Ganesh Chauhan, Technical Support Specialist, Microsoft Azure.
There are around 60 built-in roles in Azure Active Directory (Azure AD), which are roles with a predetermined set of rights. Azure AD now enables bespoke roles in addition to the built-in roles. Choose the role permissions you want by using custom roles. For instance, you may establish one to manage specific Azure AD resources, like applications or service principles.
What Azure AD roles are and how to use them are described in this article.
How the responsibilities in Azure AD differ from those in Microsoft 365
Microsoft 365 offers a wide range of services, including Azure AD and Intune. These services, specifically some of them, have their own role-based access control systems, including:
- Azure Active Directory (Azure AD)
- Microsoft Exchange
- Microsoft Intune
- Microsoft Defender for Cloud Apps
- Microsoft 365 Defender portal
- Compliance portal
- Cost Management + Billing
Role-based access control systems are not different from other services like Teams, SharePoint, and Managed Desktop. They gain administrative access through Azure AD roles. In contrast to Azure AD roles, Azure offers its own role-based access control mechanism for resources like virtual machines.
Role-based access control is a different system. It implies that the definitions and allocations of roles are kept in a distinct data store. The decision point for access checks in a policy also differs. See Azure roles, Azure AD roles, and Roles for Microsoft 365 services in Administrator roles in Azure AD and Classic Subscription for further details.
What causes some Azure AD roles to be for other services?
Every role-based access control system in Microsoft 365 has its own service portal. These systems independently evolved over time. We have included some service-specific built-in roles that each allow administrative access to a Microsoft 365 service in order to make it simple for you to manage identity across Microsoft 365 from the Azure interface. The Azure AD Exchange Administrator position is one illustration of this development. This position, which has full Exchange management capabilities, corresponds to the Organization Management role group in the Exchange role-based access control system. In a similar manner, we also added the Administrator roles for Teams, SharePoint, and Intune. In the section that follows, one category of built-in roles for Azure AD is called “service-specific roles.”
Role categories in Azure AD
Roles related to Azure AD: These roles only provide access to manage resources within Azure AD. For instance, permissions to administer resources located in Azure AD are granted by User Administrator, Application Administrator, and Groups Administrator.
Service-specific roles: We have created service-specific roles for the main Microsoft 365 services (non-Azure AD) that grant access to handle every feature of the service. Examples of roles that can manage features with their associated services include Exchange Administrator, Intune Administrator, SharePoint Administrator, and Teams Administrator. Mailboxes can be managed by Exchange administrators, device policies can be managed by Intune administrators, site collections can be managed by SharePoint administrators, call quality can be managed by Teams administrators, and so on.
Roles that cross services: Some roles do so. Worldwide Administrator and Global Reader are our two global positions. These two duties are respected by every Microsoft 365 service. Additionally, some security-related positions like Security Administrator and Security Reader inside Microsoft 365 provide access to various security services. You can control the Microsoft 365 Defender portal, Microsoft Defender Advanced Threat Protection, and Microsoft Defender for Cloud Apps, for instance, using the Security Administrator roles in Azure AD. Similar to this, the Compliance Administrator role allows you to control settings for the Compliance portal, Exchange, and other places.
To help with comprehension of various role classifications, the following table is provided. The categories’ names are arbitrary and aren’t meant to indicate any capabilities other than those listed in the corresponding Azure AD role permissions.
|Azure AD-specific roles||Application Administrator
B2C IEF Keyset Administrator
B2C IEF Policy Administrator
Cloud Application Administrator
Cloud Device Administrator
Conditional Access Administrator
Directory Synchronization Accounts
External ID User Flow Administrator
External ID User Flow Attribute Administrator
External Identity Provider Administrator
Hybrid Identity Administrator
Partner Tier1 Support
Partner Tier2 Support
Privileged Authentication Administrator
Privileged Role Administrator
|Cross-service roles||Global Administrator
Compliance Data Administrator
Service Support Administrator
|Service-specific roles||Azure DevOps Administrator
Azure Information Protection Administrator
CRM Service Administrator
Customer Lockbox Access Approver
Desktop Analytics Administrator
Exchange Service Administrator
Insights Business Leader
Intune Service Administrator
Lync Service Administrator
Message Center Privacy Reader
Message Center Reader
Modern Commerce User
Office Apps Administrator
Power BI Service Administrator
Power Platform Administrator
SharePoint Service Administrator
Teams Communications Administrator
Teams Communications Support Engineer
Teams Communications Support Specialist
Teams Devices Administrator
Professional Labs is the Best Cloud Managed Services Provider in Qatar, for more details contact
Contact Us | Professional labs (prolabsit.com)