Azure Entra Roles

Microsoft Entra Roles and Permissions Overview:

Microsoft Entra ID, previously known as Azure Active Directory, provides identity and access management. The built-in roles listed here are enabled with each tenant.

Permission Types:

Microsoft Entra, which includes Microsoft Entra ID (formerly Azure Active Directory), provides various roles and permissions to help manage access to resources. Here's an overview of some of the basic roles and their permissions within Microsoft Entra ID:

1. Global Administrator

  • Description: The Global Administrator role has the highest level of access in Microsoft Entra ID. Users with this role can manage everything in the directory.

  • Permissions:

    • Manage all administrative features in Microsoft Entra ID, as well as services that use Microsoft Entra ID identities like Microsoft 365.

    • Assign other admin roles.

    • Reset passwords for all users and admins.

    • Manage billing and support tickets.

    • Configure multi-factor authentication and Conditional Access policies.

2. User Administrator

  • Description: The User Administrator role is responsible for managing user accounts and groups, including password resets and license assignments.

  • Permissions:

    • Create, update, and delete users and groups.

    • Manage user and group properties.

    • Assign licenses to users.

    • Reset passwords for non-administrators.

    • Manage guest access and invitations.

3. Application Administrator

  • Description: The Application Administrator role is designed to manage application registrations and enterprise applications.

  • Permissions:

    • Register and manage applications in Microsoft Entra ID.

    • Configure application permissions.

    • Manage consent requests for applications.

    • Assign applications to users or groups.

    • Manage application credentials.

4. Billing Administrator

  • Description: The Billing Administrator role handles billing and subscription-related tasks.

  • Permissions:

    • Manage subscriptions, payment methods, and billing profiles.

    • View and manage billing details.

    • Create and manage support requests related to billing.

    • Access the Microsoft 365 Admin Center for billing management.

5. Authentication Administrator

  • Description: The Authentication Administrator role manages authentication methods and controls access to sensitive authentication data.

  • Permissions:

    • Manage authentication methods (like MFA) for users.

    • Configure password reset policies.

    • Manage Conditional Access policies related to authentication.

    • Reset user passwords and revoke sessions.

6. Device Administrator

  • Description: The Device Administrator role manages device settings and compliance policies.

  • Permissions:

    • Manage device settings, including enrollment and compliance policies.

    • Enable or disable devices in the directory.

    • Perform remote actions like wipe or retire on devices.

    • Manage BitLocker keys for devices.

7. Helpdesk Administrator

  • Description: The Helpdesk Administrator role is intended for support staff who handle basic user support tasks.

  • Permissions:

    • Reset passwords for non-administrators.

    • Unlock user accounts.

    • Manage user account properties (like phone numbers or email).

    • Monitor service health and notifications.

8. Security Administrator

  • Description: The Security Administrator role focuses on security-related tasks within Microsoft Entra ID.

  • Permissions:

    • Manage security features, like identity protection policies and Conditional Access.

    • View security reports and alerts.

    • Manage Privileged Identity Management (PIM).

    • Access security-related dashboards and reports.
