Ganesh Chauhan, Technical Support Specialist, Microsoft Azure.
There are around 60 built-in roles in Azure Active Directory (Azure AD), each with a predetermined set of permissions. In addition to the built-in roles, Azure AD now supports custom roles, in which you choose the role permissions you want. For instance, you could create one to manage specific Azure AD resources, such as applications or service principals.
What Azure AD roles are and how to use them are described in this article.
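As an added example (not part of the original article or Microsoft's own code), the custom role described above, one that manages only applications, expressed as the Microsoft Graph `roleManagement/directory` request bodies. The resource action names are Microsoft's published Azure AD custom-role permissions; the role name, description and ids are constructed placeholders, and the helper that flags credential and owner changes as privileged is this example's own least-privilege check.

```python
"""Least-privilege custom Azure AD role for application management, built
as Microsoft Graph payloads (constructed example, runs offline)."""
import json

# Published Azure AD custom-role resource actions, limited to applications.
APP_ACTIONS = [
    "microsoft.directory/applications/standard/read",
    "microsoft.directory/applications/basic/update",
    "microsoft.directory/applications/authentication/update",
]
# Actions that hand out an app's identity (add a secret or an owner);
# this example treats them as needing extra review before inclusion.
PRIVILEGED_SUFFIXES = ("/credentials/update", "/owners/update")


def build_role_definition(name, description, actions):
    """Body for POST /roleManagement/directory/roleDefinitions."""
    bad = [a for a in actions if not a.startswith("microsoft.directory/")]
    if bad:
        raise ValueError(f"not Azure AD resource actions: {bad}")
    return {
        "displayName": name,
        "description": description,
        "isEnabled": True,
        "rolePermissions": [{"allowedResourceActions": list(actions)}],
    }


def privileged_actions(definition):
    """Return the actions in a role definition that match PRIVILEGED_SUFFIXES."""
    found = []
    for perm in definition["rolePermissions"]:
        found += [a for a in perm["allowedResourceActions"]
                  if a.endswith(PRIVILEGED_SUFFIXES)]
    return found


def build_assignment(role_definition_id, principal_id, app_object_id=None):
    """Body for POST /roleManagement/directory/roleAssignments. Scope is the
    whole tenant ('/') unless an application object id narrows it to one app."""
    return {
        "@odata.type": "#microsoft.graph.unifiedRoleAssignment",
        "roleDefinitionId": role_definition_id,
        "principalId": principal_id,
        "directoryScopeId": "/" if app_object_id is None else f"/{app_object_id}",
    }


if __name__ == "__main__":
    role = build_role_definition("App Config Editor", "Edits app settings only", APP_ACTIONS)
    print(json.dumps(role, indent=2))
    print("needs review:", privileged_actions(role))
```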
How Azure AD roles differ from other Microsoft 365 roles
Microsoft 365 offers a wide range of services, including Azure AD and Intune. Some of these services have their own role-based access control systems, including:
- Azure Active Directory (Azure AD)
- Microsoft Exchange
- Microsoft Intune
- Microsoft Defender for Cloud Apps
- Microsoft 365 Defender portal
- Compliance portal
- Cost Management + Billing
Other services, such as Teams, SharePoint, and Managed Desktop, do not have separate role-based access control systems; they gain administrative access through Azure AD roles. Separately from Azure AD roles, Azure offers its own role-based access control mechanism for Azure resources such as virtual machines.
Azure role-based access control is a different system: its role definitions and role assignments are kept in a separate data store, and the policy decision point for access checks is also different. See "Classic subscription administrator roles, Azure roles, and Azure AD roles" and "Roles for Microsoft 365 services in Azure AD" for further details.
Why are some Azure AD roles for other services?
Every role-based access control system in Microsoft 365 has its own service portal, and these systems evolved independently over time. To make it simple to manage identity across Microsoft 365 from the Azure interface, we have included some service-specific built-in roles, each of which grants administrative access to one Microsoft 365 service. The Azure AD Exchange Administrator role is one illustration of this development: it has full Exchange management capabilities and corresponds to the Organization Management role group in the Exchange role-based access control system. In a similar manner, we also added the Administrator roles for Teams, SharePoint, and Intune. In the section that follows, this category of built-in roles for Azure AD is called "service-specific roles."
Role categories in Azure AD
Roles related to Azure AD: These roles only provide access to manage resources within Azure AD. For instance, permissions to administer resources located in Azure AD are granted by User Administrator, Application Administrator, and Groups Administrator.
Service-specific roles: For the major Microsoft 365 services other than Azure AD, we have created service-specific roles that grant access to every feature of that service. Exchange Administrator, Intune Administrator, SharePoint Administrator, and Teams Administrator are examples of roles that can manage the features of their associated services: Exchange administrators can manage mailboxes, Intune administrators can manage device policies, SharePoint administrators can manage site collections, Teams administrators can manage call quality, and so on.
Cross-service roles: Some roles span services. Global Administrator and Global Reader are the two global roles, and every Microsoft 365 service respects them. Additionally, some security-related roles such as Security Administrator and Security Reader grant access to various security services across Microsoft 365. For instance, using the Security Administrator role in Azure AD you can manage the Microsoft 365 Defender portal, Microsoft Defender Advanced Threat Protection, and Microsoft Defender for Cloud Apps. Similarly, the Compliance Administrator role allows you to manage settings in the Compliance portal, Exchange, and other places.
The following table groups the built-in roles by category. The category names are arbitrary and are not meant to indicate any capabilities other than those listed in the corresponding Azure AD role permissions.
| Category | Role |
| --- | --- |
| Azure AD-specific roles | Application Administrator, Application Developer, Authentication Administrator, B2C IEF Keyset Administrator, B2C IEF Policy Administrator, Cloud Application Administrator, Cloud Device Administrator, Conditional Access Administrator, Device Administrators, Directory Readers, Directory Synchronization Accounts, Directory Writers, External ID User Flow Administrator, External ID User Flow Attribute Administrator, External Identity Provider Administrator, Groups Administrator, Guest Inviter, Helpdesk Administrator, Hybrid Identity Administrator, License Administrator, Partner Tier1 Support, Partner Tier2 Support, Password Administrator, Privileged Authentication Administrator, Privileged Role Administrator, Reports Reader, User Administrator |
| Cross-service roles | Global Administrator, Compliance Administrator, Compliance Data Administrator, Global Reader, Security Administrator, Security Operator, Security Reader, Service Support Administrator |
| Service-specific roles | Azure DevOps Administrator, Azure Information Protection Administrator, Billing Administrator, CRM Service Administrator, Customer Lockbox Access Approver, Desktop Analytics Administrator, Exchange Service Administrator, Insights Administrator, Insights Business Leader, Intune Service Administrator, Kaizala Administrator, Lync Service Administrator, Message Center Privacy Reader, Message Center Reader, Modern Commerce User, Network Administrator, Office Apps Administrator, Power BI Service Administrator, Power Platform Administrator, Printer Administrator, Printer Technician, Search Administrator, Search Editor, SharePoint Service Administrator, Teams Communications Administrator, Teams Communications Support Engineer, Teams Communications Support Specialist, Teams Devices Administrator, Teams Administrator |