Least privileged roles by task in Azure Active Directory

Article
03/16/2023

In this article, you can find the information needed to restrict a user's administrator permissions by assigning least privileged roles in Azure Active Directory (Azure AD). You will find tasks organized by feature area and the least privileged role required to perform each task, along with additional non-Global Administrator roles that can perform the task.

You can further restrict permissions by assigning roles at smaller scopes or by creating your own custom roles. For more information, see Assign Azure AD roles at different scopes or Create and assign a custom role.

Application proxy

Task	Least privileged role	Additional roles
Configure application proxy app	Application Administrator
Configure connector group properties	Application Administrator
Create application registration when ability is disabled for all users	Application Developer	Cloud Application Administrator Application Administrator
Create connector group	Application Administrator
Delete connector group	Application Administrator
Disable application proxy	Application Administrator
Download connector service	Application Administrator
Read all configuration	Application Administrator

External Identities/B2C

Task	Least privileged role	Additional roles
Create Azure AD B2C directories	All non-guest users
Create B2C applications	Global Administrator
Create enterprise applications	Cloud Application Administrator	Application Administrator
Create, read, update, and delete B2C policies	B2C IEF Policy Administrator
Create, read, update, and delete identity providers	External Identity Provider Administrator
Create, read, update, and delete password reset user flows	External ID User Flow Administrator
Create, read, update, and delete profile editing user flows	External ID User Flow Administrator
Create, read, update, and delete sign-in user flows	External ID User Flow Administrator
Create, read, update, and delete sign-up user flow	External ID User Flow Administrator
Create, read, update, and delete user attributes	External ID User Flow Attribute Administrator
Create, read, update, and delete users	User Administrator
Configure B2B external collaboration settings	Global Administrator
Read all configuration	Global Reader
Read B2C audit logs	Global Reader

Note

Azure AD B2C Global Administrators do not have the same permissions as Azure AD Global Administrators. If you have Azure AD B2C Global Administrator privileges, make sure that you are in an Azure AD B2C directory and not an Azure AD directory.

Company branding

Task	Least privileged role	Additional roles
Configure company branding	Global Administrator
Read all configuration	Directory Readers	Default user role

Company properties

Task	Least privileged role	Additional roles
Configure company properties	Global Administrator

Connect

Task	Least privileged role	Additional roles
Passthrough authentication	Global Administrator
Read all configuration	Global Reader	Global Administrator
Seamless single sign-on	Global Administrator

Cloud Provisioning

Task	Least privileged role	Additional roles
Passthrough authentication	Hybrid Identity Administrator
Read all configuration	Global Reader	Hybrid Identity Administrator
Seamless single sign-on	Hybrid Identity Administrator

Connect Health

Task	Least privileged role	Additional roles
Add or delete services	Owner
Apply fixes to sync error	Contributor	Owner
Configure notifications	Contributor	Owner
Configure settings	Owner
Configure sync notifications	Contributor	Owner
Read ADFS security reports	Security Reader	Contributor Owner
Read all configuration	Reader	Contributor Owner
Read sync errors	Reader	Contributor Owner
Read sync services	Reader	Contributor Owner
View metrics and alerts	Reader	Contributor Owner
View metrics and alerts	Reader	Contributor Owner
View sync service metrics and alerts	Reader	Contributor Owner

Custom domain names

Task	Least privileged role	Additional roles
Manage domains	Domain Name Administrator
Read all configuration	Directory Readers	Default user role

Domain Services

Task	Least privileged role	Additional roles
Create Azure AD Domain Services instance	Application Administrator Groups Administrator Domain Services Contributor
Perform all Azure AD Domain Services tasks	AAD DC Administrators group
Read all configuration	Reader on Azure subscription containing AD DS service

Devices

Task	Least privileged role	Additional roles
Delete device	Cloud Device Administrator	Intune Administrator
Disable device	Cloud Device Administrator	Intune Administrator
Enable device	Cloud Device Administrator	Intune Administrator
Read basic configuration	Default user role
Read BitLocker keys	Cloud Device Administrator	Helpdesk Administrator Intune Administrator Security Administrator Security Reader

Enterprise applications

Task	Least privileged role	Additional roles
Consent to any delegated permissions	Cloud Application Administrator	Application Administrator
Consent to application permissions not including Microsoft Graph	Cloud Application Administrator	Application Administrator
Consent to application permissions to Microsoft Graph	Privileged Role Administrator
Consent to applications accessing own data	Default user role
Create enterprise application	Cloud Application Administrator	Application Administrator
Manage Application Proxy	Application Administrator
Manage user settings	Global Administrator
Read access review of a group or of an app	Security Reader	Security Administrator User Administrator
Read all configuration	Default user role
Update enterprise application assignments	Enterprise application owner	Cloud Application Administrator Application Administrator User Administrator
Update enterprise application owners	Enterprise application owner	Cloud Application Administrator Application Administrator
Update enterprise application properties	Enterprise application owner	Cloud Application Administrator Application Administrator
Update enterprise application provisioning	Enterprise application owner	Cloud Application Administrator Application Administrator
Update enterprise application self-service	Enterprise application owner	Cloud Application Administrator Application Administrator
Update single sign-on properties	Enterprise application owner	Cloud Application Administrator Application Administrator

Entitlement management

Task	Least privileged role	Additional roles
Add resources to a catalog	Identity Governance Administrator	With entitlement management, you can delegate this task to the catalog owner
Add SharePoint Online sites to catalog	SharePoint Administrator

Groups

Task	Least privileged role	Additional roles
Assign license	User Administrator
Create group	Groups Administrator	User Administrator
Create, update, or delete access review of a group or of an app	User Administrator
Manage group expiration	User Administrator
Manage group settings	Groups Administrator	User Administrator
Read all configuration (except hidden membership)	Directory Readers	Default user role
Read hidden membership	Group member	Group owner Password Administrator Exchange Administrator SharePoint Administrator Teams Administrator User Administrator
Read membership of groups with hidden membership	Helpdesk Administrator	User Administrator Teams Administrator
Revoke license	License Administrator	User Administrator
Update group membership	Group owner	User Administrator
Update group owners	Group owner	User Administrator
Update group properties	Group owner	User Administrator
Delete group	Groups Administrator	User Administrator

Identity Protection

Task	Least privileged role	Additional roles
Configure alert notifications	Security Administrator
Configure and enable or disable MFA policy	Security Administrator
Configure and enable or disable sign-in risk policy	Security Administrator
Configure and enable or disable user risk policy	Security Administrator
Configure weekly digests	Security Administrator
Dismiss all risk detections	Security Administrator
Fix or dismiss vulnerability	Security Administrator
Read all configuration	Security Reader
Read all risk detections	Security Reader
Read vulnerabilities	Security Reader

Licenses

Task	Least privileged role	Additional roles
Assign license	License Administrator	User Administrator
Read all configuration	Directory Readers	Default user role
Revoke license	License Administrator	User Administrator
Try or buy subscription	Billing Administrator

Monitoring - Audit logs

Task	Least privileged role	Additional roles
Read audit logs	Reports Reader	Security Reader Security Administrator

Monitoring - Sign-ins

Task	Least privileged role	Additional roles
Read sign-in logs	Reports Reader	Security Reader Security Administrator Global Reader

Multi-factor authentication

Task	Least privileged role	Additional roles
Delete all existing app passwords generated by the selected users	Global Administrator
Disable per-user MFA	Authentication Administrator	Privileged Authentication Administrator
Enable per-user MFA	Authentication Administrator	Privileged Authentication Administrator
Manage MFA service settings	Authentication Policy Administrator
Require selected users to provide contact methods again	Authentication Administrator
Restore multi-factor authentication on all remembered devices	Authentication Administrator

MFA Server

Task	Least privileged role	Additional roles
Block/unblock users	Authentication Policy Administrator
Configure account lockout	Authentication Policy Administrator
Configure caching rules	Authentication Policy Administrator
Configure fraud alert	Authentication Policy Administrator
Configure notifications	Authentication Policy Administrator
Configure one-time bypass	Authentication Policy Administrator
Configure phone call settings	Authentication Policy Administrator
Configure providers	Authentication Policy Administrator
Configure server settings	Authentication Policy Administrator
Read activity report	Global Reader
Read all configuration	Global Reader
Read server status	Global Reader

Organizational relationships

Task	Least privileged role	Additional roles
Manage identity providers	External Identity Provider Administrator
Manage settings	Global Administrator
Manage privacy statement and contact	Global Administrator
Read all configuration	Global Reader

Password reset

Task	Least privileged role	Additional roles
Configure authentication methods	Global Administrator
Configure customization	Global Administrator
Configure notification	Global Administrator
Configure on-premises integration	Global Administrator
Configure password reset properties	User Administrator	Global Administrator
Configure registration	Global Administrator
Read all configuration	Security Administrator	User Administrator

Privileged identity management

Task	Least privileged role	Additional roles
Assign users to roles	Privileged Role Administrator
Configure role settings	Privileged Role Administrator
View audit activity	Security Reader
View role memberships	Security Reader

Roles and administrators

Task	Least privileged role	Additional roles
Manage role assignments	Privileged Role Administrator
Read access review of an Azure AD role	Security Reader	Security Administrator Privileged Role Administrator
Read all configuration	Default user role

Security - Authentication methods

Task	Least privileged role	Additional roles
Configure authentication methods	Global Administrator
Configure password protection	Security Administrator
Configure smart lockout	Security Administrator
Read all configuration	Global Reader

Security - Conditional Access

Task	Least privileged role	Additional roles
Configure MFA trusted IP addresses	Conditional Access Administrator
Create custom controls	Conditional Access Administrator	Security Administrator
Create named locations	Conditional Access Administrator	Security Administrator
Create policies	Conditional Access Administrator	Security Administrator
Create terms of use	Conditional Access Administrator	Security Administrator
Create VPN connectivity certificate	Global Administrator
Delete classic policy	Conditional Access Administrator	Security Administrator
Delete terms of use	Conditional Access Administrator	Security Administrator
Delete VPN connectivity certificate	Conditional Access Administrator	Security Administrator
Disable classic policy	Conditional Access Administrator	Security Administrator
Manage custom controls	Conditional Access Administrator	Security Administrator
Manage named locations	Conditional Access Administrator	Security Administrator
Manage terms of use	Conditional Access Administrator	Security Administrator
Read all configuration	Security Reader	Security Administrator
Read named locations	Security Reader	Conditional Access Administrator Security Administrator

Security - Identity security score

Task	Least privileged role	Additional roles
Read all configuration	Security Reader	Security Administrator
Read security score	Security Reader	Security Administrator
Update event status	Security Administrator

Security - Risky sign-ins

Task	Least privileged role	Additional roles
Read all configuration	Security Reader
Read risky sign-ins	Security Reader

Security - Users flagged for risk

Task	Least privileged role	Additional roles
Dismiss all events	Security Administrator
Read all configuration	Security Reader
Read users flagged for risk	Security Reader

Temporary Access Pass

Task	Least privileged role	Additional roles
Create, delete, or view a Temporary Access Pass for any user (except themselves) and can configure and manage authentication method policy	Global Administrator
Create, delete, or view a Temporary Access Pass for admins or members (except themselves)	Privileged Authentication Administrator
Create, delete, or view a Temporary Access Pass for members (except themselves)	Authentication Administrator
View a Temporary Access Pass details for a user (without reading the code itself)	Global Reader
Configure or update the Temporary Access Pass authentication method policy	Authentication Policy Administrator

Tenant Creation

Task	Least privileged role	Additional roles
Create Azure AD or Azure AD B2C Tenant	Tenant Creator	Global Administrator

Users

Task	Least privileged role	Additional roles
Add user to directory role	Privileged Role Administrator
Add user to group	User Administrator
Assign license	License Administrator	User Administrator
Create guest user	Guest Inviter	User Administrator
Reset guest user invite	User Administrator	Global Administrator
Create user	User Administrator
Delete users	User Administrator
Invalidate refresh tokens of limited admins	User Administrator
Invalidate refresh tokens of non-admins	Helpdesk Administrator	User Administrator
Invalidate refresh tokens of privileged admins	Privileged Authentication Administrator
Read basic configuration	Default user role
Reset password for limited admins	User Administrator
Reset password of non-admins	Password Administrator	User Administrator
Reset password of privileged admins	Privileged Authentication Administrator
Revoke license	License Administrator	User Administrator
Update all properties except User Principal Name	User Administrator
Update User Principal Name for limited admins	User Administrator
Update User Principal Name property on privileged admins	Global Administrator
Update user settings	Global Administrator
Update Authentication methods	Authentication Administrator	Privileged Authentication Administrator Global Administrator

Support

Task	Least privileged role	Additional roles
Submit support ticket	Service Support Administrator	Application Administrator Azure Information Protection Administrator Billing Administrator Cloud Application Administrator Compliance Administrator Dynamics 365 Administrator Desktop Analytics Administrator Exchange Administrator Intune Administrator Password Administrator Power BI Administrator Privileged Authentication Administrator SharePoint Administrator Skype for Business Administrator Teams Administrator Teams Communications Administrator User Administrator