articles/active-directory/users-groups-roles/directory-assign-admin-roles.md
27 additions & 26 deletions
@@ -95,14 +95,6 @@ All enterprise Azure DevOps policies can be managed by users in this role.
95
95
96
96
Users with this role have all permissions in the Azure Information Protection service. This role allows configuring labels for the Azure Information Protection policy, managing protection templates, and activating protection. This role does not grant any permissions in Identity Protection Center, Privileged Identity Management, Monitor Office 365 Service Health, or Office 365 Security & Compliance Center.
97
97
98
-
### [B2C User Flow Administrator](#b2c-user-flow-administrator-permissions)
99
-
100
-
Users with this role can create and manage B2C User Flows (also called "built-in" policies) in the Azure portal. By creating or editing user flows, these users can change the html/CSS/javascript content of the user experience, change MFA requirements per user flow, change claims in the token, and adjust session settings for all policies in the Azure AD organization. On the other hand, this role does not include the ability to review user data, or make changes to the attributes that are included in the organization schema. Changes to Identity Experience Framework (also known as Custom) policies is also outside the scope of this role.
101
-
102
-
### [B2C User Flow Attribute Administrator](#b2c-user-flow-attribute-administrator-permissions)
103
-
104
-
Users with this role add or delete custom attributes available to all user flows in the Azure AD organization. As such, users with this role can change or add new elements to the end-user schema and impact the behavior of all user flows and indirectly result in changes to what data may be asked of end users and ultimately sent as claims to applications. This role cannot edit user flows.
User can create and manage policy keys and secrets for token encryption, token signatures, and claim encryption/decryption. By adding new keys to existing key containers, this limited administrator can rollover secrets as needed without impacting existing applications. This user can see the full content of these secrets and their expiration dates even after their creation.
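Review bot: deleting the `### [B2C User Flow Administrator](#b2c-user-flow-administrator-permissions)` and `### [B2C User Flow Attribute Administrator](#b2c-user-flow-attribute-administrator-permissions)` headings also retires the two anchors they linked to, so any inbound links or bookmarks to `#b2c-user-flow-administrator-permissions` and `#b2c-user-flow-attribute-administrator-permissions` elsewhere in this file or in other docs will silently break; a search for `b2c-user-flow-` across the docs set before merging, and a one-line note that the roles are now listed under their External Id names, would help readers who still know the roles by the old names.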
@@ -209,6 +201,15 @@ Users with this role have global permissions within Microsoft Exchange Online, w
209
201
> [!NOTE]
210
202
> In the Microsoft Graph API and Azure AD PowerShell, this role is identified as "Exchange Service Administrator." It is "Exchange Administrator" in the [Azure portal](https://portal.azure.com). It is "Exchange Online administrator" in the [Exchange admin center](https://go.microsoft.com/fwlink/p/?LinkID=529144).
211
203
204
+
205
+
### [External Id User Flow Administrator](#external-id-user-flow-administrator-permissions)
206
+
207
+
Users with this role can create and manage B2C User Flows (also called "built-in" policies) in the Azure portal. By creating or editing user flows, these users can change the html/CSS/javascript content of the user experience, change MFA requirements per user flow, change claims in the token, and adjust session settings for all policies in the Azure AD organization. On the other hand, this role does not include the ability to review user data, or make changes to the attributes that are included in the organization schema. Changes to Identity Experience Framework (also known as Custom) policies is also outside the scope of this role.
208
+
209
+
### [External Id User Flow Attribute Administrator](#external-id-user-flow-attribute-administrator-permissions)
210
+
211
+
Users with this role add or delete custom attributes available to all user flows in the Azure AD organization. As such, users with this role can change or add new elements to the end-user schema and impact the behavior of all user flows and indirectly result in changes to what data may be asked of end users and ultimately sent as claims to applications. This role cannot edit user flows.
This administrator manages federation between Azure AD organizations and external identity providers. With this role, users can add new identity providers and configure all available settings (e.g. authentication path, service ID, assigned key containers). This user can enable the Azure AD organization to trust authentications from external identity providers. The resulting impact on end-user experiences depends on the type of organization:
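Review bot: the paragraph under the new `### [External Id User Flow Administrator]` heading is carried over verbatim and still opens with "Users with this role can create and manage B2C User Flows", so the renamed role is described entirely in B2C terms; either reword the first sentence to the role's new scope or state explicitly that the role still covers B2C user flows under its new name. Two small fixes while the text is being touched: "Changes to Identity Experience Framework (also known as Custom) policies is also outside the scope" should read "are also outside the scope", and "html/CSS/javascript" should be "HTML/CSS/JavaScript". The anchors `#external-id-user-flow-administrator-permissions` and `#external-id-user-flow-attribute-administrator-permissions` only resolve if headings named exactly `### External Id User Flow Administrator permissions` and `### External Id User Flow Attribute Administrator permissions` exist later in the file; confirm the final hunk adds them with that spelling.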
@@ -593,22 +594,6 @@ Can manage all aspects of the Azure Information Protection service.
593
594
| microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health. |
594
595
| microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets. |
595
596
596
-
### B2C User Flow Administrator permissions
597
-
598
-
Create and manage all aspects of user flows.
599
-
600
-
|**Actions**|**Description**|
601
-
| --- | --- |
602
-
| microsoft.aad.b2c/userFlows/allTasks | Read and configure user flows in Azure Active Directory B2C. |
603
-
604
-
### B2C User Flow Attribute Administrator permissions
605
-
606
-
Create and manage the attribute schema available to all user flows.
607
-
608
-
|**Actions**|**Description**|
609
-
| --- | --- |
610
-
| microsoft.aad.b2c/userAttributes/allTasks | Read and configure user attributes in Azure Active Directory B2C. |
611
-
612
597
### B2C IEF Keyset Administrator permissions
613
598
614
599
Manage secrets for federation and encryption in the Identity Experience Framework.
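Review bot: this hunk removes the `microsoft.aad.b2c/userFlows/allTasks` and `microsoft.aad.b2c/userAttributes/allTasks` action tables with no corresponding addition visible in it; those action strings should be re-added unchanged wherever the External Id permissions sections land, since renaming a role does not change its underlying resource actions and readers rely on these tables to confirm the role grants nothing beyond user-flow and attribute configuration. The descriptions "Read and configure user flows in Azure Active Directory B2C." and "Read and configure user attributes in Azure Active Directory B2C." should likewise be moved as-is rather than retyped, so the permissions reference stays consistent with the B2C IEF Keyset Administrator table that now directly follows the Azure Information Protection rows.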
@@ -1024,6 +1009,22 @@ Can manage all aspects of the Exchange product.
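Review bot: the body of this hunk is not rendered on the page, so the `### External Id User Flow Administrator permissions` and `### External Id User Flow Attribute Administrator permissions` headings that the anchor links in the earlier hunk depend on cannot be checked here. The header's counts (6 context lines to 22, a net +16) match the 16 lines removed from the B2C permissions sections, which is consistent with a straight move, but confirm that the heading text matches the anchors exactly after GitHub's lowercasing and hyphenation, and that the two `microsoft.aad.b2c/.../allTasks` rows arrive unchanged.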