Microsoft Entra ID · Remaining Built-in Roles
Directory Writers
Can read and write basic directory information. Primarily used for granting access to applications and services, not intended for end users.
Scope: Basic directory write operations including user and group management
Permissions
- Applications - Create applications as owner
- Groups - Create security and M365 groups
- Groups - Create groups as owner
- Group Membership - Update group members
- Group Ownership - Update group owners
- Group Properties - Update basic group properties
- OAuth - Create OAuth2 permission grants
- OAuth - Update OAuth2 permission grants
- Service Principals - Create service principals as owner
- Licensing - Assign licenses to users
- Users - Create new users
- Users - Disable user accounts
- Users - Enable user accounts
- Session Management - Invalidate refresh tokens
- User Management - Update user manager
- User Properties - Update user photo
- Directory Readers - All Directory Readers permissions
Common use cases
- Applications needing to provision users
- Sync services updating directory attributes
- Directory integration scenarios
- Automated group management services
- User provisioning applications
- License assignment automation
- Photo synchronization services
Best practices
- Assign to service principals, not end users
- Use more specific roles when possible
- Review service principals with this role regularly
- Consider managed identities for Azure services
- Document purpose of each assignment
- Monitor for unauthorized changes
- Use conditional access for service principals
- Prefer application-specific roles when available
Security considerations
- Can create users and groups
- Can modify group memberships
- Can assign licenses, which directly affects licensing costs
- Can invalidate user sessions
- Monitor for privilege escalation via groups
- Audit all directory write operations
- Review OAuth2 permission grants created
- Consider time-limited assignments
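The best practices above ("assign to service principals, not end users", "review service principals with this role regularly") and the audit points in this section can be checked with a short review script. The following is an added example, not part of the original page: it uses the Microsoft Graph PowerShell SDK (assumed installed) to list every principal holding Directory Writers and flags user and group assignments for review.

```powershell
# Added example: review Directory Writers assignments with Microsoft Graph PowerShell.
# Assumes the Graph PowerShell SDK is installed and the caller can consent to the
# read-only scopes below (no write permission is needed for this review).
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All"

# Get-MgDirectoryRole only returns roles that have been activated in the tenant;
# a role with no assignments ever made will not appear at all.
$role = Get-MgDirectoryRole -All | Where-Object { $_.DisplayName -eq 'Directory Writers' }
if (-not $role) {
    Write-Host "Directory Writers has never been activated in this tenant; nothing to review."
    return
}

$findings = foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
    # Members come back as generic directoryObjects; the concrete type and its
    # type-specific attributes live in AdditionalProperties.
    $type = $member.AdditionalProperties['@odata.type']
    switch ($type) {
        '#microsoft.graph.user' {
            $identifier = $member.AdditionalProperties['userPrincipalName']
            # A user holding this role is exactly what the best practices warn against.
            $review = 'REVIEW: user assignment (role intended for service principals)'
        }
        '#microsoft.graph.servicePrincipal' {
            $identifier = $member.AdditionalProperties['appId']
            $review = 'ok - confirm purpose is documented and still needed'
        }
        '#microsoft.graph.group' {
            $identifier = $member.Id
            # Role-assignable groups inherit the role to all their members,
            # so their membership needs the same review as a direct assignment.
            $review = 'REVIEW: group assignment (check group membership)'
        }
        default {
            $identifier = $member.Id
            $review = 'REVIEW: unexpected principal type'
        }
    }
    [pscustomobject]@{
        Type        = $type -replace '^#microsoft\.graph\.', ''
        DisplayName = $member.AdditionalProperties['displayName']
        Identifier  = $identifier
        Review      = $review
    }
}

$findings | Sort-Object Type, DisplayName | Format-Table -AutoSize
```

Run it on a schedule and diff the output against the previous run to catch assignments that appear without a documented purpose.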