Roles you can't manage in Privileged Identity Management

You can manage just-in-time assignments to all Microsoft Entra roles and all Azure roles using Privileged Identity Management (PIM) in Microsoft Entra ID. Azure roles include built-in and custom roles attached to your management groups, subscriptions, resource groups, and resources. However, there are a few roles that you can't manage. This article describes the roles you can't manage in Privileged Identity Management.

Classic subscription administrator roles

You cannot manage the following classic subscription administrator roles in Privileged Identity Management:

  • Account Administrator
  • Service Administrator
  • Co-Administrator

For more information about the classic subscription administrator roles, see Azure roles, Microsoft Entra roles, and classic subscription administrator roles.

What about Microsoft 365 admin roles?

We support all Microsoft 365 roles in the Microsoft Entra roles and Administrators portal experience, such as Exchange Administrator and SharePoint Administrator, but we don't support specific roles within Exchange RBAC or SharePoint RBAC. For more information about these Microsoft 365 services, see Microsoft 365 admin roles.


For information about delays activating the Microsoft Entra Joined Device Local Administrator role, see How to manage the local administrators group on Microsoft Entra joined devices.

Next steps