Microsoft Entra built-in roles
In Microsoft Entra ID, if another administrator or non-administrator needs to manage Microsoft Entra resources, you assign them a Microsoft Entra role that provides the permissions they need. For example, you can assign roles to allow adding or changing users, resetting user passwords, managing user licenses, or managing domain names.
The following is a list of Microsoft Entra built-in roles and is not an exhaustive representation.
- Application Administrator [PRIVILEGED]
- Application Developer [PRIVILEGED]
- Attribute Assignment Administrator
- Attribute Assignment Reader
- Attribute Definition Administrator
- Attribute Definition Reader
- Attribute Log Administrator
- Attribute Log Reader
- Authentication Administrator [PRIVILEGED]
- Authentication Policy Administrator
Application Administrator
This is a privileged role. Users in this role can create and manage all aspects of enterprise applications, application registrations, and application proxy settings. Note that users assigned to this role are not added as owners when creating new application registrations or enterprise applications.
This role also grants the ability to consent for delegated permissions and application permissions, with the exception of application permissions for Microsoft Graph.
Important
This exception means that you can still consent to application permissions for other apps (for example, non-Microsoft apps or apps that you have registered). You can still request these permissions as part of the app registration, but granting (that is, consenting to) these permissions requires a more privileged administrator, such as Global Administrator.
This role grants the ability to manage application credentials. Users assigned this role can add credentials to an application, and use those credentials to impersonate the application’s identity. If the application’s identity has been granted access to a resource, such as the ability to create or update User or other objects, then a user assigned to this role could perform those actions while impersonating the application. This ability to impersonate the application’s identity may be an elevation of privilege over what the user can do via their role assignments. It is important to understand that assigning a user to the Application Administrator role gives them the ability to impersonate an application’s identity.
Actions | Description |
---|---|
microsoft.directory/adminConsentRequestPolicy/allProperties/allTasks | Manage admin consent request policies in Microsoft Entra ID |
microsoft.directory/appConsent/appConsentRequests/allProperties/read | Read all properties of consent requests for applications registered with Microsoft Entra ID |
microsoft.directory/applications/create | Create all types of applications |
microsoft.directory/applications/delete | Delete all types of applications |
microsoft.directory/applications/applicationProxy/read | Read all application proxy properties |
microsoft.directory/applications/applicationProxy/update | Update all application proxy properties |
microsoft.directory/applications/applicationProxyAuthentication/update | Update authentication on all types of applications |
microsoft.directory/applications/applicationProxySslCertificate/update | Update SSL certificate settings for application proxy |
microsoft.directory/applications/applicationProxyUrlSettings/update | Update URL settings for application proxy |
microsoft.directory/applications/appRoles/update | Update the appRoles property on all types of applications |
microsoft.directory/applications/audience/update | Update the audience property for applications |
microsoft.directory/applications/authentication/update | Update authentication on all types of applications |
microsoft.directory/applications/basic/update | Update basic properties for applications |
microsoft.directory/applications/credentials/update | Update application credentials [PRIVILEGED] |
microsoft.directory/applications/extensionProperties/update | Update extension properties on applications |
microsoft.directory/applications/notes/update | Update notes of applications |
microsoft.directory/applications/owners/update | Update owners of applications |
microsoft.directory/applications/permissions/update | Update exposed permissions and required permissions on all types of applications |
microsoft.directory/applications/policies/update | Update policies of applications |
microsoft.directory/applications/tag/update | Update tags of applications |
microsoft.directory/applications/verification/update | Update applicationsverification property |
microsoft.directory/applications/synchronization/standard/read | Read provisioning settings associated with the application object |
microsoft.directory/applicationTemplates/instantiate | Instantiate gallery applications from application templates |
microsoft.directory/auditLogs/allProperties/read | Read all properties on audit logs, excluding custom security attributes audit logs |
microsoft.directory/connectors/create | Create application proxy connectors |
microsoft.directory/connectors/allProperties/read | Read all properties of application proxy connectors |
microsoft.directory/connectorGroups/create | Create application proxy connector groups |
microsoft.directory/connectorGroups/delete | Delete application proxy connector groups |
microsoft.directory/connectorGroups/allProperties/read | Read all properties of application proxy connector groups |
microsoft.directory/connectorGroups/allProperties/update | Update all properties of application proxy connector groups |
microsoft.directory/customAuthenticationExtensions/allProperties/allTasks | Create and manage custom authentication extensions [PRIVILEGED] |
microsoft.directory/deletedItems.applications/delete | Permanently delete applications, which can no longer be restored |
microsoft.directory/deletedItems.applications/restore | Restore soft deleted applications to original state |
microsoft.directory/oAuth2PermissionGrants/allProperties/allTasks | Create and delete OAuth 2.0 permission grants, and read and update all properties [PRIVILEGED] |
microsoft.directory/applicationPolicies/create | Create application policies |
microsoft.directory/applicationPolicies/delete | Delete application policies |
microsoft.directory/applicationPolicies/standard/read | Read standard properties of application policies |
microsoft.directory/applicationPolicies/owners/read | Read owners on application policies |
microsoft.directory/applicationPolicies/policyAppliedTo/read | Read application policies applied to objects list |
microsoft.directory/applicationPolicies/basic/update | Update standard properties of application policies |
microsoft.directory/applicationPolicies/owners/update | Update the owner property of application policies |
microsoft.directory/provisioningLogs/allProperties/read | Read all properties of provisioning logs |
microsoft.directory/servicePrincipals/create | Create service principals |
microsoft.directory/servicePrincipals/delete | Delete service principals |
microsoft.directory/servicePrincipals/disable | Disable service principals |
microsoft.directory/servicePrincipals/enable | Enable service principals |
microsoft.directory/servicePrincipals/getPasswordSingleSignOnCredentials | Manage password single sign-on credentials on service principals |
microsoft.directory/servicePrincipals/synchronizationCredentials/manage | Manage application provisioning secrets and credentials |
microsoft.directory/servicePrincipals/synchronizationJobs/manage | Start, restart, and pause application provisioning synchronization jobs |
microsoft.directory/servicePrincipals/synchronizationSchema/manage | Create and manage application provisioning synchronization jobs and schema |
microsoft.directory/servicePrincipals/synchronization.cloudTenantToExternalSystem/credentials/manage | Manage application provisioning secrets and credentials. |
microsoft.directory/servicePrincipals/synchronization.cloudTenantToExternalSystem/jobs/manage | Start, restart, and pause application provisioning synchronization jobs. |
microsoft.directory/servicePrincipals/synchronization.cloudTenantToExternalSystem/schema/manage | Create and manage application provisioning synchronization jobs and schema. |
microsoft.directory/servicePrincipals/managePasswordSingleSignOnCredentials | Read password single sign-on credentials on service principals |
microsoft.directory/servicePrincipals/managePermissionGrantsForAll.microsoft-application-admin | Grant consent for application permissions and delegated permissions on behalf of any user or all users, except for application permissions for Microsoft Graph |
microsoft.directory/servicePrincipals/appRoleAssignedTo/update | Update service principal role assignments |
microsoft.directory/servicePrincipals/audience/update | Update audience properties on service principals |
microsoft.directory/servicePrincipals/authentication/update | Update authentication properties on service principals |
microsoft.directory/servicePrincipals/basic/update | Update basic properties on service principals |
microsoft.directory/servicePrincipals/credentials/update | Update credentials of service principals [PRIVILEGED] |
microsoft.directory/servicePrincipals/notes/update | Update notes of service principals |
microsoft.directory/servicePrincipals/owners/update | Update owners of service principals |
microsoft.directory/servicePrincipals/permissions/update | Update permissions of service principals |
microsoft.directory/servicePrincipals/policies/update | Update policies of service principals |
microsoft.directory/servicePrincipals/tag/update | Update the tag property for service principals |
microsoft.directory/servicePrincipals/synchronization/standard/read | Read provisioning settings associated with your service principal |
microsoft.directory/signInReports/allProperties/read | Read all properties on sign-in reports, including privileged properties |
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health |
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets |
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests |
microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
Application Developer
This is a privileged role. Users in this role can create application registrations when the "Users can register applications" setting is set to No. This role also grants permission to consent on one's own behalf when the "Users can consent to apps accessing company data on their behalf" setting is set to No. Users assigned to this role are added as owners when creating new application registrations.
Actions | Description |
---|---|
microsoft.directory/applications/createAsOwner | Create all types of applications, and creator is added as the first owner |
microsoft.directory/oAuth2PermissionGrants/createAsOwner | Create OAuth 2.0 permission grants, with creator as the first owner [PRIVILEGED] |
microsoft.directory/servicePrincipals/createAsOwner | Create service principals, with creator as the first owner |
Attribute Assignment Administrator
Users with this role can assign and remove custom security attribute keys and values for supported Microsoft Entra objects such as users, service principals, and devices.
By default, Global Administrator and other administrator roles do not have permissions to read, define, or assign custom security attributes. To work with custom security attributes, you must be assigned one of the custom security attribute roles.
Actions | Description |
---|---|
microsoft.directory/azureManagedIdentities/customSecurityAttributes/read | Read custom security attribute values for Microsoft Entra managed identities |
microsoft.directory/azureManagedIdentities/customSecurityAttributes/update | Update custom security attribute values for Microsoft Entra managed identities |
microsoft.directory/attributeSets/allProperties/read | Read all properties of attribute sets |
microsoft.directory/customSecurityAttributeDefinitions/allProperties/read | Read all properties of custom security attribute definitions |
microsoft.directory/devices/customSecurityAttributes/read | Read custom security attribute values for devices |
microsoft.directory/devices/customSecurityAttributes/update | Update custom security attribute values for devices |
microsoft.directory/servicePrincipals/customSecurityAttributes/read | Read custom security attribute values for service principals |
microsoft.directory/servicePrincipals/customSecurityAttributes/update | Update custom security attribute values for service principals |
microsoft.directory/users/customSecurityAttributes/read | Read custom security attribute values for users |
microsoft.directory/users/customSecurityAttributes/update | Update custom security attribute values for users |
Attribute Assignment Reader
Users with this role can read custom security attribute keys and values for supported Microsoft Entra objects.
By default, Global Administrator and other administrator roles do not have permissions to read, define, or assign custom security attributes. To work with custom security attributes, you must be assigned one of the custom security attribute roles.
Actions | Description |
---|---|
microsoft.directory/attributeSets/allProperties/read | Read all properties of attribute sets |
microsoft.directory/azureManagedIdentities/customSecurityAttributes/read | Read custom security attribute values for Microsoft Entra managed identities |
microsoft.directory/customSecurityAttributeDefinitions/allProperties/read | Read all properties of custom security attribute definitions |
microsoft.directory/devices/customSecurityAttributes/read | Read custom security attribute values for devices |
microsoft.directory/servicePrincipals/customSecurityAttributes/read | Read custom security attribute values for service principals |
microsoft.directory/users/customSecurityAttributes/read | Read custom security attribute values for users |
Attribute Definition Administrator
Users with this role can define a valid set of custom security attributes that can be assigned to supported Microsoft Entra objects. This role can also activate and deactivate custom security attributes.
By default, Global Administrator and other administrator roles do not have permissions to read, define, or assign custom security attributes. To work with custom security attributes, you must be assigned one of the custom security attribute roles.
Actions | Description |
---|---|
microsoft.directory/attributeSets/allProperties/allTasks | Manage all aspects of attribute sets |
microsoft.directory/customSecurityAttributeDefinitions/allProperties/allTasks | Manage all aspects of custom security attribute definitions |
Attribute Definition Reader
Users with this role can read the definition of custom security attributes.
By default, Global Administrator and other administrator roles do not have permissions to read, define, or assign custom security attributes. To work with custom security attributes, you must be assigned one of the custom security attribu
Actions | Description |
---|---|
microsoft.directory/attributeSets/allProperties/read | Read all properties of attribute sets |
microsoft.directory/customSecurityAttributeDefinitions/allProperties/read | Read all properties of custom security attribute definitions |
Attribute Log Administrator
Assign the Attribute Log Reader role to users who need to do the following tasks:
- Read audit logs for custom security attribute value changes
- Read audit logs for custom security attribute definition changes and assignments
- Configure diagnostic settings for custom security attributes
Users with this role cannot read audit logs for other events.
By default, Global Administrator and other administrator roles do not have permissions to read audit logs for custom security attributes. To read audit logs for custom security attributes, you must be assigned this role or the Attribute Log Reader role.
Actions | Description |
---|---|
microsoft.directory/customSecurityAttributeAuditLogs/allProperties/read | Read audit logs related to custom security attributes |
microsoft.azure.customSecurityAttributeDiagnosticSettings/allEntities/allProperties/allTasks | Configure all aspects of custom security attributes diagnostic settings |
Attribute Log Reader
Assign the Attribute Log Reader role to users who need to do the following tasks:
- Read audit logs for custom security attribute value changes
- Read audit logs for custom security attribute definition changes and assignments
Users with this role cannot do the following tasks:
- Configure diagnostic settings for custom security attributes
- Read audit logs for other events
By default, Global Administrator and other administrator roles do not have permissions to read audit logs for custom security attributes. To read audit logs for custom security attributes, you must be assigned this role or the Attribute Log Administrator role.
Actions | Description |
---|---|
microsoft.directory/customSecurityAttributeAuditLogs/allProperties/read | Read audit logs related to custom security attributes |
Authentication Administrator
This is a privileged role. Assign the Authentication Administrator role to users who need to do the following:
- Set or reset any authentication method (including passwords) for non-administrators and some roles. For a list of the roles that an Authentication Administrator can read or update authentication methods, see Who can reset passwords.
- Require users who are non-administrators or assigned to some roles to re-register against existing non-password credentials (for example, MFA or FIDO), and can also revoke remember MFA on the device, which prompts for MFA on the next sign-in.
- Perform sensitive actions for some users. For more information, see Who can perform sensitive actions.
- Create and manage support tickets in Azure and the Microsoft 365 admin center.
Users with this role cannot do the following:
- Cannot change the credentials or reset MFA for members and owners of a role-assignable group.
- Cannot manage MFA settings in the legacy MFA management portal or Hardware OATH tokens.
The following table compares the capabilities of authentication-related roles.
Role | Manage user's auth methods | Manage per-user MFA | Manage MFA settings | Manage auth method policy | Manage password protection policy | Update sensitive properties | Delete and restore users |
---|---|---|---|---|---|---|---|
Authentication Administrator | Yes for some users | Yes for some users | No | No | No | Yes for some users | Yes for some users |
Privileged Authentication Administrator | Yes for all users | Yes for all users | No | No | No | Yes for all users | Yes for all users |
Authentication Policy Administrator | No | No | Yes | Yes | Yes | No | No |
User Administrator | No | No | No | No | No | Yes for some users | Yes for some users |
Important
Users with this role can change credentials for people who may have access to sensitive or private information or critical configuration inside and outside of Microsoft Entra ID. Changing the credentials of a user may mean the ability to assume that user's identity and permissions. For example:
- Application Registration and Enterprise Application owners, who can manage credentials of apps they own. Those apps may have privileged permissions in Microsoft Entra ID and elsewhere not granted to Authentication Administrators. Through this path an Authentication Administrator can assume the identity of an application owner and then further assume the identity of a privileged application by updating the credentials for the application.
- Azure subscription owners, who may have access to sensitive or private information or critical configuration in Azure.
- Security Group and Microsoft 365 group owners, who can manage group membership. Those groups may grant access to sensitive or private information or critical configuration in Microsoft Entra ID and elsewhere.
- Administrators in other services outside of Microsoft Entra ID like Exchange Online, Microsoft 365 Defender portal, Microsoft Purview compliance portal, and human resources systems.
- Non-administrators like executives, legal counsel, and human resources employees who may have access to sensitive or private information.
Actions | Description |
---|---|
microsoft.directory/users/authenticationMethods/create | Update authentication methods for users |
microsoft.directory/users/authenticationMethods/delete | Delete authentication methods for users [PRIVILEGED] |
microsoft.directory/users/authenticationMethods/standard/restrictedRead | Read standard properties of authentication methods that do not include personally identifiable information for users |
microsoft.directory/users/authenticationMethods/basic/update | Update basic properties of authentication methods for users [PRIVILEGED] |
microsoft.directory/deletedItems.users/restore | Restore soft deleted users to original state |
microsoft.directory/users/delete | Delete users [PRIVILEGED] |
microsoft.directory/users/disable | Disable users [PRIVILEGED] |
microsoft.directory/users/enable | Enable users [PRIVILEGED] |
microsoft.directory/users/invalidateAllRefreshTokens | Force sign-out by invalidating user refresh tokens [PRIVILEGED] |
microsoft.directory/users/restore | Restore deleted users |
microsoft.directory/users/basic/update | Update basic properties on users |
microsoft.directory/users/manager/update | Update manager for users |
microsoft.directory/users/password/update | Reset passwords for all users [PRIVILEGED] |
microsoft.directory/users/userPrincipalName/update | Update User Principal Name of users [PRIVILEGED] |
microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health |
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets |
microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests |
microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
Authentication Policy Administrator
Assign the Authentication Policy Administrator role to users who need to do the following:
- Configure the authentication methods policy, tenant-wide MFA settings, and password protection policy that determine which methods each user can register and use.
- Manage Password Protection settings: smart lockout configurations and updating the custom banned passwords list.
- Create and manage verifiable credentials.
- Create and manage Azure support tickets.
Users with this role cannot do the following:
- Cannot update sensitive properties. For more information, see Who can perform sensitive actions.
- Cannot delete or restore users. For more information, see Who can perform sensitive actions.
- Cannot manage MFA settings in the legacy MFA management portal or Hardware OATH tokens.
The following table compares the capabilities of authentication-related roles.
Role | Manage user's auth methods | Manage per-user MFA | Manage MFA settings | Manage auth method policy | Manage password protection policy | Update sensitive properties | Delete and restore users |
---|---|---|---|---|---|---|---|
Authentication Administrator | Yes for some users | Yes for some users | No | No | No | Yes for some users | Yes for some users |
Privileged Authentication Administrator | Yes for all users | Yes for all users | No | No | No | Yes for all users | Yes for all users |
Authentication Policy Administrator | No | No | Yes | Yes | Yes | No | No |
User Administrator | No | No | No | No | No | Yes for some users | Yes for some users |
Actions | Description |
---|---|
microsoft.directory/organization/strongAuthentication/allTasks | Manage all aspects of strong authentication properties of an organization |
microsoft.directory/userCredentialPolicies/create | Create credential policies for users |
microsoft.directory/userCredentialPolicies/delete | Delete credential policies for users |
microsoft.directory/userCredentialPolicies/standard/read | Read standard properties of credential policies for users |
microsoft.directory/userCredentialPolicies/owners/read | Read owners of credential policies for users |
microsoft.directory/userCredentialPolicies/policyAppliedTo/read | Read policy.appliesTo navigation link |
microsoft.directory/userCredentialPolicies/basic/update | Update basic policies for users |
microsoft.directory/userCredentialPolicies/owners/update | Update owners of credential policies for users |
microsoft.directory/userCredentialPolicies/tenantDefault/update | Update policy.isOrganizationDefault property |
microsoft.directory/verifiableCredentials/configuration/contracts/cards/allProperties/read | Read a verifiable credential card |
microsoft.directory/verifiableCredentials/configuration/contracts/cards/revoke | Revoke a verifiable credential card |
microsoft.directory/verifiableCredentials/configuration/contracts/create | Create a verifiable credential contract |
microsoft.directory/verifiableCredentials/configuration/contracts/allProperties/read | Read a verifiable credential contract |
microsoft.directory/verifiableCredentials/configuration/contracts/allProperties/update | Update a verifiable credential contract |
microsoft.directory/verifiableCredentials/configuration/create | Create configuration required to create and manage verifiable credentials |
microsoft.directory/verifiableCredentials/configuration/delete | Delete configuration required to create and manage verifiable credentials and delete all of its verifiable credentials |
microsoft.directory/verifiableCredentials/configuration/allProperties/read | Read configuration required to create and manage verifiable credentials |
microsoft.directory/verifiableCredentials/configuration/allProperties/update | Update configuration required to create and manage verifiable credentials |
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets |