Using Azure Active Directory (Azure AD), you can designate limited administrators to manage identity tasks in less-privileged roles. Administrators can be assigned for such purposes as adding or changing users, assigning administrative roles, resetting user passwords, managing user licenses, and managing domain names. The default user permissions can be changed only in user settings in Azure AD.
22
22
23
-
## Limit the use of Global administrator
23
+
## Limit use of Global administrator
24
24
25
25
Users who are assigned to the Global administrator role can read and modify every administrative setting in your Azure AD organization. By default, the person who signs up for an Azure subscription is assigned the Global administrator role for the Azure AD organization. Only Global administrators and Privileged Role administrators can delegate administrator roles. To reduce the risk to your business, we recommend that you assign this role to the fewest possible people in your organization.
26
26
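Review bot: The renamed heading "Limit use of Global administrator" (line 23 of the new file) uses lowercase "administrator", while the role table added later in this same commit writes it as "Global Administrator" (Azure portal name column). Pick one capitalization for the role name across the page; since the portal name is the form readers will search for, "Limit use of the Global Administrator role" would match both the portal and the body text, which already says "the Global administrator role".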
@@ -65,7 +65,8 @@ Users in this role can create application registrations when the "Users can regi
Users in this role can set or reset non-password credentials, update passwords, require to re-register against existing non-password credential (for example, MFA or FIDO) and revoke **remember MFA on the device** (which prompts for MFA on the next sign-in) of users who are non-administrators or assigned the following roles only:
68
+
The Authentication administrator role is currently in public preview. Users with this role can set or reset non-password credentials and can update passwords for all users. Authentication Administrators can require users to re-register against existing non-password credential (for example, MFA or FIDO) and revoke **remember MFA on the device**, which prompts for MFA on the next sign-in of users who are non-administrators or assigned the following roles only:
69
+
69
70
* Authentication Administrator
70
71
* Directory Readers
71
72
* Guest Inviter
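Review bot: The rewritten Authentication administrator paragraph changes the scope of the password permission. The old text applied "of users who are non-administrators or assigned the following roles only" to every action in the sentence, including "update passwords"; the new text says the role "can update passwords for all users" and attaches the restriction only to the re-register and revoke actions. If password updates are still limited to non-administrators and the listed roles, the sentence now overstates the privilege, which matters for anyone deciding whether this role is safe to delegate; suggest "Users with this role can set or reset non-password credentials and update passwords for users who are non-administrators or assigned the following roles only:" and keep the MFA sentence under the same list. Also "re-register against existing non-password credential" should read "credentials", and the "currently in public preview" statement should carry a pointer to where preview status is tracked so it does not silently go stale.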
@@ -134,7 +135,7 @@ Users in this role can enable, disable, and delete devices in Azure AD and read
Users with this role have permissions to manage compliance-related features in the Microsoft 365 compliance center, Microsoft 365 admin center, Azure, and Office 365 Security & Compliance Center. Assignees can also create support tickets for Azure and Microsoft 365. More information is available at [About Office 365 admin roles](https://support.office.com/article/About-Office-365-admin-roles-da585eea-f576-4f55-a1e0-87090b6aaa9d).
138
+
Users with this role have permissions to manage compliance-related features in the Microsoft 365 compliance center, Microsoft 365 admin center, Azure, and Office 365 Security & Compliance Center. Assignees can also manage all features within the Exchange admin center and Teams & Skype for Business admin centers and create support tickets for Azure and Microsoft 365. More information is available at [About Office 365 admin roles](https://support.office.com/article/About-Office-365-admin-roles-da585eea-f576-4f55-a1e0-87090b6aaa9d).
138
139
139
140
In | Can do
140
141
----- | ----------
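Review bot: The Compliance Administrator description now says assignees "can also manage all features within the Exchange admin center and Teams & Skype for Business admin centers", but the permissions table for this role in the same commit (the @@ -759 hunk) also adds microsoft.office365.sharepoint/allEntities/allTasks, which the prose does not mention. Add SharePoint to the sentence so the summary matches the granted permissions, and consider adding rows for those admin centers to the "In | Can do" table that follows, since that table is what readers use to judge the blast radius of the role before delegating it.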
@@ -759,7 +760,10 @@ Can read and manage compliance configuration and reports in Azure AD and Office
759
760
| microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets. |
760
761
| microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. |
761
762
| microsoft.office365.complianceManager/allEntities/allTasks | Manage all aspects of Office 365 Compliance Manager |
763
+
| microsoft.office365.exchange/allEntities/allTasks | Manage all aspects of Exchange Online. |
762
764
| microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health. |
765
+
| microsoft.office365.sharepoint/allEntities/allTasks | Create and delete all resources, and read and update standard properties in microsoft.office365.sharepoint. |
766
+
| microsoft.office365.skypeForBusiness/allEntities/allTasks | Manage all aspects of Skype for Business Online. |
763
767
| microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets. |
764
768
765
769
### Compliance Data Administrator permissions
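Review bot: The three added rows (microsoft.office365.exchange, microsoft.office365.sharepoint and microsoft.office365.skypeForBusiness, each with allEntities/allTasks) are full-control grants on entire workloads, not compliance-scoped reads, and the table gives no hint that this makes Compliance Administrator as powerful as the workload admins for Exchange Online, SharePoint and Skype for Business Online. Suggest a short sentence above the table, or in the role description, calling that out so tenants can reassess existing assignments. Minor: the existing complianceManager row has no trailing period while the new rows do; keep the description style consistent within the table.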
@@ -779,7 +783,10 @@ Creates and manages compliance content.
779
783
| microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets. |
780
784
| microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. |
781
785
| microsoft.office365.complianceManager/allEntities/allTasks | Manage all aspects of Office 365 Compliance Manager |
786
+
| microsoft.office365.exchange/allEntities/allTasks | Manage all aspects of Exchange Online. |
782
787
| microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health. |
788
+
| microsoft.office365.sharepoint/allEntities/allTasks | Create and delete all resources, and read and update standard properties in microsoft.office365.sharepoint. |
789
+
| microsoft.office365.skypeForBusiness/allEntities/allTasks | Manage all aspects of Skype for Business Online. |
783
790
| microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets. |
784
791
785
792
### Conditional Access Administrator permissions
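Review bot: The same three allTasks rows (exchange, sharepoint, skypeForBusiness) are added to Compliance Data Administrator, but unlike the Compliance Administrator change earlier in this commit, the role description ("Creates and manages compliance content.") is not updated anywhere in this diff. A role whose summary says it manages compliance content but whose permissions grant full control of Exchange Online, SharePoint and Skype for Business Online will mislead anyone reviewing delegations; update the description for this role as well, and add the same consistency fix for the trailing period on the complianceManager row.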
@@ -1750,8 +1757,31 @@ The following roles should not be used. They have been deprecated and will be re
1750
1757
* Mailbox Administrator
1751
1758
* Workplace Device Join
1752
1759
1760
+
## Roles not shown in the portal
1761
+
1762
+
Not every role returned by PowerShell or MS Graph API is visible in Azure portal. The following table organizes those differences.
1763
+
1764
+
API name | Azure portal name | Notes
1765
+
-------- | ------------------- | -------------
1766
+
Company Administrator | Global Administrator | [Name changed for better clarity](directory-assign-admin-roles.md#role-template-ids)
1767
+
CRM Service Administrator | Dynamics 365 administrator | [Reflects current product branding](directory-assign-admin-roles.md#role-template-ids)
Directory Synchronization Accounts | Not shown because it shouldn't be used | [Directory Synchronization Accounts documentation](directory-assign-admin-roles.md#directory-synchronization-accounts)
1772
+
Directory Writers | Not shown because it shouldn't be used | [Directory Writers documentation](directory-assign-admin-roles.md#directory-writers)
1773
+
Guest User | Not shown because it can't be used | NA
1774
+
Lync Service Administrator | Skype for Business administrator | [Reflects current product branding](directory-assign-admin-roles.md#role-template-ids)
1775
+
Partner Tier 1 Support | Not shown because it shouldn't be used | [Partner Tier1 Support documentation](directory-assign-admin-roles.md#partner-tier1-support)
1776
+
Partner Tier 2 Support | Not shown because it shouldn't be used | [Partner Tier2 Support documentation](directory-assign-admin-roles.md#partner-tier2-support)
1777
+
Printer Administrator | Work in progress | Work in progress
1778
+
Printer Technician | Work in progress | Work in progress
1779
+
Restricted Guest User | Not shown because it can't be used | NA
* To learn more about how to assign a user as an administrator of an Azure subscription, see [Manage access using RBAC and the Azure portal](../../role-based-access-control/role-assignments-portal.md)
1756
-
* To learn more about how resource access is controlled in Microsoft Azure, see [Understanding resource access in Azure](../../role-based-access-control/rbac-and-directory-admin-roles.md)
1785
+
* To learn more about how to assign a user as an administrator of an Azure subscription, see [Manage access using Azure roles (Azure RBAC)](../../role-based-access-control/role-assignments-portal.md)
1786
+
* To learn more about how resource access is controlled in Microsoft Azure, see [Understand the different roles](../../role-based-access-control/rbac-and-directory-admin-roles.md)
1757
1787
* For more information on how Azure Active Directory relates to your Azure subscription, see [How Azure subscriptions are associated with Azure Active Directory](../fundamentals/active-directory-how-subscriptions-associated-directory.md)
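Review bot: The new "Roles not shown in the portal" table ships placeholder cells: Printer Administrator and Printer Technician have "Work in progress" in both the portal-name and Notes columns, which should either be filled in or the rows dropped until the content exists. A few smaller points in the same table: the link text "Partner Tier1 Support" / "Partner Tier2 Support" does not match the API names "Partner Tier 1 Support" / "Partner Tier 2 Support" in the first column; "Not shown because it shouldn't be used" for Directory Synchronization Accounts reads as if the role is obsolete, whereas the point is that it is reserved for the synchronization service and should not be assigned manually, so "Not shown because it shouldn't be assigned manually" would be more accurate; and the relative anchors such as #directory-synchronization-accounts and #partner-tier1-support should be checked against the headings in directory-assign-admin-roles.md. Finally, add a blank line between the last table row ("Restricted Guest User") and the bullet list that follows so the table is terminated explicitly.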