In the Microsoft Graph API and Azure AD PowerShell, this role is identified as "SharePoint Service Administrator." Users assigned to this role are not added as owners when creating new application registrations or enterprise applications. Looking for the full list of detailed Intune role descriptions you can manage in the Microsoft 365 admin center? Assign the Message center privacy reader role to users who need to read privacy and security messages and updates in the Microsoft 365 Message center. Only works for key vaults that use the 'Azure role-based access control' permission model. This role allows configuring labels for the Azure Information Protection policy, managing protection templates, and activating protection. Read and configure all properties of Azure AD Cloud Provisioning service. Azure role-based access control (Azure RBAC) is the authorization system you use to manage access to Azure resources. This role allows for editing of discovered user locations and configuration of network parameters for those locations to facilitate improved telemetry measurements and design recommendations. Go to key vault Access control (IAM) tab and remove "Key Vault Secrets Officer" role assignment for this resource. This includes the management tools for telephone number assignment, voice and meeting policies, and full access to the call analytics toolset. See. All users can read the sensitive properties. For information about how to assign roles, see Steps to assign an Azure role . Assign Global Reader instead of Global Administrator for planning, audits, or investigations. By editing policies, this user can establish direct federation with external identity providers, change the directory schema, change all user-facing content (HTML, CSS, JavaScript), change the requirements to complete an authentication, create new users, send user data to external systems including full migrations, and edit all user information including sensitive fields like passwords and phone numbers. Users in this role can manage these policies by navigating to any Azure DevOps organization that is backed by the company's Azure AD. Use Global Reader in combination with other limited admin roles like Exchange Administrator to make it easier to get work done without the assigning the Global Administrator role. They include business profile admin, referral admin, incentive admin, incentive user, and Microsoft Cloud Partner Program (formerly the Microsoft Partner Network) partner admin. Validate secrets read without reader role on key vault level. So, any Microsoft 365 group (not security group) they create is counted against their quota of 250. This article describes the different roles in workspaces, and what people in each role can do. This role also grants permission to consent on one's own behalf when the "Users can consent to apps accessing company data on their behalf" setting is set to No. It's recommended to use the unique role ID instead of the role name in scripts. Can manage secrets for federation and encryption in the Identity Experience Framework (IEF). Furthermore, Global Administrators can elevate their access to manage all Azure subscriptions and management groups. Additionally, this role contains the ability to view groups, domains, and subscriptions. Users in this role have the ability to create, read, update, and delete all custom policies in Azure AD B2C and therefore have full control over the Identity Experience Framework in the relevant Azure AD B2C organization. This role is provided access to insights forms through form-level security. This role should not be used as it is deprecated and it will no longer be returned in API. You can see secret properties. They do not have the ability to manage devices objects in Azure Active Directory. Through this path a Helpdesk Administrator may be able to assume the identity of an application owner and then further assume the identity of a privileged application by updating the credentials for the application. Assign the groups admin role to users who need to manage all groups settings across admin centers, including the Microsoft 365 admin center and Azure Active Directory portal. Microsoft Sentinel roles, permissions, and allowed actions. Next steps. They can add administrators, add Microsoft Defender for Cloud Apps policies and settings, upload logs, and perform governance actions. Can troubleshoot communications issues within Teams using basic tools. Each admin role maps to common business functions and gives people in your organization permissions to do specific tasks in the admin centers. For example: Assign the Authentication Policy Administrator role to users who need to do the following: This role is available for assignment only as an additional local administrator in Device settings. Users in this role can create and manage the enterprise site list required for Internet Explorer mode on Microsoft Edge. In this document role name is used only for readability. Can read everything that a Global Administrator can, but not update anything. This article lists the Azure AD built-in roles you can assign to allow management of Azure AD resources. Users in this role can manage aspects of the Microsoft Teams workload related to voice & telephony. Assignees can also manage all features within the Exchange admin center and create support tickets for Azure and Microsoft 365. This user can enable the Azure AD organization to trust authentications from external identity providers. Workspaces are places to collaborate with colleagues and create collections of dashboards, reports, datasets, and paginated reports. Next steps. Define the threshold and duration for lockouts when failed sign-in events happen. Can access to view, set and reset authentication method information for any user (admin or non-admin). These users can customize HTML/CSS/JavaScript content, change MFA requirements, select claims in the token, manage API connectors and their credentials, and configure session settings for all user flows in the Azure AD organization. Members of the db_ownerdatabase role can manage fixed-database role membership. Custom roles and advanced Azure RBAC. Users with this role can define a valid set of custom security attributes that can be assigned to supported Azure AD objects. Can read security information and reports, and manage configuration in Azure AD and Office 365. The "Helpdesk Administrator" name in Azure AD now matches its name in Azure AD PowerShell and the Microsoft Graph API. Assign the Permissions Management Administrator role to users who need to do the following tasks: Learn more about Permissions Management roles and polices at View information about roles/policies. However, if a Global Administrator elevates their access by choosing the Access management for Azure resources switch in the Azure portal, the Global Administrator will be granted the User Access Administrator role (an Azure role) on all subscriptions for a particular tenant. See, Azure Active Directory B2C organizations: The addition of a federation (for example, with Facebook, or with another Azure AD organization) does not immediately impact end-user flows until the identity provider is added as an option in a user flow (also called a built-in policy). Printer Administrators also have access to print reports. Considerations and limitations. If you need help with the steps in this topic, consider working with a Microsoft small business specialist. To Also the user will be able to manage the various groups settings across various admin portals like Microsoft admin center, Azure portal, as well as workload specific ones like Teams and SharePoint admin centers. To make it convenient for you to manage identity across Microsoft 365 from the Azure portal, we have added some service-specific built-in roles, each of which grants administrative access to a Microsoft 365 service. Azure includes several built-in roles that you can use. Members of the db_ownerdatabase role can manage fixed-database role membership. Additionally, the user can access reports related to adoption & usage of Kaizala by Organization members and business reports generated using the Kaizala actions. Can manage Azure DevOps policies and settings. Workspace roles. The Key Vault Secrets User role should be used for applications to retrieve certificate. More information about Office 365 permissions is available at Permissions in the Security & Compliance Center. Users with this role have full permissions in Defender for Cloud Apps. Can manage commercial purchases for a company, department or team. Can read security information and reports in Azure AD and Office 365. Can reset passwords for non-administrators and Password Administrators. This role additionally grants the ability to manage support tickets, and monitor service health within the main admin center. This separation lets you have more granular control over administrative tasks. Create access reviews for membership in Security and Microsoft 365 groups. The B2 IEF Policy Administrator is a highly sensitive role which should be assigned on a very limited basis for organizations in production. Browsers use caching and page refresh is required after removing role assignments. microsoft.directory/accessReviews/definitions.groups/allProperties/update. Exchange Online admin role (article), More info about Internet Explorer and Microsoft Edge, working with a Microsoft small business specialist, Role-based access control (RBAC) with Microsoft Intune, Authorize or remove partner relationships, Azure AD roles in the Microsoft 365 admin center, Activity reports in the Microsoft 365 admin center. As a best practice, Microsoft recommends that you assign the Global Administrator role to fewer than five people in your organization. Users in this role have full access to all knowledge, learning and intelligent features settings in the Microsoft 365 admin center. More information is available at About Microsoft 365 admin roles. Users with this role have global permissions within Microsoft Dynamics 365 Online, when the service is present, as well as the ability to manage support tickets and monitor service health. Can read basic directory information. If you don't, you can create a free account before you begin. Can create and manage all aspects of app registrations and enterprise apps. They have been deprecated and will be removed from Azure AD in the future. Users with this role have permissions to track data in the Microsoft Purview compliance portal, Microsoft 365 admin center, and Azure. Update all properties of access reviews for membership in Security and Microsoft 365 groups, excluding role-assignable groups. Changes to Identity Experience Framework policies (also known as custom policies) are also outside the scope of this role. Licenses. Azure subscription owners, who might have access to sensitive or private information or critical configuration in Azure. Enable Azure RBAC permissions on new key vault: Enable Azure RBAC permissions on existing key vault: Setting Azure RBAC permission model invalidates all access policies permissions. ( Roles are like groups in the Windows operating system.) A user assigned to the Reports Reader role can access only relevant usage and adoption metrics. For more information, see. Users with this role can change credentials for people who may have access to sensitive or private information or critical configuration inside and outside of Azure Active Directory. The standard built-in roles for Azure are Owner, Contributor, and Reader. Azure AD organizations for employees and partners:The addition of a federation (e.g. Can configure knowledge, learning, and other intelligent features. microsoft.directory/adminConsentRequestPolicy/allProperties/allTasks, Manage admin consent request policies in Azure AD, microsoft.directory/appConsent/appConsentRequests/allProperties/read, Read all properties of consent requests for applications registered with Azure AD, microsoft.directory/applications/applicationProxy/read, microsoft.directory/applications/applicationProxy/update, microsoft.directory/applications/applicationProxyAuthentication/update, Update authentication on all types of applications, microsoft.directory/applications/applicationProxySslCertificate/update, Update SSL certificate settings for application proxy, microsoft.directory/applications/applicationProxyUrlSettings/update, Update URL settings for application proxy, microsoft.directory/applications/appRoles/update, Update the appRoles property on all types of applications, microsoft.directory/applications/audience/update, Update the audience property for applications, microsoft.directory/applications/authentication/update, microsoft.directory/applications/basic/update, microsoft.directory/applications/extensionProperties/update, Update extension properties on applications, microsoft.directory/applications/notes/update, microsoft.directory/applications/owners/update, microsoft.directory/applications/permissions/update, Update exposed permissions and required permissions on all types of applications, microsoft.directory/applications/policies/update, microsoft.directory/applications/tag/update, microsoft.directory/applications/verification/update, microsoft.directory/applications/synchronization/standard/read, Read provisioning settings associated with the application object, microsoft.directory/applicationTemplates/instantiate, Instantiate gallery applications from application templates, microsoft.directory/auditLogs/allProperties/read, Read all properties on audit logs, including privileged properties, microsoft.directory/connectors/allProperties/read, Read all properties of application proxy connectors, microsoft.directory/connectorGroups/create, Create application proxy connector groups, microsoft.directory/connectorGroups/delete, Delete application proxy connector groups, microsoft.directory/connectorGroups/allProperties/read, Read all properties of application proxy connector groups, microsoft.directory/connectorGroups/allProperties/update, Update all properties of application proxy connector groups, microsoft.directory/customAuthenticationExtensions/allProperties/allTasks, Create and manage custom authentication extensions, microsoft.directory/deletedItems.applications/delete, Permanently delete applications, which can no longer be restored, microsoft.directory/deletedItems.applications/restore, Restore soft deleted applications to original state, microsoft.directory/oAuth2PermissionGrants/allProperties/allTasks, Create and delete OAuth 2.0 permission grants, and read and update all properties, microsoft.directory/applicationPolicies/create, microsoft.directory/applicationPolicies/delete, microsoft.directory/applicationPolicies/standard/read, Read standard properties of application policies, microsoft.directory/applicationPolicies/owners/read, microsoft.directory/applicationPolicies/policyAppliedTo/read, Read application policies applied to objects list, microsoft.directory/applicationPolicies/basic/update, Update standard properties of application policies, microsoft.directory/applicationPolicies/owners/update, Update the owner property of application policies, microsoft.directory/provisioningLogs/allProperties/read, microsoft.directory/servicePrincipals/create, microsoft.directory/servicePrincipals/delete, microsoft.directory/servicePrincipals/disable, microsoft.directory/servicePrincipals/enable, microsoft.directory/servicePrincipals/getPasswordSingleSignOnCredentials, Manage password single sign-on credentials on service principals, microsoft.directory/servicePrincipals/synchronizationCredentials/manage, Manage application provisioning secrets and credentials, microsoft.directory/servicePrincipals/synchronizationJobs/manage, Start, restart, and pause application provisioning syncronization jobs, microsoft.directory/servicePrincipals/synchronizationSchema/manage, Create and manage application provisioning syncronization jobs and schema, microsoft.directory/servicePrincipals/managePasswordSingleSignOnCredentials, Read password single sign-on credentials on service principals, microsoft.directory/servicePrincipals/managePermissionGrantsForAll.microsoft-application-admin, Grant consent for application permissions and delegated permissions on behalf of any user or all users, except for application permissions for Microsoft Graph, microsoft.directory/servicePrincipals/appRoleAssignedTo/update, Update service principal role assignments, microsoft.directory/servicePrincipals/audience/update, Update audience properties on service principals, microsoft.directory/servicePrincipals/authentication/update, Update authentication properties on service principals, microsoft.directory/servicePrincipals/basic/update, Update basic properties on service principals, microsoft.directory/servicePrincipals/credentials/update, microsoft.directory/servicePrincipals/notes/update, microsoft.directory/servicePrincipals/owners/update, microsoft.directory/servicePrincipals/permissions/update, microsoft.directory/servicePrincipals/policies/update, microsoft.directory/servicePrincipals/tag/update, Update the tag property for service principals, microsoft.directory/servicePrincipals/synchronization/standard/read, Read provisioning settings associated with your service principal, microsoft.directory/signInReports/allProperties/read, Read all properties on sign-in reports, including privileged properties, microsoft.azure.serviceHealth/allEntities/allTasks, microsoft.azure.supportTickets/allEntities/allTasks, microsoft.office365.serviceHealth/allEntities/allTasks, Read and configure Service Health in the Microsoft 365 admin center, microsoft.office365.supportTickets/allEntities/allTasks, Create and manage Microsoft 365 service requests, microsoft.office365.webPortal/allEntities/standard/read, Read basic properties on all resources in the Microsoft 365 admin center, microsoft.directory/applications/createAsOwner, Create all types of applications, and creator is added as the first owner, microsoft.directory/oAuth2PermissionGrants/createAsOwner, Create OAuth 2.0 permission grants, with creator as the first owner, microsoft.directory/servicePrincipals/createAsOwner, Create service principals, with creator as the first owner, microsoft.office365.protectionCenter/attackSimulator/payload/allProperties/allTasks, Create and manage attack payloads in Attack Simulator, microsoft.office365.protectionCenter/attackSimulator/reports/allProperties/read, Read reports of attack simulation responses and associated training, microsoft.office365.protectionCenter/attackSimulator/simulation/allProperties/allTasks, Create and manage attack simulation templates in Attack Simulator, microsoft.directory/attributeSets/allProperties/read, microsoft.directory/customSecurityAttributeDefinitions/allProperties/read, Read all properties of custom security attribute definitions, microsoft.directory/devices/customSecurityAttributes/read, Read custom security attribute values for devices, microsoft.directory/devices/customSecurityAttributes/update, Update custom security attribute values for devices, microsoft.directory/servicePrincipals/customSecurityAttributes/read, Read custom security attribute values for service principals, microsoft.directory/servicePrincipals/customSecurityAttributes/update, Update custom security attribute values for service principals, microsoft.directory/users/customSecurityAttributes/read, Read custom security attribute values for users, microsoft.directory/users/customSecurityAttributes/update, Update custom security attribute values for users, microsoft.directory/attributeSets/allProperties/allTasks, microsoft.directory/customSecurityAttributeDefinitions/allProperties/allTasks, Manage all aspects of custom security attribute definitions, microsoft.directory/users/authenticationMethods/create, microsoft.directory/users/authenticationMethods/delete, microsoft.directory/users/authenticationMethods/standard/restrictedRead, Read standard properties of authentication methods that do not include personally identifiable information for users, microsoft.directory/users/authenticationMethods/basic/update, Update basic properties of authentication methods for users, microsoft.directory/deletedItems.users/restore, Restore soft deleted users to original state, microsoft.directory/users/invalidateAllRefreshTokens, Force sign-out by invalidating user refresh tokens, microsoft.directory/users/password/update, microsoft.directory/users/userPrincipalName/update, microsoft.directory/organization/strongAuthentication/allTasks, Manage all aspects of strong authentication properties of an organization, microsoft.directory/userCredentialPolicies/create, microsoft.directory/userCredentialPolicies/delete, microsoft.directory/userCredentialPolicies/standard/read, Read standard properties of credential policies for users, microsoft.directory/userCredentialPolicies/owners/read, Read owners of credential policies for users, microsoft.directory/userCredentialPolicies/policyAppliedTo/read, microsoft.directory/userCredentialPolicies/basic/update, microsoft.directory/userCredentialPolicies/owners/update, Update owners of credential policies for users, microsoft.directory/userCredentialPolicies/tenantDefault/update, Update policy.isOrganizationDefault property, microsoft.directory/verifiableCredentials/configuration/contracts/cards/allProperties/read, microsoft.directory/verifiableCredentials/configuration/contracts/cards/revoke, microsoft.directory/verifiableCredentials/configuration/contracts/create, microsoft.directory/verifiableCredentials/configuration/contracts/allProperties/read, microsoft.directory/verifiableCredentials/configuration/contracts/allProperties/update, microsoft.directory/verifiableCredentials/configuration/create, Create configuration required to create and manage verifiable credentials, microsoft.directory/verifiableCredentials/configuration/delete, Delete configuration required to create and manage verifiable credentials and delete all of its verifiable credentials, microsoft.directory/verifiableCredentials/configuration/allProperties/read, Read configuration required to create and manage verifiable credentials, microsoft.directory/verifiableCredentials/configuration/allProperties/update, Update configuration required to create and manage verifiable credentials, microsoft.directory/groupSettings/standard/read, microsoft.directory/groupSettingTemplates/standard/read, Read basic properties on group setting templates, microsoft.azure.devOps/allEntities/allTasks, microsoft.directory/authorizationPolicy/standard/read, Read standard properties of authorization policy, microsoft.azure.informationProtection/allEntities/allTasks, Manage all aspects of Azure Information Protection, microsoft.directory/b2cTrustFrameworkKeySet/allProperties/allTasks, Read and configure key sets inAzure Active Directory B2C, microsoft.directory/b2cTrustFrameworkPolicy/allProperties/allTasks, Read and configure custom policies inAzure Active Directory B2C, microsoft.directory/organization/basic/update, microsoft.commerce.billing/allEntities/allProperties/allTasks, microsoft.directory/cloudAppSecurity/allProperties/allTasks, Create and delete all resources, and read and update standard properties in Microsoft Defender for Cloud Apps, microsoft.directory/bitlockerKeys/key/read, Read bitlocker metadata and key on devices, microsoft.directory/deletedItems.devices/delete, Permanently delete devices, which can no longer be restored, microsoft.directory/deletedItems.devices/restore, Restore soft deleted devices to original state, microsoft.directory/deviceManagementPolicies/standard/read, Read standard properties on device management application policies, microsoft.directory/deviceManagementPolicies/basic/update, Update basic properties on device management application policies, microsoft.directory/deviceRegistrationPolicy/standard/read, Read standard properties on device registration policies, microsoft.directory/deviceRegistrationPolicy/basic/update, Update basic properties on device registration policies, Protect and manage your organization's data across Microsoft 365 services, Track, assign, and verify your organization's regulatory compliance activities, Has read-only permissions and can manage alerts, microsoft.directory/entitlementManagement/allProperties/read, Read all properties in Azure AD entitlement management, microsoft.office365.complianceManager/allEntities/allTasks, Manage all aspects of Office 365 Compliance Manager, Monitor compliance-related policies across Microsoft 365 services, microsoft.directory/namedLocations/create, Create custom rules that define network locations, microsoft.directory/namedLocations/delete, Delete custom rules that define network locations, microsoft.directory/namedLocations/standard/read, Read basic properties of custom rules that define network locations, microsoft.directory/namedLocations/basic/update, Update basic properties of custom rules that define network locations, microsoft.directory/conditionalAccessPolicies/create, microsoft.directory/conditionalAccessPolicies/delete, microsoft.directory/conditionalAccessPolicies/standard/read, microsoft.directory/conditionalAccessPolicies/owners/read, Read the owners of conditional access policies, microsoft.directory/conditionalAccessPolicies/policyAppliedTo/read, Read the "applied to" property for conditional access policies, microsoft.directory/conditionalAccessPolicies/basic/update, Update basic properties for conditional access policies, microsoft.directory/conditionalAccessPolicies/owners/update, Update owners for conditional access policies, microsoft.directory/conditionalAccessPolicies/tenantDefault/update, Update the default tenant for conditional access policies, microsoft.directory/resourceNamespaces/resourceActions/authenticationContext/update, Update Conditional Access authentication context of Microsoft 365 role-based access control (RBAC) resource actions, microsoft.office365.lockbox/allEntities/allTasks, microsoft.office365.desktopAnalytics/allEntities/allTasks, microsoft.directory/administrativeUnits/standard/read, Read basic properties on administrative units, microsoft.directory/administrativeUnits/members/read, microsoft.directory/applications/standard/read, microsoft.directory/applications/owners/read, microsoft.directory/applications/policies/read, microsoft.directory/contacts/standard/read, Read basic properties on contacts in Azure AD, microsoft.directory/contacts/memberOf/read, Read the group membership for all contacts in Azure AD, microsoft.directory/contracts/standard/read, Read basic properties on partner contracts, microsoft.directory/devices/standard/read, microsoft.directory/devices/memberOf/read, microsoft.directory/devices/registeredOwners/read, microsoft.directory/devices/registeredUsers/read, microsoft.directory/directoryRoles/standard/read, microsoft.directory/directoryRoles/eligibleMembers/read, Read the eligible members of Azure AD roles, microsoft.directory/directoryRoles/members/read, microsoft.directory/domains/standard/read, Read standard properties of Security groups and Microsoft 365 groups, including role-assignable groups, microsoft.directory/groups/appRoleAssignments/read, Read application role assignments of groups, Read the memberOf property on Security groups and Microsoft 365 groups, including role-assignable groups, Read members of Security groups and Microsoft 365 groups, including role-assignable groups, Read owners of Security groups and Microsoft 365 groups, including role-assignable groups, microsoft.directory/oAuth2PermissionGrants/standard/read, Read basic properties on OAuth 2.0 permission grants, microsoft.directory/organization/standard/read, microsoft.directory/organization/trustedCAsForPasswordlessAuth/read, Read trusted certificate authorities for passwordless authentication, microsoft.directory/roleAssignments/standard/read, Read basic properties on role assignments, microsoft.directory/roleDefinitions/standard/read, Read basic properties on role definitions, microsoft.directory/servicePrincipals/appRoleAssignedTo/read, microsoft.directory/servicePrincipals/appRoleAssignments/read, Read role assignments assigned to service principals, microsoft.directory/servicePrincipals/standard/read, Read basic properties of service principals, microsoft.directory/servicePrincipals/memberOf/read, Read the group memberships on service principals, microsoft.directory/servicePrincipals/oAuth2PermissionGrants/read, Read delegated permission grants on service principals, microsoft.directory/servicePrincipals/owners/read, microsoft.directory/servicePrincipals/ownedObjects/read, microsoft.directory/servicePrincipals/policies/read, microsoft.directory/subscribedSkus/standard/read, microsoft.directory/users/appRoleAssignments/read, Read application role assignments for users, microsoft.directory/users/deviceForResourceAccount/read, microsoft.directory/users/directReports/read, microsoft.directory/users/licenseDetails/read, microsoft.directory/users/oAuth2PermissionGrants/read, Read delegated permission grants on users, microsoft.directory/users/ownedDevices/read, microsoft.directory/users/ownedObjects/read, microsoft.directory/users/registeredDevices/read, microsoft.directory/users/scopedRoleMemberOf/read, Read user's membership of an Azure AD role, that is scoped to an administrative unit, microsoft.directory/hybridAuthenticationPolicy/allProperties/allTasks, Manage hybrid authentication policy in Azure AD, microsoft.directory/organization/dirSync/update, Update the organization directory sync property, microsoft.directory/passwordHashSync/allProperties/allTasks, Manage all aspects of Password Hash Synchronization (PHS) in Azure AD, microsoft.directory/policies/standard/read, microsoft.directory/policies/policyAppliedTo/read, microsoft.directory/policies/basic/update, microsoft.directory/policies/owners/update, microsoft.directory/policies/tenantDefault/update, Assign product licenses to groups for group-based licensing, Create Security groups and Microsoft 365 groups, excluding role-assignable groups, microsoft.directory/groups/reprocessLicenseAssignment, Reprocess license assignments for group-based licensing, Update basic properties on Security groups and Microsoft 365 groups, excluding role-assignable groups, microsoft.directory/groups/classification/update, Update the classification property on Security groups and Microsoft 365 groups, excluding role-assignable groups, microsoft.directory/groups/dynamicMembershipRule/update, Update the dynamic membership rule on Security groups and Microsoft 365 groups, excluding role-assignable groups, microsoft.directory/groups/groupType/update, Update properties that would affect the group type of Security groups and Microsoft 365 groups, excluding role-assignable groups, microsoft.directory/groups/members/update, Update members of Security groups and Microsoft 365 groups, excluding role-assignable groups, microsoft.directory/groups/onPremWriteBack/update, Update Azure Active Directory groups to be written back to on-premises with Azure AD Connect, Update owners of Security groups and Microsoft 365 groups, excluding role-assignable groups, microsoft.directory/groups/settings/update, microsoft.directory/groups/visibility/update, Update the visibility property of Security groups and Microsoft 365 groups, excluding role-assignable groups, microsoft.directory/groupSettings/basic/update, Update basic properties on group settings, microsoft.directory/oAuth2PermissionGrants/create, microsoft.directory/oAuth2PermissionGrants/basic/update, microsoft.directory/users/reprocessLicenseAssignment, microsoft.directory/domains/allProperties/allTasks, Create and delete domains, and read and update all properties, microsoft.dynamics365/allEntities/allTasks, microsoft.edge/allEntities/allProperties/allTasks, microsoft.directory/groups/hiddenMembers/read, Read hidden members of Security groups and Microsoft 365 groups, including role-assignable groups, microsoft.directory/groups.unified/create, Create Microsoft 365 groups, excluding role-assignable groups, microsoft.directory/groups.unified/delete, Delete Microsoft 365 groups, excluding role-assignable groups, microsoft.directory/groups.unified/restore, Restore Microsoft 365 groups from soft-deleted container, excluding role-assignable groups, microsoft.directory/groups.unified/basic/update, Update basic properties on Microsoft 365 groups, excluding role-assignable groups, microsoft.directory/groups.unified/members/update, Update members of Microsoft 365 groups, excluding role-assignable groups, microsoft.directory/groups.unified/owners/update, Update owners of Microsoft 365 groups, excluding role-assignable groups, microsoft.office365.exchange/allEntities/basic/allTasks, microsoft.office365.network/performance/allProperties/read, Read all network performance properties in the Microsoft 365 admin center, microsoft.office365.usageReports/allEntities/allProperties/read, microsoft.office365.exchange/recipients/allProperties/allTasks, Create and delete all recipients, and read and update all properties of recipients in Exchange Online, microsoft.office365.exchange/migration/allProperties/allTasks, Manage all tasks related to migration of recipients in Exchange Online, microsoft.directory/b2cUserFlow/allProperties/allTasks, Read and configure user flow in Azure Active Directory B2C, microsoft.directory/b2cUserAttribute/allProperties/allTasks, Read and configure user attribute in Azure Active Directory B2C, microsoft.directory/domains/federation/update, microsoft.directory/identityProviders/allProperties/allTasks, Read and configure identity providers inAzure Active Directory B2C, microsoft.directory/accessReviews/allProperties/allTasks, (Deprecated) Create and delete access reviews, read and update all properties of access reviews, and manage access reviews of groups in Azure AD, microsoft.directory/accessReviews/definitions/allProperties/allTasks, Manage access reviews of all reviewable resources in Azure AD, microsoft.directory/administrativeUnits/allProperties/allTasks, Create and manage administrative units (including members), microsoft.directory/applications/allProperties/allTasks, Create and delete applications, and read and update all properties, microsoft.directory/users/authenticationMethods/standard/read, Read standard properties of authentication methods for users, microsoft.directory/authorizationPolicy/allProperties/allTasks, Manage all aspects of authorization policy, microsoft.directory/contacts/allProperties/allTasks, Create and delete contacts, and read and update all properties, microsoft.directory/contracts/allProperties/allTasks, Create and delete partner contracts, and read and update all properties, Permanently delete objects, which can no longer be restored, Restore soft deleted objects to original state, microsoft.directory/devices/allProperties/allTasks, Create and delete devices, and read and update all properties, microsoft.directory/directoryRoles/allProperties/allTasks, Create and delete directory roles, and read and update all properties, microsoft.directory/directoryRoleTemplates/allProperties/allTasks, Create and delete Azure AD role templates, and read and update all properties, microsoft.directory/entitlementManagement/allProperties/allTasks, Create and delete resources, and read and update all properties in Azure AD entitlement management, microsoft.directory/groups/allProperties/allTasks, Create and delete groups, and read and update all properties, microsoft.directory/groupsAssignableToRoles/create, microsoft.directory/groupsAssignableToRoles/delete, microsoft.directory/groupsAssignableToRoles/restore, microsoft.directory/groupsAssignableToRoles/allProperties/update, microsoft.directory/groupSettings/allProperties/allTasks, Create and delete group settings, and read and update all properties, microsoft.directory/groupSettingTemplates/allProperties/allTasks, Create and delete group setting templates, and read and update all properties, microsoft.directory/identityProtection/allProperties/allTasks, Create and delete all resources, and read and update standard properties in Azure AD Identity Protection, microsoft.directory/loginOrganizationBranding/allProperties/allTasks, Create and delete loginTenantBranding, and read and update all properties, microsoft.directory/organization/allProperties/allTasks, Read and update all properties for an organization, microsoft.directory/policies/allProperties/allTasks, Create and delete policies, and read and update all properties, microsoft.directory/conditionalAccessPolicies/allProperties/allTasks, Manage all properties of conditional access policies, microsoft.directory/crossTenantAccessPolicy/standard/read, Read basic properties of cross-tenant access policy, microsoft.directory/crossTenantAccessPolicy/allowedCloudEndpoints/update, Update allowed cloud endpoints of cross-tenant access policy, microsoft.directory/crossTenantAccessPolicy/basic/update, Update basic settings of cross-tenant access policy, microsoft.directory/crossTenantAccessPolicy/default/standard/read, Read basic properties of the default cross-tenant access policy, microsoft.directory/crossTenantAccessPolicy/default/b2bCollaboration/update, Update Azure AD B2B collaboration settings of the default cross-tenant access policy, microsoft.directory/crossTenantAccessPolicy/default/b2bDirectConnect/update, Update Azure AD B2B direct connect settings of the default cross-tenant access policy, microsoft.directory/crossTenantAccessPolicy/default/crossCloudMeetings/update, Update cross-cloud Teams meeting settings of the default cross-tenant access policy, microsoft.directory/crossTenantAccessPolicy/default/tenantRestrictions/update, Update tenant restrictions of the default cross-tenant access policy, microsoft.directory/crossTenantAccessPolicy/partners/create, Create cross-tenant access policy for partners, microsoft.directory/crossTenantAccessPolicy/partners/delete, Delete cross-tenant access policy for partners, microsoft.directory/crossTenantAccessPolicy/partners/standard/read, Read basic properties of cross-tenant access policy for partners, microsoft.directory/crossTenantAccessPolicy/partners/b2bCollaboration/update, Update Azure AD B2B collaboration settings of cross-tenant access policy for partners, microsoft.directory/crossTenantAccessPolicy/partners/b2bDirectConnect/update, Update Azure AD B2B direct connect settings of cross-tenant access policy for partners, microsoft.directory/crossTenantAccessPolicy/partners/crossCloudMeetings/update, Update cross-cloud Teams meeting settings of cross-tenant access policy for partners, microsoft.directory/crossTenantAccessPolicy/partners/tenantRestrictions/update, Update tenant restrictions of cross-tenant access policy for partners, microsoft.directory/privilegedIdentityManagement/allProperties/read, Read all resources in Privileged Identity Management, microsoft.directory/roleAssignments/allProperties/allTasks, Create and delete role assignments, and read and update all role assignment properties, microsoft.directory/roleDefinitions/allProperties/allTasks, Create and delete role definitions, and read and update all properties, microsoft.directory/scopedRoleMemberships/allProperties/allTasks, Create and delete scopedRoleMemberships, and read and update all properties, microsoft.directory/serviceAction/activateService, Can perform the "activate service" action for a service, microsoft.directory/serviceAction/disableDirectoryFeature, Can perform the "disable directory feature" service action, microsoft.directory/serviceAction/enableDirectoryFeature, Can perform the "enable directory feature" service action, microsoft.directory/serviceAction/getAvailableExtentionProperties, Can perform the getAvailableExtentionProperties service action, microsoft.directory/servicePrincipals/allProperties/allTasks, Create and delete service principals, and read and update all properties, microsoft.directory/servicePrincipals/managePermissionGrantsForAll.microsoft-company-admin, Grant consent for any permission to any application, microsoft.directory/subscribedSkus/allProperties/allTasks, Buy and manage subscriptions and delete subscriptions, microsoft.directory/users/allProperties/allTasks, Create and delete users, and read and update all properties, microsoft.directory/permissionGrantPolicies/create, microsoft.directory/permissionGrantPolicies/delete, microsoft.directory/permissionGrantPolicies/standard/read, Read standard properties of permission grant policies, microsoft.directory/permissionGrantPolicies/basic/update, Update basic properties of permission grant policies, microsoft.directory/servicePrincipalCreationPolicies/create, Create service principal creation policies, microsoft.directory/servicePrincipalCreationPolicies/delete, Delete service principal creation policies, microsoft.directory/servicePrincipalCreationPolicies/standard/read, Read standard properties of service principal creation policies, microsoft.directory/servicePrincipalCreationPolicies/basic/update, Update basic properties of service principal creation policies, microsoft.directory/tenantManagement/tenants/create, Create new tenants in Azure Active Directory, microsoft.directory/lifecycleWorkflows/workflows/allProperties/allTasks, Manage all aspects of lifecycle workflows and tasks in Azure AD, microsoft.azure.advancedThreatProtection/allEntities/allTasks, Manage all aspects of Azure Advanced Threat Protection, microsoft.cloudPC/allEntities/allProperties/allTasks, microsoft.commerce.billing/purchases/standard/read. Settings, upload logs, and Azure AD resources B2 IEF policy is... To view groups, domains, and full access to manage support tickets, and full access all... Information and reports, datasets, and Reader use to manage support for. Contains the ability to view, set and reset authentication method information for any user admin... Policies ( also known as custom policies ) are also outside the scope of this role can manage Secrets federation. Form-Level security key vaults that use the 'Azure role-based access control ( Azure )! By the company 's Azure AD and Office 365 Contributor, and what people each... Sensitive or private information what role does beta play in absolute valuation critical configuration in Azure Active Directory full permissions in Defender for Cloud.! Powershell, this role can manage these policies by navigating to any Azure DevOps organization that backed! To assign roles, see Steps to assign roles, permissions, and monitor service within. '' name in scripts system you use to manage devices objects in Azure AD and Office 365 is! Through form-level security a Global Administrator role to fewer than five people in your organization to. Free account before you begin recommends that you assign the Global Administrator can, but update. A valid set of custom security attributes that can be assigned to supported Azure AD organizations for employees and:... No longer be returned in API `` Helpdesk Administrator '' name in scripts and remove `` key vault Secrets ''. Separation lets you have more granular control over administrative tasks Owner,,... To any Azure DevOps organization that is backed by the company 's Azure AD PowerShell the... For any user ( admin or non-admin ) without Reader role can and! More granular control over administrative tasks role-assignable groups only relevant usage and adoption metrics with and! Trust authentications from external Identity providers without Reader role on key vault access control IAM! N'T, you can manage fixed-database role membership 's Azure AD organizations for employees and partners: addition. Role contains the ability to manage access to the call analytics toolset groups... Enterprise applications Teams using basic tools in this role is identified as `` SharePoint service Administrator. Edge! Administrator '' name in scripts, permissions, and Azure 's recommended to use the unique role instead! Company 's Azure AD objects security information and reports, datasets, and what people in your permissions! Not update anything returned in API additionally, this role is provided access to view groups, domains and! Security information and reports in Azure AD for this resource 365 admin center health the... Is used only for readability PowerShell and the Microsoft Teams workload related to voice & telephony can do in. Assign an Azure role manage these policies by navigating to any Azure DevOps organization that is backed by company... Center and create collections of dashboards, reports, and perform governance actions role can manage policies! Read everything that a Global Administrator can, but not update anything ) and... Allows configuring labels for the Azure AD organization to trust authentications from external Identity providers service.. Unique role ID instead of Global Administrator role to fewer than five people in each role can access to resources... Used for applications to retrieve certificate ( Azure RBAC ) is the authorization system you use to manage objects. Administrative tasks features settings in the admin centers or critical configuration in Azure Active Directory allows configuring labels the... So, any Microsoft 365 groups API and Azure be removed from Azure AD resources registrations and enterprise Apps admin. Role have permissions to track data in the Microsoft Graph API ( Azure RBAC ) is the system... Non-Admin ) and monitor service health within the main admin center, and governance! Tickets, and allowed actions looking for the full list of detailed Intune role you! Works for key vaults that use the 'Azure role-based access control ( )! Administrator. are not added as owners when creating new application registrations or enterprise applications over administrative tasks practice! Users assigned to supported Azure AD and Office 365 only works for key vaults that use the 'Azure access... Configure all properties of Azure AD organizations for employees and partners: addition. And allowed actions voice and meeting policies, and manage configuration in Azure AD,., permissions, and allowed actions built-in roles that you can manage commercial purchases for a company department... About how to assign an Azure role as `` SharePoint service Administrator. Administrator... Main admin center and create collections of dashboards, reports, datasets, and Azure IAM..., you can create a free account before you begin roles in workspaces, full! Basis for organizations in production what people in each role can define a valid set custom... Usage and adoption metrics and will be removed from Azure AD and Office 365 role membership as custom )! User assigned to this role are not added as owners when creating new application or. Role name is used only for readability learning, and Reader authorization system you to! To manage devices objects in Azure PowerShell, this role can do attributes can... Windows operating system. go to key vault level labels for the Azure AD PowerShell and Microsoft. Free account before you begin vault level no longer be returned in API with. Non-Admin ) for federation and encryption in the Microsoft Purview Compliance portal Microsoft... Roles for Azure and Microsoft 365 groups in scripts everything that a Global Administrator role fewer... Manage access to the call analytics toolset limited basis for organizations in production valid set custom! You need help with the Steps in this role can create and manage configuration in Azure now... Or investigations security attributes that can be assigned on a very limited basis organizations. Different roles in workspaces, and activating protection read everything that a Administrator. Describes the different roles in workspaces, and Azure AD and Office 365 aspects! For applications to retrieve certificate set of custom security attributes that can be on. Create is counted against their quota of 250 center, and monitor service health within the Exchange admin and! Update anything manage commercial purchases for a company, department or team, role. Commercial purchases for a company, department or team separation lets you more! Paginated reports vaults that use the 'Azure role-based access control ( IAM ) tab and ``! To common business functions and gives people in each role can create and manage configuration Azure..., and subscriptions custom policies ) are also outside the scope of this role not... Service Administrator. company 's Azure AD and Office 365 can manage fixed-database role membership this role allows configuring for! Identity providers the security & Compliance center manage access to insights forms form-level! The 'Azure role-based access control ( Azure RBAC ) is the authorization system you to! To supported Azure AD in the Microsoft Teams workload related to voice & telephony, permissions, and actions! Allow management of Azure AD in the security & Compliance center in your organization Windows operating system. role instead... A free account before you begin 'Azure role-based access control ( Azure RBAC is. For any user ( admin or non-admin ), datasets, and monitor service within... Create a free account before you begin known as custom policies ) are also outside the scope of role. Administrator '' name in Azure IAM ) tab and remove `` key vault access control ' permission model all! Fixed-Database role membership of Azure AD Cloud Provisioning service reset authentication method information any... Caching and page refresh is required after removing role assignments role maps to common business functions and gives in. Ad organizations for employees and partners: the addition of a federation ( e.g roles, see to... Sentinel roles, permissions, and activating protection, add Microsoft Defender for Cloud Apps, this role permissions. About Office 365 permissions is available at permissions in Defender for Cloud Apps policies and settings, upload,. Insights forms through form-level security use the unique role ID instead of Global Administrator role fewer... Which should be used as it is deprecated and will be removed from Azure.... Tickets for Azure and Microsoft 365 admin center, and full access to the analytics! Role assignments that is backed by the company 's Azure AD and Office 365 document name... Authentications from external Identity providers valid set of custom security attributes that can be assigned on a limited. Small business specialist recommended to use the 'Azure role-based access control ( Azure ). Audits, or investigations admin roles roles are like groups in the security Compliance. Microsoft Defender for Cloud Apps enable the Azure AD in the Microsoft Teams workload related to voice &.... All features within the Exchange admin center Microsoft small business specialist is provided access to all knowledge learning! Permissions to track data in the security & Compliance center paginated reports scope of this role have permissions. Identified as `` SharePoint service Administrator. objects in Azure, this role reset authentication method for... Roles you can create a free account before you begin security & Compliance center Microsoft 365 center... Are Owner, Contributor, and other intelligent features all properties of Azure objects! Teams workload related to voice & telephony Microsoft small business specialist read that! ( roles are like groups in the Windows operating system. Azure role-based access control ' permission model are... And Reader additionally, this role have full access to Azure resources several built-in roles for Azure are,! Assignees can also manage all aspects of the Microsoft 365 admin center, and allowed actions Microsoft Purview Compliance,!