SharePoint (2003 thru Online): Roles and administrators - O365 vs Azure Active Directory

Wednesday, June 19, 2019

Roles and administrators - O365 vs Azure Active Directory

(Note: New Roles are marked below)


| Role in O365 | Role in Azure Active Directory | Description |
|---|---|---|
| | Application Administrator | Users in this role can add, manage, and configure enterprise applications and app registrations, and can manage on-premises components such as Application Proxy. |
| | Application Developer | Users in this role can continue to register app registrations even if the Global Admin has turned off the tenant-level "Users can register apps" switch. |
| | Authentication administrator | Has access to view, set, and reset authentication method information for any non-admin user. |
| | Azure Information Protection administrator | Users with this role have user rights only on the Azure Information Protection service. They are not granted user rights on Identity Protection Center, Privileged Identity Management, Monitor Office 365 Service Health, or Office 365 Security & Compliance Center. They can configure labels for the Azure Information Protection policy, manage protection templates, and activate protection. |
| | B2C IEF Keyset administrator | Users can create and manage policy keys and secrets for token encryption, token signatures, and claim encryption/decryption. By adding new keys to existing key containers, this limited administrator can roll over secrets as needed without impacting existing applications. This user can see the full content of these secrets and their expiration dates even after their creation. This is a sensitive role. The Keyset administrator role should be carefully audited and assigned with care during preproduction and production. |
| | B2C IEF Policy administrator | Users in this role can create, read, update, and delete all custom policies in Azure AD B2C and therefore have full control over the Identity Experience Framework in the relevant Azure AD B2C tenant. By editing policies, this user can establish direct federation with external identity providers, change the directory schema, change all user-facing content (HTML, CSS, JavaScript), change the requirements to complete an authentication, create new users, send user data to external systems including full migrations, and edit all user information including sensitive fields like passwords and phone numbers. Conversely, this role cannot change the encryption keys or edit the secrets used for federation in the tenant. The B2C IEF Policy Administrator is a highly sensitive role, which should be assigned on a very limited basis for tenants in production. Activities by these users should be closely audited, especially for tenants in production. |
| | B2C user flow administrator | Users with this role can create and manage B2C User Flows (aka "built-in" policies) in the Azure Portal. By creating or editing user flows, these users can change the HTML/CSS/JavaScript content of the user experience, change MFA requirements per user flow, change claims in the token, and adjust session settings for all policies in the tenant. On the other hand, this role does not include the ability to review user data or to make changes to the attributes included in the tenant schema. Changes to Identity Experience Framework (aka Custom) policies are also outside the scope of this role. |
| | B2C user flow attribute administrator | Users with this role can add or delete custom attributes available to all user flows in the tenant. As such, users with this role can change or add new elements to the end-user schema and affect the behavior of all user flows, indirectly changing what data may be asked of end users and ultimately sent as claims to applications. This role cannot edit user flows. |
| Billing administrator | Billing administrator | Makes purchases, manages subscriptions, manages support tickets, and monitors service health. |
| | Cloud application administrator | Users in this role can add, manage, and configure enterprise applications and app registrations, but cannot configure or manage on-premises components such as Application Proxy. |
| | Cloud device administrator | A user in this role can read directory information (including device details), manage devices, delete devices, read and manage group memberships, and view BitLocker keys. |
| Compliance administrator | Compliance administrator | Users with this role have management permissions within the Office 365 Security & Compliance Center and the Exchange Admin Center. |
| | Compliance data administrator | Users with this role have permissions to protect and track data in the Microsoft 365 compliance center, Microsoft 365 admin center, and Azure. Users can also manage all features within the Exchange admin center, Compliance Manager, and Teams & Skype for Business admin center, and create support tickets for Azure and Microsoft 365. |
| | Conditional access administrator | Users with this role can manage Azure Active Directory conditional access settings. Note: To deploy an Exchange ActiveSync conditional access policy in Azure, the user must also be a Global Administrator. |
| Customer Lockbox access approver | Customer Lockbox access approver | Users in this role can log in to the Office Admin Center and view, approve, or reject data access requests. |
| | Desktop Analytics administrator | Users in this role have access to manage Desktop Analytics and Office Customization & Policy Services. For Desktop Analytics, this includes the ability to view asset inventory, create deployment plans, and view deployment and health status. For Office Customization & Policy Services, this role enables users to manage Office policies. |
| Dynamics 365 service administrator | Dynamics 365 administrator | Users with this role have global permissions within Microsoft CRM Online, when the service is present, as well as the ability to manage support tickets and monitor service health. |
| Exchange administrator | Exchange administrator | Users with this role have global permissions within Microsoft Exchange Online, when the service is present. |
| | External Identity Provider administrator | This administrator manages federation between Azure Active Directory tenants and external identity providers. With this role, users can add new identity providers and configure all available settings (e.g. authentication path, service id, assigned key containers). This user can enable the tenant to trust authentications from external identity providers. The resulting impact on end-user experiences depends on the type of tenant: (1) Azure Active Directory tenants for employees and partners: the addition of a federation (e.g. with Gmail) immediately affects all guest invitations not yet redeemed. (2) Azure Active Directory B2C tenants: the addition of a federation (e.g. with Facebook, or with another Azure Active Directory) does not affect end-user flows until the identity provider is added as an option in a user flow (aka built-in policy). To change user flows, the limited role of "B2C User Flow Administrator" is required. |
| Global administrator | Global administrator | Users with this role have access to all administrative features in Azure Active Directory, as well as services that federate to Azure Active Directory like Exchange Online, SharePoint Online, and Skype for Business Online. The person who signs up for the Azure Active Directory tenant becomes a global administrator. Only global administrators can assign other administrator roles. There can be more than one global administrator at your company. Global admins can reset the password for any user and all other administrators. Note: In Microsoft Graph API, Azure AD Graph API, and Azure AD PowerShell, this role is identified as "Company Administrator". It is "Global Administrator" in the Azure portal. |
| | Guest inviter | Users in this role can manage Azure Active Directory B2B guest user invitations when the "Members can invite" user setting is set to No. It does not include any other permissions. |
| Helpdesk administrator | Helpdesk (password) administrator | Users with this role can change passwords, manage service requests, and monitor service health. Helpdesk administrators can change passwords only for users and other Helpdesk administrators. Note: In Microsoft Graph API, Azure AD Graph API, and Azure AD PowerShell, this role is identified as "Helpdesk Administrator". It is "Password Administrator" in the Azure portal. |
| | Information Protection administrator | Users with this role have user rights only on the Azure Information Protection service. They are not granted user rights on Identity Protection Center, Privileged Identity Management, Monitor Office 365 Service Health, or Office 365 Security & Compliance Center. They can configure labels for the Azure Information Protection policy, manage protection templates, and activate protection. |
| | Intune administrator | Users with this role have global permissions within Microsoft Intune Online, when the service is present. Additionally, this role includes the ability to manage users and devices in order to associate policy, as well as to create and manage groups. |
| Kaizala administrator | Kaizala administrator | Users with this role have global permissions to manage settings within Microsoft Kaizala, when the service is present, as well as the ability to manage support tickets and monitor service health. Additionally, the user can access reports related to adoption and usage of Kaizala by organization members and business reports generated using Kaizala actions. |
| License administrator | License administrator | Users in this role can assign licenses, remove licenses, and manage group license assignments. |
| | Message center privacy reader | Users in this role can monitor all notifications in the Message Center, including data privacy messages. Message Center Privacy Readers get email notifications, including those related to data privacy, and can unsubscribe using Message Center Preferences. Only the Global Administrator and the Message Center Privacy Reader can read data privacy messages. Additionally, this role includes the ability to view groups, domains, and subscriptions. This role has no permission to view, create, or manage service requests. |
| Message Center reader | Message Center reader | Users in this role can read messages and updates for their organization in the Office 365 Message Center only. |
| Power BI service administrator | Power BI administrator | Users with this role have global permissions within Microsoft Power BI, when the service is present, as well as the ability to manage support tickets and monitor service health. |
| | Privileged authentication administrator | Users with this role can view the current authentication method information and set or reset non-password credentials for all users, including global administrators. Privileged Authentication Administrators can force users to re-register against existing non-password credentials (e.g. MFA, FIDO) and revoke "remember MFA on the device", prompting for MFA on the next login of all users. |
| | Privileged role administrator | Users with this role can manage role assignments in Azure Active Directory, as well as within Azure AD Privileged Identity Management. In addition, this role allows management of all aspects of Privileged Identity Management. |
| Reports reader | Reports reader | Users with this role can view usage reporting data and the reports dashboard in the Office 365 admin center and the adoption content pack in Power BI. Additionally, the role provides access to sign-in reports and activity in Azure AD and to data returned by the Microsoft Graph reporting API. A user assigned to the Reports Reader role can access only relevant usage and adoption metrics. They have no admin permissions to configure settings or to access product-specific admin centers like Exchange. |
| Search administrator | Search administrator | Users in this role have full access to all Microsoft Search management features in the Microsoft 365 admin center. Search Administrators can delegate the Search Administrator and Search Editor roles to users, and create and manage content such as bookmarks, Q&As, and locations. Additionally, these users can view the message center, monitor service health, and create service requests. |
| Search editor | Search editor | Users in this role can create, manage, and delete content for Microsoft Search in the Microsoft 365 admin center, including bookmarks, Q&As, and locations. |
| | Security administrator | Users with this role have all of the read-only permissions of the Security reader role, plus the ability to manage configuration for security-related services: Azure Active Directory Identity Protection, Azure Information Protection, Privileged Identity Management, and Office 365 Security & Compliance Center. |
| | Security Operator | Creates and manages security events. |
| | Security reader | Users with this role have global read-only access, including all information in Azure Active Directory, Identity Protection, and Privileged Identity Management, as well as the ability to read Azure Active Directory sign-in reports and audit logs. The role also grants read-only permission in the Office 365 Security & Compliance Center. |
| Service administrator | Service administrator | Users with this role can open support requests with Microsoft for Azure and Office 365 services, and view the service dashboard and message center in the Azure portal and Office 365 admin portal. |
| SharePoint administrator | SharePoint administrator | Users with this role have global permissions within Microsoft SharePoint Online, when the service is present, as well as the ability to manage support tickets and monitor service health. |
| Skype for Business administrator | Skype for Business administrator | Users with this role have global permissions within Microsoft Skype for Business, when the service is present, and can manage Skype-specific user attributes in Azure Active Directory. Additionally, this role grants the ability to manage support tickets and monitor service health. Note: In Microsoft Graph API, Azure AD Graph API, and Azure AD PowerShell, this role is identified as "Lync Service Administrator". It is "Skype for Business Service Administrator" in the Azure portal. |
| Teams Communications Administrator | Teams Communications Administrator | Users in this role can manage aspects of the Microsoft Teams workload related to voice and telephony. This includes the management tools for telephone number assignment, voice and meeting policies, and full access to the call analytics toolset. |
| Teams Communications Support Engineer | Teams Communications Support Engineer | Users in this role can troubleshoot communication issues within Microsoft Teams and Skype for Business using the user call troubleshooting tools in the Microsoft Teams & Skype for Business admin center. Users in this role can view full call record information for all participants involved. |
| Teams Communications Support Specialist | Teams Communications Support Specialist | Users in this role can troubleshoot communication issues within Microsoft Teams and Skype for Business using the user call troubleshooting tools in the Microsoft Teams & Skype for Business admin center. Users in this role can only view user details in the call for the specific user they have looked up. |
| Teams Service Administrator | Teams Service Administrator | Users in this role can manage all aspects of the Microsoft Teams workload via the Microsoft Teams & Skype for Business admin center and the respective PowerShell modules. This includes, among other areas, all management tools related to telephony, messaging, meetings, and the teams themselves. This role also grants the ability to manage O365 groups. |
| User management administrator | User administrator | Users with this role can create and manage all aspects of users and groups. Additionally, this role includes the ability to manage support tickets and monitor service health. Some restrictions apply. For example, this role does not allow deleting a global administrator. User Account administrators can change passwords for users, Helpdesk administrators, and other User Account administrators only. |
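Several rows above note that a role's display name in Azure AD PowerShell differs from the portal name (Global administrator is "Company Administrator", Skype for Business administrator is "Lync Service Administrator"), which trips up membership audits that filter on the portal name. The script below is an added example, not part of the original post: it uses the AzureAD module to list who holds the roles the table flags as most sensitive, using the PowerShell display names. The set of roles chosen and the exact display names beyond the three the table states are assumptions to adjust for your tenant.

```powershell
# Added example: audit membership of high-privilege Azure AD roles with the
# AzureAD PowerShell module (Connect-AzureAD prompts for credentials).
Connect-AzureAD

# Roles to review, keyed by their AzureAD PowerShell display name (not the
# portal name). The list and the names beyond the documented ones are assumed.
$sensitiveRoles = @(
    'Company Administrator',                  # "Global Administrator" in the portal
    'Privileged Role Administrator',
    'Privileged Authentication Administrator',
    'Security Administrator',
    'Application Administrator',
    'Conditional Access Administrator',
    'B2C IEF Keyset Administrator'            # only meaningful in a B2C tenant
)

# Get-AzureADDirectoryRole returns only roles that have been activated in the
# tenant; a role with no member ever assigned does not appear at all.
$activeRoles = Get-AzureADDirectoryRole

foreach ($name in $sensitiveRoles) {
    $role = $activeRoles | Where-Object { $_.DisplayName -eq $name }
    if (-not $role) {
        Write-Output "$name : not activated in this tenant (no members)"
        continue
    }

    $members = @(Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId)
    Write-Output "$name : $($members.Count) member(s)"

    foreach ($m in $members) {
        # Service principals or groups holding an admin role deserve a second
        # look, so show the object type next to the identity.
        $label = if ($m.UserPrincipalName) { $m.UserPrincipalName } else { $m.DisplayName }
        Write-Output ("  {0,-18} {1}" -f $m.ObjectType, $label)
    }
}
```

Roles that PIM activates just-in-time will only show their currently active members here; eligible assignments have to be reviewed in Privileged Identity Management itself.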
