Roles you can't manage in Privileged Identity Management

You can manage just-in-time assignments to all Azure AD roles and all Azure roles using Privileged Identity Management (PIM) in Azure Active Directory (Azure AD), part of Microsoft Entra. Azure roles include built-in and custom roles attached to your management groups, subscriptions, resource groups, and resources. However, there are a few roles that you can't manage. This article describes the roles you can't manage in Privileged Identity Management.

Classic subscription administrator roles

You cannot manage the following classic subscription administrator roles in Privileged Identity Management:

  • Account Administrator
  • Service Administrator
  • Co-Administrator

For more information about the classic subscription administrator roles, see Azure roles, Azure AD roles, and classic subscription administrator roles.
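Because these classic assignments sit outside PIM, a practical check is to inventory them so they can be reviewed separately. The following is an added example (not code from this article or from Microsoft) that uses the Az PowerShell module; it assumes you have already run Connect-AzAccount, and the function name Get-ClassicAdminOutsidePim is our own.

```powershell
# Added example: list classic subscription administrator assignments, which
# PIM cannot manage, across every subscription visible to the signed-in account.
# Assumes the Az module is installed and Connect-AzAccount has been run.
$ClassicRoles = @('AccountAdministrator', 'ServiceAdministrator', 'CoAdministrator')

function Get-ClassicAdminOutsidePim {
    $findings = @()
    foreach ($sub in Get-AzSubscription) {
        Set-AzContext -SubscriptionId $sub.Id | Out-Null
        # -IncludeClassicAdministrators adds the classic admins to the RBAC listing.
        # One principal can hold several classic roles; Az reports them joined
        # with ';' (for example "ServiceAdministrator;AccountAdministrator"),
        # so split the value and match each part against the classic role names.
        $assignments = Get-AzRoleAssignment -IncludeClassicAdministrators
        foreach ($a in $assignments) {
            $roles   = ($a.RoleDefinitionName -split ';') | ForEach-Object { $_.Trim() }
            $classic = $roles | Where-Object { $ClassicRoles -contains $_ }
            if ($classic) {
                $findings += [pscustomobject]@{
                    Subscription = $sub.Name
                    SignInName   = $a.SignInName
                    ClassicRoles = ($classic -join ',')
                    Scope        = $a.Scope
                }
            }
        }
    }
    return $findings
}

# Each row is a standing (non-PIM) administrator assignment worth reviewing.
Get-ClassicAdminOutsidePim | Format-Table -AutoSize
```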

What about Microsoft 365 admin roles?

We support all Microsoft 365 roles in the Azure AD Roles and Administrators portal experience, such as Exchange Administrator and SharePoint Administrator, but we don't support specific roles within Exchange RBAC or SharePoint RBAC. For more information about these Microsoft 365 services, see Microsoft 365 admin roles.
  • Eligible users for the SharePoint administrator role, the Device administrator role, and any roles trying to access the Microsoft Security & Compliance Center might experience delays of up to a few hours after activating their role. We are working with those teams to fix the issues.
  • For information about delays activating the Azure AD Joined Device Local Administrator role, see How to manage the local administrators group on Azure AD joined devices.

Next steps