The standard built-in roles for Azure are Owner, Contributor, and Reader. Can manage calling and meetings features within the Microsoft Teams service. They have been deprecated and will be removed from Azure AD in the future. Additionally, this role contains the ability to manage users and devices in order to associate policy, as well as create and manage groups. This article describes the different roles in workspaces, and what people in each role can do. The person who signs up for the Azure AD organization becomes a Global Administrator. It provides one place to manage all permissions across all key vaults. The Remote Desktop Session Host (RD Session Host) holds the session-based apps and desktops you share with users. SQL Server 2019 and previous versions provided nine fixed server roles. Those apps may have privileged permissions in Azure AD and elsewhere not granted to User Administrators. Can manage all aspects of the SharePoint service. Users with this role can change credentials for people who may have access to sensitive or private information or critical configuration inside and outside of Azure Active Directory. Users with this role have global permissions to manage settings within Microsoft Kaizala, when the service is present, as well as the ability to manage support tickets and monitor service health. Users in this role do not have access to product configuration settings, which is the responsibility of the Insights Administrator role. Licenses. Go to the previously created secret's Access Control (IAM) tab. This documentation has details on differences between Compliance Administrator and Compliance Data Administrator.
This article explains how Microsoft Sentinel assigns permissions to user roles and identifies the allowed actions for each role. Can manage all aspects of printers and printer connectors. The account must also be licensed for Teams or it can't run Teams PowerShell cmdlets. For example, usage reporting can show how sending SMS text messages before appointments can reduce the number of people who don't show up for appointments. Users in this role can monitor notifications and advisory health updates in Message center for their organization on configured services such as Exchange, Intune, and Microsoft Teams. Read secret contents including secret portion of a certificate with private key. Members of the db_owner database role can manage fixed-database role membership. The Microsoft 365 admin center lets you manage Azure AD roles and Microsoft Intune roles. However, these roles are a subset of the roles available in the Azure AD portal and the Intune admin center. Azure RBAC allows users to manage Key, Secrets, and Certificates permissions. The resulting impact on end-user experiences depends on the type of organization: Users with this role have access to all administrative features in Azure Active Directory, as well as services that use Azure Active Directory identities like the Microsoft 365 Defender portal, the Microsoft Purview compliance portal, Exchange Online, SharePoint Online, and Skype for Business Online. This might include assigning licenses, changing payment methods, paying bills, or other tasks for managing subscriptions. Admin Agent: privileges equivalent to a global admin, except for managing multi-factor authentication through the Partner Center. Previously, this role was called "Service Administrator" in Azure portal and Microsoft 365 admin center. Can read basic directory information. If the built-in roles don't meet the specific needs of your organization, you can create your own Azure custom roles.
Through this path a Helpdesk Administrator may be able to assume the identity of an application owner and then further assume the identity of a privileged application by updating the credentials for the application. It is "Exchange Online administrator" in the Exchange admin center. All users can read the sensitive properties. Users with this role can create and manage user flows (also called "built-in" policies) in the Azure portal. For more information about Azure built-in roles definitions, see Azure built-in roles. More information about Office 365 permissions is available at Permissions in the Security & Compliance Center. Can read service health information and manage support tickets. To grant access, you assign roles to users, groups, service principals, or managed identities at a particular scope. The role definition specifies the permissions that the principal should have within the role assignment's scope. This role does not include any other privileged abilities in Azure AD like creating or updating users. Users in this role can create, manage, and delete content for Microsoft Search in the Microsoft 365 admin center, including bookmarks, Q&As, and locations. Role assignments are the way you control access to Azure resources. In Azure Active Directory (Azure AD), if another administrator or non-administrator needs to manage Azure AD resources, you assign them an Azure AD role that provides the permissions they need. A key task a Printer Technician cannot do is set user permissions on printers and share printers. Read metadata of key vaults and their certificates, keys, and secrets. People assigned the Monitoring Reader role can view all monitoring data in a subscription but can't modify any resource or edit any settings related to monitoring resources.
Users with this role have permissions to manage security-related features in the Microsoft 365 Defender portal, Azure Active Directory Identity Protection, Azure Active Directory Authentication, Azure Information Protection, and Office 365 Security & Compliance Center. This article lists the Azure AD built-in roles you can assign to allow management of Azure AD resources. For information about how to assign roles, see Steps to assign an Azure role. Users in this role can view full call record information for all participants involved. Users in this role can read and update basic information of users, groups, and service principals. They, in turn, can assign users in your company, or their company, admin roles. The following roles should not be used. This role allows configuring labels for the Azure Information Protection policy, managing protection templates, and activating protection. Azure role-based access control (Azure RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources. The rows list the roles upon which the sensitive action can be performed. Workspace roles. Limited access to manage devices in Azure AD. (For detailed information, including the cmdlets associated with a role, see Azure AD built-in roles.) Assign the following role. In the Microsoft Graph API and Azure AD PowerShell, this role is identified as "Dynamics 365 Service Administrator." Can read and manage compliance configuration and reports in Azure AD and Microsoft 365. Note that users assigned to this role are not added as owners when creating new application registrations or enterprise applications. For granting access to applications, not intended for users. More information at Exchange Recipients. For example, the Virtual Machine Contributor role allows a user to create and manage virtual machines.
This role can reset passwords and invalidate refresh tokens for all non-administrators and administrators (including Global Administrators). Marketing Manager - Business: Marketing managers (who also administer the system). All the same entities as the Marketing Professional Business role; however, this role also provides access to all views and settings in the Settings work area. Message Center Readers receive weekly email digests of posts and updates, and can share message center posts in Microsoft 365. Create Security groups, excluding role-assignable groups. For instructions, see Authorize or remove partner relationships. Users in this role can enable, disable, and delete devices in Azure AD and read Windows 10 BitLocker keys (if present) in the Azure portal. Users in this role have full access to all Microsoft Search management features in the Microsoft 365 admin center. (Development, Pre-Production, and Production). This ability to impersonate the application's identity may be an elevation of privilege over what the user can do via their role assignments. Can troubleshoot communications issues within Teams using basic tools. Can perform management-related tasks on Teams certified devices. Global Admins have almost unlimited access to your organization's settings and most of its data. Users with this role have permissions to track data in the Microsoft Purview compliance portal, Microsoft 365 admin center, and Azure. Users with this role can register printers and manage printer status in the Microsoft Universal Print solution. Those apps may have privileged permissions in Azure AD and elsewhere not granted to Helpdesk Administrators. Looking for the full list of detailed Azure AD role descriptions you can manage in the Microsoft 365 admin center?
Can create and manage all aspects of Microsoft Search settings. To make it convenient for you to manage identity across Microsoft 365 from the Azure portal, we have added some service-specific built-in roles, each of which grants administrative access to a Microsoft
- Analyze data in the Microsoft Viva Insights app, but can't manage any configuration settings
- View basic settings and reports in the Microsoft 365 admin center
- Create and manage service requests in the Microsoft 365 admin center
- Create and manage all aspects of workflows and tasks associated with Lifecycle Workflows in Azure AD
- Check the execution of scheduled workflows
- Create new warranty claims for Microsoft manufactured hardware, like Surface and HoloLens
- Search and read opened or closed warranty claims
- Search and read warranty claims by serial number
- Create, read, update, and delete shipping addresses
- Read shipping status for open warranty claims
- Read Message center announcements in the Microsoft 365 admin center
- Read and update existing shipping addresses
- Read shipping status for open warranty claims they created
- Write, publish, and delete organizational messages using Microsoft 365 admin center or Microsoft Endpoint Manager
- Manage organizational message delivery options using Microsoft 365 admin center or Microsoft Endpoint Manager
- Read organizational message delivery results using Microsoft 365 admin center or Microsoft Endpoint Manager
- View usage reports and most settings in the Microsoft 365 admin center, but can't make changes
- Manage all aspects of Entra Permissions Management, when the service is present
- Manage all aspects of Microsoft Power Automate
- microsoft.hardware.support/shippingAddress/allProperties/allTasks: Create, read, update, and delete shipping addresses for Microsoft hardware warranty claims, including shipping addresses created by others
- microsoft.hardware.support/shippingStatus/allProperties/read: Read shipping status for open Microsoft hardware warranty claims
- microsoft.hardware.support/warrantyClaims/allProperties/allTasks: Create and manage all aspects of Microsoft hardware warranty claims
- microsoft.insights/allEntities/allProperties/allTasks
- microsoft.office365.knowledge/contentUnderstanding/allProperties/allTasks: Read and update all properties of content understanding in Microsoft 365 admin center
- microsoft.office365.knowledge/contentUnderstanding/analytics/allProperties/read: Read analytics reports of content understanding in Microsoft 365 admin center
- microsoft.office365.knowledge/knowledgeNetwork/allProperties/allTasks: Read and update all properties of knowledge network in Microsoft 365 admin center
- microsoft.office365.knowledge/knowledgeNetwork/topicVisibility/allProperties/allTasks: Manage topic visibility of knowledge network in Microsoft 365 admin center
- microsoft.office365.knowledge/learningSources/allProperties/allTasks
Cannot manage MFA settings in the legacy MFA management portal or Hardware OATH tokens. Can access and manage Desktop management tools and services. Users with this role have global read-only access on security-related features, including all information in Microsoft 365 security center, Azure Active Directory, Identity Protection, and Privileged Identity Management, as well as the ability to read Azure Active Directory sign-in reports and audit logs, and in Office 365 Security & Compliance Center.
Users with the Modern Commerce User role typically have administrative permissions in other Microsoft purchasing systems, but do not have Global Administrator or Billing Administrator roles used to access the admin center. This article describes the different roles in workspaces, and what people in each role can do. For more information, see. To assign roles using the Azure portal, see Assign Azure roles using the Azure portal. For more information, see workspaces in Power BI. The User However, if a Global Administrator elevates their access by choosing the Access management for Azure resources switch in the Azure portal, the Global Administrator will be granted the User Access Administrator role (an Azure role) on all subscriptions for a particular tenant. The Microsoft 365 admin center lets you manage Azure AD roles and Microsoft Intune roles. Azure RBAC for key vault also allows users to have separate permissions on individual keys, secrets, and certificates. It's recommended to use the unique role ID instead of the role name in scripts. Network performance for Microsoft 365 relies on careful enterprise customer network perimeter architecture, which is generally user-location specific. This role is appropriate for users in an organization, such as support or operations engineers, who need to: View monitoring dashboards in the Azure portal. Assign the Helpdesk admin role to users who need to do the following: Assign the License admin role to users who need to assign and remove licenses from users and edit their usage location. To learn more about access control for managed HSM, see Managed HSM access control. Roles can be high-level, like owner, or specific, like virtual machine reader. Only works for key vaults that use the 'Azure role-based access control' permission model. Can view, set, and reset authentication method information for any non-admin user. Users with this role have all permissions in the Azure Information Protection service.
Administrators in other services outside of Azure AD like Exchange Online, Office Security and Compliance Center, and human resources systems. Azure role-based access control (Azure RBAC) is the authorization system you use to manage access to Azure resources. Azure includes several built-in roles that you can use. Workspaces are places to collaborate with colleagues and create collections of dashboards, reports, datasets, and paginated reports. Users in this role can manage Microsoft 365 apps' cloud settings. This role allows for editing of discovered user locations and configuration of network parameters for those locations to facilitate improved telemetry measurements and design recommendations. You can use Azure PowerShell, Azure CLI, or ARM template deployments with Key Vault Secrets User and Key Vault Reader role assignments for the 'Microsoft Azure App Service' global identity. Can read messages and updates for their organization in Office 365 Message Center only. Has administrative access in the Microsoft 365 Insights app. Users assigned to this role are added to the local administrators group on Azure AD-joined devices. This role grants the ability to manage assignments for all Azure AD roles including the Global Administrator role. Additionally, the role provides access to all sign-in logs, audit logs, and activity reports in Azure AD and data returned by the Microsoft Graph reporting API. On the command bar, select New. They can consent to all delegated print permission requests. That means administrators cannot update owners or memberships of Microsoft 365 groups in the organization. This role has the ability to read directory information, monitor service health, file support tickets, and access the Insights Administrator settings aspects. Read all properties of access reviews for membership in Security and Microsoft 365 groups, including role-assignable groups.
microsoft.directory/adminConsentRequestPolicy/allProperties/allTasks, Manage admin consent request policies in Azure AD, microsoft.directory/appConsent/appConsentRequests/allProperties/read, Read all properties of consent requests for applications registered with Azure AD, microsoft.directory/applications/applicationProxy/read, microsoft.directory/applications/applicationProxy/update, microsoft.directory/applications/applicationProxyAuthentication/update, Update authentication on all types of applications, microsoft.directory/applications/applicationProxySslCertificate/update, Update SSL certificate settings for application proxy, microsoft.directory/applications/applicationProxyUrlSettings/update, Update URL settings for application proxy, microsoft.directory/applications/appRoles/update, Update the appRoles property on all types of applications, microsoft.directory/applications/audience/update, Update the audience property for applications, microsoft.directory/applications/authentication/update, microsoft.directory/applications/basic/update, microsoft.directory/applications/extensionProperties/update, Update extension properties on applications, microsoft.directory/applications/notes/update, microsoft.directory/applications/owners/update, microsoft.directory/applications/permissions/update, Update exposed permissions and required permissions on all types of applications, microsoft.directory/applications/policies/update, microsoft.directory/applications/tag/update, microsoft.directory/applications/verification/update, microsoft.directory/applications/synchronization/standard/read, Read provisioning settings associated with the application object, microsoft.directory/applicationTemplates/instantiate, Instantiate gallery applications from application templates, microsoft.directory/auditLogs/allProperties/read, Read all properties on audit logs, including privileged properties, microsoft.directory/connectors/allProperties/read, Read all properties of application 
proxy connectors, microsoft.directory/connectorGroups/create, Create application proxy connector groups, microsoft.directory/connectorGroups/delete, Delete application proxy connector groups, microsoft.directory/connectorGroups/allProperties/read, Read all properties of application proxy connector groups, microsoft.directory/connectorGroups/allProperties/update, Update all properties of application proxy connector groups, microsoft.directory/customAuthenticationExtensions/allProperties/allTasks, Create and manage custom authentication extensions, microsoft.directory/deletedItems.applications/delete, Permanently delete applications, which can no longer be restored, microsoft.directory/deletedItems.applications/restore, Restore soft deleted applications to original state, microsoft.directory/oAuth2PermissionGrants/allProperties/allTasks, Create and delete OAuth 2.0 permission grants, and read and update all properties, microsoft.directory/applicationPolicies/create, microsoft.directory/applicationPolicies/delete, microsoft.directory/applicationPolicies/standard/read, Read standard properties of application policies, microsoft.directory/applicationPolicies/owners/read, microsoft.directory/applicationPolicies/policyAppliedTo/read, Read application policies applied to objects list, microsoft.directory/applicationPolicies/basic/update, Update standard properties of application policies, microsoft.directory/applicationPolicies/owners/update, Update the owner property of application policies, microsoft.directory/provisioningLogs/allProperties/read, microsoft.directory/servicePrincipals/create, microsoft.directory/servicePrincipals/delete, microsoft.directory/servicePrincipals/disable, microsoft.directory/servicePrincipals/enable, microsoft.directory/servicePrincipals/getPasswordSingleSignOnCredentials, Manage password single sign-on credentials on service principals, microsoft.directory/servicePrincipals/synchronizationCredentials/manage, Manage application provisioning 
secrets and credentials, microsoft.directory/servicePrincipals/synchronizationJobs/manage, Start, restart, and pause application provisioning syncronization jobs, microsoft.directory/servicePrincipals/synchronizationSchema/manage, Create and manage application provisioning syncronization jobs and schema, microsoft.directory/servicePrincipals/managePasswordSingleSignOnCredentials, Read password single sign-on credentials on service principals, microsoft.directory/servicePrincipals/managePermissionGrantsForAll.microsoft-application-admin, Grant consent for application permissions and delegated permissions on behalf of any user or all users, except for application permissions for Microsoft Graph, microsoft.directory/servicePrincipals/appRoleAssignedTo/update, Update service principal role assignments, microsoft.directory/servicePrincipals/audience/update, Update audience properties on service principals, microsoft.directory/servicePrincipals/authentication/update, Update authentication properties on service principals, microsoft.directory/servicePrincipals/basic/update, Update basic properties on service principals, microsoft.directory/servicePrincipals/credentials/update, microsoft.directory/servicePrincipals/notes/update, microsoft.directory/servicePrincipals/owners/update, microsoft.directory/servicePrincipals/permissions/update, microsoft.directory/servicePrincipals/policies/update, microsoft.directory/servicePrincipals/tag/update, Update the tag property for service principals, microsoft.directory/servicePrincipals/synchronization/standard/read, Read provisioning settings associated with your service principal, microsoft.directory/signInReports/allProperties/read, Read all properties on sign-in reports, including privileged properties, microsoft.azure.serviceHealth/allEntities/allTasks, microsoft.azure.supportTickets/allEntities/allTasks, microsoft.office365.serviceHealth/allEntities/allTasks, Read and configure Service Health in the Microsoft 365 admin center, 
microsoft.office365.supportTickets/allEntities/allTasks, Create and manage Microsoft 365 service requests, microsoft.office365.webPortal/allEntities/standard/read, Read basic properties on all resources in the Microsoft 365 admin center, microsoft.directory/applications/createAsOwner, Create all types of applications, and creator is added as the first owner, microsoft.directory/oAuth2PermissionGrants/createAsOwner, Create OAuth 2.0 permission grants, with creator as the first owner, microsoft.directory/servicePrincipals/createAsOwner, Create service principals, with creator as the first owner, microsoft.office365.protectionCenter/attackSimulator/payload/allProperties/allTasks, Create and manage attack payloads in Attack Simulator, microsoft.office365.protectionCenter/attackSimulator/reports/allProperties/read, Read reports of attack simulation responses and associated training, microsoft.office365.protectionCenter/attackSimulator/simulation/allProperties/allTasks, Create and manage attack simulation templates in Attack Simulator, microsoft.directory/attributeSets/allProperties/read, microsoft.directory/customSecurityAttributeDefinitions/allProperties/read, Read all properties of custom security attribute definitions, microsoft.directory/devices/customSecurityAttributes/read, Read custom security attribute values for devices, microsoft.directory/devices/customSecurityAttributes/update, Update custom security attribute values for devices, microsoft.directory/servicePrincipals/customSecurityAttributes/read, Read custom security attribute values for service principals, microsoft.directory/servicePrincipals/customSecurityAttributes/update, Update custom security attribute values for service principals, microsoft.directory/users/customSecurityAttributes/read, Read custom security attribute values for users, microsoft.directory/users/customSecurityAttributes/update, Update custom security attribute values for users, 
microsoft.directory/attributeSets/allProperties/allTasks, microsoft.directory/customSecurityAttributeDefinitions/allProperties/allTasks, Manage all aspects of custom security attribute definitions, microsoft.directory/users/authenticationMethods/create, microsoft.directory/users/authenticationMethods/delete, microsoft.directory/users/authenticationMethods/standard/restrictedRead, Read standard properties of authentication methods that do not include personally identifiable information for users, microsoft.directory/users/authenticationMethods/basic/update, Update basic properties of authentication methods for users, microsoft.directory/deletedItems.users/restore, Restore soft deleted users to original state, microsoft.directory/users/invalidateAllRefreshTokens, Force sign-out by invalidating user refresh tokens, microsoft.directory/users/password/update, microsoft.directory/users/userPrincipalName/update, microsoft.directory/organization/strongAuthentication/allTasks, Manage all aspects of strong authentication properties of an organization, microsoft.directory/userCredentialPolicies/create, microsoft.directory/userCredentialPolicies/delete, microsoft.directory/userCredentialPolicies/standard/read, Read standard properties of credential policies for users, microsoft.directory/userCredentialPolicies/owners/read, Read owners of credential policies for users, microsoft.directory/userCredentialPolicies/policyAppliedTo/read, microsoft.directory/userCredentialPolicies/basic/update, microsoft.directory/userCredentialPolicies/owners/update, Update owners of credential policies for users, microsoft.directory/userCredentialPolicies/tenantDefault/update, Update policy.isOrganizationDefault property, microsoft.directory/verifiableCredentials/configuration/contracts/cards/allProperties/read, microsoft.directory/verifiableCredentials/configuration/contracts/cards/revoke, microsoft.directory/verifiableCredentials/configuration/contracts/create, 
microsoft.directory/verifiableCredentials/configuration/contracts/allProperties/read, microsoft.directory/verifiableCredentials/configuration/contracts/allProperties/update, microsoft.directory/verifiableCredentials/configuration/create, Create configuration required to create and manage verifiable credentials, microsoft.directory/verifiableCredentials/configuration/delete, Delete configuration required to create and manage verifiable credentials and delete all of its verifiable credentials, microsoft.directory/verifiableCredentials/configuration/allProperties/read, Read configuration required to create and manage verifiable credentials, microsoft.directory/verifiableCredentials/configuration/allProperties/update, Update configuration required to create and manage verifiable credentials, microsoft.directory/groupSettings/standard/read, microsoft.directory/groupSettingTemplates/standard/read, Read basic properties on group setting templates, microsoft.azure.devOps/allEntities/allTasks, microsoft.directory/authorizationPolicy/standard/read, Read standard properties of authorization policy, microsoft.azure.informationProtection/allEntities/allTasks, Manage all aspects of Azure Information Protection, microsoft.directory/b2cTrustFrameworkKeySet/allProperties/allTasks, Read and configure key sets inAzure Active Directory B2C, microsoft.directory/b2cTrustFrameworkPolicy/allProperties/allTasks, Read and configure custom policies inAzure Active Directory B2C, microsoft.directory/organization/basic/update, microsoft.commerce.billing/allEntities/allProperties/allTasks, microsoft.directory/cloudAppSecurity/allProperties/allTasks, Create and delete all resources, and read and update standard properties in Microsoft Defender for Cloud Apps, microsoft.directory/bitlockerKeys/key/read, Read bitlocker metadata and key on devices, microsoft.directory/deletedItems.devices/delete, Permanently delete devices, which can no longer be restored, 
microsoft.directory/deletedItems.devices/restore, Restore soft deleted devices to original state, microsoft.directory/deviceManagementPolicies/standard/read, Read standard properties on device management application policies, microsoft.directory/deviceManagementPolicies/basic/update, Update basic properties on device management application policies, microsoft.directory/deviceRegistrationPolicy/standard/read, Read standard properties on device registration policies, microsoft.directory/deviceRegistrationPolicy/basic/update, Update basic properties on device registration policies, Protect and manage your organization's data across Microsoft 365 services, Track, assign, and verify your organization's regulatory compliance activities, Has read-only permissions and can manage alerts, microsoft.directory/entitlementManagement/allProperties/read, Read all properties in Azure AD entitlement management, microsoft.office365.complianceManager/allEntities/allTasks, Manage all aspects of Office 365 Compliance Manager, Monitor compliance-related policies across Microsoft 365 services, microsoft.directory/namedLocations/create, Create custom rules that define network locations, microsoft.directory/namedLocations/delete, Delete custom rules that define network locations, microsoft.directory/namedLocations/standard/read, Read basic properties of custom rules that define network locations, microsoft.directory/namedLocations/basic/update, Update basic properties of custom rules that define network locations, microsoft.directory/conditionalAccessPolicies/create, microsoft.directory/conditionalAccessPolicies/delete, microsoft.directory/conditionalAccessPolicies/standard/read, microsoft.directory/conditionalAccessPolicies/owners/read, Read the owners of conditional access policies, microsoft.directory/conditionalAccessPolicies/policyAppliedTo/read, Read the "applied to" property for conditional access policies, microsoft.directory/conditionalAccessPolicies/basic/update, Update basic 
properties for conditional access policies, microsoft.directory/conditionalAccessPolicies/owners/update, Update owners for conditional access policies, microsoft.directory/conditionalAccessPolicies/tenantDefault/update, Update the default tenant for conditional access policies, microsoft.directory/resourceNamespaces/resourceActions/authenticationContext/update, Update Conditional Access authentication context of Microsoft 365 role-based access control (RBAC) resource actions, microsoft.office365.lockbox/allEntities/allTasks, microsoft.office365.desktopAnalytics/allEntities/allTasks, microsoft.directory/administrativeUnits/standard/read, Read basic properties on administrative units, microsoft.directory/administrativeUnits/members/read, microsoft.directory/applications/standard/read, microsoft.directory/applications/owners/read, microsoft.directory/applications/policies/read, microsoft.directory/contacts/standard/read, Read basic properties on contacts in Azure AD, microsoft.directory/contacts/memberOf/read, Read the group membership for all contacts in Azure AD, microsoft.directory/contracts/standard/read, Read basic properties on partner contracts, microsoft.directory/devices/standard/read, microsoft.directory/devices/memberOf/read, microsoft.directory/devices/registeredOwners/read, microsoft.directory/devices/registeredUsers/read, microsoft.directory/directoryRoles/standard/read, microsoft.directory/directoryRoles/eligibleMembers/read, Read the eligible members of Azure AD roles, microsoft.directory/directoryRoles/members/read, microsoft.directory/domains/standard/read, Read standard properties of Security groups and Microsoft 365 groups, including role-assignable groups, microsoft.directory/groups/appRoleAssignments/read, Read application role assignments of groups, Read the memberOf property on Security groups and Microsoft 365 groups, including role-assignable groups, Read members of Security groups and Microsoft 365 groups, including role-assignable groups, 
Read owners of Security groups and Microsoft 365 groups, including role-assignable groups
microsoft.directory/oAuth2PermissionGrants/standard/read: Read basic properties on OAuth 2.0 permission grants
microsoft.directory/organization/standard/read
microsoft.directory/organization/trustedCAsForPasswordlessAuth/read: Read trusted certificate authorities for passwordless authentication
microsoft.directory/roleAssignments/standard/read: Read basic properties on role assignments
microsoft.directory/roleDefinitions/standard/read: Read basic properties on role definitions
microsoft.directory/servicePrincipals/appRoleAssignedTo/read
microsoft.directory/servicePrincipals/appRoleAssignments/read: Read role assignments assigned to service principals
microsoft.directory/servicePrincipals/standard/read: Read basic properties of service principals
microsoft.directory/servicePrincipals/memberOf/read: Read the group memberships on service principals
microsoft.directory/servicePrincipals/oAuth2PermissionGrants/read: Read delegated permission grants on service principals
microsoft.directory/servicePrincipals/owners/read
microsoft.directory/servicePrincipals/ownedObjects/read
microsoft.directory/servicePrincipals/policies/read
microsoft.directory/subscribedSkus/standard/read
microsoft.directory/users/appRoleAssignments/read: Read application role assignments for users
microsoft.directory/users/deviceForResourceAccount/read
microsoft.directory/users/directReports/read
microsoft.directory/users/licenseDetails/read
microsoft.directory/users/oAuth2PermissionGrants/read: Read delegated permission grants on users
microsoft.directory/users/ownedDevices/read
microsoft.directory/users/ownedObjects/read
microsoft.directory/users/registeredDevices/read
microsoft.directory/users/scopedRoleMemberOf/read: Read a user's membership of an Azure AD role that is scoped to an administrative unit
microsoft.directory/hybridAuthenticationPolicy/allProperties/allTasks: Manage hybrid authentication policy in Azure AD
microsoft.directory/organization/dirSync/update: Update the organization directory sync property
microsoft.directory/passwordHashSync/allProperties/allTasks: Manage all aspects of Password Hash Synchronization (PHS) in Azure AD
microsoft.directory/policies/standard/read
microsoft.directory/policies/policyAppliedTo/read
microsoft.directory/policies/basic/update
microsoft.directory/policies/owners/update
microsoft.directory/policies/tenantDefault/update
Assign product licenses to groups for group-based licensing
Create Security groups and Microsoft 365 groups, excluding role-assignable groups
microsoft.directory/groups/reprocessLicenseAssignment: Reprocess license assignments for group-based licensing
Update basic properties on Security groups and Microsoft 365 groups, excluding role-assignable groups
microsoft.directory/groups/classification/update: Update the classification property on Security groups and Microsoft 365 groups, excluding role-assignable groups
microsoft.directory/groups/dynamicMembershipRule/update: Update the dynamic membership rule on Security groups and Microsoft 365 groups, excluding role-assignable groups
microsoft.directory/groups/groupType/update: Update properties that would affect the group type of Security groups and Microsoft 365 groups, excluding role-assignable groups
microsoft.directory/groups/members/update: Update members of Security groups and Microsoft 365 groups, excluding role-assignable groups
microsoft.directory/groups/onPremWriteBack/update: Update Azure Active Directory groups to be written back to on-premises with Azure AD Connect
Update owners of Security groups and Microsoft 365 groups, excluding role-assignable groups
microsoft.directory/groups/settings/update
microsoft.directory/groups/visibility/update: Update the visibility property of Security groups and Microsoft 365 groups, excluding role-assignable groups
microsoft.directory/groupSettings/basic/update: Update basic properties on group settings
microsoft.directory/oAuth2PermissionGrants/create
microsoft.directory/oAuth2PermissionGrants/basic/update
microsoft.directory/users/reprocessLicenseAssignment
microsoft.directory/domains/allProperties/allTasks: Create and delete domains, and read and update all properties
microsoft.dynamics365/allEntities/allTasks
microsoft.edge/allEntities/allProperties/allTasks
microsoft.directory/groups/hiddenMembers/read: Read hidden members of Security groups and Microsoft 365 groups, including role-assignable groups
microsoft.directory/groups.unified/create: Create Microsoft 365 groups, excluding role-assignable groups
microsoft.directory/groups.unified/delete: Delete Microsoft 365 groups, excluding role-assignable groups
microsoft.directory/groups.unified/restore: Restore Microsoft 365 groups from the soft-deleted container, excluding role-assignable groups
microsoft.directory/groups.unified/basic/update: Update basic properties on Microsoft 365 groups, excluding role-assignable groups
microsoft.directory/groups.unified/members/update: Update members of Microsoft 365 groups, excluding role-assignable groups
microsoft.directory/groups.unified/owners/update: Update owners of Microsoft 365 groups, excluding role-assignable groups
microsoft.office365.exchange/allEntities/basic/allTasks
microsoft.office365.network/performance/allProperties/read: Read all network performance properties in the Microsoft 365 admin center
microsoft.office365.usageReports/allEntities/allProperties/read
microsoft.office365.exchange/recipients/allProperties/allTasks: Create and delete all recipients, and read and update all properties of recipients in Exchange Online
microsoft.office365.exchange/migration/allProperties/allTasks: Manage all tasks related to migration of recipients in Exchange Online
microsoft.directory/b2cUserFlow/allProperties/allTasks: Read and configure user flows in Azure Active Directory B2C
microsoft.directory/b2cUserAttribute/allProperties/allTasks: Read and configure user attributes in Azure Active Directory B2C
microsoft.directory/domains/federation/update
microsoft.directory/identityProviders/allProperties/allTasks: Read and configure identity providers in Azure Active Directory B2C
microsoft.directory/accessReviews/allProperties/allTasks: (Deprecated) Create and delete access reviews, read and update all properties of access reviews, and manage access reviews of groups in Azure AD
microsoft.directory/accessReviews/definitions/allProperties/allTasks: Manage access reviews of all reviewable resources in Azure AD
microsoft.directory/administrativeUnits/allProperties/allTasks: Create and manage administrative units (including members)
microsoft.directory/applications/allProperties/allTasks: Create and delete applications, and read and update all properties
microsoft.directory/users/authenticationMethods/standard/read: Read standard properties of authentication methods for users
microsoft.directory/authorizationPolicy/allProperties/allTasks: Manage all aspects of authorization policy
microsoft.directory/contacts/allProperties/allTasks: Create and delete contacts, and read and update all properties
microsoft.directory/contracts/allProperties/allTasks: Create and delete partner contracts, and read and update all properties
Permanently delete objects, which can no longer be restored
Restore soft deleted objects to original state
microsoft.directory/devices/allProperties/allTasks: Create and delete devices, and read and update all properties
microsoft.directory/directoryRoles/allProperties/allTasks: Create and delete directory roles, and read and update all properties
microsoft.directory/directoryRoleTemplates/allProperties/allTasks: Create and delete Azure AD role templates, and read and update all properties
microsoft.directory/entitlementManagement/allProperties/allTasks: Create and delete resources, and read and update all properties in Azure AD entitlement management
microsoft.directory/groups/allProperties/allTasks: Create and delete groups, and read and update all properties
microsoft.directory/groupsAssignableToRoles/create
microsoft.directory/groupsAssignableToRoles/delete
microsoft.directory/groupsAssignableToRoles/restore
microsoft.directory/groupsAssignableToRoles/allProperties/update
microsoft.directory/groupSettings/allProperties/allTasks: Create and delete group settings, and read and update all properties
microsoft.directory/groupSettingTemplates/allProperties/allTasks: Create and delete group setting templates, and read and update all properties
microsoft.directory/identityProtection/allProperties/allTasks: Create and delete all resources, and read and update standard properties in Azure AD Identity Protection
microsoft.directory/loginOrganizationBranding/allProperties/allTasks: Create and delete loginTenantBranding, and read and update all properties
microsoft.directory/organization/allProperties/allTasks: Read and update all properties for an organization
microsoft.directory/policies/allProperties/allTasks: Create and delete policies, and read and update all properties
microsoft.directory/conditionalAccessPolicies/allProperties/allTasks: Manage all properties of conditional access policies
microsoft.directory/crossTenantAccessPolicy/standard/read: Read basic properties of cross-tenant access policy
microsoft.directory/crossTenantAccessPolicy/allowedCloudEndpoints/update: Update allowed cloud endpoints of cross-tenant access policy
microsoft.directory/crossTenantAccessPolicy/basic/update: Update basic settings of cross-tenant access policy
microsoft.directory/crossTenantAccessPolicy/default/standard/read: Read basic properties of the default cross-tenant access policy
microsoft.directory/crossTenantAccessPolicy/default/b2bCollaboration/update: Update Azure AD B2B collaboration settings of the default cross-tenant access policy
microsoft.directory/crossTenantAccessPolicy/default/b2bDirectConnect/update: Update Azure AD B2B direct connect settings of the default cross-tenant access policy
microsoft.directory/crossTenantAccessPolicy/default/crossCloudMeetings/update: Update cross-cloud Teams meeting settings of the default cross-tenant access policy
microsoft.directory/crossTenantAccessPolicy/default/tenantRestrictions/update: Update tenant restrictions of the default cross-tenant access policy
microsoft.directory/crossTenantAccessPolicy/partners/create: Create cross-tenant access policy for partners
microsoft.directory/crossTenantAccessPolicy/partners/delete: Delete cross-tenant access policy for partners
microsoft.directory/crossTenantAccessPolicy/partners/standard/read: Read basic properties of cross-tenant access policy for partners
microsoft.directory/crossTenantAccessPolicy/partners/b2bCollaboration/update: Update Azure AD B2B collaboration settings of cross-tenant access policy for partners
microsoft.directory/crossTenantAccessPolicy/partners/b2bDirectConnect/update: Update Azure AD B2B direct connect settings of cross-tenant access policy for partners
microsoft.directory/crossTenantAccessPolicy/partners/crossCloudMeetings/update: Update cross-cloud Teams meeting settings of cross-tenant access policy for partners
microsoft.directory/crossTenantAccessPolicy/partners/tenantRestrictions/update: Update tenant restrictions of cross-tenant access policy for partners
microsoft.directory/privilegedIdentityManagement/allProperties/read: Read all resources in Privileged Identity Management
microsoft.directory/roleAssignments/allProperties/allTasks: Create and delete role assignments, and read and update all role assignment properties
microsoft.directory/roleDefinitions/allProperties/allTasks: Create and delete role definitions, and read and update all properties
microsoft.directory/scopedRoleMemberships/allProperties/allTasks: Create and delete scopedRoleMemberships, and read and update all properties
microsoft.directory/serviceAction/activateService: Can perform the "activate service" action for a service
microsoft.directory/serviceAction/disableDirectoryFeature: Can perform the "disable directory feature" service action
microsoft.directory/serviceAction/enableDirectoryFeature: Can perform the "enable directory feature" service action
microsoft.directory/serviceAction/getAvailableExtentionProperties: Can perform the getAvailableExtentionProperties service action
microsoft.directory/servicePrincipals/allProperties/allTasks: Create and delete service principals, and read and update all properties
microsoft.directory/servicePrincipals/managePermissionGrantsForAll.microsoft-company-admin: Grant consent for any permission to any application
microsoft.directory/subscribedSkus/allProperties/allTasks: Buy and manage subscriptions and delete subscriptions
microsoft.directory/users/allProperties/allTasks: Create and delete users, and read and update all properties
microsoft.directory/permissionGrantPolicies/create
microsoft.directory/permissionGrantPolicies/delete
microsoft.directory/permissionGrantPolicies/standard/read: Read standard properties of permission grant policies
microsoft.directory/permissionGrantPolicies/basic/update: Update basic properties of permission grant policies
microsoft.directory/servicePrincipalCreationPolicies/create: Create service principal creation policies
microsoft.directory/servicePrincipalCreationPolicies/delete: Delete service principal creation policies
microsoft.directory/servicePrincipalCreationPolicies/standard/read: Read standard properties of service principal creation policies
microsoft.directory/servicePrincipalCreationPolicies/basic/update: Update basic properties of service principal creation policies
microsoft.directory/tenantManagement/tenants/create: Create new tenants in Azure Active Directory
microsoft.directory/lifecycleWorkflows/workflows/allProperties/allTasks: Manage all aspects of lifecycle workflows and tasks in Azure AD
microsoft.azure.advancedThreatProtection/allEntities/allTasks: Manage all aspects of Azure Advanced Threat Protection
microsoft.cloudPC/allEntities/allProperties/allTasks
microsoft.commerce.billing/purchases/standard/read
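A list like the one above tells you which actions a role contains, but not which of them matter when you review a custom role someone created in the tenant. The following is an added example (not code from the page and not Microsoft's) that audits role definitions in the JSON shape returned by GET /roleManagement/directory/roleDefinitions (displayName, isBuiltIn, rolePermissions[].allowedResourceActions) for actions that amount to a tenant takeover. The set of tier-0 actions is this editor's selection from the list above, not a published list; the coverage rules for allProperties/allTasks, allProperties/read|update and allEntities/allTasks are an assumption modelled on the descriptions the page gives for those actions; and the three role definitions at the bottom are constructed samples.

```python
"""Audit Azure AD / Entra ID role definitions for tenant-takeover actions.

Added example; not code from the page or from Microsoft. Input shape follows
GET /roleManagement/directory/roleDefinitions. Sample definitions are constructed.
"""
from __future__ import annotations

# Editor's selection of actions from the list above that let the holder become, or
# mint credentials for, a Global Administrator-equivalent identity. Not a Microsoft list.
TIER0_ACTIONS = {
    "microsoft.directory/roleAssignments/allProperties/allTasks",        # assign yourself any role
    "microsoft.directory/roleDefinitions/allProperties/allTasks",        # rewrite what a role grants
    "microsoft.directory/scopedRoleMemberships/allProperties/allTasks",
    "microsoft.directory/groupsAssignableToRoles/allProperties/update",  # join a role-assignable group
    "microsoft.directory/servicePrincipals/managePermissionGrantsForAll.microsoft-company-admin",
    "microsoft.directory/servicePrincipals/allProperties/allTasks",      # add credentials to any SP
    "microsoft.directory/applications/allProperties/allTasks",           # add credentials to any app
    "microsoft.directory/users/allProperties/allTasks",                  # take over any user
    "microsoft.directory/domains/federation/update",                     # federate a domain to your IdP
    "microsoft.directory/hybridAuthenticationPolicy/allProperties/allTasks",
    "microsoft.directory/passwordHashSync/allProperties/allTasks",
    "microsoft.directory/conditionalAccessPolicies/basic/update",        # weaken or disable CA
    "microsoft.directory/authorizationPolicy/allProperties/allTasks",
}

CRUD_VERBS = {"create", "delete", "read", "update"}


def covers(granted: str, requested: str) -> bool:
    """True if the granted action includes the requested one.

    Assumed semantics, modelled on the descriptions in the list above:
      R/allProperties/allTasks       = create, delete, and read/update of every property of R
      R/allProperties/read|update    = read|update of every property of R
      N/allEntities/allTasks         = everything under N (also N/allEntities/allProperties/allTasks)
    Named operations (managePermissionGrantsForAll.*, reprocessLicenseAssignment, restore, ...)
    match only exactly. Resources compare per path segment, so 'groups' never covers
    'groups.unified' or 'groupsAssignableToRoles'.
    """
    if granted == requested:
        return True
    g, r = granted.split("/"), requested.split("/")
    if g[-2:] == ["allEntities", "allTasks"] or g[-3:] == ["allEntities", "allProperties", "allTasks"]:
        base = g[: g.index("allEntities")]
        return r[: len(base)] == base and len(r) > len(base)
    if len(g) >= 3 and g[-2] == "allProperties":
        base = g[:-2]
        if r[: len(base)] != base or len(r) <= len(base):
            return False
        verb = r[-1]
        if g[-1] == "allTasks":
            return verb in CRUD_VERBS
        return verb == g[-1] and verb in {"read", "update"}
    return False


def privileged_grants(role_definition: dict) -> dict[str, str]:
    """Map each tier-0 action the role effectively grants to the granted action covering it."""
    findings: dict[str, str] = {}
    for permission in role_definition.get("rolePermissions", []):
        for granted in permission.get("allowedResourceActions", []):
            for sensitive in sorted(TIER0_ACTIONS):
                if sensitive not in findings and covers(granted, sensitive):
                    findings[sensitive] = granted
    return findings


def audit(role_definitions: list[dict]) -> dict[str, dict[str, str]]:
    """Return {displayName: findings} for every role definition that grants a tier-0 action."""
    report: dict[str, dict[str, str]] = {}
    for role in role_definitions:
        findings = privileged_grants(role)
        if findings:
            report[role["displayName"]] = findings
    return report


# Constructed sample shaped like the Graph response; not real tenant data.
SAMPLE_ROLE_DEFINITIONS = [
    {"displayName": "Helpdesk (constructed)", "isBuiltIn": False,
     "rolePermissions": [{"allowedResourceActions": [
         "microsoft.directory/users/licenseDetails/read",
         "microsoft.directory/groups/members/update",          # excludes role-assignable groups
         "microsoft.directory/devices/standard/read"]}]},
    {"displayName": "App Support (constructed)", "isBuiltIn": False,
     "rolePermissions": [{"allowedResourceActions": [
         "microsoft.directory/applications/allProperties/allTasks",  # credentials on any app
         "microsoft.directory/servicePrincipals/standard/read"]}]},
    {"displayName": "Directory Ops (constructed)", "isBuiltIn": False,
     "rolePermissions": [{"allowedResourceActions": [
         "microsoft.directory/roleAssignments/standard/read",
         "microsoft.directory/roleAssignments/allProperties/allTasks",
         "microsoft.directory/conditionalAccessPolicies/allProperties/allTasks",
         "microsoft.directory/servicePrincipals/allProperties/allTasks"]}]},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ROLE_DEFINITIONS).items():
        print(name)
        for sensitive, via in sorted(findings.items()):
            print(f"  {sensitive}  <- {via}")
```

Run it against the role definitions you pull from Graph and filter on isBuiltIn == False: the built-in roles above will obviously trip it, the interesting hits are custom roles that look like helpdesk or support roles but carry an allProperties/allTasks on applications, servicePrincipals or roleAssignments. The matcher is deliberately conservative: servicePrincipals/allProperties/allTasks is reported on its own merits, but it is not treated as implying managePermissionGrantsForAll.microsoft-company-admin, because the page lists that action separately.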