
Admin Roles

Manage Entra ID directory roles and administrative permissions. Assign built-in roles or create custom roles to grant users the minimum permissions needed for their job function.

Warning: Avoid assigning Global Administrator whenever possible. Use specific admin roles that grant only the permissions required. Use Privileged Identity Management (PIM) for just-in-time elevation.

Role Assignments

View current admin role assignments:

Column           Description
User             User or group with role assignment
Role             Admin role assigned
Assignment Type  Permanent or Eligible (PIM)
Scope            Directory-wide or Administrative Unit
Start Date       When the assignment becomes active
End Date         Expiration (if time-bound)

Common Admin Roles

Global Administrator

Highest Privilege

Full access to all administrative features in Entra ID and Microsoft 365. Can manage all aspects of the tenant including other Global Admins.

Warning: Limit Global Administrator to 2-4 break-glass accounts, with PIM activation required.

User Administrator

Create and manage users and groups. Reset passwords for non-admins. Cannot manage Global Admins or Privileged Role Admins.

  • Create, edit, delete users
  • Manage group memberships
  • Reset passwords (non-admin users)
  • Manage user licenses

Helpdesk Administrator

Reset passwords and manage authentication for non-admin users. Ideal for Tier 1 support staff handling password reset requests.

  • Reset passwords for non-admins
  • Invalidate refresh tokens
  • Monitor service health
  • View basic user properties

Exchange Administrator

Full access to Exchange Online. Manage mailboxes, mail flow rules, and Exchange-related settings without broader directory permissions.

Intune Administrator

Full access to Intune/Endpoint Manager. Manage devices, profiles, and apps without access to other M365 services.

Security Administrator

Manage security features across M365. Configure security policies, review alerts, and access security-related reports.

  • Manage Conditional Access policies
  • Configure MFA settings
  • Review security alerts
  • Manage Defender settings

Compliance Administrator

Manage compliance features including DLP, retention, and eDiscovery. Access to Compliance Manager and related reports.

Privileged Role Administrator

Manage role assignments in Entra ID and PIM. Can assign roles to others but does not automatically have the permissions of those roles.

Authentication Administrator

Reset authentication methods (passwords, MFA) for non-admin users. More limited than Helpdesk Admin — focused purely on authentication.

License Administrator

Manage license assignments. Can add, remove, and change license assignments without access to other user properties.

Role Categories

Identity

  • User Administrator
  • Groups Administrator
  • Authentication Admin
  • Helpdesk Administrator

Security

  • Security Administrator
  • Security Reader
  • Conditional Access Admin
  • Attack Simulation Admin

Workloads

  • Exchange Administrator
  • SharePoint Administrator
  • Teams Administrator
  • Intune Administrator

Assigning Roles

Click “Assign Role” and configure:

Select Role

Choose from built-in roles or custom roles you’ve created.

Select Members

Assign to users or role-assignable groups. Groups must be created as “role-assignable” to receive admin roles.

Assignment Type

  • Active — Permanent assignment, always active
  • Eligible — User must activate via PIM when needed

Scope

  • Directory — Full tenant scope
  • Administrative Unit — Limited to specific AU

Duration

Set start/end dates for time-bound assignments (e.g., temporary project access).

Custom Roles

Create custom roles with specific permissions when built-in roles don’t fit:

Define Permissions

Select individual permissions from the full permission set. Example: Create a role that can only reset passwords and read user profiles.

Clone Existing Role

Start from an existing role and add/remove permissions as needed.

Limitations

Custom roles require an Azure AD Premium P1 or P2 license. A tenant can have a maximum of 30 custom roles.

Administrative Units

Scope admin roles to specific subsets of users:

Example: Regional Helpdesk

  1. Create Administrative Unit “US-West Region”
  2. Add all US West users to the AU (static or dynamic)
  3. Assign Helpdesk Admin scoped to this AU
  4. Helpdesk can only reset passwords for US West users
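
The same Regional Helpdesk steps expressed as Microsoft Graph requests, as an added example (not the product's own code). It assumes a `send(method, path, body)` transport that performs an authenticated Graph call and returns parsed JSON; the `FakeGraph` class and all ids are constructed so the flow runs offline.

```python
"""Scope a Helpdesk Administrator assignment to one Administrative Unit.
`send(method, path, body)` is an assumed transport that performs an
authenticated Graph request and returns the parsed JSON response."""
from typing import Callable

GRAPH = "https://graph.microsoft.com/v1.0"


def scoped_helpdesk_assignment(send: Callable, au_name: str,
                               member_ids: list, helpdesk_principal_id: str) -> dict:
    # Step 1: create the AU (static membership; dynamic AUs need extra properties)
    au = send("POST", "/directory/administrativeUnits",
              {"displayName": au_name, "description": "Scoped helpdesk boundary"})
    au_id = au["id"]
    # Step 2: add each regional user to the AU by object reference
    for uid in member_ids:
        send("POST", f"/directory/administrativeUnits/{au_id}/members/$ref",
             {"@odata.id": f"{GRAPH}/users/{uid}"})
    # Step 3: resolve the built-in role by name instead of hard-coding its id
    defs = send("GET", "/roleManagement/directory/roleDefinitions"
                "?$filter=displayName eq 'Helpdesk Administrator'", None)
    role_id = defs["value"][0]["id"]
    # Step 4: assign with directoryScopeId pointing at the AU, never "/" (tenant-wide)
    body = {"@odata.type": "#microsoft.graph.unifiedRoleAssignment",
            "principalId": helpdesk_principal_id,
            "roleDefinitionId": role_id,
            "directoryScopeId": f"/administrativeUnits/{au_id}"}
    return send("POST", "/roleManagement/directory/roleAssignments", body)


class FakeGraph:
    """Constructed offline stand-in: records requests, returns canned responses."""
    def __init__(self):
        self.calls = []

    def __call__(self, method, path, body):
        self.calls.append((method, path, body))
        if path == "/directory/administrativeUnits":
            return {"id": "au-0001"}
        if path.startswith("/roleManagement/directory/roleDefinitions"):
            return {"value": [{"id": "role-helpdesk", "displayName": "Helpdesk Administrator"}]}
        if path == "/roleManagement/directory/roleAssignments":
            return dict(body, id="ra-0001")
        return {}


if __name__ == "__main__":
    fake = FakeGraph()
    result = scoped_helpdesk_assignment(fake, "US-West Region", ["u1", "u2"], "helpdesk-user")
    print(result["directoryScopeId"])  # /administrativeUnits/au-0001
```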

Role Assignment Audit

Track changes to admin role assignments:

  • When roles were assigned/removed
  • Who made the change
  • Assignment duration and scope
  • PIM activation history

Note: Review admin role assignments quarterly. Remove stale assignments and ensure compliance with least-privilege.
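
A least-privilege review that applies this page's guidance (2-4 Global Administrators, AU-scoped helpdesk roles) to the records returned by the roleDefinitions and roleAssignments endpoints, as an added example rather than the product's own audit. The role and principal ids below are constructed samples, not real template ids, so the check runs offline.

```python
"""Flag role assignments that break the least-privilege guidance above.
Input follows the shape of GET /roleManagement/directory/roleDefinitions
and GET /roleManagement/directory/roleAssignments."""
from collections import defaultdict

MAX_GLOBAL_ADMINS = 4                     # page guidance: 2-4 break-glass accounts
AU_SCOPABLE = {"Helpdesk Administrator", "Authentication Administrator",
               "User Administrator"}      # roles that should normally be AU-scoped

ROLE_DEFINITIONS = [  # constructed ids, not real role template ids
    {"id": "r-ga", "displayName": "Global Administrator"},
    {"id": "r-hd", "displayName": "Helpdesk Administrator"},
    {"id": "r-sec", "displayName": "Security Reader"},
]
ROLE_ASSIGNMENTS = [  # constructed sample; "/" means directory-wide scope
    {"principalId": "bg-1", "roleDefinitionId": "r-ga", "directoryScopeId": "/"},
    {"principalId": "bg-2", "roleDefinitionId": "r-ga", "directoryScopeId": "/"},
    {"principalId": "u-3", "roleDefinitionId": "r-ga", "directoryScopeId": "/"},
    {"principalId": "u-4", "roleDefinitionId": "r-ga", "directoryScopeId": "/"},
    {"principalId": "u-5", "roleDefinitionId": "r-ga", "directoryScopeId": "/"},
    {"principalId": "hd-1", "roleDefinitionId": "r-hd", "directoryScopeId": "/"},
    {"principalId": "hd-2", "roleDefinitionId": "r-hd",
     "directoryScopeId": "/administrativeUnits/au-west"},
    {"principalId": "soc-1", "roleDefinitionId": "r-sec", "directoryScopeId": "/"},
]


def review(role_defs, assignments):
    """Return a list of (severity, message) findings for the quarterly review."""
    names = {d["id"]: d["displayName"] for d in role_defs}
    findings = []
    per_role = defaultdict(set)
    for a in assignments:
        role = names.get(a["roleDefinitionId"], a["roleDefinitionId"])
        per_role[role].add(a["principalId"])
        # Helpdesk-style roles granted at "/" can act on every user in the tenant
        if role in AU_SCOPABLE and a["directoryScopeId"] == "/":
            findings.append(("medium", f"{role} for {a['principalId']} is tenant-wide; scope it to an AU"))
    ga = per_role.get("Global Administrator", set())
    if len(ga) > MAX_GLOBAL_ADMINS:
        findings.append(("high", f"{len(ga)} Global Administrators exceeds limit of {MAX_GLOBAL_ADMINS}"))
    return findings


if __name__ == "__main__":
    for severity, msg in review(ROLE_DEFINITIONS, ROLE_ASSIGNMENTS):
        print(severity.upper(), msg)
```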

Graph API Endpoints

  • GET /directoryRoles
  • GET /directoryRoles/{id}/members
  • POST /directoryRoles/{id}/members/$ref
  • GET /roleManagement/directory/roleDefinitions
  • GET /roleManagement/directory/roleAssignments

API Reference

  • GET /api/identity/roles — List all directory roles
  • GET /api/identity/roles/:id/members — List members of a role
  • POST /api/identity/roles/:id/members — Assign role to user
  • DELETE /api/identity/roles/:id/members/:userId — Remove role assignment
  • GET /api/identity/roles/assignments — List all role assignments across tenant