Roles for Microsoft 365 services in Azure Active Directory

All products in Microsoft 365 can be managed with administrative roles in Azure Active Directory (Azure AD). Some products also provide additional roles that are specific to that product. For information on the roles supported by each product, see the table below. For guidelines about role security planning, see Securing privileged access for hybrid and cloud deployments in Azure AD.

Where to find content

| Microsoft 365 service | Role content | API content |
| --- | --- | --- |
| Admin roles in Office 365 and Microsoft 365 business plans | Microsoft 365 admin roles | Not available |
| Azure Active Directory (Azure AD) and Azure AD Identity Protection | Azure AD built-in roles | Graph API; Fetch role assignments |
| Exchange Online | Exchange role-based access control | PowerShell for Exchange; Fetch role assignments |
| SharePoint Online | Azure AD built-in roles; also About the SharePoint admin role in Microsoft 365 | Graph API; Fetch role assignments |
| Teams/Skype for Business | Azure AD built-in roles | Graph API; Fetch role assignments |
| Security & Compliance Center (Office 365 Advanced Threat Protection, Exchange Online Protection, Information Protection) | Office 365 admin roles | Exchange PowerShell; Fetch role assignments |
| Secure Score | Azure AD built-in roles | Graph API; Fetch role assignments |
| Compliance Manager | Compliance Manager roles | Not available |
| Azure Information Protection | Azure AD built-in roles | Graph API; Fetch role assignments |
| Microsoft Defender for Cloud Apps | Role-based access control | API reference |
| Azure Advanced Threat Protection | Azure ATP role groups | Not available |
| Windows Defender Advanced Threat Protection | Windows Defender ATP role-based access control | Not available |
| Privileged Identity Management | Azure AD built-in roles | Graph API; Fetch role assignments |
| Intune | Intune role-based access control | Graph API; Fetch role assignments |
| Managed Desktop | Azure AD built-in roles | Graph API; Fetch role assignments |

Next steps