Roles in O365 | Roles in Azure Active Directory | Roles Description |
Application Administrator | Users in this role can add, manage, and configure enterprise applications, app registrations and manage on-premises like app proxy. | |
Application Developer | Users in this role will continue to be able to register app registrations even if the Global Admin has turned off the tenant level switch for "Users can register apps". | |
Authentication administrator | Has access to view, set, and reset authentication method information for any non-admin user. | |
Azure Information Protection administrator | Users with this role have user rights only on the Azure Information Protection service. They are not granted user rights on Identity Protection Center, Privileged Identity Management, Monitor Office 365 Service Health, or Office 365 Security & Compliance Center. They can configure labels for the Azure Information Protection policy, manage protection templates, and activate protection. | |
B2C IEF Keyset administrator | User can create and manage policy keys and secrets for token encryption, token signatures, and claim encryption/decryption. By adding new keys to existing key containers, this limited administrator can rollover secrets as needed without impacting existing applications. This user can see the full content of these secrets and their expiration dates even after their creation. This is a sensitive role. The Keyset administrator role should be carefully audited and assigned with care during preproduction and production. | |
B2C IEF Policy administrator | Users in this role have the ability to create, read, update, and delete all custom policies in Azure AD B2C and therefore have full control over the Identity Experience Framework in the relevant Azure AD B2C tenant. By editing policies, this user can establish direct federation with external identity providers, change the directory schema, change all user-facing content (HTML, CSS, JavaScript) , change the requirements to complete an authentication, create new users, send user data to external systems including full migrations, and edit all user information including sensitive fields like passwords and phone numbers. Conversely, this role cannot change the encryption keys or edit the secrets used for federation in the tenant. The B2C IEF Policy Administrator is a highly sensitive role, which should be assigned on a very limited basis for tenants in production. Activities by these users should be closely audited, especially for tenants in production. | |
B2C user flow administrator | Users with this role can create and manage B2C User Flows (aka "built-in" policies) in Azure Portal. By creating or editing user flows, these users can change the html/CSS/javascript content of the user experience, change MFA requirements per user flow, change claims in the token and adjust session settings for all policies in the tenant. On the other hand, this role does not include the ability to review user data, or make changes to the attributes that are included in the tenant schema. Changes to Identity Experience Framework (aka Custom) policies is also outside the scope of this role. | |
B2C user flow attribute administrator | Users with this role add or delete custom attributes available to all user flows in the tenant. As such, users with this role can change or add new elements to the end user schema and impact the behavior of all user flows and indirectly result in changes to what data may be asked of end users and ultimately sent as claims to applications. This role cannot edit user flows. | |
Billing administrator | Billing administrator | Makes purchases, manages subscriptions, manages support tickets, and monitors service health. |
Cloud application administrator | Users in this role can add, manage, and configure enterprise applications, app registrations but will not be able to configure or manage on-premises like app proxy. | |
Cloud device administrator | A User in this role has the ability to read directory information (including devices details), manage devices, delete devices, read and manage group memberships, view BitLocker keys. | |
Compliance administrator | Compliance administrator | Users with this role have management permissions within in the Office 365 Security & Compliance Center and Exchange Admin Center. |
Compliance data administrator | Users with this role have permissions to protect and track data in the Microsoft 365 compliance center, Microsoft 365 admin center, and Azure. Users can also manage all features within the Exchange admin center, Compliance Manager, and Teams & Skype for Business admin center and create support tickets for Azure and Microsoft 365. | |
Conditional access administrator | Users with this role have the ability to manage Azure Active Directory conditional access settings. Note: To deploy Exchange ActiveSync conditional access policy in Azure, the user must also be Global Administrator. | |
Customer Lockbox access approver | Customer LockBox access approver | User in this role can login to the Office Admin Center and view/approve/reject data access requests. |
Desktop Analytics administrator | Users in this role will have access to manage Desktop Analytics and Office Customization & Policy Services. For Desktop Analytics, this includes the ability to view asset inventory, create deployment plans, and view deployment and health status. For Office Customization & Policies Services, this role will enable users to manage Office polices. | |
Dynamics 365 service administrator | Dynamics 365 administrator | Users with this role have global permissions within Microsoft CRM Online, when the service is present, as well as the ability to manage support tickets and monitor service health. |
Exchange administrator | Exchange administrator | Users with this role have global permissions within Microsoft Exchange Online, when the service is present. |
External Identity Provider administrator | This administrator manages federation between Azure Active Directory tenants and external identity providers. With this role, users can add new identity providers and configure all available settings (e.g. authentication path, service id, assigned key containers). This user can enable the tenant to trust authentications from external identity providers. The resulting impact on end user experiences depends on the type of tenant: (1) Azure Active Directory tenants for employees and partners: The addition of a federation (e.g. with Gmail) will immediately impact all guest invitations not yet redeemed. (2) Azure Active Directory B2C tenants: The addition of a federation (e.g. with Facebook, or with another Azure Active Directory) does not immediately impact end user flows until the identity provider is added as an option in a user flow (aka built-in policy). To change user flows, the limited role of “B2C User Flow Administrator” is required. | |
Global administrator | Global administrator | Users with this role have access to all administrative features in Azure Active Directory, as well as services that federate to Azure Active Directory like Exchange Online, SharePoint Online, and Skype for Business Online. The person who signs up for the Azure Active Directory tenant becomes a global administrator. Only global administrators can assign other administrator roles. There can be more than one global administrator at your company. Global admins can reset the password for any user and all other administrators. Note: In Microsoft Graph API, Azure AD Graph API, and Azure AD PowerShell, this role is identified as "Company Administrator". It is "Global Administrator" in the Azure portal. |
Guest inviter | Users in this role can manage Azure Active Directory B2B guest user invitations when the "Members can invite" user setting is set to No. It does not include any other permissions. | |
Helpdesk administrator | Helpdesk (password) administrator | Users with this role can change passwords, manage service requests, and monitor service health. Helpdesk administrators can change passwords only for users and other Helpdesk administrators. Note: In Microsoft Graph API, Azure AD Graph API and Azure AD PowerShell, this role is identified as "Helpdesk Administrator". It is "Password Administrator" in the Azure portal. |
Information Protection administrator | Users with this role have user rights only on the Azure Information Protection service. They are not granted user rights on Identity Protection Center, Privileged Identity Management, Monitor Office 365 Service Health, or Office 365 Security & Compliance Center. They can configure labels for the Azure Information Protection policy, manage protection templates, and activate protection. | |
Intune administrator | Users with this role have global permissions within Microsoft Intune Online, when the service is present. Additionally, this role contains the ability to manage users and devices in order to associate policy, as well as create and manage groups. | |
Kaizala administrator | Kaizala administrator | Users with this role have global permissions to manage settings within Microsoft Kaizala, when the service is present, as well as the ability to manage support tickets and monitor service health. Additionally, the user can access reports related to adoption & usage of Kaizala by Organization members and business reports generated using the Kaizala actions. |
License administrator | License administrator | Users in this role can assign licenses, remove licenses and manage group license assignments. |
Message center privacy reader | Users in this role can monitor all notifications in the Message Center, including data privacy messages. Message Center Privacy Readers get email notifications including those related to data privacy and they can unsubscribe using Message Center Preferences. Only the Global Administrator and the Message Center Privacy Reader can read data privacy messages. Additionally, this role contains the ability to view groups, domains, and subscriptions. This role has no permission to view, create, or manage service requests. | |
Message Center reader | Message Center reader | User in this role can read messages and updates for their organization in Office 365 Message Center only. |
Power BI service administrator | Power BI administrator | Users with this role have global permissions within Microsoft Power BI, when the service is present, as well as the ability to manage support tickets and monitor service health. |
Privileged authentication administrator | Users with this role can view the current authentication method information and set or reset non-password credentials for all users, including global administrators. Privileged Authentication Administrators can force users to re-register against existing non-password credential (e.g. MFA, FIDO) and revoke 'remember MFA on the device', prompting for MFA on the next login of all users. | |
Privileged role administrator | Users with this role can manage role assignments in Azure Active Directory, as well as within Azure AD Privileged Identity Management. In addition, this role allows management of all aspects of Privileged Identity Management. | |
Reports reader | Reports reader | Users with this role can view usage reporting data and the reports dashboard in Office 365 admin center and the adoption context pack in PowerBI. Additionally, the role provides access to sign-on reports and activity in Azure AD and data returned by the Microsoft Graph reporting API. A user assigned to the Reports Reader role can access only relevant usage and adoption metrics. They don't have any admin permissions to configure settings or access the product specific admin centers like Exchange. |
Search administrator | Search administrator | Users in this role have full access to all Microsoft Search management features in the Microsoft 365 admin center. Search Administrators can delegate the Search Administrators and Search Editor roles to users, and create and manage content, like bookmarks, Q&As, and locations. Additionally, these users can view the message center, monitor service health, and create service requests. |
Search editor | Search editor | Users in this role can create, manage, and delete content for Microsoft Search in the Microsoft 365 admin center, including bookmarks, Q&As, and locations. |
Security administrator | Users with this role have all of the read-only permissions of the Security reader role, plus the ability to manage configuration for security-related services: Azure Active Directory Identity Protection, Azure Information Protection, Privileged Identity Management, and Office 365 Security & Compliance Center. | |
Security Operator | Creates and manages security events. | |
Security reader | Users with this role have global read-only access, including all information in Azure Active Directory, Identity Protection, Privileged Identity Management, as well as the ability to read Azure Active Directory sign-in reports and audit logs. The role also grants read-only permission in Office 365 Security & Compliance Center | |
Service administrator | Service administrator | Users with this role can open support requests with Microsoft for Azure and Office 365 services, and views the service dashboard and message center in the Azure portal and Office 365 admin portal. |
SharePoint administrator | SharePoint administrator | Users with this role have global permissions within Microsoft SharePoint Online, when the service is present, as well as the ability to manage support tickets and monitor service health. |
Skype for Business administrator | Skype for Business administrator | Users with this role have global permissions within Microsoft Skype for Business, when the service is present, as well as manage Skype-specific user attributes in Azure Active Directory. Additionally, this role grants the ability to manage support tickets and monitor service health. Note: In Microsoft Graph API, Azure AD Graph API and Azure AD PowerShell, this role is identified as "Lync Service Administrator". It is "Skype for Business Service Administrator" in the Azure portal. |
Teams Communications Administrator | Teams Communications Administrator | Users in this role can manage aspects of the Microsoft Teams workload related to voice & telephony. This includes the management tools for telephone number assignment, voice and meeting policies, and full access to the call analytics toolset. |
Teams Communications Support Engineer | Teams Communications Support Engineer | Users in this role can troubleshoot communication issues within Microsoft Teams & Skype for Business using the user call troubleshooting tools in the Microsoft Teams & Skype for Business admin center. Users in this role can view full call record information for all participants involved. |
Teams Communications Support Specialist | Teams Communications Support Specialist | Users in this role can troubleshoot communication issues within Microsoft Teams & Skype for Business using the user call troubleshooting tools in the Microsoft Teams & Skype for Business admin center. Users in this role can only view user details in the call for the specific user they have looked up. |
Teams Service Administrator | Teams Service Administrator | Users in this role can manage all aspects of the Microsoft Teams workload via the Microsoft Teams & Skype for Business admin center and the respective PowerShell modules. This includes, among other areas, all management tools related to telephony, messaging, meetings, and the teams themselves. This role also grants the ability to manage O365 groups. |
User management administrator | User administrator | Users with this role can create and manage all aspects of users and groups. Additionally, this role includes the ability to manage support tickets and monitors service health. Some restrictions apply. For example, this role does not allow deleting a global administrator. User Account administrators can change passwords for users, Helpdesk administrators, and other User Account administrators only |
Posting the solutions occurred thru my experience with Microsoft 365 (admin, compliance, security), SharePoint (Admin & Migrations), OneDrive, Teams, Office 365 Integrations, etc.,
Wednesday, June 19, 2019
Roles and administrators - O365 vs Azure Active Directory
(Note: New Roles are marked below)
Subscribe to:
Post Comments (Atom)
Looking for Microsoft Office 365 help call on 08081642786 , visit on: Microsoft Office 365 help
ReplyDeleteExcellent Blog! I would Thanks for sharing this wonderful content.its very useful to us.
ReplyDeleteI gained many unknown information, the way you have clearly explained is really fantastic.keep posting such useful information.
Full Stack Training in Chennai | Certification | Online Training Course
Full Stack Training in Bangalore | Certification | Online Training Course
Full Stack Training in Hyderabad | Certification | Online Training Course
Full Stack Developer Training in Chennai | Mean Stack Developer Training in Chennai
Full Stack Training
Full Stack Online Training
thanks for sharing.............................!
ReplyDeleteAppian BPM online training
Appian BPM training
arcsight online training
arcsight training
Build and Release online training
Build and Release training
Dell Bhoomi online training
Dell Bhoomi training
Dot Net online training
Dot Net training
ETL Testing online training
ETL Testing training
Hadoop online training
Hadoop training
Tibco online training
Tibco training
Nice post.
ReplyDeleteSAP ABAP training
SAP Basis online training
SAP Basis training
SAP Bods online training
SAP Bods training
SAP BW on Hana online training
SAP BW on Hana training
SAP CS online training
SAP CS training
SAP Fico online training
SAP Fico training
SAP Grc online training
SAP Grc training
SAP Hana online training
SAP Hana training
SAP mm online training
SAP mm training
SAP pm online training
SAP pm training
SAP PP online training
SAP PP training
SAP Qm online training
SAP Qm training
SAP Sd online training
SAP Sd training
SAP Security online training
Good post! Thanks for sharing this amazing post
ReplyDeleteDevOps Training
DevOps Online Training