Microsoft Entra ID · Remaining Built-in Roles

Authentication Policy Administrator

Can create and manage the authentication methods policy, tenant-wide MFA settings, password protection policy, and verifiable credentials configuration.

Scope: Organization-wide authentication policy configuration including MFA, passwordless, and verifiable credentials

Permissions

  • Auth Policy - Full authentication policy management
  • MFA Settings - Manage MFA settings
  • Credential Policies - Create credential policies
  • Credential Policies - Delete credential policies
  • Credential Policies - Read credential policies
  • Credential Policies - Update credential policies
  • Credential Policies - Read credential policy owners
  • Credential Policies - Update credential policy owners
  • Verifiable Credentials - Read verifiable credentials config
  • Verifiable Credentials - Update verifiable credentials config
  • Verifiable Credentials - Read VC contracts
  • Verifiable Credentials - Update VC contracts
  • Verifiable Credentials - Read VC cards
  • Verifiable Credentials - Revoke VC cards
  • Verifiable Credentials - Create VC contracts
  • Auth Strength - Manage authentication strength requirements
  • Passwordless - Configure FIDO2, passwordless, and Windows Hello policies
  • Password Protection - Set password protection and banned password lists

Common use cases

  • Implementing passwordless authentication strategy
  • Configuring MFA methods organization-wide
  • Setting password complexity requirements
  • Managing FIDO2 security key rollouts
  • Configuring Windows Hello for Business policies
  • Setting up verifiable credentials issuance
  • Defining authentication strengths for Conditional Access
  • Managing banned password lists
  • Configuring smart lockout settings
  • Configuring certificate-based authentication
  • Managing Temporary Access Pass policies
  • Configuring SMS and voice MFA policies

Best practices

  • Test policy changes with pilot groups first
  • Document all authentication policy changes
  • Align with Zero Trust security principles
  • Phase passwordless rollout gradually
  • Monitor authentication success rates after changes
  • Maintain fallback authentication methods
  • Coordinate with Conditional Access Administrator
  • Review authentication logs regularly
  • Consider user experience impact of policy changes
  • Plan for password protection policy impact
  • Use authentication strength for high-security scenarios
  • Keep verifiable credentials configuration current

Security considerations

  • Policy changes affect all users organization-wide
  • A misconfigured policy can weaken authentication for every user in the tenant
  • The banned password list also affects password resets
  • Gaps in MFA policy coverage leave accounts exposed
  • Coordinate changes with security team
  • Test thoroughly in non-production first
  • Monitor for authentication failures after changes
  • Document rollback procedures for policy changes
