AD Roles
Cards (9)
- Global Administrator Role:
- Assignment:
- Automatically assigned to anyone who signs up for an Azure subscription.
- Capabilities:
- Full control over every administrative setting in Azure AD.
- Recommendation:
- Limit assignment due to extensive privileges.
- Best practice is to assign to fewer than five people in the organization.
- Various Roles in Azure AD: Security and Authentication Administrators:
- Global Administrator and Privileged Role Administrator:
- Access to features and services using Azure AD, including Microsoft 365 security center, compliance center, Exchange Online, SharePoint Online, and Skype for Business Online.
- Delegation of administrator roles.
- Authentication Administrators:
- Set or reset any authentication method for non-administrators and some roles.
- Control over re-registration against non-password credentials.
- Ability to revoke multi-factor authentication on a device.
- Application Administrators:
- Application Developer:
- Independent creation of application registrations.
- Application Administrator:
- Creation and management of all aspects of enterprise applications, application registrations, and application proxy settings.
- Cloud Application Administrator:
- Similar to Application Administrator but excludes the ability to manage application proxy.
- Cloud Administrators:
- Cloud Device Administrator:
- Enables, disables, and deletes devices in Azure AD.
- Can read Windows 10 BitLocker keys.
- Compliance Administrator and Compliance Data Administrator:
- Manage compliance-related features in Microsoft 365 compliance center, Microsoft 365 admin center, Azure, and Microsoft 365 Security & Compliance Center.
- Compliance Data Administrator can track compliance data within the Exchange admin center.
- B2C Administrators:
- B2C User Flow Administrator:
- Creation and management of B2C User Flows.
- B2C User Flow Attribute Administrator:
- Addition or deletion of custom attributes available to all user in the tenant.
- B2C IEF Keyset Administrator:
- Creation and management of policy keys and secrets for token encryption, token signatures, and claim encryption/decryption.
- B2C IEF Policy Administrator:
- Full control over the Identity Experience Framework in Azure AD B2C.
- Corporate Administrators:
- Azure DevOps Administrator:
- Management of Azure DevOps policy to restrict new Azure DevOps organization creation.
- Azure Information Protection Administrator:
- Full permissions in the Azure Information Protection service.
- Conditional Access Administrator:
- Management of Azure Active Directory Conditional Access settings.
- Billing Administrator:
- Ability to make purchases, manage subscriptions, handle support tickets, and monitor service health.
- Corporate Administrators:
- Exchange Administrator:
- Global permissions within Microsoft Exchange Online.
- Directory Readers:
- Read basic directory information.
- Groups Administrator:
- Create/manage groups and settings like naming and expiration policies.
- Security Administrator:
- Permission to manage security-related features in Microsoft 365 security center, Azure Active Directory Identity Protection, Azure Information Protection, and Microsoft 365 Security & Compliance Center.
- Only Global administrators and Privileged Role administrators can delegate administrator roles
- What if, instead of managing compliance-related features, you want a user to have permissions only to track data in the Microsoft 365 compliance center, Microsoft 365 admin center, and Azure? Assign them the role of Compliance Data Administrator. Users with this role can also track compliance data within the Exchange admin center.
- A B2C IEF Policy Administrator can create, read, update, and delete all custom policies in Azure AD B2C. You should assign this role to users if you want your user to have full control over the Identity Experience Framework in the relevant Azure AD B2C tenant