Microsoft Entra ID · Remaining Built-in Roles

Privileged Role Administrator

Can manage role assignments in Microsoft Entra ID and all aspects of Privileged Identity Management (PIM). This role can grant any role to any user including Global Administrator.

Scope: Organization-wide role management and PIM administration

Permissions

  • Access Reviews - Manage access reviews for role assignments
  • Admin Units - Create and manage administrative units
  • Authorization - Manage authorization policy
  • Directory Roles - Create and delete directory roles
  • Role Groups - Update role-assignable groups
  • Role Groups - Create role-assignable groups
  • Role Groups - Delete role-assignable groups
  • OAuth Grants - Manage OAuth 2.0 permission grants
  • PIM Management - Manage PIM
  • Role Assignments - Manage role assignments
  • Custom Roles - Create and manage custom role definitions
  • Scoped Roles - Manage scoped role memberships
  • App Roles - Update app role assignments
  • Service Principals - Update service principal permissions
  • App Consent - Grant consent for any permission
  • Role Assignment - Assign users to any Microsoft Entra role including Global Administrator
  • PIM Settings - Configure PIM settings including approval workflows
  • Role Groups - Create and manage role-assignable groups

Common use cases

  • Managing PIM configurations and approval policies
  • Role assignment governance and delegation
  • Implementing least-privilege access model across the organization
  • Setting up approval workflows for sensitive role activations
  • Creating and managing custom role definitions
  • Configuring role-assignable groups for scalable administration
  • Managing access reviews for privileged role assignments
  • Implementing time-bound role assignments via PIM
  • Configuring Just-in-Time (JIT) access for all admin roles
  • Creating administrative units for delegated administration
  • Designing and implementing Entra ID RBAC strategy
  • Auditing and reviewing role assignment patterns

Best practices

  • Limit to 2-3 people maximum
  • Always use PIM eligible assignment for this role itself
  • Require approval from multiple people for activation
  • Require strong MFA (FIDO2 or certificate-based) for activation
  • Set maximum activation duration to 4 hours or less
  • Require justification for every activation
  • Review role assignments across the tenant quarterly
  • Create alerts for all role assignment changes
  • Document all PIM configuration changes
  • Test approval workflows regularly
  • Use role-assignable groups for scalable administration
  • Implement separation of duties with other privileged roles
  • Configure notifications for role assignment changes
  • Limit permanent active assignments to emergency accounts only
  • Review eligible assignments annually and remove unused
  • Use time-bound eligible assignments (6-12 months)
  • Configure multiple approvers for high-impact role activations

Security considerations

  • CRITICAL: Can assign Global Administrator role to anyone
  • Can grant themselves permanent Global Admin if not properly secured
  • Can remove other administrators from their roles
  • Can modify PIM settings to bypass approval requirements
  • Can create backdoor admin accounts through role assignments
  • Should never have permanent active assignment
  • Must require approval for activation from independent party
  • Compromise allows attacker to grant themselves any privilege
  • Can consent to high-privilege app permissions on behalf of org
  • Can modify custom role definitions to escalate privileges
  • Can manage administrative units to scope or bypass controls
  • Monitor for role assignments made outside normal process
  • Alert on PIM setting changes immediately
  • Consider requiring two-person integrity for major changes
  • Audit all actions taken while role is active

Official Microsoft Learn documentation →

Open the interactive RBACMap →