User management permissions for Azure AD custom roles (preview)

Important

User management permissions for Azure AD custom roles is currently in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

User management permissions can be used in custom role definitions in Azure Active Directory (Azure AD) to grant fine-grained access such as the following:

  • Read or update basic properties of users
  • Read or update identity of users
  • Read or update job information of users
  • Update contact information of users
  • Update parental controls of users
  • Update settings of users
  • Read direct reports of users
  • Update extension properties of users
  • Read device information of users
  • Read or manage licenses of users
  • Update password policies of users
  • Read assignments and memberships of users

This article lists the permissions you can use in your custom roles for different user management scenarios. For information about how to create custom roles, see Create and assign a custom role.

License requirements

Using this feature requires Azure AD Premium P1 licenses. To find the right license for your requirements, see Compare generally available features of Azure AD.

Read or update basic properties of users

The following permissions are available to read or update basic properties of users.

Permission Description
microsoft.directory/users/standard/read Read basic properties on users.
microsoft.directory/users/basic/update Update basic properties on users.

Read or update identity of users

The following permissions are available to read or update identity of users.

Permission Description
microsoft.directory/users/identities/read Read identities of users.
microsoft.directory/users/identities/update Update the identity properties of users, such as name and user principal name.

Read or update job information of users

The following permissions are available to read or update job information of users.

Permission Description
microsoft.directory/users/manager/read Read manager of users.
microsoft.directory/users/manager/update Update manager for users.
microsoft.directory/users/jobInfo/update Update the job info properties of users, such as job title, department, and company name.

Update contact information of users

The following permissions are available to update contact information of users.

Permission Description
microsoft.directory/users/contactInfo/update Update the contact info properties of users, such as address, phone, and email.

Update parental controls of users

The following permissions are available to update parental controls of users.

Permission Description
microsoft.directory/users/parentalControls/update Update parental controls of users.

Update settings of users

The following permissions are available to update settings of users.

Permission Description
microsoft.directory/users/usageLocation/update Update usage location of users.

Read direct reports of users

The following permissions are available to read direct reports of users.

Permission Description
microsoft.directory/users/directReports/read Read the direct reports for users.

Update extension properties of users

The following permissions are available to update extension properties of users.

Permission Description
microsoft.directory/users/extensionProperties/update Update extension properties of users.

Read device information of users

The following permissions are available to read device information of users.

Permission Description
microsoft.directory/users/ownedDevices/read Read owned devices of users.
microsoft.directory/users/registeredDevices/read Read registered devices of users.
microsoft.directory/users/deviceForResourceAccount/read Read deviceForResourceAccount of users.

Read or manage licenses of users

The following permissions are available to read or manage licenses of users.

Permission Description
microsoft.directory/users/licenseDetails/read Read license details of users.
microsoft.directory/users/assignLicense Manage user licenses.
microsoft.directory/users/reprocessLicenseAssignment Reprocess license assignments for users.

Update password policies of users

The following permissions are available to update password policies of users.

Permission Description
microsoft.directory/users/passwordPolicies/update Update the password policy properties of users.

Read assignments and memberships of users

The following permissions are available to read assignments and memberships of users.

Permission Description
microsoft.directory/users/appRoleAssignments/read Read application role assignments for users.
microsoft.directory/users/scopedRoleMemberOf/read Read a user's membership of an Azure AD role that is scoped to an administrative unit.
microsoft.directory/users/memberOf/read Read the group memberships of users.

Full list of permissions

Permission Description
microsoft.directory/users/appRoleAssignments/read Read application role assignments for users.
microsoft.directory/users/assignLicense Manage user licenses.
microsoft.directory/users/basic/update Update basic properties on users.
microsoft.directory/users/contactInfo/update Update the contact info properties of users, such as address, phone, and email.
microsoft.directory/users/deviceForResourceAccount/read Read deviceForResourceAccount of users.
microsoft.directory/users/directReports/read Read the direct reports for users.
microsoft.directory/users/extensionProperties/update Update extension properties of users.
microsoft.directory/users/identities/read Read identities of users.
microsoft.directory/users/identities/update Update the identity properties of users, such as name and user principal name.
microsoft.directory/users/jobInfo/update Update the job info properties of users, such as job title, department, and company name.
microsoft.directory/users/licenseDetails/read Read license details of users.
microsoft.directory/users/manager/read Read manager of users.
microsoft.directory/users/manager/update Update manager for users.
microsoft.directory/users/memberOf/read Read the group memberships of users.
microsoft.directory/users/ownedDevices/read Read owned devices of users.
microsoft.directory/users/parentalControls/update Update parental controls of users.
microsoft.directory/users/passwordPolicies/update Update the password policy properties of users.
microsoft.directory/users/registeredDevices/read Read registered devices of users.
microsoft.directory/users/reprocessLicenseAssignment Reprocess license assignments for users.
microsoft.directory/users/scopedRoleMemberOf/read Read a user's membership of an Azure AD role that is scoped to an administrative unit.
microsoft.directory/users/standard/read Read basic properties on users.
microsoft.directory/users/usageLocation/update Update usage location of users.
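As an added example (not code from this article or from Microsoft), the following script groups the permissions listed above into read and update actions, builds a custom role body that grants only the job-information permissions, and reviews any role definition for actions outside this list and for the writes it grants. It assumes the Microsoft Graph unifiedRoleDefinition body shape (displayName, description, isEnabled, rolePermissions with allowedResourceActions); the role name, description and the help-desk scenario are constructed for illustration.

```python
import json

# Permission names taken from this page's tables, grouped by effect
# (constructed here from the page; not an official or exhaustive API list).
_USER = "microsoft.directory/users/"
READ_ACTIONS = {_USER + a for a in (
    "standard/read", "identities/read", "manager/read", "directReports/read",
    "ownedDevices/read", "registeredDevices/read", "deviceForResourceAccount/read",
    "licenseDetails/read", "appRoleAssignments/read", "scopedRoleMemberOf/read",
    "memberOf/read")}
WRITE_ACTIONS = {_USER + a for a in (
    "basic/update", "identities/update", "manager/update", "jobInfo/update",
    "contactInfo/update", "parentalControls/update", "usageLocation/update",
    "extensionProperties/update", "assignLicense", "reprocessLicenseAssignment",
    "passwordPolicies/update")}


def build_role_definition(display_name, description, actions):
    """Build a unifiedRoleDefinition body (assumed Graph roleDefinitions shape)."""
    return {
        "displayName": display_name,
        "description": description,
        "isEnabled": True,
        "rolePermissions": [{"allowedResourceActions": sorted(set(actions))}],
    }


def review_role_definition(role):
    """Least-privilege review: unknown actions, and the reads/writes the role grants."""
    granted = {a for perm in role.get("rolePermissions", [])
               for a in perm.get("allowedResourceActions", [])}
    return {
        "unknown": sorted(granted - READ_ACTIONS - WRITE_ACTIONS),
        "reads": sorted(granted & READ_ACTIONS),
        "writes": sorted(granted & WRITE_ACTIONS),
    }


# Constructed example: a help-desk role limited to reading users and maintaining job info.
HELPDESK_ROLE = build_role_definition(
    "User Job Info Maintainer",
    "Read basic user properties; update manager and job information only",
    [_USER + "standard/read", _USER + "manager/read",
     _USER + "manager/update", _USER + "jobInfo/update"],
)

if __name__ == "__main__":
    print(json.dumps(HELPDESK_ROLE, indent=2))
    print(json.dumps(review_role_definition(HELPDESK_ROLE), indent=2))
```

Running the review over a role exported from the tenant lets you spot update actions (for example passwordPolicies/update or identities/update) that a read-only support role should not carry.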

Next steps