Understand roles in Azure Active Directory
There are about 60 Azure Active Directory (Azure AD) built-in roles, which are roles with a fixed set of role permissions. To supplement the built-in roles, Azure AD also supports custom roles. Use custom roles to select the role permissions that you want. For example, you could create one to manage particular Azure AD resources such as applications or service principals.
This article explains what Azure AD roles are and how they can be used.
How Azure AD roles are different from other Microsoft 365 roles
There are many different services in Microsoft 365, such as Azure AD and Intune. Some of these services have their own role-based access control systems, specifically:
- Azure Active Directory (Azure AD)
- Microsoft Exchange
- Microsoft Intune
- Microsoft Defender for Cloud Apps
- Microsoft 365 Defender portal
- Compliance portal
- Cost Management + Billing
Other services such as Teams, SharePoint, and Managed Desktop don’t have separate role-based access control systems. They use Azure AD roles for their administrative access. Azure has its own role-based access control system for Azure resources such as virtual machines, and this system is not the same as Azure AD roles.
When we say separate role-based access control system. it means there is a different data store where role definitions and role assignments are stored. Similarly, there is a different policy decision point where access checks happen. For more information, see Roles for Microsoft 365 services in Azure AD and Classic subscription administrator roles, Azure roles, and Azure AD roles.
Why some Azure AD roles are for other services
Microsoft 365 has a number of role-based access control systems that developed independently over time, each with its own service portal. To make it convenient for you to manage identity across Microsoft 365 from the Azure portal, we have added some service-specific built-in roles, each of which grants administrative access to a Microsoft 365 service. An example of this addition is the Exchange Administrator role in Azure AD. This role is equivalent to the Organization Management role group in the Exchange role-based access control system, and can manage all aspects of Exchange. Similarly, we added the Intune Administrator role, Teams Administrator, SharePoint Administrator, and so on. Service-specific roles is one category of Azure AD built-in roles in the following section.
Categories of Azure AD roles
Azure AD built-in roles differ in where they can be used, which fall into the following three broad categories.
- Azure AD-specific roles: These roles grant permissions to manage resources within Azure AD only. For example, User Administrator, Application Administrator, Groups Administrator all grant permissions to manage resources that live in Azure AD.
- Service-specific roles: For major Microsoft 365 services (non-Azure AD), we have built service-specific roles that grant permissions to manage all features within the service. For example, Exchange Administrator, Intune Administrator, SharePoint Administrator, and Teams Administrator roles can manage features with their respective services. Exchange Administrator can manage mailboxes, Intune Administrator can manage device policies, SharePoint Administrator can manage site collections, Teams Administrator can manage call qualities and so on.
- Cross-service roles: There are some roles that span services. We have two global roles - Global Administrator and Global Reader. All Microsoft 365 services honor these two roles. Also, there are some security-related roles like Security Administrator and Security Reader that grant access across multiple security services within Microsoft 365. For example, using Security Administrator roles in Azure AD, you can manage Microsoft 365 Defender portal, Microsoft Defender Advanced Threat Protection, and Microsoft Defender for Cloud Apps. Similarly, in the Compliance Administrator role you can manage Compliance-related settings in Compliance portal, Exchange, and so on.
The following table is offered as an aid to understanding these role categories. The categories are named arbitrarily, and aren't intended to imply any other capabilities beyond the documented Azure AD role permissions.
|Azure AD-specific roles||Application Administrator
B2C IEF Keyset Administrator
B2C IEF Policy Administrator
Cloud Application Administrator
Cloud Device Administrator
Conditional Access Administrator
Directory Synchronization Accounts
External ID User Flow Administrator
External ID User Flow Attribute Administrator
External Identity Provider Administrator
Hybrid Identity Administrator
Partner Tier1 Support
Partner Tier2 Support
Privileged Authentication Administrator
Privileged Role Administrator
|Cross-service roles||Global Administrator
Compliance Data Administrator
Service Support Administrator
|Service-specific roles||Azure DevOps Administrator
Azure Information Protection Administrator
CRM Service Administrator
Customer Lockbox Access Approver
Desktop Analytics Administrator
Exchange Service Administrator
Insights Business Leader
Intune Service Administrator
Lync Service Administrator
Message Center Privacy Reader
Message Center Reader
Modern Commerce User
Office Apps Administrator
Power BI Service Administrator
Power Platform Administrator
SharePoint Service Administrator
Teams Communications Administrator
Teams Communications Support Engineer
Teams Communications Support Specialist
Teams Devices Administrator