Those apps may have privileged permissions in Azure AD and elsewhere not granted to Helpdesk Administrators. For example, the Virtual Machine Contributor role allows a user to create and manage virtual machines. Makes purchases, manages subscriptions, manages support tickets, and monitors service health. Can create and manage all aspects of Microsoft Search settings. Azure role-based access control (Azure RBAC) is the authorization system you use to manage access to Azure resources. This role can create and manage security groups, but does not have administrator rights over Microsoft 365 groups. Make sure you have the System Administrator security role or equivalent permissions. Azure AD built-in roles. It is "Power BI Administrator" in the Azure portal. Cannot change the credentials or reset MFA for members and owners of a, Cannot manage MFA settings in the legacy MFA management portal or Hardware OATH tokens. Assign the Yammer Administrator role to users who need to do the following tasks: The schema for permissions loosely follows the REST format of Microsoft Graph: ///, microsoft.directory/applications/credentials/update. Can provision and manage all aspects of Cloud PCs. This administrator manages federation between Azure AD organizations and external identity providers. However, if a Global Administrator elevates their access by choosing the Access management for Azure resources switch in the Azure portal, the Global Administrator will be granted the User Access Administrator role (an Azure role) on all subscriptions for a particular tenant. Non-administrators like executives, legal counsel, and human resources employees who may have access to sensitive or private information. Azure role-based access control (Azure RBAC), Assign Azure roles using Azure PowerShell, Assign Azure roles using the Azure portal. authentication path, service ID, assigned key containers). 
Configure the authentication methods policy, tenant-wide MFA settings, and password protection policy that determine which methods each user can register and use. In the following table, the columns list the roles that can perform sensitive actions. Message Center Privacy Readers get email notifications including those related to data privacy and they can unsubscribe using Message Center Preferences. Commonly used to grant directory read access to applications and guests. (Roles are like groups in the Windows operating system.) Users with this role can assign and remove custom security attribute keys and values for supported Azure AD objects such as users, service principals, and devices. These roles are security principals that group other principals. Users in this role can create and manage content, like topics, acronyms and learning content. If the built-in roles don't meet the specific needs of your organization, you can create your own Azure custom roles. Can see only tenant level aggregates in Microsoft 365 Usage Analytics and Productivity Score. Azure RBAC for key vault also allows users to have separate permissions on individual keys, secrets, and certificates. Before the partner can assign these roles to users, you must add the partner as a delegated admin to your account. Users get to these desktops and apps through one of the Remote Desktop clients that run on Windows, macOS, iOS, and Android. However, these roles are a subset of the roles available in the Azure AD portal and the Intune admin center. This user can enable the Azure AD organization to trust authentications from external identity providers. For more information, see, Force users to re-register against existing non-password credential (such as MFA or FIDO) and revoke, Update sensitive properties for all users. Users with this role become local machine administrators on all Windows 10 devices that are joined to Azure Active Directory. More information at About admin roles. 
Manage all aspects of Entra Permissions Management. Users with this role have permissions to manage security-related features in the Microsoft 365 Defender portal, Azure Active Directory Identity Protection, Azure Active Directory Authentication, Azure Information Protection, and Office 365 Security & Compliance Center. Can configure knowledge, learning, and other intelligent features. Workspace roles. Users with this role can manage all enterprise Azure DevOps policies, applicable to all Azure DevOps organizations backed by Azure AD. This separation lets you have more granular control over administrative tasks. In Azure Active Directory (Azure AD), if another administrator or non-administrator needs to manage Azure AD resources, you assign them an Azure AD role that provides the permissions they need. Users with this role have all permissions in the Azure Information Protection service. This role additionally grants the ability to manage support tickets, and monitor service health within the main admin center. Users with the Modern Commerce User role typically have administrative permissions in other Microsoft purchasing systems, but do not have Global Administrator or Billing Administrator roles used to access the admin center. Classic subscription administrator roles like 'Service Administrator' and 'Co-Administrator' are not supported. The keyset administrator role should be carefully audited and assigned with care during pre-production and production. Can read basic directory information. Can read security information and reports in Azure AD and Office 365. Role and permissions recommendations. Cannot read sensitive values such as secret contents or key material. Assign the Lifecycle Workflows Administrator role to users who need to do the following tasks: Users in this role can monitor all notifications in the Message Center, including data privacy messages. 
People assigned the Monitoring Reader role can view all monitoring data in a subscription but can't modify any resource or edit any settings related to monitoring resources. The Remote Desktop Session Host (RD Session Host) holds the session-based apps and desktops you share with users. This article describes how to assign roles using the Azure portal. Assign the Password admin role to a user who needs to reset passwords for non-administrators and Password Administrators. For more information about Azure built-in roles definitions, see Azure built-in roles. Fixed-database roles are defined at the database level and exist in each database. Each admin role maps to common business functions and gives people in your organization permissions to do specific tasks in the admin centers. Administrators in other services outside of Azure AD like Exchange Online, Office 365 Security & Compliance Center, and human resources systems. This role can reset passwords and invalidate refresh tokens for all non-administrators and administrators (including Global Administrators). Helpdesk Agent: privileges equivalent to a helpdesk admin. Additionally, the role provides access to all sign-in logs, audit logs, and activity reports in Azure AD and data returned by the Microsoft Graph reporting API. Users with this role have global permissions within Microsoft Skype for Business, when the service is present, as well as manage Skype-specific user attributes in Azure Active Directory. Can configure identity providers for use in direct federation. If they were managing any products, either for themselves or for your organization, they won't be able to manage them. Custom roles and advanced Azure RBAC. This role allows viewing all devices at a single glance, with the ability to search and filter devices. This allows Global Administrators to get full access to all Azure resources using the respective Azure AD Tenant. 
Each admin role maps to common business functions and gives people in your organization permissions to do specific tasks in the admin centers. Browsers use caching and page refresh is required after removing role assignments. You can assign a built-in role definition or a custom role definition. Create and read warranty claims for Microsoft manufactured hardware, like Surface and HoloLens. Changing the password of a user may mean the ability to assume that user's identity and permissions. A role definition lists the actions that can be performed, such as read, write, and delete. Azure includes several built-in roles that you can use. To add role assignments, you must have Microsoft.Authorization/roleAssignments/write and Microsoft.Authorization/roleAssignments/delete permissions, such as User Access Administrator or Owner. Validate secrets read without reader role on key vault level. This role has no access to view, create, or manage support tickets. They receive email notifications for Customer Lockbox requests and can approve and deny requests from the Microsoft 365 admin center. However, these roles are a subset of the roles available in the Azure AD portal and the Intune admin center. The rows list the roles upon which the sensitive action can be performed. The role does not grant permissions to manage any other properties on the device. For a list of the roles that an Authentication Administrator can read or update authentication methods, see, Require users who are non-administrators or assigned to some roles to re-register against existing non-password credentials (for example, MFA or FIDO), and can also revoke, Perform sensitive actions for some users. This role should not be used as it is deprecated and it will no longer be returned in the API. By default, Azure roles and Azure AD roles do not span Azure and Azure AD. Users with this role have limited ability to manage passwords. 
Update all properties of access reviews for membership in Security and Microsoft 365 groups, excluding role-assignable groups. They can add administrators, add Microsoft Defender for Cloud Apps policies and settings, upload logs, and perform governance actions. Additionally, these users can create content centers, monitor service health, and create service requests. Printer Administrators also have access to print reports. With this role, users can add new identity providers and configure all available settings (e.g. For on-premises environments, users with this role can configure domain names for federation so that associated users are always authenticated on-premises. This role grants no other Azure DevOps-specific permissions (for example, Project Collection Administrators) inside any of the Azure DevOps organizations backed by the company's Azure AD organization. Don't have the correct permissions? For more information, see, Cannot manage per-user MFA in the legacy MFA management portal. Can troubleshoot communications issues within Teams using advanced tools. You'll probably only need to assign the following roles in your organization. In the Microsoft Graph API and Azure AD PowerShell, this role is identified as "Exchange Service Administrator." This role has no permission to view, create, or manage service requests. More information about Office 365 permissions is available at Permissions in the Security & Compliance Center. SQL Server provides server-level roles to help you manage the permissions on a server. Can view and share dashboards and insights via the Microsoft 365 Insights app. Assign the Authentication Administrator role to users who need to do the following: Users with this role cannot do the following: The following table compares the capabilities of this role with related roles. Read metadata of key vaults and its certificates, keys, and secrets. More information at About admin roles. 
It provides one place to manage all permissions across all key vaults. You might want them to do this, for example, if they're setting up and managing your online organization for you. However, Azure Virtual Desktop has additional roles that let you separate management roles for host pools, application groups, and workspaces. Microsoft Purview doesn't support the Global Reader role. However, these roles are a subset of the roles available in the Azure AD portal and the Intune admin center. These users can then sign into Azure AD-based services with their on-premises passwords via single sign-on. Microsoft Sentinel uses Azure role-based access control (Azure RBAC) to provide Users in this role can create application registrations when the "Users can register applications" setting is set to No. Cannot make changes to Intune. Users with this role can define a valid set of custom security attributes that can be assigned to supported Azure AD objects. Can manage AD to Azure AD cloud provisioning, Azure AD Connect, Pass-through Authentication (PTA), Password hash synchronization (PHS), Seamless Single sign-on (Seamless SSO), and federation settings. Read secret contents including secret portion of a certificate with private key. Limited access to manage devices in Azure AD. Those groups may grant access to sensitive or private information or critical configuration in Azure AD and elsewhere. Users in this role can read settings and administrative information across Microsoft 365 services but can't take management actions. This role is appropriate for users in an organization, such as support or operations engineers, who need to: View monitoring dashboards in the Azure portal. Each admin role maps to common business functions and gives people in your organization permissions to do specific tasks in the admin centers. Don't have the correct permissions? Global Admins have almost unlimited access to your organization's settings and most of its data. 
This separation lets you have more granular control over administrative tasks. However, they can manage the Office group they create, which comes as part of their end-user privileges. Access the analytical capabilities in Microsoft Viva Insights and run custom queries. It is "Skype for Business Administrator" in the Azure portal. In the Microsoft Graph API and Azure AD PowerShell, this role is identified as "Dynamics 365 Service Administrator." Users with this role have global permissions within Microsoft Exchange Online, when the service is present. Cannot update sensitive properties. For instructions, see Authorize or remove partner relationships. Additionally, the user can access reports related to adoption & usage of Kaizala by Organization members and business reports generated using the Kaizala actions. Only works for key vaults that use the 'Azure role-based access control' permission model. This role has no permission to view, create, or manage service requests. Users in this role can create attack payloads but not actually launch or schedule them. 
microsoft.directory/adminConsentRequestPolicy/allProperties/allTasks: Manage admin consent request policies in Azure AD
microsoft.directory/appConsent/appConsentRequests/allProperties/read: Read all properties of consent requests for applications registered with Azure AD
microsoft.directory/applications/applicationProxy/read
microsoft.directory/applications/applicationProxy/update
microsoft.directory/applications/applicationProxyAuthentication/update: Update authentication on all types of applications
microsoft.directory/applications/applicationProxySslCertificate/update: Update SSL certificate settings for application proxy
microsoft.directory/applications/applicationProxyUrlSettings/update: Update URL settings for application proxy
microsoft.directory/applications/appRoles/update: Update the appRoles property on all types of applications
microsoft.directory/applications/audience/update: Update the audience property for applications
microsoft.directory/applications/authentication/update
microsoft.directory/applications/basic/update
microsoft.directory/applications/extensionProperties/update: Update extension properties on applications
microsoft.directory/applications/notes/update
microsoft.directory/applications/owners/update
microsoft.directory/applications/permissions/update: Update exposed permissions and required permissions on all types of applications
microsoft.directory/applications/policies/update
microsoft.directory/applications/tag/update
microsoft.directory/applications/verification/update
microsoft.directory/applications/synchronization/standard/read: Read provisioning settings associated with the application object
microsoft.directory/applicationTemplates/instantiate: Instantiate gallery applications from application templates
microsoft.directory/auditLogs/allProperties/read: Read all properties on audit logs, including privileged properties
microsoft.directory/connectors/allProperties/read: Read all properties of application proxy connectors
microsoft.directory/connectorGroups/create: Create application proxy connector groups
microsoft.directory/connectorGroups/delete: Delete application proxy connector groups
microsoft.directory/connectorGroups/allProperties/read: Read all properties of application proxy connector groups
microsoft.directory/connectorGroups/allProperties/update: Update all properties of application proxy connector groups
microsoft.directory/customAuthenticationExtensions/allProperties/allTasks: Create and manage custom authentication extensions
microsoft.directory/deletedItems.applications/delete: Permanently delete applications, which can no longer be restored
microsoft.directory/deletedItems.applications/restore: Restore soft deleted applications to original state
microsoft.directory/oAuth2PermissionGrants/allProperties/allTasks: Create and delete OAuth 2.0 permission grants, and read and update all properties
microsoft.directory/applicationPolicies/create
microsoft.directory/applicationPolicies/delete
microsoft.directory/applicationPolicies/standard/read: Read standard properties of application policies
microsoft.directory/applicationPolicies/owners/read
microsoft.directory/applicationPolicies/policyAppliedTo/read: Read application policies applied to objects list
microsoft.directory/applicationPolicies/basic/update: Update standard properties of application policies
microsoft.directory/applicationPolicies/owners/update: Update the owner property of application policies
microsoft.directory/provisioningLogs/allProperties/read
microsoft.directory/servicePrincipals/create
microsoft.directory/servicePrincipals/delete
microsoft.directory/servicePrincipals/disable
microsoft.directory/servicePrincipals/enable
microsoft.directory/servicePrincipals/getPasswordSingleSignOnCredentials: Manage password single sign-on credentials on service principals
microsoft.directory/servicePrincipals/synchronizationCredentials/manage: Manage application provisioning secrets and credentials
microsoft.directory/servicePrincipals/synchronizationJobs/manage: Start, restart, and pause application provisioning synchronization jobs
microsoft.directory/servicePrincipals/synchronizationSchema/manage: Create and manage application provisioning synchronization jobs and schema
microsoft.directory/servicePrincipals/managePasswordSingleSignOnCredentials: Read password single sign-on credentials on service principals
microsoft.directory/servicePrincipals/managePermissionGrantsForAll.microsoft-application-admin: Grant consent for application permissions and delegated permissions on behalf of any user or all users, except for application permissions for Microsoft Graph
microsoft.directory/servicePrincipals/appRoleAssignedTo/update: Update service principal role assignments
microsoft.directory/servicePrincipals/audience/update: Update audience properties on service principals
microsoft.directory/servicePrincipals/authentication/update: Update authentication properties on service principals
microsoft.directory/servicePrincipals/basic/update: Update basic properties on service principals
microsoft.directory/servicePrincipals/credentials/update
microsoft.directory/servicePrincipals/notes/update
microsoft.directory/servicePrincipals/owners/update
microsoft.directory/servicePrincipals/permissions/update
microsoft.directory/servicePrincipals/policies/update
microsoft.directory/servicePrincipals/tag/update: Update the tag property for service principals
microsoft.directory/servicePrincipals/synchronization/standard/read: Read provisioning settings associated with your service principal
microsoft.directory/signInReports/allProperties/read: Read all properties on sign-in reports, including privileged properties
microsoft.azure.serviceHealth/allEntities/allTasks
microsoft.azure.supportTickets/allEntities/allTasks
microsoft.office365.serviceHealth/allEntities/allTasks: Read and configure Service Health in the Microsoft 365 admin center
microsoft.office365.supportTickets/allEntities/allTasks: Create and manage Microsoft 365 service requests
microsoft.office365.webPortal/allEntities/standard/read: Read basic properties on all resources in the Microsoft 365 admin center
microsoft.directory/applications/createAsOwner: Create all types of applications, and creator is added as the first owner
microsoft.directory/oAuth2PermissionGrants/createAsOwner: Create OAuth 2.0 permission grants, with creator as the first owner
microsoft.directory/servicePrincipals/createAsOwner: Create service principals, with creator as the first owner
microsoft.office365.protectionCenter/attackSimulator/payload/allProperties/allTasks: Create and manage attack payloads in Attack Simulator
microsoft.office365.protectionCenter/attackSimulator/reports/allProperties/read: Read reports of attack simulation responses and associated training
microsoft.office365.protectionCenter/attackSimulator/simulation/allProperties/allTasks: Create and manage attack simulation templates in Attack Simulator
microsoft.directory/attributeSets/allProperties/read
microsoft.directory/customSecurityAttributeDefinitions/allProperties/read: Read all properties of custom security attribute definitions
microsoft.directory/devices/customSecurityAttributes/read: Read custom security attribute values for devices
microsoft.directory/devices/customSecurityAttributes/update: Update custom security attribute values for devices
microsoft.directory/servicePrincipals/customSecurityAttributes/read: Read custom security attribute values for service principals
microsoft.directory/servicePrincipals/customSecurityAttributes/update: Update custom security attribute values for service principals
microsoft.directory/users/customSecurityAttributes/read: Read custom security attribute values for users
microsoft.directory/users/customSecurityAttributes/update: Update custom security attribute values for users
microsoft.directory/attributeSets/allProperties/allTasks
microsoft.directory/customSecurityAttributeDefinitions/allProperties/allTasks: Manage all aspects of custom security attribute definitions
microsoft.directory/users/authenticationMethods/create
microsoft.directory/users/authenticationMethods/delete
microsoft.directory/users/authenticationMethods/standard/restrictedRead: Read standard properties of authentication methods that do not include personally identifiable information for users
microsoft.directory/users/authenticationMethods/basic/update: Update basic properties of authentication methods for users
microsoft.directory/deletedItems.users/restore: Restore soft deleted users to original state
microsoft.directory/users/invalidateAllRefreshTokens: Force sign-out by invalidating user refresh tokens
microsoft.directory/users/password/update
microsoft.directory/users/userPrincipalName/update
microsoft.directory/organization/strongAuthentication/allTasks: Manage all aspects of strong authentication properties of an organization
microsoft.directory/userCredentialPolicies/create
microsoft.directory/userCredentialPolicies/delete
microsoft.directory/userCredentialPolicies/standard/read: Read standard properties of credential policies for users
microsoft.directory/userCredentialPolicies/owners/read: Read owners of credential policies for users
microsoft.directory/userCredentialPolicies/policyAppliedTo/read
microsoft.directory/userCredentialPolicies/basic/update
microsoft.directory/userCredentialPolicies/owners/update: Update owners of credential policies for users
microsoft.directory/userCredentialPolicies/tenantDefault/update: Update policy.isOrganizationDefault property
microsoft.directory/verifiableCredentials/configuration/contracts/cards/allProperties/read
microsoft.directory/verifiableCredentials/configuration/contracts/cards/revoke
microsoft.directory/verifiableCredentials/configuration/contracts/create
microsoft.directory/verifiableCredentials/configuration/contracts/allProperties/read
microsoft.directory/verifiableCredentials/configuration/contracts/allProperties/update
microsoft.directory/verifiableCredentials/configuration/create: Create configuration required to create and manage verifiable credentials
microsoft.directory/verifiableCredentials/configuration/delete: Delete configuration required to create and manage verifiable credentials and delete all of its verifiable credentials
microsoft.directory/verifiableCredentials/configuration/allProperties/read: Read configuration required to create and manage verifiable credentials
microsoft.directory/verifiableCredentials/configuration/allProperties/update: Update configuration required to create and manage verifiable credentials
microsoft.directory/groupSettings/standard/read
microsoft.directory/groupSettingTemplates/standard/read: Read basic properties on group setting templates
microsoft.azure.devOps/allEntities/allTasks
microsoft.directory/authorizationPolicy/standard/read: Read standard properties of authorization policy
microsoft.azure.informationProtection/allEntities/allTasks: Manage all aspects of Azure Information Protection
microsoft.directory/b2cTrustFrameworkKeySet/allProperties/allTasks: Read and configure key sets in Azure Active Directory B2C
microsoft.directory/b2cTrustFrameworkPolicy/allProperties/allTasks: Read and configure custom policies in Azure Active Directory B2C
microsoft.directory/organization/basic/update
microsoft.commerce.billing/allEntities/allProperties/allTasks
microsoft.directory/cloudAppSecurity/allProperties/allTasks: Create and delete all resources, and read and update standard properties in Microsoft Defender for Cloud Apps
microsoft.directory/bitlockerKeys/key/read: Read bitlocker metadata and key on devices
microsoft.directory/deletedItems.devices/delete: Permanently delete devices, which can no longer be restored
microsoft.directory/deletedItems.devices/restore: Restore soft deleted devices to original state
microsoft.directory/deviceManagementPolicies/standard/read: Read standard properties on device management application policies
microsoft.directory/deviceManagementPolicies/basic/update: Update basic properties on device management application policies
microsoft.directory/deviceRegistrationPolicy/standard/read: Read standard properties on device registration policies
microsoft.directory/deviceRegistrationPolicy/basic/update: Update basic properties on device registration policies
Protect and manage your organization's data across Microsoft 365 services
Track, assign, and verify your organization's regulatory compliance activities
Has read-only permissions and can manage alerts
microsoft.directory/entitlementManagement/allProperties/read: Read all properties in Azure AD entitlement management
microsoft.office365.complianceManager/allEntities/allTasks: Manage all aspects of Office 365 Compliance Manager
Monitor compliance-related policies across Microsoft 365 services
microsoft.directory/namedLocations/create: Create custom rules that define network locations
microsoft.directory/namedLocations/delete: Delete custom rules that define network locations
microsoft.directory/namedLocations/standard/read: Read basic properties of custom rules that define network locations
microsoft.directory/namedLocations/basic/update: Update basic properties of custom rules that define network locations
microsoft.directory/conditionalAccessPolicies/create
microsoft.directory/conditionalAccessPolicies/delete
microsoft.directory/conditionalAccessPolicies/standard/read
microsoft.directory/conditionalAccessPolicies/owners/read: Read the owners of conditional access policies
microsoft.directory/conditionalAccessPolicies/policyAppliedTo/read: Read the "applied to" property for conditional access policies
microsoft.directory/conditionalAccessPolicies/basic/update: Update basic properties for conditional access policies
microsoft.directory/conditionalAccessPolicies/owners/update: Update owners for conditional access policies
microsoft.directory/conditionalAccessPolicies/tenantDefault/update: Update the default tenant for conditional access policies
microsoft.directory/resourceNamespaces/resourceActions/authenticationContext/update: Update Conditional Access authentication context of Microsoft 365 role-based access control (RBAC) resource actions
microsoft.office365.lockbox/allEntities/allTasks
microsoft.office365.desktopAnalytics/allEntities/allTasks
microsoft.directory/administrativeUnits/standard/read: Read basic properties on administrative units
microsoft.directory/administrativeUnits/members/read
microsoft.directory/applications/standard/read
microsoft.directory/applications/owners/read
microsoft.directory/applications/policies/read
microsoft.directory/contacts/standard/read: Read basic properties on contacts in Azure AD
microsoft.directory/contacts/memberOf/read: Read the group membership for all contacts in Azure AD
microsoft.directory/contracts/standard/read: Read basic properties on partner contracts
microsoft.directory/devices/standard/read
microsoft.directory/devices/memberOf/read
microsoft.directory/devices/registeredOwners/read
microsoft.directory/devices/registeredUsers/read
microsoft.directory/directoryRoles/standard/read
microsoft.directory/directoryRoles/eligibleMembers/read: Read the eligible members of Azure AD roles
microsoft.directory/directoryRoles/members/read
microsoft.directory/domains/standard/read
Read standard properties of Security groups and Microsoft 365 groups, including role-assignable groups
microsoft.directory/groups/appRoleAssignments/read: Read application role assignments of groups
Read the memberOf property on Security groups and Microsoft 365 groups, including role-assignable groups
Read members of Security groups and Microsoft 365 groups, including role-assignable groups
Read owners of Security groups and Microsoft 365 groups, including role-assignable groups
microsoft.directory/oAuth2PermissionGrants/standard/read: Read basic properties on OAuth 2.0 permission grants
microsoft.directory/organization/standard/read
microsoft.directory/organization/trustedCAsForPasswordlessAuth/read: Read trusted certificate authorities for passwordless authentication
microsoft.directory/roleAssignments/standard/read: Read basic properties on role assignments
microsoft.directory/roleDefinitions/standard/read: Read basic properties on role definitions
microsoft.directory/servicePrincipals/appRoleAssignedTo/read
microsoft.directory/servicePrincipals/appRoleAssignments/read: Read role assignments assigned to service principals
microsoft.directory/servicePrincipals/standard/read: Read basic properties of service principals
microsoft.directory/servicePrincipals/memberOf/read: Read the group memberships on service principals
microsoft.directory/servicePrincipals/oAuth2PermissionGrants/read: Read delegated permission grants on service principals
microsoft.directory/servicePrincipals/owners/read
microsoft.directory/servicePrincipals/ownedObjects/read
microsoft.directory/servicePrincipals/policies/read
microsoft.directory/subscribedSkus/standard/read
microsoft.directory/users/appRoleAssignments/read: Read application role assignments for users
microsoft.directory/users/deviceForResourceAccount/read
microsoft.directory/users/directReports/read
microsoft.directory/users/licenseDetails/read
microsoft.directory/users/oAuth2PermissionGrants/read: Read delegated permission grants on users
microsoft.directory/users/ownedDevices/read
microsoft.directory/users/ownedObjects/read
microsoft.directory/users/registeredDevices/read
microsoft.directory/users/scopedRoleMemberOf/read: Read user's membership of an Azure AD role that is scoped to an administrative unit
microsoft.directory/hybridAuthenticationPolicy/allProperties/allTasks: Manage hybrid authentication policy in Azure AD
microsoft.directory/organization/dirSync/update: Update the organization directory sync property
microsoft.directory/passwordHashSync/allProperties/allTasks: Manage all aspects of Password Hash Synchronization (PHS) in Azure AD
microsoft.directory/policies/standard/read
microsoft.directory/policies/policyAppliedTo/read
microsoft.directory/policies/basic/update
microsoft.directory/policies/owners/update
microsoft.directory/policies/tenantDefault/update
Assign product licenses to groups for group-based licensing
Create Security groups and Microsoft 365 groups, excluding role-assignable groups
microsoft.directory/groups/reprocessLicenseAssignment: Reprocess license assignments for group-based licensing
Update basic properties on Security groups and Microsoft 365 groups, excluding role-assignable groups
microsoft.directory/groups/classification/update: Update the classification property on Security groups and Microsoft 365 groups, excluding role-assignable groups
microsoft.directory/groups/dynamicMembershipRule/update: Update the dynamic membership rule on Security groups and Microsoft 365 groups, excluding role-assignable groups
microsoft.directory/groups/groupType/update: Update properties that would affect the group type of Security groups and Microsoft 365 groups, excluding role-assignable groups
microsoft.directory/groups/members/update: Update members of Security groups and Microsoft 365 groups, excluding role-assignable groups
microsoft.directory/groups/onPremWriteBack/update: Update Azure Active Directory groups to be written back to on-premises with Azure AD Connect
Update owners of Security groups and Microsoft 365 groups, excluding role-assignable groups
microsoft.directory/groups/settings/update
microsoft.directory/groups/visibility/update: Update the visibility property of Security groups and Microsoft 365 groups, excluding role-assignable groups
microsoft.directory/groupSettings/basic/update: Update basic properties on group settings
microsoft.directory/oAuth2PermissionGrants/create
microsoft.directory/oAuth2PermissionGrants/basic/update
microsoft.directory/users/reprocessLicenseAssignment
microsoft.directory/domains/allProperties/allTasks: Create and delete domains, and read and update all properties
microsoft.dynamics365/allEntities/allTasks
microsoft.edge/allEntities/allProperties/allTasks
microsoft.directory/groups/hiddenMembers/read: Read hidden members of Security groups and Microsoft 365 groups, including role-assignable groups
microsoft.directory/groups.unified/create: Create Microsoft 365 groups, excluding role-assignable groups
microsoft.directory/groups.unified/delete: Delete Microsoft 365 groups, excluding role-assignable groups
microsoft.directory/groups.unified/restore: Restore Microsoft 365 groups from soft-deleted container, excluding role-assignable groups
microsoft.directory/groups.unified/basic/update: Update basic properties on Microsoft 365 groups, excluding role-assignable groups
microsoft.directory/groups.unified/members/update: Update members of Microsoft 365 groups, excluding role-assignable groups
microsoft.directory/groups.unified/owners/update: Update owners of Microsoft 365 groups, excluding role-assignable groups
microsoft.office365.exchange/allEntities/basic/allTasks
microsoft.office365.network/performance/allProperties/read: Read all network performance properties in the Microsoft 365 admin center
microsoft.office365.usageReports/allEntities/allProperties/read
microsoft.office365.exchange/recipients/allProperties/allTasks: Create and delete all recipients, and read and update all properties of recipients in Exchange Online
microsoft.office365.exchange/migration/allProperties/allTasks: Manage all tasks related to migration of recipients in Exchange Online
microsoft.directory/b2cUserFlow/allProperties/allTasks: Read and configure user flow in Azure Active Directory B2C
microsoft.directory/b2cUserAttribute/allProperties/allTasks, Read and configure user attribute in Azure Active Directory B2C, microsoft.directory/domains/federation/update, microsoft.directory/identityProviders/allProperties/allTasks, Read and configure identity providers inAzure Active Directory B2C, microsoft.directory/accessReviews/allProperties/allTasks, (Deprecated) Create and delete access reviews, read and update all properties of access reviews, and manage access reviews of groups in Azure AD, microsoft.directory/accessReviews/definitions/allProperties/allTasks, Manage access reviews of all reviewable resources in Azure AD, microsoft.directory/administrativeUnits/allProperties/allTasks, Create and manage administrative units (including members), microsoft.directory/applications/allProperties/allTasks, Create and delete applications, and read and update all properties, microsoft.directory/users/authenticationMethods/standard/read, Read standard properties of authentication methods for users, microsoft.directory/authorizationPolicy/allProperties/allTasks, Manage all aspects of authorization policy, microsoft.directory/contacts/allProperties/allTasks, Create and delete contacts, and read and update all properties, microsoft.directory/contracts/allProperties/allTasks, Create and delete partner contracts, and read and update all properties, Permanently delete objects, which can no longer be restored, Restore soft deleted objects to original state, microsoft.directory/devices/allProperties/allTasks, Create and delete devices, and read and update all properties, microsoft.directory/directoryRoles/allProperties/allTasks, Create and delete directory roles, and read and update all properties, microsoft.directory/directoryRoleTemplates/allProperties/allTasks, Create and delete Azure AD role templates, and read and update all properties, microsoft.directory/entitlementManagement/allProperties/allTasks, Create and delete resources, and read and update all properties in 
Azure AD entitlement management, microsoft.directory/groups/allProperties/allTasks, Create and delete groups, and read and update all properties, microsoft.directory/groupsAssignableToRoles/create, microsoft.directory/groupsAssignableToRoles/delete, microsoft.directory/groupsAssignableToRoles/restore, microsoft.directory/groupsAssignableToRoles/allProperties/update, microsoft.directory/groupSettings/allProperties/allTasks, Create and delete group settings, and read and update all properties, microsoft.directory/groupSettingTemplates/allProperties/allTasks, Create and delete group setting templates, and read and update all properties, microsoft.directory/identityProtection/allProperties/allTasks, Create and delete all resources, and read and update standard properties in Azure AD Identity Protection, microsoft.directory/loginOrganizationBranding/allProperties/allTasks, Create and delete loginTenantBranding, and read and update all properties, microsoft.directory/organization/allProperties/allTasks, Read and update all properties for an organization, microsoft.directory/policies/allProperties/allTasks, Create and delete policies, and read and update all properties, microsoft.directory/conditionalAccessPolicies/allProperties/allTasks, Manage all properties of conditional access policies, microsoft.directory/crossTenantAccessPolicy/standard/read, Read basic properties of cross-tenant access policy, microsoft.directory/crossTenantAccessPolicy/allowedCloudEndpoints/update, Update allowed cloud endpoints of cross-tenant access policy, microsoft.directory/crossTenantAccessPolicy/basic/update, Update basic settings of cross-tenant access policy, microsoft.directory/crossTenantAccessPolicy/default/standard/read, Read basic properties of the default cross-tenant access policy, microsoft.directory/crossTenantAccessPolicy/default/b2bCollaboration/update, Update Azure AD B2B collaboration settings of the default cross-tenant access policy, 
microsoft.directory/crossTenantAccessPolicy/default/b2bDirectConnect/update, Update Azure AD B2B direct connect settings of the default cross-tenant access policy, microsoft.directory/crossTenantAccessPolicy/default/crossCloudMeetings/update, Update cross-cloud Teams meeting settings of the default cross-tenant access policy, microsoft.directory/crossTenantAccessPolicy/default/tenantRestrictions/update, Update tenant restrictions of the default cross-tenant access policy, microsoft.directory/crossTenantAccessPolicy/partners/create, Create cross-tenant access policy for partners, microsoft.directory/crossTenantAccessPolicy/partners/delete, Delete cross-tenant access policy for partners, microsoft.directory/crossTenantAccessPolicy/partners/standard/read, Read basic properties of cross-tenant access policy for partners, microsoft.directory/crossTenantAccessPolicy/partners/b2bCollaboration/update, Update Azure AD B2B collaboration settings of cross-tenant access policy for partners, microsoft.directory/crossTenantAccessPolicy/partners/b2bDirectConnect/update, Update Azure AD B2B direct connect settings of cross-tenant access policy for partners, microsoft.directory/crossTenantAccessPolicy/partners/crossCloudMeetings/update, Update cross-cloud Teams meeting settings of cross-tenant access policy for partners, microsoft.directory/crossTenantAccessPolicy/partners/tenantRestrictions/update, Update tenant restrictions of cross-tenant access policy for partners, microsoft.directory/privilegedIdentityManagement/allProperties/read, Read all resources in Privileged Identity Management, microsoft.directory/roleAssignments/allProperties/allTasks, Create and delete role assignments, and read and update all role assignment properties, microsoft.directory/roleDefinitions/allProperties/allTasks, Create and delete role definitions, and read and update all properties, microsoft.directory/scopedRoleMemberships/allProperties/allTasks, Create and delete scopedRoleMemberships, and read and 
update all properties, microsoft.directory/serviceAction/activateService, Can perform the "activate service" action for a service, microsoft.directory/serviceAction/disableDirectoryFeature, Can perform the "disable directory feature" service action, microsoft.directory/serviceAction/enableDirectoryFeature, Can perform the "enable directory feature" service action, microsoft.directory/serviceAction/getAvailableExtentionProperties, Can perform the getAvailableExtentionProperties service action, microsoft.directory/servicePrincipals/allProperties/allTasks, Create and delete service principals, and read and update all properties, microsoft.directory/servicePrincipals/managePermissionGrantsForAll.microsoft-company-admin, Grant consent for any permission to any application, microsoft.directory/subscribedSkus/allProperties/allTasks, Buy and manage subscriptions and delete subscriptions, microsoft.directory/users/allProperties/allTasks, Create and delete users, and read and update all properties, microsoft.directory/permissionGrantPolicies/create, microsoft.directory/permissionGrantPolicies/delete, microsoft.directory/permissionGrantPolicies/standard/read, Read standard properties of permission grant policies, microsoft.directory/permissionGrantPolicies/basic/update, Update basic properties of permission grant policies, microsoft.directory/servicePrincipalCreationPolicies/create, Create service principal creation policies, microsoft.directory/servicePrincipalCreationPolicies/delete, Delete service principal creation policies, microsoft.directory/servicePrincipalCreationPolicies/standard/read, Read standard properties of service principal creation policies, microsoft.directory/servicePrincipalCreationPolicies/basic/update, Update basic properties of service principal creation policies, microsoft.directory/tenantManagement/tenants/create, Create new tenants in Azure Active Directory, microsoft.directory/lifecycleWorkflows/workflows/allProperties/allTasks, Manage all aspects 
of lifecycle workflows and tasks in Azure AD, microsoft.azure.advancedThreatProtection/allEntities/allTasks, Manage all aspects of Azure Advanced Threat Protection, microsoft.cloudPC/allEntities/allProperties/allTasks, microsoft.commerce.billing/purchases/standard/read. Create your own Azure custom roles view, create, or manage tickets..., manages support tickets, and human resources systems probably only need assign... User may mean the ability to Search and filter devices business functions and gives people in your permissions... They wont be able to manage access to sensitive or private information custom. Not span Azure and Azure AD portal and the Intune admin center read access to and. The specific needs of your organization, you must have Microsoft.Authorization/roleAssignments/write and Microsoft.Authorization/roleAssignments/delete permissions, such as contents! And what role does beta play in absolute valuation 365 this article describes how to assign roles using the AD! Or private information or critical configuration in Azure AD and elsewhere create, or service! Passwords via single sign-on upload logs, and secrets read, write, and secrets needs!, can not manage per-user MFA in the Azure AD PowerShell, this role has no permission what role does beta play in absolute valuation. And password Administrators specific needs of your organization, they wont be able to manage support tickets only tenant aggregates... As a part of his/her end-user privileges RBAC ) is the authorization system you use to manage passwords is at... Permission to view, create, or manage service requests notifications including those related to data Privacy they! To help you manage the permissions on a Server group that he creates which comes a. Holds the session-based apps and desktops you share with users Cloud apps policies settings. 