Microsoft Entra ID RBAC Roles

Can manage all enterprise Azure DevOps policies for organizations backed by Microsoft Entra ID.

Can manage network locations and review enterprise network design insights for Microsoft 365 SaaS applications.

Can access and manage Desktop management tools and services for Windows device analytics.

Manage all aspects of Microsoft Edge including policies, settings, and enterprise configurations.

Manages organizational data ingestion for Microsoft 365 and Microsoft Viva applications.

Manages all aspects of agents in a tenant including identity lifecycle operations for agent blueprints, agent service principals, agent identities, and agentic users.

Creates agent blueprints and their service principals. The user is added as owner of the agent blueprint and its service principal.

Manages all aspects of the Agent Registry service in Microsoft Entra ID including metadata, collections, and visibility of AI agents.

Creates and manages custom authentication extensions to customize sign-in and sign-up experiences for users.

Manages all aspects of the Microsoft Dragon admin center for healthcare voice recognition.

Triggers password submit events for custom authentication extensions. Works alongside Authentication Extensibility Administrator to enable password-based custom authentication flows.

Can configure identity providers for direct federation with external organizations for B2B collaboration.

Manages policy keys and secrets used for token encryption, token signing, and claim encryption/decryption in Azure AD B2C.

Creates and manages custom policies in Azure AD B2C Identity Experience Framework including user flows and federation.

Can create new Microsoft Entra and Azure AD B2C tenants even when tenant creation is disabled for regular users.

Creates and manages all aspects of user flows for external identity scenarios.

Creates and manages the attribute schema available to all user flows for external identities.

Creates and manages warranty claims and entitlements for Microsoft manufactured hardware like Surface and HoloLens.

Creates warranty claims for Microsoft hardware and reads existing claims they created, with limited access to shipping addresses.

Provisions new IoT devices, manages their lifecycle, configures certificates, and manages device templates.

Manages Microsoft Kaizala settings, usage reports, and business reports generated using Kaizala actions.

Users assigned to this role are added to the local administrators group on Microsoft Entra joined devices.

Manages all aspects of printers and printer connectors in Microsoft Universal Print including configuration and connector settings.

Registers and unregisters printers, updates printer status, and reads connector information but cannot set permissions.

Can manage all aspects of Privileged Identity Management including settings, eligible assignments, and approval workflows. This role is equivalent to Privileged Role Administrator for PIM purposes.

Designated as approver for PIM role activation requests. Can approve or deny activation requests but cannot modify PIM settings.

Can manage Identity Protection policies, investigate and remediate risky users and sign-ins, and configure risk-based policies. Requires Microsoft Entra ID P2 license.

Can read Identity Protection reports, risk detections, and configurations but cannot remediate risks or modify policies. Requires Microsoft Entra ID P2 license.

Can manage access using Microsoft Entra ID for identity governance scenarios including access packages, access reviews, catalogs, and entitlement management.

Create and manage all aspects of workflows and tasks associated with Lifecycle Workflows for joiner, mover, and leaver scenarios.

Define and manage the definition of custom security attributes that can be assigned to supported Microsoft Entra objects.

Assign custom security attribute keys and values to supported Microsoft Entra objects like users, service principals, and devices.

Read audit logs and configure diagnostic settings for events related to custom security attributes.

Read audit logs for custom security attribute value changes, definition changes, and assignments. Cannot configure diagnostic settings or read other audit log types.

Read custom security attribute keys and values for supported Microsoft Entra objects.

Reads the definition of custom security attributes but cannot assign values.

Reads and edits provisioning configuration of custom security attributes for applications.

Reads the provisioning configuration of custom security attributes for applications.

Manage all aspects of Microsoft Entra Permissions Management including discovery, remediation, and monitoring of permissions across multi-cloud environments.

Manages all capabilities in the Microsoft Entra Tenant Governance service for multi-tenant organization management.

Read-only access to all tenant governance data in the Microsoft Entra Tenant Governance service.

Can initiate governance relationships with other tenants and terminate existing governance relationships in Microsoft Entra Tenant Governance.

Can read tenant governance relationships and relevant objects in Microsoft Entra Tenant Governance.

Manage all aspects of Granular Delegated Admin Privileges (GDAP) relationships in a customer tenant. Used by Microsoft Cloud Solution Provider (CSP) partners and their delegated administrators to…

System role used exclusively by the Microsoft Entra Connect service to synchronize on-premises Active Directory with Microsoft Entra ID. Not intended for human assignment — Microsoft manages…

Can manage security events, view reports, dismiss alerts, and take limited remediation actions. Cannot modify security policies.

Can create and manage all aspects of attack simulation campaigns including phishing simulations, payload creation, and campaign reporting.

Can read and manage compliance configuration and reports across Microsoft Entra ID and Microsoft 365 including DLP, retention, sensitivity labels, and eDiscovery.

Creates and manages compliance content, tracks data in Microsoft Purview, and can perform eDiscovery operations.

Can manage all aspects of the Azure Information Protection product including labels, policies, and protection templates.

Can approve Microsoft support requests to access customer organizational data. Critical for controlling Microsoft engineer access.

Manages all aspects of Microsoft 365 Backup including policies, restore operations, and backup configurations.

Can read all notifications in Message Center including data privacy messages. Important for privacy compliance awareness.

Creates attack payloads for security awareness training but cannot launch simulations. Payloads are available to all tenant admins.

Full permissions in Microsoft Defender for Cloud Apps including adding administrators, policies, and governance actions.

Can read sign-in and audit reports, and view the Microsoft Agent 365 overview and agent registry for the tenant including agent metadata. Ideal for compliance and security monitoring without broader…

Can configure knowledge, learning, and intelligent features including Microsoft Viva Topics, Learning, and search customizations.

Can create and manage editorial content for Microsoft Search such as bookmarks, Q&A, and locations.

Access the analytical capabilities in Microsoft Viva Insights and run custom queries.

Can view and share dashboards and insights via the Microsoft Viva Insights app.

Views product feedback, survey results, and reports to find training and communication opportunities for users.

Can manage Microsoft Entra Private Access and Internet Access, configure traffic policies, and manage network security features.

Provides read-only access to network traffic logs in Microsoft Entra Internet Access and Private Access for security analysis.

Can manage Conditional Access settings and policies. This is a privileged role that controls access to all cloud resources.

Can create and manage access reviews for group memberships, application assignments, and role assignments. Requires Microsoft Entra ID P2 license.

Designated reviewer for access reviews who can approve or deny continued access. Cannot modify review settings.

Can manage catalogs and access packages within their assigned catalogs.

Can manage access packages within assigned catalogs.

Can manage calling and meetings features within the Microsoft Teams service including policies, configurations, and analytics.

Can manage voice and telephony features in Microsoft Teams including phone numbers, calling policies, and voice configurations.

Can manage Teams certified devices including phones, meeting room devices, and collaboration bars.

Read-only access to Teams admin center settings and Call Quality Dashboard without management capabilities.

Troubleshoots communications issues in Teams with access to full call records for all participants.

Troubleshoots communications issues in Teams with access to call details only for specific users looked up.

Manages external collaboration policies and settings for Teams, including configuring external domains and controlling which groups and users can interact with the organization.

Manage all aspects of Microsoft 365 Copilot, Microsoft Agent 365, and AI-related enterprise services including extensibility and copilot agents. Has tenant-wide visibility and full governance…

Manage and configure all aspects of Microsoft Viva Goals including OKR settings and integrations.

Can manage all settings for Microsoft Viva Pulse app including survey configurations and privacy settings.

Manage and configure Microsoft Viva Glint settings in the Microsoft 365 admin center including admin assignments.

Has administrative access in the Microsoft 365 Insights app for organizational analytics.

Read all aspects of Microsoft 365 Copilot and AI-related enterprise services in Microsoft 365. Recommended least-privilege role for viewing the complete agent inventory in Microsoft Agent 365 and the…

Can create and manage all aspects of Microsoft Power Apps, Power Automate, and Power BI environments and policies.

Has access to Dynamics 365 admin center, can manage Dynamics 365 environments, and perform administrative tasks across Dynamics 365 apps.

Can manage all aspects of Microsoft Fabric including workspaces, capacities, and tenant-wide settings for analytics workloads.

Can read messages and updates for their organization in Office 365 Message Center only.

Read Usage reports and Adoption Score but cannot access user-level details.

Accesses and performs all administrative tasks on Dynamics 365 Business Central environments.

Can manage all aspects of Microsoft Intune product including devices, apps, policies, and user management for endpoints.

Can manage all aspects of Exchange Online including mailboxes, groups, connectors, mail flow rules, and organization-wide settings.

Can manage all aspects of SharePoint Online including site collections, sharing policies, term store, and OneDrive for Business settings.

Can manage the Microsoft Teams service including meetings, calling, messaging policies, and Teams-certified devices.

Manage all aspects of the Yammer service including network settings, usage policies, and content moderation.

Can create and manage all aspects of Microsoft Search settings including bookmarks, Q&A, and locations.

Can manage Microsoft 365 apps cloud settings including policies, feature management, and whats new content.

Can create and manage support requests with Microsoft for Azure and Microsoft 365 services.

Manage and share Virtual Visits information and metrics from admin centers or the Virtual Visits app.

Creates and manages content like topics, acronyms, and manages topic visibility and taxonomies.

Manages Microsoft Graph Data Connect settings including dataset configuration and application authorization.

Performs all migration functionality to migrate content to Microsoft 365 using Migration Manager.

Performs all SharePoint Administrator actions plus advanced management capabilities like viewing file metadata and removing permissions.

Manages all aspects of Microsoft 365 Backup for SharePoint and OneDrive including backup policies and restore operations.

Manages all aspects of SharePoint Embedded containers using PowerShell, Graph API, or SharePoint admin center.

Backs up and restores content including granular restore for Exchange Online in Microsoft 365 Backup.

Creates or updates Exchange Online recipients within the Exchange Online organization.

Can manage all aspects of the Skype for Business product. Legacy role retained for organizations still using Skype for Business features.

Manages all aspects of organizational branding including default and localized branding themes.

Writes, publishes, and manages organizational messages delivered through Microsoft product surfaces.

Reviews, approves, or rejects organizational messages before they are delivered to users.

Manages profile photos for all users including administrators, and configures people settings like pronouns and name pronunciation.

Manages all aspects of Microsoft Places service including buildings, floors, rooms, desks, and booking policies.

Manages all aspects of external user profiles in the extended directory for Teams.

Can manage all aspects of Microsoft Entra ID and Microsoft services. This is the highest privilege role with the ability to reset any password, consent to any app, and elevate to Azure subscriptions.

Can read everything that a Global Administrator can read, but cannot update anything. This is a PRIVILEGED role - the information visible can be used to plan attacks.

Can manage role assignments in Microsoft Entra ID and all aspects of Privileged Identity Management (PIM). This role can grant any role to any user including Global Administrator.

Can set or reset any authentication method (including passwords) for any user, including Global Administrators. This is one of the highest-privilege roles.

Can read security information and reports, and manage configuration in Microsoft Entra ID and Microsoft 365. This role has broad security configuration permissions across services.

Can read security information and reports across Microsoft Entra ID, Identity Protection, Privileged Identity Management, and Microsoft 365 Defender.

Can perform billing related tasks including purchases, subscription management, support tickets, and service health monitoring.

Can manage product licenses on users and groups. Can also manage usage location and read service plans but cannot purchase or manage subscriptions.

Can create users and groups, and manage all aspects of users and groups, including resetting passwords for limited admins. This is a privileged role with significant scope.

Can view, set, and reset authentication method information for any non-admin user. Cannot manage MFA settings or password protection policies.

Can create and manage the authentication methods policy, tenant-wide MFA settings, password protection policy, and verifiable credentials configuration.

Can reset passwords for non-administrators and Helpdesk Administrators. Cannot manage service health, support tickets, or advanced user properties.

Can reset passwords for non-administrators. Most limited password reset role without additional service health or support ticket access.

Can create and manage all aspects of groups and group settings like naming and expiration policies, and manage group membership and ownership.

Can invite guest users independent of the member invitation settings. This is the most limited guest invitation role.

Can read basic directory information. Commonly used to grant directory read access to service principals and guest users.

Can read and write basic directory information. Primarily used for granting access to applications and services, not intended for end users.

Can create and manage all aspects of app registrations and enterprise apps. This is a privileged role that can impersonate applications.

Can create and manage all aspects of app registrations and enterprise apps except App Proxy. Ideal for cloud-only environments.

Can create application registrations independent of the "Users can register applications" setting. Most limited application role.

Can enable, disable, and delete devices in Microsoft Entra ID and read Windows BitLocker recovery keys in the Azure portal.

Can create and manage all aspects of Windows Update deployments through Windows Update for Business.

Can provision and manage all aspects of Cloud PCs.

Can manage AD to Microsoft Entra cloud provisioning, Microsoft Entra Connect, pass-through authentication, and federation settings for hybrid environments.

Can manage domain names in cloud and on-premises including adding, verifying, and removing custom domains.

Manages all aspects of Microsoft Entra Backup including creating recovery jobs and managing backup snapshots for directory data.

Read-only access to Microsoft Entra Backup including listing preview jobs, recovery jobs, and backup snapshots. Can create preview jobs to assess recovery scope.

Legacy Microsoft partner support role. Microsoft documents this role with "Do not use — not intended for general use." Superseded by Granular Delegated Admin Privileges (GDAP) and the Customer…

Legacy Microsoft partner support role with elevated permissions over Partner Tier1 Support. Microsoft documents this role with "Do not use — not intended for general use." Superseded by Granular…