basic properties on group setting templates

Azure DevOps Administrator

Users with this role can manage the Azure DevOps policy that restricts creation of new Azure DevOps organizations to a configurable set of users or groups. Users in this role can manage this policy through any Azure DevOps organization that is backed by the company's Azure AD organization. The role grants no other Azure DevOps-specific permissions (for example, Project Collection Administrator) inside any of the Azure DevOps organizations backed by the company's Azure AD organization.

All enterprise Azure DevOps policies can be managed by users in this role.

Actions | Description
microsoft.azure.devOps/allEntities/allTasks | Read and configure Azure DevOps

Azure Information Protection Administrator

Users with this role have all permissions in the Azure Information Protection service. The role allows configuring labels for the Azure Information Protection policy, managing protection templates, and activating protection. It does not grant any permissions in Identity Protection Center, Privileged Identity Management, Monitor Microsoft 365 Service Health, or the Office 365 Security & Compliance Center.

Actions | Description
microsoft.azure.informationProtection/allEntities/allTasks | Manage all aspects of Azure Information Protection
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests
microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center

B2C IEF Keyset Administrator

Users in this role can create and manage policy keys and secrets for token encryption, token signing, and claim encryption/decryption. By adding new keys to existing key containers, this limited administrator can roll over secrets as needed without impacting existing applications. This user can see the full content of these secrets and their expiration dates, even after they are created.

Important

This is a sensitive role. The keyset administrator role should be carefully audited and assigned with care during pre-production and production.

Actions | Description
microsoft.directory/b2cTrustFrameworkKeySet/allProperties/allTasks | Read and configure key sets in Azure Active Directory B2C

B2C IEF Policy Administrator

Users in this role can create, read, update, and delete all custom policies in Azure AD B2C, and therefore have full control over the Identity Experience Framework in the relevant Azure AD B2C organization. By editing policies, this user can establish direct federation with external identity providers, change the directory schema, change all user-facing content (HTML, CSS, JavaScript), change the requirements to complete an authentication, create new users, send user data to external systems (including full migrations), and edit all user information, including sensitive fields such as passwords and phone numbers. Conversely, this role cannot change the encryption keys or edit the secrets used for federation in the organization.

Important

The B2C IEF Policy Administrator is a highly sensitive role that should be assigned on a very limited basis for organizations in production. Activities by these users should be closely audited, especially for organizations in production.

Actions | Description
microsoft.directory/b2cTrustFrameworkPolicy/allProperties/allTasks | Read and update all properties of custom (trust framework) policies in Azure Active Directory B2C

Billing Administrator

Makes purchases, manages subscriptions, manages support tickets, and monitors service health.

Actions | Description
microsoft.directory/organization/basic/update | Update basic properties on the organization
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets
microsoft.commerce.billing/allEntities/allTasks | Manage all aspects of Office 365 billing
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests
microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center

Cloud Application Administrator

Users in this role have the same permissions as the Application Administrator role, excluding the ability to manage Application Proxy. The role grants the ability to create and manage all aspects of enterprise applications and application registrations. Users assigned this role are not added as owners when they create new application registrations or enterprise applications.

The role also grants the ability to consent for delegated permissions and application permissions, with the exception of application permissions for Microsoft Graph and Azure AD Graph.

Important

This exception means that you can still consent to application permissions for other apps (for example, non-Microsoft apps or apps that you have registered). You can still request Microsoft Graph and Azure AD Graph application permissions as part of an app registration, but granting (that is, consenting to) them requires a more privileged administrator, such as Global Administrator.

The role grants the ability to manage application credentials. Users assigned this role can add credentials to an application and use those credentials to impersonate the application's identity. If the application's identity has been granted access to a resource, such as the ability to create or update users or other objects, a user assigned this role could perform those actions while impersonating the application. This ability to impersonate an application's identity may be an elevation of privilege over what the user can do through their own role assignments. It is important to understand that assigning a user to this role, as with the Application Administrator role, gives them the ability to impersonate an application's identity.

Actions | Description
microsoft.directory/applications/create | Create all types of applications
microsoft.directory/applications/delete | Delete all types of applications
microsoft.directory/applications/appRoles/update | Update the appRoles property on all types of applications
microsoft.directory/applications/audience/update | Update the audience property for applications
microsoft.directory/applications/authentication/update | Update authentication on all types of applications
microsoft.directory/applications/basic/update | Update basic properties for applications
microsoft.directory/applications/credentials/update | Update application credentials
microsoft.directory/applications/owners/update | Update owners of applications
microsoft.directory/applications/permissions/update | Update exposed permissions and required permissions on all types of applications
microsoft.directory/applications/policies/update | Update policies of applications
microsoft.directory/applications/verification/update | Update the verification property on applications
microsoft.directory/applications/synchronization/standard/read | Read provisioning settings associated with the application object
microsoft.directory/applicationTemplates/instantiate | Instantiate gallery applications from application templates
microsoft.directory/auditLogs/allProperties/read | Read all properties on audit logs, including privileged properties
microsoft.directory/oAuth2PermissionGrants/allProperties/allTasks | Create and delete OAuth 2.0 permission grants, and read and update all properties
microsoft.directory/applicationPolicies/create | Create application policies
microsoft.directory/applicationPolicies/delete | Delete application policies
microsoft.directory/applicationPolicies/standard/read | Read standard properties of application policies
microsoft.directory/applicationPolicies/owners/read | Read owners of application policies
microsoft.directory/applicationPolicies/policyAppliedTo/read | Read the list of objects an application policy is applied to
microsoft.directory/applicationPolicies/basic/update | Update standard properties of application policies
microsoft.directory/applicationPolicies/owners/update | Update the owner property of application policies
microsoft.directory/provisioningLogs/allProperties/read | Read all properties of provisioning logs
microsoft.directory/servicePrincipals/create | Create service principals
microsoft.directory/servicePrincipals/delete | Delete service principals
microsoft.directory/servicePrincipals/disable | Disable service principals
microsoft.directory/servicePrincipals/enable | Enable service principals
microsoft.directory/servicePrincipals/getPasswordSingleSignOnCredentials | Read password single sign-on credentials on service principals
microsoft.directory/servicePrincipals/synchronizationCredentials/manage | Manage application provisioning secrets and credentials
microsoft.directory/servicePrincipals/synchronizationJobs/manage | Start, restart, and pause application provisioning synchronization jobs
microsoft.directory/servicePrincipals/synchronizationSchema/manage | Create and manage application provisioning synchronization jobs and schema
microsoft.directory/servicePrincipals/managePasswordSingleSignOnCredentials | Manage password single sign-on credentials on service principals
microsoft.directory/servicePrincipals/managePermissionGrantsForAll.microsoft-application-admin | Grant consent for application permissions and delegated permissions on behalf of any user or all users, except for application permissions for Microsoft Graph and Azure AD Graph
microsoft.directory/servicePrincipals/appRoleAssignedTo/update | Update service principal role assignments
microsoft.directory/servicePrincipals/audience/update | Update audience properties on service principals
microsoft.directory/servicePrincipals/authentication/update | Update authentication properties on service principals
microsoft.directory/servicePrincipals/basic/update | Update basic properties on service principals
microsoft.directory/servicePrincipals/credentials/update | Update credentials of service principals
microsoft.directory/servicePrincipals/owners/update | Update owners of service principals
microsoft.directory/servicePrincipals/permissions/update | Update permissions of service principals
microsoft.directory/servicePrincipals/policies/update | Update policies of service principals
microsoft.directory/servicePrincipals/tag/update | Update the tag property for service principals
microsoft.directory/servicePrincipals/synchronization/standard/read | Read provisioning settings associated with the service principal
microsoft.directory/signInReports/allProperties/read | Read all properties on sign-in reports, including privileged properties
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests
microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center
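The credential-impersonation path described for Cloud Application Administrator above, and the owner-password-reset path described under Authentication Administrator, both end at the same place: an application that already holds Microsoft Graph application permissions. As an added example (not code from the Azure AD documentation or from Microsoft), the following script uses the Microsoft Graph PowerShell SDK to list every service principal in the tenant that has been granted a Graph application permission, the names of those permissions, and the users who own the enterprise app or its app registration. Those owners are exactly the accounts whose password reset by an Authentication Administrator leads to the app, and the apps are exactly the ones a Cloud Application Administrator can add a credential to. The permission watch list and the requested scopes are assumptions for illustration, not a Microsoft-defined set.

```powershell
# Added example: find apps holding Microsoft Graph application permissions and their owners.
# Assumes the Microsoft.Graph PowerShell SDK and an account allowed to read apps and the directory.
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All' | Out-Null

$graphAppId = '00000003-0000-0000-c000-000000000000'   # well-known Microsoft Graph appId
$graphSp    = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"

# Map appRoleId (GUID) -> permission name such as Directory.ReadWrite.All
$roleName = @{}
foreach ($r in $graphSp.AppRoles) { $roleName[$r.Id] = $r.Value }

# Assumed watch list: app permissions that can write roles, apps, or grants.
$watch = @('RoleManagement.ReadWrite.Directory', 'Directory.ReadWrite.All',
           'AppRoleAssignment.ReadWrite.All', 'Application.ReadWrite.All')

# Each appRoleAssignment on the Graph service principal is one application
# permission granted to some principal; keep only service principals.
$grants = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All |
          Where-Object { $_.PrincipalType -eq 'ServicePrincipal' }

$report = foreach ($group in ($grants | Group-Object PrincipalId)) {
    $sp    = Get-MgServicePrincipal -ServicePrincipalId $group.Name
    $perms = @($group.Group | ForEach-Object { $roleName[$_.AppRoleId] } | Sort-Object -Unique)

    # Owners of the enterprise app (service principal) ...
    $owners = @(Get-MgServicePrincipalOwner -ServicePrincipalId $sp.Id -All |
                ForEach-Object { $_.AdditionalProperties['userPrincipalName'] })
    # ... and of the app registration, when it lives in this tenant.
    $app = Get-MgApplication -Filter "appId eq '$($sp.AppId)'"
    if ($app) {
        $owners += @(Get-MgApplicationOwner -ApplicationId $app.Id -All |
                     ForEach-Object { $_.AdditionalProperties['userPrincipalName'] })
    }

    [pscustomobject]@{
        App         = $sp.DisplayName
        AppId       = $sp.AppId
        Permissions = $perms -join ', '
        HighRisk    = [bool]($perms | Where-Object { $watch -contains $_ })
        Owners      = (@($owners | Where-Object { $_ } | Sort-Object -Unique)) -join ', '
    }
}

$report | Sort-Object HighRisk -Descending, App | Format-Table -AutoSize
```

Rows with HighRisk set and a non-empty Owners column are the ones to act on: either remove the owner (so an Authentication Administrator's password reset no longer reaches the app) or move the app under a credential policy and Privileged Identity Management so that adding a credential is itself a gated, audited operation. Owners that are service principals rather than users have no userPrincipalName and are filtered out of the Owners column.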

Cloud Device Administrator

Users in this role can enable, disable, and delete devices in Azure AD, and read Windows 10 BitLocker keys (if present) in the Azure portal. The role does not grant permission to manage any other properties on the device.

Actions | Description
microsoft.directory/auditLogs/allProperties/read | Read all properties on audit logs, including privileged properties
microsoft.directory/bitlockerKeys/key/read | Read BitLocker metadata and key on devices
microsoft.directory/devices/delete | Delete devices from Azure AD
microsoft.directory/devices/disable | Disable devices in Azure AD
microsoft.directory/devices/enable | Enable devices in Azure AD
microsoft.directory/devices/extensionAttributes/update | Update all values of the devices.extensionAttributes property
microsoft.directory/deviceManagementPolicies/standard/read | Read standard properties on device management application policies
microsoft.directory/deviceManagementPolicies/basic/update | Update basic properties on device management application policies
microsoft.directory/deviceRegistrationPolicy/standard/read | Read standard properties on device registration policies
microsoft.directory/deviceRegistrationPolicy/basic/update | Update basic properties on device registration policies
microsoft.directory/signInReports/allProperties/read | Read all properties on sign-in reports, including privileged properties
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center

Compliance Administrator

Users with this role have permission to manage compliance-related features in the Microsoft 365 compliance center, the Microsoft 365 admin center, Azure, and the Office 365 Security & Compliance Center. Assignees can also manage all features within the Exchange admin center and the Teams & Skype for Business admin centers, and can create support tickets for Azure and Microsoft 365. More information is available at About Microsoft 365 admin roles.

In | Can do
Microsoft 365 compliance center | Protect and manage your organization's data across Microsoft 365 services
 | Manage compliance alerts
Compliance Manager | Track, assign, and verify your organization's regulatory compliance activities
Office 365 Security & Compliance Center | Manage data governance
 | Perform legal and data investigation
 | Manage Data Subject Requests
 | This role has the same permissions as the Compliance Administrator role group in Office 365 Security & Compliance Center role-based access control
Intune | View all Intune audit data
Cloud App Security | Has read-only permissions and can manage alerts
 | Can create and modify file policies and allow file governance actions
 | Can view all the built-in reports under Data Management

Actions | Description
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets
microsoft.directory/entitlementManagement/allProperties/read | Read all properties in Azure AD entitlement management
microsoft.office365.complianceManager/allEntities/allTasks | Manage all aspects of Office 365 Compliance Manager
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests
microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center

Compliance Data Administrator

Users with this role have permissions to track data in the Microsoft 365 compliance center, Microsoft 365 admin center, and Azure. Users can also track compliance data within the Exchange admin center, Compliance Manager, and Teams & Skype for Business admin center, and create support tickets for Azure and Microsoft 365. This documentation has details on the differences between Compliance Administrator and Compliance Data Administrator.

In Can do
Microsoft 365 compliance center Monitor compliance-related policies across Microsoft 365 services
Manage compliance alerts
Compliance Manager Track, assign, and verify your organization's regulatory compliance activities
Office 365 Security & Compliance Center Manage data governance
Perform legal and data investigation
Manage Data Subject Request
Intune View all Intune audit data
Cloud App Security Has read-only permissions and can manage alerts
Can create and modify file policies and allow file governance actions
Can view all the built-in reports under Data Management

This role has the same permissions as the Compliance Data Administrator RoleGroup in Office 365 Security & Compliance Center role-based access control.

Actions Description
microsoft.directory/cloudAppSecurity/allProperties/allTasks Create and delete all resources, and read and update standard properties in Microsoft Cloud App Security
microsoft.azure.informationProtection/allEntities/allTasks Manage all aspects of Azure Information Protection
microsoft.azure.serviceHealth/allEntities/allTasks Read and configure Azure Service Health
microsoft.azure.supportTickets/allEntities/allTasks Create and manage Azure support tickets
microsoft.office365.complianceManager/allEntities/allTasks Manage all aspects of Office 365 Compliance Manager
microsoft.office365.serviceHealth/allEntities/allTasks Read and configure Service Health in the Microsoft 365 admin center
microsoft.office365.supportTickets/allEntities/allTasks Create and manage Microsoft 365 service requests
microsoft.office365.webPortal/allEntities/standard/read Read basic properties on all resources in the Microsoft 365 admin center

Conditional Access Administrator

Users with this role have the ability to manage Azure Active Directory Conditional Access settings.

Actions Description
microsoft.directory/conditionalAccessPolicies/create Create conditional access policies
microsoft.directory/conditionalAccessPolicies/delete Delete conditional access policies
microsoft.directory/conditionalAccessPolicies/standard/read Read conditional access for policies
microsoft.directory/conditionalAccessPolicies/owners/read Read the owners of conditional access policies
microsoft.directory/conditionalAccessPolicies/policyAppliedTo/read Read the "applied to" property for conditional access policies
microsoft.directory/conditionalAccessPolicies/basic/update Update basic properties for conditional access policies
microsoft.directory/conditionalAccessPolicies/owners/update Update owners for conditional access policies
microsoft.directory/conditionalAccessPolicies/tenantDefault/update Update the default tenant for conditional access policies
microsoft.directory/crossTenantAccessPolicies/create Create cross-tenant access policies
microsoft.directory/crossTenantAccessPolicies/delete Delete cross-tenant access policies
microsoft.directory/crossTenantAccessPolicies/standard/read Read basic properties of cross-tenant access policies
microsoft.directory/crossTenantAccessPolicies/owners/read Read owners of cross-tenant access policies
microsoft.directory/crossTenantAccessPolicies/policyAppliedTo/read Read the policyAppliedTo property of cross-tenant access policies
microsoft.directory/crossTenantAccessPolicies/basic/update Update basic properties of cross-tenant access policies
microsoft.directory/crossTenantAccessPolicies/owners/update Update owners of cross-tenant access policies
microsoft.directory/crossTenantAccessPolicies/tenantDefault/update Update the default tenant for cross-tenant access policies

Customer LockBox Access Approver

Manages Customer Lockbox requests in your organization. They receive email notifications for Customer Lockbox requests and can approve and deny requests from the Microsoft 365 admin center. They can also turn the Customer Lockbox feature on or off. Only Global Administrators can reset the passwords of people assigned to this role.

Actions Description
microsoft.office365.lockbox/allEntities/allTasks Manage all aspects of Customer Lockbox
microsoft.office365.webPortal/allEntities/standard/read Read basic properties on all resources in the Microsoft 365 admin center

Desktop Analytics Administrator

Users in this role can manage the Desktop Analytics and Office Customization & Policy services. For Desktop Analytics, this includes the ability to view asset inventory, create deployment plans, and view deployment and health status. For the Office Customization & Policy service, this role enables users to manage Office policies.

Actions Description
microsoft.azure.serviceHealth/allEntities/allTasks Read and configure Azure Service Health
microsoft.azure.supportTickets/allEntities/allTasks Create and manage Azure support tickets
microsoft.office365.desktopAnalytics/allEntities/allTasks Manage all aspects of Desktop Analytics
microsoft.office365.serviceHealth/allEntities/allTasks Read and configure Service Health in the Microsoft 365 admin center
microsoft.office365.supportTickets/allEntities/allTasks Create and manage Microsoft 365 service requests
microsoft.office365.webPortal/allEntities/standard/read Read basic properties on all resources in the Microsoft 365 admin center

Directory Readers

Users in this role can read basic directory information. This role should be used for:

  • Granting a specific set of guest users read access instead of granting it to all guest users.
  • Granting a specific set of non-admin users access to the Azure portal when "Restrict access to Azure AD portal to admins only" is set to "Yes".
  • Granting service principals access to the directory where Directory.Read.All is not an option.

Actions Description
microsoft.directory/administrativeUnits/standard/read Read basic properties on administrative units
microsoft.directory/administrativeUnits/members/read Read members of administrative units
microsoft.directory/applications/standard/read Read standard properties of applications
microsoft.directory/applications/owners/read Read owners of applications
microsoft.directory/applications/policies/read Read policies of applications
microsoft.directory/contacts/standard/read Read basic properties on contacts in Azure AD
microsoft.directory/contacts/memberOf/read Read the group membership for all contacts in Azure AD
microsoft.directory/contracts/standard/read Read basic properties on partner contracts
microsoft.directory/devices/standard/read Read basic properties on devices
microsoft.directory/devices/memberOf/read Read device memberships
microsoft.directory/devices/registeredOwners/read Read registered owners of devices
microsoft.directory/devices/registeredUsers/read Read registered users of devices
microsoft.directory/directoryRoles/standard/read Read basic properties on Azure AD roles
microsoft.directory/directoryRoles/eligibleMembers/read Read the eligible members of Azure AD roles
microsoft.directory/directoryRoles/members/read Read all members of Azure AD roles
microsoft.directory/domains/standard/read Read basic properties on domains
microsoft.directory/groups/standard/read Read basic properties on groups
microsoft.directory/groups/appRoleAssignments/read Read application role assignments of groups
microsoft.directory/groups/memberOf/read Read the groups of which a group is a member in Azure AD
microsoft.directory/groups/members/read Read members of groups
microsoft.directory/groups/owners/read Read owners of groups
microsoft.directory/groups/settings/read Read settings of groups
microsoft.directory/groupSettings/standard/read Read basic properties on group settings
microsoft.directory/groupSettingTemplates/standard/read Read basic properties on group setting templates
microsoft.directory/oAuth2PermissionGrants/standard/read Read basic properties on OAuth 2.0 permission grants
microsoft.directory/organization/standard/read Read basic properties on an organization
microsoft.directory/organization/trustedCAsForPasswordlessAuth/read Read trusted certificate authorities for passwordless authentication
microsoft.directory/applicationPolicies/standard/read Read standard properties of application policies
microsoft.directory/roleAssignments/standard/read Read basic properties on role assignments
microsoft.directory/roleDefinitions/standard/read Read basic properties on role definitions
microsoft.directory/servicePrincipals/appRoleAssignedTo/read Read service principal role assignments
microsoft.directory/servicePrincipals/appRoleAssignments/read Read role assignments assigned to service principals
microsoft.directory/servicePrincipals/standard/read Read basic properties of service principals
microsoft.directory/servicePrincipals/memberOf/read Read the group memberships on service principals
microsoft.directory/servicePrincipals/oAuth2PermissionGrants/read Read delegated permission grants on service principals
microsoft.directory/servicePrincipals/owners/read Read owners of service principals
microsoft.directory/servicePrincipals/ownedObjects/read Read owned objects of service principals
microsoft.directory/servicePrincipals/policies/read Read policies of service principals
microsoft.directory/subscribedSkus/standard/read Read basic properties on subscriptions
microsoft.directory/users/standard/read Read basic properties on users
microsoft.directory/users/appRoleAssignments/read Read application role assignments of users
microsoft.directory/users/directReports/read Read the direct reports for users
microsoft.directory/users/manager/read Read manager of users
microsoft.directory/users/memberOf/read Read the group memberships of users
microsoft.directory/users/oAuth2PermissionGrants/read Read delegated permission grants on users
microsoft.directory/users/ownedDevices/read Read owned devices of users
microsoft.directory/users/ownedObjects/read Read owned objects of users
microsoft.directory/users/registeredDevices/read Read registered devices of users

Directory Synchronization Accounts

Do not use. This role is automatically assigned to the Azure AD Connect service, and is not intended or supported for any other use.

Actions Description
microsoft.directory/applications/create Create all types of applications
microsoft.directory/applications/delete Delete all types of applications
microsoft.directory/applications/appRoles/update Update the appRoles property on all types of applications
microsoft.directory/applications/audience/update Update the audience property for applications
microsoft.directory/applications/authentication/update Update authentication on all types of applications
microsoft.directory/applications/basic/update Update basic properties for applications
microsoft.directory/applications/credentials/update Update application credentials
microsoft.directory/applications/owners/update Update owners of applications
microsoft.directory/applications/permissions/update Update exposed permissions and required permissions on all types of applications
microsoft.directory/applications/policies/update Update policies of applications
microsoft.directory/organization/dirSync/update Update the organization directory sync property
microsoft.directory/policies/create Create policies in Azure AD
microsoft.directory/policies/delete Delete policies in Azure AD
microsoft.directory/policies/standard/read Read basic properties on policies
microsoft.directory/policies/owners/read Read owners of policies
microsoft.directory/policies/policyAppliedTo/read Read the policyAppliedTo property of policies
microsoft.directory/policies/basic/update Update basic properties on policies
microsoft.directory/policies/owners/update Update owners of policies
microsoft.directory/policies/tenantDefault/update Update default organization policies
microsoft.directory/servicePrincipals/create Create service principals
microsoft.directory/servicePrincipals/delete Delete service principals
microsoft.directory/servicePrincipals/enable Enable service principals
microsoft.directory/servicePrincipals/disable Disable service principals
microsoft.directory/servicePrincipals/getPasswordSingleSignOnCredentials Read password single sign-on credentials on service principals
microsoft.directory/servicePrincipals/managePasswordSingleSignOnCredentials Manage password single sign-on credentials on service principals
microsoft.directory/servicePrincipals/appRoleAssignedTo/read Read service principal role assignments
microsoft.directory/servicePrincipals/appRoleAssignments/read Read role assignments assigned to service principals
microsoft.directory/servicePrincipals/standard/read Read basic properties of service principals
microsoft.directory/servicePrincipals/memberOf/read Read the group memberships on service principals
microsoft.directory/servicePrincipals/oAuth2PermissionGrants/read Read delegated permission grants on service principals
microsoft.directory/servicePrincipals/owners/read Read owners of service principals
microsoft.directory/servicePrincipals/ownedObjects/read Read owned objects of service principals
microsoft.directory/servicePrincipals/policies/read Read policies of service principals
microsoft.directory/servicePrincipals/appRoleAssignedTo/update Update service principal role assignments
microsoft.directory/servicePrincipals/audience/update Update audience properties on service principals
microsoft.directory/servicePrincipals/authentication/update Update authentication properties on service principals
microsoft.directory/servicePrincipals/basic/update Update basic properties on service principals
microsoft.directory/servicePrincipals/credentials/update Update credentials of service principals
microsoft.directory/servicePrincipals/owners/update Update owners of service principals
microsoft.directory/servicePrincipals/permissions/update Update permissions of service principals
microsoft.directory/servicePrincipals/policies/update Update policies of service principals
microsoft.directory/servicePrincipals/tag/update Update the tag property for service principals

Directory Writers

Users in this role can read and update basic information of users, groups, and service principals. Assign this role only to applications that don't support the Consent Framework. It should not be assigned to any users.

Actions Description
microsoft.directory/groups/assignLicense Assign product licenses to groups for group-based licensing
microsoft.directory/groups/create Create groups, excluding role-assignable groups
microsoft.directory/groups/reprocessLicenseAssignment Reprocess license assignments for group-based licensing
microsoft.directory/groups/basic/update Update basic properties on groups, excluding role-assignable groups
microsoft.directory/groups/classification/update Update the classification property of groups, excluding role-assignable groups
microsoft.directory/groups/dynamicMembershipRule/update Update the dynamic membership rule of groups, excluding role-assignable groups
microsoft.directory/groups/groupType/update Update the groupType property for a group
microsoft.directory/groups/members/update Update members of groups, excluding role-assignable groups
microsoft.directory/groups/onPremWriteBack/update Update Azure Active Directory groups to be written back to on-premises with Azure AD Connect
microsoft.directory/groups/owners/update Update owners of groups, excluding role-assignable groups
microsoft.directory/groups/settings/update Update settings of groups
microsoft.directory/groups/visibility/update Update the visibility property of groups
microsoft.directory/groupSettings/create Create group settings
microsoft.directory/groupSettings/delete Delete group settings
microsoft.directory/groupSettings/basic/update Update basic properties on group settings
microsoft.directory/oAuth2PermissionGrants/create Create OAuth 2.0 permission grants
microsoft.directory/oAuth2PermissionGrants/basic/update Update OAuth 2.0 permission grants
microsoft.directory/servicePrincipals/synchronizationCredentials/manage Manage application provisioning secrets and credentials
microsoft.directory/servicePrincipals/synchronizationJobs/manage Start, restart, and pause application provisioning synchronization jobs
microsoft.directory/servicePrincipals/synchronizationSchema/manage Create and manage application provisioning synchronization jobs and schema
microsoft.directory/servicePrincipals/managePermissionGrantsForGroup.microsoft-all-application-permissions Grant a service principal direct access to a group's data
microsoft.directory/servicePrincipals/appRoleAssignedTo/update Update service principal role assignments
microsoft.directory/users/assignLicense Manage user licenses
microsoft.directory/users/create Add users
microsoft.directory/users/disable Disable users
microsoft.directory/users/enable Enable users
microsoft.directory/users/invalidateAllRefreshTokens Force sign-out by invalidating user refresh tokens
microsoft.directory/users/reprocessLicenseAssignment Reprocess license assignments for users
microsoft.directory/users/basic/update Update basic properties on users
microsoft.directory/users/manager/update Update manager for users
microsoft.directory/users/userPrincipalName/update Update User Principal Name of users

Domain Name Administrator

Users with this role can manage (read, add, verify, update, and delete) domain names. They can also read directory information about users, groups, and applications, as these objects possess domain dependencies. For on-premises environments, users with this role can configure domain names for federation so that associated users are always authenticated on-premises. These users can then sign into Azure AD-based services with their on-premises passwords via single sign-on. Federation settings need to be synced via Azure AD Connect, so users also have permissions to manage Azure AD Connect.

Actions Description
microsoft.directory/domains/allProperties/allTasks Create and delete domains, and read and update all properties
microsoft.office365.supportTickets/allEntities/allTasks Create and manage Microsoft 365 service requests

Dynamics 365 Administrator

Users with this role have global permissions within Microsoft Dynamics 365 Online, when the service is present, as well as the ability to manage support tickets and monitor service health. More information at Use the service admin role to manage your Azure AD organization.

Note

In the Microsoft Graph API and Azure AD PowerShell, this role is identified as "Dynamics 365 Service Administrator." It is "Dynamics 365 Administrator" in the Azure portal.

Actions Description
microsoft.azure.serviceHealth/allEntities/allTasks Read and configure Azure Service Health
microsoft.azure.supportTickets/allEntities/allTasks Create and manage Azure support tickets
microsoft.dynamics365/allEntities/allTasks Manage all aspects of Dynamics 365
microsoft.office365.serviceHealth/allEntities/allTasks Read and configure Service Health in the Microsoft 365 admin center
microsoft.office365.supportTickets/allEntities/allTasks Create and manage Microsoft 365 service requests
microsoft.office365.webPortal/allEntities/standard/read Read basic properties on all resources in the Microsoft 365 admin center

Exchange Administrator

Users with this role have global permissions within Microsoft Exchange Online, when the service is present. They also have the ability to create and manage all Microsoft 365 groups, manage support tickets, and monitor service health. More information at About Microsoft 365 admin roles.

Note

In the Microsoft Graph API and Azure AD PowerShell, this role is identified as "Exchange Service Administrator." It is "Exchange Administrator" in the Azure portal. It is "Exchange Online administrator" in the Exchange admin center.

Actions Description
microsoft.directory/groups/hiddenMembers/read Read hidden members of a group
microsoft.directory/groups.unified/create Create Microsoft 365 groups, with the exclusion of role-assignable groups
microsoft.directory/groups.unified/delete Delete Microsoft 365 groups, with the exclusion of role-assignable groups
microsoft.directory/groups.unified/restore Restore Microsoft 365 groups
microsoft.directory/groups.unified/basic/update Update basic properties on Microsoft 365 groups, with the exclusion of role-assignable groups
microsoft.directory/groups.unified/members/update Update members of Microsoft 365 groups, with the exclusion of role-assignable groups
microsoft.directory/groups.unified/owners/update Update owners of Microsoft 365 groups, with the exclusion of role-assignable groups
microsoft.azure.serviceHealth/allEntities/allTasks Read and configure Azure Service Health
microsoft.azure.supportTickets/allEntities/allTasks Create and manage Azure support tickets
microsoft.office365.exchange/allEntities/basic/allTasks Manage all aspects of Exchange Online
microsoft.office365.network/performance/allProperties/read Read all network performance properties in the Microsoft 365 admin center
microsoft.office365.serviceHealth/allEntities/allTasks Read and configure Service Health in the Microsoft 365 admin center
microsoft.office365.supportTickets/allEntities/allTasks Create and manage Microsoft 365 service requests
microsoft.office365.usageReports/allEntities/allProperties/read Read Office 365 usage reports
microsoft.office365.webPortal/allEntities/standard/read Read basic properties on all resources in the Microsoft 365 admin center

Exchange Recipient Administrator

Users with this role have read access to recipients and write access to the attributes of those recipients in Exchange Online. More information at Exchange Recipients.

Actions Description
microsoft.office365.exchange/allRecipients/allProperties/allTasks Create and delete all recipients, and read and update all properties of recipients in Exchange Online
microsoft.office365.exchange/messageTracking/allProperties/allTasks Manage all tasks in message tracking in Exchange Online
microsoft.office365.exchange/migration/allProperties/allTasks Manage all tasks related to migration of recipients in Exchange Online

External ID User Flow Administrator

Users with this role can create and manage user flows (also called "built-in" policies) in the Azure portal. These users can customize HTML/CSS/JavaScript content, change MFA requirements, select claims in the token, manage API connectors, and configure session settings for all user flows in the Azure AD organization. On the other hand, this role does not include the ability to review user data or make changes to the attributes that are included in the organization schema. Changes to Identity Experience Framework policies (also known as custom policies) are also outside the scope of this role.

Actions Description
microsoft.directory/b2cUserFlow/allProperties/allTasks Read and configure user flows in Azure Active Directory B2C

External ID User Flow Attribute Administrator

Users with this role add or delete custom attributes available to all user flows in the Azure AD organization. As such, users with this role can change or add new elements to the end-user schema and impact the behavior of all user flows, indirectly resulting in changes to what data may be asked of end users and ultimately sent as claims to applications. This role cannot edit user flows.

Actions Description
microsoft.directory/b2cUserAttribute/allProperties/allTasks Read and configure custom attributes in Azure Active Directory B2C

External Identity Provider Administrator

This administrator manages federation between Azure AD organizations and external identity providers. With this role, users can add new identity providers and configure all available settings (e.g. authentication path, service ID, assigned key containers). This user can enable the Azure AD organization to trust authentications from external identity providers. The resulting impact on end-user experiences depends on the type of organization:

  • Azure AD organizations for employees and partners: The addition of a federation (e.g. with Gmail) will immediately impact all guest invitations not yet redeemed. See Adding Google as an identity provider for B2B guest users.
  • Azure Active Directory B2C organizations: The addition of a federation (for example, with Facebook, or with another Azure AD organization) does not immediately impact end-user flows until the identity provider is added as an option in a user flow (also called a built-in policy). See Configuring a Microsoft account as an identity provider for an example. To change user flows, the limited role of "B2C User Flow Administrator" is required.

Actions Description
microsoft.directory/identityProviders/allProperties/allTasks Read and configure identity providers in Azure Active Directory B2C

Global Administrator

Users with this role have access to all administrative features in Azure Active Directory, as well as services that use Azure Active Directory identities like Microsoft 365 security center, Microsoft 365 compliance center, Exchange Online, SharePoint Online, and Skype for Business Online. Furthermore, Global Administrators can elevate their access to manage all Azure subscriptions and management groups. This allows Global Administrators to get full access to all Azure resources using the respective Azure AD tenant. The person who signs up for the Azure AD organization becomes a Global Administrator. There can be more than one Global Administrator at your company. Global Administrators can reset the password for any user and all other administrators.

Note

As a best practice, Microsoft recommends that you assign the Global Administrator role to fewer than five people in your organization. For more information, see Best practices for Azure AD roles.

Actions Description
microsoft.directory/accessReviews/allProperties/allTasks Create and delete access reviews, and read and update all properties of access reviews in Azure AD
microsoft.directory/administrativeUnits/allProperties/allTasks Create and manage administrative units (including members)
microsoft.directory/applications/allProperties/allTasks Create and delete applications, and read and update all properties
microsoft.directory/applications/synchronization/standard/read Read provisioning settings associated with the application object
microsoft.directory/applicationTemplates/instantiate Instantiate gallery applications from application templates
microsoft.directory/appRoleAssignments/allProperties/allTasks Create and delete appRoleAssignments, and read and update all properties
microsoft.directory/auditLogs/allProperties/read Read all properties on audit logs, including privileged properties
microsoft.directory/authorizationPolicy/allProperties/allTasks Manage all aspects of authorization policies
microsoft.directory/bitlockerKeys/key/read Read BitLocker metadata and key on devices
microsoft.directory/cloudAppSecurity/allProperties/allTasks Create and delete all resources, and read and update standard properties in Microsoft Cloud App Security
microsoft.directory/connectors/create Create application proxy connectors
microsoft.directory/connectors/allProperties/read Read all properties of application proxy connectors
microsoft.directory/connectorGroups/create Create application proxy connector groups
microsoft.directory/connectorGroups/delete Delete application proxy connector groups
microsoft.directory/connectorGroups/allProperties/read Read all properties of application proxy connector groups
microsoft.directory/connectorGroups/allProperties/update Update all properties of application proxy connector groups
microsoft.directory/contacts/allProperties/allTasks Create and delete contacts, and read and update all properties
microsoft.directory/contracts/allProperties/allTasks Create and delete partner contracts, and read and update all properties
microsoft.directory/devices/allProperties/allTasks Create and delete devices, and read and update all properties
microsoft.directory/deviceManagementPolicies/standard/read Read standard properties on device management application policies
microsoft.directory/deviceManagementPolicies/basic/update Update basic properties on device management application policies
microsoft.directory/deviceRegistrationPolicy/standard/read Read standard properties on device registration policies
microsoft.directory/deviceRegistrationPolicy/basic/update Update basic properties on device registration policies
microsoft.directory/directoryRoles/allProperties/allTasks Create and delete directory roles, and read and update all properties
microsoft.directory/directoryRoleTemplates/allProperties/allTasks Create and delete Azure AD role templates, and read and update all properties
microsoft.directory/domains/allProperties/allTasks Create and delete domains, and read and update all properties
microsoft.directory/entitlementManagement/allProperties/allTasks Create and delete resources, and read and update all properties in Azure AD entitlement management
microsoft.directory/groups/allProperties/allTasks Create and delete groups, and read and update all properties
microsoft.directory/groupsAssignableToRoles/create Create role-assignable groups
microsoft.directory/groupsAssignableToRoles/delete Delete role-assignable groups
microsoft.directory/groupsAssignableToRoles/restore Restore role-assignable groups
microsoft.directory/groupsAssignableToRoles/allProperties/update Update role-assignable groups
microsoft.directory/groupSettings/allProperties/allTasks Create and delete group settings, and read and update all properties
microsoft.directory/groupSettingTemplates/allProperties/allTasks Create and delete group setting templates, and read and update all properties
microsoft.directory/identityProtection/allProperties/allTasks Create and delete all resources, and read and update standard properties in Azure AD Identity Protection
microsoft.directory/loginOrganizationBranding/allProperties/allTasks Create and delete loginTenantBranding, and read and update all properties
microsoft.directory/oAuth2PermissionGrants/allProperties/allTasks Create and delete OAuth 2.0 permission grants, and read and update all properties
microsoft.directory/organization/allProperties/allTasks Create and delete organizations, and read and update all properties
microsoft.directory/policies/allProperties/allTasks Create and delete policies, and read and update all properties
microsoft.directory/conditionalAccessPolicies/allProperties/allTasks Manage all properties of conditional access policies
microsoft.directory/privilegedIdentityManagement/allProperties/read Read all resources in Privileged Identity Management
microsoft.directory/provisioningLogs/allProperties/read Read all properties of provisioning logs
microsoft.directory/roleAssignments/allProperties/allTasks Create and delete role assignments, and read and update all role assignment properties
microsoft.directory/roleDefinitions/allProperties/allTasks Create and delete role definitions, and read and update all properties
microsoft.directory/scopedRoleMemberships/allProperties/allTasks Create and delete scopedRoleMemberships, and read and update all properties
microsoft.directory/serviceAction/activateService Can perform the "activate service" action for a service
microsoft.directory/serviceAction/disableDirectoryFeature Can perform the "disable directory feature" service action
microsoft.directory/serviceAction/enableDirectoryFeature Can perform the "enable directory feature" service action
microsoft.directory/serviceAction/getAvailableExtentionProperties Can perform the getAvailableExtentionProperties service action
microsoft.directory/servicePrincipals/allProperties/allTasks Create and delete service principals, and read and update all properties
microsoft.directory/servicePrincipals/managePermissionGrantsForAll.microsoft-company-admin Grant consent for any permission to any application
microsoft.directory/servicePrincipals/managePermissionGrantsForGroup.microsoft-all-application-permissions Grant a service principal direct access to a group's data
microsoft.directory/servicePrincipals/synchronization/standard/read Read provisioning settings associated with your service principal
microsoft.directory/signInReports/allProperties/read Read all properties on sign-in reports, including privileged properties
microsoft.directory/subscribedSkus/allProperties/allTasks Buy and manage subscriptions and delete subscriptions
microsoft.directory/users/allProperties/allTasks Create and delete users, and read and update all properties
microsoft.directory/permissionGrantPolicies/create Create permission grant policies
microsoft.directory/permissionGrantPolicies/delete Delete permission grant policies
microsoft.directory/permissionGrantPolicies/standard/read Read standard properties of permission grant policies
microsoft.directory/permissionGrantPolicies/basic/update Update basic properties of permission grant policies
microsoft.directory/servicePrincipalCreationPolicies/create Create service principal creation policies
microsoft.directory/servicePrincipalCreationPolicies/delete Delete service principal creation policies
microsoft.directory/servicePrincipalCreationPolicies/standard/read Read standard properties of service principal creation policies
microsoft.directory/servicePrincipalCreationPolicies/basic/update Update basic properties of service principal creation policies
microsoft.azure.advancedThreatProtection/allEntities/allTasks Manage all aspects of Azure Advanced Threat Protection
microsoft.azure.informationProtection/allEntities/allTasks Manage all aspects of Azure Information Protection
microsoft.azure.serviceHealth/allEntities/allTasks Read and configure Azure Service Health
microsoft.azure.supportTickets/allEntities/allTasks Create and manage Azure support tickets
microsoft.commerce.billing/allEntities/allTasks Manage all aspects of Office 365 billing
microsoft.dynamics365/allEntities/allTasks Manage all aspects of Dynamics 365
microsoft.flow/allEntities/allTasks Manage all aspects of Microsoft Power Automate
microsoft.intune/allEntities/allTasks Manage all aspects of Microsoft Intune
microsoft.office365.complianceManager/allEntities/allTasks Manage all aspects of Office 365 Compliance Manager
microsoft.office365.desktopAnalytics/allEntities/allTasks Manage all aspects of Desktop Analytics
microsoft.office365.exchange/allEntities/basic/allTasks Manage all aspects of Exchange Online
microsoft.office365.lockbox/allEntities/allTasks Manage all aspects of Customer Lockbox
microsoft.office365.messageCenter/messages/read Read messages in Message Center in the Microsoft 365 admin center, excluding security messages
microsoft.office365.messageCenter/securityMessages/read Read security messages in Message Center in the Microsoft 365 admin center
microsoft.office365.network/performance/allProperties/read Read all network performance properties in the Microsoft 365 admin center
microsoft.office365.protectionCenter/allEntities/allProperties/allTasks Manage all aspects of the Security and Compliance centers
microsoft.office365.search/content/manage Create and delete content, and read and update all properties in Microsoft Search
microsoft.office365.securityComplianceCenter/allEntities/allTasks Create and delete all resources, and read and update standard properties in the Microsoft 365 Security and Compliance Center
microsoft.office365.serviceHealth/allEntities/allTasks Read and configure Service Health in the Microsoft 365 admin center
microsoft.office365.sharePoint/allEntities/allTasks Create and delete all resources, and read and update standard properties in SharePoint
microsoft.office365.skypeForBusiness/allEntities/allTasks Manage all aspects of Skype for Business Online
microsoft.office365.supportTickets/allEntities/allTasks Create and manage Microsoft 365 service requests
microsoft.office365.usageReports/allEntities/allProperties/read Read Office 365 usage reports
microsoft.office365.userCommunication/allEntities/allTasks Read and update the visibility of what's new messages
microsoft.office365.webPortal/allEntities/standard/read Read basic properties on all resources in the Microsoft 365 admin center
microsoft.powerApps/allEntities/allTasks Manage all aspects of Power Apps
microsoft.powerApps.powerBI/allEntities/allTasks Manage all aspects of Power BI
microsoft.windows.defenderAdvancedThreatProtection/allEntities/allTasks Manage all aspects of Microsoft Defender for Endpoint

Global Reader

Users in this role can read settings and administrative information across Microsoft 365 services but can't take management actions. Global Reader is the read-only counterpart to Global Administrator. Assign Global Reader instead of Global Administrator for planning, audits, or investigations. Use Global Reader in combination with other limited admin roles like Exchange Administrator to make it easier to get work done without assigning the Global Administrator role. Global Reader works with the Microsoft 365 admin center, Exchange admin center, SharePoint admin center, Teams admin center, Security center, Compliance center, Azure AD admin center, and Device Management admin center.

Note

The Global Reader role has a few limitations right now:

These features are currently in development.

Actions Description
microsoft.directory/applications/applicationProxy/read Read all application proxy properties
microsoft.directory/applications/synchronization/standard/read Read provisioning settings associated with the application object
microsoft.directory/auditLogs/allProperties/read Read all properties on audit logs, including privileged properties
microsoft.directory/bitlockerKeys/key/read Read BitLocker metadata and key on devices
microsoft.directory/connectors/allProperties/read Read all properties of application proxy connectors
microsoft.directory/connectorGroups/allProperties/read Read all properties of application proxy connector groups
microsoft.directory/entitlementManagement/allProperties/read Read all properties in Azure AD entitlement management
microsoft.directory/deviceManagementPolicies/standard/read Read standard properties on device management application policies
microsoft.directory/deviceRegistrationPolicy/standard/read Read standard properties on device registration policies
microsoft.directory/groups/hiddenMembers/read Read hidden members of a group
microsoft.directory/policies/standard/read Read basic properties on policies
microsoft.directory/policies/owners/read Read owners of policies
microsoft.directory/policies/policyAppliedTo/read Read the policyAppliedTo property of policies
microsoft.directory/conditionalAccessPolicies/standard/read Read standard properties of conditional access policies
microsoft.directory/conditionalAccessPolicies/owners/read Read the owners of conditional access policies
microsoft.directory/conditionalAccessPolicies/policyAppliedTo/read Read the "applied to" property for conditional access policies
microsoft.directory/provisioningLogs/allProperties/read Read all properties of provisioning logs
microsoft.directory/servicePrincipals/authentication/read Read authentication properties on service principals
microsoft.directory/servicePrincipals/synchronization/standard/read Read provisioning settings associated with your service principal
microsoft.directory/signInReports/allProperties/read Read all properties on sign-in reports, including privileged properties
microsoft.directory/users/strongAuthentication/read Read the strong authentication property for users
microsoft.commerce.billing/allEntities/read Read all resources of Office 365 billing
microsoft.office365.exchange/allEntities/standard/read Read all resources of Exchange Online
microsoft.office365.messageCenter/messages/read Read messages in Message Center in the Microsoft 365 admin center, excluding security messages
microsoft.office365.messageCenter/securityMessages/read Read security messages in Message Center in the Microsoft 365 admin center
microsoft.office365.network/performance/allProperties/read Read all network performance properties in the Microsoft 365 admin center
microsoft.office365.protectionCenter/allEntities/allProperties/read Read all properties in the Security and Compliance centers
microsoft.office365.securityComplianceCenter/allEntities/read Read standard properties in the Microsoft 365 Security and Compliance Center
microsoft.office365.usageReports/allEntities/allProperties/read Read Office 365 usage reports
microsoft.office365.webPortal/allEntities/standard/read Read basic properties on all resources in the Microsoft 365 admin center

Groups Administrator

Users in this role can create and manage groups and their settings, such as naming and expiration policies. It is important to understand that assigning a user to this role gives them the ability to manage all groups in the organization across workloads such as Teams, SharePoint and Yammer, in addition to Outlook. The user will also be able to manage group settings across the various admin portals, such as the Microsoft Admin Center and the Azure portal, as well as workload-specific ones such as the Teams and SharePoint admin centers.

Actions | Description
microsoft.directory/groups/assignLicense | Assign product licenses to groups for group-based licensing
microsoft.directory/groups/create | Create groups, excluding role-assignable groups
microsoft.directory/groups/delete | Delete groups, excluding role-assignable groups
microsoft.directory/groups/hiddenMembers/read | Read hidden members of a group
microsoft.directory/groups/reprocessLicenseAssignment | Reprocess license assignments for group-based licensing
microsoft.directory/groups/restore | Restore deleted groups
microsoft.directory/groups/basic/update | Update basic properties on groups, excluding role-assignable groups
microsoft.directory/groups/classification/update | Update the classification property of groups, excluding role-assignable groups
microsoft.directory/groups/dynamicMembershipRule/update | Update the dynamic membership rule of groups, excluding role-assignable groups
microsoft.directory/groups/groupType/update | Update the groupType property for a group
microsoft.directory/groups/members/update | Update members of groups, excluding role-assignable groups
microsoft.directory/groups/onPremWriteBack/update | Update Azure Active Directory groups to be written back to on-premises with Azure AD Connect
microsoft.directory/groups/owners/update | Update owners of groups, excluding role-assignable groups
microsoft.directory/groups/settings/update | Update settings of groups
microsoft.directory/groups/visibility/update | Update the visibility property of groups
microsoft.directory/servicePrincipals/managePermissionGrantsForGroup.microsoft-all-application-permissions | Grant a service principal direct access to a group's data
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests
microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center

Guest Inviter

Users in this role can manage Azure Active Directory B2B guest user invitations when the "Members can invite" user setting is set to No. More information about B2B collaboration is at About Azure AD B2B collaboration. It does not include any other permissions.

Actions | Description
microsoft.directory/users/inviteGuest | Invite guest users
microsoft.directory/users/standard/read | Read basic properties on users
microsoft.directory/users/appRoleAssignments/read | Read application role assignments of users
microsoft.directory/users/directReports/read | Read the direct reports for users
microsoft.directory/users/manager/read | Read manager of users
microsoft.directory/users/memberOf/read | Read the group memberships of users
microsoft.directory/users/oAuth2PermissionGrants/read | Read delegated permission grants on users
microsoft.directory/users/ownedDevices/read | Read owned devices of users
microsoft.directory/users/ownedObjects/read | Read owned objects of users
microsoft.directory/users/registeredDevices/read | Read registered devices of users

Helpdesk Administrator

Users with this role can change passwords, invalidate refresh tokens, manage service requests, and monitor service health. Invalidating a refresh token forces the user to sign in again. Whether a Helpdesk Administrator can reset a user's password and invalidate refresh tokens depends on the role the user is assigned. For a list of the roles that a Helpdesk Administrator can reset passwords for and invalidate refresh tokens, see Password reset permissions.

Important

Users with this role can change passwords for people who may have access to sensitive or private information or critical configuration inside and outside of Azure Active Directory. Changing the password of a user may mean the ability to assume that user's identity and permissions. For example:

  • Application Registration and Enterprise Application owners, who can manage credentials of apps they own. Those apps may have privileged permissions in Azure AD and elsewhere that are not granted to Helpdesk Administrators. Through this path a Helpdesk Administrator may be able to assume the identity of an application owner and then further assume the identity of a privileged application by updating the credentials for the application.
  • Azure subscription owners, who might have access to sensitive or private information or critical configuration in Azure.
  • Security Group and Microsoft 365 group owners, who can manage group membership. Those groups may grant access to sensitive or private information or critical configuration in Azure AD and elsewhere.
  • Administrators in other services outside of Azure AD, such as Exchange Online, Office Security and Compliance Center, and human resources systems.
  • Non-administrators such as executives, legal counsel, and human resources employees who may have access to sensitive or private information.

Delegating administrative permissions over subsets of users and applying policies to a subset of users is possible with Administrative Units.

This role was previously called "Password Administrator" in the Azure portal. The "Helpdesk Administrator" name in Azure AD now matches its name in Azure AD PowerShell and the Microsoft Graph API.

Actions | Description
microsoft.directory/bitlockerKeys/key/read | Read BitLocker metadata and key on devices
microsoft.directory/users/invalidateAllRefreshTokens | Force sign-out by invalidating user refresh tokens
microsoft.directory/users/password/update | Reset passwords for all users
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests
microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center

Hybrid Identity Administrator

Users in this role can create, manage and deploy provisioning configuration from AD to Azure AD using Cloud Provisioning, as well as manage Azure AD Connect and federation settings. Users can also troubleshoot and monitor logs using this role.

Actions | Description
microsoft.directory/applications/create | Create all types of applications
microsoft.directory/applications/delete | Delete all types of applications
microsoft.directory/applications/appRoles/update | Update the appRoles property on all types of applications
microsoft.directory/applications/audience/update | Update the audience property for applications
microsoft.directory/applications/authentication/update | Update authentication on all types of applications
microsoft.directory/applications/basic/update | Update basic properties for applications
microsoft.directory/applications/credentials/update | Update application credentials
microsoft.directory/applications/owners/update | Update owners of applications
microsoft.directory/applications/permissions/update | Update exposed permissions and required permissions on all types of applications
microsoft.directory/applications/policies/update | Update policies of applications
microsoft.directory/applications/synchronization/standard/read | Read provisioning settings associated with the application object
microsoft.directory/applicationTemplates/instantiate | Instantiate gallery applications from application templates
microsoft.directory/auditLogs/allProperties/read | Read all properties on audit logs, including privileged properties
microsoft.directory/cloudProvisioning/allProperties/allTasks | Read and configure all properties of the Azure AD Cloud Provisioning service
microsoft.directory/domains/allProperties/read | Read all properties of domains
microsoft.directory/domains/federation/update | Update the federation property of domains
microsoft.directory/organization/dirSync/update | Update the organization directory sync property
microsoft.directory/provisioningLogs/allProperties/read | Read all properties of provisioning logs
microsoft.directory/servicePrincipals/create | Create service principals
microsoft.directory/servicePrincipals/delete | Delete service principals
microsoft.directory/servicePrincipals/disable | Disable service principals
microsoft.directory/servicePrincipals/enable | Enable service principals
microsoft.directory/servicePrincipals/synchronizationCredentials/manage | Manage application provisioning secrets and credentials
microsoft.directory/servicePrincipals/synchronizationJobs/manage | Start, restart, and pause application provisioning synchronization jobs
microsoft.directory/servicePrincipals/synchronizationSchema/manage | Create and manage application provisioning synchronization jobs and schema
microsoft.directory/servicePrincipals/audience/update | Update audience properties on service principals
microsoft.directory/servicePrincipals/authentication/update | Update authentication properties on service principals
microsoft.directory/servicePrincipals/basic/update | Update basic properties on service principals
microsoft.directory/servicePrincipals/credentials/update | Update credentials of service principals
microsoft.directory/servicePrincipals/owners/update | Update owners of service principals
microsoft.directory/servicePrincipals/permissions/update | Update permissions of service principals
microsoft.directory/servicePrincipals/policies/update | Update policies of service principals
microsoft.directory/servicePrincipals/tag/update | Update the tag property for service principals
microsoft.directory/servicePrincipals/synchronization/standard/read | Read provisioning settings associated with your service principal
microsoft.directory/signInReports/allProperties/read | Read all properties on sign-in reports, including privileged properties
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets
microsoft.office365.messageCenter/messages/read | Read messages in Message Center in the Microsoft 365 admin center, excluding security messages
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests
microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center

Insights Administrator

Users in this role can access the full set of administrative capabilities in the M365 Insights application. This role has the ability to read directory information, monitor service health, file support tickets, and access the Insights admin settings.

Actions | Description
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets
microsoft.insights/allEntities/allTasks | Manage all aspects of the Insights app
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests
microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center

Insights Business Leader

Users in this role can access a set of dashboards and insights via the M365 Insights application. This includes full access to all dashboards and presented insights and data exploration functionality. Users in this role do not have access to product configuration settings, which is the responsibility of the Insights Admin role.

Actions | Description
microsoft.insights/reports/read | View reports and dashboards in the Insights app
microsoft.insights/programs/update | Deploy and manage programs in the Insights app

Intune Administrator

Users with this role have global permissions within Microsoft Intune Online, when the service is present. Additionally, this role contains the ability to manage users and devices in order to associate policy, as well as create and manage groups. More information at Role-based administration control (RBAC) with Microsoft Intune.

This role can create and manage all security groups. However, the Intune Administrator does not have admin rights over Office groups. That means the admin cannot update owners or memberships of all Office groups in the organization. However, they can manage the Office groups that they create, which comes as part of their end-user privileges. So, any Office group (not security group) that they create is counted against their quota of 250.

Note

In the Microsoft Graph API and Azure AD PowerShell, this role is identified as "Intune Service Administrator." It is "Intune Administrator" in the Azure portal.

Actions | Description
microsoft.directory/bitlockerKeys/key/read | Read BitLocker metadata and key on devices
microsoft.directory/contacts/create | Create contacts
microsoft.directory/contacts/delete | Delete contacts
microsoft.directory/contacts/basic/update | Update basic properties on contacts
microsoft.directory/devices/create | Create devices (enroll in Azure AD)
microsoft.directory/devices/delete | Delete devices from Azure AD
microsoft.directory/devices/disable | Disable devices in Azure AD
microsoft.directory/devices/enable | Enable devices in Azure AD
microsoft.directory/devices/basic/update | Update basic properties on devices
microsoft.directory/devices/extensionAttributes/update | Update all values for the devices.extensionAttributes property
microsoft.directory/devices/registeredOwners/update | Update registered owners of devices
microsoft.directory/devices/registeredUsers/update | Update registered users of devices
microsoft.directory/deviceManagementPolicies/standard/read | Read standard properties on device management application policies
microsoft.directory/deviceRegistrationPolicy/standard/read | Read standard properties on device registration policies
microsoft.directory/groups/hiddenMembers/read | Read hidden members of a group
microsoft.directory/groups.security/create | Create Security groups with the exclusion of role-assignable groups
microsoft.directory/groups.security/delete | Delete Security groups with the exclusion of role-assignable groups
microsoft.directory/groups.security/basic/update | Update basic properties on Security groups with the exclusion of role-assignable groups
microsoft.directory/groups.security/classification/update | Update the classification property of Security groups with the exclusion of role-assignable groups
microsoft.directory/groups.security/dynamicMembershipRule/update | Update the dynamicMembershipRule property of Security groups with the exclusion of role-assignable groups
microsoft.directory/groups.security/members/update | Update members of Security groups with the exclusion of role-assignable groups
microsoft.directory/groups.security/owners/update | Update owners of Security groups with the exclusion of role-assignable groups
microsoft.directory/groups.security/visibility/update | Update the visibility property of Security groups with the exclusion of role-assignable groups
microsoft.directory/users/basic/update | Update basic properties on users
microsoft.directory/users/manager/update | Update manager for users
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets
microsoft.intune/allEntities/allTasks | Manage all aspects of Microsoft Intune
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests
microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center

Kaizala Administrator

Users with this role have global permissions to manage settings within Microsoft Kaizala, when the service is present, as well as the ability to manage support tickets and monitor service health. Additionally, the user can access reports related to adoption and usage of Kaizala by organization members and business reports generated using the Kaizala actions.

Actions | Description
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests
microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center

Knowledge Administrator

Users in this role have full access to all knowledge, learning and intelligent features settings in the Microsoft 365 admin center. They have a general understanding of the suite of products and licensing details, and have responsibility to control access. Knowledge administrators can create and manage content, such as topics, acronyms and learning resources. Additionally, these users can create content centers, monitor service health, and create service requests.

Actions | Description
microsoft.directory/groups.security/create | Create Security groups with the exclusion of role-assignable groups
microsoft.directory/groups.security/createAsOwner | Create Security groups with the exclusion of role-assignable groups; the creator is added as the first owner
microsoft.directory/groups.security/delete | Delete Security groups with the exclusion of role-assignable groups
microsoft.directory/groups.security/basic/update | Update basic properties on Security groups with the exclusion of role-assignable groups
microsoft.directory/groups.security/members/update | Update members of Security groups with the exclusion of role-assignable groups
microsoft.directory/groups.security/owners/update | Update owners of Security groups with the exclusion of role-assignable groups
microsoft.office365.knowledge/contentUnderstanding/allProperties/allTasks | Read and update all properties of content understanding in the Microsoft 365 admin center
microsoft.office365.knowledge/knowledgeNetwork/allProperties/allTasks | Read and update all properties of knowledge network in the Microsoft 365 admin center
microsoft.office365.protectionCenter/sensitivityLabels/allProperties/read | Read all properties of sensitivity labels in the Security and Compliance centers
microsoft.office365.sharePoint/allEntities/allTasks | Create and delete all resources, and read and update standard properties in SharePoint
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests
microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center

License Administrator

Users in this role can add, remove, and update license assignments on users and groups (using group-based licensing), and manage the usage location on users. The role does not grant the ability to purchase or manage subscriptions, create or manage groups, or create or manage users beyond the usage location. This role has no access to view, create, or manage support tickets.

Actions | Description
microsoft.directory/groups/assignLicense | Assign product licenses to groups for group-based licensing
microsoft.directory/groups/reprocessLicenseAssignment | Reprocess license assignments for group-based licensing
microsoft.directory/users/assignLicense | Manage user licenses
microsoft.directory/users/reprocessLicenseAssignment | Reprocess license assignments for users
microsoft.directory/users/usageLocation/update | Update usage location of users
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center
microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center

Message Center Privacy Reader

Users in this role can monitor all notifications in the Message Center, including data privacy messages. Message Center Privacy Readers get email notifications, including those related to data privacy, and they can unsubscribe using Message Center Preferences. Only the Global Administrator and the Message Center Privacy Reader can read data privacy messages. Additionally, this role contains the ability to view groups, domains, and subscriptions. This role has no permission to view, create, or manage service requests.

| Actions | Description |
|---|---|
| microsoft.office365.messageCenter/messages/read | Read messages in Message Center in the Microsoft 365 admin center, excluding security messages |
| microsoft.office365.messageCenter/securityMessages/read | Read security messages in Message Center in the Microsoft 365 admin center |
| microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |

Message Center Reader

Users in this role can monitor notifications and advisory health updates in Message Center for their organization on configured services such as Exchange, Intune, and Microsoft Teams. Message Center Readers receive weekly email digests of posts and updates, and can share Message Center posts in Microsoft 365. In Azure AD, users assigned to this role will only have read-only access on Azure AD services such as users and groups. This role has no access to view, create, or manage support tickets.

| Actions | Description |
|---|---|
| microsoft.office365.messageCenter/messages/read | Read messages in Message Center in the Microsoft 365 admin center, excluding security messages |
| microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |

Modern Commerce User

Do not use. This role is automatically assigned from Commerce, and is not intended or supported for any other use. See details below.

The Modern Commerce User role gives certain users permission to access the Microsoft 365 admin center and see the left navigation entries for Home, Billing, and Support. The content available in these areas is controlled by commerce-specific roles assigned to users to manage products that they bought for themselves or your organization. This might include tasks like paying bills, or access to billing accounts and billing profiles.

Users with the Modern Commerce User role typically have administrative permissions in other Microsoft purchasing systems, but do not have the Global Administrator or Billing Administrator roles used to access the admin center.

When is the Modern Commerce User role assigned?

  • Self-service purchase in Microsoft 365 admin center – Self-service purchase gives users a chance to try out new products by buying or signing up for them on their own. These products are managed in the admin center. Users who make a self-service purchase are assigned a role in the commerce system, and the Modern Commerce User role, so they can manage their purchases in the admin center. Admins can block self-service purchases (for Power BI, Power Apps, Power Automate) through PowerShell. For more information, see Self-service purchase FAQ.
  • Purchases from Microsoft commercial marketplace – Similar to self-service purchase, when a user buys a product or service from Microsoft AppSource or Azure Marketplace, the Modern Commerce User role is assigned if they don't have the Global Administrator or Billing Administrator role. In some cases, users might be blocked from making these purchases. For more information, see Microsoft commercial marketplace.
  • Proposals from Microsoft – A proposal is a formal offer from Microsoft for your organization to buy Microsoft products and services. When the person who is accepting the proposal doesn't have a Global Administrator or Billing Administrator role in Azure AD, they are assigned both a commerce-specific role to complete the proposal and the Modern Commerce User role to access the admin center. When they access the admin center they can only use features that are authorized by their commerce-specific role.
  • Commerce-specific roles – Some users are assigned commerce-specific roles. If a user isn't a Global or Billing Administrator, they get the Modern Commerce User role so they can access the admin center.

If the Modern Commerce User role is unassigned from a user, they lose access to the Microsoft 365 admin center. If they were managing any products, either for themselves or for your organization, they won't be able to manage them. This might include assigning licenses, changing payment methods, paying bills, or other tasks for managing subscriptions.

| Actions | Description |
|---|---|
| microsoft.commerce.billing/partners/read | Read partner property of Microsoft 365 Billing |
| microsoft.commerce.volumeLicenseServiceCenter/allEntities/allTasks | Manage all aspects of Volume Licensing Service Center |
| microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests |
| microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in the Microsoft 365 admin center |

Network Administrator

Users in this role can review network perimeter architecture recommendations from Microsoft that are based on network telemetry from their user locations. Network performance for Microsoft 365 relies on careful enterprise customer network perimeter architecture, which is generally user-location specific. This role allows for editing of discovered user locations and configuration of network parameters for those locations to facilitate improved telemetry measurements and design recommendations.

| Actions | Description |
|---|---|
| microsoft.office365.network/locations/allProperties/allTasks | Manage all aspects of network locations |
| microsoft.office365.network/performance/allProperties/read | Read all network performance properties in the Microsoft 365 admin center |
| microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |

Office Apps Administrator

Users in this role can manage Microsoft 365 apps' cloud settings. This includes managing cloud policies, self-service download management, and the ability to view Office apps related reports. This role additionally grants the ability to manage support tickets and monitor service health within the main admin center. Users assigned to this role can also manage communication of new features in Office apps.

| Actions | Description |
|---|---|
| microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health |
| microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets |
| microsoft.office365.messageCenter/messages/read | Read messages in Message Center in the Microsoft 365 admin center, excluding security messages |
| microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
| microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests |
| microsoft.office365.userCommunication/allEntities/allTasks | Read and update what's new messages visibility |
| microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |

Partner Tier1 Support

Do not use. This role has been deprecated and will be removed from Azure AD in the future. This role is intended for use by a small number of Microsoft resale partners, and is not intended for general use.

Important

This role can reset passwords and invalidate refresh tokens for non-administrators only. This role should not be used, as it is deprecated and will no longer be returned by the API.

| Actions | Description |
|---|---|
| microsoft.directory/applications/appRoles/update | Update the appRoles property on all types of applications |
| microsoft.directory/applications/audience/update | Update the audience property for applications |
| microsoft.directory/applications/authentication/update | Update authentication on all types of applications |
| microsoft.directory/applications/basic/update | Update basic properties for applications |
| microsoft.directory/applications/credentials/update | Update application credentials |
| microsoft.directory/applications/owners/update | Update owners of applications |
| microsoft.directory/applications/permissions/update | Update exposed permissions and required permissions on all types of applications |
| microsoft.directory/applications/policies/update | Update policies of applications |
| microsoft.directory/contacts/create | Create contacts |
| microsoft.directory/contacts/delete | Delete contacts |
| microsoft.directory/contacts/basic/update | Update basic properties on contacts |
| microsoft.directory/groups/create | Create groups, excluding role-assignable groups |
| microsoft.directory/groups/delete | Delete groups, excluding role-assignable groups |
| microsoft.directory/groups/restore | Restore deleted groups |
| microsoft.directory/groups/members/update | Update members of groups, excluding role-assignable groups |
| microsoft.directory/groups/owners/update | Update owners of groups, excluding role-assignable groups |
| microsoft.directory/oAuth2PermissionGrants/allProperties/allTasks | Create and delete OAuth 2.0 permission grants, and read and update all properties |
| microsoft.directory/servicePrincipals/appRoleAssignedTo/update | Update service principal role assignments |
| microsoft.directory/users/assignLicense | Manage user licenses |
| microsoft.directory/users/create | Add users |
| microsoft.directory/users/delete | Delete users |
| microsoft.directory/users/disable | Disable users |
| microsoft.directory/users/enable | Enable users |
| microsoft.directory/users/invalidateAllRefreshTokens | Force sign-out by invalidating user refresh tokens |
| microsoft.directory/users/restore | Restore deleted users |
| microsoft.directory/users/basic/update | Update basic properties on users |
| microsoft.directory/users/manager/update | Update manager for users |
| microsoft.directory/users/password/update | Reset passwords for all users |
| microsoft.directory/users/userPrincipalName/update | Update User Principal Name of users |
| microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health |
| microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets |
| microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
| microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests |
| microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |

Partner Tier2 Support

Do not use. This role has been deprecated and will be removed from Azure AD in the future. This role is intended for use by a small number of Microsoft resale partners, and is not intended for general use.

Important

This role can reset passwords and invalidate refresh tokens for all non-administrators and administrators (including Global Administrators). This role should not be used, as it is deprecated and will no longer be returned by the API.

| Actions | Description |
|---|---|
| microsoft.directory/applications/appRoles/update | Update the appRoles property on all types of applications |
| microsoft.directory/applications/audience/update | Update the audience property for applications |
| microsoft.directory/applications/authentication/update | Update authentication on all types of applications |
| microsoft.directory/applications/basic/update | Update basic properties for applications |
| microsoft.directory/applications/credentials/update | Update application credentials |
| microsoft.directory/applications/owners/update | Update owners of applications |
| microsoft.directory/applications/permissions/update | Update exposed permissions and required permissions on all types of applications |
| microsoft.directory/applications/policies/update | Update policies of applications |
| microsoft.directory/contacts/create | Create contacts |
| microsoft.directory/contacts/delete | Delete contacts |
| microsoft.directory/contacts/basic/update | Update basic properties on contacts |
| microsoft.directory/domains/allProperties/allTasks | Create and delete domains, and read and update all properties |
| microsoft.directory/groups/create | Create groups, excluding role-assignable groups |
| microsoft.directory/groups/delete | Delete groups, excluding role-assignable groups |
| microsoft.directory/groups/restore | Restore deleted groups |
| microsoft.directory/groups/members/update | Update members of groups, excluding role-assignable groups |
| microsoft.directory/groups/owners/update | Update owners of groups, excluding role-assignable groups |
| microsoft.directory/oAuth2PermissionGrants/allProperties/allTasks | Create and delete OAuth 2.0 permission grants, and read and update all properties |
| microsoft.directory/organization/basic/update | Update basic properties on organization |
| microsoft.directory/roleAssignments/allProperties/allTasks | Create and delete role assignments, and read and update all role assignment properties |
| microsoft.directory/roleDefinitions/allProperties/allTasks | Create and delete role definitions, and read and update all properties |
| microsoft.directory/scopedRoleMemberships/allProperties/allTasks | Create and delete scopedRoleMemberships, and read and update all properties |
| microsoft.directory/servicePrincipals/appRoleAssignedTo/update | Update service principal role assignments |
| microsoft.directory/subscribedSkus/standard/read | Read basic properties on subscriptions |
| microsoft.directory/users/assignLicense | Manage user licenses |
| microsoft.directory/users/create | Add users |
| microsoft.directory/users/delete | Delete users |
| microsoft.directory/users/disable | Disable users |
| microsoft.directory/users/enable | Enable users |
| microsoft.directory/users/invalidateAllRefreshTokens | Force sign-out by invalidating user refresh tokens |
| microsoft.directory/users/restore | Restore deleted users |
| microsoft.directory/users/basic/update | Update basic properties on users |
| microsoft.directory/users/manager/update | Update manager for users |
| microsoft.directory/users/password/update | Reset passwords for all users |
| microsoft.directory/users/userPrincipalName/update | Update User Principal Name of users |
| microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health |
| microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets |
| microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
| microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests |
| microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |

Password Administrator

Users with this role have limited ability to manage passwords. This role does not grant the ability to manage service requests or monitor service health. Whether a Password Administrator can reset a user's password depends on the role the user is assigned. For a list of the roles that a Password Administrator can reset passwords for, see Password reset permissions.

| Actions | Description |
|---|---|
| microsoft.directory/users/password/update | Reset passwords for all users |
| microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |

Power BI Administrator

Users with this role have global permissions within Microsoft Power BI, when the service is present, as well as the ability to manage support tickets and monitor service health. More information at Understanding the Power BI admin role.

Note

In the Microsoft Graph API and Azure AD PowerShell, this role is identified as "Power BI Service Administrator". It is "Power BI Administrator" in the Azure portal.

| Actions | Description |
|---|---|
| microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health |
| microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets |
| microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
| microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests |
| microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
| microsoft.powerApps.powerBI/allEntities/allTasks | Manage all aspects of Power BI |

Power Platform Administrator

Users in this role can create and manage all aspects of environments, Power Apps, Flows, and Data Loss Prevention policies. Additionally, users with this role have the ability to manage support tickets and monitor service health.

| Actions | Description |
|---|---|
| microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health |
| microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets |
| microsoft.dynamics365/allEntities/allTasks | Manage all aspects of Dynamics 365 |
| microsoft.flow/allEntities/allTasks | Manage all aspects of Microsoft Power Automate |
| microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
| microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests |
| microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
| microsoft.powerApps/allEntities/allTasks | Manage all aspects of Power Apps |

Printer Administrator

Users in this role can register printers and manage all aspects of all printer configurations in the Microsoft Universal Print solution, including the Universal Print Connector settings. They can consent to all delegated print permission requests. Printer Administrators also have access to print reports.

| Actions | Description |
|---|---|
| microsoft.azure.print/allEntities/allProperties/allTasks | Create and delete printers and connectors, and read and update all properties in Microsoft Print |

Printer Technician

Users with this role can register printers and manage printer status in the Microsoft Universal Print solution. They can also read all connector information. The key tasks a Printer Technician cannot do are setting user permissions on printers and sharing printers.

| Actions | Description |
|---|---|
| microsoft.azure.print/connectors/allProperties/read | Read all properties of connectors in Microsoft Print |
| microsoft.azure.print/printers/allProperties/read | Read all properties of printers in Microsoft Print |
| microsoft.azure.print/printers/register | Register printers in Microsoft Print |
| microsoft.azure.print/printers/unregister | Unregister printers in Microsoft Print |
| microsoft.azure.print/printers/basic/update | Update basic properties of printers in Microsoft Print |

特殊權限驗證管理員Privileged Authentication Administrator

具有此角色的使用者可以設定或重設任何驗證方法, (包括全域管理員在內的任何使用者密碼) 。Users with this role can set or reset any authentication method (including passwords) for any user, including Global Administrators. 特殊權限驗證管理員可以強制使用者針對現有的非密碼認證 (例如 MFA 或 FIDO) 重新註冊,以及撤銷「在裝置上記住 MFA」(其會在所有使用者下次登入時提示 MFA)。Privileged Authentication Administrators can force users to re-register against existing non-password credential (such as MFA or FIDO) and revoke 'remember MFA on the device', prompting for MFA on the next sign-in of all users.

驗證管理員 」角色具有許可權,可為標準使用者和具有某些系統管理員角色的使用者強制重新註冊和多重要素驗證。The Authentication administrator role has permission to force re-registration and multi-factor authentication for standard users and users with some admin roles.

驗證原則系統管理員角色具有設定租使用者驗證方法原則的許可權,以決定每個使用者可註冊和使用的方法。The Authentication policy administrator role has permissions to set the tenant's authentication method policy that determines which methods each user can register and use.

角色Role 管理使用者的驗證方法Manage user's auth methods 管理每個使用者的 MFAManage per-user MFA 管理 MFA 設定Manage MFA settings 管理驗證方法原則Manage auth method policy 管理密碼保護原則Manage password protection policy
驗證系統管理員Authentication administrator 是,對於某些使用者 (請參閱上述) Yes for some users (see above) 是,對於某些使用者 (請參閱上述) Yes for some users (see above) No No No
特殊權限驗證管理員Privileged authentication administrator 是適用于所有使用者Yes for all users 是適用于所有使用者Yes for all users No No No
驗證原則系統管理員Authentication policy administrator No No Yes Yes Yes

Important

Users with this role can change credentials for people who may have access to sensitive or private information or critical configuration inside and outside of Azure Active Directory. Changing the credentials of a user may mean the ability to assume that user's identity and permissions. For example:

  • Application Registration and Enterprise Application owners, who can manage credentials of apps they own. Those apps may have privileged permissions in Azure AD and elsewhere that are not granted to Authentication Administrators. Through this path an Authentication Administrator can assume the identity of an application owner and then further assume the identity of a privileged application by updating the credentials for the application.
  • Azure subscription owners, who may have access to sensitive or private information or critical configuration in Azure.
  • Security Group and Microsoft 365 group owners, who can manage group membership. Those groups may grant access to sensitive or private information or critical configuration in Azure AD and elsewhere.
  • Administrators in other services outside of Azure AD, like Exchange Online, Office Security and Compliance Center, and human resources systems.
  • Non-administrators like executives, legal counsel, and human resources employees who may have access to sensitive or private information.

Important

This role is not currently capable of managing per-user MFA in the legacy MFA management portal. The same functions can be accomplished using the Set-MsolUser cmdlet in the Azure AD PowerShell module.
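The per-user MFA state that the note refers to can be set and read with Set-MsolUser and Get-MsolUser from the MSOnline module. The following is an added example, not code from the original page or from Microsoft; it assumes an existing Connect-MsolService session held by a role that carries microsoft.directory/users/strongAuthentication/update, and the UPN is a constructed placeholder.

```powershell
# Added example: manage legacy per-user MFA state without the legacy MFA portal.
# Assumes: MSOnline module installed and Connect-MsolService already run.
$upn = 'alice@contoso.example'   # constructed placeholder, not a real account

function Set-PerUserMfaState {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [ValidateSet('Enabled', 'Enforced', 'Disabled')] [string] $State
    )
    if ($State -eq 'Disabled') {
        # An empty requirements array clears the per-user MFA setting.
        Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @()
        return
    }
    # Build one requirement covering every relying party ('*').
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'
    $req.State = $State   # 'Enabled' prompts registration at next sign-in; 'Enforced' requires MFA
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($req)
}

function Get-PerUserMfaState {
    param([Parameter(Mandatory)] [string] $UserPrincipalName)
    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName
    $req = $user.StrongAuthenticationRequirements | Select-Object -First 1
    # No requirement object means per-user MFA is disabled for this account.
    if ($null -eq $req) { return 'Disabled' }
    return $req.State
}

# Enforce MFA for the placeholder account, then read the state back to confirm.
Set-PerUserMfaState -UserPrincipalName $upn -State 'Enforced'
Get-PerUserMfaState -UserPrincipalName $upn
```

Changes made this way appear in the Azure AD audit log under the acting administrator's identity, which is the record to review when checking who altered a user's MFA state.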

| Actions | Description |
|---|---|
| microsoft.directory/users/invalidateAllRefreshTokens | Force sign-out by invalidating user refresh tokens |
| microsoft.directory/users/strongAuthentication/update | Update the strong authentication property for users |
| microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health |
| microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets |
| microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
| microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests |
| microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |

Privileged Role Administrator

Users with this role can manage role assignments in Azure Active Directory, as well as within Azure AD Privileged Identity Management. They can create and manage groups that can be assigned to Azure AD roles. In addition, this role allows management of all aspects of Privileged Identity Management and administrative units.

Important

This role grants the ability to manage assignments for all Azure AD roles, including the Global Administrator role. This role does not include any other privileged abilities in Azure AD, like creating or updating users. However, users assigned to this role can grant themselves or others additional privilege by assigning additional roles.

| Actions | Description |
|---|---|
| microsoft.directory/administrativeUnits/allProperties/allTasks | Create and manage administrative units (including members) |
| microsoft.directory/appRoleAssignments/allProperties/allTasks | Create and delete appRoleAssignments, and read and update all properties |
| microsoft.directory/authorizationPolicy/allProperties/allTasks | Manage all aspects of authorization policies |
| microsoft.directory/directoryRoles/allProperties/allTasks | Create and delete directory roles, and read and update all properties |
| microsoft.directory/groupsAssignableToRoles/create | Create role-assignable groups |
| microsoft.directory/groupsAssignableToRoles/delete | Delete role-assignable groups |
| microsoft.directory/groupsAssignableToRoles/restore | Restore role-assignable groups |
| microsoft.directory/groupsAssignableToRoles/allProperties/update | Update role-assignable groups |
| microsoft.directory/oAuth2PermissionGrants/allProperties/allTasks | Create and delete OAuth 2.0 permission grants, and read and update all properties |
| microsoft.directory/privilegedIdentityManagement/allProperties/allTasks | Create and delete all resources, and read and update standard properties in Privileged Identity Management |
| microsoft.directory/roleAssignments/allProperties/allTasks | Create and delete role assignments, and read and update all role assignment properties |
| microsoft.directory/roleDefinitions/allProperties/allTasks | Create and delete role definitions, and read and update all properties |
| microsoft.directory/scopedRoleMemberships/allProperties/allTasks | Create and delete scopedRoleMemberships, and read and update all properties |
| microsoft.directory/servicePrincipals/appRoleAssignedTo/update | Update service principal role assignments |
| microsoft.directory/servicePrincipals/permissions/update | Update permissions of service principals |
| microsoft.directory/servicePrincipals/managePermissionGrantsForAll.microsoft-company-admin | Grant consent for any permission to any application |
| microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |

Reports Reader

Users with this role can view usage reporting data and the reports dashboard in the Microsoft 365 admin center and the adoption content pack in Power BI. Additionally, the role provides access to sign-in reports and activity in Azure AD and to data returned by the Microsoft Graph reporting API. A user assigned to the Reports Reader role can access only relevant usage and adoption metrics. They don't have any admin permissions to configure settings or access the product-specific admin centers like Exchange. This role has no access to view, create, or manage support tickets.

| Actions | Description |
|---|---|
| microsoft.directory/auditLogs/allProperties/read | Read all properties on audit logs, including privileged properties |
| microsoft.directory/provisioningLogs/allProperties/read | Read all properties of provisioning logs |
| microsoft.directory/signInReports/allProperties/read | Read all properties on sign-in reports, including privileged properties |
| microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health |
| microsoft.office365.network/performance/allProperties/read | Read all network performance properties in the Microsoft 365 admin center |
| microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
| microsoft.office365.usageReports/allEntities/allProperties/read | Read Office 365 usage reports |
| microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |

Search Administrator

Users in this role have full access to all Microsoft Search management features in the Microsoft 365 admin center. Additionally, these users can view the message center, monitor service health, and create service requests.

| Actions | Description |
|---|---|
| microsoft.office365.messageCenter/messages/read | Read messages in Message Center in the Microsoft 365 admin center, excluding security messages |
| microsoft.office365.search/content/manage | Create and delete content, and read and update all properties in Microsoft Search |
| microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
| microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests |
| microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |

Search Editor

Users in this role can create, manage, and delete content for Microsoft Search in the Microsoft 365 admin center, including bookmarks, Q&As, and locations.

| Actions | Description |
|---|---|
| microsoft.office365.messageCenter/messages/read | Read messages in Message Center in the Microsoft 365 admin center, excluding security messages |
| microsoft.office365.search/content/manage | Create and delete content, and read and update all properties in Microsoft Search |
| microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |

Security Administrator

Users with this role have permissions to manage security-related features in the Microsoft 365 security center, Azure Active Directory Identity Protection, Azure Active Directory Authentication, Azure Information Protection, and the Office 365 Security & Compliance Center. More information about Office 365 permissions is available at Permissions in the Security & Compliance Center.

| In | Can do |
|---|---|
| Microsoft 365 security center | Monitor security-related policies across Microsoft 365 services; manage security threats and alerts; view reports |
| Identity Protection Center | All permissions of the Security Reader role; additionally, the ability to perform all Identity Protection Center operations except for resetting passwords |
| Privileged Identity Management | All permissions of the Security Reader role; cannot manage Azure AD role assignments or settings |
| Office 365 Security & Compliance Center | Manage security policies; view, investigate, and respond to security threats; view reports |
| Azure Advanced Threat Protection | Monitor and respond to suspicious security activity |
| Windows Defender ATP and EDR | Assign roles; manage machine groups; configure endpoint threat detection and automated remediation; view, investigate, and respond to alerts |
| Intune | View user, device, enrollment, configuration, and application information; cannot make changes to Intune |
| Cloud App Security | Add admins, add policies and settings, upload logs, and perform governance actions |
| Azure Security Center | Can view security policies, view security states, edit security policies, view alerts and recommendations, and dismiss alerts and recommendations |
| Microsoft 365 service health | View the health of Microsoft 365 services |
| Smart lockout | Define the threshold and duration for lockouts when failed sign-in events happen |
| Password Protection | Configure the custom banned password list or on-premises password protection |

| Actions | Description |
|---|---|
| microsoft.directory/applications/policies/update | Update policies of applications |
| microsoft.directory/auditLogs/allProperties/read | Read all properties on audit logs, including privileged properties |
| microsoft.directory/bitlockerKeys/key/read | Read BitLocker metadata and key on devices |
| microsoft.directory/entitlementManagement/allProperties/read | Read all properties in Azure AD entitlement management |
| microsoft.directory/identityProtection/allProperties/read | Read all resources in Azure AD Identity Protection |
| microsoft.directory/identityProtection/allProperties/update | Update all resources in Azure AD Identity Protection |
| microsoft.directory/policies/create | Create policies in Azure AD |
| microsoft.directory/policies/delete | Delete policies in Azure AD |
| microsoft.directory/policies/basic/update | Update basic properties on policies |
| microsoft.directory/policies/owners/update | Update owners of policies |
| microsoft.directory/policies/tenantDefault/update | Update default organization policies |
| microsoft.directory/conditionalAccessPolicies/create | Create conditional access policies |
| microsoft.directory/conditionalAccessPolicies/delete | Delete conditional access policies |
| microsoft.directory/conditionalAccessPolicies/standard/read | Read conditional access for policies |
| microsoft.directory/conditionalAccessPolicies/owners/read | Read the owners of conditional access policies |
| microsoft.directory/conditionalAccessPolicies/policyAppliedTo/read | Read the "applied to" property for conditional access policies |
| microsoft.directory/conditionalAccessPolicies/basic/update | Update basic properties for conditional access policies |
| microsoft.directory/conditionalAccessPolicies/owners/update | Update owners for conditional access policies |
| microsoft.directory/conditionalAccessPolicies/tenantDefault/update | Update the default tenant for conditional access policies |
| microsoft.directory/privilegedIdentityManagement/allProperties/read | Read all resources in Privileged Identity Management |
| microsoft.directory/provisioningLogs/allProperties/read | Read all properties of provisioning logs |
| microsoft.directory/servicePrincipals/policies/update | Update policies of service principals |
| microsoft.directory/signInReports/allProperties/read | Read all properties on sign-in reports, including privileged properties |
| microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health |
| microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets |
| microsoft.office365.protectionCenter/allEntities/standard/read | Read standard properties of all resources in the Security and Compliance centers |
| microsoft.office365.protectionCenter/allEntities/basic/update | Update basic properties of all resources in the Security and Compliance centers |
| microsoft.office365.protectionCenter/attackSimulator/payload/allProperties/allTasks | Create and manage attack payloads in Attack Simulator |
| microsoft.office365.protectionCenter/attackSimulator/reports/allProperties/read | Read reports of attack simulation responses and associated training |
| microsoft.office365.protectionCenter/attackSimulator/simulation/allProperties/allTasks | Create and manage attack simulation templates in Attack Simulator |
| microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
| microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests |
| microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |

Security Operator

Users with this role can manage alerts and have global read-only access on security-related features, including all information in the Microsoft 365 security center, Azure Active Directory, Identity Protection, Privileged Identity Management, and the Office 365 Security & Compliance Center. More information about Office 365 permissions is available at Permissions in the Security & Compliance Center.

| In | Can do |
|---|---|
| Microsoft 365 security center | All permissions of the Security Reader role; view, investigate, and respond to security threat alerts |
| Azure AD Identity Protection | All permissions of the Security Reader role; additionally, the ability to perform all Identity Protection Center operations except for resetting passwords and configuring alert e-mails |
| Privileged Identity Management | All permissions of the Security Reader role |
| Office 365 Security & Compliance Center | All permissions of the Security Reader role; view, investigate, and respond to security alerts |
| Windows Defender ATP and EDR | All permissions of the Security Reader role; view, investigate, and respond to security alerts |
| Intune | All permissions of the Security Reader role |
| Cloud App Security | All permissions of the Security Reader role |
| Microsoft 365 service health | View the health of Microsoft 365 services |

| Actions | Description |
|---|---|
| microsoft.directory/auditLogs/allProperties/read | Read all properties on audit logs, including privileged properties |
| microsoft.directory/cloudAppSecurity/allProperties/allTasks | Create and delete all resources, and read and update standard properties in Microsoft Cloud App Security |
| microsoft.directory/identityProtection/allProperties/allTasks | Create and delete all resources, and read and update standard properties in Azure AD Identity Protection |
| microsoft.directory/privilegedIdentityManagement/allProperties/read | Read all resources in Privileged Identity Management |
| microsoft.directory/provisioningLogs/allProperties/read | Read all properties of provisioning logs |
| microsoft.directory/signInReports/allProperties/read | Read all properties on sign-in reports, including privileged properties |
| microsoft.azure.advancedThreatProtection/allEntities/allTasks | Manage all aspects of Azure Advanced Threat Protection |
| microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets |
| microsoft.intune/allEntities/read | Read all resources in Microsoft Intune |
| microsoft.office365.securityComplianceCenter/allEntities/allTasks | Create and delete all resources, and read and update standard properties in the Microsoft 365 Security and Compliance Center |
| microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests |
| microsoft.windows.defenderAdvancedThreatProtection/allEntities/allTasks | Manage all aspects of Microsoft Defender for Endpoint |

Security Reader

Users with this role have global read-only access on security-related features, including all information in the Microsoft 365 security center, Azure Active Directory, Identity Protection, and Privileged Identity Management, as well as the ability to read Azure Active Directory sign-in reports and audit logs, and read-only access in the Office 365 Security & Compliance Center. More information about Office 365 permissions is available at Permissions in the Security & Compliance Center.

| In | Can do |
|---|---|
| Microsoft 365 security center | View security-related policies across Microsoft 365 services; view security threats and alerts; view reports |
| Identity Protection Center | Read all security reports and settings information for security features: anti-spam, encryption, data loss prevention, anti-malware, advanced threat protection, anti-phishing, and mail flow rules |
| Privileged Identity Management | Has read-only access to all information surfaced in Azure AD Privileged Identity Management: policies and reports for Azure AD role assignments and security reviews. Cannot sign up for Azure AD Privileged Identity Management or make any changes to it. In the Privileged Identity Management portal or via PowerShell, someone in this role can activate additional roles (for example, Global Administrator or Privileged Role Administrator) if the user is eligible for them. |
| Office 365 Security & Compliance Center | View security policies; view and investigate security threats; view reports |
| Windows Defender ATP and EDR | View and investigate alerts. When you turn on role-based access control in Windows Defender ATP, users with read-only permissions such as the Azure AD Security Reader role lose access until they are assigned to a Windows Defender ATP role. |
| Intune | View user, device, enrollment, configuration, and application information. Cannot make changes to Intune. |
| Cloud App Security | Has read-only permissions and can manage alerts |
| Azure Security Center | Can view recommendations and alerts, view security policies, and view security states, but cannot make changes |
| Microsoft 365 service health | View the health of Microsoft 365 services |

| Actions | Description |
|---|---|
| microsoft.directory/auditLogs/allProperties/read | Read all properties on audit logs, including privileged properties |
| microsoft.directory/bitlockerKeys/key/read | Read BitLocker metadata and key on devices |
| microsoft.directory/entitlementManagement/allProperties/read | Read all properties in Azure AD entitlement management |
| microsoft.directory/identityProtection/allProperties/read | Read all resources in Azure AD Identity Protection |
| microsoft.directory/policies/standard/read | Read basic properties on policies |
| microsoft.directory/policies/owners/read | Read owners of policies |
| microsoft.directory/policies/policyAppliedTo/read | Read the policies.policyAppliedTo property |
| microsoft.directory/conditionalAccessPolicies/standard/read | Read conditional access for policies |
| microsoft.directory/conditionalAccessPolicies/owners/read | Read the owners of conditional access policies |
| microsoft.directory/conditionalAccessPolicies/policyAppliedTo/read | Read the "applied to" property for conditional access policies |
| microsoft.directory/privilegedIdentityManagement/allProperties/read | Read all resources in Privileged Identity Management |
| microsoft.directory/provisioningLogs/allProperties/read | Read all properties of provisioning logs |
| microsoft.directory/signInReports/allProperties/read | Read all properties on sign-in reports, including privileged properties |
| microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health |
| microsoft.office365.protectionCenter/allEntities/standard/read | Read standard properties of all resources in the Security and Compliance centers |
| microsoft.office365.protectionCenter/attackSimulator/payload/allProperties/read | Read all properties of attack payloads in Attack Simulator |
| microsoft.office365.protectionCenter/attackSimulator/reports/allProperties/read | Read reports of attack simulation responses and associated training |
| microsoft.office365.protectionCenter/attackSimulator/simulation/allProperties/read | Read all properties of attack simulation templates in Attack Simulator |
| microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
| microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |

Service Support Administrator

Users with this role can open support requests with Microsoft for Azure and Microsoft 365 services, and view the service dashboard and message center in the Azure portal and Microsoft 365 admin center. More information at About admin roles.

Note

Previously, this role was called "Service Administrator" in the Azure portal and Microsoft 365 admin center. We have renamed it to "Service Support Administrator" to align with the existing name in the Microsoft Graph API, Azure AD Graph API, and Azure AD PowerShell.

動作Actions 描述Description
microsoft.azure.serviceHealth/allEntities/allTasksmicrosoft.azure.serviceHealth/allEntities/allTasks 讀取及設定 Azure 服務健康狀態Read and configure Azure Service Health
microsoft.azure.supportTickets/allEntities/allTasksmicrosoft.azure.supportTickets/allEntities/allTasks 建立及管理 Azure 支援票證Create and manage Azure support tickets
microsoft.office365.network/performance/allProperties/readmicrosoft.office365.network/performance/allProperties/read 讀取 Microsoft 365 系統管理中心中的所有網路效能屬性Read all network performance properties in the Microsoft 365 admin center
microsoft.office365.serviceHealth/allEntities/allTasksmicrosoft.office365.serviceHealth/allEntities/allTasks 在 Microsoft 365 系統管理中心中讀取及設定服務健康狀態Read and configure Service Health in the Microsoft 365 admin center
microsoft.office365.supportTickets/allEntities/allTasksmicrosoft.office365.supportTickets/allEntities/allTasks 建立及管理 Microsoft 365 服務要求Create and manage Microsoft 365 service requests
microsoft.office365.webPortal/allEntities/standard/readmicrosoft.office365.webPortal/allEntities/standard/read 讀取 Microsoft 365 系統管理中心中所有資源的基本屬性Read basic properties on all resources in the Microsoft 365 admin center

SharePoint Administrator

Users with this role have global permissions within Microsoft SharePoint Online, when the service is present, as well as the ability to create and manage all Microsoft 365 groups, manage support tickets, and monitor service health. More information at About admin roles.

Note

In the Microsoft Graph API and Azure AD PowerShell, this role is identified as "SharePoint Service Administrator". It is "SharePoint Administrator" in the Azure portal.

Note

This role also grants scoped permissions to the Microsoft Graph API for Microsoft Intune, allowing the management and configuration of policies related to SharePoint and OneDrive resources.

| Actions | Description |
| --- | --- |
| microsoft.directory/groups.unified/create | Create Microsoft 365 groups, excluding role-assignable groups |
| microsoft.directory/groups.unified/delete | Delete Microsoft 365 groups, excluding role-assignable groups |
| microsoft.directory/groups.unified/restore | Restore Microsoft 365 groups |
| microsoft.directory/groups.unified/basic/update | Update basic properties on Microsoft 365 groups, excluding role-assignable groups |
| microsoft.directory/groups.unified/members/update | Update members of Microsoft 365 groups, excluding role-assignable groups |
| microsoft.directory/groups.unified/owners/update | Update owners of Microsoft 365 groups, excluding role-assignable groups |
| microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health |
| microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets |
| microsoft.office365.network/performance/allProperties/read | Read all network performance properties in the Microsoft 365 admin center |
| microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
| microsoft.office365.sharePoint/allEntities/allTasks | Create and delete all resources, and read and update standard properties in SharePoint |
| microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests |
| microsoft.office365.usageReports/allEntities/allProperties/read | Read Office 365 usage reports |
| microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |

Skype for Business Administrator

Users with this role have global permissions within Microsoft Skype for Business, when the service is present, and can manage Skype-specific user attributes in Azure Active Directory. Additionally, this role grants the ability to manage support tickets and monitor service health, and to access the Teams and Skype for Business admin center. The account must also be licensed for Teams or it cannot run Teams PowerShell cmdlets. More information at About the Skype for Business admin role, and Teams licensing information at Skype for Business and Microsoft Teams add-on licensing.

Note

In the Microsoft Graph API and Azure AD PowerShell, this role is identified as "Lync Service Administrator". It is "Skype for Business Administrator" in the Azure portal.

| Actions | Description |
| --- | --- |
| microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health |
| microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets |
| microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
| microsoft.office365.skypeForBusiness/allEntities/allTasks | Manage all aspects of Skype for Business Online |
| microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests |
| microsoft.office365.usageReports/allEntities/allProperties/read | Read Office 365 usage reports |
| microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |

Teams Administrator

Users in this role can manage all aspects of the Microsoft Teams workload via the Microsoft Teams and Skype for Business admin center and the respective PowerShell modules. This includes, among other areas, all management tools related to telephony, messaging, meetings, and the teams themselves. This role additionally grants the ability to create and manage all Microsoft 365 groups, manage support tickets, and monitor service health.

| Actions | Description |
| --- | --- |
| microsoft.directory/groups/hiddenMembers/read | Read hidden members of a group |
| microsoft.directory/groups.unified/create | Create Microsoft 365 groups, excluding role-assignable groups |
| microsoft.directory/groups.unified/delete | Delete Microsoft 365 groups, excluding role-assignable groups |
| microsoft.directory/groups.unified/restore | Restore Microsoft 365 groups |
| microsoft.directory/groups.unified/basic/update | Update basic properties on Microsoft 365 groups, excluding role-assignable groups |
| microsoft.directory/groups.unified/members/update | Update members of Microsoft 365 groups, excluding role-assignable groups |
| microsoft.directory/groups.unified/owners/update | Update owners of Microsoft 365 groups, excluding role-assignable groups |
| microsoft.directory/servicePrincipals/managePermissionGrantsForGroup.microsoft-all-application-permissions | Grant a service principal direct access to a group's data |
| microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health |
| microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets |
| microsoft.office365.network/performance/allProperties/read | Read all network performance properties in the Microsoft 365 admin center |
| microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
| microsoft.office365.skypeForBusiness/allEntities/allTasks | Manage all aspects of Skype for Business Online |
| microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests |
| microsoft.office365.usageReports/allEntities/allProperties/read | Read Office 365 usage reports |
| microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
| microsoft.teams/allEntities/allProperties/allTasks | Manage all resources in Teams |

Teams Communications Administrator

Users in this role can manage the aspects of the Microsoft Teams workload related to voice and telephony. This includes the management tools for telephone number assignment, voice and meeting policies, and full access to the call analytics toolset.

| Actions | Description |
| --- | --- |
| microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health |
| microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets |
| microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
| microsoft.office365.skypeForBusiness/allEntities/allTasks | Manage all aspects of Skype for Business Online |
| microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests |
| microsoft.office365.usageReports/allEntities/allProperties/read | Read Office 365 usage reports |
| microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
| microsoft.teams/callQuality/allProperties/read | Read all data in the Call Quality Dashboard (CQD) |
| microsoft.teams/meetings/allProperties/allTasks | Manage meetings, including meeting policies, configurations, and conference bridges |
| microsoft.teams/voice/allProperties/allTasks | Manage voice, including calling policies and phone number inventory and assignment |

Teams Communications Support Engineer

Users in this role can troubleshoot communication issues within Microsoft Teams and Skype for Business using the user call troubleshooting tools in the Microsoft Teams and Skype for Business admin center. Users in this role can view full call record information for all participants involved. This role has no access to view, create, or manage support tickets.

| Actions | Description |
| --- | --- |
| microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health |
| microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
| microsoft.office365.skypeForBusiness/allEntities/allTasks | Manage all aspects of Skype for Business Online |
| microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
| microsoft.teams/callQuality/allProperties/read | Read all data in the Call Quality Dashboard (CQD) |

Teams Communications Support Specialist

Users in this role can troubleshoot communication issues within Microsoft Teams and Skype for Business using the user call troubleshooting tools in the Microsoft Teams and Skype for Business admin center. Users in this role can only view user details in the call for the specific user they have looked up. This role has no access to view, create, or manage support tickets.

| Actions | Description |
| --- | --- |
| microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health |
| microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
| microsoft.office365.skypeForBusiness/allEntities/allTasks | Manage all aspects of Skype for Business Online |
| microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
| microsoft.teams/callQuality/standard/read | Read basic data in the Call Quality Dashboard (CQD) |

Teams Devices Administrator

Users with this role can manage Teams-certified devices from the Teams admin center. This role allows viewing all devices at a glance, with the ability to search and filter devices. The user can check the details of each device, including the logged-in account and the make and model of the device. The user can change the settings on the device and update the software versions. This role does not grant permissions to check Teams activity or the call quality of the device.

| Actions | Description |
| --- | --- |
| microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
| microsoft.teams/devices/standard/read | Manage all aspects of Teams-certified devices, including configuration policies |

Usage Summary Reports Reader

Users with this role can access tenant-level aggregated data and associated insights in the Microsoft 365 admin center for Usage and Productivity Score, but cannot access any user-level details or insights. In the Microsoft 365 admin center, for these two reports, tenant-level aggregated data is differentiated from user-level details. This role gives an extra layer of protection on individually identifiable user data, which was requested by both customers and legal teams.

| Actions | Description |
| --- | --- |
| microsoft.office365.network/performance/allProperties/read | Read all network performance properties in the Microsoft 365 admin center |
| microsoft.office365.usageReports/allEntities/standard/read | Read tenant-level aggregated Office 365 usage reports |
| microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |

User Administrator

Users with this role can create users and manage all aspects of users, with some restrictions (see the table), and can update password expiration policies. Additionally, users with this role can create and manage all groups. This role also includes the ability to create and manage user views, manage support tickets, and monitor service health. User Administrators do not have permission to manage some user properties for users in most administrator roles. Users with this role do not have permission to manage MFA. The roles that are exceptions to this restriction are listed in the following table.

| User Administrator permission | Notes |
| --- | --- |
| Create users and groups; create and manage user views; manage Office support tickets; update password expiration policies | |
| Manage licenses; manage all user properties except User Principal Name | Applies to all users, including all admins |
| Delete and restore; disable and enable; manage all user properties including User Principal Name; update (FIDO) device keys | Applies to users who are non-admins or in any of the following roles: Helpdesk Administrator, User with no role, User Administrator |
| Invalidate refresh tokens; reset password | For a list of the roles that a User Administrator can reset passwords for and invalidate refresh tokens, see Password reset permissions. |

Important

Users with this role can change passwords for people who may have access to sensitive or private information or critical configuration inside and outside of Azure Active Directory. Changing a user's password can amount to assuming that user's identity and permissions. For example:

  • Application Registration and Enterprise Application owners, who can manage the credentials of apps they own. Those apps may have privileged permissions in Azure AD and elsewhere that are not granted to User Administrators. Through this path a User Administrator may be able to assume the identity of an application owner and then further assume the identity of a privileged application by updating the credentials for the application.
  • Azure subscription owners, who may have access to sensitive or private information or critical configuration in Azure.
  • Security Group and Microsoft 365 group owners, who can manage group membership. Those groups may grant access to sensitive or private information or critical configuration in Azure AD and elsewhere.
  • Administrators in other services outside of Azure AD, such as Exchange Online, the Office Security and Compliance Center, and human resources systems.
  • Non-administrators such as executives, legal counsel, and human resources employees, who may have access to sensitive or private information.

| Actions | Description |
| --- | --- |
| microsoft.directory/appRoleAssignments/create | Create application role assignments |
| microsoft.directory/appRoleAssignments/delete | Delete application role assignments |
| microsoft.directory/appRoleAssignments/basic/update | Update basic properties of application role assignments |
| microsoft.directory/contacts/create | Create contacts |
| microsoft.directory/contacts/delete | Delete contacts |
| microsoft.directory/contacts/basic/update | Update basic properties on contacts |
| microsoft.directory/entitlementManagement/allProperties/allTasks | Create and delete resources, and read and update all properties in Azure AD entitlement management |
| microsoft.directory/groups/assignLicense | Assign product licenses to groups for group-based licensing |
| microsoft.directory/groups/create | Create groups, excluding role-assignable groups |
| microsoft.directory/groups/delete | Delete groups, excluding role-assignable groups |
| microsoft.directory/groups/hiddenMembers/read | Read hidden members of a group |
| microsoft.directory/groups/reprocessLicenseAssignment | Reprocess license assignments for group-based licensing |
| microsoft.directory/groups/restore | Restore deleted groups |
| microsoft.directory/groups/basic/update | Update basic properties on groups, excluding role-assignable groups |
| microsoft.directory/groups/classification/update | Update the classification property of groups, excluding role-assignable groups |
| microsoft.directory/groups/dynamicMembershipRule/update | Update the dynamic membership rule of groups, excluding role-assignable groups |
| microsoft.directory/groups/groupType/update | Update the groupType property for a group |
| microsoft.directory/groups/members/update | Update members of groups, excluding role-assignable groups |
| microsoft.directory/groups/onPremWriteBack/update | Update Azure Active Directory groups to be written back to on-premises with Azure AD Connect |
| microsoft.directory/groups/owners/update | Update owners of groups, excluding role-assignable groups |
| microsoft.directory/groups/settings/update | Update settings of groups |
| microsoft.directory/groups/visibility/update | Update the visibility property of groups |
| microsoft.directory/oAuth2PermissionGrants/allProperties/allTasks | Create and delete OAuth 2.0 permission grants, and read and update all properties |
| microsoft.directory/servicePrincipals/appRoleAssignedTo/update | Update service principal role assignments |
| microsoft.directory/users/assignLicense | Manage user licenses |
| microsoft.directory/users/create | Add users |
| microsoft.directory/users/delete | Delete users |
| microsoft.directory/users/disable | Disable users |
| microsoft.directory/users/enable | Enable users |
| microsoft.directory/users/inviteGuest | Invite guest users |
| microsoft.directory/users/invalidateAllRefreshTokens | Force sign-out by invalidating user refresh tokens |
| microsoft.directory/users/reprocessLicenseAssignment | Reprocess license assignments for users |
| microsoft.directory/users/restore | Restore deleted users |
| microsoft.directory/users/basic/update | Update basic properties on users |
| microsoft.directory/users/manager/update | Update the manager of users |
| microsoft.directory/users/password/update | Reset passwords for all users |
| microsoft.directory/users/userPrincipalName/update | Update the User Principal Name of users |
| microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health |
| microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets |
| microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
| microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests |
| microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |

How to understand role permissions

The schema for permissions loosely follows the REST format of Microsoft Graph:

<namespace>/<entity>/<propertySet>/<action>

For example:

microsoft.directory/applications/credentials/update

| Permission element | Description |
| --- | --- |
| namespace | Product or service that exposes the task, prefixed with microsoft. For example, all tasks in Azure AD use the microsoft.directory namespace. |
| entity | Logical feature or component exposed by the service in Microsoft Graph. For example, Azure AD exposes Users and Groups, OneNote exposes Notes, and Exchange exposes Mailboxes and Calendars. There is a special allEntities keyword for specifying all entities in a namespace; it is often used in roles that grant access to an entire product. |
| propertySet | Specific properties or aspects of the entity for which access is being granted. For example, microsoft.directory/applications/authentication/read grants the ability to read the reply URL, logout URL, and implicit flow property on the application object in Azure AD. allProperties designates all properties of the entity, including privileged properties. standard designates common properties but excludes privileged ones for the read action; for example, microsoft.directory/user/standard/read includes the ability to read standard properties such as the public phone number and email address, but not the private secondary phone number or email address used for multi-factor authentication. basic designates common properties but excludes privileged ones for the update action. The set of properties you can read may differ from the set you can update, which is why both the standard and basic keywords exist. |
| action | Operation being granted, most typically create, read, update, or delete (CRUD). There is a special allTasks keyword for specifying all of those abilities (create, read, update, and delete). |
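
The schema above can be turned into a small matcher. The Python below is an added example, not code from this page or from Microsoft: it parses a permission string into the four elements and decides whether a granted action covers a requested one. The wildcard rules follow the table's definitions, with two assumptions made by this example: a three-part action such as microsoft.directory/users/create is treated as entity-level with no property set, and an entity-level allTasks grant such as microsoft.office365.skypeForBusiness/allEntities/allTasks is read as spanning every property set. Entity subtypes such as groups.unified are matched literally. The embedded action lists are the Teams Communications Support Engineer and Specialist lists from this page; "policies" in the usage line is a hypothetical entity name.

```python
"""Match Azure AD role permission strings of the form
<namespace>/<entity>/<propertySet>/<action> against a role's action list.
Added example; the wildcard rules are this example's reading of the schema:
  allEntities   matches any entity in the namespace
  allProperties covers any property set (standard, basic or a named one)
  allTasks      covers create, read, update and delete
"basic" and "standard" never imply a privileged named set such as "password".
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

CRUD = frozenset({"create", "read", "update", "delete"})


@dataclass(frozen=True)
class Permission:
    namespace: str
    entity: str
    property_set: Optional[str]  # None for entity-level actions such as users/create
    action: str

    @classmethod
    def parse(cls, text: str) -> "Permission":
        parts = text.strip().split("/")
        if len(parts) == 4:
            return cls(parts[0], parts[1], parts[2], parts[3])
        if len(parts) == 3:  # assumption: no property set means an entity-level action
            return cls(parts[0], parts[1], None, parts[2])
        raise ValueError(f"not a role permission string: {text!r}")


def covers(granted: Permission, requested: Permission) -> bool:
    """True if the granted action includes the requested one."""
    if granted.namespace != requested.namespace:
        return False
    if granted.entity not in (requested.entity, "allEntities"):
        return False
    # Assumption: an entity-level allTasks grant (e.g. .../allEntities/allTasks)
    # spans every property set; otherwise the set must match or be allProperties.
    entity_wide = granted.property_set is None and granted.action == "allTasks"
    if not entity_wide and granted.property_set not in (requested.property_set, "allProperties"):
        return False
    if granted.action == requested.action:
        return True
    return granted.action == "allTasks" and requested.action in CRUD


def role_grants(actions: Iterable[str], requested: str) -> bool:
    """Does any action in the role's list cover the requested permission string?"""
    wanted = Permission.parse(requested)
    return any(covers(Permission.parse(a), wanted) for a in actions)


def diff_roles(first: List[str], second: List[str]) -> Tuple[List[str], List[str]]:
    """Actions of `first` not covered by `second`, and the reverse."""
    only_first = [a for a in first if not role_grants(second, a)]
    only_second = [a for a in second if not role_grants(first, a)]
    return only_first, only_second


# Action lists copied from this page's role tables.
TEAMS_COMMS_SUPPORT_ENGINEER = [
    "microsoft.azure.serviceHealth/allEntities/allTasks",
    "microsoft.office365.serviceHealth/allEntities/allTasks",
    "microsoft.office365.skypeForBusiness/allEntities/allTasks",
    "microsoft.office365.webPortal/allEntities/standard/read",
    "microsoft.teams/callQuality/allProperties/read",
]
TEAMS_COMMS_SUPPORT_SPECIALIST = TEAMS_COMMS_SUPPORT_ENGINEER[:-1] + [
    "microsoft.teams/callQuality/standard/read",
]

if __name__ == "__main__":
    print(diff_roles(TEAMS_COMMS_SUPPORT_ENGINEER, TEAMS_COMMS_SUPPORT_SPECIALIST))
    # "policies" is a hypothetical entity name used to exercise allEntities/allTasks.
    print(role_grants(TEAMS_COMMS_SUPPORT_ENGINEER,
                      "microsoft.office365.skypeForBusiness/policies/allProperties/delete"))
```

Running diff_roles on the two support roles returns the single action that separates them: the engineer's microsoft.teams/callQuality/allProperties/read covers the specialist's standard/read but not the reverse, which is exactly the "full call records versus the looked-up user only" distinction the role descriptions draw. The same matcher answers "can this role reset passwords?" by testing for microsoft.directory/users/password/update, which basic/update deliberately does not cover.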

Deprecated roles

The following roles should not be used. They have been deprecated and will be removed from Azure AD in the future.

  • AdHoc License Administrator
  • Device Join
  • Device Managers
  • Device Users
  • Email Verified User Creator
  • Mailbox Administrator
  • Workplace Device Join

Roles not shown in the portal

Not every role returned by PowerShell or the Microsoft Graph API is visible in the Azure portal. The following table organizes those differences.

| API name | Azure portal name | Notes |
| --- | --- | --- |
| Device Join | Deprecated | Deprecated roles documentation |
| Device Managers | Deprecated | Deprecated roles documentation |
| Device Users | Deprecated | Deprecated roles documentation |
| Directory Synchronization Accounts | Not shown because it shouldn't be used | Directory Synchronization Accounts documentation |
| Guest User | Not shown because it can't be used | NA |
| Partner Tier 1 Support | Not shown because it shouldn't be used | Partner Tier1 Support documentation |
| Partner Tier 2 Support | Not shown because it shouldn't be used | Partner Tier2 Support documentation |
| Restricted Guest User | Not shown because it can't be used | NA |
| User | Not shown because it can't be used | NA |
| Workplace Device Join | Deprecated | Deprecated roles documentation |

Password reset permissions

Column headings represent the roles that can reset passwords. Table rows contain the roles whose passwords can be reset.

| Password can be reset | Password Admin | Helpdesk Admin | Authentication Admin | User Admin | Privileged Authentication Admin | Global Admin |
| --- | --- | --- | --- | --- | --- | --- |
| Authentication Admin | | | ✔️ | | ✔️ | ✔️ |
| Directory Readers | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
| Global Admin | | | | | ✔️ | ✔️* |
| Groups Admin | | | | ✔️ | ✔️ | ✔️ |
| Guest Inviter | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
| Helpdesk Admin | | ✔️ | | ✔️ | ✔️ | ✔️ |
| Message Center Reader | | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
| Password Admin | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
| Privileged Authentication Admin | | | | | ✔️ | ✔️ |
| Privileged Role Admin | | | | | ✔️ | ✔️ |
| Reports Reader | | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
| User (no admin role) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
| User Admin | | | | ✔️ | ✔️ | ✔️ |
| Usage Summary Reports Reader | | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |

* A Global Administrator cannot remove their own Global Administrator assignment. This prevents a situation where an organization has zero Global Administrators.
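
The matrix above, together with the escalation warning in the User Administrator section, can be checked mechanically. The Python below is an added example, not part of this page or of any Microsoft tooling: RESET_MATRIX transcribes the table above, and the tenant snapshot (user names, role assignments, application owners) is constructed for illustration. Two assumptions: a resetter may reset a target only if the matrix allows it for every role the target holds, and, as the User Administrator note describes, resetting an application owner's password lets the resetter act as that owner and rotate the application's credentials. takeover_reach follows that chain transitively, so it shows how far a compromised User Administrator gets by password resets alone (every non-admin and Helpdesk Administrator, plus any app they own, but never a Global Administrator).

```python
"""Who can reset whose password (the matrix from this page) and how far that
reach extends once app ownership is counted. Added example; the tenant
snapshot below is constructed, not real directory data.
"""
from typing import Dict, FrozenSet, Set

RESETTERS = ("Password Admin", "Helpdesk Admin", "Authentication Admin", "User Admin",
             "Privileged Authentication Admin", "Global Admin")
_ALL = frozenset(RESETTERS)
_TOP = frozenset({"Privileged Authentication Admin", "Global Admin"})

# Target role -> resetter roles allowed to reset a holder of that role (the matrix above).
RESET_MATRIX: Dict[str, FrozenSet[str]] = {
    "Authentication Admin": _TOP | {"Authentication Admin"},
    "Directory Readers": _ALL,
    "Global Admin": _TOP,
    "Groups Admin": _TOP | {"User Admin"},
    "Guest Inviter": _ALL,
    "Helpdesk Admin": _TOP | {"Helpdesk Admin", "User Admin"},
    "Message Center Reader": _ALL - {"Password Admin"},
    "Password Admin": _ALL,
    "Privileged Authentication Admin": _TOP,
    "Privileged Role Admin": _TOP,
    "Reports Reader": _ALL - {"Password Admin"},
    "User (no admin role)": _ALL,
    "User Admin": _TOP | {"User Admin"},
    "Usage Summary Reports Reader": _ALL - {"Password Admin"},
}


def can_reset(resetter_role: str, target_roles: Set[str]) -> bool:
    """Assumption: the reset is allowed only if the matrix permits it for every
    role the target holds; a role absent from the matrix blocks the reset."""
    roles = target_roles or {"User (no admin role)"}
    return all(resetter_role in RESET_MATRIX.get(r, frozenset()) for r in roles)


# Constructed tenant snapshot (hypothetical names): user -> roles, app -> owners.
USERS: Dict[str, Set[str]] = {
    "alice": {"User Admin"},
    "bob": set(),                    # no directory role, but owns hr-sync-app
    "carol": {"Global Admin"},
    "dave": {"Helpdesk Admin"},
    "erin": {"Privileged Role Admin"},
}
APP_OWNERS: Dict[str, Set[str]] = {
    "hr-sync-app": {"bob"},          # assumed to hold privileged Graph application permissions
    "backup-app": {"carol", "erin"},
}


def takeover_reach(start_user: str) -> Set[str]:
    """Users whose password start_user can reset, transitively: the roles of every
    taken-over user are added to the roles available for further resets."""
    controlled = {start_user}
    roles_held = set(USERS[start_user])
    changed = True
    while changed:
        changed = False
        for user, roles in USERS.items():
            if user in controlled:
                continue
            if any(r in RESETTERS and can_reset(r, roles) for r in roles_held):
                controlled.add(user)
                roles_held |= roles
                changed = True
    return controlled


def apps_reachable(start_user: str) -> Set[str]:
    """Apps whose credentials start_user could rotate by taking over one owner,
    the path the User Administrator note describes."""
    reach = takeover_reach(start_user)
    return {app for app, owners in APP_OWNERS.items() if owners & reach}


if __name__ == "__main__":
    for who in USERS:
        print(who, sorted(takeover_reach(who)), sorted(apps_reachable(who)))
```

In this snapshot alice (User Admin) reaches bob and dave and therefore hr-sync-app, but not carol or erin, so backup-app stays out of reach; the same query run from carol (Global Admin) reaches everyone. The practical use is the inverse question: for each application holding privileged permissions, list its owners and check which reset-capable roles can reach them, then either move ownership to accounts those roles cannot reset or treat those owners as privileged.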

Next steps