A 11 Microsoft Entra ID administrative roles - dcasota/m365-scripts GitHub Wiki

Microsoft 365 is a cloud-based platform that offers various services and applications for businesses and organizations. One of the key features of Microsoft 365 is the permission model, which defines how users and groups can access and manage resources within the platform. Administrators can enhance the security, efficiency, and productivity of their Microsoft 365 environment by understanding and applying the permission model. The permission model is based on the concepts of roles, scopes, and assignments, which can be combined and configured in various ways to suit different scenarios and use cases.

Microsoft Entra currently has 99 roles. The following commands list the role templates, summarised in the table below.

Install-Module -Name Microsoft.Graph.Entra -Scope AllUsers -Force -AllowPrerelease
Import-Module Microsoft.Graph.Entra
Connect-MgGraph -Scopes 'User.Read.All', 'RoleManagement.ReadWrite.Directory'
Get-MgDirectoryRoleTemplate -All
Nr.  Role                                               Description
01   Application Administrator                          Can create and manage all aspects of app registrations and enterprise apps.
02   Application Developer                              Can create application registrations independent of the 'Users can register applications' setting.
03   Attack Payload Author                              Can create attack payloads that an administrator can initiate later.
04   Attack Simulation Administrator                    Can create and manage all aspects of attack simulation campaigns.
05   Attribute Assignment Administrator                 Assign custom security attribute keys and values to supported Microsoft Entra objects.
06   Attribute Assignment Reader                        Read custom security attribute keys and values for supported Microsoft Entra objects.
07   Attribute Definition Administrator                 Define and manage the definition of custom security attributes.
08   Attribute Definition Reader                        Read the definition of custom security attributes.
09   Attribute Log Administrator                        Read audit logs and configure diagnostic settings for events related to custom security attributes.
10   Attribute Log Reader                               Read audit logs related to custom security attributes.
11   Authentication Administrator                       Can access to view, set and reset authentication method information for any non-admin user.
12   Authentication Extensibility Administrator         Customize sign in and sign up experiences for users by creating and managing custom authentication extensions.
13   Authentication Policy Administrator                Can create and manage the authentication methods policy, tenant-wide MFA settings, password protection policy, and verifiable credentials.
14   Azure DevOps Administrator                         Can manage Azure DevOps organization policy and settings.
15   Azure Information Protection Administrator         Can manage all aspects of the Azure Information Protection product.
16   B2C IEF Keyset Administrator                       Can manage secrets for federation and encryption in the Identity Experience Framework (IEF).
17   B2C IEF Policy Administrator                       Can create and manage trust framework policies in the Identity Experience Framework (IEF).
18   Billing Administrator                              Can perform common billing related tasks like updating payment information.
19   Cloud App Security Administrator                   Can manage all aspects of the Cloud App Security product.
20   Cloud Application Administrator                    Can create and manage all aspects of app registrations and enterprise apps except App Proxy.
21   Cloud Device Administrator                         Limited access to manage devices in Microsoft Entra ID.
22   Compliance Administrator                           Can read and manage compliance configuration and reports in Microsoft Entra ID and Microsoft 365.
23   Compliance Data Administrator                      Creates and manages compliance content.
24   Conditional Access Administrator                   Can manage Conditional Access capabilities.
25   Customer LockBox Access Approver                   Can approve Microsoft support requests to access customer organizational data.
26   Desktop Analytics Administrator                    Can access and manage Desktop management tools and services.
27   Directory Readers                                  Can read basic directory information. Commonly used to grant directory read access to applications and guests.
28   Directory Writers                                  Can read and write basic directory information. For granting access to applications, not intended for users.
29   Domain Name Administrator                          Can manage domain names in cloud and on-premises.
30   Dynamics 365 Administrator                         Can manage all aspects of the Dynamics 365 product.
31   Dynamics 365 Business Central Administrator        Access and perform all administrative tasks on Dynamics 365 Business Central environments.
32   Edge Administrator                                 Manage all aspects of Microsoft Edge.
33   Exchange Administrator                             Can manage all aspects of the Exchange product.
34   Exchange Recipient Administrator                   Can create or update Exchange Online recipients within the Exchange Online organization.
35   Extended Directory User Administrator              Manage all aspects of external user profiles in the extended directory for Teams.
36   External ID User Flow Administrator                Can create and manage all aspects of user flows.
37   External ID User Flow Attribute Administrator      Can create and manage the attribute schema available to all user flows.
38   External Identity Provider Administrator           Can configure identity providers for use in direct federation.
39   Fabric Administrator                               Can manage all aspects of Microsoft Fabric.
40   Global Reader                                      Can read everything that a Global Administrator can, but not update anything.
41   Global Secure Access Administrator                 Create and manage all aspects of Microsoft Entra Internet Access and Microsoft Entra Private Access, including managing access to public and private endpoints.
42   Groups Administrator                               Members of this role can create/manage groups, create/manage groups settings like naming and expiration policies, and view groups activity and audit reports.
43   Guest Inviter                                      Can invite guest users independent of the 'members can invite guests' setting.
44   Helpdesk Administrator                             Can reset passwords for non-administrators and Helpdesk Administrators.
45   Hybrid Identity Administrator                      Can manage AD to Microsoft Entra cloud provisioning, Microsoft Entra Connect, and federation settings.
46   Identity Governance Administrator                  Manage access using Microsoft Entra ID Governance scenarios.
47   Insights Administrator                             Has administrative access in the Microsoft 365 Insights app.
48   Insights Analyst                                   Access the analytical capabilities in Microsoft Viva Insights and run custom queries.
49   Insights Business Leader                           Can view and share dashboards and insights via the M365 Insights app.
50   Intune Administrator                               Can manage all aspects of the Intune product.
51   Kaizala Administrator                              Can manage settings for Microsoft Kaizala.
52   Knowledge Administrator                            Can configure knowledge, learning, and other intelligent features.
53   Knowledge Manager                                  Has access to topic management dashboard and can manage content.
54   License Administrator                              Can manage product licenses on users and groups.
55   Lifecycle Workflows Administrator                  Create and manage all aspects of workflows and tasks associated with Lifecycle Workflows in Microsoft Entra ID.
56   Message Center Privacy Reader                      Can read security messages and updates in Office 365 Message Center only.
57   Message Center Reader                              Can read messages and updates for their organization in Office 365 Message Center only.
58   Microsoft 365 Migration Administrator              Perform all migration functionality to migrate content to Microsoft 365 using Migration Manager.
59   Microsoft Entra Joined Device Local Administrator  Users assigned to this role are added to the local administrators group on Microsoft Entra joined devices.
60   Microsoft Hardware Warranty Administrator          Create and manage all aspects warranty claims and entitlements for Microsoft manufactured hardware, like Surface and HoloLens.
61   Microsoft Hardware Warranty Specialist             Create and read warranty claims for Microsoft manufactured hardware, like Surface and HoloLens.
62   Network Administrator                              Can manage network locations and review enterprise network design insights for Microsoft 365 Software as a Service applications.
63   Office Apps Administrator                          Can manage Office apps cloud services, including policy and settings management, and manage the ability to select, unselect and publish 'what's new' feature content to end-user's devices.
64   Organizational Branding Administrator              Manage all aspects of organizational branding in a tenant.
65   Organizational Messages Approver                   Review, approve, or reject new organizational messages for delivery in the Microsoft 365 admin center before they are sent to users.
66   Organizational Messages Writer                     Write, publish, manage, and review the organizational messages for end-users through Microsoft product surfaces.
67   Password Administrator                             Can reset passwords for non-administrators and Password Administrators.
68   Permissions Management Administrator               Manage all aspects of Entra Permissions Management.
69   Power Platform Administrator                       Can create and manage all aspects of Microsoft Dynamics 365, PowerApps and Microsoft Flow.
70   Printer Administrator                              Can manage all aspects of printers and printer connectors.
71   Printer Technician                                 Can register and unregister printers and update printer status.
72   Privileged Authentication Administrator            Can access to view, set and reset authentication method information for any user (admin or non-admin).
73   Privileged Role Administrator                      Can manage role assignments in Microsoft Entra ID, and all aspects of Privileged Identity Management.
74   Reports Reader                                     Can read sign-in and audit reports.
75   Search Administrator                               Can create and manage all aspects of Microsoft Search settings.
76   Search Editor                                      Can create and manage the editorial content such as bookmarks, Q and As, locations, floorplan.
77   Security Administrator                             Can read security information and reports, and manage configuration in Microsoft Entra ID and Office 365.
78   Security Operator                                  Creates and manages security events.
79   Security Reader                                    Can read security information and reports in Microsoft Entra ID and Microsoft 365.
80   Service Support Administrator                      Can read service health information and manage support tickets.
81   SharePoint Administrator                           Can manage all aspects of the SharePoint service.
82   SharePoint Embedded Administrator                  Manage all aspects of SharePoint Embedded containers.
83   Skype for Business Administrator                   Can manage all aspects of the Skype for Business product.
84   Teams Administrator                                Can manage the Microsoft Teams service.
85   Teams Communications Administrator                 Can manage calling and meetings features within the Microsoft Teams service.
86   Teams Communications Support Engineer              Can troubleshoot communications issues within Teams using advanced tools.
87   Teams Communications Support Specialist            Can troubleshoot communications issues within Teams using basic tools.
88   Teams Devices Administrator                        Can perform management related tasks on Teams certified devices.
89   Teams Telephony Administrator                      Manage voice and telephony features and troubleshoot communication issues within the Microsoft Teams service.
90   Tenant Creator                                     Create new Microsoft Entra or Azure AD B2C tenants.
91   Usage Summary Reports Reader                       Can see only tenant level aggregates in Microsoft 365 Usage Analytics and Productivity Score.
92   User Administrator                                 Can manage all aspects of users and groups, including resetting passwords for limited admins.
93   User Experience Success Manager                    View product feedback, survey results, and reports to find training and communication opportunities.
94   Virtual Visits Administrator                       Manage and share Virtual Visits information and metrics from admin centers or the Virtual Visits app.
95   Viva Goals Administrator                           Manage and configure all aspects of Microsoft Viva Goals.
96   Viva Pulse Administrator                           Can manage all settings for Microsoft Viva Pulse app.
97   Windows 365 Administrator                          Can provision and manage all aspects of Cloud PCs.
98   Windows Update Deployment Administrator            Can create and manage all aspects of Windows Update deployments through the Windows Update for Business deployment service.
99   Yammer Administrator                               Manage all aspects of the Yammer service.

See https://learn.microsoft.com/en-us/training/modules/manage-roles-groups-microsoft-365/2-examine-roles-microsoft-365-permission-model.

There are different types and categories of roles in Microsoft 365, depending on the scope and level of permissions they grant. The main types of roles are:

Global roles. These roles are the highest-level roles that grant permissions to perform tasks across all Microsoft 365 services and features. There are only a few global roles, such as Global administrator, Global reader, and Power Platform administrator. Global roles are reserved for the most senior and trusted administrators in the organization.

Service-specific roles. These roles grant permissions to perform tasks in a specific Microsoft 365 service, such as Exchange Online, SharePoint Online, Teams, or OneDrive. There are many service-specific roles, such as Exchange administrator, SharePoint administrator, Teams administrator, or OneDrive administrator. Service-specific roles are typically assigned to administrators who are responsible for managing and configuring a particular service.

Feature-specific roles. These roles grant permissions to perform tasks in a specific feature or function within a Microsoft 365 service, such as security, compliance, or device management. There are many feature-specific roles, such as Security administrator, Compliance administrator, Device administrator, or Intune administrator. Feature-specific roles are typically assigned to administrators who are responsible for managing and configuring a particular aspect of the Microsoft 365 environment.

The main categories of roles are:

Administrator roles. These roles grant permissions to perform administrative tasks, such as creating and managing users, devices, licenses, policies, settings, and reports. Administrator roles are typically assigned to administrators who must manage and configure the Microsoft 365 environment.

Reader roles. These roles grant permissions to view information and reports, but not to make any changes or modifications. Reader roles are typically assigned to administrators who must monitor and audit the Microsoft 365 environment, but not perform any actions.

Application roles. These roles grant permissions to access and use certain Microsoft 365 applications, such as Power BI, Power Apps, or Power Automate. Application roles are typically assigned to users who must work with these applications, but not administer them.

See best practices in https://learn.microsoft.com/en-us/training/modules/manage-roles-groups-microsoft-365/5-examine-best-practices-administrative-roles

  1. Manage to least privilege
  2. Use Privileged Identity Management to grant just-in-time access
  3. Turn on multifactor authentication for all your administrator accounts
  4. Configure recurring access reviews to revoke unneeded permissions over time
  5. Limit the number of Global Administrators to less than five
  6. Use groups for Microsoft Entra role assignments and delegate the role assignment
  7. Use cloud native accounts for Microsoft Entra roles
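The following script is an added example (not part of this wiki page or the m365-scripts repository) that inventories active role assignments and checks them against best practices 5 and 7 above. It assumes an existing Connect-MgGraph session with at least 'RoleManagement.Read.Directory' and 'User.Read.All', and the function name Get-EntraRoleAssignmentReport is my own.

```powershell
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Users

function Get-EntraRoleAssignmentReport {
    [CmdletBinding()]
    param(
        # Best practice 5 above: keep the number of Global Administrators below five.
        [int]$MaxGlobalAdmins = 5
    )
    # Built-in template id of Global Administrator (see the Get-MgDirectoryRole output on this page).
    $globalAdminTemplateId = '62e90394-69f5-4237-9190-012177145e10'

    # Get-MgDirectoryRole returns only roles that have been activated from a template,
    # and only their active members; PIM-eligible assignments do not appear here.
    $report = foreach ($role in Get-MgDirectoryRole -All) {
        foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
            $props  = $member.AdditionalProperties
            $type   = ($props['@odata.type'] -replace '^#microsoft\.graph\.', '')
            $synced = $null
            if ($type -eq 'user') {
                # onPremisesSyncEnabled is not in the default member projection, so fetch it
                # explicitly; $true means the account is synced from on-premises AD.
                $u = Get-MgUser -UserId $member.Id -Property @('onPremisesSyncEnabled', 'userPrincipalName')
                $synced = [bool]$u.OnPremisesSyncEnabled
            }
            [pscustomobject]@{
                Role           = $role.DisplayName
                RoleTemplateId = $role.RoleTemplateId
                MemberType     = $type   # user, group (role-assignable) or servicePrincipal
                Member         = if ($props['userPrincipalName']) { $props['userPrincipalName'] } else { $props['displayName'] }
                MemberId       = $member.Id
                OnPremSynced   = $synced
            }
        }
    }

    $globalAdmins = @($report | Where-Object RoleTemplateId -eq $globalAdminTemplateId)
    if ($globalAdmins.Count -ge $MaxGlobalAdmins) {
        Write-Warning ("{0} Global Administrator assignments found; best practice is fewer than {1}." -f $globalAdmins.Count, $MaxGlobalAdmins)
    }
    # Best practice 7 above: Entra role holders should be cloud-native accounts.
    foreach ($row in @($report | Where-Object OnPremSynced -eq $true)) {
        Write-Warning ("{0} holds '{1}' but is synced from on-premises AD." -f $row.Member, $row.Role)
    }
    $report
}

# Usage: full assignment inventory, sorted for review.
Get-EntraRoleAssignmentReport | Sort-Object Role, Member | Format-Table Role, MemberType, Member, OnPremSynced -AutoSize
```

Members of role-assignable groups are reported as the group, not expanded to its users, so expand those separately when reviewing the output.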

See https://learn.microsoft.com/en-us/training/modules/manage-roles-groups-microsoft-365/6-assign-admin-roles-users-microsoft-365.

Open a new Terminal (Administrator) console window.

Install-Module Microsoft.Graph -force
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -Scopes 'User.Read.All', 'RoleManagement.ReadWrite.Directory'

Select the user to login and accept the scope.

Run the following commands to get the list of directory roles.

PS C:\Users\user> Get-MgDirectoryRole | Format-List


DeletedDateTime      :
Description          : Security Administrator allows ability to read and manage security configuration and reports.
DisplayName          : Security Administrator
Id                   : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Members              :
RoleTemplateId       : 194ae4cb-b126-40b2-bd5b-6091b380977d
ScopedMembers        :
AdditionalProperties : {}

DeletedDateTime      :
Description          : Users assigned to this role are added to the local administrators group on Microsoft Entra
                       joined devices.
DisplayName          : Azure AD Joined Device Local Administrator
Id                   : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Members              :
RoleTemplateId       : 9f06204d-73c1-4d4c-880a-6edb90606fd8
ScopedMembers        :
AdditionalProperties : {}

DeletedDateTime      :
Description          : Can manage all aspects of Microsoft Entra ID and Microsoft services that use Microsoft Entra
                       identities.
DisplayName          : Global Administrator
Id                   : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Members              :
RoleTemplateId       : 62e90394-69f5-4237-9190-012177145e10
ScopedMembers        :
AdditionalProperties : {}

DeletedDateTime      :
Description          : Can perform common billing related tasks like updating payment information.
DisplayName          : Billing Administrator
Id                   : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Members              :
RoleTemplateId       : b0f54661-2d74-4c50-afa3-1ec803f12efe
ScopedMembers        :
AdditionalProperties : {}

DeletedDateTime      :
Description          : Read audit logs and configure diagnostic settings for events related to custom security
                       attributes.
DisplayName          : Attribute Log Administrator
Id                   : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Members              :
RoleTemplateId       : 5b784334-f94b-471a-a387-e7219fc49ca2
ScopedMembers        :
AdditionalProperties : {}

DeletedDateTime      :
Description          : Can read and manage compliance configuration and reports in Microsoft Entra ID and Microsoft
                       365.
DisplayName          : Compliance Administrator
Id                   : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Members              :
RoleTemplateId       : 17315797-102d-40b4-93e0-432062caca18
ScopedMembers        :
AdditionalProperties : {}

DeletedDateTime      :
Description          : Can read everything that a Global Administrator can, but not update anything.
DisplayName          : Global Reader
Id                   : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Members              :
RoleTemplateId       : f2ef992c-3afb-46b9-b7cf-a126ee74c451
ScopedMembers        :
AdditionalProperties : {}

PS C:\Users\user>

Example to assign a role to a user account.

# Preparation - Check the account that will receive the role
Get-MgUser -All | Format-List ID, DisplayName, Mail, UserPrincipalName

Id                : dba12422-ac75-486a-a960-cd7cb3f6963f
DisplayName       : Adele Vance
Mail              : [email protected]
UserPrincipalName : [email protected]

# Run the following steps to activate the Helpdesk Administrator role.

# Step 1 - Run the Get-MgDirectoryRoleTemplate command to display the list of templates for all Microsoft Entra roles. Since you plan to activate the Helpdesk Administrator role from the Helpdesk Administrator role template, you must run the command to get the object Id of this role template.

Get-MgDirectoryRoleTemplate -All | Format-List ID, DisplayName

Id          : a2d10e79-df32-47fc-86ef-64d199860810
DisplayName : Global Administrator

Id          : fe930be7-5e62-47db-91af-98c3a49a38b1
DisplayName : User Administrator

Id          : 95e79109-95c0-4d8e-aee3-d01accf2d47b
DisplayName : Helpdesk Administrator

and so on...

# Step 2 - Activate the directory role that's based on the Helpdesk Administrator role template. Copy and paste the object Id of the Helpdesk Administrator role template from the prior command into this New-MgDirectoryRole command.

New-MgDirectoryRole -RoleTemplateId '95e79109-95c0-4d8e-aee3-d01accf2d47b'

# Step 3 - Verify the Helpdesk Administrator role now appears in the list of activated roles. When you ran the Get-MgDirectoryRole command in the prior example, only the Global Administrator role appeared. After activating the Helpdesk Administrator role from its template, this role should now appear along with the Global Administrator role.

Get-MgDirectoryRole | Format-List

DeletedDateTime      :
Description          : Can reset passwords for non-administrators and Helpdesk Administrators.
DisplayName          : Helpdesk Administrator
Id                   : 227ec638-37b9-4eb7-a661-2773dcce2b36
Members              :
RoleTemplateId       : 95e79109-95c0-4d8e-aee3-d01accf2d47b
ScopedMembers        :
AdditionalProperties : {}

DeletedDateTime      :
Description          : Can manage all aspects of Microsoft Entra ID and Microsoft services that use Microsoft Entra identities.
DisplayName          : Global Administrator
Id                   : a2d10e79-df32-47fc-86ef-64d199860810
Members              :
RoleTemplateId       : 1f12db9c-dbb3-410d-a893-4c0bc322bf85
ScopedMembers        :
AdditionalProperties : {}

# Step 4 - Assign the Helpdesk Administrator role to the user account

$UserObjectId = @{ "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/dba12422-ac75-486a-a960-cd7cb3f6963f" }

New-MgDirectoryRoleMemberByRef -DirectoryRoleId '227ec638-37b9-4eb7-a661-2773dcce2b36' -BodyParameter $UserObjectId
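The four steps above generalised into one re-runnable function, as an added example (not code from this wiki page or the m365-scripts repository): it resolves the role template by display name and the user by UPN instead of pasting GUIDs, activates the role only if needed, and skips the assignment if the user already holds it. It assumes an existing Connect-MgGraph session with 'RoleManagement.ReadWrite.Directory' and 'User.Read.All'; the function name Add-EntraRoleMemberByName and the UPN in the usage line are placeholders.

```powershell
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Users

function Add-EntraRoleMemberByName {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$RoleDisplayName,    # e.g. 'Helpdesk Administrator'
        [Parameter(Mandatory)][string]$UserPrincipalName
    )

    # Step 1: resolve the role template by name instead of copying its object id.
    $template = Get-MgDirectoryRoleTemplate -All | Where-Object DisplayName -eq $RoleDisplayName
    if (-not $template) { throw "No role template named '$RoleDisplayName'." }

    # Step 2: activate the role only if it is not active yet; New-MgDirectoryRole
    # fails when the template has already been activated in this tenant.
    $role = Get-MgDirectoryRole -All | Where-Object RoleTemplateId -eq $template.Id
    if (-not $role) {
        if (-not $PSCmdlet.ShouldProcess($RoleDisplayName, 'Activate directory role')) { return }
        $role = New-MgDirectoryRole -RoleTemplateId $template.Id
    }

    # Step 3: resolve the user and make the call idempotent by checking membership first.
    $user = Get-MgUser -UserId $UserPrincipalName -Property @('id', 'userPrincipalName')
    $already = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All | Where-Object Id -eq $user.Id
    if ($already) {
        Write-Verbose "$UserPrincipalName already holds '$RoleDisplayName'; nothing to do."
        return $role
    }

    # Step 4: add the member by reference, exactly as in the manual command above.
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, "Add to role '$RoleDisplayName'")) {
        $body = @{ '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)" }
        New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -BodyParameter $body
    }
    $role
}

# Usage: preview with -WhatIf first, then run without it. The UPN is a placeholder.
Add-EntraRoleMemberByName -RoleDisplayName 'Helpdesk Administrator' -UserPrincipalName 'user@example.com' -WhatIf
```

This creates a permanent active assignment; best practice 2 above prefers a PIM eligible assignment, which uses the role management (unified role assignment schedule) API rather than New-MgDirectoryRoleMemberByRef.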