Least privileged roles by task in Azure Active Directory
In this article, you can find the information needed to restrict a user's administrator permissions by assigning least privileged roles in Azure Active Directory (Azure AD). You will find tasks organized by feature area and the least privileged role required to perform each task, along with additional non-Global Administrator roles that can perform the task.
You can further restrict permissions by assigning roles at smaller scopes or by creating your own custom roles. For more information, see Assign Azure AD roles at different scopes or Create and assign a custom role.
Application proxy
Task | Least privileged role | Additional roles |
---|---|---|
Configure application proxy app | Application Administrator | |
Configure connector group properties | Application Administrator | |
Create application registration when ability is disabled for all users | Application Developer | Cloud Application Administrator Application Administrator |
Create connector group | Application Administrator | |
Delete connector group | Application Administrator | |
Disable application proxy | Application Administrator | |
Download connector service | Application Administrator | |
Read all configuration | Application Administrator |
External Identities/B2C
Task | Least privileged role | Additional roles |
---|---|---|
Create Azure AD B2C directories | All non-guest users | |
Create B2C applications | Global Administrator | |
Create enterprise applications | Cloud Application Administrator | Application Administrator |
Create, read, update, and delete B2C policies | B2C IEF Policy Administrator | |
Create, read, update, and delete identity providers | External Identity Provider Administrator | |
Create, read, update, and delete password reset user flows | External ID User Flow Administrator | |
Create, read, update, and delete profile editing user flows | External ID User Flow Administrator | |
Create, read, update, and delete sign-in user flows | External ID User Flow Administrator | |
Create, read, update, and delete sign-up user flow | External ID User Flow Administrator | |
Create, read, update, and delete user attributes | External ID User Flow Attribute Administrator | |
Create, read, update, and delete users | User Administrator | |
Configure B2B external collaboration settings | Global Administrator | |
Read all configuration | Global Reader | |
Read B2C audit logs | Global Reader |
Note
Azure AD B2C Global Administrators do not have the same permissions as Azure AD Global Administrators. If you have Azure AD B2C Global Administrator privileges, make sure that you are in an Azure AD B2C directory and not an Azure AD directory.
Company branding
Task | Least privileged role | Additional roles |
---|---|---|
Configure company branding | Global Administrator | |
Read all configuration | Directory Readers | Default user role |
Company properties
Task | Least privileged role | Additional roles |
---|---|---|
Configure company properties | Global Administrator |
Connect
Task | Least privileged role | Additional roles |
---|---|---|
Passthrough authentication | Global Administrator | |
Read all configuration | Global Reader | Global Administrator |
Seamless single sign-on | Global Administrator |
Cloud Provisioning
Task | Least privileged role | Additional roles |
---|---|---|
Passthrough authentication | Hybrid Identity Administrator | |
Read all configuration | Global Reader | Hybrid Identity Administrator |
Seamless single sign-on | Hybrid Identity Administrator |
Connect Health
Task | Least privileged role | Additional roles |
---|---|---|
Add or delete services | Owner | |
Apply fixes to sync error | Contributor | Owner |
Configure notifications | Contributor | Owner |
Configure settings | Owner | |
Configure sync notifications | Contributor | Owner |
Read ADFS security reports | Security Reader | Contributor Owner |
Read all configuration | Reader | Contributor Owner |
Read sync errors | Reader | Contributor Owner |
Read sync services | Reader | Contributor Owner |
View metrics and alerts | Reader | Contributor Owner |
View metrics and alerts | Reader | Contributor Owner |
View sync service metrics and alerts | Reader | Contributor Owner |
Custom domain names
Task | Least privileged role | Additional roles |
---|---|---|
Manage domains | Domain Name Administrator | |
Read all configuration | Directory Readers | Default user role |
Domain Services
Task | Least privileged role | Additional roles |
---|---|---|
Create Azure AD Domain Services instance | Application Administrator Groups Administrator Domain Services Contributor |
|
Perform all Azure AD Domain Services tasks | AAD DC Administrators group | |
Read all configuration | Reader on Azure subscription containing AD DS service |
Devices
Task | Least privileged role | Additional roles |
---|---|---|
Delete device | Cloud Device Administrator | Intune Administrator |
Disable device | Cloud Device Administrator | Intune Administrator |
Enable device | Cloud Device Administrator | Intune Administrator |
Read basic configuration | Default user role | |
Read BitLocker keys | Cloud Device Administrator | Helpdesk Administrator Intune Administrator Security Administrator Security Reader |
Enterprise applications
Entitlement management
Task | Least privileged role | Additional roles |
---|---|---|
Add resources to a catalog | Identity Governance Administrator | With entitlement management, you can delegate this task to the catalog owner |
Add SharePoint Online sites to catalog | SharePoint Administrator |
Groups
Task | Least privileged role | Additional roles |
---|---|---|
Assign license | User Administrator | |
Create group | Groups Administrator | User Administrator |
Create, update, or delete access review of a group or of an app | User Administrator | |
Manage group expiration | User Administrator | |
Manage group settings | Groups Administrator | User Administrator |
Read all configuration (except hidden membership) | Directory Readers | Default user role |
Read hidden membership | Group member | Group owner Password Administrator Exchange Administrator SharePoint Administrator Teams Administrator User Administrator |
Read membership of groups with hidden membership | Helpdesk Administrator | User Administrator Teams Administrator |
Revoke license | License Administrator | User Administrator |
Update group membership | Group owner | User Administrator |
Update group owners | Group owner | User Administrator |
Update group properties | Group owner | User Administrator |
Delete group | Groups Administrator | User Administrator |
Identity Protection
Task | Least privileged role | Additional roles |
---|---|---|
Configure alert notifications | Security Administrator | |
Configure and enable or disable MFA policy | Security Administrator | |
Configure and enable or disable sign-in risk policy | Security Administrator | |
Configure and enable or disable user risk policy | Security Administrator | |
Configure weekly digests | Security Administrator | |
Dismiss all risk detections | Security Administrator | |
Fix or dismiss vulnerability | Security Administrator | |
Read all configuration | Security Reader | |
Read all risk detections | Security Reader | |
Read vulnerabilities | Security Reader |
Licenses
Task | Least privileged role | Additional roles |
---|---|---|
Assign license | License Administrator | User Administrator |
Read all configuration | Directory Readers | Default user role |
Revoke license | License Administrator | User Administrator |
Try or buy subscription | Billing Administrator |
Monitoring - Audit logs
Task | Least privileged role | Additional roles |
---|---|---|
Read audit logs | Reports Reader | Security Reader Security Administrator |
Monitoring - Sign-ins
Task | Least privileged role | Additional roles |
---|---|---|
Read sign-in logs | Reports Reader | Security Reader Security Administrator Global Reader |
Multi-factor authentication
Task | Least privileged role | Additional roles |
---|---|---|
Delete all existing app passwords generated by the selected users | Global Administrator | |
Disable per-user MFA | Authentication Administrator | Privileged Authentication Administrator |
Enable per-user MFA | Authentication Administrator | Privileged Authentication Administrator |
Manage MFA service settings | Authentication Policy Administrator | |
Require selected users to provide contact methods again | Authentication Administrator | |
Restore multi-factor authentication on all remembered devices | Authentication Administrator |
MFA Server
Task | Least privileged role | Additional roles |
---|---|---|
Block/unblock users | Authentication Policy Administrator | |
Configure account lockout | Authentication Policy Administrator | |
Configure caching rules | Authentication Policy Administrator | |
Configure fraud alert | Authentication Policy Administrator | |
Configure notifications | Authentication Policy Administrator | |
Configure one-time bypass | Authentication Policy Administrator | |
Configure phone call settings | Authentication Policy Administrator | |
Configure providers | Authentication Policy Administrator | |
Configure server settings | Authentication Policy Administrator | |
Read activity report | Global Reader | |
Read all configuration | Global Reader | |
Read server status | Global Reader |
Organizational relationships
Task | Least privileged role | Additional roles |
---|---|---|
Manage identity providers | External Identity Provider Administrator | |
Manage settings | Global Administrator | |
Manage privacy statement and contact | Global Administrator | |
Read all configuration | Global Reader |
Password reset
Task | Least privileged role | Additional roles |
---|---|---|
Configure authentication methods | Global Administrator | |
Configure customization | Global Administrator | |
Configure notification | Global Administrator | |
Configure on-premises integration | Global Administrator | |
Configure password reset properties | User Administrator | Global Administrator |
Configure registration | Global Administrator | |
Read all configuration | Security Administrator | User Administrator |
Privileged identity management
Task | Least privileged role | Additional roles |
---|---|---|
Assign users to roles | Privileged Role Administrator | |
Configure role settings | Privileged Role Administrator | |
View audit activity | Security Reader | |
View role memberships | Security Reader |
Roles and administrators
Task | Least privileged role | Additional roles |
---|---|---|
Manage role assignments | Privileged Role Administrator | |
Read access review of an Azure AD role | Security Reader | Security Administrator Privileged Role Administrator |
Read all configuration | Default user role |
Security - Authentication methods
Task | Least privileged role | Additional roles |
---|---|---|
Configure authentication methods | Global Administrator | |
Configure password protection | Security Administrator | |
Configure smart lockout | Security Administrator | |
Read all configuration | Global Reader |
Security - Conditional Access
Security - Identity security score
Task | Least privileged role | Additional roles |
---|---|---|
Read all configuration | Security Reader | Security Administrator |
Read security score | Security Reader | Security Administrator |
Update event status | Security Administrator |
Security - Risky sign-ins
Task | Least privileged role | Additional roles |
---|---|---|
Read all configuration | Security Reader | |
Read risky sign-ins | Security Reader |
Security - Users flagged for risk
Task | Least privileged role | Additional roles |
---|---|---|
Dismiss all events | Security Administrator | |
Read all configuration | Security Reader | |
Read users flagged for risk | Security Reader |
Temporary Access Pass
Task | Least privileged role | Additional roles |
---|---|---|
Create, delete, or view a Temporary Access Pass for any user (except themselves) and can configure and manage authentication method policy | Global Administrator | |
Create, delete, or view a Temporary Access Pass for admins or members (except themselves) | Privileged Authentication Administrator | |
Create, delete, or view a Temporary Access Pass for members (except themselves) | Authentication Administrator | |
View a Temporary Access Pass details for a user (without reading the code itself) | Global Reader | |
Configure or update the Temporary Access Pass authentication method policy | Authentication Policy Administrator |
Tenant Creation
Task | Least privileged role | Additional roles |
---|---|---|
Create Azure AD or Azure AD B2C Tenant | Tenant Creator | Global Administrator |
Users
Task | Least privileged role | Additional roles |
---|---|---|
Add user to directory role | Privileged Role Administrator | |
Add user to group | User Administrator | |
Assign license | License Administrator | User Administrator |
Create guest user | Guest Inviter | User Administrator |
Reset guest user invite | User Administrator | Global Administrator |
Create user | User Administrator | |
Delete users | User Administrator | |
Invalidate refresh tokens of limited admins | User Administrator | |
Invalidate refresh tokens of non-admins | Helpdesk Administrator | User Administrator |
Invalidate refresh tokens of privileged admins | Privileged Authentication Administrator | |
Read basic configuration | Default user role | |
Reset password for limited admins | User Administrator | |
Reset password of non-admins | Password Administrator | User Administrator |
Reset password of privileged admins | Privileged Authentication Administrator | |
Revoke license | License Administrator | User Administrator |
Update all properties except User Principal Name | User Administrator | |
Update User Principal Name for limited admins | User Administrator | |
Update User Principal Name property on privileged admins | Global Administrator | |
Update user settings | Global Administrator | |
Update Authentication methods | Authentication Administrator | Privileged Authentication Administrator Global Administrator |
Support
Next steps
Feedback
Submit and view feedback for