Thursday, 12 September 2019

Administrator role permissions in Azure Active Directory

Using Azure Active Directory (Azure AD), you can designate limited administrators to manage identity tasks in less-privileged roles. Administrators can be assigned for such purposes as adding or changing users, assigning administrative roles, resetting user passwords, managing user licenses, and managing domain names. The default user permissions can be changed only in user settings in Azure AD.

Limit the use of Global administrator

Users who are assigned to the Global administrator role can read and modify every administrative setting in your Azure AD organization. By default, the person who signs up for an Azure subscription is assigned the Global administrator role for the Azure AD organization. Only Global administrators and Privileged Role administrators can delegate administrator roles. To reduce the risk to your business, we recommend that you assign this role to the fewest possible people in your organization.
As a best practice, we recommend that you assign this role to fewer than five people in your organization. If you have more than five users assigned to the Global Administrator role, here are some ways to reduce its use.
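Before you can reduce Global Administrator use you need to know who holds it, and which other roles are already in play. The following script is an added example (it is not part of the original page or Microsoft's own tooling): it inventories the members of every activated Azure AD role with the AzureAD PowerShell module and warns when Global Administrator has five or more members. It assumes the AzureAD module is installed and that the signed-in account can read directory roles; the threshold and output format are this example's choices. The Global Administrator template ID used here is the well-known fixed value, and it is matched on the ID because AzureAD PowerShell reports the role under the name "Company Administrator".

```powershell
# Added example, not from the original page: inventory Azure AD role members and
# flag Global Administrator when it has five or more members.
# Assumes the AzureAD module is installed (Install-Module AzureAD) and that the
# signed-in account can read directory roles.
Import-Module AzureAD
Connect-AzureAD | Out-Null

# Fixed role template ID of Global Administrator. Match on the ID rather than the
# name: AzureAD PowerShell shows this role as "Company Administrator".
$GlobalAdminTemplateId = '62e90394-69f5-4237-9190-012177145e10'
$Threshold = 5   # this example's threshold, matching the "fewer than five" guidance

# Get-AzureADDirectoryRole returns only roles that have been activated in the
# tenant, which is exactly the set that can currently have members.
$inventory = foreach ($role in Get-AzureADDirectoryRole) {
    foreach ($member in Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId) {
        [pscustomobject]@{
            Role           = $role.DisplayName
            RoleTemplateId = $role.RoleTemplateId
            MemberType     = $member.ObjectType   # User, ServicePrincipal or Group
            Member         = if ($member.UserPrincipalName) { $member.UserPrincipalName } else { $member.DisplayName }
            MemberObjectId = $member.ObjectId
        }
    }
}

# Full role-to-member listing for the audit record
$inventory | Sort-Object Role, Member | Format-Table Role, MemberType, Member -AutoSize

# Count Global Administrators and warn when the guidance is exceeded
$globalAdmins = @($inventory | Where-Object RoleTemplateId -eq $GlobalAdminTemplateId)
Write-Host ("Global Administrator members: {0}" -f $globalAdmins.Count)
if ($globalAdmins.Count -ge $Threshold) {
    Write-Warning "Five or more Global Administrators; review whether a narrower role fits each one."
    $globalAdmins | Select-Object Member, MemberType | Format-Table -AutoSize
}
```

Two caveats when reading the output: Get-AzureADDirectoryRoleMember shows permanent (active) assignments only, so users who are merely eligible through Privileged Identity Management do not appear, and service principals that hold Global Administrator count against the threshold just as users do, since a credential on such an app grants the same power.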

Find the role you need

If it's frustrating for you to find the role you need out of a list of many roles, Azure AD can show you subsets of the roles based on role categories. Check out our new Type filter for Azure AD Roles and administrators to show you only the roles in the selected type.

A role exists now that didn’t exist when you assigned the Global administrator role

It's possible that a role or roles were added to Azure AD that provide more granular permissions that were not an option when you elevated some users to Global administrator. Over time, we are rolling out additional roles that accomplish tasks that only the Global administrator role could do before. You can see these reflected in the following Available roles.

Assign or remove administrator roles

To learn how to assign administrative roles to a user in Azure Active Directory, see View and assign administrator roles in Azure Active Directory.
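As an added example of the assignment procedure (this is example code, not the page's own instructions), the following PowerShell moves a placeholder account from Global Administrator to Helpdesk Administrator with the AzureAD module. It assumes the signed-in account is a Global Administrator or Privileged Role Administrator, since only those roles can delegate roles. The user principal name is a placeholder, and the guard that refuses to remove the last Global Administrator is this example's own safety check, not something the service enforces.

```powershell
# Added example, not from the original page: assign a narrower role to a user,
# then remove that user from Global Administrator.
# Assumes the AzureAD module and a signed-in Global Administrator or
# Privileged Role Administrator (the only roles that can delegate roles).
Import-Module AzureAD
Connect-AzureAD | Out-Null

$upn                   = 'helpdesk.user@contoso.example'   # placeholder account
$targetRoleName        = 'Helpdesk Administrator'
$GlobalAdminTemplateId = '62e90394-69f5-4237-9190-012177145e10'   # fixed template ID

$user = Get-AzureADUser -ObjectId $upn

# A role that has never been used is not yet "activated" and does not appear in
# Get-AzureADDirectoryRole; activate it from its template first.
$role = Get-AzureADDirectoryRole | Where-Object DisplayName -eq $targetRoleName
if (-not $role) {
    $template = Get-AzureADDirectoryRoleTemplate | Where-Object DisplayName -eq $targetRoleName
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
}

# Assign the narrower role; Add- fails on a duplicate, so check membership first.
$members = @(Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId)
if ($members.ObjectId -notcontains $user.ObjectId) {
    Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId
}

# Remove Global Administrator only after the replacement role is in place.
$gaRole    = Get-AzureADDirectoryRole | Where-Object RoleTemplateId -eq $GlobalAdminTemplateId
$gaMembers = @(Get-AzureADDirectoryRoleMember -ObjectId $gaRole.ObjectId)
if ($gaMembers.ObjectId -contains $user.ObjectId) {
    # Example's own guard: never strip the tenant of its last Global Administrator.
    if ($gaMembers.Count -le 1) { throw "Refusing to remove the last Global Administrator." }
    Remove-AzureADDirectoryRoleMember -ObjectId $gaRole.ObjectId -MemberId $user.ObjectId
}

# Verify: directory roles show up with ObjectType 'Role' in the user's memberships.
Get-AzureADUserMembership -ObjectId $user.ObjectId |
    Where-Object ObjectType -eq 'Role' |
    Select-Object DisplayName
```

Note that the removed user's existing tokens are not invalidated by a role change; if the change is urgent, also revoke the user's refresh tokens so new tokens are issued without the old role claims.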

Available roles

The following administrator roles are available:

Application Administrator

Users in this role can create and manage all aspects of enterprise applications, application registrations, and application proxy settings. This role also grants the ability to consent to delegated permissions, and application permissions excluding Microsoft Graph and Azure AD Graph. Users assigned to this role are not added as owners when creating new application registrations or enterprise applications.
 Important
This role grants the ability to manage application credentials. Users assigned this role can add credentials to an application, and use those credentials to impersonate the application’s identity. If the application’s identity has been granted access to Azure Active Directory, such as the ability to create or update User or other objects, then a user assigned to this role could perform those actions while impersonating the application. This ability to impersonate the application’s identity may be an elevation of privilege over what the user can do via their role assignments in Azure AD. It is important to understand that assigning a user to the Application Administrator role gives them the ability to impersonate an application’s identity.

Application Developer

Users in this role can create application registrations when the "Users can register applications" setting is set to No. This role also grants permission to consent on one's own behalf when the "Users can consent to apps accessing company data on their behalf" setting is set to No. Users assigned to this role are added as owners when creating new application registrations or enterprise applications.

Authentication Administrator

Users with this role can set or reset non-password credentials and can update passwords for all users. Authentication Administrators can require users to re-register against an existing non-password credential (for example, MFA or FIDO) and revoke "remember MFA on the device", which prompts for MFA on the next sign-in. These actions apply only to users who are non-administrators or who are assigned the following roles only:
  • Authentication Administrator
  • Directory Readers
  • Guest Inviter
  • Message Center Reader
  • Reports Reader
The Authentication administrator role is currently in public preview. This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see Supplemental Terms of Use for Microsoft Azure Previews.
 Important
Users with this role can change credentials for people who may have access to sensitive or private information or critical configuration inside and outside of Azure Active Directory. Changing the credentials of a user may mean the ability to assume that user's identity and permissions. For example:
  • Application Registration and Enterprise Application owners, who can manage credentials of apps they own. Those apps may have privileged permissions in Azure AD and elsewhere not granted to Authentication Administrators. Through this path an Authentication Administrator may be able to assume the identity of an application owner and then further assume the identity of a privileged application by updating the credentials for the application.
  • Azure subscription owners, who may have access to sensitive or private information or critical configuration in Azure.
  • Security Group and Office 365 Group owners, who can manage group membership. Those groups may grant access to sensitive or private information or critical configuration in Azure AD and elsewhere.
  • Administrators in other services outside of Azure AD like Exchange Online, Office Security and Compliance Center, and human resources systems.
  • Non-administrators like executives, legal counsel, and human resources employees who may have access to sensitive or private information.

Azure Information Protection Administrator

Users with this role have all permissions in the Azure Information Protection service. This role allows configuring labels for the Azure Information Protection policy, managing protection templates, and activating protection. This role does not grant any permissions in Identity Protection Center, Privileged Identity Management, Monitor Office 365 Service Health, or Office 365 Security & Compliance Center.

B2C User Flow Administrator

Users with this role can create and manage B2C User Flows (also called "built-in" policies) in the Azure portal. By creating or editing user flows, these users can change the HTML/CSS/JavaScript content of the user experience, change MFA requirements per user flow, change claims in the token, and adjust session settings for all policies in the tenant. On the other hand, this role does not include the ability to review user data or to make changes to the attributes that are included in the tenant schema. Changes to Identity Experience Framework (also known as Custom) policies are also outside the scope of this role.

B2C User Flow Attribute Administrator

Users with this role can add or delete custom attributes available to all user flows in the tenant. As such, users with this role can change or add new elements to the end user schema and impact the behavior of all user flows, indirectly changing what data may be asked of end users and ultimately sent as claims to applications. This role cannot edit user flows.

B2C IEF Keyset Administrator

Users with this role can create and manage policy keys and secrets for token encryption, token signatures, and claim encryption/decryption. By adding new keys to existing key containers, this limited administrator can roll over secrets as needed without impacting existing applications. This user can see the full content of these secrets and their expiration dates even after their creation.
 Important
This is a sensitive role. The keyset administrator role should be carefully audited and assigned with care during pre-production and production.

B2C IEF Policy Administrator

Users in this role have the ability to create, read, update, and delete all custom policies in Azure AD B2C and therefore have full control over the Identity Experience Framework in the relevant Azure AD B2C tenant. By editing policies, this user can establish direct federation with external identity providers, change the directory schema, change all user-facing content (HTML, CSS, JavaScript), change the requirements to complete an authentication, create new users, send user data to external systems including full migrations, and edit all user information including sensitive fields like passwords and phone numbers. Conversely, this role cannot change the encryption keys or edit the secrets used for federation in the tenant.
 Important
The B2C IEF Policy Administrator is a highly sensitive role which should be assigned on a very limited basis for tenants in production. Activities by these users should be closely audited, especially for tenants in production.

Billing Administrator

Users with this role can make purchases, manage subscriptions, manage support tickets, and monitor service health.

Cloud Application Administrator

Users in this role have the same permissions as the Application Administrator role, excluding the ability to manage application proxy. This role grants the ability to create and manage all aspects of enterprise applications and application registrations. This role also grants the ability to consent to delegated permissions, and application permissions excluding Microsoft Graph and Azure AD Graph. Users assigned to this role are not added as owners when creating new application registrations or enterprise applications.
 Important
This role grants the ability to manage application credentials. Users assigned this role can add credentials to an application, and use those credentials to impersonate the application’s identity. If the application’s identity has been granted access to Azure Active Directory, such as the ability to create or update User or other objects, then a user assigned to this role could perform those actions while impersonating the application. This ability to impersonate the application’s identity may be an elevation of privilege over what the user can do via their role assignments in Azure AD. It is important to understand that assigning a user to the Cloud Application Administrator role gives them the ability to impersonate an application’s identity.
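The impersonation warning above for Application Administrator and Cloud Application Administrator (and the related warning under Authentication Administrator about app owners) is only actionable if you know which applications in the tenant actually hold privileged permissions. The following script is an added example, not Microsoft's code: it uses the AzureAD module to list every service principal that holds application (app-only) permissions on Microsoft Graph or Azure AD Graph, resolves the permission names, and lists the app's owners, since those are the identities that an Application Administrator, Cloud Application Administrator, or a credential reset of an owner could turn into directory access. The two resource AppIds are Microsoft's well-known fixed values; the list of "high value" permission names is this example's own shortlist.

```powershell
# Added example, not from the original page: find service principals with app-only
# permissions on Microsoft Graph / Azure AD Graph, with the permission names and
# app owners, so the impersonation risk of application-admin roles can be assessed.
# Assumes the AzureAD module and a signed-in account that can read applications.
Import-Module AzureAD
Connect-AzureAD | Out-Null

# Well-known, fixed AppIds of the two directory APIs
$resources = @{
    'Microsoft Graph' = '00000003-0000-0000-c000-000000000000'
    'Azure AD Graph'  = '00000002-0000-0000-c000-000000000000'
}

# App-only permissions that allow writing to the directory (example's own shortlist)
$highValue = @(
    'Directory.ReadWrite.All',
    'RoleManagement.ReadWrite.Directory',
    'Application.ReadWrite.All',
    'AppRoleAssignment.ReadWrite.All'
)

$findings = foreach ($entry in $resources.GetEnumerator()) {
    $resourceSp = Get-AzureADServicePrincipal -Filter "AppId eq '$($entry.Value)'"
    if (-not $resourceSp) { continue }

    # The resource's AppRoles map role GUID -> permission name (e.g. Directory.ReadWrite.All)
    $roleNames = @{}
    foreach ($r in $resourceSp.AppRoles) { $roleNames[[string]$r.Id] = $r.Value }

    # One AppRoleAssignment per (client, permission) granted on this resource
    foreach ($grant in Get-AzureADServiceAppRoleAssignment -ObjectId $resourceSp.ObjectId -All $true) {
        if ($grant.PrincipalType -ne 'ServicePrincipal') { continue }

        # Owners can add credentials to the app and therefore act as it
        $owners = @(Get-AzureADServicePrincipalOwner -ObjectId $grant.PrincipalId -All $true |
                    ForEach-Object { if ($_.UserPrincipalName) { $_.UserPrincipalName } else { $_.DisplayName } })

        $permission = if ($roleNames.ContainsKey([string]$grant.Id)) { $roleNames[[string]$grant.Id] } else { [string]$grant.Id }
        [pscustomobject]@{
            Resource   = $entry.Key
            Client     = $grant.PrincipalDisplayName
            ClientId   = $grant.PrincipalId
            Permission = $permission
            HighValue  = ($permission -in $highValue)
            Owners     = ($owners -join '; ')
        }
    }
}

$findings | Sort-Object -Property @{e='HighValue'; Descending=$true}, Resource, Client |
    Format-Table Resource, Client, Permission, HighValue, Owners -AutoSize
```

This covers application permissions only; delegated grants (which act with a signed-in user's rights) are recorded separately as OAuth2 permission grants and are a smaller impersonation concern for this role, because they cannot exceed the user's own access. Any app that shows a high-value permission here should have as few owners as possible, and its credential additions should be monitored in the audit log.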

Cloud Device Administrator

Users in this role can enable, disable, and delete devices in Azure AD and read Windows 10 BitLocker keys (if present) in the Azure portal. The role does not grant permissions to manage any other properties on the device.

Compliance Administrator

Users with this role have permissions to manage compliance-related features in the Microsoft 365 compliance center, Microsoft 365 admin center, Azure, and Office 365 Security & Compliance Center. Assignees can also manage all features within the Exchange admin center and Teams & Skype for Business admin centers and create support tickets for Azure and Microsoft 365. More information is available at About Office 365 admin roles.
Where this role has permissions, and what it can do:
Microsoft 365 compliance center
  • Protect and manage your organization’s data across Microsoft 365 services
  • Manage compliance alerts
Compliance Manager
  • Track, assign, and verify your organization's regulatory compliance activities
Office 365 Security & Compliance Center
  • Manage data governance
  • Perform legal and data investigation
  • Manage Data Subject Request
Intune
  • View all Intune audit data
Cloud App Security
  • Has read-only permissions and can manage alerts
  • Can create and modify file policies and allow file governance actions
  • Can view all the built-in reports under Data Management

Compliance Data Administrator

Users with this role have permissions to track data in the Microsoft 365 compliance center, Microsoft 365 admin center, and Azure. Users can also track compliance data within the Exchange admin center, Compliance Manager, and Teams & Skype for Business admin center and create support tickets for Azure and Microsoft 365.
Where this role has permissions, and what it can do:
Microsoft 365 compliance center
  • Monitor compliance-related policies across Microsoft 365 services
  • Manage compliance alerts
Compliance Manager
  • Track, assign, and verify your organization's regulatory compliance activities
Office 365 Security & Compliance Center
  • Manage data governance
  • Perform legal and data investigation
  • Manage Data Subject Request
Intune
  • View all Intune audit data
Cloud App Security
  • Has read-only permissions and can manage alerts
  • Can create and modify file policies and allow file governance actions
  • Can view all the built-in reports under Data Management

Conditional Access Administrator

Users with this role have the ability to manage Azure Active Directory Conditional Access settings.
 Note
To deploy Exchange ActiveSync Conditional Access policy in Azure, the user must also be a Global Administrator.

Customer Lockbox access approver

Manages Customer Lockbox requests in your organization. They receive email notifications for Customer Lockbox requests and can approve and deny requests from the Microsoft 365 admin center. They can also turn the Customer Lockbox feature on or off. Only global admins can reset the passwords of people assigned to this role.

Desktop Analytics Administrator

Users in this role can manage the Desktop Analytics and Office Customization & Policy services. For Desktop Analytics, this includes the ability to view asset inventory, create deployment plans, view deployment and health status. For Office Customization & Policy service, this role enables users to manage Office policies.

Device Administrator

This role is available for assignment only as an additional local administrator in Device settings. Users with this role become local machine administrators on all Windows 10 devices that are joined to Azure Active Directory. They do not have the ability to manage device objects in Azure Active Directory.

Directory Readers

This is a role that should be assigned only to legacy applications that do not support the Consent Framework. Don't assign it to users.

Directory Synchronization Accounts

Do not use. This role is automatically assigned to the Azure AD Connect service, and is not intended or supported for any other use.

Directory Writers

This is a legacy role that is to be assigned to applications that do not support the Consent Framework. It should not be assigned to any users.

Dynamics 365 administrator / CRM Administrator

Users with this role have global permissions within Microsoft Dynamics 365 Online, when the service is present, as well as the ability to manage support tickets and monitor service health. More information at Use the service admin role to manage your tenant.
 Note
In Microsoft Graph API, Azure AD Graph API, and Azure AD PowerShell, this role is identified as "Dynamics 365 Service Administrator." It is "Dynamics 365 Administrator" in the Azure portal.

Exchange Administrator

Users with this role have global permissions within Microsoft Exchange Online, when the service is present. This role also grants the ability to create and manage all Office 365 Groups, manage support tickets, and monitor service health. More information at About Office 365 admin roles.
 Note
In Microsoft Graph API, Azure AD Graph API, and Azure AD PowerShell, this role is identified as "Exchange Service Administrator." It is "Exchange Administrator" in the Azure portal. It is "Exchange Online administrator" in the Exchange admin center.

External Identity Provider Administrator

This administrator manages federation between Azure Active Directory tenants and external identity providers. With this role, users can add new identity providers and configure all available settings (e.g. authentication path, service ID, assigned key containers). This user can enable the tenant to trust authentications from external identity providers. The resulting impact on end user experiences depends on the type of tenant:
  • Azure Active Directory tenants for employees and partners: The addition of a federation (e.g. with Gmail) will immediately impact all guest invitations not yet redeemed. See Adding Google as an identity provider for B2B guest users.
  • Azure Active Directory B2C tenants: The addition of a federation (for example, with Facebook, or with another Azure AD organization) does not immediately impact end user flows until the identity provider is added as an option in a user flow (also called a built-in policy). See Configuring a Microsoft account as an identity provider for an example. To change user flows, the limited role of "B2C User Flow Administrator" is required.

Global Administrator / Company Administrator

Users with this role have access to all administrative features in Azure Active Directory, as well as services that use Azure Active Directory identities like Microsoft 365 security center, Microsoft 365 compliance center, Exchange Online, SharePoint Online, and Skype for Business Online. The person who signs up for the Azure Active Directory tenant becomes a global administrator. Only global administrators and Privileged Role administrators can assign other administrator roles. There can be more than one global administrator at your company. Global admins can reset the password for any user and all other administrators.
 Note
In Microsoft Graph API, Azure AD Graph API, and Azure AD PowerShell, this role is identified as "Company Administrator". It is "Global Administrator" in the Azure portal.

Guest Inviter

Users in this role can manage Azure Active Directory B2B guest user invitations when the Members can invite user setting is set to No. More information about B2B collaboration at About Azure AD B2B collaboration. It does not include any other permissions.

Helpdesk Administrator

Users with this role can change passwords, invalidate refresh tokens, manage service requests, and monitor service health. Invalidating a refresh token forces the user to sign in again. Helpdesk administrators can reset passwords and invalidate refresh tokens of other users who are non-administrators or assigned the following roles only:
  • Directory Readers
  • Guest Inviter
  • Helpdesk Administrator
  • Message Center Reader
  • Reports Reader
 Important
Users with this role can change passwords for people who may have access to sensitive or private information or critical configuration inside and outside of Azure Active Directory. Changing the password of a user may mean the ability to assume that user's identity and permissions. For example:
  • Application Registration and Enterprise Application owners, who can manage credentials of apps they own. Those apps may have privileged permissions in Azure AD and elsewhere not granted to Helpdesk Administrators. Through this path a Helpdesk Administrator may be able to assume the identity of an application owner and then further assume the identity of a privileged application by updating the credentials for the application.
  • Azure subscription owners, who may have access to sensitive or private information or critical configuration in Azure.
  • Security Group and Office 365 Group owners, who can manage group membership. Those groups may grant access to sensitive or private information or critical configuration in Azure AD and elsewhere.
  • Administrators in other services outside of Azure AD like Exchange Online, Office Security and Compliance Center, and human resources systems.
  • Non-administrators like executives, legal counsel, and human resources employees who may have access to sensitive or private information.
 Note
Delegating administrative permissions over subsets of users and applying policies to a subset of users is possible with Administrative Units (preview).
This role was previously called "Password Administrator" in the Azure portal. We have changed its name to "Helpdesk Administrator" to match its name in Azure AD PowerShell, Azure AD Graph API and Microsoft Graph API.

Intune Administrator

Users with this role have global permissions within Microsoft Intune Online, when the service is present. Additionally, this role contains the ability to manage users and devices in order to associate policy, as well as create and manage groups. More information at Role-based administration control (RBAC) with Microsoft Intune
 Note
In Microsoft Graph API, Azure AD Graph API, and Azure AD PowerShell, this role is identified as "Intune Service Administrator". It is "Intune Administrator" in the Azure portal.

Kaizala Administrator

Users with this role have global permissions to manage settings within Microsoft Kaizala, when the service is present, as well as the ability to manage support tickets and monitor service health. Additionally, the user can access reports related to adoption & usage of Kaizala by Organization members and business reports generated using the Kaizala actions.

License Administrator

Users in this role can add, remove, and update license assignments on users, groups (using group-based licensing), and manage the usage location on users. The role does not grant the ability to purchase or manage subscriptions, create or manage groups, or create or manage users beyond the usage location. This role has no access to view, create, or manage support tickets.

Message Center Privacy Reader

Users in this role can monitor all notifications in the Message Center, including data privacy messages. Message Center Privacy Readers get email notifications including those related to data privacy and they can unsubscribe using Message Center Preferences. Only the Global Administrator and the Message Center Privacy Reader can read data privacy messages. Additionally, this role contains the ability to view groups, domains, and subscriptions. This role has no permission to view, create, or manage service requests.

Message Center Reader

Users in this role can monitor notifications and advisory health updates in Office 365 Message center for their organization on configured services such as Exchange, Intune, and Microsoft Teams. Message Center Readers receive weekly email digests of posts, updates, and can share message center posts in Office 365. In Azure AD, users assigned to this role will only have read-only access on Azure AD services such as users and groups. This role has no access to view, create, or manage support tickets.

Partner Tier1 Support

Do not use. This role has been deprecated and will be removed from Azure AD in the future. This role is intended for use by a small number of Microsoft resale partners, and is not intended for general use.

Partner Tier2 Support

Do not use. This role has been deprecated and will be removed from Azure AD in the future. This role is intended for use by a small number of Microsoft resale partners, and is not intended for general use.

Password Administrator

Users with this role have limited ability to manage passwords. This role does not grant the ability to manage service requests or monitor service health. Password administrators can reset passwords of other users who are non-administrators or members of the following roles only:
  • Directory Readers
  • Guest Inviter
  • Password Administrator

Power BI Administrator

Users with this role have global permissions within Microsoft Power BI, when the service is present, as well as the ability to manage support tickets and monitor service health. More information at Understanding the Power BI admin role.
 Note
In Microsoft Graph API, Azure AD Graph API, and Azure AD PowerShell, this role is identified as "Power BI Service Administrator". It is "Power BI Administrator" in the Azure portal.

Privileged Authentication Administrator

Users with this role can set or reset non-password credentials for all users, including global administrators, and can update passwords for all users. Privileged Authentication Administrators can force users to re-register against an existing non-password credential (e.g. MFA, FIDO) and revoke "remember MFA on the device", prompting for MFA on the next sign-in of all users.

Privileged Role Administrator

Users with this role can manage role assignments in Azure Active Directory, as well as within Azure AD Privileged Identity Management. In addition, this role allows management of all aspects of Privileged Identity Management and administrative units.
 Important
This role grants the ability to manage assignments for all Azure AD roles including the Global Administrator role. This role does not include any other privileged abilities in Azure AD like creating or updating users. However, users assigned to this role can grant themselves or others additional privilege by assigning additional roles.

Reports Reader

Users with this role can view usage reporting data and the reports dashboard in Microsoft 365 admin center and the adoption context pack in Power BI. Additionally, the role provides access to sign-in reports and activity in Azure AD and data returned by the Microsoft Graph reporting API. A user assigned to the Reports Reader role can access only relevant usage and adoption metrics. They don't have any admin permissions to configure settings or access the product-specific admin centers like Exchange. This role has no access to view, create, or manage support tickets.

Search Administrator

Users in this role have full access to all Microsoft Search management features in the Microsoft 365 admin center. Search Administrators can delegate the Search Administrators and Search Editor roles to users, and create and manage content, like bookmarks, Q&As, and locations. Additionally, these users can view the message center, monitor service health, and create service requests.

Search Editor

Users in this role can create, manage, and delete content for Microsoft Search in the Microsoft 365 admin center, including bookmarks, Q&As, and locations.

Security Administrator

Users with this role have permissions to manage security-related features in the Microsoft 365 security center, Azure Active Directory Identity Protection, Azure Information Protection, and Office 365 Security & Compliance Center. More information about Office 365 permissions is available at Permissions in the Office 365 Security & Compliance Center.
Where this role has permissions, and what it can do:
Microsoft 365 security center
  • Monitor security-related policies across Microsoft 365 services
  • Manage security threats and alerts
  • View reports
Identity Protection Center
  • All permissions of the Security Reader role
  • Additionally, the ability to perform all Identity Protection Center operations except for resetting passwords
Privileged Identity Management
  • All permissions of the Security Reader role
  • Cannot manage Azure AD role assignments or settings
Office 365 Security & Compliance Center
  • Manage security policies
  • View, investigate, and respond to security threats
  • View reports
Azure Advanced Threat Protection
  • Monitor and respond to suspicious security activity
Windows Defender ATP and EDR
  • Assign roles
  • Manage machine groups
  • Configure endpoint threat detection and automated remediation
  • View, investigate, and respond to alerts
Intune
  • Views user, device, enrollment, configuration, and application information
  • Cannot make changes to Intune
Cloud App Security
  • Add admins, add policies and settings, upload logs and perform governance actions
Azure Security Center
  • Can view security policies, view security states, edit security policies, view alerts and recommendations, dismiss alerts and recommendations
Office 365 service health
  • View the health of Office 365 services

Security operator

Users with this role can manage alerts and have global read-only access to security-related features, including all information in Microsoft 365 security center, Azure Active Directory, Identity Protection, Privileged Identity Management, and Office 365 Security & Compliance Center. More information about Office 365 permissions is available at Permissions in the Office 365 Security & Compliance Center.
Where this role has permissions, and what it can do:
Microsoft 365 security center
  • All permissions of the Security Reader role
  • View, investigate, and respond to security threat alerts
Identity Protection Center
  • All permissions of the Security Reader role
  • Additionally, the ability to perform all Identity Protection Center operations except for resetting passwords
Privileged Identity Management
  • All permissions of the Security Reader role
Office 365 Security & Compliance Center
  • All permissions of the Security Reader role
  • View, investigate, and respond to security alerts
Windows Defender ATP and EDR
  • All permissions of the Security Reader role
  • View, investigate, and respond to security alerts
Intune
  • All permissions of the Security Reader role
Cloud App Security
  • All permissions of the Security Reader role
Office 365 service health
  • View the health of Office 365 services

Security Reader

Users with this role have global read-only access to security-related features, including all information in Microsoft 365 security center, Azure Active Directory, Identity Protection, Privileged Identity Management, and Office 365 Security & Compliance Center, as well as the ability to read Azure Active Directory sign-in reports and audit logs. More information about Office 365 permissions is available at Permissions in the Office 365 Security & Compliance Center.
Where this role has permissions, and what it can do:
Microsoft 365 security center
  • View security-related policies across Microsoft 365 services
  • View security threats and alerts
  • View reports
Identity Protection Center
  • Read all security reports and settings information for security features:
    • Anti-spam
    • Encryption
    • Data loss prevention
    • Anti-malware
    • Advanced threat protection
    • Anti-phishing
    • Mailflow rules
Privileged Identity Management
  • Has read-only access to all information surfaced in Azure AD Privileged Identity Management: policies and reports for Azure AD role assignments and security reviews.
  • Cannot sign up for Azure AD Privileged Identity Management or make any changes to it. In the Privileged Identity Management portal or via PowerShell, someone in this role can activate additional roles (for example, Global Admin or Privileged Role Administrator), if the user is eligible for them.
Office 365 Security & Compliance Center
  • View security policies
  • View and investigate security threats
  • View reports
Windows Defender ATP and EDR
  • View and investigate alerts. When you turn on role-based access control in Windows Defender ATP, users with read-only permissions such as the Azure AD Security Reader role lose access until they are assigned to a Windows Defender ATP role.
Intune
  • Views user, device, enrollment, configuration, and application information. Cannot make changes to Intune.
Cloud App Security
  • Has read-only permissions and can manage alerts
Azure Security Center
  • Can view recommendations and alerts, view security policies, view security states, but cannot make changes
Office 365 service health
  • View the health of Office 365 services

Service Support Administrator

Users with this role can open support requests with Microsoft for Azure and Office 365 services, and view the service dashboard and message center in the Azure portal and Microsoft 365 admin center. More information at About admin roles.
 Note
In Microsoft Graph API, Azure AD Graph API, and Azure AD PowerShell, this role is identified as "Service Support Administrator." It is "Service Administrator" in the Azure portal, the Microsoft 365 admin center, and the Intune portal.

SharePoint Administrator

Users with this role have global permissions within Microsoft SharePoint Online, when the service is present, as well as the ability to create and manage all Office 365 Groups, manage support tickets, and monitor service health. More information at About admin roles.
 Note
In Microsoft Graph API, Azure AD Graph API, and Azure AD PowerShell, this role is identified as "SharePoint Service Administrator." It is "SharePoint Administrator" in the Azure portal.

Skype for Business / Lync Administrator

Users with this role have global permissions within Microsoft Skype for Business, when the service is present, as well as the ability to manage Skype-specific user attributes in Azure Active Directory. Additionally, this role grants the ability to manage support tickets and monitor service health, and to access the Teams and Skype for Business Admin Center. The account must also be licensed for Teams or it can't run Teams PowerShell cmdlets. More information at About the Skype for Business admin role, and Teams licensing information at Skype for Business and Microsoft Teams add-on licensing.
Note
In Microsoft Graph API, Azure AD Graph API, and Azure AD PowerShell, this role is identified as "Lync Service Administrator." It is "Skype for Business Administrator" in the Azure portal.

Teams Administrator

Users in this role can manage all aspects of the Microsoft Teams workload via the Microsoft Teams & Skype for Business admin center and the respective PowerShell modules. This includes, among other areas, all management tools related to telephony, messaging, meetings, and the teams themselves. This role additionally grants the ability to create and manage all Office 365 Groups, manage support tickets, and monitor service health.
Note
In Microsoft Graph API, Azure AD Graph API, and Azure AD PowerShell, this role is identified as "Teams Service Administrator." It is "Teams Administrator" in the Azure portal.

Teams Communications Administrator

Users in this role can manage aspects of the Microsoft Teams workload related to voice & telephony. This includes the management tools for telephone number assignment, voice and meeting policies, and full access to the call analytics toolset.

Teams Communications Support Engineer

Users in this role can troubleshoot communication issues within Microsoft Teams & Skype for Business using the user call troubleshooting tools in the Microsoft Teams & Skype for Business admin center. Users in this role can view full call record information for all participants involved. This role has no access to view, create, or manage support tickets.

Teams Communications Support Specialist

Users in this role can troubleshoot communication issues within Microsoft Teams & Skype for Business using the user call troubleshooting tools in the Microsoft Teams & Skype for Business admin center. Users in this role can only view user details in the call for the specific user they have looked up. This role has no access to view, create, or manage support tickets.

User Administrator

Users with this role can create users and manage all aspects of users, with some restrictions (see below), and can update password expiration policies. Additionally, users with this role can create and manage all groups. This role also includes the ability to create and manage user views, manage support tickets, and monitor service health.
General permissions:
  • Create users and groups
  • Create and manage user views
  • Manage Office support tickets
  • Update password expiration policies
On all users, including all admins:
  • Manage licenses
  • Manage all user properties except User Principal Name
Only on users who are non-admins or in any of the following limited admin roles (Directory Readers, Guest Inviter, Helpdesk Administrator, Message Center Reader, Reports Reader, User Administrator):
  • Delete and restore
  • Disable and enable
  • Invalidate refresh tokens
  • Manage all user properties including User Principal Name
  • Reset password
  • Update (FIDO) device keys
Important
Users with this role can change passwords for people who may have access to sensitive or private information or critical configuration inside and outside of Azure Active Directory. Changing the password of a user may mean the ability to assume that user's identity and permissions. For example:
  • Application Registration and Enterprise Application owners, who can manage credentials of apps they own. Those apps may have privileged permissions in Azure AD and elsewhere not granted to User Administrators. Through this path a User Administrator may be able to assume the identity of an application owner and then further assume the identity of a privileged application by updating the credentials for the application.
  • Azure subscription owners, who may have access to sensitive or private information or critical configuration in Azure.
  • Security Group and Office 365 Group owners, who can manage group membership. Those groups may grant access to sensitive or private information or critical configuration in Azure AD and elsewhere.
  • Administrators in other services outside of Azure AD like Exchange Online, Office Security and Compliance Center, and human resources systems.
  • Non-administrators like executives, legal counsel, and human resources employees who may have access to sensitive or private information.

Role Permissions

The following tables describe the specific permissions in Azure Active Directory given to each role. Some roles may have additional permissions in Microsoft services outside of Azure Active Directory.

Application Administrator permissions

Can create and manage all aspects of app registrations and enterprise apps.
Action: Description
microsoft.directory/Application/appProxyAuthentication/update: Update App Proxy authentication properties on service principals in Azure Active Directory.
microsoft.directory/Application/appProxyUrlSettings/update: Update application proxy internal and external URLs in Azure Active Directory.
microsoft.directory/applications/applicationProxy/read: Read all App Proxy properties.
microsoft.directory/applications/applicationProxy/update: Update all App Proxy properties.
microsoft.directory/applications/audience/update: Update applications.audience property in Azure Active Directory.
microsoft.directory/applications/authentication/update: Update applications.authentication property in Azure Active Directory.
microsoft.directory/applications/basic/update: Update basic properties on applications in Azure Active Directory.
microsoft.directory/applications/create: Create applications in Azure Active Directory.
microsoft.directory/applications/credentials/update: Update applications.credentials property in Azure Active Directory.
microsoft.directory/applications/delete: Delete applications in Azure Active Directory.
microsoft.directory/applications/owners/update: Update applications.owners property in Azure Active Directory.
microsoft.directory/applications/permissions/update: Update applications.permissions property in Azure Active Directory.
microsoft.directory/applications/policies/update: Update applications.policies property in Azure Active Directory.
microsoft.directory/appRoleAssignments/create: Create appRoleAssignments in Azure Active Directory.
microsoft.directory/appRoleAssignments/read: Read appRoleAssignments in Azure Active Directory.
microsoft.directory/appRoleAssignments/update: Update appRoleAssignments in Azure Active Directory.
microsoft.directory/appRoleAssignments/delete: Delete appRoleAssignments in Azure Active Directory.
microsoft.directory/auditLogs/allProperties/read: Read all properties (including privileged properties) on auditLogs in Azure Active Directory.
microsoft.directory/connectorGroups/everything/read: Read application proxy connector group properties in Azure Active Directory.
microsoft.directory/connectorGroups/everything/update: Update all application proxy connector group properties in Azure Active Directory.
microsoft.directory/connectorGroups/create: Create application proxy connector groups in Azure Active Directory.
microsoft.directory/connectorGroups/delete: Delete application proxy connector groups in Azure Active Directory.
microsoft.directory/connectors/everything/read: Read all application proxy connector properties in Azure Active Directory.
microsoft.directory/connectors/create: Create application proxy connectors in Azure Active Directory.
microsoft.directory/policies/applicationConfiguration/basic/read: Read policies.applicationConfiguration property in Azure Active Directory.
microsoft.directory/policies/applicationConfiguration/basic/update: Update policies.applicationConfiguration property in Azure Active Directory.
microsoft.directory/policies/applicationConfiguration/create: Create policies in Azure Active Directory.
microsoft.directory/policies/applicationConfiguration/delete: Delete policies in Azure Active Directory.
microsoft.directory/policies/applicationConfiguration/owners/read: Read policies.applicationConfiguration property in Azure Active Directory.
microsoft.directory/policies/applicationConfiguration/owners/update: Update policies.applicationConfiguration property in Azure Active Directory.
microsoft.directory/policies/applicationConfiguration/policyAppliedTo/read: Read policies.applicationConfiguration property in Azure Active Directory.
microsoft.directory/servicePrincipals/appRoleAssignedTo/update: Update servicePrincipals.appRoleAssignedTo property in Azure Active Directory.
microsoft.directory/servicePrincipals/appRoleAssignments/update: Update servicePrincipals.appRoleAssignments property in Azure Active Directory.
microsoft.directory/servicePrincipals/audience/update: Update servicePrincipals.audience property in Azure Active Directory.
microsoft.directory/servicePrincipals/authentication/update: Update servicePrincipals.authentication property in Azure Active Directory.
microsoft.directory/servicePrincipals/basic/update: Update basic properties on servicePrincipals in Azure Active Directory.
microsoft.directory/servicePrincipals/create: Create servicePrincipals in Azure Active Directory.
microsoft.directory/servicePrincipals/credentials/update: Update servicePrincipals.credentials property in Azure Active Directory.
microsoft.directory/servicePrincipals/delete: Delete servicePrincipals in Azure Active Directory.
microsoft.directory/servicePrincipals/owners/update: Update servicePrincipals.owners property in Azure Active Directory.
microsoft.directory/servicePrincipals/permissions/update: Update servicePrincipals.permissions property in Azure Active Directory.
microsoft.directory/servicePrincipals/policies/update: Update servicePrincipals.policies property in Azure Active Directory.
microsoft.directory/signInReports/allProperties/read: Read all properties (including privileged properties) on signInReports in Azure Active Directory.
microsoft.azure.serviceHealth/allEntities/allTasks: Read and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasks: Create and manage Azure support tickets.
microsoft.office365.serviceHealth/allEntities/allTasks: Read and configure Office 365 Service Health.
microsoft.office365.supportTickets/allEntities/allTasks: Create and manage Office 365 support tickets.

Application Developer permissions

Can create application registrations independent of the ‘Users can register applications’ setting.
Action: Description
microsoft.directory/applications/createAsOwner: Create applications in Azure Active Directory. Creator is added as the first owner, and the created object counts against the creator's 250 created objects quota.
microsoft.directory/appRoleAssignments/createAsOwner: Create appRoleAssignments in Azure Active Directory. Creator is added as the first owner, and the created object counts against the creator's 250 created objects quota.
microsoft.directory/oAuth2PermissionGrants/createAsOwner: Create oAuth2PermissionGrants in Azure Active Directory. Creator is added as the first owner, and the created object counts against the creator's 250 created objects quota.
microsoft.directory/servicePrincipals/createAsOwner: Create servicePrincipals in Azure Active Directory. Creator is added as the first owner, and the created object counts against the creator's 250 created objects quota.

Authentication Administrator permissions

Allowed to view, set and reset authentication method information for any non-admin user.
Action: Description
microsoft.directory/users/invalidateAllRefreshTokens: Invalidate all user refresh tokens in Azure Active Directory.
microsoft.directory/users/strongAuthentication/update: Update strong authentication properties like MFA credential information.
microsoft.azure.serviceHealth/allEntities/allTasks: Read and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasks: Create and manage Azure support tickets.
microsoft.office365.webPortal/allEntities/basic/read: Read basic properties on all resources in microsoft.office365.webPortal.
microsoft.office365.serviceHealth/allEntities/allTasks: Read and configure Office 365 Service Health.
microsoft.office365.supportTickets/allEntities/allTasks: Create and manage Office 365 support tickets.
microsoft.directory/users/password/update: Update passwords for all users in the Office 365 organization. See online documentation for more detail.

Azure Information Protection Administrator permissions

Can manage all aspects of the Azure Information Protection service.
Note
This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Action: Description
microsoft.azure.informationProtection/allEntities/allTasks: Manage all aspects of Azure Information Protection.
microsoft.azure.serviceHealth/allEntities/allTasks: Read and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasks: Create and manage Azure support tickets.
microsoft.office365.serviceHealth/allEntities/allTasks: Read and configure Office 365 Service Health.
microsoft.office365.supportTickets/allEntities/allTasks: Create and manage Office 365 support tickets.

B2C User Flow Administrator permissions

Create and manage all aspects of user flows.
Action: Description
microsoft.aad.b2c/userFlows/allTasks: Read and configure user flows in Azure Active Directory B2C.

B2C User Flow Attribute Administrator permissions

Create and manage the attribute schema available to all user flows.
Action: Description
microsoft.aad.b2c/userAttributes/allTasks: Read and configure user attributes in Azure Active Directory B2C.

B2C IEF Keyset Administrator permissions

Manage secrets for federation and encryption in the Identity Experience Framework.
Action: Description
microsoft.aad.b2c/trustFramework/keySets/allTasks: Read and configure key sets in Azure Active Directory B2C.

B2C IEF Policy Administrator permissions

Create and manage trust framework policies in the Identity Experience Framework.
Action: Description
microsoft.aad.b2c/trustFramework/policies/allTasks: Read and configure custom policies in Azure Active Directory B2C.

Billing Administrator permissions

Can perform common billing related tasks like updating payment information.
Note
This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Action: Description
microsoft.directory/organization/basic/update: Update basic properties on organization in Azure Active Directory.
microsoft.azure.serviceHealth/allEntities/allTasks: Read and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasks: Create and manage Azure support tickets.
microsoft.commerce.billing/allEntities/allTasks: Manage all aspects of Office 365 billing.
microsoft.office365.webPortal/allEntities/basic/read: Read basic properties on all resources in microsoft.office365.webPortal.
microsoft.office365.serviceHealth/allEntities/allTasks: Read and configure Office 365 Service Health.
microsoft.office365.supportTickets/allEntities/allTasks: Create and manage Office 365 support tickets.

Cloud Application Administrator permissions

Can create and manage all aspects of app registrations and enterprise apps except App Proxy.
Action: Description
microsoft.directory/applications/audience/update: Update applications.audience property in Azure Active Directory.
microsoft.directory/applications/authentication/update: Update applications.authentication property in Azure Active Directory.
microsoft.directory/applications/basic/update: Update basic properties on applications in Azure Active Directory.
microsoft.directory/applications/create: Create applications in Azure Active Directory.
microsoft.directory/applications/credentials/update: Update applications.credentials property in Azure Active Directory.
microsoft.directory/applications/delete: Delete applications in Azure Active Directory.
microsoft.directory/applications/owners/update: Update applications.owners property in Azure Active Directory.
microsoft.directory/applications/permissions/update: Update applications.permissions property in Azure Active Directory.
microsoft.directory/applications/policies/update: Update applications.policies property in Azure Active Directory.
microsoft.directory/appRoleAssignments/create: Create appRoleAssignments in Azure Active Directory.
microsoft.directory/appRoleAssignments/update: Update appRoleAssignments in Azure Active Directory.
microsoft.directory/appRoleAssignments/delete: Delete appRoleAssignments in Azure Active Directory.
microsoft.directory/auditLogs/allProperties/read: Read all properties (including privileged properties) on auditLogs in Azure Active Directory.
microsoft.directory/policies/applicationConfiguration/create: Create policies in Azure Active Directory.
microsoft.directory/policies/applicationConfiguration/basic/read: Read policies.applicationConfiguration property in Azure Active Directory.
microsoft.directory/policies/applicationConfiguration/basic/update: Update policies.applicationConfiguration property in Azure Active Directory.
microsoft.directory/policies/applicationConfiguration/delete: Delete policies in Azure Active Directory.
microsoft.directory/policies/applicationConfiguration/owners/read: Read policies.applicationConfiguration property in Azure Active Directory.
microsoft.directory/policies/applicationConfiguration/owners/update: Update policies.applicationConfiguration property in Azure Active Directory.
microsoft.directory/policies/applicationConfiguration/policyAppliedTo/read: Read policies.applicationConfiguration property in Azure Active Directory.
microsoft.directory/servicePrincipals/appRoleAssignedTo/update: Update servicePrincipals.appRoleAssignedTo property in Azure Active Directory.
microsoft.directory/servicePrincipals/appRoleAssignments/update: Update servicePrincipals.appRoleAssignments property in Azure Active Directory.
microsoft.directory/servicePrincipals/audience/update: Update servicePrincipals.audience property in Azure Active Directory.
microsoft.directory/servicePrincipals/authentication/update: Update servicePrincipals.authentication property in Azure Active Directory.
microsoft.directory/servicePrincipals/basic/update: Update basic properties on servicePrincipals in Azure Active Directory.
microsoft.directory/servicePrincipals/create: Create servicePrincipals in Azure Active Directory.
microsoft.directory/servicePrincipals/credentials/update: Update servicePrincipals.credentials property in Azure Active Directory.
microsoft.directory/servicePrincipals/delete: Delete servicePrincipals in Azure Active Directory.
microsoft.directory/servicePrincipals/owners/update: Update servicePrincipals.owners property in Azure Active Directory.
microsoft.directory/servicePrincipals/permissions/update: Update servicePrincipals.permissions property in Azure Active Directory.
microsoft.directory/servicePrincipals/policies/update: Update servicePrincipals.policies property in Azure Active Directory.
microsoft.directory/signInReports/allProperties/read: Read all properties (including privileged properties) on signInReports in Azure Active Directory.
microsoft.azure.serviceHealth/allEntities/allTasks: Read and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasks: Create and manage Azure support tickets.
microsoft.office365.serviceHealth/allEntities/allTasks: Read and configure Office 365 Service Health.
microsoft.office365.supportTickets/allEntities/allTasks: Create and manage Office 365 support tickets.
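The action strings in these tables share one shape (namespace/entity/.../operation), which makes role definitions comparable by machine: which roles on this page can rotate application or service principal credentials (the takeover path the User Administrator note describes), and what Application Administrator adds over Cloud Application Administrator. The following Python is an added example, not Microsoft's code; its permission lists are transcribed from the tables above and trimmed, and its treatment of allEntities, allProperties, everything and allTasks as wildcards is an assumption inferred from the table descriptions.

```python
"""Least-privilege check over the Azure AD role permission tables on this page.

Added example, not Microsoft's code. ROLE_PERMISSIONS is transcribed from the
tables above and trimmed to what the checks need. The wildcard handling for
allEntities / allProperties / everything / allTasks is inferred from the table
descriptions ("read and update all properties", "manage all aspects") and is an
assumption, not an official specification of the permission model."""
from typing import Dict, List, Set, Tuple

# Action strings look like  namespace/entity[/segment...]/operation,
# e.g. microsoft.directory/applications/credentials/update
WILDCARD_SEGMENTS = {"allEntities", "allProperties", "everything"}

# Subset of the page's tables; Company Administrator is the Global administrator role.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "Application Administrator": {
        "microsoft.directory/Application/appProxyUrlSettings/update",
        "microsoft.directory/applications/applicationProxy/read",
        "microsoft.directory/applications/applicationProxy/update",
        "microsoft.directory/applications/create",
        "microsoft.directory/applications/credentials/update",
        "microsoft.directory/applications/owners/update",
        "microsoft.directory/connectorGroups/create",
        "microsoft.directory/servicePrincipals/credentials/update",
        "microsoft.directory/servicePrincipals/owners/update",
        "microsoft.office365.supportTickets/allEntities/allTasks",
    },
    "Cloud Application Administrator": {
        "microsoft.directory/applications/create",
        "microsoft.directory/applications/credentials/update",
        "microsoft.directory/applications/owners/update",
        "microsoft.directory/servicePrincipals/credentials/update",
        "microsoft.directory/servicePrincipals/owners/update",
        "microsoft.office365.supportTickets/allEntities/allTasks",
    },
    "Application Developer": {
        "microsoft.directory/applications/createAsOwner",
        "microsoft.directory/servicePrincipals/createAsOwner",
    },
    "Authentication Administrator": {
        "microsoft.directory/users/invalidateAllRefreshTokens",
        "microsoft.directory/users/strongAuthentication/update",
        "microsoft.directory/users/password/update",
    },
    "Company Administrator": {
        "microsoft.directory/applications/allProperties/allTasks",
        "microsoft.directory/servicePrincipals/allProperties/allTasks",
        "microsoft.directory/users/allProperties/allTasks",
        "microsoft.office365.supportTickets/allEntities/allTasks",
    },
}


def covers(granted: str, requested: str) -> bool:
    """True if the granted action string permits the requested action.

    Path segments are compared left to right. A wildcard segment in the grant
    matches anything at its position and, when it is the grant's last segment,
    everything below it; an allTasks operation matches any operation."""
    g_ns, *g_path, g_op = granted.split("/")
    r_ns, *r_path, r_op = requested.split("/")
    if g_ns != r_ns or (g_op != r_op and g_op != "allTasks"):
        return False
    for i in range(max(len(g_path), len(r_path))):
        g_seg = g_path[min(i, len(g_path) - 1)] if g_path else None
        r_seg = r_path[i] if i < len(r_path) else None
        if g_seg in WILDCARD_SEGMENTS:
            continue
        if g_seg != r_seg:
            return False
    return True


def role_grants(role: str, requested: str) -> bool:
    return any(covers(g, requested) for g in ROLE_PERMISSIONS[role])


def roles_granting(requested: str) -> List[str]:
    """Roles in ROLE_PERMISSIONS that can perform the requested action."""
    return sorted(r for r in ROLE_PERMISSIONS if role_grants(r, requested))


def diff_roles(a: str, b: str) -> Tuple[Set[str], Set[str]]:
    """Action strings listed for one role but not the other (literal rows)."""
    return (ROLE_PERMISSIONS[a] - ROLE_PERMISSIONS[b],
            ROLE_PERMISSIONS[b] - ROLE_PERMISSIONS[a])


# Actions the User Administrator "Important" note flags as identity takeover
# paths: rotating an app's or service principal's credentials, or a password.
CREDENTIAL_ACTIONS = (
    "microsoft.directory/applications/credentials/update",
    "microsoft.directory/servicePrincipals/credentials/update",
    "microsoft.directory/users/password/update",
)

if __name__ == "__main__":
    for action in CREDENTIAL_ACTIONS:
        print(action, "->", ", ".join(roles_granting(action)))
    only_app, _ = diff_roles("Application Administrator", "Cloud Application Administrator")
    print("Rows only in Application Administrator:", sorted(only_app))
```

Running it lists, per credential-bearing action, every role in the subset that can perform it, and shows that the rows Application Administrator has over Cloud Application Administrator are exactly the App Proxy ones.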

Cloud Device Administrator permissions

Full access to manage devices in Azure AD.
Action: Description
microsoft.directory/auditLogs/allProperties/read: Read all properties (including privileged properties) on auditLogs in Azure Active Directory.
microsoft.directory/devices/bitLockerRecoveryKeys/read: Read devices.bitLockerRecoveryKeys property in Azure Active Directory.
microsoft.directory/devices/delete: Delete devices in Azure Active Directory.
microsoft.directory/devices/disable: Disable devices in Azure Active Directory.
microsoft.directory/devices/enable: Enable devices in Azure Active Directory.
microsoft.directory/signInReports/allProperties/read: Read all properties (including privileged properties) on signInReports in Azure Active Directory.
microsoft.azure.serviceHealth/allEntities/allTasks: Read and configure Azure Service Health.
microsoft.office365.serviceHealth/allEntities/allTasks: Read and configure Office 365 Service Health.

Company Administrator permissions

Can manage all aspects of Azure AD and Microsoft services that use Azure AD identities.
Note
This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Action: Description
microsoft.aad.cloudAppSecurity/allEntities/allTasks: Create and delete all resources, and read and update standard properties in microsoft.aad.cloudAppSecurity.
microsoft.directory/administrativeUnits/allProperties/allTasks: Create and delete administrativeUnits, and read and update all properties in Azure Active Directory.
microsoft.directory/applications/allProperties/allTasks: Create and delete applications, and read and update all properties in Azure Active Directory.
microsoft.directory/appRoleAssignments/allProperties/allTasks: Create and delete appRoleAssignments, and read and update all properties in Azure Active Directory.
microsoft.directory/auditLogs/allProperties/read: Read all properties (including privileged properties) on auditLogs in Azure Active Directory.
microsoft.directory/contacts/allProperties/allTasks: Create and delete contacts, and read and update all properties in Azure Active Directory.
microsoft.directory/contracts/allProperties/allTasks: Create and delete contracts, and read and update all properties in Azure Active Directory.
microsoft.directory/devices/allProperties/allTasks: Create and delete devices, and read and update all properties in Azure Active Directory.
microsoft.directory/directoryRoles/allProperties/allTasks: Create and delete directoryRoles, and read and update all properties in Azure Active Directory.
microsoft.directory/directoryRoleTemplates/allProperties/allTasks: Create and delete directoryRoleTemplates, and read and update all properties in Azure Active Directory.
microsoft.directory/domains/allProperties/allTasks: Create and delete domains, and read and update all properties in Azure Active Directory.
microsoft.directory/groups/allProperties/allTasks: Create and delete groups, and read and update all properties in Azure Active Directory.
microsoft.directory/groupSettings/allProperties/allTasks: Create and delete groupSettings, and read and update all properties in Azure Active Directory.
microsoft.directory/groupSettingTemplates/allProperties/allTasks: Create and delete groupSettingTemplates, and read and update all properties in Azure Active Directory.
microsoft.directory/loginTenantBranding/allProperties/allTasks: Create and delete loginTenantBranding, and read and update all properties in Azure Active Directory.
microsoft.directory/oAuth2PermissionGrants/allProperties/allTasks: Create and delete oAuth2PermissionGrants, and read and update all properties in Azure Active Directory.
microsoft.directory/organization/allProperties/allTasks: Create and delete organization, and read and update all properties in Azure Active Directory.
microsoft.directory/policies/allProperties/allTasks: Create and delete policies, and read and update all properties in Azure Active Directory.
microsoft.directory/roleAssignments/allProperties/allTasks: Create and delete roleAssignments, and read and update all properties in Azure Active Directory.
microsoft.directory/roleDefinitions/allProperties/allTasks: Create and delete roleDefinitions, and read and update all properties in Azure Active Directory.
microsoft.directory/scopedRoleMemberships/allProperties/allTasks: Create and delete scopedRoleMemberships, and read and update all properties in Azure Active Directory.
microsoft.directory/serviceAction/activateService: Can perform the Activateservice service action in Azure Active Directory.
microsoft.directory/serviceAction/disableDirectoryFeature: Can perform the Disabledirectoryfeature service action in Azure Active Directory.
microsoft.directory/serviceAction/enableDirectoryFeature: Can perform the Enabledirectoryfeature service action in Azure Active Directory.
microsoft.directory/serviceAction/getAvailableExtentionProperties: Can perform the Getavailableextentionproperties service action in Azure Active Directory.
microsoft.directory/servicePrincipals/allProperties/allTasks: Create and delete servicePrincipals, and read and update all properties in Azure Active Directory.
microsoft.directory/signInReports/allProperties/read: Read all properties (including privileged properties) on signInReports in Azure Active Directory.
microsoft.directory/subscribedSkus/allProperties/allTasks: Create and delete subscribedSkus, and read and update all properties in Azure Active Directory.
microsoft.directory/users/allProperties/allTasks: Create and delete users, and read and update all properties in Azure Active Directory.
microsoft.directorySync/allEntities/allTasks: Perform all actions in Azure AD Connect.
microsoft.aad.identityProtection/allEntities/allTasks: Create and delete all resources, and read and update standard properties in microsoft.aad.identityProtection.
microsoft.aad.privilegedIdentityManagement/allEntities/read: Read all resources in microsoft.aad.privilegedIdentityManagement.
microsoft.azure.advancedThreatProtection/allEntities/read: Read all resources in microsoft.azure.advancedThreatProtection.
microsoft.azure.informationProtection/allEntities/allTasks: Manage all aspects of Azure Information Protection.
microsoft.azure.serviceHealth/allEntities/allTasks: Read and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasks: Create and manage Azure support tickets.
microsoft.commerce.billing/allEntities/allTasks: Manage all aspects of Office 365 billing.
microsoft.intune/allEntities/allTasks: Manage all aspects of Intune.
microsoft.office365.complianceManager/allEntities/allTasks: Manage all aspects of Office 365 Compliance Manager.
microsoft.office365.desktopAnalytics/allEntities/allTasks: Manage all aspects of Desktop Analytics.
microsoft.office365.exchange/allEntities/allTasks: Manage all aspects of Exchange Online.
microsoft.office365.lockbox/allEntities/allTasks: Manage all aspects of Office 365 Customer Lockbox.
microsoft.office365.messageCenter/messages/read: Read messages in microsoft.office365.messageCenter.
microsoft.office365.messageCenter/securityMessages/read: Read securityMessages in microsoft.office365.messageCenter.
microsoft.office365.protectionCenter/allEntities/allTasks: Manage all aspects of Office 365 Protection Center.
microsoft.office365.securityComplianceCenter/allEntities/allTasks: Create and delete all resources, and read and update standard properties in microsoft.office365.securityComplianceCenter.
microsoft.office365.serviceHealth/allEntities/allTasks: Read and configure Office 365 Service Health.
microsoft.office365.sharepoint/allEntities/allTasks: Create and delete all resources, and read and update standard properties in microsoft.office365.sharepoint.
microsoft.office365.skypeForBusiness/allEntities/allTasks: Manage all aspects of Skype for Business Online.
microsoft.office365.supportTickets/allEntities/allTasks: Create and manage Office 365 support tickets.
microsoft.office365.usageReports/allEntities/read: Read Office 365 usage reports.
microsoft.office365.webPortal/allEntities/basic/read: Read basic properties on all resources in microsoft.office365.webPortal.
microsoft.powerApps.dynamics365/allEntities/allTasks: Manage all aspects of Dynamics 365.
microsoft.powerApps.powerBI/allEntities/allTasks: Manage all aspects of Power BI.
microsoft.windows.defenderAdvancedThreatProtection/allEntities/read: Read all resources in microsoft.windows.defenderAdvancedThreatProtection.

Compliance Administrator permissions

Can read and manage compliance configuration and reports in Azure AD and Office 365.
Note
This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Action: Description
microsoft.azure.serviceHealth/allEntities/allTasks: Read and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasks: Create and manage Azure support tickets.
microsoft.office365.webPortal/allEntities/basic/read: Read basic properties on all resources in microsoft.office365.webPortal.
microsoft.office365.complianceManager/allEntities/allTasks: Manage all aspects of Office 365 Compliance Manager.
microsoft.office365.exchange/allEntities/allTasks: Manage all aspects of Exchange Online.
microsoft.office365.serviceHealth/allEntities/allTasks: Read and configure Office 365 Service Health.
microsoft.office365.sharepoint/allEntities/allTasks: Create and delete all resources, and read and update standard properties in microsoft.office365.sharepoint.
microsoft.office365.skypeForBusiness/allEntities/allTasks: Manage all aspects of Skype for Business Online.
microsoft.office365.supportTickets/allEntities/allTasks: Create and manage Office 365 support tickets.

Compliance Data Administrator permissions

Creates and manages compliance content.
Note
This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Action: Description
microsoft.aad.cloudAppSecurity/allEntities/allTasks: Read and configure Microsoft Cloud App Security.
microsoft.azure.informationProtection/allEntities/allTasks: Manage all aspects of Azure Information Protection.
microsoft.azure.serviceHealth/allEntities/allTasks: Read and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasks: Create and manage Azure support tickets.
microsoft.office365.webPortal/allEntities/basic/read: Read basic properties on all resources in microsoft.office365.webPortal.
microsoft.office365.complianceManager/allEntities/allTasks: Manage all aspects of Office 365 Compliance Manager.
microsoft.office365.exchange/allEntities/allTasks: Manage all aspects of Exchange Online.
microsoft.office365.serviceHealth/allEntities/allTasks: Read and configure Office 365 Service Health.
microsoft.office365.sharepoint/allEntities/allTasks: Create and delete all resources, and read and update standard properties in microsoft.office365.sharepoint.
microsoft.office365.skypeForBusiness/allEntities/allTasks: Manage all aspects of Skype for Business Online.
microsoft.office365.supportTickets/allEntities/allTasks: Create and manage Office 365 support tickets.

Conditional Access Administrator permissions

Can manage Conditional Access capabilities.
Action: Description
microsoft.directory/policies/conditionalAccess/basic/read: Read policies.conditionalAccess property in Azure Active Directory.
microsoft.directory/policies/conditionalAccess/basic/update: Update policies.conditionalAccess property in Azure Active Directory.
microsoft.directory/policies/conditionalAccess/create: Create policies in Azure Active Directory.
microsoft.directory/policies/conditionalAccess/delete: Delete policies in Azure Active Directory.
microsoft.directory/policies/conditionalAccess/owners/read: Read policies.conditionalAccess property in Azure Active Directory.
microsoft.directory/policies/conditionalAccess/owners/update: Update policies.conditionalAccess property in Azure Active Directory.
microsoft.directory/policies/conditionalAccess/policiesAppliedTo/read: Read policies.conditionalAccess property in Azure Active Directory.
microsoft.directory/policies/conditionalAccess/tenantDefault/update: Update policies.conditionalAccess property in Azure Active Directory.

CRM Service Administrator permissions

Can manage all aspects of the Dynamics 365 product.
Note: This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Action | Description
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets.
microsoft.powerApps.dynamics365/allEntities/allTasks | Manage all aspects of Dynamics 365.
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health.
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets.

Customer LockBox Access Approver permissions

Can approve Microsoft support requests to access customer organizational data.
Note: This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Action | Description
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.
microsoft.office365.lockbox/allEntities/allTasks | Manage all aspects of Office 365 Customer Lockbox.

Desktop Analytics Administrator permissions

Can manage the Desktop Analytics and Office Customization & Policy services. For Desktop Analytics, this includes the ability to view asset inventory, create deployment plans, view deployment and health status. For Office Customization & Policy service, this role enables users to manage Office policies.
Note: This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Action | Description
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets.
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.
microsoft.office365.desktopAnalytics/allEntities/allTasks | Manage all aspects of Desktop Analytics.
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health.
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets.

Device Administrators permissions

Users assigned to this role are added to the local administrators group on Azure AD-joined devices.
Action | Description
microsoft.directory/groupSettings/basic/read | Read basic properties on groupSettings in Azure Active Directory.
microsoft.directory/groupSettingTemplates/basic/read | Read basic properties on groupSettingTemplates in Azure Active Directory.

Directory Readers permissions

Can read basic directory information. For granting access to applications, not intended for users.
Action | Description
microsoft.directory/administrativeUnits/basic/read | Read basic properties on administrativeUnits in Azure Active Directory.
microsoft.directory/administrativeUnits/members/read | Read administrativeUnits.members property in Azure Active Directory.
microsoft.directory/applications/basic/read | Read basic properties on applications in Azure Active Directory.
microsoft.directory/applications/owners/read | Read applications.owners property in Azure Active Directory.
microsoft.directory/applications/policies/read | Read applications.policies property in Azure Active Directory.
microsoft.directory/contacts/basic/read | Read basic properties on contacts in Azure Active Directory.
microsoft.directory/contacts/memberOf/read | Read contacts.memberOf property in Azure Active Directory.
microsoft.directory/contracts/basic/read | Read basic properties on contracts in Azure Active Directory.
microsoft.directory/devices/basic/read | Read basic properties on devices in Azure Active Directory.
microsoft.directory/devices/memberOf/read | Read devices.memberOf property in Azure Active Directory.
microsoft.directory/devices/registeredOwners/read | Read devices.registeredOwners property in Azure Active Directory.
microsoft.directory/devices/registeredUsers/read | Read devices.registeredUsers property in Azure Active Directory.
microsoft.directory/directoryRoles/basic/read | Read basic properties on directoryRoles in Azure Active Directory.
microsoft.directory/directoryRoles/eligibleMembers/read | Read directoryRoles.eligibleMembers property in Azure Active Directory.
microsoft.directory/directoryRoles/members/read | Read directoryRoles.members property in Azure Active Directory.
microsoft.directory/domains/basic/read | Read basic properties on domains in Azure Active Directory.
microsoft.directory/groups/appRoleAssignments/read | Read groups.appRoleAssignments property in Azure Active Directory.
microsoft.directory/groups/basic/read | Read basic properties on groups in Azure Active Directory.
microsoft.directory/groups/memberOf/read | Read groups.memberOf property in Azure Active Directory.
microsoft.directory/groups/members/read | Read groups.members property in Azure Active Directory.
microsoft.directory/groups/owners/read | Read groups.owners property in Azure Active Directory.
microsoft.directory/groups/settings/read | Read groups.settings property in Azure Active Directory.
microsoft.directory/groupSettings/basic/read | Read basic properties on groupSettings in Azure Active Directory.
microsoft.directory/groupSettingTemplates/basic/read | Read basic properties on groupSettingTemplates in Azure Active Directory.
microsoft.directory/oAuth2PermissionGrants/basic/read | Read basic properties on oAuth2PermissionGrants in Azure Active Directory.
microsoft.directory/organization/basic/read | Read basic properties on organization in Azure Active Directory.
microsoft.directory/organization/trustedCAsForPasswordlessAuth/read | Read organization.trustedCAsForPasswordlessAuth property in Azure Active Directory.
microsoft.directory/roleAssignments/basic/read | Read basic properties on roleAssignments in Azure Active Directory.
microsoft.directory/roleDefinitions/basic/read | Read basic properties on roleDefinitions in Azure Active Directory.
microsoft.directory/servicePrincipals/appRoleAssignedTo/read | Read servicePrincipals.appRoleAssignedTo property in Azure Active Directory.
microsoft.directory/servicePrincipals/appRoleAssignments/read | Read servicePrincipals.appRoleAssignments property in Azure Active Directory.
microsoft.directory/servicePrincipals/basic/read | Read basic properties on servicePrincipals in Azure Active Directory.
microsoft.directory/servicePrincipals/memberOf/read | Read servicePrincipals.memberOf property in Azure Active Directory.
microsoft.directory/servicePrincipals/oAuth2PermissionGrants/basic/read | Read servicePrincipals.oAuth2PermissionGrants property in Azure Active Directory.
microsoft.directory/servicePrincipals/ownedObjects/read | Read servicePrincipals.ownedObjects property in Azure Active Directory.
microsoft.directory/servicePrincipals/owners/read | Read servicePrincipals.owners property in Azure Active Directory.
microsoft.directory/servicePrincipals/policies/read | Read servicePrincipals.policies property in Azure Active Directory.
microsoft.directory/subscribedSkus/basic/read | Read basic properties on subscribedSkus in Azure Active Directory.
microsoft.directory/users/appRoleAssignments/read | Read users.appRoleAssignments property in Azure Active Directory.
microsoft.directory/users/basic/read | Read basic properties on users in Azure Active Directory.
microsoft.directory/users/directReports/read | Read users.directReports property in Azure Active Directory.
microsoft.directory/users/manager/read | Read users.manager property in Azure Active Directory.
microsoft.directory/users/memberOf/read | Read users.memberOf property in Azure Active Directory.
microsoft.directory/users/oAuth2PermissionGrants/basic/read | Read users.oAuth2PermissionGrants property in Azure Active Directory.
microsoft.directory/users/ownedDevices/read | Read users.ownedDevices property in Azure Active Directory.
microsoft.directory/users/ownedObjects/read | Read users.ownedObjects property in Azure Active Directory.
microsoft.directory/users/registeredDevices/read | Read users.registeredDevices property in Azure Active Directory.

Directory Synchronization Accounts permissions

Only used by Azure AD Connect service.
Action | Description
microsoft.directory/organization/dirSync/update | Update organization.dirSync property in Azure Active Directory.
microsoft.directory/policies/create | Create policies in Azure Active Directory.
microsoft.directory/policies/delete | Delete policies in Azure Active Directory.
microsoft.directory/policies/basic/read | Read basic properties on policies in Azure Active Directory.
microsoft.directory/policies/basic/update | Update basic properties on policies in Azure Active Directory.
microsoft.directory/policies/owners/read | Read policies.owners property in Azure Active Directory.
microsoft.directory/policies/owners/update | Update policies.owners property in Azure Active Directory.
microsoft.directory/policies/policiesAppliedTo/read | Read policies.policiesAppliedTo property in Azure Active Directory.
microsoft.directory/policies/tenantDefault/update | Update policies.tenantDefault property in Azure Active Directory.
microsoft.directory/servicePrincipals/appRoleAssignedTo/read | Read servicePrincipals.appRoleAssignedTo property in Azure Active Directory.
microsoft.directory/servicePrincipals/appRoleAssignedTo/update | Update servicePrincipals.appRoleAssignedTo property in Azure Active Directory.
microsoft.directory/servicePrincipals/appRoleAssignments/read | Read servicePrincipals.appRoleAssignments property in Azure Active Directory.
microsoft.directory/servicePrincipals/appRoleAssignments/update | Update servicePrincipals.appRoleAssignments property in Azure Active Directory.
microsoft.directory/servicePrincipals/audience/update | Update servicePrincipals.audience property in Azure Active Directory.
microsoft.directory/servicePrincipals/authentication/update | Update servicePrincipals.authentication property in Azure Active Directory.
microsoft.directory/servicePrincipals/basic/read | Read basic properties on servicePrincipals in Azure Active Directory.
microsoft.directory/servicePrincipals/basic/update | Update basic properties on servicePrincipals in Azure Active Directory.
microsoft.directory/servicePrincipals/create | Create servicePrincipals in Azure Active Directory.
microsoft.directory/servicePrincipals/credentials/update | Update servicePrincipals.credentials property in Azure Active Directory.
microsoft.directory/servicePrincipals/memberOf/read | Read servicePrincipals.memberOf property in Azure Active Directory.
microsoft.directory/servicePrincipals/oAuth2PermissionGrants/basic/read | Read servicePrincipals.oAuth2PermissionGrants property in Azure Active Directory.
microsoft.directory/servicePrincipals/owners/read | Read servicePrincipals.owners property in Azure Active Directory.
microsoft.directory/servicePrincipals/owners/update | Update servicePrincipals.owners property in Azure Active Directory.
microsoft.directory/servicePrincipals/ownedObjects/read | Read servicePrincipals.ownedObjects property in Azure Active Directory.
microsoft.directory/servicePrincipals/permissions/update | Update servicePrincipals.permissions property in Azure Active Directory.
microsoft.directory/servicePrincipals/policies/read | Read servicePrincipals.policies property in Azure Active Directory.
microsoft.directory/servicePrincipals/policies/update | Update servicePrincipals.policies property in Azure Active Directory.
microsoft.directorySync/allEntities/allTasks | Perform all actions in Azure AD Connect.

Directory Writers permissions

Can read & write basic directory information. For granting access to applications, not intended for users.
Action | Description
microsoft.directory/groups/create | Create groups in Azure Active Directory.
microsoft.directory/groups/createAsOwner | Create groups in Azure Active Directory. Creator is added as the first owner, and the created object counts against the creator's 250 created objects quota.
microsoft.directory/groups/appRoleAssignments/update | Update groups.appRoleAssignments property in Azure Active Directory.
microsoft.directory/groups/basic/update | Update basic properties on groups in Azure Active Directory.
microsoft.directory/groups/members/update | Update groups.members property in Azure Active Directory.
microsoft.directory/groups/owners/update | Update groups.owners property in Azure Active Directory.
microsoft.directory/groups/settings/update | Update groups.settings property in Azure Active Directory.
microsoft.directory/groupSettings/basic/update | Update basic properties on groupSettings in Azure Active Directory.
microsoft.directory/groupSettings/create | Create groupSettings in Azure Active Directory.
microsoft.directory/groupSettings/delete | Delete groupSettings in Azure Active Directory.
microsoft.directory/users/appRoleAssignments/update | Update users.appRoleAssignments property in Azure Active Directory.
microsoft.directory/users/assignLicense | Manage licenses on users in Azure Active Directory.
microsoft.directory/users/basic/update | Update basic properties on users in Azure Active Directory.
microsoft.directory/users/invalidateAllRefreshTokens | Invalidate all user refresh tokens in Azure Active Directory.
microsoft.directory/users/manager/update | Update users.manager property in Azure Active Directory.
microsoft.directory/users/userPrincipalName/update | Update users.userPrincipalName property in Azure Active Directory.

Exchange Service Administrator permissions

Can manage all aspects of the Exchange product.
Note: This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Action | Description
microsoft.directory/groups/unified/appRoleAssignments/update | Update groups.unified property in Azure Active Directory.
microsoft.directory/groups/unified/basic/update | Update basic properties of Office 365 Groups.
microsoft.directory/groups/unified/create | Create Office 365 Groups.
microsoft.directory/groups/unified/delete | Delete Office 365 Groups.
microsoft.directory/groups/unified/members/update | Update membership of Office 365 Groups.
microsoft.directory/groups/unified/owners/update | Update ownership of Office 365 Groups.
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets.
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.
microsoft.office365.exchange/allEntities/allTasks | Manage all aspects of Exchange Online.
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health.
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets.

External Identity Provider Administrator permissions

Configure identity providers for use in direct federation.
Action | Description
microsoft.aad.b2c/identityProviders/allTasks | Read and configure identity providers in Azure Active Directory B2C.

Guest Inviter permissions

Can invite guest users independent of the ‘members can invite guests’ setting.
Action | Description
microsoft.directory/users/appRoleAssignments/read | Read users.appRoleAssignments property in Azure Active Directory.
microsoft.directory/users/basic/read | Read basic properties on users in Azure Active Directory.
microsoft.directory/users/directReports/read | Read users.directReports property in Azure Active Directory.
microsoft.directory/users/inviteGuest | Invite guest users in Azure Active Directory.
microsoft.directory/users/manager/read | Read users.manager property in Azure Active Directory.
microsoft.directory/users/memberOf/read | Read users.memberOf property in Azure Active Directory.
microsoft.directory/users/oAuth2PermissionGrants/basic/read | Read users.oAuth2PermissionGrants property in Azure Active Directory.
microsoft.directory/users/ownedDevices/read | Read users.ownedDevices property in Azure Active Directory.
microsoft.directory/users/ownedObjects/read | Read users.ownedObjects property in Azure Active Directory.
microsoft.directory/users/registeredDevices/read | Read users.registeredDevices property in Azure Active Directory.

Helpdesk Administrator permissions

Can reset passwords for non-administrators and Helpdesk Administrators.
Action | Description
microsoft.directory/devices/bitLockerRecoveryKeys/read | Read devices.bitLockerRecoveryKeys property in Azure Active Directory.
microsoft.directory/users/invalidateAllRefreshTokens | Invalidate all user refresh tokens in Azure Active Directory.
microsoft.directory/users/password/update | Update passwords for all users in Azure Active Directory. See online documentation for more detail.
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets.
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health.
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets.

Intune Service Administrator permissions

Can manage all aspects of the Intune product.
Note: This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Action | Description
microsoft.directory/contacts/basic/update | Update basic properties on contacts in Azure Active Directory.
microsoft.directory/contacts/create | Create contacts in Azure Active Directory.
microsoft.directory/contacts/delete | Delete contacts in Azure Active Directory.
microsoft.directory/devices/basic/update | Update basic properties on devices in Azure Active Directory.
microsoft.directory/devices/bitLockerRecoveryKeys/read | Read devices.bitLockerRecoveryKeys property in Azure Active Directory.
microsoft.directory/devices/create | Create devices in Azure Active Directory.
microsoft.directory/devices/delete | Delete devices in Azure Active Directory.
microsoft.directory/devices/registeredOwners/update | Update devices.registeredOwners property in Azure Active Directory.
microsoft.directory/devices/registeredUsers/update | Update devices.registeredUsers property in Azure Active Directory.
microsoft.directory/groups/appRoleAssignments/update | Update groups.appRoleAssignments property in Azure Active Directory.
microsoft.directory/groups/basic/update | Update basic properties on groups in Azure Active Directory.
microsoft.directory/groups/create | Create groups in Azure Active Directory.
microsoft.directory/groups/createAsOwner | Create groups in Azure Active Directory. Creator is added as the first owner, and the created object counts against the creator's 250 created objects quota.
microsoft.directory/groups/delete | Delete groups in Azure Active Directory.
microsoft.directory/groups/hiddenMembers/read | Read groups.hiddenMembers property in Azure Active Directory.
microsoft.directory/groups/members/update | Update groups.members property in Azure Active Directory.
microsoft.directory/groups/owners/update | Update groups.owners property in Azure Active Directory.
microsoft.directory/groups/restore | Restore groups in Azure Active Directory.
microsoft.directory/groups/settings/update | Update groups.settings property in Azure Active Directory.
microsoft.directory/users/appRoleAssignments/update | Update users.appRoleAssignments property in Azure Active Directory.
microsoft.directory/users/basic/update | Update basic properties on users in Azure Active Directory.
microsoft.directory/users/manager/update | Update users.manager property in Azure Active Directory.
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets.
microsoft.intune/allEntities/allTasks | Manage all aspects of Intune.
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets.
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.

Kaizala Administrator permissions

Can manage settings for Microsoft Kaizala.
Note: This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Action | Description
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health.
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets.
microsoft.office365.webPortal/allEntities/basic/read | Read Office 365 admin center.

License Administrator permissions

Can manage product licenses on users and groups.
Action | Description
microsoft.directory/users/assignLicense | Manage licenses on users in Azure Active Directory.
microsoft.directory/users/usageLocation/update | Update users.usageLocation property in Azure Active Directory.
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health.

Lync Service Administrator permissions

Can manage all aspects of the Skype for Business product.
Note: This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Action | Description
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets.
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health.
microsoft.office365.skypeForBusiness/allEntities/allTasks | Manage all aspects of Skype for Business Online.
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets.

Message Center Privacy Reader permissions

Can read Message Center posts, data privacy messages, groups, domains and subscriptions.
Note: This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Action | Description
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.
microsoft.office365.messageCenter/messages/read | Read messages in microsoft.office365.messageCenter.
microsoft.office365.messageCenter/securityMessages/read | Read securityMessages in microsoft.office365.messageCenter.

Message Center Reader permissions

Can read messages and updates for their organization in Office 365 Message Center only.
Note: This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Action | Description
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.
microsoft.office365.messageCenter/messages/read | Read messages in microsoft.office365.messageCenter.

Partner Tier1 Support permissions

Do not use - not intended for general use.
Note: This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Action | Description
microsoft.directory/contacts/basic/update | Update basic properties on contacts in Azure Active Directory.
microsoft.directory/contacts/create | Create contacts in Azure Active Directory.
microsoft.directory/contacts/delete | Delete contacts in Azure Active Directory.
microsoft.directory/groups/create | Create groups in Azure Active Directory.
microsoft.directory/groups/createAsOwner | Create groups in Azure Active Directory. Creator is added as the first owner, and the created object counts against the creator's 250 created objects quota.
microsoft.directory/groups/members/update | Update groups.members property in Azure Active Directory.
microsoft.directory/groups/owners/update | Update groups.owners property in Azure Active Directory.
microsoft.directory/users/appRoleAssignments/update | Update users.appRoleAssignments property in Azure Active Directory.
microsoft.directory/users/assignLicense | Manage licenses on users in Azure Active Directory.
microsoft.directory/users/basic/update | Update basic properties on users in Azure Active Directory.
microsoft.directory/users/delete | Delete users in Azure Active Directory.
microsoft.directory/users/invalidateAllRefreshTokens | Invalidate all user refresh tokens in Azure Active Directory.
microsoft.directory/users/manager/update | Update users.manager property in Azure Active Directory.
microsoft.directory/users/password/update | Update passwords for all users in Azure Active Directory. See online documentation for more detail.
microsoft.directory/users/restore | Restore deleted users in Azure Active Directory.
microsoft.directory/users/userPrincipalName/update | Update users.userPrincipalName property in Azure Active Directory.
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets.
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health.
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets.

Partner Tier2 Support permissions

Do not use - not intended for general use.
Note: This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Action | Description
microsoft.directory/contacts/basic/update | Update basic properties on contacts in Azure Active Directory.
microsoft.directory/contacts/create | Create contacts in Azure Active Directory.
microsoft.directory/contacts/delete | Delete contacts in Azure Active Directory.
microsoft.directory/domains/allTasks | Create and delete domains, and read and update standard properties in Azure Active Directory.
microsoft.directory/groups/create | Create groups in Azure Active Directory.
microsoft.directory/groups/delete | Delete groups in Azure Active Directory.
microsoft.directory/groups/members/update | Update groups.members property in Azure Active Directory.
microsoft.directory/groups/restore | Restore groups in Azure Active Directory.
microsoft.directory/organization/basic/update | Update basic properties on organization in Azure Active Directory.
microsoft.directory/users/appRoleAssignments/update | Update users.appRoleAssignments property in Azure Active Directory.
microsoft.directory/users/assignLicense | Manage licenses on users in Azure Active Directory.
microsoft.directory/users/basic/update | Update basic properties on users in Azure Active Directory.
microsoft.directory/users/delete | Delete users in Azure Active Directory.
microsoft.directory/users/invalidateAllRefreshTokens | Invalidate all user refresh tokens in Azure Active Directory.
microsoft.directory/users/manager/update | Update users.manager property in Azure Active Directory.
microsoft.directory/users/password/update | Update passwords for all users in Azure Active Directory. See online documentation for more detail.
microsoft.directory/users/restore | Restore deleted users in Azure Active Directory.
microsoft.directory/users/userPrincipalName/update | Update users.userPrincipalName property in Azure Active Directory.
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets.
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health.
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets.

Password Administrator permissions

Can reset passwords for non-administrators and Password administrators.
Action | Description
microsoft.directory/users/password/update | Update passwords for all users in Azure Active Directory. See online documentation for more detail.
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.

Power BI Service Administrator permissions

Can manage all aspects of the Power BI product.
Note: This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Action | Description
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets.
microsoft.powerApps.powerBI/allEntities/allTasks | Manage all aspects of Power BI.
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health.
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets.

Privileged Authentication Administrator permissions

Allowed to view, set and reset authentication method information for any user (admin or non-admin).
Action | Description
microsoft.directory/users/invalidateAllRefreshTokens | Invalidate all user refresh tokens in Azure Active Directory.
microsoft.directory/users/strongAuthentication/update | Update strong authentication properties like MFA credential information.
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets.
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health.
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets.
microsoft.directory/users/password/update | Update passwords for all users in the Office 365 organization. See online documentation for more detail.

Privileged Role Administrator permissions

Can manage role assignments in Azure AD, and all aspects of Privileged Identity Management.
Note: This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Action | Description
microsoft.aad.privilegedIdentityManagement/allEntities/allTasks | Create and delete all resources, and read and update standard properties in microsoft.aad.privilegedIdentityManagement.
microsoft.directory/servicePrincipals/appRoleAssignedTo/allTasks | Read and configure servicePrincipals.appRoleAssignedTo property in Azure Active Directory.
microsoft.directory/servicePrincipals/oAuth2PermissionGrants/allTasks | Read and configure servicePrincipals.oAuth2PermissionGrants property in Azure Active Directory.
microsoft.directory/administrativeUnits/allProperties/allTasks | Create and manage administrative units (including members).
microsoft.directory/roleAssignments/allProperties/allTasks | Create and manage role assignments.
microsoft.directory/roleDefinitions/allProperties/allTasks | Create and manage role definitions.
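Several of the roles listed above are not Global administrator but reach the same places: Privileged Authentication Administrator and Helpdesk/Password Administrator hold users/password/update and strongAuthentication/update, Privileged Role Administrator holds roleAssignments/allTasks, Directory Synchronization Accounts holds servicePrincipals/credentials/update and appRoleAssignedTo/update, and the Partner Tier1/Tier2 Support roles are marked "Do not use". The following PowerShell is an added example, not code from the page or from Microsoft's documentation, that lists the current members of these roles so they can be reviewed alongside the Global administrator headcount. It assumes the AzureAD module is installed and Connect-AzureAD has already been run with an account that can read directory roles; the 'Sync_' prefix used to recognise the Azure AD Connect account and the 'Company Administrator' name the module reports for Global administrator are assumptions stated in the comments.

```powershell
# Added example; not part of the original page or of Microsoft's documentation.
# Assumes the AzureAD PowerShell module is installed and Connect-AzureAD has already
# been run with an account that can read directory roles (Directory Readers is enough).

# Roles from the tables above whose permissions reach other administrators or the
# tenant's own credentials: password or MFA reset on any user, role assignment,
# or writing service-principal credentials. 'Company Administrator' is the display
# name the AzureAD module reports for the Global administrator role (assumption).
$SensitiveRoles = @(
    'Company Administrator',
    'Privileged Role Administrator',
    'Privileged Authentication Administrator',
    'Directory Synchronization Accounts',
    'Helpdesk Administrator',
    'Password Administrator',
    'Partner Tier1 Support',
    'Partner Tier2 Support'
)

function Get-SensitiveRoleMembers {
    # Get-AzureADDirectoryRole lists only roles that have been activated in the tenant,
    # so a role missing from the output simply has never had a member. It also does not
    # return PIM-eligible assignments; review those separately in Privileged Identity Management.
    $activeRoles = Get-AzureADDirectoryRole | Where-Object { $SensitiveRoles -contains $_.DisplayName }

    foreach ($role in $activeRoles) {
        foreach ($m in Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId) {
            [pscustomobject]@{
                Role       = $role.DisplayName
                ObjectType = $m.ObjectType          # User, ServicePrincipal or Group
                Name       = if ($m.ObjectType -eq 'User') { $m.UserPrincipalName } else { $m.DisplayName }
                IsGuest    = ($m.ObjectType -eq 'User' -and $m.UserType -eq 'Guest')
                ObjectId   = $m.ObjectId
            }
        }
    }
}

$members = Get-SensitiveRoleMembers
$members | Sort-Object Role, Name | Format-Table Role, ObjectType, Name, IsGuest -AutoSize

Write-Host "`nFindings:"

# 1. Guests or non-user principals in roles that can reset passwords, MFA or role assignments.
#    Directory Synchronization Accounts is excluded here and checked on its own below.
$members | Where-Object { $_.Role -ne 'Directory Synchronization Accounts' -and ($_.IsGuest -or $_.ObjectType -ne 'User') } |
    ForEach-Object { Write-Host "Guest or non-user principal in $($_.Role): $($_.Name)" }

# 2. Directory Synchronization Accounts can write service-principal credentials and app role
#    assignments (see its table above). Only the account Azure AD Connect creates belongs here;
#    the 'Sync_' prefix is the naming Azure AD Connect uses for that account (assumption).
$members | Where-Object { $_.Role -eq 'Directory Synchronization Accounts' -and $_.Name -notlike 'Sync_*' } |
    ForEach-Object { Write-Host "Unexpected member of Directory Synchronization Accounts: $($_.Name)" }

# 3. Partner Tier1/Tier2 Support are documented above as "Do not use"; any member is a finding.
$members | Where-Object { $_.Role -like 'Partner Tier*' } |
    ForEach-Object { Write-Host "Member of $($_.Role): $($_.Name)" }

# 4. Global administrator headcount, against the page's recommendation of fewer than five.
$gaCount = @($members | Where-Object { $_.Role -eq 'Company Administrator' }).Count
Write-Host "Global administrators: $gaCount (recommended: fewer than 5)"
```

Run it from a session that has already authenticated with Connect-AzureAD. Because Get-AzureADDirectoryRole reports only permanent, activated assignments, a tenant that uses Privileged Identity Management must also review eligible assignments there; an empty result here does not mean nobody can activate into these roles.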

Reports Reader permissions

Can read sign-in and audit reports.
Note: This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Action | Description
microsoft.directory/auditLogs/allProperties/read | Read all properties (including privileged properties) on auditLogs in Azure Active Directory.
microsoft.directory/signInReports/allProperties/read | Read all properties (including privileged properties) on signInReports in Azure Active Directory.
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
microsoft.office365.usageReports/allEntities/read | Read Office 365 usage reports.

Search Administrator permissions

Can create and manage all aspects of Microsoft Search settings.
 Note
This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Actions | Description
microsoft.office365.messageCenter/messages/read | Read messages in microsoft.office365.messageCenter.
microsoft.office365.search/allEntities/allProperties/allTasks | Create and delete all resources, and read and update all properties in microsoft.office365.search.
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health.
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets.
microsoft.office365.usageReports/allEntities/read | Read Office 365 usage reports.
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.

Search Editor permissions

Can create and manage the editorial content such as bookmarks, Q and As, locations, floorplan.
 Note
This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Actions | Description
microsoft.office365.messageCenter/messages/read | Read messages in microsoft.office365.messageCenter.
microsoft.office365.search/content/allProperties/allTasks | Create and delete content, and read and update all properties in microsoft.office365.search.
microsoft.office365.usageReports/allEntities/read | Read Office 365 usage reports.

Security Administrator permissions

Can read security information and reports, and manage configuration in Azure AD and Office 365.
 Note
This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Actions | Description
microsoft.directory/applications/policies/update | Update applications.policies property in Azure Active Directory.
microsoft.directory/auditLogs/allProperties/read | Read all properties (including privileged properties) on auditLogs in Azure Active Directory.
microsoft.directory/devices/bitLockerRecoveryKeys/read | Read devices.bitLockerRecoveryKeys property in Azure Active Directory.
microsoft.directory/policies/basic/update | Update basic properties on policies in Azure Active Directory.
microsoft.directory/policies/create | Create policies in Azure Active Directory.
microsoft.directory/policies/delete | Delete policies in Azure Active Directory.
microsoft.directory/policies/owners/update | Update policies.owners property in Azure Active Directory.
microsoft.directory/policies/tenantDefault/update | Update policies.tenantDefault property in Azure Active Directory.
microsoft.directory/servicePrincipals/policies/update | Update servicePrincipals.policies property in Azure Active Directory.
microsoft.directory/signInReports/allProperties/read | Read all properties (including privileged properties) on signInReports in Azure Active Directory.
microsoft.aad.identityProtection/allEntities/read | Read all resources in microsoft.aad.identityProtection.
microsoft.aad.identityProtection/allEntities/update | Update all resources in microsoft.aad.identityProtection.
microsoft.aad.privilegedIdentityManagement/allEntities/read | Read all resources in microsoft.aad.privilegedIdentityManagement.
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.
microsoft.office365.protectionCenter/allEntities/read | Read all aspects of Office 365 Protection Center.
microsoft.office365.protectionCenter/allEntities/update | Update all resources in microsoft.office365.protectionCenter.
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health.

Security Operator permissions

Creates and manages security events.
 Note
This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Actions | Description
microsoft.aad.cloudAppSecurity/allEntities/allTasks | Read and configure Microsoft Cloud App Security.
microsoft.aad.identityProtection/allEntities/read | Read all resources in microsoft.aad.identityProtection.
microsoft.aad.privilegedIdentityManagement/allEntities/read | Read all resources in microsoft.aad.privilegedIdentityManagement.
microsoft.azure.advancedThreatProtection/allEntities/read | Read and configure Azure AD Advanced Threat Protection.
microsoft.intune/allEntities/allTasks | Manage all aspects of Intune.
microsoft.office365.securityComplianceCenter/allEntities/allTasks | Read and configure Security & Compliance Center.
microsoft.office365.usageReports/allEntities/read | Read Office 365 usage reports.
microsoft.windows.defenderAdvancedThreatProtection/allEntities/read | Read and configure Windows Defender Advanced Threat Protection.

Security Reader permissions

Can read security information and reports in Azure AD and Office 365.
 Note
This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Actions | Description
microsoft.directory/auditLogs/allProperties/read | Read all properties (including privileged properties) on auditLogs in Azure Active Directory.
microsoft.directory/devices/bitLockerRecoveryKeys/read | Read devices.bitLockerRecoveryKeys property in Azure Active Directory.
microsoft.directory/signInReports/allProperties/read | Read all properties (including privileged properties) on signInReports in Azure Active Directory.
microsoft.aad.identityProtection/allEntities/read | Read all resources in microsoft.aad.identityProtection.
microsoft.aad.privilegedIdentityManagement/allEntities/read | Read all resources in microsoft.aad.privilegedIdentityManagement.
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.
microsoft.office365.protectionCenter/allEntities/read | Read all aspects of Office 365 Protection Center.
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health.

Service Support Administrator permissions

Can read service health information and manage support tickets.
 Note
This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Actions | Description
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets.
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health.
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets.

SharePoint Service Administrator permissions

Can manage all aspects of the SharePoint service.
 Note
This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Actions | Description
microsoft.directory/groups/unified/appRoleAssignments/update | Update groups.unified property in Azure Active Directory.
microsoft.directory/groups/unified/basic/update | Update basic properties of Office 365 Groups.
microsoft.directory/groups/unified/create | Create Office 365 Groups.
microsoft.directory/groups/unified/delete | Delete Office 365 Groups.
microsoft.directory/groups/unified/members/update | Update membership of Office 365 Groups.
microsoft.directory/groups/unified/owners/update | Update ownership of Office 365 Groups.
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets.
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health.
microsoft.office365.sharepoint/allEntities/allTasks | Create and delete all resources, and read and update standard properties in microsoft.office365.sharepoint.
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets.

Teams Communications Administrator permissions

Can manage calling and meetings features within the Microsoft Teams service.
 Note
This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Actions | Description
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets.
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health.
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets.
microsoft.office365.usageReports/allEntities/read | Read Office 365 usage reports.

Teams Communications Support Engineer permissions

Can troubleshoot communications issues within Teams using advanced tools.
 Note
This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Actions | Description
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health.

Teams Communications Support Specialist permissions

Can troubleshoot communications issues within Teams using basic tools.
 Note
This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Actions | Description
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health.

Teams Service Administrator permissions

Can manage the Microsoft Teams service.
 Note
This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
Actions | Description
microsoft.directory/groups/hiddenMembers/read | Read groups.hiddenMembers property in Azure Active Directory.
microsoft.directory/groups/unified/appRoleAssignments/update | Update groups.unified property in Azure Active Directory.
microsoft.directory/groups/unified/basic/update | Update basic properties of Office 365 Groups.
microsoft.directory/groups/unified/create | Create Office 365 Groups.
microsoft.directory/groups/unified/delete | Delete Office 365 Groups.
microsoft.directory/groups/unified/members/update | Update membership of Office 365 Groups.
microsoft.directory/groups/unified/owners/update | Update ownership of Office 365 Groups.
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets.
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health.
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets.
microsoft.office365.usageReports/allEntities/read | Read Office 365 usage reports.

User Administrator permissions

Can manage all aspects of users and groups, including resetting passwords for limited admins.
Actions | Description
microsoft.directory/appRoleAssignments/create | Create appRoleAssignments in Azure Active Directory.
microsoft.directory/appRoleAssignments/delete | Delete appRoleAssignments in Azure Active Directory.
microsoft.directory/appRoleAssignments/update | Update appRoleAssignments in Azure Active Directory.
microsoft.directory/contacts/basic/update | Update basic properties on contacts in Azure Active Directory.
microsoft.directory/contacts/create | Create contacts in Azure Active Directory.
microsoft.directory/contacts/delete | Delete contacts in Azure Active Directory.
microsoft.directory/groups/appRoleAssignments/update | Update groups.appRoleAssignments property in Azure Active Directory.
microsoft.directory/groups/basic/update | Update basic properties on groups in Azure Active Directory.
microsoft.directory/groups/create | Create groups in Azure Active Directory.
microsoft.directory/groups/createAsOwner | Create groups in Azure Active Directory. Creator is added as the first owner, and the created object counts against the creator's 250 created objects quota.
microsoft.directory/groups/delete | Delete groups in Azure Active Directory.
microsoft.directory/groups/hiddenMembers/read | Read groups.hiddenMembers property in Azure Active Directory.
microsoft.directory/groups/members/update | Update groups.members property in Azure Active Directory.
microsoft.directory/groups/owners/update | Update groups.owners property in Azure Active Directory.
microsoft.directory/groups/restore | Restore groups in Azure Active Directory.
microsoft.directory/groups/settings/update | Update groups.settings property in Azure Active Directory.
microsoft.directory/users/appRoleAssignments/update | Update users.appRoleAssignments property in Azure Active Directory.
microsoft.directory/users/assignLicense | Manage licenses on users in Azure Active Directory.
microsoft.directory/users/basic/update | Update basic properties on users in Azure Active Directory.
microsoft.directory/users/create | Create users in Azure Active Directory.
microsoft.directory/users/delete | Delete users in Azure Active Directory.
microsoft.directory/users/invalidateAllRefreshTokens | Invalidate all user refresh tokens in Azure Active Directory.
microsoft.directory/users/manager/update | Update users.manager property in Azure Active Directory.
microsoft.directory/users/password/update | Update passwords for all users in Azure Active Directory. See online documentation for more detail.
microsoft.directory/users/restore | Restore deleted users in Azure Active Directory.
microsoft.directory/users/userPrincipalName/update | Update users.userPrincipalName property in Azure Active Directory.
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health.
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets.
microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal.
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health.
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets.
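
The tables above answer "what can this role do?". During an access review or an incident the inverse question is the one that matters: "which roles can perform this action?", for example who can reset passwords or read BitLocker recovery keys. The following PowerShell is an added example, not code from the original article. It assumes the AzureADPreview module is installed and Connect-AzureAD has been run with an account permitted to read role definitions; the cmdlet Get-AzureADMSRoleDefinition and the RolePermissions.AllowedResourceActions property it exposes are what is relied on, and the wildcard handling of allEntities/allProperties/allTasks is a triage heuristic of this example, not semantics stated on the page.

```powershell
# Added example (not from the original article): answer "which built-in roles
# grant this action?" for the permission strings listed in the tables above.
# Assumes the AzureADPreview module is installed and Connect-AzureAD has been run
# with an account permitted to read role definitions.
#Requires -Modules AzureADPreview

function Get-RolesGrantingAction {
    [CmdletBinding()]
    param(
        # Exact action string as written in the tables, for example
        # microsoft.directory/users/password/update
        [Parameter(Mandatory)]
        [string]$Action,

        # Also report roles whose broader actions cover the requested one, treating
        # allEntities / allProperties / allTasks as wildcards. This is an approximation
        # for triage only; confirm against the role's own table before relying on it.
        [switch]$IncludeBroader
    )

    $definitions = Get-AzureADMSRoleDefinition | Where-Object { $_.IsBuiltIn -and $_.IsEnabled }

    foreach ($def in $definitions) {
        # A role definition carries one or more permission sets; flatten their actions.
        $allowed = @($def.RolePermissions | ForEach-Object { $_.AllowedResourceActions })

        $matched = $allowed | Where-Object {
            if ($_ -eq $Action) { return $true }
            if (-not $IncludeBroader) { return $false }
            $pattern = $_ -replace 'allEntities|allProperties|allTasks', '*'
            return ($pattern -ne $_) -and ($Action -like $pattern)
        }

        if ($matched) {
            [pscustomobject]@{
                Role       = $def.DisplayName
                TemplateId = $def.TemplateId
                Matched    = ($matched -join '; ')
            }
        }
    }
}

# Who can reset passwords? Who can read BitLocker recovery keys?
'microsoft.directory/users/password/update',
'microsoft.directory/devices/bitLockerRecoveryKeys/read' | ForEach-Object {
    Write-Host "`nRoles granting $_"
    Get-RolesGrantingAction -Action $_ -IncludeBroader | Format-Table -AutoSize
}
```

Note that an action string alone does not tell you the scope of the permission. Several roles above list microsoft.directory/users/password/update, yet the description itself defers to online documentation for which users' passwords each role can actually reset, so treat a match as a lead to verify, not as proof of reach.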

Role template IDs

Role template IDs identify a role independently of its display name and are used mainly by Graph API and PowerShell users. Note that the Graph display name and the Azure portal display name of a role can differ, so scripts should match on the template ID rather than on a name.
Graph displayName | Azure portal display name | directoryRoleTemplateId
Application Administrator | Application administrator | 9B895D92-2CD3-44C7-9D02-A6AC2D5EA5C3
Application Developer | Application developer | CF1C38E5-3621-4004-A7CB-879624DCED7C
Authentication Administrator | Authentication administrator | c4e39bd9-1100-46d3-8c65-fb160da0071f
Azure Information Protection Administrator | Azure Information Protection administrator | 7495fdc4-34c4-4d15-a289-98788ce399fd
B2C User flow Administrator | B2C User flow Administrator | 6e591065-9bad-43ed-90f3-e9424366d2f0
B2C User Flow Attribute Administrator | B2C User Flow Attribute Administrator | 0f971eea-41eb-4569-a71e-57bb8a3eff1e
B2C IEF Keyset Administrator | B2C IEF Keyset Administrator | aaf43236-0c0d-4d5f-883a-6955382ac081
B2C IEF Policy Administrator | B2C IEF Policy Administrator | 3edaf663-341e-4475-9f94-5c398ef6c070
Billing Administrator | Billing administrator | b0f54661-2d74-4c50-afa3-1ec803f12efe
Cloud Application Administrator | Cloud application administrator | 158c047a-c907-4556-b7ef-446551a6b5f7
Cloud Device Administrator | Cloud device administrator | 7698a772-787b-4ac8-901f-60d6b08affd2
Company Administrator | Global administrator | 62e90394-69f5-4237-9190-012177145e10
Compliance Administrator | Compliance administrator | 17315797-102d-40b4-93e0-432062caca18
Compliance Data Administrator | Compliance data administrator | e6d1a23a-da11-4be4-9570-befc86d067a7
Conditional Access Administrator | Conditional Access administrator | b1be1c3e-b65d-4f19-8427-f6fa0d97feb9
CRM Service Administrator | Dynamics 365 administrator | 44367163-eba1-44c3-98af-f5787879f96a
Customer LockBox Access Approver | Customer Lockbox access approver | 5c4f9dcd-47dc-4cf7-8c9a-9e4207cbfc91
Desktop Analytics Administrator | Desktop Analytics Administrator | 38a96431-2bdf-4b4c-8b6e-5d3d8abac1a4
Device Administrators | Device administrators | 9f06204d-73c1-4d4c-880a-6edb90606fd8
Device Join | Device join | 9c094953-4995-41c8-84c8-3ebb9b32c93f
Device Managers | Device managers | 2b499bcd-da44-4968-8aec-78e1674fa64d
Device Users | Device users | d405c6df-0af8-4e3b-95e4-4d06e542189e
Directory Readers | Directory readers | 88d8e3e3-8f55-4a1e-953a-9b9898b8876b
Directory Synchronization Accounts | Directory synchronization accounts | d29b2b05-8046-44ba-8758-1e26182fcf32
Directory Writers | Directory writers | 9360feb5-f418-4baa-8175-e2a00bac4301
Exchange Service Administrator | Exchange administrator | 29232cdf-9323-42fd-ade2-1d097af3e4de
External Identity Provider Administrator | External Identity Provider Administrator | be2f45a1-457d-42af-a067-6ec1fa63bc45
Guest Inviter | Guest inviter | 95e79109-95c0-4d8e-aee3-d01accf2d47b
Helpdesk Administrator | Password administrator | 729827e3-9c14-49f7-bb1b-9608f156bbb8
Intune Service Administrator | Intune administrator | 3a2c62db-5318-420d-8d74-23affee5d9d5
Kaizala Administrator | Kaizala administrator | 74ef975b-6605-40af-a5d2-b9539d836353
License Administrator | License administrator | 4d6ac14f-3453-41d0-bef9-a3e0c569773a
Lync Service Administrator | Skype for Business administrator | 75941009-915a-4869-abe7-691bff18279e
Message Center Privacy Reader | Message center privacy reader | ac16e43d-7b2d-40e0-ac05-243ff356ab5b
Message Center Reader | Message center reader | 790c1fb9-7f7d-4f88-86a1-ef1f95c05c1b
Partner Tier1 Support | Partner tier1 support | 4ba39ca4-527c-499a-b93d-d9b492c50246
Partner Tier2 Support | Partner tier2 support | e00e864a-17c5-4a4b-9c06-f5b95a8d5bd8
Password Administrator | Password administrator | 966707d0-3269-4727-9be2-8c3a10f19b9d
Power BI Service Administrator | Power BI administrator | a9ea8996-122f-4c74-9520-8edcd192826c
Privileged Authentication Administrator | Privileged authentication administrator | 7be44c8a-adaf-4e2a-84d6-ab2649e08a13
Privileged Role Administrator | Privileged role administrator | e8611ab8-c189-46e8-94e1-60213ab1f814
Reports Reader | Reports reader | 4a5d8f65-41da-4de4-8968-e035b65339cf
Search Administrator | Search administrator | 0964bb5e-9bdb-4d7b-ac29-58e794862a40
Search Editor | Search editor | 8835291a-918c-4fd7-a9ce-faa49f0cf7d9
Security Administrator | Security administrator | 194ae4cb-b126-40b2-bd5b-6091b380977d
Security Operator | Security operator | 5f2222b1-57c3-48ba-8ad5-d4759f1fde6f
Security Reader | Security reader | 5d6b6bb7-de71-4623-b4af-96380a352509
Service Support Administrator | Service administrator | f023fd81-a637-4b56-95fd-791ac0226033
SharePoint Service Administrator | SharePoint administrator | f28a1f50-f6e7-4571-818b-6a12f2af6b6c
Teams Communications Administrator | Teams Communications Administrator | baf37b3a-610e-45da-9e62-d9d1e5e8914b
Teams Communications Support Engineer | Teams Communications Support Engineer | f70938a0-fc10-4177-9e90-2178f8765737
Teams Communications Support Specialist | Teams Communications Support Specialist | fcf91098-03e3-41a9-b5ba-6f0ec8188a12
Teams Service Administrator | Teams Service Administrator | 69091246-20e8-4a56-aa4d-066075b2a7a8
User | User | a0b1b346-4d3e-4e8b-98f8-753987be4970
User Account Administrator | User administrator | fe930be7-5e62-47db-91af-98c3a49a38b1
Workplace Device Join | Workplace device join | c34f683f-4d5a-4403-affd-6615e00e3a7f
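
The practical use of the template IDs above is to enumerate who holds the most sensitive roles without depending on a display name that differs between Graph and the portal (the Global administrator role, for instance, appears to Graph as Company Administrator). The following PowerShell is an added example, not code from the original article. It assumes the AzureAD module is installed and Connect-AzureAD has been run; the template IDs are copied from the table, and the threshold of five Global administrators is the recommendation given earlier in this article.

```powershell
# Added example (not from the original article): resolve Azure AD roles by
# template ID and list their current members.
# Assumes the AzureAD module is installed and Connect-AzureAD has been run.
#Requires -Modules AzureAD

# Template IDs taken from the table above. They are the same in every tenant,
# whereas display names differ between Graph and the portal.
$PrivilegedRoleTemplates = @{
    'Global administrator'                    = '62e90394-69f5-4237-9190-012177145e10'
    'Privileged role administrator'           = 'e8611ab8-c189-46e8-94e1-60213ab1f814'
    'Privileged authentication administrator' = '7be44c8a-adaf-4e2a-84d6-ab2649e08a13'
    'Security administrator'                  = '194ae4cb-b126-40b2-bd5b-6091b380977d'
    'User administrator'                      = 'fe930be7-5e62-47db-91af-98c3a49a38b1'
}

function Get-PrivilegedRoleMembers {
    param([hashtable]$Templates = $PrivilegedRoleTemplates)

    # Get-AzureADDirectoryRole returns only roles that have been activated in the
    # tenant (had at least one assignment). A template missing from this list has
    # never been assigned. Eligible PIM assignments that are not currently active
    # do not appear here either; review those in Privileged Identity Management.
    $activeRoles = Get-AzureADDirectoryRole

    foreach ($entry in $Templates.GetEnumerator()) {
        $role = $activeRoles | Where-Object { $_.RoleTemplateId -eq $entry.Value }
        if (-not $role) {
            [pscustomobject]@{ Role = $entry.Key; TemplateId = $entry.Value; Member = $null; Type = 'not activated' }
            continue
        }
        foreach ($m in Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId) {
            [pscustomobject]@{
                Role       = $entry.Key
                TemplateId = $entry.Value
                Member     = if ($m.UserPrincipalName) { $m.UserPrincipalName } else { $m.DisplayName }
                Type       = $m.ObjectType   # User or ServicePrincipal
            }
        }
    }
}

$members = Get-PrivilegedRoleMembers
$members | Sort-Object Role, Member | Format-Table -AutoSize

# The article recommends fewer than five Global administrators.
$gaCount = @($members | Where-Object { $_.Role -eq 'Global administrator' -and $_.Member }).Count
if ($gaCount -ge 5) {
    Write-Warning "$gaCount Global administrators are assigned; the guidance above is fewer than five."
}
```

Service principals show up in this output alongside users. An application holding Global administrator or Privileged role administrator deserves the same scrutiny as a person, since whoever controls its credentials controls the tenant.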

Deprecated roles

The following roles should not be used. They have been deprecated and will be removed from Azure AD in the future.
  • AdHoc License Administrator
  • Device Join
  • Device Managers
  • Device Users
  • Email Verified User Creator
  • Mailbox Administrator

Add or change Azure subscription administrators

To manage access to Azure resources, you must have the appropriate administrator role. Azure has an authorization system called role-based access control (RBAC) with several built-in roles you can choose from. You can assign these roles at different scopes, such as management group, subscription, or resource group.
Microsoft recommends that you manage access to resources using RBAC. However, if you are still using the classic deployment model and managing the classic resources by using Azure Service Management PowerShell Module, you'll need to use a classic administrator.
 Tip
If you only use the Azure portal to manage the classic resources, you won’t need to use the classic administrator.
This article describes how to add or change the administrator role for a user using RBAC at the subscription scope.

Assign a user as an administrator of a subscription

To make a user an administrator of an Azure subscription, assign them the Owner role (an RBAC role) at the subscription scope. The Owner role gives the user full access to all resources in the subscription, including the right to delegate access to others. These steps are the same as any other role assignment.
  1. In the Azure portal, open Subscriptions.
  2. Click the subscription where you want to grant access.
  3. Click Access control (IAM).
  4. Click the Role assignments tab to view all the role assignments for this subscription.
  5. Click Add > Add role assignment to open the Add role assignment pane.
    If you don't have permissions to assign roles, the option will be disabled.
  6. In the Role drop-down list, select the Owner role.
  7. In the Select list, select a user. If you don't see the user in the list, you can type in the Select box to search the directory for display names and email addresses.
  8. Click Save to assign the role.
    After a few moments, the user is assigned the Owner role at the subscription scope.
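
The same assignment can be made from the command line, which is preferable when it has to be repeatable or reviewed. The following PowerShell is an added example, not code from the original article. It assumes the Az module is installed and Connect-AzAccount has been run with an account that is itself allowed to assign roles at the subscription (the portal disables the option otherwise, as step 5 notes); the subscription ID and user principal name are inputs you supply.

```powershell
# Added example (not from the original article): the portal steps above
# performed with the Az PowerShell module.
# Assumes Install-Module Az and Connect-AzAccount have been run with an account
# permitted to assign roles on the subscription.
#Requires -Modules Az.Accounts, Az.Resources

param(
    [Parameter(Mandatory)] [string]$SubscriptionId,    # your input, e.g. from Get-AzSubscription
    [Parameter(Mandatory)] [string]$UserPrincipalName  # your input, the user to make an administrator
)

$scope = "/subscriptions/$SubscriptionId"

# Steps 1-3: select the subscription.
Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

# Step 4: review who already holds Owner at this scope. Assignments inherited
# from a parent management group are included in this listing.
Write-Host "Current Owner assignments on $scope"
Get-AzRoleAssignment -Scope $scope -RoleDefinitionName 'Owner' |
    Select-Object DisplayName, SignInName, ObjectType, Scope |
    Format-Table -AutoSize

# Steps 5-8: assign Owner at subscription scope, without creating a duplicate
# if the user already holds it.
$existing = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName 'Owner' -SignInName $UserPrincipalName
if ($existing) {
    Write-Host "$UserPrincipalName already holds Owner on $scope"
} else {
    New-AzRoleAssignment -SignInName $UserPrincipalName -RoleDefinitionName 'Owner' -Scope $scope
}
```

Because Owner includes the right to delegate access to others, every account in the listing above is effectively an administrator of the subscription; review that list as part of the change, not only the assignment you are adding.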