Microsoft Entra ID · Security & Compliance

Attack Simulation Administrator

Can create and manage all aspects of attack simulation campaigns including phishing simulations, payload creation, and campaign reporting.

Scope: Full attack simulation campaign creation and management

Permissions

  • Admin Center - Read admin center properties
  • Payloads - Manage attack payloads
  • Reports - Read attack simulation reports
  • Simulations - Manage attack simulations
  • Campaigns - Create and launch phishing simulation campaigns
  • Payloads - Create custom simulation payloads and templates
  • Results - View simulation results and user performance
  • Training - Manage training assignments from simulations
  • Schedules - Configure simulation schedules and automation
  • Content - Access attack simulation training content

Common use cases

  • Phishing simulation campaigns
  • Security awareness training programs
  • User risk assessment and baselining
  • Compliance training requirements
  • Social engineering awareness testing
  • Credential harvesting simulations
  • Business email compromise testing
  • Targeted attack simulations
  • Training content assignment
  • Security culture measurement

Best practices

  • Coordinate with HR and Legal before launching simulations
  • Communicate simulation programs to leadership
  • Start with baseline simulations before targeted campaigns
  • Track improvement trends over time
  • Integrate with security awareness training
  • Avoid simulations during high-stress periods
  • Provide immediate training for users who fail
  • Use varied simulation types and complexity
  • Consider cultural and regional sensitivity
  • Document simulation policies and procedures
  • Review and update payloads regularly

Security considerations

  • Simulations can cause user anxiety if not communicated
  • Payload creation requires careful handling
  • Simulation data includes user performance information
  • Coordinate with incident response for false positives
  • Ensure simulations comply with organizational policies
  • Consider privacy implications of tracking
  • Audit access to simulation results
  • Separate from production phishing response workflows

Common questions

When should I assign the Attack Simulation Administrator role?

Assign Attack Simulation Administrator when you need to: Phishing simulation campaigns; Security awareness training programs; User risk assessment and baselining; Compliance training requirements; and Social engineering awareness testing. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Attack Simulation Administrator role do?

The Attack Simulation Administrator role grants permissions including: Admin Center - Read admin center properties; Payloads - Manage attack payloads; Reports - Read attack simulation reports; Simulations - Manage attack simulations; Campaigns - Create and launch phishing simulation campaigns; and Payloads - Create custom simulation payloads and templates. See the Permissions section above for the full list.

What are the security risks of the Attack Simulation Administrator role?

Key considerations when assigning Attack Simulation Administrator: Simulations can cause user anxiety if not communicated; Payload creation requires careful handling; Simulation data includes user performance information; and Coordinate with incident response for false positives. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →