Azure AD built-in roles


07/26/2021 • 94 minutes to read

In this article
All roles
Application Administrator
Application Developer
Attack Payload Author
Attack Simulation Administrator
Authentication Administrator
Authentication Policy Administrator
Azure AD Joined Device Local Administrator
Azure DevOps Administrator
Azure Information Protection Administrator
B2C IEF Keyset Administrator
B2C IEF Policy Administrator
Billing Administrator
Cloud App Security Administrator
Cloud Application Administrator
Cloud Device Administrator
Compliance Administrator
Compliance Data Administrator
Conditional Access Administrator
Customer LockBox Access Approver
Desktop Analytics Administrator
Directory Readers
Directory Synchronization Accounts
Directory Writers
Domain Name Administrator
Dynamics 365 Administrator
Exchange Administrator
Exchange Recipient Administrator
External ID User Flow Administrator
External ID User Flow Attribute Administrator
External Identity Provider Administrator
Global Administrator
Global Reader
Groups Administrator
Guest Inviter
Helpdesk Administrator
Hybrid Identity Administrator
Identity Governance Administrator
Insights Administrator
Insights Business Leader
Intune Administrator
Kaizala Administrator
Knowledge Administrator
Knowledge Manager
License Administrator
Message Center Privacy Reader
Message Center Reader
Modern Commerce User
Network Administrator
Office Apps Administrator
Partner Tier1 Support
Partner Tier2 Support
Password Administrator
Power BI Administrator
Power Platform Administrator
Printer Administrator
Printer Technician
Privileged Authentication Administrator
Privileged Role Administrator
Reports Reader
Search Administrator
Search Editor
Security Administrator
Security Operator
Security Reader
Service Support Administrator
SharePoint Administrator
Skype for Business Administrator
Teams Administrator
Teams Communications Administrator
Teams Communications Support Engineer
Teams Communications Support Specialist
Teams Devices Administrator
Usage Summary Reports Reader
User Administrator
Windows Update Deployment Administrator
How to understand role permissions
Deprecated roles
Roles not shown in the portal
Password reset permissions
Next steps

In Azure Active Directory (Azure AD), if another administrator or non-administrator needs to manage Azure AD resources, you assign them an Azure AD role that provides the permissions they need. For example, you can assign roles to allow adding or changing users, resetting user passwords, managing user licenses, or managing domain names.

This article lists the Azure AD built-in roles you can assign to allow management of Azure AD resources. For information about how to assign roles, see Assign Azure AD roles to users.

All roles
Role | Description | Template ID

Application Administrator | Can create and manage all aspects of app registrations and enterprise apps. | 9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3
Application Developer | Can create application registrations independent of the 'Users can register applications' setting. | cf1c38e5-3621-4004-a7cb-879624dced7c
Attack Payload Author | Can create attack payloads that an administrator can initiate later. | 9c6df0f2-1e7c-4dc3-b195-66dfbd24aa8f
Attack Simulation Administrator | Can create and manage all aspects of attack simulation campaigns. | c430b396-e693-46cc-96f3-db01bf8bb62a
Authentication Administrator | Can access to view, set and reset authentication method information for any non-admin user. | c4e39bd9-1100-46d3-8c65-fb160da0071f
Authentication Policy Administrator | Can create and manage the authentication methods policy, tenant-wide MFA settings, password protection policy, and verifiable credentials. | 0526716b-113d-4c15-b2c8-68e3c22b9f80
Azure AD Joined Device Local Administrator | Users assigned to this role are added to the local administrators group on Azure AD-joined devices. | 9f06204d-73c1-4d4c-880a-6edb90606fd8
Azure DevOps Administrator | Can manage Azure DevOps organization policy and settings. | e3973bdf-4987-49ae-837a-ba8e231c7286
Azure Information Protection Administrator | Can manage all aspects of the Azure Information Protection product. | 7495fdc4-34c4-4d15-a289-98788ce399fd
B2C IEF Keyset Administrator | Can manage secrets for federation and encryption in the Identity Experience Framework (IEF). | aaf43236-0c0d-4d5f-883a-6955382ac081
B2C IEF Policy Administrator | Can create and manage trust framework policies in the Identity Experience Framework (IEF). | 3edaf663-341e-4475-9f94-5c398ef6c070
Billing Administrator | Can perform common billing related tasks like updating payment information. | b0f54661-2d74-4c50-afa3-1ec803f12efe
Cloud App Security Administrator | Can manage all aspects of the Cloud App Security product. | 892c5842-a9a6-463a-8041-72aa08ca3cf6
Cloud Application Administrator | Can create and manage all aspects of app registrations and enterprise apps except App Proxy. | 158c047a-c907-4556-b7ef-446551a6b5f7
Cloud Device Administrator | Limited access to manage devices in Azure AD. | 7698a772-787b-4ac8-901f-60d6b08affd2
Compliance Administrator | Can read and manage compliance configuration and reports in Azure AD and Microsoft 365. | 17315797-102d-40b4-93e0-432062caca18
Compliance Data Administrator | Creates and manages compliance content. | e6d1a23a-da11-4be4-9570-befc86d067a7
Conditional Access Administrator | Can manage Conditional Access capabilities. | b1be1c3e-b65d-4f19-8427-f6fa0d97feb9
Customer LockBox Access Approver | Can approve Microsoft support requests to access customer organizational data. | 5c4f9dcd-47dc-4cf7-8c9a-9e4207cbfc91
Desktop Analytics Administrator | Can access and manage Desktop management tools and services. | 38a96431-2bdf-4b4c-8b6e-5d3d8abac1a4
Directory Readers | Can read basic directory information. Commonly used to grant directory read access to applications and guests. | 88d8e3e3-8f55-4a1e-953a-9b9898b8876b
Directory Synchronization Accounts | Only used by Azure AD Connect service. | d29b2b05-8046-44ba-8758-1e26182fcf32
Directory Writers | Can read and write basic directory information. For granting access to applications, not intended for users. | 9360feb5-f418-4baa-8175-e2a00bac4301
Domain Name Administrator | Can manage domain names in cloud and on-premises. | 8329153b-31d0-4727-b945-745eb3bc5f31
Dynamics 365 Administrator | Can manage all aspects of the Dynamics 365 product. | 44367163-eba1-44c3-98af-f5787879f96a
Exchange Administrator | Can manage all aspects of the Exchange product. | 29232cdf-9323-42fd-ade2-1d097af3e4de
Exchange Recipient Administrator | Can create or update Exchange Online recipients within the Exchange Online organization. | 31392ffb-586c-42d1-9346-e59415a2cc4e
External ID User Flow Administrator | Can create and manage all aspects of user flows. | 6e591065-9bad-43ed-90f3-e9424366d2f0
External ID User Flow Attribute Administrator | Can create and manage the attribute schema available to all user flows. | 0f971eea-41eb-4569-a71e-57bb8a3eff1e
External Identity Provider Administrator | Can configure identity providers for use in direct federation. | be2f45a1-457d-42af-a067-6ec1fa63bc45
Global Administrator | Can manage all aspects of Azure AD and Microsoft services that use Azure AD identities. | 62e90394-69f5-4237-9190-012177145e10
Global Reader | Can read everything that a Global Administrator can, but not update anything. | f2ef992c-3afb-46b9-b7cf-a126ee74c451
Groups Administrator | Members of this role can create/manage groups, create/manage groups settings like naming and expiration policies, and view groups activity and audit reports. | fdd7a751-b60b-444a-984c-02652fe8fa1c
Guest Inviter | Can invite guest users independent of the 'members can invite guests' setting. | 95e79109-95c0-4d8e-aee3-d01accf2d47b
Helpdesk Administrator | Can reset passwords for non-administrators and Helpdesk Administrators. | 729827e3-9c14-49f7-bb1b-9608f156bbb8
Hybrid Identity Administrator | Can manage AD to Azure AD cloud provisioning, Azure AD Connect, and federation settings. | 8ac3fc64-6eca-42ea-9e69-59f4c7b60eb2
Identity Governance Administrator | Manage access using Azure AD for identity governance scenarios. | 45d8d3c5-c802-45c6-b32a-1d70b5e1e86e
Insights Administrator | Has administrative access in the Microsoft 365 Insights app. | eb1f4a8d-243a-41f0-9fbd-c7cdf6c5ef7c
Insights Business Leader | Can view and share dashboards and insights via the M365 Insights app. | 31e939ad-9672-4796-9c2e-873181342d2d
Intune Administrator | Can manage all aspects of the Intune product. | 3a2c62db-5318-420d-8d74-23affee5d9d5
Kaizala Administrator | Can manage settings for Microsoft Kaizala. | 74ef975b-6605-40af-a5d2-b9539d836353
Knowledge Administrator | Can configure knowledge, learning, and other intelligent features. | b5a8dcf3-09d5-43a9-a639-8e29ef291470
Knowledge Manager | Can organize, create, manage, and promote topics and knowledge. | 744ec460-397e-42ad-a462-8b3f9747a02c
License Administrator | Can manage product licenses on users and groups. | 4d6ac14f-3453-41d0-bef9-a3e0c569773a
Message Center Privacy Reader | Can read security messages and updates in Office 365 Message Center only. | ac16e43d-7b2d-40e0-ac05-243ff356ab5b
Message Center Reader | Can read messages and updates for their organization in Office 365 Message Center only. | 790c1fb9-7f7d-4f88-86a1-ef1f95c05c1b
Modern Commerce User | Can manage commercial purchases for a company, department or team. | d24aef57-1500-4070-84db-2666f29cf966
Network Administrator | Can manage network locations and review enterprise network design insights for Microsoft 365 Software as a Service applications. | d37c8bed-0711-4417-ba38-b4abe66ce4c2
Office Apps Administrator | Can manage Office apps cloud services, including policy and settings management, and manage the ability to select, unselect and publish 'what's new' feature content to end-user's devices. | 2b745bdf-0803-4d80-aa65-822c4493daac
Partner Tier1 Support | Do not use - not intended for general use. | 4ba39ca4-527c-499a-b93d-d9b492c50246
Partner Tier2 Support | Do not use - not intended for general use. | e00e864a-17c5-4a4b-9c06-f5b95a8d5bd8
Password Administrator | Can reset passwords for non-administrators and Password Administrators. | 966707d0-3269-4727-9be2-8c3a10f19b9d
Power BI Administrator | Can manage all aspects of the Power BI product. | a9ea8996-122f-4c74-9520-8edcd192826c
Power Platform Administrator | Can create and manage all aspects of Microsoft Dynamics 365, Power Apps and Power Automate. | 11648597-926c-4cf3-9c36-bcebb0ba8dcc
Printer Administrator | Can manage all aspects of printers and printer connectors. | 644ef478-e28f-4e28-b9dc-3fdde9aa0b1f
Printer Technician | Can register and unregister printers and update printer status. | e8cef6f1-e4bd-4ea8-bc07-4b8d950f4477
Privileged Authentication Administrator | Can access to view, set and reset authentication method information for any user (admin or non-admin). | 7be44c8a-adaf-4e2a-84d6-ab2649e08a13
Privileged Role Administrator | Can manage role assignments in Azure AD, and all aspects of Privileged Identity Management. | e8611ab8-c189-46e8-94e1-60213ab1f814
Reports Reader | Can read sign-in and audit reports. | 4a5d8f65-41da-4de4-8968-e035b65339cf
Search Administrator | Can create and manage all aspects of Microsoft Search settings. | 0964bb5e-9bdb-4d7b-ac29-58e794862a40
Search Editor | Can create and manage the editorial content such as bookmarks, Q and As, locations, floorplan. | 8835291a-918c-4fd7-a9ce-faa49f0cf7d9
Security Administrator | Can read security information and reports, and manage configuration in Azure AD and Office 365. | 194ae4cb-b126-40b2-bd5b-6091b380977d
Security Operator | Creates and manages security events. | 5f2222b1-57c3-48ba-8ad5-d4759f1fde6f
Security Reader | Can read security information and reports in Azure AD and Office 365. | 5d6b6bb7-de71-4623-b4af-96380a352509
Service Support Administrator | Can read service health information and manage support tickets. | f023fd81-a637-4b56-95fd-791ac0226033
SharePoint Administrator | Can manage all aspects of the SharePoint service. | f28a1f50-f6e7-4571-818b-6a12f2af6b6c
Skype for Business Administrator | Can manage all aspects of the Skype for Business product. | 75941009-915a-4869-abe7-691bff18279e
Teams Administrator | Can manage the Microsoft Teams service. | 69091246-20e8-4a56-aa4d-066075b2a7a8
Teams Communications Administrator | Can manage calling and meetings features within the Microsoft Teams service. | baf37b3a-610e-45da-9e62-d9d1e5e8914b
Teams Communications Support Engineer | Can troubleshoot communications issues within Teams using advanced tools. | f70938a0-fc10-4177-9e90-2178f8765737
Teams Communications Support Specialist | Can troubleshoot communications issues within Teams using basic tools. | fcf91098-03e3-41a9-b5ba-6f0ec8188a12
Teams Devices Administrator | Can perform management related tasks on Teams certified devices. | 3d762c5a-1b6c-493f-843e-55a3b42923d4
Usage Summary Reports Reader | Can see only tenant level aggregates in Microsoft 365 Usage Analytics and Productivity Score. | 75934031-6c7e-415a-99d7-48dbd49e875e