Microsoft Power Platform RBAC Roles

Microsoft Power Platform RBAC across tenant admins, environment roles, and Dataverse security roles for apps, flows, and data.

14 roles across 3 categories.

Tenant Administration

Tenant-wide Entra ID roles that govern Power Platform across all environments. Cross-listed here for discoverability — canonical home is Entra ID.

  • Power Platform Administrator

    Tenant-wide administration of Power Platform: manage all environments, capacity, DLP policies, tenant settings. Cross-listed from Microsoft Entra ID.

  • Dynamics 365 Administrator

    Tenant-wide administration of Dynamics 365 apps and the Dataverse environments hosting them. Cross-listed from Microsoft Entra ID.

  • Power Apps Administrator

    Tenant-wide administration of Power Apps. Lower-privilege alternative to Power Platform Administrator for organisations only using Power Apps. Cross-listed from Microsoft Entra ID.

Environment Roles

Per-environment administration. Assigned in the Power Platform admin center, scoped to a single environment.

  • Environment Admin

    Full administration of a single Power Platform environment. Manage members, environment settings, Dataverse provisioning, backups, and capacity allocation.

  • Environment Maker

    Create apps, flows, custom connectors, and other resources in an environment. Standard role for citizen developers.

Dataverse Security Roles

Security roles inside a Dataverse-enabled environment. Govern table-level, row-level, and column-level access to Dataverse data.

  • System Administrator

    Highest Dataverse security role. Full control over the Dataverse environment including schema, security roles, and all data.

  • System Customizer

    Full schema customisation rights but limited to user-owned records for data operations. Common role for app makers and Dataverse developers.

  • Basic User

    Baseline Dataverse role. Run apps, create user-owned records, read shared records. Required minimum for any Dataverse user.

  • Delegate

    Run apps and flows on behalf of another user. Used by Power Automate child flows and impersonation scenarios.

  • Environment Maker (Dataverse role)

    Dataverse-side security role granted automatically when Environment Maker is assigned at the environment level. Allows the user to create apps that store data in Dataverse.

  • App Opener

    Allows a user to open and run a model-driven app but does not grant access to data inside the app. Always paired with another role that grants the actual data access.

  • Office Collaborator

    Legacy Microsoft 365 collaboration role for Dataverse. Grants minimal Dataverse access to support O365 integration scenarios. Rarely assigned in modern deployments.

  • Support User

    Read-only access across most Dataverse tables for support and troubleshooting scenarios. Cannot modify data or schema.

  • Website Owner

    Power Pages (formerly Power Apps Portals) website administration role. Manages a Power Pages site including pages, content, web roles, and authentication settings.