Cuir in eagar

Comhroinn trí


Roles across Microsoft services

Services in Microsoft 365 can be managed with administrative roles in Microsoft Entra ID. Some services also provide additional roles that are specific to that service. This article lists content, API references, and audit and monitoring references related to role-based access control (RBAC) for Microsoft 365 and other services.

Microsoft Entra

Microsoft Entra ID and related services in Microsoft Entra.

Microsoft Entra ID

Area Content
Overview Microsoft Entra built-in roles
Management API reference Microsoft Entra roles
Microsoft Graph v1.0 roleManagement API
• Use directory provider
• When role is assigned to a group, manage group memberships with the Microsoft Graph v1.0 groups API
Audit and monitoring reference Microsoft Entra roles
Microsoft Entra activity log overview
API access to Microsoft Entra audit logs:
Microsoft Graph v1.0 directoryAudit API
• Audits with RoleManagement category
• When a role is assigned to a group, to audit changes to group memberships, see audits with category GroupManagement and activities Add member to group and Remove member from group

Entitlement management

Area Content
Overview Entitlement management roles
Management API reference Entitlement Management-specific roles in Microsoft Entra ID
Microsoft Graph v1.0 roleManagement API
• Use directory provider
• See roles with permissions starting with: microsoft.directory/entitlementManagement

Entitlement Management-specific roles
Microsoft Graph v1.0 roleManagement API
• Use entitlementManagement provider
Audit and monitoring reference Entitlement Management-specific roles in Microsoft Entra ID
Microsoft Entra activity log overview
API access to Microsoft Entra audit logs:
Microsoft Graph v1.0 directoryAudit API
• Audits with RoleManagement category

Entitlement Management-specific roles
In Microsoft Entra audit log, with category EntitlementManagement and Activity is one of:
Remove Entitlement Management role assignment
Add Entitlement Management role assignment

Microsoft 365

Services in the Microsoft 365 suite.

Exchange

Area Content
Overview Permissions in Exchange Online
Management API reference Exchange-specific roles in Microsoft Entra ID
Microsoft Graph v1.0 roleManagement API
• Use directory provider
• Roles with permissions starting with: microsoft.office365.exchange

Exchange-specific roles
Microsoft Graph Beta roleManagement API
• Use exchange provider
Audit and monitoring reference Exchange-specific roles in Microsoft Entra ID
Microsoft Entra activity log overview
API access to Microsoft Entra audit logs:
Microsoft Graph v1.0 directoryAudit API
• Audits with RoleManagement category

Exchange-specific roles
Use the Microsoft Graph Beta Security API (audit log query) and list audit events where recordType == ExchangeAdmin and Operation is one of:
Add-RoleGroupMember, Remove-RoleGroupMember, Update-RoleGroupMember, New-RoleGroup, Remove-RoleGroup, New-ManagementRole, Remove-ManagementRoleEntry, New-ManagementRoleAssignment

SharePoint

Includes SharePoint, OneDrive, Delve, Lists, Project Online, and Loop.

Area Content
Overview About the SharePoint Administrator role in Microsoft 365
Delve for admins
Control settings for Microsoft Lists
Change permission management in Project Online
Management API reference SharePoint-specific roles in Microsoft Entra ID
Microsoft Graph v1.0 roleManagement API
• Use directory provider
• Roles with permissions starting with: microsoft.office365.sharepoint
Audit and monitoring reference SharePoint-specific roles in Microsoft Entra ID
Microsoft Entra activity log overview
API access to Microsoft Entra audit logs:
Microsoft Graph v1.0 directoryAudit API
• Audits with RoleManagement category

Intune

Area Content
Overview Role-based access control (RBAC) with Microsoft Intune
Management API reference Intune-specific roles in Microsoft Entra ID
Microsoft Graph v1.0 roleManagement API
• Use directory provider
• Roles with permissions starting with: microsoft.intune

Intune-specific roles
Microsoft Graph Beta roleManagement API
• Use deviceManagement provider
• Alternatively, use Intune-specific Microsoft Graph Beta RBAC management API
Audit and monitoring reference Intune-specific roles in Microsoft Entra ID
Microsoft Graph v1.0 directoryAudit API
RoleManagement category

Intune-specific roles
Intune auditing overview
API access to Intune-specific audit logs:
Microsoft Graph Beta getAuditActivityTypes API
• First list activity types where category=Role, then use Microsoft Graph Beta auditEvents API to list all auditEvents for each activity type

Teams

Includes Teams, Bookings, Copilot Studio for Teams, and Shifts.

Area Content
Overview Use Microsoft Teams administrator roles to manage Teams
Management API reference Teams-specific roles in Microsoft Entra ID
Microsoft Graph v1.0 roleManagement API
• Use directory provider
• Roles with permissions starting with: microsoft.teams
Audit and monitoring reference Teams-specific roles in Microsoft Entra ID
Microsoft Entra activity log overview
API access to Microsoft Entra audit logs:
Microsoft Graph v1.0 directoryAudit API
• Audits with RoleManagement category

Purview suite

Includes Purview suite, Azure Information Protection, and Information Barriers.

Area Content
Overview Roles and role groups in Microsoft Defender for Office 365 and Microsoft Purview
Management API reference Purview-specific roles in Microsoft Entra ID
Microsoft Graph v1.0 roleManagement API
• Use directory provider
• See roles with permissions starting with:
microsoft.office365.complianceManager
microsoft.office365.protectionCenter
microsoft.office365.securityComplianceCenter

Purview-specific roles
Use PowerShell: Security & Compliance PowerShell. Specific cmdlets are:
Get-RoleGroup
Get-RoleGroupMember
New-RoleGroup
Add-RoleGroupMember
Update-RoleGroupMember
Remove-RoleGroupMember
Remove-RoleGroup
Audit and monitoring reference Purview-specific roles in Microsoft Entra ID
Microsoft Entra activity log overview
API access to Microsoft Entra audit logs:
Microsoft Graph v1.0 directoryAudit API
• Audits with RoleManagement category

Purview-specific roles
Use the Microsoft Graph Beta Security API (audit log query Beta) and list audit events where recordType == SecurityComplianceRBAC and Operation is one of Add-RoleGroupMember, Remove-RoleGroupMember, Update-RoleGroupMember, New-RoleGroup, Remove-RoleGroup

Power Platform

Includes Power Platform, Dynamics 365, Flow, and Dataverse for Teams.

Area Content
Overview Use service admin roles to manage your tenant
Security roles and privileges
Management API reference Power Platform-specific roles in Microsoft Entra ID
Microsoft Graph v1.0 roleManagement API
• Use directory provider
• See roles with permissions starting with:
microsoft.powerApps
microsoft.dynamics365
microsoft.flow

Dataverse-specific roles
Perform operations using the Web API
• Query the User (SystemUser) table/entity reference
• Role assignments are part of the systemuserroles_association tables
Audit and monitoring reference Power Platform-specific roles in Microsoft Entra ID
Microsoft Entra activity log overview
API access to Microsoft Entra audit logs:
Microsoft Graph v1.0 directoryAudit API
• Audits with RoleManagement category

Dataverse-specific roles
Dataverse auditing overview
API to access dataverse-specific audit logs
Dataverse Web API
Audit table reference
• Audits with action codes:
53 – Assign Role To Team
54 – Remove Role From Team
55 – Assign Role To User
56 – Remove Role From User
57 – Add Privileges to Role
58 – Remove Privileges From Role
59 – Replace Privileges In Role

Defender suite

Includes Defender suite, Secure Score, Cloud App Security, and Threat Intelligence.

Area Content
Overview Microsoft Defender XDR Unified role-based access control (RBAC)
Management API reference Defender-specific roles in Microsoft Entra ID
Microsoft Graph v1.0 roleManagement API
• Use directory provider
• The following roles have permissions (reference): Security Administrator, Security Operator, Security Reader, Global Administrator, and Global Reader

Defender-specific roles
Workloads must be activated to use Defender unified RBAC. See Activate Microsoft Defender XDR Unified role-based access control (RBAC). Activating defender Unified RBAC will turn off individual Defender solution roles.
• Can only be managed via security.microsoft.com portal.
Audit and monitoring reference Defender-specific roles in Microsoft Entra ID
Microsoft Entra activity log overview
API access to Microsoft Entra audit logs:
Microsoft Graph v1.0 directoryAudit API
• Audits with RoleManagement category

Viva Engage

Area Content
Overview Manage administrator roles in Viva Engage
Management API reference Viva Engage-specific roles in Microsoft Entra ID
Microsoft Graph v1.0 roleManagement API
• Use directory provider
• See roles with permissions starting with microsoft.office365.yammer.

Viva Engage-specific roles
• Verified admin and Network admin roles can be managed via the Yammer admin center.
• Corporate communicator role can be assigned via the Viva Engage admin center.
Yammer Data Export API can be used to export admins.csv to read the list of admins
Audit and monitoring reference Viva Engage-specific roles in Microsoft Entra ID
Microsoft Entra activity log overview
API access to Microsoft Entra audit logs:
Microsoft Graph v1.0 directoryAudit API
• Audits with RoleManagement category

Viva Engage-specific roles
• Use Yammer Data Export API to incrementally export admins.csv for a list of admins

Viva Connections

Area Content
Overview Admin roles and tasks in Microsoft Viva
Management API reference Viva Connections-specific roles in Microsoft Entra ID
Microsoft Graph v1.0 roleManagement API
• Use directory provider
• The following roles have permissions: SharePoint Administrator, Teams Administrator, and Global Administrator
Audit and monitoring reference Viva Connections-specific roles in Microsoft Entra ID
Microsoft Entra activity log overview
API access to Microsoft Entra audit logs:
Microsoft Graph v1.0 directoryAudit API
• Audits with RoleManagement category

Viva Learning

Area Content
Overview Set up Microsoft Viva Learning in the Teams admin center
Management API reference Viva Learning-specific roles in Microsoft Entra ID
Microsoft Graph v1.0 roleManagement API
• Use directory provider
• See roles with permissions starting with microsoft.office365.knowledge
Audit and monitoring reference Viva Learning-specific roles in Microsoft Entra ID
Microsoft Entra activity log overview
API access to Microsoft Entra audit logs:
Microsoft Graph v1.0 directoryAudit API
• Audits with RoleManagement category

Viva Insights

Area Content
Overview Roles in Viva Insights
Management API reference Viva Insights-specific roles in Microsoft Entra ID
Microsoft Graph v1.0 roleManagement API
• Use directory provider
• See roles with permissions starting with microsoft.office365.insights
Audit and monitoring reference Viva Insights-specific roles in Microsoft Entra ID
Microsoft Entra activity log overview
API access to Microsoft Entra audit logs:
Microsoft Graph v1.0 directoryAudit API
• Audits with RoleManagement category
Area Content
Overview Set up Microsoft Search
Management API reference Search-specific roles in Microsoft Entra ID
Microsoft Graph v1.0 roleManagement API
• Use directory provider
• See roles with permissions starting with microsoft.office365.search
Audit and monitoring reference Search-specific roles in Microsoft Entra ID
Microsoft Entra activity log overview
API access to Microsoft Entra audit logs:
Microsoft Graph v1.0 directoryAudit API
• Audits with RoleManagement category

Universal Print

Area Content
Overview Universal Print Administrator Roles
Management API reference Universal Print-specifc roles in Microsoft Entra ID
Microsoft Graph v1.0 roleManagement API
• Use directory provider
• See roles with permissions starting with microsoft.azure.print
Audit and monitoring reference Universal Print-specifc roles in Microsoft Entra ID
Microsoft Entra activity log overview
API access to Microsoft Entra audit logs:
Microsoft Graph v1.0 directoryAudit API
• Audits with RoleManagement category

Microsoft 365 Apps suite management

Includes Microsoft 365 Apps suite management and Forms.

Area Content
Overview Overview of the Microsoft 365 Apps admin center
Administrator settings for Microsoft Forms
Management API reference Microsoft 365 Apps-specific roles in Microsoft Entra ID
Microsoft Graph v1.0 roleManagement API
• Use directory provider
• The following roles have permissions: Office Apps Administrator, Security Administrator, Global Administrator
Audit and monitoring reference Microsoft 365 Apps-specific roles in Microsoft Entra ID
Microsoft Entra activity log overview
API access to Microsoft Entra audit logs:
Microsoft Graph v1.0 directoryAudit API
• Audits with RoleManagement category

Azure

Azure role-based access control (Azure RBAC) for the Azure control plane and subscription information.

Azure

Includes Azure and Sentinel.

Area Content
Overview What is Azure role-based access control (Azure RBAC)?
Roles and permissions in Microsoft Sentinel
Management API reference Azure service-specific roles in Azure
Azure Resource Manager Authorization API
• Role assignment: List, Create/Update, Delete
• Role definition: List, Create/Update, Delete

• There is a legacy method to grant access to Azure resources called classic administrators. Classic administrators are equivalent to the Owner role in Azure RBAC. Classic administrators will be retired in August 2024.
• Note that an Microsoft Entra Global Administrator can gain unilateral access to Azure via elevate access.
Audit and monitoring reference Azure service-specific roles in Azure
Monitor Azure RBAC changes in the Azure Activity Log
Azure Activity Log API
• Audits with Event Category Administrative and Operation Create role assignment, Delete role assignment, Create or update custom role definition, Delete custom role definition.

View Elevate Access logs in the tenant level Azure Activity Log
Azure Activity Log API – Tenant Activity Logs
• Audits with Event Category Administrative and containing string elevateAccess.
• Access to tenant level activity logs requires using elevate access at least once to gain tenant level access.

Commerce

Services related to purchasing and billing.

Cost Management and Billing – Enterprise Agreements

Area Content
Overview Managing Azure Enterprise Agreement roles
Management API reference Enterprise Agreements-specific roles in Microsoft Entra ID
Enterprise Agreements does not support Microsoft Entra roles.

Enterprise Agreements-specific roles
Billing Role Assignments API
• Enterprise Administrator (Role ID: 9f1983cb-2574-400c-87e9-34cf8e2280db)
• Enterprise Administrator (read only) (Role ID: 24f8edb6-1668-4659-b5e2-40bb5f3a7d7e)
• EA Purchaser (Role ID: da6647fb-7651-49ee-be91-c43c4877f0c4)
Enrollment Department Role Assignments API
• Department Admin (Role ID: fb2cf67f-be5b-42e7-8025-4683c668f840)
• Department Reader (Role ID: db609904-a47f-4794-9be8-9bd86fbffd8a)
Enrollment Account Role Assignments API
• Account Owner (Role ID: c15c22c0-9faf-424c-9b7e-bd91c06a240b)
Audit and monitoring reference Enterprise Agreements-specific roles
Azure Activity Log API – Tenant Activity Logs
• Access to tenant level activity logs requires using elevate access at least once to gain tenant level access.
• Audits where resourceProvider == Microsoft.Billing and operationName contains billingRoleAssignments or EnrollmentAccount

Cost Management and Billing – Microsoft Customer Agreements

Area Content
Overview Understand Microsoft Customer Agreement administrative roles in Azure
Understand your Microsoft business billing account
Management API reference Microsoft Customer Agreements-specific roles in Microsoft Entra ID
Microsoft Graph v1.0 roleManagement API
• Use directory provider
• The following roles have permissions: Billing Administrator, Global Administrator.

Microsoft Customer Agreements-specific roles
• By default, the Microsoft Entra Global Administrator and Billing Administrator roles are automatically assigned the Billing Account Owner role in Microsoft Customer Agreements-specific RBAC.
Billing Role Assignment API
Audit and monitoring reference Microsoft Customer Agreements-specific roles in Microsoft Entra ID
Microsoft Entra activity log overview
API access to Microsoft Entra audit logs:
Microsoft Graph v1.0 directoryAudit API
• Audits with category RoleManagement

Microsoft Customer Agreements-specific roles
Azure Activity Log API – Tenant Activity Logs
• Access to tenant level activity logs requires using elevate access at least once to gain tenant level access.
• Audits where resourceProvider == Microsoft.Billing and operationName one of the following (all prefixed with Microsoft.Billing):
/permissionRequests/write
/billingAccounts/createBillingRoleAssignment/action
/billingAccounts/billingProfiles/createBillingRoleAssignment/action
/billingAccounts/billingProfiles/invoiceSections/createBillingRoleAssignment/action
/billingAccounts/customers/createBillingRoleAssignment/action
/billingAccounts/billingRoleAssignments/write
/billingAccounts/billingRoleAssignments/delete
/billingAccounts/billingProfiles/billingRoleAssignments/delete
/billingAccounts/billingProfiles/customers/createBillingRoleAssignment/action
/billingAccounts/billingProfiles/invoiceSections/billingRoleAssignments/delete
/billingAccounts/departments/billingRoleAssignments/write
/billingAccounts/departments/billingRoleAssignments/delete
/billingAccounts/enrollmentAccounts/transferBillingSubscriptions/action
/billingAccounts/enrollmentAccounts/billingRoleAssignments/write
/billingAccounts/enrollmentAccounts/billingRoleAssignments/delete
/billingAccounts/billingProfiles/invoiceSections/billingSubscriptions/transfer/action
/billingAccounts/billingProfiles/invoiceSections/initiateTransfer/action
/billingAccounts/billingProfiles/invoiceSections/transfers/delete
/billingAccounts/billingProfiles/invoiceSections/transfers/cancel/action
/billingAccounts/billingProfiles/invoiceSections/transfers/write
/transfers/acceptTransfer/action
/transfers/accept/action
/transfers/decline/action
/transfers/declineTransfer/action
/billingAccounts/customers/initiateTransfer/action
/billingAccounts/customers/transfers/delete
/billingAccounts/customers/transfers/cancel/action
/billingAccounts/customers/transfers/write
/billingAccounts/billingProfiles/invoiceSections/products/transfer/action
/billingAccounts/billingSubscriptions/elevateRole/action

Business Subscriptions and Billing – Volume Licensing

Area Content
Overview Manage volume licensing user roles Frequently Asked Questions
Management API reference Volume Licensing-specific roles in Microsoft Entra ID
Volume Licensing does not support Microsoft Entra roles.

Volume Licensing-specific roles
VL users and roles are managed in the M365 Admin Center.

Partner Center

Area Content
Overview Roles, permissions, and workspace access for users
Management API reference Partner Center-specific roles in Microsoft Entra ID
Microsoft Graph v1.0 roleManagement API
• Use directory provider
• The following roles have permissions: Global Administrator, User Administrator.

Partner Center-specific roles
Partner Center-specific roles can only be managed via Partner Center.
Audit and monitoring reference Partner Center-specific roles in Microsoft Entra ID
Microsoft Entra activity log overview
API access to Microsoft Entra audit logs:
Microsoft Graph v1.0 directoryAudit API
• Audits with category RoleManagement

Other services

Azure DevOps

Area Content
Overview About permissions and security groups
Management API reference Azure DevOps-specific roles in Microsoft Entra ID
Microsoft Graph v1.0 roleManagement API
• Use directory provider
• See roles with permissions starting with microsoft.azure.devOps.

Azure DevOps-specific roles
Create/read/update/delete permissions granted via Roleassignments API
• View permissions of roles with Roledefinitions API
Permissions reference topic
• When an Azure DevOps group (note: different from Microsoft Entra group) is assigned to a role, create/read/update/delete group memberships with the Memberships API
Audit and monitoring reference Azure DevOps-specific roles in Microsoft Entra ID
Microsoft Entra activity log overview
API access to Microsoft Entra audit logs:
Microsoft Graph v1.0 directoryAudit API
• Audits with category RoleManagement

Azure DevOps-specific roles
Accessing the AzureDevOps Audit Log
Audit API reference
AuditId reference
• Audits with ActionId Security.ModifyPermission, Security.RemovePermission.
• For changes to groups assigned to roles, audits with ActionId Group.UpdateGroupMembership, Group.UpdateGroupMembership.Add, Group.UpdateGroupMembership.Remove

Fabric

Includes Fabric and Power BI.

Area Content
Overview Understand Microsoft Fabric admin roles
Management API reference Fabric-specific roles in Microsoft Entra ID
Microsoft Graph v1.0 roleManagement API
• Use directory provider
• See roles with permissions starting with microsoft.powerApps.powerBI.
Audit and monitoring reference Fabric-specific roles in Microsoft Entra ID
Microsoft Entra activity log overview
API access to Microsoft Entra audit logs:
Microsoft Graph v1.0 directoryAudit API
• Audits with category RoleManagement

Unified Support Portal for managing customer support cases

Includes Unified Support Portal and Services Hub.

Area Content
Overview Services Hub roles and permissions
Management API reference Manage these roles in the Services Hub portal, https://serviceshub.microsoft.com.

Microsoft Graph application permissions

In addition to the previously mentioned RBAC systems, elevated permissions can be granted to Microsoft Entra application registrations and service principals using application permissions. For example, a non-interactive, non-human application identity can be granted the ability to read all mail in a tenant (the Mail.Read application permission). The following table lists how to manage and monitor application permissions.

Area Content
Overview Overview of Microsoft Graph permissions
Management API reference Microsoft Graph-specific roles in Microsoft Entra ID
Microsoft Graph v1.0 servicePrincipal API
• Enumerate the appRoleAssignments for each servicePrincipal in the tenant.
• For each appRoleAssignment, get information about the permissions granted by the assignment by reading the appRole property on the servicePrincipal object referenced by the resourceId and appRoleId in the appRoleAssignment.
• Of specific interest are app permissions to the Microsoft Graph (servicePrincipal with appID == "00000003-0000-0000-c000-000000000000") which grant access to Exchange, SharePoint, Teams, and so on. Here is a reference for Microsoft Graph permissions.
• Also see Microsoft Entra security operations for applications.
Audit and monitoring reference Microsoft Graph-specific roles in Microsoft Entra ID
Microsoft Entra activity log overview
API access to Microsoft Entra audit logs:
Microsoft Graph v1.0 directoryAudit API
• Audits with category ApplicationManagement and Activity name Add app role assignment to service principal

Next steps