Administrator role permissions in Azure Active Directory

Using Azure Active Directory (Azure AD), you can designate limited administrators to manage identity tasks in less-privileged roles. Administrators can be assigned for such purposes as adding or changing users, assigning administrative roles, resetting user passwords, managing user licenses, and managing domain names. The default user permissions can be changed only in user settings in Azure AD.

Limit the use of Global administrator

Users who are assigned to the Global administrator role can read and modify every administrative setting in your Azure AD organization. By default, the person who signs up for an Azure subscription is assigned the Global administrator role for the Azure AD organization. Only Global administrators and Privileged Role administrators can delegate administrator roles. To reduce the risk to your business, we recommend that you assign this role to the fewest possible people in your organization.

As a best practice, we recommend that you assign this role to fewer than 5 people in your organization. If you have more than five users assigned to the Global Administrator role in your organization, here are some ways to reduce its use.
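An added audit check for this recommendation (example code, not from the article or from Microsoft): it uses the AzureAD PowerShell module to list the members of the Global Administrator role, matching the "Company Administrator" name that the article notes Azure AD PowerShell uses for this role, and flags tenants at or above the article's figure of 5. It assumes Connect-AzureAD has already been run with an account that can read directory roles.

```powershell
# Added example (not from the original article). Assumes the AzureAD module is
# installed and Connect-AzureAD has already been run.
# Azure AD PowerShell exposes the Global Administrator role as "Company Administrator";
# newer module builds may already report "Global Administrator", so match both.
function Get-GlobalAdminReport {
    param([int]$Threshold = 5)   # the article recommends fewer than 5 holders

    $role = Get-AzureADDirectoryRole |
        Where-Object { $_.DisplayName -in @('Company Administrator', 'Global Administrator') } |
        Select-Object -First 1
    if (-not $role) { throw 'Global Administrator role not found in this tenant.' }

    # Members can be users, service principals or (with PIM) groups; record the type so
    # non-user holders stand out in the review.
    $members = @(Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId)

    [pscustomobject]@{
        RoleDisplayName  = $role.DisplayName
        MemberCount      = $members.Count
        ExceedsThreshold = ($members.Count -ge $Threshold)
        Members          = $members | ForEach-Object {
            [pscustomobject]@{
                DisplayName       = $_.DisplayName
                ObjectType        = $_.ObjectType          # User, ServicePrincipal, Group
                UserPrincipalName = $_.UserPrincipalName   # empty for non-user members
            }
        }
    }
}

$report = Get-GlobalAdminReport
$report.Members | Format-Table DisplayName, ObjectType, UserPrincipalName -AutoSize
if ($report.ExceedsThreshold) {
    Write-Warning ('{0} principals hold "{1}"; the guidance is fewer than 5. Review whether a limited role from the list below covers each holder''s tasks.' -f $report.MemberCount, $report.RoleDisplayName)
}
```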

Find the role you need

If it's frustrating for you to find the role you need out of a list of many roles, Azure AD can show you subsets of the roles based on role categories. Check out our new Type filter for Azure AD Roles and administrators to show you only the roles in the selected type.

A role exists now that didn't exist when you assigned the Global administrator role

It's possible that a role or roles were added to Azure AD that provide more granular permissions that were not an option when you elevated some users to Global administrator. Over time, we are rolling out additional roles that accomplish tasks that only the Global administrator role could do before. You can see these reflected in the following Available roles.

Assign or remove administrator roles

To learn how to assign administrative roles to a user in Azure Active Directory, see View and assign administrator roles in Azure Active Directory.

Available roles

The following administrator roles are available:

Application Administrator

Users in this role can create and manage all aspects of enterprise applications, application registrations, and application proxy settings. Note that users assigned to this role are not added as owners when creating new application registrations or enterprise applications.

Application Administrators can manage application credentials that allow them to impersonate the application. So, users assigned to this role can manage application credentials of only those applications that are either not assigned to any Azure AD roles or assigned only to the following admin roles:

  • Application Administrator
  • Application Developer
  • Cloud Application Administrator
  • Directory Readers

If an application is assigned to any other role that is not mentioned above, then the Application Administrator cannot manage credentials of that application.

This role also grants the ability to consent to delegated permissions and application permissions, with the exception of permissions on Microsoft Graph and Azure AD Graph.

Important

This exception means that you can still consent to permissions for other apps (for example, third-party apps or apps that you have registered), but not to permissions on Azure AD itself. You can still request these permissions as part of the app registration, but granting (that is, consenting to) these permissions requires an Azure AD admin. This means that a malicious user cannot easily elevate their permissions, for example by creating and consenting to an app that can write to the entire directory and, through that app's permissions, elevate themselves to become a global admin.

Application Developer

Users in this role can create application registrations when the "Users can register applications" setting is set to No. This role also grants permission to consent on one's own behalf when the "Users can consent to apps accessing company data on their behalf" setting is set to No. Users assigned to this role are added as owners when creating new application registrations or enterprise applications.

Authentication Administrator

Users with this role can set or reset non-password credentials and can update passwords for all users. Authentication Administrators can require users to re-register against existing non-password credentials (for example, MFA or FIDO) and revoke "remember MFA on the device", which prompts for MFA on the next sign-in of users who are non-administrators or assigned only the following roles:

  • Authentication Administrator
  • Directory Readers
  • Guest Inviter
  • Message Center Reader
  • Reports Reader

Important

Users with this role can change credentials for people who may have access to sensitive or private information or critical configuration inside and outside of Azure Active Directory. Changing the credentials of a user may mean the ability to assume that user's identity and permissions. For example:

  • Application Registration and Enterprise Application owners, who can manage credentials of apps they own. Those apps may have privileged permissions in Azure AD and elsewhere that are not granted to Authentication Administrators. Through this path an Authentication Administrator may be able to assume the identity of an application owner and then further assume the identity of a privileged application by updating the credentials for the application.
  • Azure subscription owners, who may have access to sensitive or private information or critical configuration in Azure.
  • Security Group and Office 365 Group owners, who can manage group membership. Those groups may grant access to sensitive or private information or critical configuration in Azure AD and elsewhere.
  • Administrators in other services outside of Azure AD, like Exchange Online, Office Security and Compliance Center, and human resources systems.
  • Non-administrators like executives, legal counsel, and human resources employees who may have access to sensitive or private information.

Azure DevOps Administrator

Users with this role can manage the Azure DevOps policy to restrict new Azure DevOps organization creation to a set of configurable users or groups. Users in this role can manage this policy through any Azure DevOps organization that is backed by the company's Azure AD organization.

All enterprise Azure DevOps policies can be managed by users in this role.

Azure Information Protection Administrator

Users with this role have all permissions in the Azure Information Protection service. This role allows configuring labels for the Azure Information Protection policy, managing protection templates, and activating protection. This role does not grant any permissions in Identity Protection Center, Privileged Identity Management, Monitor Office 365 Service Health, or Office 365 Security & Compliance Center.

B2C User Flow Administrator

Users with this role can create and manage B2C User Flows (also called "built-in" policies) in the Azure portal. By creating or editing user flows, these users can change the HTML/CSS/JavaScript content of the user experience, change MFA requirements per user flow, change claims in the token, and adjust session settings for all policies in the tenant. On the other hand, this role does not include the ability to review user data or make changes to the attributes that are included in the tenant schema. Changes to Identity Experience Framework (also known as Custom) policies are also outside the scope of this role.

B2C User Flow Attribute Administrator

Users with this role can add or delete custom attributes available to all user flows in the tenant. As such, users with this role can change or add new elements to the end user schema and impact the behavior of all user flows, and indirectly result in changes to what data may be asked of end users and ultimately sent as claims to applications. This role cannot edit user flows.

B2C IEF Keyset Administrator

Users in this role can create and manage policy keys and secrets for token encryption, token signatures, and claim encryption/decryption. By adding new keys to existing key containers, this limited administrator can roll over secrets as needed without impacting existing applications. This user can see the full content of these secrets and their expiration dates even after their creation.

Important

This is a sensitive role. The keyset administrator role should be carefully audited and assigned with care during pre-production and production.

B2C IEF Policy Administrator

Users in this role have the ability to create, read, update, and delete all custom policies in Azure AD B2C and therefore have full control over the Identity Experience Framework in the relevant Azure AD B2C tenant. By editing policies, this user can establish direct federation with external identity providers, change the directory schema, change all user-facing content (HTML, CSS, JavaScript), change the requirements to complete an authentication, create new users, send user data to external systems including full migrations, and edit all user information including sensitive fields like passwords and phone numbers. Conversely, this role cannot change the encryption keys or edit the secrets used for federation in the tenant.

Important

The B2C IEF Policy Administrator is a highly sensitive role which should be assigned on a very limited basis for tenants in production. Activities by these users should be closely audited, especially for tenants in production.

Billing Administrator

Makes purchases, manages subscriptions, manages support tickets, and monitors service health.

Cloud Application Administrator

Users in this role have the same permissions as the Application Administrator role, excluding the ability to manage application proxy. This role grants the ability to create and manage all aspects of enterprise applications and application registrations. This role also grants the ability to consent to delegated permissions and application permissions, excluding Microsoft Graph and Azure AD Graph. Users assigned to this role are not added as owners when creating new application registrations or enterprise applications.

Cloud Application Administrators can manage application credentials that allow them to impersonate the application. So, users assigned to this role can manage application credentials of only those applications that are either not assigned to any Azure AD roles or assigned only to the following admin roles:

  • Application Developer
  • Cloud Application Administrator
  • Directory Readers

If an application is assigned to any other role that is not mentioned above, then the Cloud Application Administrator cannot manage credentials of that application.

Cloud Device Administrator

Users in this role can enable, disable, and delete devices in Azure AD and read Windows 10 BitLocker keys (if present) in the Azure portal. The role does not grant permissions to manage any other properties on the device.

Compliance Administrator

Users with this role have permissions to manage compliance-related features in the Microsoft 365 compliance center, Microsoft 365 admin center, Azure, and Office 365 Security & Compliance Center. Assignees can also manage all features within the Exchange admin center and Teams & Skype for Business admin centers and create support tickets for Azure and Microsoft 365. More information is available at About Office 365 admin roles.

In                                       Can do
Microsoft 365 compliance center          Protect and manage your organization's data across Microsoft 365 services
                                         Manage compliance alerts
Compliance Manager                       Track, assign, and verify your organization's regulatory compliance activities
Office 365 Security & Compliance Center  Manage data governance
                                         Perform legal and data investigation
                                         Manage Data Subject Request
                                         This role has the same permissions as the Compliance Administrator RoleGroup in Office 365 Security & Compliance Center role-based access control.
Intune                                   View all Intune audit data
Cloud App Security                       Has read-only permissions and can manage alerts
                                         Can create and modify file policies and allow file governance actions
                                         Can view all the built-in reports under Data Management

Compliance Data Administrator

Users with this role have permissions to track data in the Microsoft 365 compliance center, Microsoft 365 admin center, and Azure. Users can also track compliance data within the Exchange admin center, Compliance Manager, and Teams & Skype for Business admin center and create support tickets for Azure and Microsoft 365.

In                                       Can do
Microsoft 365 compliance center          Monitor compliance-related policies across Microsoft 365 services
                                         Manage compliance alerts
Compliance Manager                       Track, assign, and verify your organization's regulatory compliance activities
Office 365 Security & Compliance Center  Manage data governance
                                         Perform legal and data investigation
                                         Manage Data Subject Request
                                         This role has the same permissions as the Compliance Data Administrator RoleGroup in Office 365 Security & Compliance Center role-based access control.
Intune                                   View all Intune audit data
Cloud App Security                       Has read-only permissions and can manage alerts
                                         Can create and modify file policies and allow file governance actions
                                         Can view all the built-in reports under Data Management

Conditional Access Administrator

Users with this role have the ability to manage Azure Active Directory Conditional Access settings.

Note

To deploy Exchange ActiveSync Conditional Access policy in Azure, the user must also be a Global Administrator.

Customer Lockbox access approver

Manages Customer Lockbox requests in your organization. They receive email notifications for Customer Lockbox requests and can approve and deny requests from the Microsoft 365 admin center. They can also turn the Customer Lockbox feature on or off. Only global admins can reset the passwords of people assigned to this role.

Desktop Analytics Administrator

Users in this role can manage the Desktop Analytics and Office Customization & Policy services. For Desktop Analytics, this includes the ability to view asset inventory, create deployment plans, and view deployment and health status. For the Office Customization & Policy service, this role enables users to manage Office policies.

Device Administrator

This role is available for assignment only as an additional local administrator in Device settings. Users with this role become local machine administrators on all Windows 10 devices that are joined to Azure Active Directory. They do not have the ability to manage device objects in Azure Active Directory.

Directory Readers

Users in this role can read basic directory information. This role should be used for:

  • Granting a specific set of guest users read access instead of granting it to all guest users.
  • Granting a specific set of non-admin users access to the Azure portal when "Restrict access to Azure AD portal to admins only" is set to "Yes".
  • Granting service principals access to the directory where Directory.Read.All is not an option.

Directory Synchronization Accounts

Do not use. This role is automatically assigned to the Azure AD Connect service, and is not intended or supported for any other use.

Directory Writers

This is a legacy role that is to be assigned to applications that do not support the Consent Framework. It should not be assigned to any users.

Dynamics 365 administrator / CRM Administrator

Users with this role have global permissions within Microsoft Dynamics 365 Online, when the service is present, as well as the ability to manage support tickets and monitor service health. More information at Use the service admin role to manage your tenant.

Note

In Microsoft Graph API, Azure AD Graph API, and Azure AD PowerShell, this role is identified as "Dynamics 365 Service Administrator". It is "Dynamics 365 Administrator" in the Azure portal.

Exchange Administrator

Users with this role have global permissions within Microsoft Exchange Online, when the service is present. They also have the ability to create and manage all Office 365 Groups, manage support tickets, and monitor service health. More information at About Office 365 admin roles.

Note

In Microsoft Graph API, Azure AD Graph API, and Azure AD PowerShell, this role is identified as "Exchange Service Administrator". It is "Exchange Administrator" in the Azure portal. It is "Exchange Online administrator" in the Exchange admin center.

External Identity Provider Administrator

This administrator manages federation between Azure Active Directory tenants and external identity providers. With this role, users can add new identity providers and configure all available settings (for example, authentication path, service ID, assigned key containers). This user can enable the tenant to trust authentications from external identity providers. The resulting impact on end user experiences depends on the type of tenant:

  • Azure Active Directory tenants for employees and partners: The addition of a federation (for example, with Gmail) will immediately impact all guest invitations not yet redeemed. See Adding Google as an identity provider for B2B guest users.
  • Azure Active Directory B2C tenants: The addition of a federation (for example, with Facebook, or with another Azure AD organization) does not immediately impact end user flows until the identity provider is added as an option in a user flow (also called a built-in policy). See Configuring a Microsoft account as an identity provider for an example. To change user flows, the limited role of "B2C User Flow Administrator" is required.

Global Administrator / Company Administrator

Users with this role have access to all administrative features in Azure Active Directory, as well as services that use Azure Active Directory identities like Microsoft 365 security center, Microsoft 365 compliance center, Exchange Online, SharePoint Online, and Skype for Business Online. The person who signs up for the Azure Active Directory tenant becomes a global administrator. Only global administrators can assign other administrator roles. There can be more than one global administrator at your company. Global admins can reset the password for any user and all other administrators.

Note

In Microsoft Graph API, Azure AD Graph API, and Azure AD PowerShell, this role is identified as "Company Administrator". It is "Global Administrator" in the Azure portal.

Global Reader

Users in this role can read settings and administrative information across Microsoft 365 services but can't take management actions. Global reader is the read-only counterpart to Global administrator. Assign Global reader instead of Global administrator for planning, audits, or investigations. Use Global reader in combination with other limited admin roles like Exchange Administrator to make it easier to get work done without assigning the Global Administrator role. Global reader works with Microsoft 365 admin center, Exchange admin center, Teams admin center, Security center, Compliance center, Azure AD admin center, and Device Management admin center.

Note

Global reader role has a few limitations right now -

These features are currently in development.

Group Administrator

Users in this role can create and manage groups and their settings, like naming and expiration policies. It is important to understand that assigning a user to this role gives them the ability to manage all groups in the tenant across various workloads like Teams, SharePoint, and Yammer, in addition to Outlook. The user will also be able to manage the various group settings across admin portals like Microsoft Admin Center and the Azure portal, as well as workload-specific ones like the Teams and SharePoint Admin Centers.

Guest Inviter

Users in this role can manage Azure Active Directory B2B guest user invitations when the "Members can invite" user setting is set to No. More information about B2B collaboration at About Azure AD B2B collaboration. It does not include any other permissions.

Helpdesk Administrator

Users with this role can change passwords, invalidate refresh tokens, manage service requests, and monitor service health. Invalidating a refresh token forces the user to sign in again. Helpdesk administrators can reset passwords and invalidate refresh tokens of other users who are non-administrators or assigned only the following roles:

  • Directory Readers
  • Guest Inviter
  • Helpdesk Administrator
  • Message Center Reader
  • Reports Reader

Important

Users with this role can change passwords for people who may have access to sensitive or private information or critical configuration inside and outside of Azure Active Directory. Changing the password of a user may mean the ability to assume that user's identity and permissions. For example:

  • Application Registration and Enterprise Application owners, who can manage credentials of apps they own. Those apps may have privileged permissions in Azure AD and elsewhere that are not granted to Helpdesk Administrators. Through this path a Helpdesk Administrator may be able to assume the identity of an application owner and then further assume the identity of a privileged application by updating the credentials for the application.
  • Azure subscription owners, who might have access to sensitive or private information or critical configuration in Azure.
  • Security Group and Office 365 Group owners, who can manage group membership. Those groups may grant access to sensitive or private information or critical configuration in Azure AD and elsewhere.
  • Administrators in other services outside of Azure AD, like Exchange Online, Office Security and Compliance Center, and human resources systems.
  • Non-administrators like executives, legal counsel, and human resources employees who may have access to sensitive or private information.

Delegating administrative permissions over subsets of users and applying policies to a subset of users is possible with Administrative Units (now in public preview).

This role was previously called "Password Administrator" in the Azure portal. The "Helpdesk Administrator" name in Azure AD now matches its name in Azure AD PowerShell, Azure AD Graph API, and Microsoft Graph API.

Intune 系統管理員Intune Administrator

此角色的使用者具有 Microsoft Intune Online (如其存在) 的全域權限。Users with this role have global permissions within Microsoft Intune Online, when the service is present. 此外,此角色包含管理使用者和裝置的能力,可相關聯原則以及建立和管理群組。Additionally, this role contains the ability to manage users and devices in order to associate policy, as well as create and manage groups. 以角色為基礎的系統管理控制(RBAC)與 Microsoft Intune的詳細資訊。More information at Role-based administration control (RBAC) with Microsoft Intune.

此角色可以建立和管理所有安全性群組。This role can create and manage all security groups. 不過,Intune 系統管理員沒有 Office 群組的系統管理許可權。However, Intune Admin does not have admin rights over Office groups. 這表示系統管理員無法更新租使用者中所有 Office 群組的擁有者或成員資格。That means the admin cannot update owners or memberships of all Office groups in the tenant. 不過,他/她可以管理他所建立的 Office 群組,這是他/她的使用者權限之一部分。However, he/she can manage the Office group that he creates which comes as a part of his/her end user privileges. 因此,他/她所建立的任何 Office 群組(而不是安全性群組),都應該根據其250的配額來計算。So, any Office group (not security group) that he/she creates should be counted against his/her quota of 250.

注意

在 Microsoft Graph API、Azure AD Graph API 和 Azure AD PowerShell 中,會將此角色識別為「Intune 服務管理員」。In Microsoft Graph API, Azure AD Graph API, and Azure AD PowerShell, this role is identified as "Intune Service Administrator ". Azure 入口網站中則是「Intune 管理員」。It is "Intune Administrator" in the Azure portal.

Kaizala Administrator

Users with this role have global permissions to manage settings within Microsoft Kaizala, when the service is present, as well as the ability to manage support tickets and monitor service health. Additionally, the user can access reports related to adoption and usage of Kaizala by organization members, and business reports generated using Kaizala actions.

License Administrator

Users in this role can add, remove, and update license assignments on users and groups (using group-based licensing), and manage the usage location on users. The role does not grant the ability to purchase or manage subscriptions, create or manage groups, or create or manage users beyond the usage location. This role has no access to view, create, or manage support tickets.

Message Center Privacy Reader

Users in this role can monitor all notifications in the Message Center, including data privacy messages. Message Center Privacy Readers get email notifications, including those related to data privacy, and they can unsubscribe using Message Center Preferences. Only the Global Administrator and the Message Center Privacy Reader can read data privacy messages. Additionally, this role contains the ability to view groups, domains, and subscriptions. This role has no permission to view, create, or manage service requests.

Message Center Reader

Users in this role can monitor notifications and advisory health updates in the Office 365 Message center for their organization on configured services such as Exchange, Intune, and Microsoft Teams. Message Center Readers receive weekly email digests of posts and updates, and can share message center posts in Office 365. In Azure AD, users assigned to this role will only have read-only access on Azure AD services such as users and groups. This role has no access to view, create, or manage support tickets.

Office Apps Administrator

Users in this role can manage Office 365 apps' cloud settings. This includes managing cloud policies, self-service download management, and the ability to view Office apps related reports. This role additionally grants the ability to manage support tickets and monitor service health within the main admin center. Users assigned to this role can also manage communication of new features in Office apps.

Partner Tier1 Support

Do not use. This role has been deprecated and will be removed from Azure AD in the future. This role is intended for use by a small number of Microsoft resale partners, and is not intended for general use.

Partner Tier2 Support

Do not use. This role has been deprecated and will be removed from Azure AD in the future. This role is intended for use by a small number of Microsoft resale partners, and is not intended for general use.

Password Administrator

Users with this role have limited ability to manage passwords. This role does not grant the ability to manage service requests or monitor service health. Password Administrators can reset passwords of other users only if those users are non-administrators or members of the following roles:

  • Directory Readers
  • Guest Inviter
  • Password Administrator

Power BI Administrator

Users with this role have global permissions within Microsoft Power BI, when the service is present, as well as the ability to manage support tickets and monitor service health. More information at Understanding the Power BI admin role.

Note

In Microsoft Graph API, Azure AD Graph API, and Azure AD PowerShell, this role is identified as "Power BI Service Administrator". It is "Power BI Administrator" in the Azure portal.

Power Platform Administrator

Users in this role can create and manage all aspects of environments, PowerApps, Flows, and Data Loss Prevention policies. Additionally, users with this role have the ability to manage support tickets and monitor service health.

Privileged Authentication Administrator

Users with this role can set or reset non-password credentials for all users, including Global Administrators, and can update passwords for all users. Privileged Authentication Administrators can force users to re-register against existing non-password credentials (for example, MFA or FIDO) and revoke "remember MFA on the device", prompting for MFA on the next login of all users.

Privileged Role Administrator

Users with this role can manage role assignments in Azure Active Directory, as well as within Azure AD Privileged Identity Management. In addition, this role allows management of all aspects of Privileged Identity Management and administrative units.

Important

This role grants the ability to manage assignments for all Azure AD roles, including the Global Administrator role. This role does not include any other privileged abilities in Azure AD, like creating or updating users. However, users assigned to this role can grant themselves or others additional privilege by assigning additional roles.

Reports Reader

Users with this role can view usage reporting data and the reports dashboard in the Microsoft 365 admin center, and the adoption context pack in Power BI. Additionally, the role provides access to sign-in reports and activity in Azure AD, and to data returned by the Microsoft Graph reporting API. A user assigned to the Reports Reader role can access only relevant usage and adoption metrics. They don't have any admin permissions to configure settings or access the product-specific admin centers like Exchange. This role has no access to view, create, or manage support tickets.

Search Administrator

Users in this role have full access to all Microsoft Search management features in the Microsoft 365 admin center. Search Administrators can delegate the Search Administrator and Search Editor roles to users, and create and manage content, like bookmarks, Q&As, and locations. Additionally, these users can view the message center, monitor service health, and create service requests.

Search Editor

Users in this role can create, manage, and delete content for Microsoft Search in the Microsoft 365 admin center, including bookmarks, Q&As, and locations.

Security Administrator

Users with this role have permissions to manage security-related features in the Microsoft 365 security center, Azure Active Directory Identity Protection, Azure Information Protection, and Office 365 Security & Compliance Center. More information about Office 365 permissions is available at Permissions in the Office 365 Security & Compliance Center.

In Microsoft 365 security center, can do:
  • Monitor security-related policies across Microsoft 365 services
  • Manage security threats and alerts
  • View reports
In Identity Protection Center, can do:
  • All permissions of the Security Reader role
  • Additionally, the ability to perform all Identity Protection Center operations except for resetting passwords
In Privileged Identity Management, can do:
  • All permissions of the Security Reader role
  • Cannot manage Azure AD role assignments or settings
In Office 365 Security & Compliance Center, can do:
  • Manage security policies
  • View, investigate, and respond to security threats
  • View reports
In Azure Advanced Threat Protection, can do:
  • Monitor and respond to suspicious security activity
In Windows Defender ATP and EDR, can do:
  • Assign roles
  • Manage machine groups
  • Configure endpoint threat detection and automated remediation
  • View, investigate, and respond to alerts
In Intune, can do:
  • View user, device, enrollment, configuration, and application information
  • Cannot make changes to Intune
In Cloud App Security, can do:
  • Add admins, add policies and settings, upload logs and perform governance actions
In Azure Security Center, can do:
  • View security policies, view security states, edit security policies, view alerts and recommendations, dismiss alerts and recommendations
In Office 365 service health, can do:
  • View the health of Office 365 services

Security Operator

Users with this role can manage alerts and have global read-only access on security-related features, including all information in the Microsoft 365 security center, Azure Active Directory, Identity Protection, Privileged Identity Management and the Office 365 Security & Compliance Center. More information about Office 365 permissions is available at Permissions in the Office 365 Security & Compliance Center.

In Microsoft 365 security center, can do:
  • All permissions of the Security Reader role
  • View, investigate, and respond to security threat alerts
In Identity Protection Center, can do:
  • All permissions of the Security Reader role
  • Additionally, the ability to perform all Identity Protection Center operations except for resetting passwords
In Privileged Identity Management, can do:
  • All permissions of the Security Reader role
In Office 365 Security & Compliance Center, can do:
  • All permissions of the Security Reader role
  • View, investigate, and respond to security alerts
In Windows Defender ATP and EDR, can do:
  • All permissions of the Security Reader role
  • View, investigate, and respond to security alerts
In Intune, can do:
  • All permissions of the Security Reader role
In Cloud App Security, can do:
  • All permissions of the Security Reader role
In Office 365 service health, can do:
  • View the health of Office 365 services

Security Reader

Users with this role have global read-only access on security-related features, including all information in the Microsoft 365 security center, Azure Active Directory, Identity Protection and Privileged Identity Management, as well as the ability to read Azure Active Directory sign-in reports and audit logs, and read-only access in the Office 365 Security & Compliance Center. More information about Office 365 permissions is available at Permissions in the Office 365 Security & Compliance Center.

In Microsoft 365 security center, can do:
  • View security-related policies across Microsoft 365 services
  • View security threats and alerts
  • View reports
In Identity Protection Center, can do:
  • Read all security reports and settings information for security features:
    • Anti-spam
    • Encryption
    • Data loss prevention
    • Anti-malware
    • Advanced threat protection
    • Anti-phishing
    • Mailflow rules
In Privileged Identity Management, can do:
  • Has read-only access to all information surfaced in Azure AD Privileged Identity Management: policies and reports for Azure AD role assignments and security reviews.
  • Cannot sign up for Azure AD Privileged Identity Management or make any changes to it. In the Privileged Identity Management portal or via PowerShell, someone in this role can activate additional roles (for example, Global Administrator or Privileged Role Administrator), if the user is eligible for them.
In Office 365 Security & Compliance Center, can do:
  • View security policies
  • View and investigate security threats
  • View reports
In Windows Defender ATP and EDR, can do:
  • View and investigate alerts. When you turn on role-based access control in Windows Defender ATP, users with read-only permissions such as the Azure AD Security Reader role lose access until they are assigned to a Windows Defender ATP role.
In Intune, can do:
  • View user, device, enrollment, configuration, and application information. Cannot make changes to Intune.
In Cloud App Security, can do:
  • Has read-only permissions and can manage alerts
In Azure Security Center, can do:
  • View recommendations and alerts, view security policies, view security states, but cannot make changes
In Office 365 service health, can do:
  • View the health of Office 365 services

Service Support Administrator

Users with this role can open support requests with Microsoft for Azure and Office 365 services, and view the service dashboard and message center in the Azure portal and the Microsoft 365 admin center. More information at About admin roles.

Note

In Microsoft Graph API, Azure AD Graph API, and Azure AD PowerShell, this role is identified as "Service Support Administrator". It is "Service Administrator" in the Azure portal, the Microsoft 365 admin center, and the Intune portal.

SharePoint Administrator

Users with this role have global permissions within Microsoft SharePoint Online, when the service is present, as well as the ability to create and manage all Office 365 Groups, manage support tickets, and monitor service health. More information at About admin roles.

Note

In Microsoft Graph API, Azure AD Graph API, and Azure AD PowerShell, this role is identified as "SharePoint Service Administrator". It is "SharePoint Administrator" in the Azure portal.

Skype for Business / Lync Administrator

Users with this role have global permissions within Microsoft Skype for Business, when the service is present, and can manage Skype-specific user attributes in Azure Active Directory. Additionally, this role grants the ability to manage support tickets and monitor service health, and to access the Teams and Skype for Business Admin Center. The account must also be licensed for Teams, or it can't run Teams PowerShell cmdlets. More information at About the Skype for Business admin role, and Teams licensing information at Skype for Business and Microsoft Teams add-on licensing.

Note

In Microsoft Graph API, Azure AD Graph API, and Azure AD PowerShell, this role is identified as "Lync Service Administrator". It is "Skype for Business Administrator" in the Azure portal.

Teams Administrator

Users in this role can manage all aspects of the Microsoft Teams workload via the Microsoft Teams & Skype for Business admin center and the respective PowerShell modules. This includes, among other areas, all management tools related to telephony, messaging, meetings, and the teams themselves. This role additionally grants the ability to create and manage all Office 365 Groups, manage support tickets, and monitor service health.

Note

In Microsoft Graph API, Azure AD Graph API, and Azure AD PowerShell, this role is identified as "Teams Service Administrator". It is "Teams Administrator" in the Azure portal.

Teams Communications Administrator

Users in this role can manage the aspects of the Microsoft Teams workload related to voice and telephony. This includes the management tools for telephone number assignment, voice and meeting policies, and full access to the call analytics toolset.

Teams Communications Support Engineer

Users in this role can troubleshoot communication issues within Microsoft Teams & Skype for Business using the user call troubleshooting tools in the Microsoft Teams & Skype for Business admin center. Users in this role can view full call record information for all participants involved. This role has no access to view, create, or manage support tickets.

Teams Communications Support Specialist

Users in this role can troubleshoot communication issues within Microsoft Teams & Skype for Business using the user call troubleshooting tools in the Microsoft Teams & Skype for Business admin center. Users in this role can only view user details in the call for the specific user they have looked up. This role has no access to view, create, or manage support tickets.

User Administrator

Users with this role can create users, manage all aspects of users with some restrictions (see below), and update password expiration policies. Additionally, users with this role can create and manage all groups. This role also includes the ability to create and manage user views, manage support tickets, and monitor service health. User Administrators don't have permission to manage some user properties for users in most administrator roles. The roles that are exceptions to this restriction are listed in the following table.

General permissions:
  • Create users and groups
  • Create and manage user views
  • Manage Office support tickets
  • Update password expiration policies

On all users, including all admins:
  • Manage licenses
  • Manage all user properties except User Principal Name

Only on users who are non-admins or in any of the following limited admin roles (Directory Readers, Guest Inviter, Helpdesk Administrator, Message Center Reader, Reports Reader, User Administrator):
  • Delete and restore
  • Disable and enable
  • Invalidate refresh tokens
  • Manage all user properties including User Principal Name
  • Reset password
  • Update (FIDO) device keys

Important

Users with this role can change passwords for people who may have access to sensitive or private information or critical configuration inside and outside of Azure Active Directory. Changing the password of a user may mean the ability to assume that user's identity and permissions. For example:

  • Application Registration and Enterprise Application owners, who can manage credentials of apps they own. Those apps may have privileged permissions in Azure AD and elsewhere that are not granted to User Administrators. Through this path a User Administrator may be able to assume the identity of an application owner and then further assume the identity of a privileged application by updating the credentials for the application.
  • Azure subscription owners, who may have access to sensitive or private information or critical configuration in Azure.
  • Security Group and Office 365 Group owners, who can manage group membership. Those groups may grant access to sensitive or private information or critical configuration in Azure AD and elsewhere.
  • Administrators in other services outside of Azure AD, like Exchange Online, Office Security and Compliance Center, and human resources systems.
  • Non-administrators like executives, legal counsel, and human resources employees who may have access to sensitive or private information.
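The Privileged Role Administrator note and the User Administrator note above both describe roles whose holders can reach other principals' credentials or role assignments, so the first defensive check is knowing who holds them. The following Azure AD PowerShell snippet is an added example (not code from this article or from Microsoft) that reports the members of those roles; it assumes the AzureAD module with an existing Connect-AzureAD session, and uses the role display names as given in this article.

```powershell
# Added example: list who holds the roles that can change other principals'
# passwords, non-password credentials, or role assignments.
# Assumes: AzureAD module installed and Connect-AzureAD already run.

# Role display names as used in this article. Other roles may carry a different
# name in Azure AD PowerShell than in the portal (see the Note sections above),
# so check the DisplayName values returned by Get-AzureADDirectoryRole if a
# role you expect is missing from the report.
$sensitiveRoles = @(
    'Privileged Role Administrator',
    'Privileged Authentication Administrator',
    'User Administrator',
    'Password Administrator',
    'Helpdesk Administrator'
)

# Get-AzureADDirectoryRole returns only roles that have been activated in the
# tenant; a role that has never had a member is simply absent from the output.
$activatedRoles = Get-AzureADDirectoryRole

$report = foreach ($roleName in $sensitiveRoles) {
    $role = $activatedRoles | Where-Object { $_.DisplayName -eq $roleName }
    if (-not $role) { continue }

    # Permanent (active) assignments only. Assignments that are merely eligible
    # in Privileged Identity Management are not returned by this cmdlet.
    foreach ($member in Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId) {
        # Service principals and groups have no UPN; fall back to the display name.
        $memberId = if ($member.UserPrincipalName) { $member.UserPrincipalName } else { $member.DisplayName }
        [pscustomobject]@{
            Role       = $roleName
            MemberType = $member.ObjectType   # User, ServicePrincipal or Group
            Member     = $memberId
        }
    }
}

# Summary: how many principals hold each sensitive role.
$report | Group-Object Role | Select-Object Name, Count | Sort-Object Count -Descending

# Detail: non-user members deserve a closer look, because whoever controls the
# service principal's credentials or the group's membership effectively holds
# the role without appearing in it by name.
$report | Where-Object { $_.MemberType -ne 'User' } | Format-Table Role, MemberType, Member -AutoSize
```

Run the summary against the "fewest possible people" guidance for privileged roles, and treat any service principal or group in these roles as a finding to justify explicitly.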

Role Permissions

The following tables describe the specific permissions in Azure Active Directory given to each role. Some roles may have additional permissions in Microsoft services outside of Azure Active Directory.

Application Administrator permissions

Can create and manage all aspects of app registrations and enterprise apps.

Actions and their descriptions:
microsoft.directory/Application/appProxyAuthentication/update: Update App Proxy authentication properties on service principals in Azure Active Directory.
microsoft.directory/Application/appProxyUrlSettings/update: Update application proxy internal and external URLs in Azure Active Directory.
microsoft.directory/applications/applicationProxy/read: Read all App Proxy properties.
microsoft.directory/applications/applicationProxy/update: Update all App Proxy properties.
microsoft.directory/applications/audience/update: Update the applications.audience property in Azure Active Directory.
microsoft.directory/applications/authentication/update: Update the applications.authentication property in Azure Active Directory.
microsoft.directory/applications/basic/update: Update basic properties on applications in Azure Active Directory.
microsoft.directory/applications/create: Create applications in Azure Active Directory.
microsoft.directory/applications/credentials/update: Update the applications.credentials property in Azure Active Directory.
microsoft.directory/applications/delete: Delete applications in Azure Active Directory.
microsoft.directory/applications/owners/update: Update the applications.owners property in Azure Active Directory.
microsoft.directory/applications/permissions/update: Update the applications.permissions property in Azure Active Directory.
microsoft.directory/applications/policies/update: Update the applications.policies property in Azure Active Directory.
microsoft.directory/appRoleAssignments/create: Create appRoleAssignments in Azure Active Directory.
microsoft.directory/appRoleAssignments/read: Read appRoleAssignments in Azure Active Directory.
microsoft.directory/appRoleAssignments/update: Update appRoleAssignments in Azure Active Directory.
microsoft.directory/appRoleAssignments/delete: Delete appRoleAssignments in Azure Active Directory.
microsoft.directory/auditLogs/allProperties/read: Read all properties (including privileged properties) on auditLogs in Azure Active Directory.
microsoft.directory/connectorGroups/everything/read: Read application proxy connector group properties in Azure Active Directory.
microsoft.directory/connectorGroups/everything/update: Update all application proxy connector group properties in Azure Active Directory.
microsoft.directory/connectorGroups/create: Create application proxy connector groups in Azure Active Directory.
microsoft.directory/connectorGroups/delete: Delete application proxy connector groups in Azure Active Directory.
microsoft.directory/connectors/everything/read: Read all application proxy connector properties in Azure Active Directory.
microsoft.directory/connectors/create: Create application proxy connectors in Azure Active Directory.
microsoft.directory/policies/applicationConfiguration/basic/read: Read the policies.applicationConfiguration property in Azure Active Directory.
microsoft.directory/policies/applicationConfiguration/basic/update: Update the policies.applicationConfiguration property in Azure Active Directory.
microsoft.directory/policies/applicationConfiguration/create: Create policies in Azure Active Directory.
microsoft.directory/policies/applicationConfiguration/delete: Delete policies in Azure Active Directory.
microsoft.directory/policies/applicationConfiguration/owners/read: Read the policies.applicationConfiguration property in Azure Active Directory.
microsoft.directory/policies/applicationConfiguration/owners/update: Update the policies.applicationConfiguration property in Azure Active Directory.
microsoft.directory/policies/applicationConfiguration/policyAppliedTo/read: Read the policies.applicationConfiguration property in Azure Active Directory.
microsoft.directory/servicePrincipals/appRoleAssignedTo/update: Update the servicePrincipals.appRoleAssignedTo property in Azure Active Directory.
microsoft.directory/servicePrincipals/appRoleAssignments/update: Update the servicePrincipals.appRoleAssignments property in Azure Active Directory.
microsoft.directory/servicePrincipals/audience/update: Update the servicePrincipals.audience property in Azure Active Directory.
microsoft.directory/servicePrincipals/authentication/update: Update the servicePrincipals.authentication property in Azure Active Directory.
microsoft.directory/servicePrincipals/basic/update: Update basic properties on servicePrincipals in Azure Active Directory.
microsoft.directory/servicePrincipals/create: Create servicePrincipals in Azure Active Directory.
microsoft.directory/servicePrincipals/credentials/update: Update the servicePrincipals.credentials property in Azure Active Directory.
microsoft.directory/servicePrincipals/delete: Delete servicePrincipals in Azure Active Directory.
microsoft.directory/servicePrincipals/owners/update: Update the servicePrincipals.owners property in Azure Active Directory.
microsoft.directory/servicePrincipals/permissions/update: Update the servicePrincipals.permissions property in Azure Active Directory.
microsoft.directory/servicePrincipals/policies/update: Update the servicePrincipals.policies property in Azure Active Directory.
microsoft.directory/signInReports/allProperties/read: Read all properties (including privileged properties) on signInReports in Azure Active Directory.
microsoft.azure.serviceHealth/allEntities/allTasks: Read and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasks: Create and manage Azure support tickets.
microsoft.office365.serviceHealth/allEntities/allTasksmicrosoft.office365.serviceHealth/allEntities/allTasks 讀取及設定 Office 365 服務健康情況。Read and configure Office 365 Service Health.
microsoft.office365.supportTickets/allEntities/allTasksmicrosoft.office365.supportTickets/allEntities/allTasks 建立和管理 Office 365 支援票證。Create and manage Office 365 support tickets.

Application Developer permissions

Can create application registrations independent of the 'Users can register applications' setting.

Actions | Description
microsoft.directory/applications/createAsOwner | Create applications in Azure Active Directory. Creator is added as the first owner, and the created object counts against the creator's 250 created objects quota.
microsoft.directory/appRoleAssignments/createAsOwner | Create appRoleAssignments in Azure Active Directory. Creator is added as the first owner, and the created object counts against the creator's 250 created objects quota.
microsoft.directory/oAuth2PermissionGrants/createAsOwner | Create oAuth2PermissionGrants in Azure Active Directory. Creator is added as the first owner, and the created object counts against the creator's 250 created objects quota.
microsoft.directory/servicePrincipals/createAsOwner | Create servicePrincipals in Azure Active Directory. Creator is added as the first owner, and the created object counts against the creator's 250 created objects quota.

Authentication Administrator permissions

Allowed to view, set and reset authentication method information for any non-admin user.

Actions | Description
microsoft.directory/users/invalidateAllRefreshTokens | Invalidate all user refresh tokens in Azure Active Directory.
microsoft.directory/users/strongAuthentication/update | Update strong authentication properties like MFA credential information.
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets.
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health.
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets.
microsoft.directory/users/password/update | Update passwords for all users in the Office 365 organization. See online documentation for more detail.

Azure DevOps Administrator permissions

Can manage Azure DevOps organization policy and settings.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

Actions | Description
microsoft.azure.devOps/allEntities/allTasks | Read and configure Azure DevOps.

Azure Information Protection Administrator permissions

Can manage all aspects of the Azure Information Protection service.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

Actions | Description
microsoft.azure.informationProtection/allEntities/allTasks | Manage all aspects of Azure Information Protection.
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets.
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health.
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets.

B2C User Flow Administrator permissions

Create and manage all aspects of user flows.

Actions | Description
microsoft.aad.b2c/userFlows/allTasks | Read and configure user flows in Azure Active Directory B2C.

B2C User Flow Attribute Administrator permissions

Create and manage the attribute schema available to all user flows.

Actions | Description
microsoft.aad.b2c/userAttributes/allTasks | Read and configure user attributes in Azure Active Directory B2C.

B2C IEF Keyset Administrator permissions

Manage secrets for federation and encryption in the Identity Experience Framework.

Actions | Description
microsoft.aad.b2c/trustFramework/keySets/allTasks | Read and configure key sets in Azure Active Directory B2C.

B2C IEF Policy Administrator permissions

Create and manage trust framework policies in the Identity Experience Framework.

Actions | Description
microsoft.aad.b2c/trustFramework/policies/allTasks | Read and configure custom policies in Azure Active Directory B2C.

Billing Administrator permissions

Can perform common billing-related tasks like updating payment information.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

Actions | Description
microsoft.directory/organization/basic/update | Update basic properties on organization in Azure Active Directory.
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets.
microsoft.commerce.billing/allEntities/allTasks | Manage all aspects of Office 365 billing.
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health.
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets.

Cloud Application Administrator permissions

Can create and manage all aspects of app registrations and enterprise apps except App Proxy.

Actions | Description
microsoft.directory/applications/audience/update | Update applications.audience property in Azure Active Directory.
microsoft.directory/applications/authentication/update | Update applications.authentication property in Azure Active Directory.
microsoft.directory/applications/basic/update | Update basic properties on applications in Azure Active Directory.
microsoft.directory/applications/create | Create applications in Azure Active Directory.
microsoft.directory/applications/credentials/update | Update applications.credentials property in Azure Active Directory.
microsoft.directory/applications/delete | Delete applications in Azure Active Directory.
microsoft.directory/applications/owners/update | Update applications.owners property in Azure Active Directory.
microsoft.directory/applications/permissions/update | Update applications.permissions property in Azure Active Directory.
microsoft.directory/applications/policies/update | Update applications.policies property in Azure Active Directory.
microsoft.directory/appRoleAssignments/create | Create appRoleAssignments in Azure Active Directory.
microsoft.directory/appRoleAssignments/update | Update appRoleAssignments in Azure Active Directory.
microsoft.directory/appRoleAssignments/delete | Delete appRoleAssignments in Azure Active Directory.
microsoft.directory/auditLogs/allProperties/read | Read all properties (including privileged properties) on auditLogs in Azure Active Directory.
microsoft.directory/policies/applicationConfiguration/create | Create policies in Azure Active Directory.
microsoft.directory/policies/applicationConfiguration/basic/read | Read policies.applicationConfiguration property in Azure Active Directory.
microsoft.directory/policies/applicationConfiguration/basic/update | Update policies.applicationConfiguration property in Azure Active Directory.
microsoft.directory/policies/applicationConfiguration/delete | Delete policies in Azure Active Directory.
microsoft.directory/policies/applicationConfiguration/owners/read | Read policies.applicationConfiguration property in Azure Active Directory.
microsoft.directory/policies/applicationConfiguration/owners/update | Update policies.applicationConfiguration property in Azure Active Directory.
microsoft.directory/policies/applicationConfiguration/policyAppliedTo/read | Read policies.applicationConfiguration property in Azure Active Directory.
microsoft.directory/servicePrincipals/appRoleAssignedTo/update | Update servicePrincipals.appRoleAssignedTo property in Azure Active Directory.
microsoft.directory/servicePrincipals/appRoleAssignments/update | Update servicePrincipals.appRoleAssignments property in Azure Active Directory.
microsoft.directory/servicePrincipals/audience/update | Update servicePrincipals.audience property in Azure Active Directory.
microsoft.directory/servicePrincipals/authentication/update | Update servicePrincipals.authentication property in Azure Active Directory.
microsoft.directory/servicePrincipals/basic/update | Update basic properties on servicePrincipals in Azure Active Directory.
microsoft.directory/servicePrincipals/create | Create servicePrincipals in Azure Active Directory.
microsoft.directory/servicePrincipals/credentials/update | Update servicePrincipals.credentials property in Azure Active Directory.
microsoft.directory/servicePrincipals/delete | Delete servicePrincipals in Azure Active Directory.
microsoft.directory/servicePrincipals/owners/update | Update servicePrincipals.owners property in Azure Active Directory.
microsoft.directory/servicePrincipals/permissions/update | Update servicePrincipals.permissions property in Azure Active Directory.
microsoft.directory/servicePrincipals/policies/update | Update servicePrincipals.policies property in Azure Active Directory.
microsoft.directory/signInReports/allProperties/read | Read all properties (including privileged properties) on signInReports in Azure Active Directory.
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets.
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health.
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets.

Cloud Device Administrator permissions

Full access to manage devices in Azure AD.

Actions | Description
microsoft.directory/auditLogs/allProperties/read | Read all properties (including privileged properties) on auditLogs in Azure Active Directory.
microsoft.directory/devices/bitLockerRecoveryKeys/read | Read devices.bitLockerRecoveryKeys property in Azure Active Directory.
microsoft.directory/devices/delete | Delete devices in Azure Active Directory.
microsoft.directory/devices/disable | Disable devices in Azure Active Directory.
microsoft.directory/devices/enable | Enable devices in Azure Active Directory.
microsoft.directory/signInReports/allProperties/read | Read all properties (including privileged properties) on signInReports in Azure Active Directory.
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health.

Company Administrator permissions

Can manage all aspects of Azure AD and Microsoft services that use Azure AD identities.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

Actions | Description
microsoft.aad.cloudAppSecurity/allEntities/allTasks | Create and delete all resources, and read and update standard properties in microsoft.aad.cloudAppSecurity.
microsoft.directory/administrativeUnits/allProperties/allTasks | Create and delete administrativeUnits, and read and update all properties in Azure Active Directory.
microsoft.directory/applications/allProperties/allTasks | Create and delete applications, and read and update all properties in Azure Active Directory.
microsoft.directory/appRoleAssignments/allProperties/allTasks | Create and delete appRoleAssignments, and read and update all properties in Azure Active Directory.
microsoft.directory/auditLogs/allProperties/read | Read all properties (including privileged properties) on auditLogs in Azure Active Directory.
microsoft.directory/contacts/allProperties/allTasks | Create and delete contacts, and read and update all properties in Azure Active Directory.
microsoft.directory/contracts/allProperties/allTasks | Create and delete contracts, and read and update all properties in Azure Active Directory.
microsoft.directory/devices/allProperties/allTasks | Create and delete devices, and read and update all properties in Azure Active Directory.
microsoft.directory/directoryRoles/allProperties/allTasks | Create and delete directoryRoles, and read and update all properties in Azure Active Directory.
microsoft.directory/directoryRoleTemplates/allProperties/allTasks | Create and delete directoryRoleTemplates, and read and update all properties in Azure Active Directory.
microsoft.directory/domains/allProperties/allTasks | Create and delete domains, and read and update all properties in Azure Active Directory.
microsoft.directory/groups/allProperties/allTasks | Create and delete groups, and read and update all properties in Azure Active Directory.
microsoft.directory/groupSettings/allProperties/allTasks | Create and delete groupSettings, and read and update all properties in Azure Active Directory.
microsoft.directory/groupSettingTemplates/allProperties/allTasks | Create and delete groupSettingTemplates, and read and update all properties in Azure Active Directory.
microsoft.directory/loginTenantBranding/allProperties/allTasks | Create and delete loginTenantBranding, and read and update all properties in Azure Active Directory.
microsoft.directory/oAuth2PermissionGrants/allProperties/allTasks | Create and delete oAuth2PermissionGrants, and read and update all properties in Azure Active Directory.
microsoft.directory/organization/allProperties/allTasks | Create and delete organization, and read and update all properties in Azure Active Directory.
microsoft.directory/policies/allProperties/allTasks | Create and delete policies, and read and update all properties in Azure Active Directory.
microsoft.directory/roleAssignments/allProperties/allTasks | Create and delete roleAssignments, and read and update all properties in Azure Active Directory.
microsoft.directory/roleDefinitions/allProperties/allTasks | Create and delete roleDefinitions, and read and update all properties in Azure Active Directory.
microsoft.directory/scopedRoleMemberships/allProperties/allTasks | Create and delete scopedRoleMemberships, and read and update all properties in Azure Active Directory.
microsoft.directory/serviceAction/activateService | Can perform the Activateservice service action in Azure Active Directory.
microsoft.directory/serviceAction/disableDirectoryFeature | Can perform the Disabledirectoryfeature service action in Azure Active Directory.
microsoft.directory/serviceAction/enableDirectoryFeature | Can perform the Enabledirectoryfeature service action in Azure Active Directory.
microsoft.directory/serviceAction/getAvailableExtentionProperties | Can perform the Getavailableextentionproperties service action in Azure Active Directory.
microsoft.directory/servicePrincipals/allProperties/allTasks | Create and delete servicePrincipals, and read and update all properties in Azure Active Directory.
microsoft.directory/signInReports/allProperties/read | Read all properties (including privileged properties) on signInReports in Azure Active Directory.
microsoft.directory/subscribedSkus/allProperties/allTasks | Create and delete subscribedSkus, and read and update all properties in Azure Active Directory.
microsoft.directory/users/allProperties/allTasks | Create and delete users, and read and update all properties in Azure Active Directory.
microsoft.directorySync/allEntities/allTasks | Perform all actions in Azure AD Connect.
microsoft.aad.identityProtection/allEntities/allTasks | Create and delete all resources, and read and update standard properties in microsoft.aad.identityProtection.
microsoft.aad.privilegedIdentityManagement/allEntities/read | Read all resources in microsoft.aad.privilegedIdentityManagement.
microsoft.azure.advancedThreatProtection/allEntities/read | Read all resources in microsoft.azure.advancedThreatProtection.
microsoft.azure.informationProtection/allEntities/allTasks | Manage all aspects of Azure Information Protection.
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets.
microsoft.commerce.billing/allEntities/allTasks | Manage all aspects of Office 365 billing.
microsoft.intune/allEntities/allTasks | Manage all aspects of Intune.
microsoft.office365.complianceManager/allEntities/allTasks | Manage all aspects of Office 365 Compliance Manager.
microsoft.office365.desktopAnalytics/allEntities/allTasks | Manage all aspects of Desktop Analytics.
microsoft.office365.exchange/allEntities/allTasks | Manage all aspects of Exchange Online.
microsoft.office365.lockbox/allEntities/allTasks | Manage all aspects of Office 365 Customer Lockbox.
microsoft.office365.messageCenter/messages/read | Read messages in microsoft.office365.messageCenter.
microsoft.office365.messageCenter/securityMessages/read | Read securityMessages in microsoft.office365.messageCenter.
microsoft.office365.protectionCenter/allEntities/allTasks | Manage all aspects of Office 365 Protection Center.
microsoft.office365.securityComplianceCenter/allEntities/allTasks | Create and delete all resources, and read and update standard properties in microsoft.office365.securityComplianceCenter.
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health.
microsoft.office365.sharepoint/allEntities/allTasks | Create and delete all resources, and read and update standard properties in microsoft.office365.sharepoint.
microsoft.office365.skypeForBusiness/allEntities/allTasks | Manage all aspects of Skype for Business Online.
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets.
microsoft.office365.usageReports/allEntities/read | Read Office 365 usage reports.
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.
microsoft.powerApps.dynamics365/allEntities/allTasks | Manage all aspects of Dynamics 365.
microsoft.powerApps.powerBI/allEntities/allTasks | Manage all aspects of Power BI.
microsoft.windows.defenderAdvancedThreatProtection/allEntities/read | Read all resources in microsoft.windows.defenderAdvancedThreatProtection.

Compliance Administrator permissions

Can read and manage compliance configuration and reports in Azure AD and Office 365.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

| Actions | Description |
| --- | --- |
| microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health. |
| microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets. |
| microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. |
| microsoft.office365.complianceManager/allEntities/allTasks | Manage all aspects of Office 365 Compliance Manager. |
| microsoft.office365.exchange/allEntities/allTasks | Manage all aspects of Exchange Online. |
| microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health. |
| microsoft.office365.sharepoint/allEntities/allTasks | Create and delete all resources, and read and update standard properties in microsoft.office365.sharepoint. |
| microsoft.office365.skypeForBusiness/allEntities/allTasks | Manage all aspects of Skype for Business Online. |
| microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets. |

Compliance Data Administrator permissions

Creates and manages compliance content.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

| Actions | Description |
| --- | --- |
| microsoft.aad.cloudAppSecurity/allEntities/allTasks | Read and configure Microsoft Cloud App Security. |
| microsoft.azure.informationProtection/allEntities/allTasks | Manage all aspects of Azure Information Protection. |
| microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health. |
| microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets. |
| microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. |
| microsoft.office365.complianceManager/allEntities/allTasks | Manage all aspects of Office 365 Compliance Manager. |
| microsoft.office365.exchange/allEntities/allTasks | Manage all aspects of Exchange Online. |
| microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health. |
| microsoft.office365.sharepoint/allEntities/allTasks | Create and delete all resources, and read and update standard properties in microsoft.office365.sharepoint. |
| microsoft.office365.skypeForBusiness/allEntities/allTasks | Manage all aspects of Skype for Business Online. |
| microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets. |

Conditional Access Administrator permissions

Can manage Conditional Access capabilities. Because the actions below include creating, updating and deleting Conditional Access policies, a holder of this role can weaken or remove the sign-in controls that protect every other account in the tenant, so treat it as a privileged role and keep its membership as small as the Global Administrator role.

| Actions | Description |
| --- | --- |
| microsoft.directory/policies/conditionalAccess/basic/read | Read policies.conditionalAccess property in Azure Active Directory. |
| microsoft.directory/policies/conditionalAccess/basic/update | Update policies.conditionalAccess property in Azure Active Directory. |
| microsoft.directory/policies/conditionalAccess/create | Create policies in Azure Active Directory. |
| microsoft.directory/policies/conditionalAccess/delete | Delete policies in Azure Active Directory. |
| microsoft.directory/policies/conditionalAccess/owners/read | Read policies.conditionalAccess property in Azure Active Directory. |
| microsoft.directory/policies/conditionalAccess/owners/update | Update policies.conditionalAccess property in Azure Active Directory. |
| microsoft.directory/policies/conditionalAccess/policiesAppliedTo/read | Read policies.conditionalAccess property in Azure Active Directory. |
| microsoft.directory/policies/conditionalAccess/tenantDefault/update | Update policies.conditionalAccess property in Azure Active Directory. |

CRM Service Administrator permissions

Can manage all aspects of the Dynamics 365 product.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

| Actions | Description |
| --- | --- |
| microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health. |
| microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets. |
| microsoft.powerApps.dynamics365/allEntities/allTasks | Manage all aspects of Dynamics 365. |
| microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. |
| microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health. |
| microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets. |

Customer Lockbox Access Approver permissions

Can approve Microsoft support requests to access customer organizational data.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

| Actions | Description |
| --- | --- |
| microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. |
| microsoft.office365.lockbox/allEntities/allTasks | Manage all aspects of Office 365 Customer Lockbox. |

Desktop Analytics Administrator permissions

Can manage the Desktop Analytics and Office Customization & Policy services. For Desktop Analytics, this includes the ability to view asset inventory, create deployment plans, and view deployment and health status. For the Office Customization & Policy service, this role enables users to manage Office policies.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

| Actions | Description |
| --- | --- |
| microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health. |
| microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets. |
| microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. |
| microsoft.office365.desktopAnalytics/allEntities/allTasks | Manage all aspects of Desktop Analytics. |
| microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health. |
| microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets. |

Device Administrators permissions

Users assigned to this role are added to the local administrators group on Azure AD-joined devices. The two directory actions listed below are read-only; the real privilege of this role is the local administrative control it grants over every Azure AD-joined device in the tenant, so review its membership with the same care as any other privileged role.

| Actions | Description |
| --- | --- |
| microsoft.directory/groupSettings/basic/read | Read basic properties on groupSettings in Azure Active Directory. |
| microsoft.directory/groupSettingTemplates/basic/read | Read basic properties on groupSettingTemplates in Azure Active Directory. |

Directory Readers permissions

Can read basic directory information. For granting access to applications, not intended for users.

| Actions | Description |
| --- | --- |
| microsoft.directory/administrativeUnits/basic/read | Read basic properties on administrativeUnits in Azure Active Directory. |
| microsoft.directory/administrativeUnits/members/read | Read administrativeUnits.members property in Azure Active Directory. |
| microsoft.directory/applications/basic/read | Read basic properties on applications in Azure Active Directory. |
| microsoft.directory/applications/owners/read | Read applications.owners property in Azure Active Directory. |
| microsoft.directory/applications/policies/read | Read applications.policies property in Azure Active Directory. |
| microsoft.directory/contacts/basic/read | Read basic properties on contacts in Azure Active Directory. |
| microsoft.directory/contacts/memberOf/read | Read contacts.memberOf property in Azure Active Directory. |
| microsoft.directory/contracts/basic/read | Read basic properties on contracts in Azure Active Directory. |
| microsoft.directory/devices/basic/read | Read basic properties on devices in Azure Active Directory. |
| microsoft.directory/devices/memberOf/read | Read devices.memberOf property in Azure Active Directory. |
| microsoft.directory/devices/registeredOwners/read | Read devices.registeredOwners property in Azure Active Directory. |
| microsoft.directory/devices/registeredUsers/read | Read devices.registeredUsers property in Azure Active Directory. |
| microsoft.directory/directoryRoles/basic/read | Read basic properties on directoryRoles in Azure Active Directory. |
| microsoft.directory/directoryRoles/eligibleMembers/read | Read directoryRoles.eligibleMembers property in Azure Active Directory. |
| microsoft.directory/directoryRoles/members/read | Read directoryRoles.members property in Azure Active Directory. |
| microsoft.directory/domains/basic/read | Read basic properties on domains in Azure Active Directory. |
| microsoft.directory/groups/appRoleAssignments/read | Read groups.appRoleAssignments property in Azure Active Directory. |
| microsoft.directory/groups/basic/read | Read basic properties on groups in Azure Active Directory. |
| microsoft.directory/groups/memberOf/read | Read groups.memberOf property in Azure Active Directory. |
| microsoft.directory/groups/members/read | Read groups.members property in Azure Active Directory. |
| microsoft.directory/groups/owners/read | Read groups.owners property in Azure Active Directory. |
| microsoft.directory/groups/settings/read | Read groups.settings property in Azure Active Directory. |
| microsoft.directory/groupSettings/basic/read | Read basic properties on groupSettings in Azure Active Directory. |
| microsoft.directory/groupSettingTemplates/basic/read | Read basic properties on groupSettingTemplates in Azure Active Directory. |
| microsoft.directory/oAuth2PermissionGrants/basic/read | Read basic properties on oAuth2PermissionGrants in Azure Active Directory. |
| microsoft.directory/organization/basic/read | Read basic properties on organization in Azure Active Directory. |
| microsoft.directory/organization/trustedCAsForPasswordlessAuth/read | Read organization.trustedCAsForPasswordlessAuth property in Azure Active Directory. |
| microsoft.directory/roleAssignments/basic/read | Read basic properties on roleAssignments in Azure Active Directory. |
| microsoft.directory/roleDefinitions/basic/read | Read basic properties on roleDefinitions in Azure Active Directory. |
| microsoft.directory/servicePrincipals/appRoleAssignedTo/read | Read servicePrincipals.appRoleAssignedTo property in Azure Active Directory. |
| microsoft.directory/servicePrincipals/appRoleAssignments/read | Read servicePrincipals.appRoleAssignments property in Azure Active Directory. |
| microsoft.directory/servicePrincipals/basic/read | Read basic properties on servicePrincipals in Azure Active Directory. |
| microsoft.directory/servicePrincipals/memberOf/read | Read servicePrincipals.memberOf property in Azure Active Directory. |
| microsoft.directory/servicePrincipals/oAuth2PermissionGrants/basic/read | Read servicePrincipals.oAuth2PermissionGrants property in Azure Active Directory. |
| microsoft.directory/servicePrincipals/ownedObjects/read | Read servicePrincipals.ownedObjects property in Azure Active Directory. |
| microsoft.directory/servicePrincipals/owners/read | Read servicePrincipals.owners property in Azure Active Directory. |
| microsoft.directory/servicePrincipals/policies/read | Read servicePrincipals.policies property in Azure Active Directory. |
| microsoft.directory/subscribedSkus/basic/read | Read basic properties on subscribedSkus in Azure Active Directory. |
| microsoft.directory/users/appRoleAssignments/read | Read users.appRoleAssignments property in Azure Active Directory. |
| microsoft.directory/users/basic/read | Read basic properties on users in Azure Active Directory. |
| microsoft.directory/users/directReports/read | Read users.directReports property in Azure Active Directory. |
| microsoft.directory/users/manager/read | Read users.manager property in Azure Active Directory. |
| microsoft.directory/users/memberOf/read | Read users.memberOf property in Azure Active Directory. |
| microsoft.directory/users/oAuth2PermissionGrants/basic/read | Read users.oAuth2PermissionGrants property in Azure Active Directory. |
| microsoft.directory/users/ownedDevices/read | Read users.ownedDevices property in Azure Active Directory. |
| microsoft.directory/users/ownedObjects/read | Read users.ownedObjects property in Azure Active Directory. |
| microsoft.directory/users/registeredDevices/read | Read users.registeredDevices property in Azure Active Directory. |

Directory Synchronization Accounts permissions

Only used by the Azure AD Connect service. Note that the actions below let this role create service principals, update their credentials, permissions and authentication settings, and create, update and delete policies, so the synchronization account that holds it is as sensitive as any human administrator: protect the server it runs on, monitor its sign-ins, and do not assign the role to anything other than Azure AD Connect.

| Actions | Description |
| --- | --- |
| microsoft.directory/organization/dirSync/update | Update organization.dirSync property in Azure Active Directory. |
| microsoft.directory/policies/create | Create policies in Azure Active Directory. |
| microsoft.directory/policies/delete | Delete policies in Azure Active Directory. |
| microsoft.directory/policies/basic/read | Read basic properties on policies in Azure Active Directory. |
| microsoft.directory/policies/basic/update | Update basic properties on policies in Azure Active Directory. |
| microsoft.directory/policies/owners/read | Read policies.owners property in Azure Active Directory. |
| microsoft.directory/policies/owners/update | Update policies.owners property in Azure Active Directory. |
| microsoft.directory/policies/policiesAppliedTo/read | Read policies.policiesAppliedTo property in Azure Active Directory. |
| microsoft.directory/policies/tenantDefault/update | Update policies.tenantDefault property in Azure Active Directory. |
| microsoft.directory/servicePrincipals/appRoleAssignedTo/read | Read servicePrincipals.appRoleAssignedTo property in Azure Active Directory. |
| microsoft.directory/servicePrincipals/appRoleAssignedTo/update | Update servicePrincipals.appRoleAssignedTo property in Azure Active Directory. |
| microsoft.directory/servicePrincipals/appRoleAssignments/read | Read servicePrincipals.appRoleAssignments property in Azure Active Directory. |
| microsoft.directory/servicePrincipals/appRoleAssignments/update | Update servicePrincipals.appRoleAssignments property in Azure Active Directory. |
| microsoft.directory/servicePrincipals/audience/update | Update servicePrincipals.audience property in Azure Active Directory. |
| microsoft.directory/servicePrincipals/authentication/update | Update servicePrincipals.authentication property in Azure Active Directory. |
| microsoft.directory/servicePrincipals/basic/read | Read basic properties on servicePrincipals in Azure Active Directory. |
| microsoft.directory/servicePrincipals/basic/update | Update basic properties on servicePrincipals in Azure Active Directory. |
| microsoft.directory/servicePrincipals/create | Create servicePrincipals in Azure Active Directory. |
| microsoft.directory/servicePrincipals/credentials/update | Update servicePrincipals.credentials property in Azure Active Directory. |
| microsoft.directory/servicePrincipals/memberOf/read | Read servicePrincipals.memberOf property in Azure Active Directory. |
| microsoft.directory/servicePrincipals/oAuth2PermissionGrants/basic/read | Read servicePrincipals.oAuth2PermissionGrants property in Azure Active Directory. |
| microsoft.directory/servicePrincipals/owners/read | Read servicePrincipals.owners property in Azure Active Directory. |
| microsoft.directory/servicePrincipals/owners/update | Update servicePrincipals.owners property in Azure Active Directory. |
| microsoft.directory/servicePrincipals/ownedObjects/read | Read servicePrincipals.ownedObjects property in Azure Active Directory. |
| microsoft.directory/servicePrincipals/permissions/update | Update servicePrincipals.permissions property in Azure Active Directory. |
| microsoft.directory/servicePrincipals/policies/read | Read servicePrincipals.policies property in Azure Active Directory. |
| microsoft.directory/servicePrincipals/policies/update | Update servicePrincipals.policies property in Azure Active Directory. |
| microsoft.directorySync/allEntities/allTasks | Perform all actions in Azure AD Connect. |

Directory Writers permissions

Can read and write basic directory information. For granting access to applications, not intended for users.

| Actions | Description |
| --- | --- |
| microsoft.directory/groups/create | Create groups in Azure Active Directory. |
| microsoft.directory/groups/createAsOwner | Create groups in Azure Active Directory. The creator is added as the first owner, and the created object counts against the creator's quota of 250 created objects. |
| microsoft.directory/groups/appRoleAssignments/update | Update groups.appRoleAssignments property in Azure Active Directory. |
| microsoft.directory/groups/basic/update | Update basic properties on groups in Azure Active Directory. |
| microsoft.directory/groups/members/update | Update groups.members property in Azure Active Directory. |
| microsoft.directory/groups/owners/update | Update groups.owners property in Azure Active Directory. |
| microsoft.directory/groups/settings/update | Update groups.settings property in Azure Active Directory. |
| microsoft.directory/groupSettings/basic/update | Update basic properties on groupSettings in Azure Active Directory. |
| microsoft.directory/groupSettings/create | Create groupSettings in Azure Active Directory. |
| microsoft.directory/groupSettings/delete | Delete groupSettings in Azure Active Directory. |
| microsoft.directory/users/appRoleAssignments/update | Update users.appRoleAssignments property in Azure Active Directory. |
| microsoft.directory/users/assignLicense | Manage licenses on users in Azure Active Directory. |
| microsoft.directory/users/basic/update | Update basic properties on users in Azure Active Directory. |
| microsoft.directory/users/invalidateAllRefreshTokens | Invalidate all user refresh tokens in Azure Active Directory. |
| microsoft.directory/users/manager/update | Update users.manager property in Azure Active Directory. |
| microsoft.directory/users/userPrincipalName/update | Update users.userPrincipalName property in Azure Active Directory. |
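The role descriptions above carry the constraints a reviewer has to check by hand: Conditional Access Administrator and Device Administrators are privileged roles meant for a few people, while Directory Readers and Directory Writers are "not intended for users" and Directory Synchronization Accounts is "only used by Azure AD Connect". The following script is an added example, not code from the original Microsoft documentation; it enumerates the members of those five roles with the AzureAD PowerShell module (Connect-AzureAD, Get-AzureADDirectoryRole, Get-AzureADDirectoryRoleMember) and flags assignments that contradict the descriptions. It assumes that module is installed, that the caller can read directory role membership, and that role display names match the names used on this page; the `$watch` table and the wording of the flags are this example's own choices.

```powershell
# Added example, not part of the original Microsoft documentation.
# Audits who holds the roles described in this section and flags assignments
# that contradict the role descriptions (user in an app-only role, non-user
# principal in a people-only role, anything at all in the sync-service role).
# Assumptions: AzureAD module installed; caller can read directory roles;
# role display names are the ones used on this page.

Connect-AzureAD | Out-Null

# Role display names from this page, with the audience the page says each role is for.
$watch = [ordered]@{
    'Conditional Access Administrator'   = 'people'   # creates, updates and deletes CA policies
    'Device Administrators'              = 'people'   # local admin on every Azure AD-joined device
    'Directory Readers'                  = 'apps'     # "not intended for users"
    'Directory Writers'                  = 'apps'     # "not intended for users"
    'Directory Synchronization Accounts' = 'service'  # "only used by Azure AD Connect"
}

# Get-AzureADDirectoryRole returns only roles that have been activated in the
# tenant; a role that has never been assigned is simply absent from the list.
$activeRoles = Get-AzureADDirectoryRole

$findings = foreach ($roleName in $watch.Keys) {
    $role = $activeRoles | Where-Object { $_.DisplayName -eq $roleName }
    if (-not $role) { continue }

    foreach ($member in Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId) {
        $issue = $null
        switch ($watch[$roleName]) {
            'apps'    { if ($member.ObjectType -eq 'User') { $issue = 'user holds a role meant for applications' } }
            'people'  { if ($member.ObjectType -ne 'User') { $issue = 'non-user principal holds a privileged role' } }
            'service' { $issue = 'reconcile against the known Azure AD Connect servers' }
        }
        [pscustomobject]@{
            Role       = $roleName
            Member     = $member.DisplayName
            ObjectType = $member.ObjectType
            Upn        = $member.UserPrincipalName   # $null for service principals
            Issue      = $issue
        }
    }
}

# Full inventory first, then only the rows that need a human decision.
$findings | Sort-Object Role, ObjectType | Format-Table -AutoSize
$findings | Where-Object { $_.Issue } | ForEach-Object {
    Write-Warning ("{0}: {1} [{2}] - {3}" -f $_.Role, $_.Member, $_.ObjectType, $_.Issue)
}
```

Run it from an account with read access to directory roles (Global Reader is enough for this section's roles) and keep the inventory it prints as a baseline; a diff against the previous run is the quickest way to spot a new Conditional Access Administrator or an unexpected second holder of the Directory Synchronization Accounts role.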

Exchange Service Administrator permissions

Can manage all aspects of the Exchange product.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

| Actions | Description |
| --- | --- |
| microsoft.directory/groups/unified/appRoleAssignments/update | Update groups.unified property in Azure Active Directory. |
| microsoft.directory/groups/unified/basic/update | Update basic properties of Office 365 Groups. |
| microsoft.directory/groups/unified/create | Create Office 365 Groups. |
| microsoft.directory/groups/unified/delete | Delete Office 365 Groups. |
| microsoft.directory/groups/unified/members/update | Update membership of Office 365 Groups. |
| microsoft.directory/groups/unified/owners/update | Update ownership of Office 365 Groups. |
| microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health. |
| microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets. |
| microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. |
| microsoft.office365.exchange/allEntities/allTasks | Manage all aspects of Exchange Online. |
| microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health. |
| microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets. |

External Identity Provider Administrator permissions

Configure identity providers for use in direct federation.

| Actions | Description |
| --- | --- |
| microsoft.aad.b2c/identityProviders/allTasks | Read and configure identity providers in Azure Active Directory B2C. |

Global Reader permissions

Can read everything that a Global Administrator can, but not edit anything. Read-only is not the same as low-risk: the list below includes strong authentication properties such as MFA credential information and all properties (including privileged ones) of sign-in reports, so review assignments of this role as carefully as those of a privileged role.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

| Actions | Description |
| --- | --- |
| microsoft.commerce.billing/allEntities/read | Read all aspects of Office 365 billing. |
| microsoft.directory/administrativeUnits/basic/read | Read basic properties on administrativeUnits in Azure Active Directory. |
| microsoft.directory/administrativeUnits/members/read | Read administrativeUnits.members property in Azure Active Directory. |
| microsoft.directory/applications/basic/read | Read basic properties on applications in Azure Active Directory. |
| microsoft.directory/applications/owners/read | Read applications.owners property in Azure Active Directory. |
| microsoft.directory/applications/policies/read | Read applications.policies property in Azure Active Directory. |
| microsoft.directory/contacts/basic/read | Read basic properties on contacts in Azure Active Directory. |
| microsoft.directory/contacts/memberOf/read | Read contacts.memberOf property in Azure Active Directory. |
| microsoft.directory/contracts/basic/read | Read basic properties on contracts in Azure Active Directory. |
| microsoft.directory/devices/basic/read | Read basic properties on devices in Azure Active Directory. |
| microsoft.directory/devices/memberOf/read | Read devices.memberOf property in Azure Active Directory. |
| microsoft.directory/devices/registeredOwners/read | Read devices.registeredOwners property in Azure Active Directory. |
| microsoft.directory/devices/registeredUsers/read | Read devices.registeredUsers property in Azure Active Directory. |
| microsoft.directory/directoryRoles/basic/read | Read basic properties on directoryRoles in Azure Active Directory. |
| microsoft.directory/directoryRoles/eligibleMembers/read | Read directoryRoles.eligibleMembers property in Azure Active Directory. |
| microsoft.directory/directoryRoles/members/read | Read directoryRoles.members property in Azure Active Directory. |
| microsoft.directory/domains/basic/read | Read basic properties on domains in Azure Active Directory. |
| microsoft.directory/groups/appRoleAssignments/read | Read groups.appRoleAssignments property in Azure Active Directory. |
| microsoft.directory/groups/basic/read | Read basic properties on groups in Azure Active Directory. |
| microsoft.directory/groups/hiddenMembers/read | Read groups.hiddenMembers property in Azure Active Directory. |
| microsoft.directory/groups/memberOf/read | Read groups.memberOf property in Azure Active Directory. |
| microsoft.directory/groups/members/read | Read groups.members property in Azure Active Directory. |
| microsoft.directory/groups/owners/read | Read groups.owners property in Azure Active Directory. |
| microsoft.directory/groups/settings/read | Read groups.settings property in Azure Active Directory. |
| microsoft.directory/groupSettings/basic/read | Read basic properties on groupSettings in Azure Active Directory. |
| microsoft.directory/groupSettingTemplates/basic/read | Read basic properties on groupSettingTemplates in Azure Active Directory. |
| microsoft.directory/oAuth2PermissionGrants/basic/read | Read basic properties on oAuth2PermissionGrants in Azure Active Directory. |
| microsoft.directory/organization/basic/read | Read basic properties on organization in Azure Active Directory. |
| microsoft.directory/organization/trustedCAsForPasswordlessAuth/read | Read organization.trustedCAsForPasswordlessAuth property in Azure Active Directory. |
| microsoft.directory/policies/standard/read | Read standard policies in Azure Active Directory. |
| microsoft.directory/roleAssignments/basic/read | Read basic properties on roleAssignments in Azure Active Directory. |
| microsoft.directory/roleDefinitions/basic/read | Read basic properties on roleDefinitions in Azure Active Directory. |
| microsoft.directory/servicePrincipals/appRoleAssignedTo/read | Read servicePrincipals.appRoleAssignedTo property in Azure Active Directory. |
| microsoft.directory/servicePrincipals/appRoleAssignments/read | Read servicePrincipals.appRoleAssignments property in Azure Active Directory. |
| microsoft.directory/servicePrincipals/basic/read | Read basic properties on servicePrincipals in Azure Active Directory. |
| microsoft.directory/servicePrincipals/memberOf/read | Read servicePrincipals.memberOf property in Azure Active Directory. |
| microsoft.directory/servicePrincipals/oAuth2PermissionGrants/basic/read | Read servicePrincipals.oAuth2PermissionGrants property in Azure Active Directory. |
| microsoft.directory/servicePrincipals/ownedObjects/read | Read servicePrincipals.ownedObjects property in Azure Active Directory. |
| microsoft.directory/servicePrincipals/owners/read | Read servicePrincipals.owners property in Azure Active Directory. |
| microsoft.directory/servicePrincipals/policies/read | Read servicePrincipals.policies property in Azure Active Directory. |
| microsoft.directory/signInReports/allProperties/read | Read all properties (including privileged properties) on signInReports in Azure Active Directory. |
| microsoft.directory/subscribedSkus/basic/read | Read basic properties on subscribedSkus in Azure Active Directory. |
| microsoft.directory/users/appRoleAssignments/read | Read users.appRoleAssignments property in Azure Active Directory. |
| microsoft.directory/users/basic/read | Read basic properties on users in Azure Active Directory. |
| microsoft.directory/users/directReports/read | Read users.directReports property in Azure Active Directory. |
| microsoft.directory/users/manager/read | Read users.manager property in Azure Active Directory. |
| microsoft.directory/users/memberOf/read | Read users.memberOf property in Azure Active Directory. |
| microsoft.directory/users/oAuth2PermissionGrants/basic/read | Read users.oAuth2PermissionGrants property in Azure Active Directory. |
| microsoft.directory/users/ownedDevices/read | Read users.ownedDevices property in Azure Active Directory. |
| microsoft.directory/users/ownedObjects/read | Read users.ownedObjects property in Azure Active Directory. |
| microsoft.directory/users/registeredDevices/read | Read users.registeredDevices property in Azure Active Directory. |
| microsoft.directory/users/strongAuthentication/read | Read strong authentication properties like MFA credential information. |
| microsoft.office365.exchange/allEntities/read | Read all aspects of Exchange Online. |
| microsoft.office365.messageCenter/messages/read | Read messages in microsoft.office365.messageCenter. |
| microsoft.office365.messageCenter/securityMessages/read | Read securityMessages in microsoft.office365.messageCenter. |
| microsoft.office365.protectionCenter/allEntities/read | Read all aspects of Office 365 Protection Center. |
| microsoft.office365.securityComplianceCenter/allEntities/read | Read all standard properties in microsoft.office365.securityComplianceCenter. |
| microsoft.office365.usageReports/allEntities/read | Read Office 365 usage reports. |
| microsoft.office365.webPortal/allEntities/standard/read | Read standard properties on all resources in microsoft.office365.webPortal. |

Group Administrator permissions

Can manage all aspects of groups and group settings, such as naming and expiration policies.

| Actions | Description |
| --- | --- |
| microsoft.directory/groups/basic/read | Read basic properties on groups in Azure Active Directory. |
| microsoft.directory/groups/basic/update | Update basic properties on groups in Azure Active Directory. |
| microsoft.directory/groups/create | Create groups in Azure Active Directory. |
| microsoft.directory/groups/createAsOwner | Create groups in Azure Active Directory. The creator is added as the first owner, and the created object counts against the creator's quota of 250 created objects. |
| microsoft.directory/groups/delete | Delete groups in Azure Active Directory. |
| microsoft.directory/groups/hiddenMembers/read | Read groups.hiddenMembers property in Azure Active Directory. |
| microsoft.directory/groups/members/update | Update groups.members property in Azure Active Directory. |
| microsoft.directory/groups/owners/update | Update groups.owners property in Azure Active Directory. |
| microsoft.directory/groups/restore | Restore groups in Azure Active Directory. |
| microsoft.directory/groups/settings/update | Update groups.settings property in Azure Active Directory. |
| microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health. |
| microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets. |
| microsoft.office365.messageCenter/messages/read | Read messages in microsoft.office365.messageCenter. |
| microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health. |
| microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets. |
| microsoft.office365.usageReports/allEntities/read | Read Office 365 usage reports. |

Guest Inviter permissions

Can invite guest users regardless of the "members can invite guests" setting.

| Actions | Description |
| --- | --- |
| microsoft.directory/users/appRoleAssignments/read | Read users.appRoleAssignments property in Azure Active Directory. |
| microsoft.directory/users/basic/read | Read basic properties on users in Azure Active Directory. |
| microsoft.directory/users/directReports/read | Read users.directReports property in Azure Active Directory. |
| microsoft.directory/users/inviteGuest | Invite guest users in Azure Active Directory. |
| microsoft.directory/users/manager/read | Read users.manager property in Azure Active Directory. |
| microsoft.directory/users/memberOf/read | Read users.memberOf property in Azure Active Directory. |
| microsoft.directory/users/oAuth2PermissionGrants/basic/read | Read users.oAuth2PermissionGrants property in Azure Active Directory. |
| microsoft.directory/users/ownedDevices/read | Read users.ownedDevices property in Azure Active Directory. |
| microsoft.directory/users/ownedObjects/read | Read users.ownedObjects property in Azure Active Directory. |
| microsoft.directory/users/registeredDevices/read | Read users.registeredDevices property in Azure Active Directory. |

Helpdesk Administrator permissions

Can reset passwords for non-administrators and Helpdesk Administrators. Password reset and refresh-token invalidation are account-takeover capabilities, and reading BitLocker recovery keys exposes device data, so holders of this role need the same scrutiny as other privileged accounts even though the role cannot touch administrators.

| Actions | Description |
| --- | --- |
| microsoft.directory/devices/bitLockerRecoveryKeys/read | Read devices.bitLockerRecoveryKeys property in Azure Active Directory. |
| microsoft.directory/users/invalidateAllRefreshTokens | Invalidate all user refresh tokens in Azure Active Directory. |
| microsoft.directory/users/password/update | Update passwords for users in Azure Active Directory; the effective scope is the one given in the role description (non-administrators and Helpdesk Administrators). See the online documentation for details. |
| microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health. |
| microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets. |
| microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. |
| microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health. |
| microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets. |
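
The permission tables for Global Reader, Group Administrator, Guest Inviter, Helpdesk Administrator and License Administrator are the raw material for a least-privilege decision: given the actions a task needs, which built-in role grants them with the fewest write actions, and which "read-only" or "helpdesk" roles still carry actions an attacker would want? The following Python script is an added example for this page, not code from Microsoft's documentation or tooling. Its role-to-action map is a constructed subset copied from the tables on this page (not a live export; a real review would pull role definitions from the directory), the sample assignments are invented, and the PRIVILEGED_ACTIONS list is this example's own judgement about which actions deserve privileged-role handling.

```python
"""Least-privilege role selection over Azure AD built-in role action lists.
Added example for this page, not Microsoft documentation code. ROLE_ACTIONS is a
constructed subset of the permission tables above, SAMPLE_ASSIGNMENTS is invented
and PRIVILEGED_ACTIONS is this example's own classification."""
from typing import Iterable

ROLE_ACTIONS: dict[str, frozenset[str]] = {
    "Global Reader": frozenset({
        "microsoft.directory/users/basic/read",
        "microsoft.directory/users/memberOf/read",
        "microsoft.directory/users/strongAuthentication/read",
        "microsoft.directory/groups/members/read",
        "microsoft.directory/directoryRoles/members/read",
        "microsoft.directory/signInReports/allProperties/read",
    }),
    "Group Administrator": frozenset({
        "microsoft.directory/groups/basic/update",
        "microsoft.directory/groups/create",
        "microsoft.directory/groups/delete",
        "microsoft.directory/groups/members/update",
        "microsoft.directory/groups/owners/update",
        "microsoft.directory/groups/settings/update",
        "microsoft.azure.serviceHealth/allEntities/allTasks",
        "microsoft.azure.supportTickets/allEntities/allTasks",
        "microsoft.office365.serviceHealth/allEntities/allTasks",
        "microsoft.office365.supportTickets/allEntities/allTasks",
    }),
    "Guest Inviter": frozenset({
        "microsoft.directory/users/basic/read",
        "microsoft.directory/users/inviteGuest",
        "microsoft.directory/users/manager/read",
        "microsoft.directory/users/memberOf/read",
    }),
    "Helpdesk Administrator": frozenset({
        "microsoft.directory/devices/bitLockerRecoveryKeys/read",
        "microsoft.directory/users/invalidateAllRefreshTokens",
        "microsoft.directory/users/password/update",
        "microsoft.azure.serviceHealth/allEntities/allTasks",
        "microsoft.azure.supportTickets/allEntities/allTasks",
        "microsoft.office365.webPortal/allEntities/basic/read",
        "microsoft.office365.serviceHealth/allEntities/allTasks",
        "microsoft.office365.supportTickets/allEntities/allTasks",
    }),
    "License Administrator": frozenset({
        "microsoft.directory/users/assignLicense",
        "microsoft.directory/users/usageLocation/update",
        "microsoft.azure.serviceHealth/allEntities/allTasks",
        "microsoft.office365.webPortal/allEntities/basic/read",
        "microsoft.office365.serviceHealth/allEntities/allTasks",
    }),
}

# Actions whose abuse yields account takeover, recovery or credential material,
# or silent privilege growth. This example's assumption, not a Microsoft list.
PRIVILEGED_ACTIONS: frozenset[str] = frozenset({
    "microsoft.directory/users/password/update",
    "microsoft.directory/users/invalidateAllRefreshTokens",
    "microsoft.directory/devices/bitLockerRecoveryKeys/read",
    "microsoft.directory/users/strongAuthentication/read",
    "microsoft.directory/groups/owners/update",
})


def is_write(action: str) -> bool:
    """Only a '/read' leaf is read-only; create, update, delete, restore, allTasks,
    inviteGuest, assignLicense and token invalidation all change state."""
    return not action.endswith("/read")


def write_actions(role: str) -> list[str]:
    return sorted(a for a in ROLE_ACTIONS[role] if is_write(a))


def privileged_actions(role: str) -> list[str]:
    return sorted(ROLE_ACTIONS[role] & PRIVILEGED_ACTIONS)


def roles_covering(required: Iterable[str]) -> list[str]:
    """Built-in roles granting every required action, least privileged first:
    fewest write actions, then fewest actions overall, then name. Matching is
    exact; the wildcard meaning of '.../allEntities/allTasks' is not modelled.
    An empty result means no single built-in role fits and the task should be
    split across roles or given a custom role."""
    need = frozenset(required)
    fits = [r for r, acts in ROLE_ACTIONS.items() if need <= acts]
    return sorted(fits, key=lambda r: (len(write_actions(r)), len(ROLE_ACTIONS[r]), r))


def assignment_findings(assignments: Iterable[tuple[str, str]]) -> list[tuple[str, str, str]]:
    """One (principal, role, action) finding per privileged action a role grants,
    so a review of role holders shows why a read-only or helpdesk role matters."""
    return sorted((who, role, act)
                  for who, role in assignments
                  for act in privileged_actions(role))


# Constructed sample assignments; these are not real accounts.
SAMPLE_ASSIGNMENTS = [
    ("alice@contoso.example", "Global Reader"),
    ("svc-helpdesk@contoso.example", "Helpdesk Administrator"),
    ("bob@contoso.example", "Guest Inviter"),
]
```

Run `roles_covering(["microsoft.office365.serviceHealth/allEntities/allTasks"])` and the answer is License Administrator before Helpdesk Administrator before Group Administrator, because the ranking counts write actions rather than trusting role names; `roles_covering(["microsoft.directory/users/basic/read", "microsoft.directory/users/password/update"])` returns an empty list, the signal that the combination wants two assignments or a custom role rather than a broader built-in one. `assignment_findings(SAMPLE_ASSIGNMENTS)` flags the Global Reader holder for MFA credential read access and the Helpdesk Administrator for password reset, token invalidation and BitLocker key read, while the Guest Inviter produces no finding.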

Intune Service Administrator permissions

Can manage all aspects of the Intune product.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

| Actions | Description |
| --- | --- |
| microsoft.directory/contacts/basic/update | Update basic properties on contacts in Azure Active Directory. |
| microsoft.directory/contacts/create | Create contacts in Azure Active Directory. |
| microsoft.directory/contacts/delete | Delete contacts in Azure Active Directory. |
| microsoft.directory/devices/basic/update | Update basic properties on devices in Azure Active Directory. |
| microsoft.directory/devices/bitLockerRecoveryKeys/read | Read devices.bitLockerRecoveryKeys property in Azure Active Directory. |
| microsoft.directory/devices/create | Create devices in Azure Active Directory. |
| microsoft.directory/devices/delete | Delete devices in Azure Active Directory. |
| microsoft.directory/devices/registeredOwners/update | Update devices.registeredOwners property in Azure Active Directory. |
| microsoft.directory/devices/registeredUsers/update | Update devices.registeredUsers property in Azure Active Directory. |
| microsoft.directory/groups/appRoleAssignments/update | Update groups.appRoleAssignments property in Azure Active Directory. |
| microsoft.directory/groups/basic/update | Update basic properties on groups in Azure Active Directory. |
| microsoft.directory/groups/create | Create groups in Azure Active Directory. |
| microsoft.directory/groups/createAsOwner | Create groups in Azure Active Directory. The creator is added as the first owner, and the created object counts against the creator's quota of 250 created objects. |
| microsoft.directory/groups/delete | Delete groups in Azure Active Directory. |
| microsoft.directory/groups/hiddenMembers/read | Read groups.hiddenMembers property in Azure Active Directory. |
| microsoft.directory/groups/members/update | Update groups.members property in Azure Active Directory. |
| microsoft.directory/groups/owners/update | Update groups.owners property in Azure Active Directory. |
| microsoft.directory/groups/restore | Restore groups in Azure Active Directory. |
| microsoft.directory/groups/settings/update | Update groups.settings property in Azure Active Directory. |
| microsoft.directory/users/appRoleAssignments/update | Update users.appRoleAssignments property in Azure Active Directory. |
| microsoft.directory/users/basic/update | Update basic properties on users in Azure Active Directory. |
| microsoft.directory/users/manager/update | Update users.manager property in Azure Active Directory. |
| microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets. |
| microsoft.intune/allEntities/allTasks | Manage all aspects of Intune. |
| microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets. |
| microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. |

Kaizala Administrator permissions

Can manage settings for Microsoft Kaizala.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

| Actions | Description |
| --- | --- |
| microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health. |
| microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets. |
| microsoft.office365.webPortal/allEntities/basic/read | Read the Office 365 admin center. |

License Administrator permissions

Can manage product licenses on users and groups.

| Actions | Description |
| --- | --- |
| microsoft.directory/users/assignLicense | Manage licenses on users in Azure Active Directory. |
| microsoft.directory/users/usageLocation/update | Update users.usageLocation property in Azure Active Directory. |
| microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health. |
| microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. |
| microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health. |

Lync Service Administrator permissions

Can manage all aspects of the Skype for Business product.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

| Actions | Description |
| --- | --- |
| microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health. |
| microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets. |
| microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. |
| microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health. |
| microsoft.office365.skypeForBusiness/allEntities/allTasks | Manage all aspects of Skype for Business Online. |
| microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets. |

Message Center Privacy Reader permissions

Can read Message Center posts, data privacy messages, groups, domains and subscriptions.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

| Actions | Description |
| --- | --- |
| microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. |
| microsoft.office365.messageCenter/messages/read | Read messages in microsoft.office365.messageCenter. |
| microsoft.office365.messageCenter/securityMessages/read | Read securityMessages in microsoft.office365.messageCenter. |

Message Center Reader permissions

Can read messages and updates for their organization in the Office 365 Message Center only.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

| Actions | Description |
| --- | --- |
| microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. |
| microsoft.office365.messageCenter/messages/read | Read messages in microsoft.office365.messageCenter. |

Office Apps Administrator permissions

Can manage the cloud services of the Office apps, including policy and settings management, and can select, unselect and publish "What's New" feature content to end-user devices.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

| Actions | Description |
| --- | --- |
| microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health. |
| microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets. |
| microsoft.office365.messageCenter/messages/read | Read messages in microsoft.office365.messageCenter. |
| microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health. |
| microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets. |
| microsoft.office365.usageReports/allEntities/read | Read Office 365 usage reports. |
| microsoft.office365.userCommunication/allEntities/allTasks | Read and update the visibility of What's New messages. |
| microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. |

Partner Tier1 Support permissions

Do not use - not intended for general use.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see role description above.

Actions | Description
microsoft.directory/contacts/basic/update | Update basic properties on contacts in Azure Active Directory.
microsoft.directory/contacts/create | Create contacts in Azure Active Directory.
microsoft.directory/contacts/delete | Delete contacts in Azure Active Directory.
microsoft.directory/groups/create | Create groups in Azure Active Directory.
microsoft.directory/groups/createAsOwner | Create groups in Azure Active Directory. Creator is added as the first owner, and the created object counts against the creator's 250 created objects quota.
microsoft.directory/groups/members/update | Update groups.members property in Azure Active Directory.
microsoft.directory/groups/owners/update | Update groups.owners property in Azure Active Directory.
microsoft.directory/users/appRoleAssignments/update | Update users.appRoleAssignments property in Azure Active Directory.
microsoft.directory/users/assignLicense | Manage licenses on users in Azure Active Directory.
microsoft.directory/users/basic/update | Update basic properties on users in Azure Active Directory.
microsoft.directory/users/delete | Delete users in Azure Active Directory.
microsoft.directory/users/invalidateAllRefreshTokens | Invalidate all user refresh tokens in Azure Active Directory.
microsoft.directory/users/manager/update | Update users.manager property in Azure Active Directory.
microsoft.directory/users/password/update | Update passwords for all users in Azure Active Directory. See online documentation for more detail.
microsoft.directory/users/restore | Restore deleted users in Azure Active Directory.
microsoft.directory/users/userPrincipalName/update | Update users.userPrincipalName property in Azure Active Directory.
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets.
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health.
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets.

Partner Tier2 Support permissions

Do not use - not intended for general use.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see role description above.

Actions | Description
microsoft.directory/contacts/basic/update | Update basic properties on contacts in Azure Active Directory.
microsoft.directory/contacts/create | Create contacts in Azure Active Directory.
microsoft.directory/contacts/delete | Delete contacts in Azure Active Directory.
microsoft.directory/domains/allTasks | Create and delete domains, and read and update standard properties in Azure Active Directory.
microsoft.directory/groups/create | Create groups in Azure Active Directory.
microsoft.directory/groups/delete | Delete groups in Azure Active Directory.
microsoft.directory/groups/members/update | Update groups.members property in Azure Active Directory.
microsoft.directory/groups/restore | Restore groups in Azure Active Directory.
microsoft.directory/organization/basic/update | Update basic properties on organization in Azure Active Directory.
microsoft.directory/users/appRoleAssignments/update | Update users.appRoleAssignments property in Azure Active Directory.
microsoft.directory/users/assignLicense | Manage licenses on users in Azure Active Directory.
microsoft.directory/users/basic/update | Update basic properties on users in Azure Active Directory.
microsoft.directory/users/delete | Delete users in Azure Active Directory.
microsoft.directory/users/invalidateAllRefreshTokens | Invalidate all user refresh tokens in Azure Active Directory.
microsoft.directory/users/manager/update | Update users.manager property in Azure Active Directory.
microsoft.directory/users/password/update | Update passwords for all users in Azure Active Directory. See online documentation for more detail.
microsoft.directory/users/restore | Restore deleted users in Azure Active Directory.
microsoft.directory/users/userPrincipalName/update | Update users.userPrincipalName property in Azure Active Directory.
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets.
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health.
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets.

Password Administrator permissions

Can reset passwords for non-administrators and Password administrators.

Actions | Description
microsoft.directory/users/password/update | Update passwords for all users in Azure Active Directory. See online documentation for more detail.
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.

Power BI Service Administrator permissions

Can manage all aspects of the Power BI product.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see role description above.

Actions | Description
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets.
microsoft.powerApps.powerBI/allEntities/allTasks | Manage all aspects of Power BI.
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health.
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets.

Power Platform Administrator permissions

Can create and manage all aspects of Microsoft Dynamics 365, PowerApps and Microsoft Flow.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see role description above.

Actions | Description
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets.
microsoft.dynamics365/allEntities/allTasks | Manage all aspects of Dynamics 365.
microsoft.flow/allEntities/allTasks | Manage all aspects of Microsoft Flow.
microsoft.powerApps/allEntities/allTasks | Manage all aspects of PowerApps.
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health.
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets.

Privileged Authentication Administrator permissions

Allowed to view, set and reset authentication method information for any user (admin or non-admin).

Actions | Description
microsoft.directory/users/invalidateAllRefreshTokens | Invalidate all user refresh tokens in Azure Active Directory.
microsoft.directory/users/strongAuthentication/update | Update strong authentication properties like MFA credential information.
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets.
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health.
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets.
microsoft.directory/users/password/update | Update passwords for all users in the Office 365 organization. See online documentation for more detail.

Privileged Role Administrator permissions

Can manage role assignments in Azure AD, and all aspects of Privileged Identity Management.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see role description above.

Actions | Description
microsoft.aad.privilegedIdentityManagement/allEntities/allTasks | Create and delete all resources, and read and update standard properties in microsoft.aad.privilegedIdentityManagement.
microsoft.directory/servicePrincipals/appRoleAssignedTo/allTasks | Read and configure servicePrincipals.appRoleAssignedTo property in Azure Active Directory.
microsoft.directory/servicePrincipals/oAuth2PermissionGrants/allTasks | Read and configure servicePrincipals.oAuth2PermissionGrants property in Azure Active Directory.
microsoft.directory/administrativeUnits/allProperties/allTasks | Create and manage administrative units (including members).
microsoft.directory/roleAssignments/allProperties/allTasks | Create and manage role assignments.
microsoft.directory/roleDefinitions/allProperties/allTasks | Create and manage role definitions.

Reports Reader permissions

Can read sign-in and audit reports.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see role description above.

Actions | Description
microsoft.directory/auditLogs/allProperties/read | Read all properties (including privileged properties) on auditLogs in Azure Active Directory.
microsoft.directory/signInReports/allProperties/read | Read all properties (including privileged properties) on signInReports in Azure Active Directory.
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
microsoft.office365.usageReports/allEntities/read | Read Office 365 usage reports.

Search Administrator permissions

Can create and manage all aspects of Microsoft Search settings.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see role description above.

Actions | Description
microsoft.office365.messageCenter/messages/read | Read messages in microsoft.office365.messageCenter.
microsoft.office365.search/allEntities/allProperties/allTasks | Create and delete all resources, and read and update all properties in microsoft.office365.search.
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health.
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets.
microsoft.office365.usageReports/allEntities/read | Read Office 365 usage reports.
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.

Search Editor permissions

Can create and manage editorial content such as bookmarks, Q&As, locations and floor plans.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see role description above.

Actions | Description
microsoft.office365.messageCenter/messages/read | Read messages in microsoft.office365.messageCenter.
microsoft.office365.search/content/allProperties/allTasks | Create and delete content, and read and update all properties in microsoft.office365.search.
microsoft.office365.usageReports/allEntities/read | Read Office 365 usage reports.

Security Administrator permissions

Can read security information and reports, and manage configuration in Azure AD and Office 365.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see role description above.

Actions | Description
microsoft.directory/applications/policies/update | Update applications.policies property in Azure Active Directory.
microsoft.directory/auditLogs/allProperties/read | Read all properties (including privileged properties) on auditLogs in Azure Active Directory.
microsoft.directory/devices/bitLockerRecoveryKeys/read | Read devices.bitLockerRecoveryKeys property in Azure Active Directory.
microsoft.directory/policies/basic/update | Update basic properties on policies in Azure Active Directory.
microsoft.directory/policies/create | Create policies in Azure Active Directory.
microsoft.directory/policies/delete | Delete policies in Azure Active Directory.
microsoft.directory/policies/owners/update | Update policies.owners property in Azure Active Directory.
microsoft.directory/policies/tenantDefault/update | Update policies.tenantDefault property in Azure Active Directory.
microsoft.directory/servicePrincipals/policies/update | Update servicePrincipals.policies property in Azure Active Directory.
microsoft.directory/signInReports/allProperties/read | Read all properties (including privileged properties) on signInReports in Azure Active Directory.
microsoft.aad.identityProtection/allEntities/read | Read all resources in microsoft.aad.identityProtection.
microsoft.aad.identityProtection/allEntities/update | Update all resources in microsoft.aad.identityProtection.
microsoft.aad.privilegedIdentityManagement/allEntities/read | Read all resources in microsoft.aad.privilegedIdentityManagement.
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.
microsoft.office365.protectionCenter/allEntities/read | Read all aspects of Office 365 Protection Center.
microsoft.office365.protectionCenter/allEntities/update | Update all resources in microsoft.office365.protectionCenter.
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health.

Security Operator permissions

Creates and manages security events.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see role description above.

Actions | Description
microsoft.aad.cloudAppSecurity/allEntities/allTasks | Read and configure Microsoft Cloud App Security.
microsoft.aad.identityProtection/allEntities/read | Read all resources in microsoft.aad.identityProtection.
microsoft.aad.privilegedIdentityManagement/allEntities/read | Read all resources in microsoft.aad.privilegedIdentityManagement.
microsoft.azure.advancedThreatProtection/allEntities/read | Read and configure Azure AD Advanced Threat Protection.
microsoft.intune/allEntities/allTasks | Manage all aspects of Intune.
microsoft.office365.securityComplianceCenter/allEntities/allTasks | Read and configure Security & Compliance Center.
microsoft.office365.usageReports/allEntities/read | Read Office 365 usage reports.
microsoft.windows.defenderAdvancedThreatProtection/allEntities/read | Read and configure Windows Defender Advanced Threat Protection.

Security Reader permissions

Can read security information and reports in Azure AD and Office 365.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see role description above.

Actions | Description
microsoft.directory/auditLogs/allProperties/read | Read all properties (including privileged properties) on auditLogs in Azure Active Directory.
microsoft.directory/devices/bitLockerRecoveryKeys/read | Read devices.bitLockerRecoveryKeys property in Azure Active Directory.
microsoft.directory/signInReports/allProperties/read | Read all properties (including privileged properties) on signInReports in Azure Active Directory.
microsoft.aad.identityProtection/allEntities/read | Read all resources in microsoft.aad.identityProtection.
microsoft.aad.privilegedIdentityManagement/allEntities/read | Read all resources in microsoft.aad.privilegedIdentityManagement.
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.
microsoft.office365.protectionCenter/allEntities/read | Read all aspects of Office 365 Protection Center.
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health.

Service Support Administrator permissions

Can read service health information and manage support tickets.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see role description above.

Actions | Description
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets.
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health.
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets.

SharePoint Service Administrator permissions

Can manage all aspects of the SharePoint service.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see role description above.

Actions | Description
microsoft.directory/groups/unified/appRoleAssignments/update | Update groups.unified property in Azure Active Directory.
microsoft.directory/groups/unified/basic/update | Update basic properties of Office 365 Groups.
microsoft.directory/groups/unified/create | Create Office 365 Groups.
microsoft.directory/groups/unified/delete | Delete Office 365 Groups.
microsoft.directory/groups/unified/members/update | Update membership of Office 365 Groups.
microsoft.directory/groups/unified/owners/update | Update ownership of Office 365 Groups.
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets.
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health.
microsoft.office365.sharepoint/allEntities/allTasks | Create and delete all resources, and read and update standard properties in microsoft.office365.sharepoint.
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets.

Teams Communications Administrator permissions

Can manage calling and meetings features within the Microsoft Teams service.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see role description above.

Actions | Description
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets.
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health.
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets.
microsoft.office365.usageReports/allEntities/read | Read Office 365 usage reports.

Teams Communications Support Engineer permissions

Can troubleshoot communications issues within Teams using advanced tools.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

| Actions | Description |
| --- | --- |
| microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health. |
| microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. |
| microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health. |

Teams Communications Support Specialist permissions

Can troubleshoot communications issues within Teams using basic tools.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

| Actions | Description |
| --- | --- |
| microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health. |
| microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. |
| microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health. |

Teams Service Administrator permissions

Can manage the Microsoft Teams service.

Note

This role has additional permissions outside of Azure Active Directory. For more information, see the role description above.

| Actions | Description |
| --- | --- |
| microsoft.directory/groups/hiddenMembers/read | Read the groups.hiddenMembers property in Azure Active Directory. |
| microsoft.directory/groups/unified/appRoleAssignments/update | Update the groups.unified property in Azure Active Directory. |
| microsoft.directory/groups/unified/basic/update | Update basic properties of Office 365 Groups. |
| microsoft.directory/groups/unified/create | Create Office 365 Groups. |
| microsoft.directory/groups/unified/delete | Delete Office 365 Groups. |
| microsoft.directory/groups/unified/members/update | Update membership of Office 365 Groups. |
| microsoft.directory/groups/unified/owners/update | Update ownership of Office 365 Groups. |
| microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health. |
| microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets. |
| microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. |
| microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health. |
| microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets. |
| microsoft.office365.usageReports/allEntities/read | Read Office 365 usage reports. |

User Administrator permissions

Can manage all aspects of users and groups, including resetting passwords for limited admins.

| Actions | Description |
| --- | --- |
| microsoft.directory/appRoleAssignments/create | Create appRoleAssignments in Azure Active Directory. |
| microsoft.directory/appRoleAssignments/delete | Delete appRoleAssignments in Azure Active Directory. |
| microsoft.directory/appRoleAssignments/update | Update appRoleAssignments in Azure Active Directory. |
| microsoft.directory/contacts/basic/update | Update basic properties on contacts in Azure Active Directory. |
| microsoft.directory/contacts/create | Create contacts in Azure Active Directory. |
| microsoft.directory/contacts/delete | Delete contacts in Azure Active Directory. |
| microsoft.directory/groups/appRoleAssignments/update | Update the groups.appRoleAssignments property in Azure Active Directory. |
| microsoft.directory/groups/basic/update | Update basic properties on groups in Azure Active Directory. |
| microsoft.directory/groups/create | Create groups in Azure Active Directory. |
| microsoft.directory/groups/createAsOwner | Create groups in Azure Active Directory. The creator is added as the first owner, and the created object counts against the creator's 250 created objects quota. |
| microsoft.directory/groups/delete | Delete groups in Azure Active Directory. |
| microsoft.directory/groups/hiddenMembers/read | Read the groups.hiddenMembers property in Azure Active Directory. |
| microsoft.directory/groups/members/update | Update the groups.members property in Azure Active Directory. |
| microsoft.directory/groups/owners/update | Update the groups.owners property in Azure Active Directory. |
| microsoft.directory/groups/restore | Restore groups in Azure Active Directory. |
| microsoft.directory/groups/settings/update | Update the groups.settings property in Azure Active Directory. |
| microsoft.directory/users/appRoleAssignments/update | Update the users.appRoleAssignments property in Azure Active Directory. |
| microsoft.directory/users/assignLicense | Manage licenses on users in Azure Active Directory. |
| microsoft.directory/users/basic/update | Update basic properties on users in Azure Active Directory. |
| microsoft.directory/users/create | Create users in Azure Active Directory. |
| microsoft.directory/users/delete | Delete users in Azure Active Directory. |
| microsoft.directory/users/invalidateAllRefreshTokens | Invalidate all user refresh tokens in Azure Active Directory. |
| microsoft.directory/users/manager/update | Update the users.manager property in Azure Active Directory. |
| microsoft.directory/users/password/update | Update passwords for all users in Azure Active Directory. See the online documentation for more detail. |
| microsoft.directory/users/restore | Restore deleted users in Azure Active Directory. |
| microsoft.directory/users/userPrincipalName/update | Update the users.userPrincipalName property in Azure Active Directory. |
| microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health. |
| microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets. |
| microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. |
| microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health. |
| microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets. |

Role template IDs

Role template IDs are used mainly by Graph API or PowerShell users.

| Graph displayName | Azure portal display name | directoryRoleTemplateId |
| --- | --- | --- |
| Application Administrator | Application administrator | 9B895D92-2CD3-44C7-9D02-A6AC2D5EA5C3 |
| Application Developer | Application developer | CF1C38E5-3621-4004-A7CB-879624DCED7C |
| Authentication Administrator | Authentication administrator | c4e39bd9-1100-46d3-8c65-fb160da0071f |
| Azure DevOps Administrator | Azure DevOps administrator | e3973bdf-4987-49ae-837a-ba8e231c7286 |
| Azure Information Protection Administrator | Azure Information Protection administrator | 7495fdc4-34c4-4d15-a289-98788ce399fd |
| B2C User flow Administrator | B2C User flow Administrator | 6e591065-9bad-43ed-90f3-e9424366d2f0 |
| B2C User Flow Attribute Administrator | B2C User Flow Attribute Administrator | 0f971eea-41eb-4569-a71e-57bb8a3eff1e |
| B2C IEF Keyset Administrator | B2C IEF Keyset Administrator | aaf43236-0c0d-4d5f-883a-6955382ac081 |
| B2C IEF Policy Administrator | B2C IEF Policy Administrator | 3edaf663-341e-4475-9f94-5c398ef6c070 |
| Billing Administrator | Billing administrator | b0f54661-2d74-4c50-afa3-1ec803f12efe |
| Cloud Application Administrator | Cloud application administrator | 158c047a-c907-4556-b7ef-446551a6b5f7 |
| Cloud Device Administrator | Cloud device administrator | 7698a772-787b-4ac8-901f-60d6b08affd2 |
| Company Administrator | Global administrator | 62e90394-69f5-4237-9190-012177145e10 |
| Compliance Administrator | Compliance administrator | 17315797-102d-40b4-93e0-432062caca18 |
| Compliance Data Administrator | Compliance data administrator | e6d1a23a-da11-4be4-9570-befc86d067a7 |
| Conditional Access Administrator | Conditional Access administrator | b1be1c3e-b65d-4f19-8427-f6fa0d97feb9 |
| CRM Service Administrator | Dynamics 365 administrator | 44367163-eba1-44c3-98af-f5787879f96a |
| Customer LockBox Access Approver | Customer Lockbox access approver | 5c4f9dcd-47dc-4cf7-8c9a-9e4207cbfc91 |
| Desktop Analytics Administrator | Desktop Analytics Administrator | 38a96431-2bdf-4b4c-8b6e-5d3d8abac1a4 |
| Device Administrators | Device administrators | 9f06204d-73c1-4d4c-880a-6edb90606fd8 |
| Device Join | Device join | 9c094953-4995-41c8-84c8-3ebb9b32c93f |
| Device Managers | Device managers | 2b499bcd-da44-4968-8aec-78e1674fa64d |
| Device Users | Device users | d405c6df-0af8-4e3b-95e4-4d06e542189e |
| Directory Readers | Directory readers | 88d8e3e3-8f55-4a1e-953a-9b9898b8876b |
| Directory Synchronization Accounts | Directory synchronization accounts | d29b2b05-8046-44ba-8758-1e26182fcf32 |
| Directory Writers | Directory writers | 9360feb5-f418-4baa-8175-e2a00bac4301 |
| Exchange Service Administrator | Exchange administrator | 29232cdf-9323-42fd-ade2-1d097af3e4de |
| External Identity Provider Administrator | External Identity Provider Administrator | be2f45a1-457d-42af-a067-6ec1fa63bc45 |
| Global Reader | Global reader | f2ef992c-3afb-46b9-b7cf-a126ee74c451 |
| Group Administrator | Group administrator | fdd7a751-b60b-444a-984c-02652fe8fa1c |
| Guest Inviter | Guest inviter | 95e79109-95c0-4d8e-aee3-d01accf2d47b |
| Helpdesk Administrator | Password administrator | 729827e3-9c14-49f7-bb1b-9608f156bbb8 |
| Intune Service Administrator | Intune administrator | 3a2c62db-5318-420d-8d74-23affee5d9d5 |
| Kaizala Administrator | Kaizala administrator | 74ef975b-6605-40af-a5d2-b9539d836353 |
| License Administrator | License administrator | 4d6ac14f-3453-41d0-bef9-a3e0c569773a |
| Lync Service Administrator | Skype for Business administrator | 75941009-915a-4869-abe7-691bff18279e |
| Message Center Privacy Reader | Message center privacy reader | ac16e43d-7b2d-40e0-ac05-243ff356ab5b |
| Message Center Reader | Message center reader | 790c1fb9-7f7d-4f88-86a1-ef1f95c05c1b |
| Office Apps Administrator | Office apps administrator | 2b745bdf-0803-4d80-aa65-822c4493daac |
| Partner Tier1 Support | Partner tier1 support | 4ba39ca4-527c-499a-b93d-d9b492c50246 |
| Partner Tier2 Support | Partner tier2 support | e00e864a-17c5-4a4b-9c06-f5b95a8d5bd8 |
| Password Administrator | Password administrator | 966707d0-3269-4727-9be2-8c3a10f19b9d |
| Power BI Service Administrator | Power BI administrator | a9ea8996-122f-4c74-9520-8edcd192826c |
| Power Platform Administrator | Power platform administrator | 11648597-926c-4cf3-9c36-bcebb0ba8dcc |
| Privileged Authentication Administrator | Privileged authentication administrator | 7be44c8a-adaf-4e2a-84d6-ab2649e08a13 |
| Privileged Role Administrator | Privileged role administrator | e8611ab8-c189-46e8-94e1-60213ab1f814 |
| Reports Reader | Reports reader | 4a5d8f65-41da-4de4-8968-e035b65339cf |
| Search Administrator | Search administrator | 0964bb5e-9bdb-4d7b-ac29-58e794862a40 |
| Search Editor | Search editor | 8835291a-918c-4fd7-a9ce-faa49f0cf7d9 |
| Security Administrator | Security administrator | 194ae4cb-b126-40b2-bd5b-6091b380977d |
| Security Operator | Security operator | 5f2222b1-57c3-48ba-8ad5-d4759f1fde6f |
| Security Reader | Security reader | 5d6b6bb7-de71-4623-b4af-96380a352509 |
| Service Support Administrator | Service administrator | f023fd81-a637-4b56-95fd-791ac0226033 |
| SharePoint Service Administrator | SharePoint administrator | f28a1f50-f6e7-4571-818b-6a12f2af6b6c |
| Teams Communications Administrator | Teams Communications Administrator | baf37b3a-610e-45da-9e62-d9d1e5e8914b |
| Teams Communications Support Engineer | Teams Communications Support Engineer | f70938a0-fc10-4177-9e90-2178f8765737 |
| Teams Communications Support Specialist | Teams Communications Support Specialist | fcf91098-03e3-41a9-b5ba-6f0ec8188a12 |
| Teams Service Administrator | Teams Service Administrator | 69091246-20e8-4a56-aa4d-066075b2a7a8 |
| User | User | a0b1b346-4d3e-4e8b-98f8-753987be4970 |
| User Account Administrator | User administrator | fe930be7-5e62-47db-91af-98c3a49a38b1 |
| Workplace Device Join | Workplace device join | c34f683f-4d5a-4403-affd-6615e00e3a7f |

Deprecated roles

The following roles should not be used. They have been deprecated and will be removed from Azure AD in the future.

  • AdHoc License Administrator
  • Device Join
  • Device Managers
  • Device Users
  • Email Verified User Creator
  • Mailbox Administrator
  • Workplace Device Join
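
The role template IDs above are what a PowerShell or Graph caller uses to find a role regardless of its portal display name. The script below is an added example, not code from this page or from Microsoft; it assumes the AzureAD PowerShell module is installed and that Connect-AzureAD has already been run as an account that can read directory roles. It reviews the membership of a few of the high-privilege roles listed in the table (template IDs copied from the table), warns when the Global administrator count reaches the "fewer than 5" guidance given earlier on this page, and warns about any role from the deprecated list that is still activated in the tenant. The role selection and the thresholds are the example's own choices.

```powershell
# Added example (not part of the Microsoft page): audit high-privilege Azure AD
# role membership by role template ID and flag activated deprecated roles.
# Assumes the AzureAD module is installed and Connect-AzureAD has been run.

# Template IDs are taken from the role template table on this page.
$watchedRoles = [ordered]@{
    '62e90394-69f5-4237-9190-012177145e10' = 'Global administrator (Graph: Company Administrator)'
    'e8611ab8-c189-46e8-94e1-60213ab1f814' = 'Privileged role administrator'
    '7be44c8a-adaf-4e2a-84d6-ab2649e08a13' = 'Privileged authentication administrator'
    'fe930be7-5e62-47db-91af-98c3a49a38b1' = 'User administrator (Graph: User Account Administrator)'
}

# Deprecated roles whose template IDs appear in the table above.
$deprecatedRoles = @{
    '9c094953-4995-41c8-84c8-3ebb9b32c93f' = 'Device Join'
    '2b499bcd-da44-4968-8aec-78e1674fa64d' = 'Device Managers'
    'd405c6df-0af8-4e3b-95e4-4d06e542189e' = 'Device Users'
    'c34f683f-4d5a-4403-affd-6615e00e3a7f' = 'Workplace Device Join'
}

$globalAdminTemplate = '62e90394-69f5-4237-9190-012177145e10'
$globalAdminLimit    = 5   # the page recommends fewer than 5 Global administrators

# Get-AzureADDirectoryRole returns only roles that have been activated in the
# tenant, so a watched role that is absent has never had a member assigned.
$activeRoles = Get-AzureADDirectoryRole

foreach ($templateId in $watchedRoles.Keys) {
    $label = $watchedRoles[$templateId]
    $role  = $activeRoles | Where-Object { $_.RoleTemplateId -eq $templateId }
    if (-not $role) {
        Write-Output ("{0}: not activated, 0 members" -f $label)
        continue
    }

    # Wrap in @() so a single member still yields a usable .Count.
    $members = @(Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId)
    Write-Output ("{0}: {1} member(s)" -f $label, $members.Count)
    foreach ($member in $members) {
        # Members may be users or service principals; only users carry a UPN.
        $name = if ($member.UserPrincipalName) { $member.UserPrincipalName } else { $member.DisplayName }
        Write-Output ("    {0} [{1}]" -f $name, $member.ObjectType)
    }

    if ($templateId -eq $globalAdminTemplate -and $members.Count -ge $globalAdminLimit) {
        Write-Warning ("Global administrator has {0} members; fewer than {1} is recommended." -f $members.Count, $globalAdminLimit)
    }
}

# A deprecated role that is still activated should have its members moved to a
# supported role before the role is removed from Azure AD.
foreach ($role in $activeRoles) {
    if ($deprecatedRoles.ContainsKey($role.RoleTemplateId)) {
        $count = @(Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId).Count
        Write-Warning ("Deprecated role '{0}' is activated with {1} member(s)." -f $role.DisplayName, $count)
    }
}
```

Matching on RoleTemplateId rather than DisplayName is deliberate: the portal name differs from the Graph displayName for several roles in the table (for example Company Administrator versus Global administrator), while the template ID is stable across both.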

Next steps