| Roles in O365 | Roles in Azure Active Directory | Description |
|---|---|---|
|  | Application Administrator | Users in this role can add, manage, and configure enterprise applications and app registrations, and manage on-premises components like app proxy. |
|  | Application Developer | Users in this role will continue to be able to register app registrations even if the Global Admin has turned off the tenant-level switch for "Users can register apps". |
|  | Authentication administrator | Has access to view, set, and reset authentication method information for any non-admin user. |
|  | Azure Information Protection administrator | Users with this role have user rights only on the Azure Information Protection service. They are not granted user rights on Identity Protection Center, Privileged Identity Management, Monitor Office 365 Service Health, or Office 365 Security & Compliance Center. They can configure labels for the Azure Information Protection policy, manage protection templates, and activate protection. |
|  | B2C IEF Keyset administrator | Users can create and manage policy keys and secrets for token encryption, token signatures, and claim encryption/decryption. By adding new keys to existing key containers, this limited administrator can roll over secrets as needed without impacting existing applications. This user can see the full content of these secrets and their expiration dates even after their creation. This is a sensitive role. The Keyset administrator role should be carefully audited and assigned with care during preproduction and production. |
|  | B2C IEF Policy administrator | Users in this role have the ability to create, read, update, and delete all custom policies in Azure AD B2C and therefore have full control over the Identity Experience Framework in the relevant Azure AD B2C tenant. By editing policies, this user can establish direct federation with external identity providers, change the directory schema, change all user-facing content (HTML, CSS, JavaScript), change the requirements to complete an authentication, create new users, send user data to external systems including full migrations, and edit all user information including sensitive fields like passwords and phone numbers. Conversely, this role cannot change the encryption keys or edit the secrets used for federation in the tenant. The B2C IEF Policy Administrator is a highly sensitive role, which should be assigned on a very limited basis for tenants in production. Activities by these users should be closely audited, especially for tenants in production. |
|  | B2C user flow administrator | Users with this role can create and manage B2C User Flows (aka "built-in" policies) in the Azure Portal. By creating or editing user flows, these users can change the HTML/CSS/JavaScript content of the user experience, change MFA requirements per user flow, change claims in the token, and adjust session settings for all policies in the tenant. On the other hand, this role does not include the ability to review user data or make changes to the attributes that are included in the tenant schema. Changes to Identity Experience Framework (aka Custom) policies are also outside the scope of this role. |
|  | B2C user flow attribute administrator | Users with this role add or delete custom attributes available to all user flows in the tenant. As such, users with this role can change or add new elements to the end user schema and impact the behavior of all user flows, indirectly resulting in changes to what data may be asked of end users and ultimately sent as claims to applications. This role cannot edit user flows. |
| Billing administrator | Billing administrator | Makes purchases, manages subscriptions, manages support tickets, and monitors service health. |
|  | Cloud application administrator | Users in this role can add, manage, and configure enterprise applications and app registrations, but will not be able to configure or manage on-premises components like app proxy. |
|  | Cloud device administrator | A user in this role has the ability to read directory information (including device details), manage devices, delete devices, read and manage group memberships, and view BitLocker keys. |
| Compliance administrator | Compliance administrator | Users with this role have management permissions within the Office 365 Security & Compliance Center and Exchange Admin Center. |
|  | Compliance data administrator | Users with this role have permissions to protect and track data in the Microsoft 365 compliance center, Microsoft 365 admin center, and Azure. Users can also manage all features within the Exchange admin center, Compliance Manager, and Teams & Skype for Business admin center, and create support tickets for Azure and Microsoft 365. |
|  | Conditional access administrator | Users with this role have the ability to manage Azure Active Directory conditional access settings. Note: To deploy Exchange ActiveSync conditional access policy in Azure, the user must also be Global Administrator. |
| Customer Lockbox access approver | Customer LockBox access approver | Users in this role can log in to the Office Admin Center and view/approve/reject data access requests. |
|  | Desktop Analytics administrator | Users in this role will have access to manage Desktop Analytics and Office Customization & Policy Services. For Desktop Analytics, this includes the ability to view asset inventory, create deployment plans, and view deployment and health status. For Office Customization & Policy Services, this role will enable users to manage Office policies. |
| Dynamics 365 service administrator | Dynamics 365 administrator | Users with this role have global permissions within Microsoft CRM Online, when the service is present, as well as the ability to manage support tickets and monitor service health. |
| Exchange administrator | Exchange administrator | Users with this role have global permissions within Microsoft Exchange Online, when the service is present. |
|  | External Identity Provider administrator | This administrator manages federation between Azure Active Directory tenants and external identity providers. With this role, users can add new identity providers and configure all available settings (e.g. authentication path, service id, assigned key containers). This user can enable the tenant to trust authentications from external identity providers. The resulting impact on end user experiences depends on the type of tenant: (1) Azure Active Directory tenants for employees and partners: the addition of a federation (e.g. with Gmail) will immediately impact all guest invitations not yet redeemed. (2) Azure Active Directory B2C tenants: the addition of a federation (e.g. with Facebook, or with another Azure Active Directory) does not immediately impact end user flows until the identity provider is added as an option in a user flow (aka built-in policy). To change user flows, the limited role of "B2C User Flow Administrator" is required. |
| Global administrator | Global administrator | Users with this role have access to all administrative features in Azure Active Directory, as well as services that federate to Azure Active Directory like Exchange Online, SharePoint Online, and Skype for Business Online. The person who signs up for the Azure Active Directory tenant becomes a global administrator. Only global administrators can assign other administrator roles. There can be more than one global administrator at your company. Global admins can reset the password for any user and all other administrators. Note: In Microsoft Graph API, Azure AD Graph API, and Azure AD PowerShell, this role is identified as "Company Administrator". It is "Global Administrator" in the Azure portal. |
|  | Guest inviter | Users in this role can manage Azure Active Directory B2B guest user invitations when the "Members can invite" user setting is set to No. It does not include any other permissions. |
| Helpdesk administrator | Helpdesk (password) administrator | Users with this role can change passwords, manage service requests, and monitor service health. Helpdesk administrators can change passwords only for users and other Helpdesk administrators. Note: In Microsoft Graph API, Azure AD Graph API, and Azure AD PowerShell, this role is identified as "Helpdesk Administrator". It is "Password Administrator" in the Azure portal. |
|  | Information Protection administrator | Users with this role have user rights only on the Azure Information Protection service. They are not granted user rights on Identity Protection Center, Privileged Identity Management, Monitor Office 365 Service Health, or Office 365 Security & Compliance Center. They can configure labels for the Azure Information Protection policy, manage protection templates, and activate protection. |
|  | Intune administrator | Users with this role have global permissions within Microsoft Intune Online, when the service is present. Additionally, this role contains the ability to manage users and devices in order to associate policy, as well as create and manage groups. |
| Kaizala administrator | Kaizala administrator | Users with this role have global permissions to manage settings within Microsoft Kaizala, when the service is present, as well as the ability to manage support tickets and monitor service health. Additionally, the user can access reports related to adoption & usage of Kaizala by organization members and business reports generated using the Kaizala actions. |
| License administrator | License administrator | Users in this role can assign licenses, remove licenses, and manage group license assignments. |
|  | Message center privacy reader | Users in this role can monitor all notifications in the Message Center, including data privacy messages. Message Center Privacy Readers get email notifications, including those related to data privacy, and they can unsubscribe using Message Center Preferences. Only the Global Administrator and the Message Center Privacy Reader can read data privacy messages. Additionally, this role contains the ability to view groups, domains, and subscriptions. This role has no permission to view, create, or manage service requests. |
| Message Center reader | Message Center reader | Users in this role can read messages and updates for their organization in the Office 365 Message Center only. |
| Power BI service administrator | Power BI administrator | Users with this role have global permissions within Microsoft Power BI, when the service is present, as well as the ability to manage support tickets and monitor service health. |
|  | Privileged authentication administrator | Users with this role can view the current authentication method information and set or reset non-password credentials for all users, including global administrators. Privileged Authentication Administrators can force users to re-register against existing non-password credentials (e.g. MFA, FIDO) and revoke 'remember MFA on the device', prompting for MFA on the next login of all users. |
|  | Privileged role administrator | Users with this role can manage role assignments in Azure Active Directory, as well as within Azure AD Privileged Identity Management. In addition, this role allows management of all aspects of Privileged Identity Management. |
| Reports reader | Reports reader | Users with this role can view usage reporting data and the reports dashboard in the Office 365 admin center and the adoption context pack in Power BI. Additionally, the role provides access to sign-on reports and activity in Azure AD and data returned by the Microsoft Graph reporting API. A user assigned to the Reports Reader role can access only relevant usage and adoption metrics. They don't have any admin permissions to configure settings or access the product-specific admin centers like Exchange. |
| Search administrator | Search administrator | Users in this role have full access to all Microsoft Search management features in the Microsoft 365 admin center. Search Administrators can delegate the Search Administrator and Search Editor roles to users, and create and manage content, like bookmarks, Q&As, and locations. Additionally, these users can view the message center, monitor service health, and create service requests. |
| Search editor | Search editor | Users in this role can create, manage, and delete content for Microsoft Search in the Microsoft 365 admin center, including bookmarks, Q&As, and locations. |
|  | Security administrator | Users with this role have all of the read-only permissions of the Security reader role, plus the ability to manage configuration for security-related services: Azure Active Directory Identity Protection, Azure Information Protection, Privileged Identity Management, and Office 365 Security & Compliance Center. |
|  | Security Operator | Creates and manages security events. |
|  | Security reader | Users with this role have global read-only access, including all information in Azure Active Directory, Identity Protection, and Privileged Identity Management, as well as the ability to read Azure Active Directory sign-in reports and audit logs. The role also grants read-only permission in the Office 365 Security & Compliance Center. |
| Service administrator | Service administrator | Users with this role can open support requests with Microsoft for Azure and Office 365 services, and view the service dashboard and message center in the Azure portal and Office 365 admin portal. |
| SharePoint administrator | SharePoint administrator | Users with this role have global permissions within Microsoft SharePoint Online, when the service is present, as well as the ability to manage support tickets and monitor service health. |
| Skype for Business administrator | Skype for Business administrator | Users with this role have global permissions within Microsoft Skype for Business, when the service is present, as well as the ability to manage Skype-specific user attributes in Azure Active Directory. Additionally, this role grants the ability to manage support tickets and monitor service health. Note: In Microsoft Graph API, Azure AD Graph API, and Azure AD PowerShell, this role is identified as "Lync Service Administrator". It is "Skype for Business Service Administrator" in the Azure portal. |
| Teams Communications Administrator | Teams Communications Administrator | Users in this role can manage aspects of the Microsoft Teams workload related to voice & telephony. This includes the management tools for telephone number assignment, voice and meeting policies, and full access to the call analytics toolset. |
| Teams Communications Support Engineer | Teams Communications Support Engineer | Users in this role can troubleshoot communication issues within Microsoft Teams & Skype for Business using the user call troubleshooting tools in the Microsoft Teams & Skype for Business admin center. Users in this role can view full call record information for all participants involved. |
| Teams Communications Support Specialist | Teams Communications Support Specialist | Users in this role can troubleshoot communication issues within Microsoft Teams & Skype for Business using the user call troubleshooting tools in the Microsoft Teams & Skype for Business admin center. Users in this role can only view user details in the call for the specific user they have looked up. |
| Teams Service Administrator | Teams Service Administrator | Users in this role can manage all aspects of the Microsoft Teams workload via the Microsoft Teams & Skype for Business admin center and the respective PowerShell modules. This includes, among other areas, all management tools related to telephony, messaging, meetings, and the teams themselves. This role also grants the ability to manage O365 groups. |
| User management administrator | User administrator | Users with this role can create and manage all aspects of users and groups. Additionally, this role includes the ability to manage support tickets and monitor service health. Some restrictions apply. For example, this role does not allow deleting a global administrator. User Account administrators can change passwords for users, Helpdesk administrators, and other User Account administrators only. |