Roles across Microsoft services
Services in Microsoft 365 can be managed with administrative roles in Microsoft Entra ID. Some services also provide additional roles that are specific to that service. This article lists content, API references, and audit and monitoring references related to role-based access control (RBAC) for Microsoft 365 and other services.
Microsoft Entra
Microsoft Entra ID and related services in Microsoft Entra.
Microsoft Entra ID
| Area | Content |
|---|---|
| Overview | Microsoft Entra built-in roles |
| Management API reference | Microsoft Entra roles Microsoft Graph v1.0 roleManagement API • Use directory provider• When role is assigned to a group, manage group memberships with the Microsoft Graph v1.0 groups API |
| Audit and monitoring reference | Microsoft Entra roles Microsoft Entra activity log overview API access to Microsoft Entra audit logs: • Microsoft Graph v1.0 directoryAudit API • Audits with RoleManagement category• When a role is assigned to a group, to audit changes to group memberships, see audits with category GroupManagement and activities Add member to group and Remove member from group |
Entitlement management
| Area | Content |
|---|---|
| Overview | Entitlement management roles |
| Management API reference | Entitlement Management-specific roles in Microsoft Entra ID Microsoft Graph v1.0 roleManagement API • Use directory provider• See roles with permissions starting with: microsoft.directory/entitlementManagementEntitlement Management-specific roles Microsoft Graph v1.0 roleManagement API • Use entitlementManagement provider |
| Audit and monitoring reference | Entitlement Management-specific roles in Microsoft Entra ID Microsoft Entra activity log overview API access to Microsoft Entra audit logs: • Microsoft Graph v1.0 directoryAudit API • Audits with RoleManagement categoryEntitlement Management-specific roles In Microsoft Entra audit log, with category EntitlementManagement and Activity is one of:• Remove Entitlement Management role assignment• Add Entitlement Management role assignment |
Microsoft 365
Services in the Microsoft 365 suite.
Exchange
| Area | Content |
|---|---|
| Overview | Permissions in Exchange Online |
| Management API reference | Exchange-specific roles in Microsoft Entra ID Microsoft Graph v1.0 roleManagement API • Use directory provider• Roles with permissions starting with: microsoft.office365.exchangeExchange-specific roles Microsoft Graph Beta roleManagement API • Use exchange provider |
| Audit and monitoring reference | Exchange-specific roles in Microsoft Entra ID Microsoft Entra activity log overview API access to Microsoft Entra audit logs: • Microsoft Graph v1.0 directoryAudit API • Audits with RoleManagement categoryExchange-specific roles Use the Microsoft Graph Beta Security API (audit log query) and list audit events where recordType == ExchangeAdmin and Operation is one of:Add-RoleGroupMember, Remove-RoleGroupMember, Update-RoleGroupMember, New-RoleGroup, Remove-RoleGroup, New-ManagementRole, Remove-ManagementRoleEntry, New-ManagementRoleAssignment |
SharePoint
Includes SharePoint, OneDrive, Delve, Lists, Project Online, and Loop.
| Area | Content |
|---|---|
| Overview | About the SharePoint Administrator role in Microsoft 365 Delve for admins Control settings for Microsoft Lists Change permission management in Project Online |
| Management API reference | SharePoint-specific roles in Microsoft Entra ID Microsoft Graph v1.0 roleManagement API • Use directory provider• Roles with permissions starting with: microsoft.office365.sharepoint |
| Audit and monitoring reference | SharePoint-specific roles in Microsoft Entra ID Microsoft Entra activity log overview API access to Microsoft Entra audit logs: • Microsoft Graph v1.0 directoryAudit API • Audits with RoleManagement category |
Intune
| Area | Content |
|---|---|
| Overview | Role-based access control (RBAC) with Microsoft Intune |
| Management API reference | Intune-specific roles in Microsoft Entra ID Microsoft Graph v1.0 roleManagement API • Use directory provider• Roles with permissions starting with: microsoft.intuneIntune-specific roles Microsoft Graph Beta roleManagement API • Use deviceManagement provider• Alternatively, use Intune-specific Microsoft Graph Beta RBAC management API |
| Audit and monitoring reference | Intune-specific roles in Microsoft Entra ID Microsoft Graph v1.0 directoryAudit API • RoleManagement categoryIntune-specific roles Intune auditing overview API access to Intune-specific audit logs: • Microsoft Graph Beta getAuditActivityTypes API • First list activity types where category= Role, then use Microsoft Graph Beta auditEvents API to list all auditEvents for each activity type |
Teams
Includes Teams, Bookings, Copilot Studio for Teams, and Shifts.
| Area | Content |
|---|---|
| Overview | Use Microsoft Teams administrator roles to manage Teams |
| Management API reference | Teams-specific roles in Microsoft Entra ID Microsoft Graph v1.0 roleManagement API • Use directory provider• Roles with permissions starting with: microsoft.teams |
| Audit and monitoring reference | Teams-specific roles in Microsoft Entra ID Microsoft Entra activity log overview API access to Microsoft Entra audit logs: • Microsoft Graph v1.0 directoryAudit API • Audits with RoleManagement category |
Purview suite
Includes Purview suite, Azure Information Protection, and Information Barriers.
| Area | Content |
|---|---|
| Overview | Roles and role groups in Microsoft Defender for Office 365 and Microsoft Purview |
| Management API reference | Purview-specific roles in Microsoft Entra ID Microsoft Graph v1.0 roleManagement API • Use directory provider• See roles with permissions starting with: microsoft.office365.complianceManagermicrosoft.office365.protectionCentermicrosoft.office365.securityComplianceCenterPurview-specific roles Use PowerShell: Security & Compliance PowerShell. Specific cmdlets are: Get-RoleGroup Get-RoleGroupMember New-RoleGroup Add-RoleGroupMember Update-RoleGroupMember Remove-RoleGroupMember Remove-RoleGroup |
| Audit and monitoring reference | Purview-specific roles in Microsoft Entra ID Microsoft Entra activity log overview API access to Microsoft Entra audit logs: • Microsoft Graph v1.0 directoryAudit API • Audits with RoleManagement categoryPurview-specific roles Use the Microsoft Graph Beta Security API (audit log query Beta) and list audit events where recordType == SecurityComplianceRBAC and Operation is one of Add-RoleGroupMember, Remove-RoleGroupMember, Update-RoleGroupMember, New-RoleGroup, Remove-RoleGroup |
Power Platform
Includes Power Platform, Dynamics 365, Flow, and Dataverse for Teams.
| Area | Content |
|---|---|
| Overview | Use service admin roles to manage your tenant Security roles and privileges |
| Management API reference | Power Platform-specific roles in Microsoft Entra ID Microsoft Graph v1.0 roleManagement API • Use directory provider• See roles with permissions starting with: microsoft.powerAppsmicrosoft.dynamics365microsoft.flowDataverse-specific roles Perform operations using the Web API • Query the User (SystemUser) table/entity reference • Role assignments are part of the systemuserroles_association tables |
| Audit and monitoring reference | Power Platform-specific roles in Microsoft Entra ID Microsoft Entra activity log overview API access to Microsoft Entra audit logs: • Microsoft Graph v1.0 directoryAudit API • Audits with RoleManagement categoryDataverse-specific roles Dataverse auditing overview API to access dataverse-specific audit logs Dataverse Web API • Audit table reference • Audits with action codes: 53 – Assign Role To Team 54 – Remove Role From Team 55 – Assign Role To User 56 – Remove Role From User 57 – Add Privileges to Role 58 – Remove Privileges From Role 59 – Replace Privileges In Role |
Defender suite
Includes Defender suite, Secure Score, Cloud App Security, and Threat Intelligence.
| Area | Content |
|---|---|
| Overview | Microsoft Defender XDR Unified role-based access control (RBAC) |
| Management API reference | Defender-specific roles in Microsoft Entra ID Microsoft Graph v1.0 roleManagement API • Use directory provider• The following roles have permissions (reference): Security Administrator, Security Operator, Security Reader, Global Administrator, and Global Reader Defender-specific roles Workloads must be activated to use Defender unified RBAC. See Activate Microsoft Defender XDR Unified role-based access control (RBAC). Activating defender Unified RBAC will turn off individual Defender solution roles. • Can only be managed via security.microsoft.com portal. |
| Audit and monitoring reference | Defender-specific roles in Microsoft Entra ID Microsoft Entra activity log overview API access to Microsoft Entra audit logs: • Microsoft Graph v1.0 directoryAudit API • Audits with RoleManagement category |
Viva Engage
| Area | Content |
|---|---|
| Overview | Manage administrator roles in Viva Engage |
| Management API reference | Viva Engage-specific roles in Microsoft Entra ID Microsoft Graph v1.0 roleManagement API • Use directory provider• See roles with permissions starting with microsoft.office365.yammer.Viva Engage-specific roles • Verified admin and Network admin roles can be managed via the Yammer admin center. • Corporate communicator role can be assigned via the Viva Engage admin center. • Yammer Data Export API can be used to export admins.csv to read the list of admins |
| Audit and monitoring reference | Viva Engage-specific roles in Microsoft Entra ID Microsoft Entra activity log overview API access to Microsoft Entra audit logs: • Microsoft Graph v1.0 directoryAudit API • Audits with RoleManagement categoryViva Engage-specific roles • Use Yammer Data Export API to incrementally export admins.csv for a list of admins |
Viva Connections
| Area | Content |
|---|---|
| Overview | Admin roles and tasks in Microsoft Viva |
| Management API reference | Viva Connections-specific roles in Microsoft Entra ID Microsoft Graph v1.0 roleManagement API • Use directory provider• The following roles have permissions: SharePoint Administrator, Teams Administrator, and Global Administrator |
| Audit and monitoring reference | Viva Connections-specific roles in Microsoft Entra ID Microsoft Entra activity log overview API access to Microsoft Entra audit logs: • Microsoft Graph v1.0 directoryAudit API • Audits with RoleManagement category |
Viva Learning
| Area | Content |
|---|---|
| Overview | Set up Microsoft Viva Learning in the Teams admin center |
| Management API reference | Viva Learning-specific roles in Microsoft Entra ID Microsoft Graph v1.0 roleManagement API • Use directory provider• See roles with permissions starting with microsoft.office365.knowledge |
| Audit and monitoring reference | Viva Learning-specific roles in Microsoft Entra ID Microsoft Entra activity log overview API access to Microsoft Entra audit logs: • Microsoft Graph v1.0 directoryAudit API • Audits with RoleManagement category |
Viva Insights
| Area | Content |
|---|---|
| Overview | Roles in Viva Insights |
| Management API reference | Viva Insights-specific roles in Microsoft Entra ID Microsoft Graph v1.0 roleManagement API • Use directory provider• See roles with permissions starting with microsoft.office365.insights |
| Audit and monitoring reference | Viva Insights-specific roles in Microsoft Entra ID Microsoft Entra activity log overview API access to Microsoft Entra audit logs: • Microsoft Graph v1.0 directoryAudit API • Audits with RoleManagement category |
Search
| Area | Content |
|---|---|
| Overview | Set up Microsoft Search |
| Management API reference | Search-specific roles in Microsoft Entra ID Microsoft Graph v1.0 roleManagement API • Use directory provider• See roles with permissions starting with microsoft.office365.search |
| Audit and monitoring reference | Search-specific roles in Microsoft Entra ID Microsoft Entra activity log overview API access to Microsoft Entra audit logs: • Microsoft Graph v1.0 directoryAudit API • Audits with RoleManagement category |
Universal Print
| Area | Content |
|---|---|
| Overview | Universal Print Administrator Roles |
| Management API reference | Universal Print-specifc roles in Microsoft Entra ID Microsoft Graph v1.0 roleManagement API • Use directory provider• See roles with permissions starting with microsoft.azure.print |
| Audit and monitoring reference | Universal Print-specifc roles in Microsoft Entra ID Microsoft Entra activity log overview API access to Microsoft Entra audit logs: • Microsoft Graph v1.0 directoryAudit API • Audits with RoleManagement category |
Microsoft 365 Apps suite management
Includes Microsoft 365 Apps suite management and Forms.
| Area | Content |
|---|---|
| Overview | Overview of the Microsoft 365 Apps admin center Administrator settings for Microsoft Forms |
| Management API reference | Microsoft 365 Apps-specific roles in Microsoft Entra ID Microsoft Graph v1.0 roleManagement API • Use directory provider• The following roles have permissions: Office Apps Administrator, Security Administrator, Global Administrator |
| Audit and monitoring reference | Microsoft 365 Apps-specific roles in Microsoft Entra ID Microsoft Entra activity log overview API access to Microsoft Entra audit logs: • Microsoft Graph v1.0 directoryAudit API • Audits with RoleManagement category |
Azure
Azure role-based access control (Azure RBAC) for the Azure control plane and subscription information.
Azure
Includes Azure and Sentinel.
| Area | Content |
|---|---|
| Overview | What is Azure role-based access control (Azure RBAC)? Roles and permissions in Microsoft Sentinel |
| Management API reference | Azure service-specific roles in Azure Azure Resource Manager Authorization API • Role assignment: List, Create/Update, Delete • Role definition: List, Create/Update, Delete • There is a legacy method to grant access to Azure resources called classic administrators. Classic administrators are equivalent to the Owner role in Azure RBAC. Classic administrators will be retired in August 2024. • Note that an Microsoft Entra Global Administrator can gain unilateral access to Azure via elevate access. |
| Audit and monitoring reference | Azure service-specific roles in Azure Monitor Azure RBAC changes in the Azure Activity Log • Azure Activity Log API • Audits with Event Category Administrative and Operation Create role assignment, Delete role assignment, Create or update custom role definition, Delete custom role definition.View Elevate Access logs in the tenant level Azure Activity Log • Azure Activity Log API – Tenant Activity Logs • Audits with Event Category Administrative and containing string elevateAccess.• Access to tenant level activity logs requires using elevate access at least once to gain tenant level access. |
Commerce
Services related to purchasing and billing.
Cost Management and Billing – Enterprise Agreements
| Area | Content |
|---|---|
| Overview | Managing Azure Enterprise Agreement roles |
| Management API reference | Enterprise Agreements-specific roles in Microsoft Entra ID Enterprise Agreements does not support Microsoft Entra roles. Enterprise Agreements-specific roles Billing Role Assignments API • Enterprise Administrator (Role ID: 9f1983cb-2574-400c-87e9-34cf8e2280db) • Enterprise Administrator (read only) (Role ID: 24f8edb6-1668-4659-b5e2-40bb5f3a7d7e) • EA Purchaser (Role ID: da6647fb-7651-49ee-be91-c43c4877f0c4) Enrollment Department Role Assignments API • Department Admin (Role ID: fb2cf67f-be5b-42e7-8025-4683c668f840) • Department Reader (Role ID: db609904-a47f-4794-9be8-9bd86fbffd8a) Enrollment Account Role Assignments API • Account Owner (Role ID: c15c22c0-9faf-424c-9b7e-bd91c06a240b) |
| Audit and monitoring reference | Enterprise Agreements-specific roles Azure Activity Log API – Tenant Activity Logs • Access to tenant level activity logs requires using elevate access at least once to gain tenant level access. • Audits where resourceProvider == Microsoft.Billing and operationName contains billingRoleAssignments or EnrollmentAccount |
Cost Management and Billing – Microsoft Customer Agreements
| Area | Content |
|---|---|
| Overview | Understand Microsoft Customer Agreement administrative roles in Azure Understand your Microsoft business billing account |
| Management API reference | Microsoft Customer Agreements-specific roles in Microsoft Entra ID Microsoft Graph v1.0 roleManagement API • Use directory provider• The following roles have permissions: Billing Administrator, Global Administrator. Microsoft Customer Agreements-specific roles • By default, the Microsoft Entra Global Administrator and Billing Administrator roles are automatically assigned the Billing Account Owner role in Microsoft Customer Agreements-specific RBAC. • Billing Role Assignment API |
| Audit and monitoring reference | Microsoft Customer Agreements-specific roles in Microsoft Entra ID Microsoft Entra activity log overview API access to Microsoft Entra audit logs: • Microsoft Graph v1.0 directoryAudit API • Audits with category RoleManagementMicrosoft Customer Agreements-specific roles Azure Activity Log API – Tenant Activity Logs • Access to tenant level activity logs requires using elevate access at least once to gain tenant level access. • Audits where resourceProvider == Microsoft.Billing and operationName one of the following (all prefixed with Microsoft.Billing):/permissionRequests/write/billingAccounts/createBillingRoleAssignment/action/billingAccounts/billingProfiles/createBillingRoleAssignment/action/billingAccounts/billingProfiles/invoiceSections/createBillingRoleAssignment/action/billingAccounts/customers/createBillingRoleAssignment/action/billingAccounts/billingRoleAssignments/write/billingAccounts/billingRoleAssignments/delete/billingAccounts/billingProfiles/billingRoleAssignments/delete/billingAccounts/billingProfiles/customers/createBillingRoleAssignment/action/billingAccounts/billingProfiles/invoiceSections/billingRoleAssignments/delete/billingAccounts/departments/billingRoleAssignments/write/billingAccounts/departments/billingRoleAssignments/delete/billingAccounts/enrollmentAccounts/transferBillingSubscriptions/action/billingAccounts/enrollmentAccounts/billingRoleAssignments/write/billingAccounts/enrollmentAccounts/billingRoleAssignments/delete/billingAccounts/billingProfiles/invoiceSections/billingSubscriptions/transfer/action/billingAccounts/billingProfiles/invoiceSections/initiateTransfer/action/billingAccounts/billingProfiles/invoiceSections/transfers/delete/billingAccounts/billingProfiles/invoiceSections/transfers/cancel/action/billingAccounts/billingProfiles/invoiceSections/transfers/write/transfers/acceptTransfer/action/transfers/accept/action/transfers/decline/action/transfers/declineTransfer/action/billingAccounts/customers/initiateTransfer/action/billingAccounts/customers/transfers/delete/billingAccounts/customers/transfers/cancel/action/billingAccounts/customers/transfers/write/billingAccounts/billingProfiles/invoiceSections/products/transfer/action/billingAccounts/billingSubscriptions/elevateRole/action |
Business Subscriptions and Billing – Volume Licensing
| Area | Content |
|---|---|
| Overview | Manage volume licensing user roles Frequently Asked Questions |
| Management API reference | Volume Licensing-specific roles in Microsoft Entra ID Volume Licensing does not support Microsoft Entra roles. Volume Licensing-specific roles VL users and roles are managed in the M365 Admin Center. |
Partner Center
| Area | Content |
|---|---|
| Overview | Roles, permissions, and workspace access for users |
| Management API reference | Partner Center-specific roles in Microsoft Entra ID Microsoft Graph v1.0 roleManagement API • Use directory provider• The following roles have permissions: Global Administrator, User Administrator. Partner Center-specific roles Partner Center-specific roles can only be managed via Partner Center. |
| Audit and monitoring reference | Partner Center-specific roles in Microsoft Entra ID Microsoft Entra activity log overview API access to Microsoft Entra audit logs: • Microsoft Graph v1.0 directoryAudit API • Audits with category RoleManagement |
Other services
Azure DevOps
| Area | Content |
|---|---|
| Overview | About permissions and security groups |
| Management API reference | Azure DevOps-specific roles in Microsoft Entra ID Microsoft Graph v1.0 roleManagement API • Use directory provider• See roles with permissions starting with microsoft.azure.devOps.Azure DevOps-specific roles Create/read/update/delete permissions granted via Roleassignments API • View permissions of roles with Roledefinitions API • Permissions reference topic • When an Azure DevOps group (note: different from Microsoft Entra group) is assigned to a role, create/read/update/delete group memberships with the Memberships API |
| Audit and monitoring reference | Azure DevOps-specific roles in Microsoft Entra ID Microsoft Entra activity log overview API access to Microsoft Entra audit logs: • Microsoft Graph v1.0 directoryAudit API • Audits with category RoleManagementAzure DevOps-specific roles • Accessing the AzureDevOps Audit Log • Audit API reference • AuditId reference • Audits with ActionId Security.ModifyPermission, Security.RemovePermission.• For changes to groups assigned to roles, audits with ActionId Group.UpdateGroupMembership, Group.UpdateGroupMembership.Add, Group.UpdateGroupMembership.Remove |
Fabric
Includes Fabric and Power BI.
| Area | Content |
|---|---|
| Overview | Understand Microsoft Fabric admin roles |
| Management API reference | Fabric-specific roles in Microsoft Entra ID Microsoft Graph v1.0 roleManagement API • Use directory provider• See roles with permissions starting with microsoft.powerApps.powerBI. |
| Audit and monitoring reference | Fabric-specific roles in Microsoft Entra ID Microsoft Entra activity log overview API access to Microsoft Entra audit logs: • Microsoft Graph v1.0 directoryAudit API • Audits with category RoleManagement |
Unified Support Portal for managing customer support cases
Includes Unified Support Portal and Services Hub.
| Area | Content |
|---|---|
| Overview | Services Hub roles and permissions |
| Management API reference | Manage these roles in the Services Hub portal, https://serviceshub.microsoft.com. |
Microsoft Graph application permissions
In addition to the previously mentioned RBAC systems, elevated permissions can be granted to Microsoft Entra application registrations and service principals using application permissions. For example, a non-interactive, non-human application identity can be granted the ability to read all mail in a tenant (the Mail.Read application permission). The following table lists how to manage and monitor application permissions.
| Area | Content |
|---|---|
| Overview | Overview of Microsoft Graph permissions |
| Management API reference | Microsoft Graph-specific roles in Microsoft Entra ID Microsoft Graph v1.0 servicePrincipal API • Enumerate the appRoleAssignments for each servicePrincipal in the tenant. • For each appRoleAssignment, get information about the permissions granted by the assignment by reading the appRole property on the servicePrincipal object referenced by the resourceId and appRoleId in the appRoleAssignment. • Of specific interest are app permissions to the Microsoft Graph (servicePrincipal with appID == "00000003-0000-0000-c000-000000000000") which grant access to Exchange, SharePoint, Teams, and so on. Here is a reference for Microsoft Graph permissions. • Also see Microsoft Entra security operations for applications. |
| Audit and monitoring reference | Microsoft Graph-specific roles in Microsoft Entra ID Microsoft Entra activity log overview API access to Microsoft Entra audit logs: • Microsoft Graph v1.0 directoryAudit API • Audits with category ApplicationManagement and Activity name Add app role assignment to service principal |