Least privileged roles by task - Microsoft Entra ID

This article describes the least privileged role you should use for several tasks in Microsoft Entra ID. You will find tasks organized by feature area and the least privileged role required to perform each task, along with additional non-Global Administrator roles that can perform the task.

You can further restrict permissions by assigning roles at smaller scopes or by creating your own custom roles. For more information, see Assign Microsoft Entra roles or Create a custom role in Microsoft Entra ID.

Application proxy least privileged roles

Here are the least privileged roles you should use when performing tasks in Microsoft Entra application proxy.

Here are the least privileged roles you should use when performing tasks in Microsoft Entra External ID and Azure Active Directory B2C.

| Task | Least privileged role | Additional roles |
| --- | --- | --- |
| Create Azure AD B2C directories | All non-guest users | |
| Create enterprise applications | Cloud Application Administrator | Application Administrator |
| Create, read, update, and delete B2C policies | B2C IEF Policy Administrator | |
| Create, read, update, and delete identity providers | External Identity Provider Administrator | |
| Create, read, update, and delete password reset user flows | External ID User Flow Administrator | |
| Create, read, update, and delete profile editing user flows | External ID User Flow Administrator | |
| Create, read, update, and delete sign-in user flows | External ID User Flow Administrator | |
| Create, read, update, and delete sign-up user flows | External ID User Flow Administrator | |
| Create, read, update, and delete user attributes | External ID User Flow Attribute Administrator | |
| Create, read, update, and delete users | User Administrator | |
| Configure B2B external collaboration settings - Guest user access | Privileged Role Administrator | |
| Configure B2B external collaboration settings - Guest invite settings | Guest Inviter | External ID User Flow Administrator |
| Configure B2B external collaboration settings - External user leave settings | External Identity Provider Administrator | |
| Configure B2B external collaboration settings - Collaboration restrictions | Global Administrator | |
| Read all configuration | Global Reader | |
| Read B2C audit logs | Global Reader | |

Note

Azure AD B2C Global Administrators do not have the same permissions as Microsoft Entra Global Administrators. If you have Azure AD B2C Global Administrator privileges, make sure that you are in an Azure AD B2C directory and not a Microsoft Entra directory.

Company branding least privileged roles

Here are the least privileged roles you should use when performing tasks for company branding in Microsoft Entra ID.

Connect least privileged roles

Here are the least privileged roles you should use when performing tasks in Microsoft Entra Connect.

Connect Sync least privileged roles

Here are the least privileged roles you should use when performing tasks in Microsoft Entra Connect Sync.

Cloud Provisioning least privileged roles

Here are the least privileged roles you should use when performing tasks for identity provisioning in Microsoft Entra ID.

Connect Health least privileged roles

Here are the least privileged roles you should use when performing tasks in Microsoft Entra Connect Health.

Custom domain names least privileged roles

Here are the least privileged roles you should use when performing tasks for custom domain names in Microsoft Entra ID.

Domain Services least privileged roles

Here are the least privileged roles you should use when performing tasks in Microsoft Entra Domain Services.

Devices least privileged roles

Here are the least privileged roles you should use when performing tasks for device identity in Microsoft Entra ID.

Enterprise applications least privileged roles

Here are the least privileged roles you should use when performing tasks for application management in Microsoft Entra ID.

Note

In practice, consenting to Microsoft Graph application permissions typically requires the Global Administrator role. Privileged Role Administrator may not be sufficient depending on tenant consent policies, permission scopes, or Graph protection requirements.

Entitlement management least privileged roles

Here are the least privileged roles you should use when performing tasks for entitlement management in Microsoft Entra ID Governance.

Groups least privileged roles

Here are the least privileged roles you should use when performing tasks for groups in Microsoft Entra ID.

Licenses least privileged roles

Here are the least privileged roles you should use when performing tasks for Microsoft Entra licensing.

Lifecycle Workflows least privileged roles

Here are the least privileged roles you should use when performing tasks for lifecycle workflows in Microsoft Entra ID Governance.

Microsoft Entra Health least privileged roles

Here are the least privileged roles you should use when performing tasks in Microsoft Entra Health monitoring.

Microsoft Entra ID Protection least privileged roles

Here are the least privileged roles you should use when performing tasks in Microsoft Entra ID Protection.

Monitoring and health - Audit and sign-in logs least privileged roles

Here are the least privileged roles you should use when performing tasks for audit and sign-in logs in Microsoft Entra monitoring.

Monitoring and health - Provisioning logs least privileged roles

Here are the least privileged roles you should use when performing tasks for Microsoft Entra provisioning logs.

Monitoring and health - Recommendations least privileged roles

Here are the least privileged roles you should use when performing tasks for Microsoft Entra identity recommendations.

Here are the least privileged roles you should use when running the sign-in diagnostic tool.

Multifactor authentication least privileged roles

Here are the least privileged roles you should use when performing tasks in Microsoft Entra authentication.

MFA Server least privileged roles

Here are the least privileged roles you should use when performing tasks in MFA Server.

Organizational relationships least privileged roles

Here are the least privileged roles you should use when performing tasks for external collaboration settings in Microsoft Entra External ID.

Password reset least privileged roles

Here are the least privileged roles you should use when performing tasks for password reset in Microsoft Entra ID.

Privileged Identity Management least privileged roles

Here are the least privileged roles you should use when performing tasks for Microsoft Entra Privileged Identity Management in Microsoft Entra ID Governance.

Roles and administrators least privileged roles

Here are the least privileged roles you should use when performing tasks for roles and administrators in Microsoft Entra ID.

Security - Authentication methods least privileged roles

Here are the least privileged roles you should use when performing tasks for authentication methods in Microsoft Entra ID.

Security - Conditional Access least privileged roles

Here are the least privileged roles you should use when performing tasks for Conditional Access in Microsoft Entra ID.

Security - Identity Security Score least privileged roles

Here are the least privileged roles you should use when performing tasks for Identity Secure Score in Microsoft Entra ID.

Security - Risky sign-ins least privileged roles

Here are the least privileged roles you should use when performing tasks for risky sign-ins in Microsoft Entra ID Protection.

Security - Users flagged for risk least privileged roles

Here are the least privileged roles you should use when performing tasks for users flagged for risk in Microsoft Entra ID Protection.

Temporary Access Pass least privileged roles

Here are the least privileged roles you should use when performing tasks for Temporary Access Pass in Microsoft Entra ID.

Tenants least privileged roles

Here are the least privileged roles you should use when performing tasks in Microsoft Entra tenants.

Users least privileged roles

Here are the least privileged roles you should use when performing tasks for users in Microsoft Entra ID.

Support least privileged roles

Here are the least privileged roles you should use when performing tasks for support in Microsoft Entra ID.

Next steps