Least privileged roles by task in Microsoft Entra ID
In this article, you can find the information needed to restrict a user's administrator permissions by assigning least privileged roles in Microsoft Entra ID. You will find tasks organized by feature area and the least privileged role required to perform each task, along with additional non-Global Administrator roles that can perform the task.
You can further restrict permissions by assigning roles at smaller scopes or by creating your own custom roles. For more information, see Assign Microsoft Entra roles at different scopes or Create and assign a custom role in Microsoft Entra ID.
Task | Least privileged role | Additional roles |
---|---|---|
Configure application proxy app | Application Administrator | |
Configure connector group properties | Application Administrator | |
Create application registration when ability is disabled for all users | Application Developer | Cloud Application Administrator Application Administrator |
Create connector group | Application Administrator | |
Delete connector group | Application Administrator | |
Disable application proxy | Application Administrator | |
Download connector service | Application Administrator | |
Read all configuration | Application Administrator |
Note
Azure AD B2C Global Administrators do not have the same permissions as Microsoft Entra Global Administrators. If you have Azure AD B2C Global Administrator privileges, make sure that you are in an Azure AD B2C directory and not a Microsoft Entra directory.
Task | Least privileged role | Additional roles |
---|---|---|
Configure company branding | Organizational Branding Administrator | |
Read all configuration | Directory Readers | Default user role |
Task | Least privileged role | Additional roles |
---|---|---|
Passthrough authentication | Hybrid Identity Administrator | |
Read all configuration | Global Reader | Hybrid Identity Administrator |
Seamless single sign-on | Hybrid Identity Administrator |
Task | Least privileged role | Additional roles |
---|---|---|
Manage on-premises directory synchronization | Hybrid Identity Administrator |
Task | Least privileged role | Additional roles |
---|---|---|
Passthrough authentication | Hybrid Identity Administrator | |
Read all configuration | Global Reader | Hybrid Identity Administrator |
Seamless single sign-on | Hybrid Identity Administrator |
Task | Least privileged role | Additional roles |
---|---|---|
Add or delete services | Owner | |
Apply fixes to sync error | Contributor | Owner |
Configure notifications | Contributor | Owner |
Configure settings | Owner | |
Configure sync notifications | Contributor | Owner |
Read ADFS security reports | Security Reader | Contributor Owner |
Read all configuration | Reader | Contributor Owner |
Read sync errors | Reader | Contributor Owner |
Read sync services | Reader | Contributor Owner |
View metrics and alerts | Reader | Contributor Owner |
View metrics and alerts | Reader | Contributor Owner |
View sync service metrics and alerts | Reader | Contributor Owner |
Task | Least privileged role | Additional roles |
---|---|---|
Manage domains | Domain Name Administrator | |
Read all configuration | Directory Readers | Default user role |
Task | Least privileged role | Additional roles |
---|---|---|
Create Microsoft Entra Domain Services instance | Application Administrator Groups Administrator Domain Services Contributor |
|
Perform all Microsoft Entra Domain Services tasks | AAD DC Administrators group | |
Read all configuration | Reader on Azure subscription containing AD DS service |
Task | Least privileged role | Additional roles |
---|---|---|
Delete device | Cloud Device Administrator | Intune Administrator |
Disable device | Cloud Device Administrator | Intune Administrator |
Enable device | Cloud Device Administrator | Intune Administrator |
Read basic configuration | Default user role | |
Read BitLocker keys | Cloud Device Administrator | Helpdesk Administrator Intune Administrator Security Administrator Security Reader |
Task | Least privileged role | Additional roles |
---|---|---|
Add resources to a catalog | Identity Governance Administrator | With entitlement management, you can delegate this task to the catalog owner |
Add SharePoint Online sites to catalog | SharePoint Administrator |
Task | Least privileged role | Additional roles |
---|---|---|
Assign license | User Administrator | |
Create group | Groups Administrator | User Administrator |
Create, update, or delete access review of a group or of an app | User Administrator | |
Manage group expiration | User Administrator | |
Manage group settings | Groups Administrator | User Administrator |
Read all configuration (except hidden membership) | Directory Readers | Default user role |
Read hidden membership | Group member | Group owner Password Administrator Exchange Administrator SharePoint Administrator Teams Administrator User Administrator |
Read membership of groups with hidden membership | Helpdesk Administrator | User Administrator Teams Administrator |
Revoke license | License Administrator | User Administrator |
Update dynamic membership groups | Group owner | User Administrator |
Update group owners | Group owner | User Administrator |
Update group properties | Group owner | User Administrator |
Delete group | Groups Administrator | User Administrator |
Task | Least privileged role | Additional roles |
---|---|---|
Assign license | License Administrator | User Administrator |
Read all configuration | Directory Readers | Default user role |
Revoke license | License Administrator | User Administrator |
Try or buy subscription | Billing Administrator |
Task | Least privileged role | Additional roles |
---|---|---|
View scenario monitoring signals | Reports Reader | Security Reader Security Operator Security Administrator Helpdesk Administrator Global Reader |
Task | Least privileged role | Additional roles |
---|---|---|
Configure alert notifications | Security Administrator | |
Configure and enable or disable MFA policy | Security Administrator | |
Configure and enable or disable sign-in risk policy | Security Administrator | |
Configure and enable or disable user risk policy | Security Administrator | |
Configure weekly digests | Security Administrator | |
Dismiss all risk detections | Security Administrator | |
Fix or dismiss vulnerability | Security Administrator | |
Read all configuration | Security Reader | |
Read all risk detections | Security Reader | |
Read vulnerabilities | Security Reader |
Task | Least privileged role | Additional roles |
---|---|---|
Read audit logs | Reports Reader | Application Administrator Cloud Application Administrator Cloud Device Administrator Global Secure Access Administrator Hybrid Identity Administrator Security Administrator Security Operator Security Reader |
Task | Least privileged role | Additional roles |
---|---|---|
Read sign-in logs | Reports Reader | Application Administrator Cloud Application Administrator Cloud Device Administrator Hybrid Identity Administrator Security Administrator Security Operator Security Reader |
Task | Least privileged role | Additional roles |
---|---|---|
Delete all existing app passwords generated by the selected users | Authentication Policy Administrator | Authentication Administrator |
Disable per-user MFA | Authentication Administrator | Privileged Authentication Administrator |
Enable per-user MFA | Authentication Administrator | Privileged Authentication Administrator |
Manage MFA service settings | Authentication Policy Administrator | |
Require selected users to provide contact methods again | Authentication Administrator | |
Restore multifactor authentication on all remembered devices | Authentication Administrator |
Task | Least privileged role | Additional roles |
---|---|---|
Block/unblock users | Authentication Policy Administrator | |
Configure account lockout | Authentication Policy Administrator | |
Configure caching rules | Authentication Policy Administrator | |
Configure fraud alert | Authentication Policy Administrator | |
Configure notifications | Authentication Policy Administrator | |
Configure one-time bypass | Authentication Policy Administrator | |
Configure phone call settings | Authentication Policy Administrator | |
Configure providers | Authentication Policy Administrator | |
Configure server settings | Authentication Policy Administrator | |
Read activity report | Global Reader | |
Read all configuration | Global Reader | |
Read server status | Global Reader |
Task | Least privileged role | Additional roles |
---|---|---|
Manage identity providers | External Identity Provider Administrator | |
Read all configuration | Global Reader |
Task | Least privileged role | Additional roles |
---|---|---|
Configure authentication methods | Authentication Policy Administrator | |
Configure customization | Authentication Policy Administrator | |
Configure notification | Authentication Policy Administrator | |
Configure on-premises integration | Authentication Policy Administrator | |
Configure password reset properties | User Administrator | Authentication Policy Administrator |
Configure registration | Authentication Policy Administrator | |
Read all configuration | Security Administrator | User Administrator |
What's Microsoft Entra Permissions Management
Task | Least privileged role | Additional roles |
---|---|---|
Tenant onboarding | Permissions Management Administrator | |
Onboard cloud environments | Permissions Management Administrator | |
Assign permissions in Microsoft Entra Permissions Management | Permissions Management Administrator | |
Start trial and buy Microsoft Entra Permissions Management licenses | Billing Administrator |
Task | Least privileged role | Additional roles |
---|---|---|
Assign users to roles | Privileged Role Administrator | |
Configure role settings | Privileged Role Administrator | |
View audit activity | Security Reader | |
View role memberships | Security Reader |
Task | Least privileged role | Additional roles |
---|---|---|
Manage role assignments | Privileged Role Administrator | |
Read access review of a Microsoft Entra role | Security Reader | Security Administrator Privileged Role Administrator |
Read all configuration | Default user role |
Task | Least privileged role | Additional roles |
---|---|---|
Enable or disable authentication methods | Authentication Policy Administrator | |
View, provision on behalf of, and manage individual user authentication methods | Authentication Administrator | Privileged Authentication Administrator |
Configure password protection | Security Administrator | |
Configure smart lockout | Security Administrator | |
Read all configuration | Global Reader |
Task | Least privileged role | Additional roles |
---|---|---|
Read all configuration | Security Reader | Security Administrator |
Read security score | Security Reader | Security Administrator |
Update event status | Security Administrator |
Task | Least privileged role | Additional roles |
---|---|---|
Read all configuration | Security Reader | |
Read risky sign-ins | Security Reader |
Task | Least privileged role | Additional roles |
---|---|---|
Dismiss all events | Security Administrator | |
Read all configuration | Security Reader | |
Read users flagged for risk | Security Reader |
Task | Least privileged role | Additional roles |
---|---|---|
Create, delete, or view a Temporary Access Pass for admins or members (except themselves) | Privileged Authentication Administrator | |
Create, delete, or view a Temporary Access Pass for members (except themselves) | Authentication Administrator | |
View a Temporary Access Pass details for a user (without reading the code itself) | Global Reader | |
Configure or update the Temporary Access Pass authentication method policy | Authentication Policy Administrator |
Task | Least privileged role | Additional roles |
---|---|---|
Create Microsoft Entra ID or Azure AD B2C Tenant | Tenant Creator | |
Update Microsoft Entra tenant properties | Billing Administrator | |
Manage privacy statement and contact | Billing Administrator |