Microsoft Entra ID · Security & Compliance

Attack Payload Author

Creates attack payloads for security awareness training but cannot launch simulations. Payloads are available to all tenant admins.

Scope: Create phishing simulation payloads for security awareness training

Permissions

  • Create attack payloads
  • Manage attack payloads
  • Read simulation reports (own simulations only)
  • Read associated training reports

Common use cases

  • Creating phishing templates
  • Designing security awareness content
  • Building training scenarios

Best practices

  • Create realistic but safe payloads
  • Test payloads before publishing
  • Document payload purposes

Security considerations

  • Cannot launch simulations (separation of duties)
  • Payloads visible to all admins

Common questions

When should I assign the Attack Payload Author role?

Assign Attack Payload Author when you need to: Creating phishing templates; Designing security awareness content; and Building training scenarios. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Attack Payload Author role do?

The Attack Payload Author role grants permissions including: Create attack payloads; Manage attack payloads; Read simulation reports (own simulations only); and Read associated training reports. See the Permissions section above for the full list.

What are the security risks of the Attack Payload Author role?

Key considerations when assigning Attack Payload Author: Cannot launch simulations (separation of duties); and Payloads visible to all admins. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →