Microsoft Entra ID · Remaining Built-in Roles

Directory Writers

Can read and write basic directory information. Primarily used for granting access to applications and services, not intended for end users.

Scope: Basic directory write operations including user and group management

Permissions

  • Applications - Create applications as owner
  • Groups - Create security and M365 groups
  • Groups - Create groups as owner
  • Group Membership - Update group members
  • Group Ownership - Update group owners
  • Group Properties - Update basic group properties
  • OAuth - Create OAuth2 permission grants
  • OAuth - Update OAuth2 grants
  • Service Principals - Create service principals as owner
  • Licensing - Assign licenses to users
  • Users - Create new users
  • Users - Disable user accounts
  • Users - Enable user accounts
  • Session Management - Invalidate refresh tokens
  • User Management - Update user manager
  • User Properties - Update user photo
  • Directory Readers - All Directory Readers permissions

Common use cases

  • Applications needing to provision users
  • Sync services updating directory attributes
  • Directory integration scenarios
  • Automated group management services
  • User provisioning applications
  • License assignment automation
  • Photo synchronization services

Best practices

  • Assign to service principals, not end users
  • Use more specific roles when possible
  • Review service principals with this role regularly
  • Consider managed identities for Azure services
  • Document purpose of each assignment
  • Monitor for unauthorized changes
  • Use conditional access for service principals
  • Prefer application-specific roles when available

Security considerations

  • Can create users and groups
  • Can modify group memberships
  • Can assign licenses affecting costs
  • Can invalidate user sessions
  • Monitor for privilege escalation via groups
  • Audit all directory write operations
  • Review OAuth2 permission grants created
  • Consider time-limited assignments

Common questions

When should I assign the Directory Writers role?

Assign Directory Writers when you need to: Applications needing to provision users; Sync services updating directory attributes; Directory integration scenarios; Automated group management services; and User provisioning applications. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Directory Writers role do?

The Directory Writers role grants permissions including: Applications - Create applications as owner; Groups - Create security and M365 groups; Groups - Create groups as owner; Group Membership - Update group members; Group Ownership - Update group owners; and Group Properties - Update basic group properties. See the Permissions section above for the full list.

What are the security risks of the Directory Writers role?

Key considerations when assigning Directory Writers: Can create users and groups; Can modify group memberships; Can assign licenses affecting costs; and Can invalidate user sessions. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →