title	Least privileged roles by task
description	Least privileged roles to delegate for tasks in Microsoft Entra ID
ms.topic	reference
ms.date	06/20/2025
ms.custom	it-pro, sfi-ga-nochange

Least privileged roles by task in Microsoft Entra ID

This article describes the least privileged role you should use for several tasks in Microsoft Entra ID. You will find tasks organized by feature area and the least privileged role required to perform each task, along with additional non-Global Administrator roles that can perform the task.

You can further restrict permissions by assigning roles at smaller scopes or by creating your own custom roles. For more information, see Assign Microsoft Entra roles or Create a custom role in Microsoft Entra ID.

Application proxy least privileged roles

Here are the least privileged roles you should use when performing tasks in Microsoft Entra application proxy.

[!div class="mx-tableFixed"]

Task Least privileged role Additional roles

Configure application proxy app Application Administrator

Configure connector group properties Application Administrator

Create application registration when ability is disabled for all users Application Developer Cloud Application Administrator
Application Administrator

Create connector group Application Administrator

Delete connector group Application Administrator

Disable application proxy Application Administrator

Download connector service Application Administrator

Read all configuration Application Administrator

Task	Least privileged role	Additional roles
Configure application proxy app	Application Administrator
Configure connector group properties	Application Administrator
Create application registration when ability is disabled for all users	Application Developer	Cloud Application Administrator Application Administrator
Create connector group	Application Administrator
Delete connector group	Application Administrator
Disable application proxy	Application Administrator
Download connector service	Application Administrator
Read all configuration	Application Administrator

External Identities/Azure AD B2C least privileged roles

Here are the least privileged roles you should use when performing tasks in Microsoft Entra External ID and Azure Active Directory B2C.

[!div class="mx-tableFixed"]

Task Least privileged role Additional roles

Create Azure AD B2C directories All non-guest users

Create enterprise applications Cloud Application Administrator Application Administrator

Create, read, update, and delete B2C policies B2C IEF Policy Administrator

Create, read, update, and delete identity providers External Identity Provider Administrator

Create, read, update, and delete password reset user flows External ID User Flow Administrator

Create, read, update, and delete profile editing user flows External ID User Flow Administrator

Create, read, update, and delete sign-in user flows External ID User Flow Administrator

Create, read, update, and delete sign-up user flow External ID User Flow Administrator

Create, read, update, and delete user attributes External ID User Flow Attribute Administrator

Create, read, update, and delete users User Administrator

Configure B2B external collaboration settings - Guest user access Privileged Role Administrator

Configure B2B external collaboration settings - Guest invite settings Guest Inviter External ID User Flow Administrator

Configure B2B external collaboration settings - External user leave settings External Identity Provider Administrator

Configure B2B external collaboration settings - Collaboration restrictions Global Administrator

Read all configuration Global Reader

Read B2C audit logs Global Reader

Task	Least privileged role	Additional roles
Create Azure AD B2C directories	All non-guest users
Create enterprise applications	Cloud Application Administrator	Application Administrator
Create, read, update, and delete B2C policies	B2C IEF Policy Administrator
Create, read, update, and delete identity providers	External Identity Provider Administrator
Create, read, update, and delete password reset user flows	External ID User Flow Administrator
Create, read, update, and delete profile editing user flows	External ID User Flow Administrator
Create, read, update, and delete sign-in user flows	External ID User Flow Administrator
Create, read, update, and delete sign-up user flow	External ID User Flow Administrator
Create, read, update, and delete user attributes	External ID User Flow Attribute Administrator
Create, read, update, and delete users	User Administrator
Configure B2B external collaboration settings - Guest user access	Privileged Role Administrator
Configure B2B external collaboration settings - Guest invite settings	Guest Inviter	External ID User Flow Administrator
Configure B2B external collaboration settings - External user leave settings	External Identity Provider Administrator
Configure B2B external collaboration settings - Collaboration restrictions	Global Administrator
Read all configuration	Global Reader
Read B2C audit logs	Global Reader

Note

Azure AD B2C Global Administrators do not have the same permissions as Microsoft Entra Global Administrators. If you have Azure AD B2C Global Administrator privileges, make sure that you are in an Azure AD B2C directory and not a Microsoft Entra directory.

Company branding least privileged roles

Here are the least privileged roles you should use when performing tasks for company branding in Microsoft Entra ID.

[!div class="mx-tableFixed"]

Task Least privileged role Additional roles

Configure company branding Organizational Branding Administrator

Read all configuration Directory Readers Default user role

Task	Least privileged role	Additional roles
Configure company branding	Organizational Branding Administrator
Read all configuration	Directory Readers	Default user role

Connect least privileged roles

Here are the least privileged roles you should use when performing tasks in Microsoft Entra Connect.

[!div class="mx-tableFixed"]

Task Least privileged role Additional roles

Passthrough authentication Hybrid Identity Administrator

Read all configuration Global Reader Hybrid Identity Administrator

Seamless single sign-on Hybrid Identity Administrator

Task	Least privileged role	Additional roles
Passthrough authentication	Hybrid Identity Administrator
Read all configuration	Global Reader	Hybrid Identity Administrator
Seamless single sign-on	Hybrid Identity Administrator

Connect Sync least privileged roles

Here are the least privileged roles you should use when performing tasks in Microsoft Entra Connect Sync.

[!div class="mx-tableFixed"]

Task Least privileged role Additional roles

Manage on-premises directory synchronization Hybrid Identity Administrator

Task	Least privileged role	Additional roles
Manage on-premises directory synchronization	Hybrid Identity Administrator

Cloud Provisioning least privileged roles

Here are the least privileged roles you should use when performing tasks for identity provisioning in Microsoft Entra ID.

[!div class="mx-tableFixed"]

Task Least privileged role Additional roles

Passthrough authentication Hybrid Identity Administrator

Read all configuration Global Reader Hybrid Identity Administrator

Seamless single sign-on Hybrid Identity Administrator

Task	Least privileged role	Additional roles
Passthrough authentication	Hybrid Identity Administrator
Read all configuration	Global Reader	Hybrid Identity Administrator
Seamless single sign-on	Hybrid Identity Administrator

Connect Health least privileged roles

Here are the least privileged roles you should use when performing tasks in Microsoft Entra Connect Health.

[!div class="mx-tableFixed"]

Task Least privileged role Additional roles

Add or delete services Owner

Apply fixes to sync error Contributor Owner

Configure notifications Contributor Owner

Configure settings Owner

Configure sync notifications Contributor Owner

Read ADFS security reports Security Reader Contributor
Owner

Read all configuration Reader Contributor
Owner

Read sync errors Reader Contributor
Owner

Read sync services Reader Contributor
Owner

View metrics and alerts Reader Contributor
Owner

View metrics and alerts Reader Contributor
Owner

View sync service metrics and alerts Reader Contributor
Owner

Task	Least privileged role	Additional roles
Add or delete services	Owner
Apply fixes to sync error	Contributor	Owner
Configure notifications	Contributor	Owner
Configure settings	Owner
Configure sync notifications	Contributor	Owner
Read ADFS security reports	Security Reader	Contributor Owner
Read all configuration	Reader	Contributor Owner
Read sync errors	Reader	Contributor Owner
Read sync services	Reader	Contributor Owner
View metrics and alerts	Reader	Contributor Owner
View metrics and alerts	Reader	Contributor Owner
View sync service metrics and alerts	Reader	Contributor Owner

Custom domain names least privileged roles

Here are the least privileged roles you should use when performing tasks for custom domain names in Microsoft Entra ID.

[!div class="mx-tableFixed"]

Task Least privileged role Additional roles

Manage domains Domain Name Administrator

Read all configuration Directory Readers Default user role

Task	Least privileged role	Additional roles
Manage domains	Domain Name Administrator
Read all configuration	Directory Readers	Default user role

Domain Services least privileged roles

Here are the least privileged roles you should use when performing tasks in Microsoft Entra Domain Services.

[!div class="mx-tableFixed"]

Task Least privileged role Additional roles

Create Microsoft Entra Domain Services instance Application Administrator
Groups Administrator
Domain Services Contributor

Perform all Microsoft Entra Domain Services tasks AAD DC Administrators group

Read all configuration Reader on Azure subscription containing AD DS service

Task	Least privileged role	Additional roles
Create Microsoft Entra Domain Services instance	Application Administrator Groups Administrator Domain Services Contributor
Perform all Microsoft Entra Domain Services tasks	AAD DC Administrators group
Read all configuration	Reader on Azure subscription containing AD DS service

Devices least privileged roles

Here are the least privileged roles you should use when performing tasks for device identity in Microsoft Entra ID.

[!div class="mx-tableFixed"]

Task Least privileged role Additional roles

Delete device Cloud Device Administrator Intune Administrator

Disable device Cloud Device Administrator Intune Administrator

Enable device Cloud Device Administrator Intune Administrator

Read basic configuration Default user role

Read BitLocker keys Cloud Device Administrator Helpdesk Administrator
Intune Administrator
Security Administrator
Security Reader

Provision and manage IoT devices IoT Device Administrator Cloud Device Administrator

Manage IoT device templates IoT Device Administrator Cloud Device Administrator

Task	Least privileged role	Additional roles
Delete device	Cloud Device Administrator	Intune Administrator
Disable device	Cloud Device Administrator	Intune Administrator
Enable device	Cloud Device Administrator	Intune Administrator
Read basic configuration	Default user role
Read BitLocker keys	Cloud Device Administrator	Helpdesk Administrator Intune Administrator Security Administrator Security Reader
Provision and manage IoT devices	IoT Device Administrator	Cloud Device Administrator
Manage IoT device templates	IoT Device Administrator	Cloud Device Administrator

Enterprise applications least privileged roles

Here are the least privileged roles you should use when performing tasks for application management in Microsoft Entra ID.

[!div class="mx-tableFixed"]

Task Least privileged role Additional roles

Consent to any delegated permissions Cloud Application Administrator Application Administrator

Consent to application permissions not including Microsoft Graph Cloud Application Administrator Application Administrator

Consent to application permissions to Microsoft Graph Privileged Role Administrator

Consent to applications accessing own data Default user role

Create enterprise application Cloud Application Administrator Application Administrator

Manage Application Proxy Application Administrator

Read access review of a group or of an app Security Reader Security Administrator
User Administrator

Read all configuration Default user role

Update enterprise application assignments Enterprise application owner Cloud Application Administrator
Application Administrator
User Administrator

Update enterprise application owners Enterprise application owner Cloud Application Administrator
Application Administrator

Update enterprise application properties Enterprise application owner Cloud Application Administrator
Application Administrator

Update enterprise application provisioning Enterprise application owner Cloud Application Administrator
Application Administrator

Update enterprise application self-service Enterprise application owner Cloud Application Administrator
Application Administrator

Update single sign-on properties Enterprise application owner Cloud Application Administrator
Application Administrator

Create and modify custom authentication extensions Authentication Extensibility Administrator Application Administrator

Task	Least privileged role	Additional roles
Consent to any delegated permissions	Cloud Application Administrator	Application Administrator
Consent to application permissions not including Microsoft Graph	Cloud Application Administrator	Application Administrator
Consent to application permissions to Microsoft Graph	Privileged Role Administrator
Consent to applications accessing own data	Default user role
Create enterprise application	Cloud Application Administrator	Application Administrator
Manage Application Proxy	Application Administrator
Read access review of a group or of an app	Security Reader	Security Administrator User Administrator
Read all configuration	Default user role
Update enterprise application assignments	Enterprise application owner	Cloud Application Administrator Application Administrator User Administrator
Update enterprise application owners	Enterprise application owner	Cloud Application Administrator Application Administrator
Update enterprise application properties	Enterprise application owner	Cloud Application Administrator Application Administrator
Update enterprise application provisioning	Enterprise application owner	Cloud Application Administrator Application Administrator
Update enterprise application self-service	Enterprise application owner	Cloud Application Administrator Application Administrator
Update single sign-on properties	Enterprise application owner	Cloud Application Administrator Application Administrator
Create and modify custom authentication extensions	Authentication Extensibility Administrator	Application Administrator

Note

In practice, consenting to Microsoft Graph application permissions typically requires the Global Administrator role. Privileged Role Administrator may not be sufficient depending on tenant consent policies, permission scopes, or Graph protection requirements.

Entitlement management least privileged roles

Here are the least privileged roles you should use when performing tasks for entitlement management in Microsoft Entra ID Governance.

[!div class="mx-tableFixed"]

Task Least privileged role Additional roles

Tasks in Entitlement Management Identity Governance Administrator. For roles lesser privilege than this within the Entitlement Management system, see: Delegation and roles in entitlement management.

Task	Least privileged role	Additional roles
Tasks in Entitlement Management	Identity Governance Administrator. For roles lesser privilege than this within the Entitlement Management system, see: Delegation and roles in entitlement management.

Groups least privileged roles

Here are the least privileged roles you should use when performing tasks for groups in Microsoft Entra ID.

[!div class="mx-tableFixed"]

Task Least privileged role Additional roles

Assign license User Administrator

Create group Groups Administrator User Administrator

Create, update, or delete access review of a group or of an app User Administrator

Manage group expiration User Administrator

Manage group settings Groups Administrator User Administrator

Read all configuration (except hidden membership) Directory Readers Default user role

Read hidden membership Group member Group owner
Password Administrator
Exchange Administrator
SharePoint Administrator
Teams Administrator
User Administrator

Read membership of groups with hidden membership Helpdesk Administrator User Administrator
Teams Administrator

Revoke license License Administrator User Administrator

Update dynamic membership groups Group owner User Administrator

Update group owners Group owner User Administrator

Update group properties Group owner User Administrator

Delete group Groups Administrator User Administrator

Task	Least privileged role	Additional roles
Assign license	User Administrator
Create group	Groups Administrator	User Administrator
Create, update, or delete access review of a group or of an app	User Administrator
Manage group expiration	User Administrator
Manage group settings	Groups Administrator	User Administrator
Read all configuration (except hidden membership)	Directory Readers	Default user role
Read hidden membership	Group member	Group owner Password Administrator Exchange Administrator SharePoint Administrator Teams Administrator User Administrator
Read membership of groups with hidden membership	Helpdesk Administrator	User Administrator Teams Administrator
Revoke license	License Administrator	User Administrator
Update dynamic membership groups	Group owner	User Administrator
Update group owners	Group owner	User Administrator
Update group properties	Group owner	User Administrator
Delete group	Groups Administrator	User Administrator

Licenses least privileged roles

Here are the least privileged roles you should use when performing tasks for Microsoft Entra licensing.

[!div class="mx-tableFixed"]

Task Least privileged role Additional roles

Assign license License Administrator User Administrator

Read all configuration Directory Readers Default user role

Revoke license License Administrator User Administrator

Try or buy subscription Billing Administrator

Task	Least privileged role	Additional roles
Assign license	License Administrator	User Administrator
Read all configuration	Directory Readers	Default user role
Revoke license	License Administrator	User Administrator
Try or buy subscription	Billing Administrator

Lifecycle Workflows least privileged roles

Here are the least privileged roles you should use when performing tasks for lifecycle workflows in Microsoft Entra ID Governance.

[!div class="mx-tableFixed"]

Task Least privileged role Additional roles

Create a workflow Lifecycle workflows Administrator

Add a custom extension to a workflow Lifecycle workflows Administrator. You must also have either the Logic App contributor or Owner Azure Resource Manager role.

Task	Least privileged role	Additional roles
Create a workflow	Lifecycle workflows Administrator
Add a custom extension to a workflow	Lifecycle workflows Administrator. You must also have either the Logic App contributor or Owner Azure Resource Manager role.

Microsoft Entra Health least privileged roles

Here are the least privileged roles you should use when performing tasks in Microsoft Entra Health monitoring.

[!div class="mx-tableFixed"]

Task Least privileged role Additional roles

View scenario monitoring signals and alert configurations Reports Reader Security Reader
Security Operator
Security Administrator
Helpdesk Administrator
Global Reader

Update alerts and alert email configurations Helpdesk Administrator

Task	Least privileged role	Additional roles
View scenario monitoring signals and alert configurations	Reports Reader	Security Reader Security Operator Security Administrator Helpdesk Administrator Global Reader
Update alerts and alert email configurations	Helpdesk Administrator

Microsoft Entra ID Protection least privileged roles

Here are the least privileged roles you should use when performing tasks in Microsoft Entra ID Protection.

[!div class="mx-tableFixed"]

Task Least privileged role Additional roles

Configure alert notifications Security Administrator

Configure and enable or disable MFA policy Security Administrator

Configure and enable or disable sign-in risk policy Security Administrator

Configure and enable or disable user risk policy Security Administrator

Configure weekly digests Security Administrator

Dismiss all risk detections Security Operator

Fix or dismiss vulnerability Security Administrator

Read all configuration Security Reader

Read all risk detections Security Reader

Read vulnerabilities Security Reader

Task	Least privileged role	Additional roles
Configure alert notifications	Security Administrator
Configure and enable or disable MFA policy	Security Administrator
Configure and enable or disable sign-in risk policy	Security Administrator
Configure and enable or disable user risk policy	Security Administrator
Configure weekly digests	Security Administrator
Dismiss all risk detections	Security Operator
Fix or dismiss vulnerability	Security Administrator
Read all configuration	Security Reader
Read all risk detections	Security Reader
Read vulnerabilities	Security Reader

Monitoring and health - Audit and sign-in logs least privileged roles

Here are the least privileged roles you should use when performing tasks for audit and sign-in logs in Microsoft Entra monitoring.

[!div class="mx-tableFixed"]

Task Least privileged role Additional roles

Read audit and sign-in logs Reports Reader Application Administrator
Cloud Application Administrator
Cloud Device Administrator
Global Secure Access Administrator
Hybrid Identity Administrator
Security Administrator
Security Operator
Security Reader

Task	Least privileged role	Additional roles
Read audit and sign-in logs	Reports Reader	Application Administrator Cloud Application Administrator Cloud Device Administrator Global Secure Access Administrator Hybrid Identity Administrator Security Administrator Security Operator Security Reader

Monitoring and health - Provisioning logs least privileged roles

Here are the least privileged roles you should use when performing tasks for Microsoft Entra provisioning logs.

[!div class="mx-tableFixed"]

Task Least privileged role Additional roles

Read provisioning logs Reports Reader Enterprise application owner
Application Administrator
Cloud Application Administrator
Cloud Device Administrator
Hybrid Identity Administrator
Security Administrator
Security Operator
Security Reader

Task	Least privileged role	Additional roles
Read provisioning logs	Reports Reader	Enterprise application owner Application Administrator Cloud Application Administrator Cloud Device Administrator Hybrid Identity Administrator Security Administrator Security Operator Security Reader

Monitoring and health - Recommendations least privileged roles

Here are the least privileged roles you should use when performing tasks for Microsoft Entra identity recommendations.

[!div class="mx-tableFixed"]

Task Least privileged role Additional roles

Read recommendations Reports Reader Security Reader
Global Reader
Helpdesk Administrator
Service Support Administrator
User Administrator

Update recommendations Authentication Policy Administrator Application Administrator
Authentication Administrator
Cloud Application Administrator
Conditional Access Administrator
Exchange Administrator
Hybrid Identity Administrator
Identity Governance Administrator
Privileged Role Administrator
Security Administrator
Security Operator
SharePoint Administrator

Read Identity Secure Score improvement action Service Support Administrator Security Administrator
Exchange Administrator

Update Identity Secure Score improvement action SharePoint Administrator Helpdesk Administrator
User Administrator
Security Reader
Security Operator
Global Reader

Task	Least privileged role	Additional roles
Read recommendations	Reports Reader	Security Reader Global Reader Helpdesk Administrator Service Support Administrator User Administrator
Update recommendations	Authentication Policy Administrator	Application Administrator Authentication Administrator Cloud Application Administrator Conditional Access Administrator Exchange Administrator Hybrid Identity Administrator Identity Governance Administrator Privileged Role Administrator Security Administrator Security Operator SharePoint Administrator
Read Identity Secure Score improvement action	Service Support Administrator	Security Administrator Exchange Administrator
Update Identity Secure Score improvement action	SharePoint Administrator	Helpdesk Administrator User Administrator Security Reader Security Operator Global Reader

Monitoring and health - Sign-in diagnostic tool

Here are the least privileged roles you should use when running the sign-in diagnostic tool.

[!div class="mx-tableFixed"]

Task Least privileged roles Additional roles

Use sign-in diagnostic from Diagnose and solve problems Billing Administrator Application Administrator
Cloud Application Administrator
Cloud Device Administrator
Conditional Access Administrator
Customer LockBox Access Approver
Groups Administrator
License Administrator
Global Reader
Helpdesk Administrator
Privileged Role Administrator
Security Administrator
User Administrator

Use sign-in diagnostic from the Sign-in logs BOTH Reports Reader AND Billing Administrator Global Secure Access Administrator
Hybrid Identity Administrator
Security Administrator
Security Operator
Security Reader

Task	Least privileged roles	Additional roles
Use sign-in diagnostic from Diagnose and solve problems	Billing Administrator	Application Administrator Cloud Application Administrator Cloud Device Administrator Conditional Access Administrator Customer LockBox Access Approver Groups Administrator License Administrator Global Reader Helpdesk Administrator Privileged Role Administrator Security Administrator User Administrator
Use sign-in diagnostic from the Sign-in logs	BOTH Reports Reader AND Billing Administrator	Global Secure Access Administrator Hybrid Identity Administrator Security Administrator Security Operator Security Reader

Multifactor authentication least privileged roles

Here are the least privileged roles you should use when performing tasks in Microsoft Entra authentication.

[!div class="mx-tableFixed"]

Task Least privileged role Additional roles

Delete all existing app passwords generated by the selected users Authentication Policy Administrator Authentication Administrator

Disable per-user MFA Authentication Administrator Privileged Authentication Administrator

Enable per-user MFA Authentication Administrator Privileged Authentication Administrator

Manage MFA service settings Authentication Policy Administrator

Require selected users to provide contact methods again Authentication Administrator

Restore multifactor authentication on all remembered devices Authentication Administrator

Task	Least privileged role	Additional roles
Delete all existing app passwords generated by the selected users	Authentication Policy Administrator	Authentication Administrator
Disable per-user MFA	Authentication Administrator	Privileged Authentication Administrator
Enable per-user MFA	Authentication Administrator	Privileged Authentication Administrator
Manage MFA service settings	Authentication Policy Administrator
Require selected users to provide contact methods again	Authentication Administrator
Restore multifactor authentication on all remembered devices	Authentication Administrator

MFA Server least privileged roles

Here are the least privileged roles you should use when performing tasks in MFA Server.

[!div class="mx-tableFixed"]

Task Least privileged role Additional roles

Block/unblock users Authentication Policy Administrator

Configure account lockout Authentication Policy Administrator

Configure caching rules Authentication Policy Administrator

Configure fraud alert Authentication Policy Administrator

Configure notifications Authentication Policy Administrator

Configure one-time bypass Authentication Policy Administrator

Configure phone call settings Authentication Policy Administrator

Configure providers Authentication Policy Administrator

Configure server settings Authentication Policy Administrator

Read activity report Global Reader

Read all configuration Global Reader

Read server status Global Reader

Task	Least privileged role	Additional roles
Block/unblock users	Authentication Policy Administrator
Configure account lockout	Authentication Policy Administrator
Configure caching rules	Authentication Policy Administrator
Configure fraud alert	Authentication Policy Administrator
Configure notifications	Authentication Policy Administrator
Configure one-time bypass	Authentication Policy Administrator
Configure phone call settings	Authentication Policy Administrator
Configure providers	Authentication Policy Administrator
Configure server settings	Authentication Policy Administrator
Read activity report	Global Reader
Read all configuration	Global Reader
Read server status	Global Reader

Organizational relationships least privileged roles

Here are the least privileged roles you should use when performing tasks for external collaboration settings in Microsoft Entra External ID.

[!div class="mx-tableFixed"]

Task Least privileged role Additional roles

Manage identity providers External Identity Provider Administrator

Read all configuration Global Reader

Task	Least privileged role	Additional roles
Manage identity providers	External Identity Provider Administrator
Read all configuration	Global Reader

Password reset least privileged roles

Here are the least privileged roles you should use when performing tasks for password reset in Microsoft Entra ID.

[!div class="mx-tableFixed"]

Task Least privileged role Additional roles

Configure authentication methods Authentication Policy Administrator

Configure customization Authentication Policy Administrator

Configure notification Authentication Policy Administrator

Configure on-premises integration Authentication Policy Administrator

Configure password reset properties User Administrator Authentication Policy Administrator

Configure registration Authentication Policy Administrator

Read all configuration Security Administrator User Administrator

Task	Least privileged role	Additional roles
Configure authentication methods	Authentication Policy Administrator
Configure customization	Authentication Policy Administrator
Configure notification	Authentication Policy Administrator
Configure on-premises integration	Authentication Policy Administrator
Configure password reset properties	User Administrator	Authentication Policy Administrator
Configure registration	Authentication Policy Administrator
Read all configuration	Security Administrator	User Administrator

Privileged Identity Management least privileged roles

Here are the least privileged roles you should use when performing tasks for Microsoft Entra Privileged Identity Management in Microsoft Entra ID Governance.

[!div class="mx-tableFixed"]

Task Least privileged role Additional roles

Assign users to roles Privileged Role Administrator

Configure role settings Privileged Role Administrator

View audit activity Security Reader

View role memberships Security Reader

Task	Least privileged role	Additional roles
Assign users to roles	Privileged Role Administrator
Configure role settings	Privileged Role Administrator
View audit activity	Security Reader
View role memberships	Security Reader

Roles and administrators least privileged roles

Here are the least privileged roles you should use when performing tasks for roles and administrators in Microsoft Entra ID.

[!div class="mx-tableFixed"]

Task Least privileged role Additional roles

Manage role assignments Privileged Role Administrator

Read access review of a Microsoft Entra role Security Reader Security Administrator
Privileged Role Administrator

Read all configuration Default user role

Task	Least privileged role	Additional roles
Manage role assignments	Privileged Role Administrator
Read access review of a Microsoft Entra role	Security Reader	Security Administrator Privileged Role Administrator
Read all configuration	Default user role

Security - Authentication methods least privileged roles

Here are the least privileged roles you should use when performing tasks for authentication methods in Microsoft Entra ID.

[!div class="mx-tableFixed"]

Task Least privileged role Additional roles

Enable or disable authentication methods Authentication Policy Administrator

View, provision on behalf of, and manage individual user authentication methods Authentication Administrator Privileged Authentication Administrator

Configure password protection Security Administrator

Configure smart lockout Security Administrator

Read all configuration Global Reader

Task	Least privileged role	Additional roles
Enable or disable authentication methods	Authentication Policy Administrator
View, provision on behalf of, and manage individual user authentication methods	Authentication Administrator	Privileged Authentication Administrator
Configure password protection	Security Administrator
Configure smart lockout	Security Administrator
Read all configuration	Global Reader

Security - Conditional Access least privileged roles

Here are the least privileged roles you should use when performing tasks for Conditional Access in Microsoft Entra ID.

[!div class="mx-tableFixed"]

Task Least privileged role Additional roles

Configure MFA trusted IP addresses Conditional Access Administrator

Create custom controls Conditional Access Administrator Security Administrator

Create named locations Conditional Access Administrator Security Administrator

Create policies Conditional Access Administrator Security Administrator

Create terms of use Conditional Access Administrator Security Administrator

Create VPN connectivity certificate Cloud Application Administrator Application Administrator

Delete classic policy Conditional Access Administrator Security Administrator

Restore a soft-deleted policy Conditional Access Administrator Security Administrator

Delete terms of use Conditional Access Administrator Security Administrator

Delete VPN connectivity certificate Conditional Access Administrator Security Administrator

Disable classic policy Conditional Access Administrator Security Administrator

Manage custom controls Conditional Access Administrator Security Administrator

Manage named locations Conditional Access Administrator Security Administrator

Manage terms of use Conditional Access Administrator Security Administrator

Read all configuration Security Reader

Read named locations Security Reader

Read terms of use Security Reader Global Reader

Read which terms of use were accepted by the signed-in user Default user role

Task	Least privileged role	Additional roles
Configure MFA trusted IP addresses	Conditional Access Administrator
Create custom controls	Conditional Access Administrator	Security Administrator
Create named locations	Conditional Access Administrator	Security Administrator
Create policies	Conditional Access Administrator	Security Administrator
Create terms of use	Conditional Access Administrator	Security Administrator
Create VPN connectivity certificate	Cloud Application Administrator	Application Administrator
Delete classic policy	Conditional Access Administrator	Security Administrator
Restore a soft-deleted policy	Conditional Access Administrator	Security Administrator
Delete terms of use	Conditional Access Administrator	Security Administrator
Delete VPN connectivity certificate	Conditional Access Administrator	Security Administrator
Disable classic policy	Conditional Access Administrator	Security Administrator
Manage custom controls	Conditional Access Administrator	Security Administrator
Manage named locations	Conditional Access Administrator	Security Administrator
Manage terms of use	Conditional Access Administrator	Security Administrator
Read all configuration	Security Reader
Read named locations	Security Reader
Read terms of use	Security Reader	Global Reader
Read which terms of use were accepted by the signed-in user	Default user role

Security - Identity Security Score least privileged roles

Here are the least privileged roles you should use when performing tasks for Identity Secure Score in Microsoft Entra ID.

[!div class="mx-tableFixed"]

Task Least privileged role Additional roles

Read all configuration Security Reader Security Administrator

Read security score Security Reader Security Administrator

Update event status Security Administrator

Task	Least privileged role	Additional roles
Read all configuration	Security Reader	Security Administrator
Read security score	Security Reader	Security Administrator
Update event status	Security Administrator

Security - Risky sign-ins least privileged roles

Here are the least privileged roles you should use when performing tasks for risky sign-ins in Microsoft Entra ID Protection.

[!div class="mx-tableFixed"]

Task Least privileged role Additional roles

Read all configuration Security Reader

Read risky sign-ins Security Reader

Task	Least privileged role	Additional roles
Read all configuration	Security Reader
Read risky sign-ins	Security Reader

Security - Users flagged for risk least privileged roles

Here are the least privileged roles you should use when performing tasks for users flagged for risk in Microsoft Entra ID Protection.

[!div class="mx-tableFixed"]

Task Least privileged role Additional roles

Dismiss all events Security Administrator

Read all configuration Security Reader

Read users flagged for risk Security Reader

Task	Least privileged role	Additional roles
Dismiss all events	Security Administrator
Read all configuration	Security Reader
Read users flagged for risk	Security Reader

Temporary Access Pass least privileged roles

Here are the least privileged roles you should use when performing tasks for Temporary Access Pass in Microsoft Entra ID.

[!div class="mx-tableFixed"]

Task Least privileged role Additional roles

Create, delete, or view a Temporary Access Pass for admins or members (except themselves) Privileged Authentication Administrator

Create, delete, or view a Temporary Access Pass for members (except themselves) Authentication Administrator

View a Temporary Access Pass details for a user (without reading the code itself) Global Reader

Configure or update the Temporary Access Pass authentication method policy Authentication Policy Administrator

Task	Least privileged role	Additional roles
Create, delete, or view a Temporary Access Pass for admins or members (except themselves)	Privileged Authentication Administrator
Create, delete, or view a Temporary Access Pass for members (except themselves)	Authentication Administrator
View a Temporary Access Pass details for a user (without reading the code itself)	Global Reader
Configure or update the Temporary Access Pass authentication method policy	Authentication Policy Administrator

Tenants least privileged roles

Here are the least privileged roles you should use when performing tasks in Microsoft Entra tenants.

[!div class="mx-tableFixed"]

Task Least privileged role Additional roles

Create Microsoft Entra ID or Azure AD B2C Tenant Tenant Creator

Update Microsoft Entra tenant properties Billing Administrator

Manage privacy statement and contact Billing Administrator

Task	Least privileged role	Additional roles
Create Microsoft Entra ID or Azure AD B2C Tenant	Tenant Creator
Update Microsoft Entra tenant properties	Billing Administrator
Manage privacy statement and contact	Billing Administrator

Users least privileged roles

Here are the least privileged roles you should use when performing tasks for users in Microsoft Entra ID.

[!div class="mx-tableFixed"]

Task Least privileged role Additional roles

Add user to directory role Privileged Role Administrator

Add user to group User Administrator

Assign license License Administrator User Administrator

Create guest user Guest Inviter User Administrator

Reset guest user invite Helpdesk Administrator User Administrator

Create user User Administrator

Delete users User Administrator

Invalidate refresh tokens of limited admins User Administrator

Invalidate refresh tokens of non-admins Helpdesk Administrator User Administrator

Invalidate refresh tokens of privileged admins Privileged Authentication Administrator

Read basic configuration Default user role

Reset password for limited admins User Administrator

Reset password of non-admins Password Administrator User Administrator

Reset password of privileged admins Privileged Authentication Administrator

Revoke license License Administrator User Administrator

Update all properties except User Principal Name User Administrator

Update On-premises sync enabled property Hybrid Identity Administrator

Update profile photos and people settings People Administrator

Update User Principal Name for limited admins User Administrator

Update User Principal Name property on privileged admins Privileged Authentication Administrator

Update user settings - Default user role permissions Privileged Role Administrator

Update user settings - Guest user access Privileged Role Administrator

Update user settings - Administration center Global Administrator

Update user settings - LinkedIn account connections Global Administrator

Update user settings - Show keep user signed in Global Administrator

Update Authentication methods Authentication Administrator Privileged Authentication Administrator

Task	Least privileged role	Additional roles
Add user to directory role	Privileged Role Administrator
Add user to group	User Administrator
Assign license	License Administrator	User Administrator
Create guest user	Guest Inviter	User Administrator
Reset guest user invite	Helpdesk Administrator	User Administrator
Create user	User Administrator
Delete users	User Administrator
Invalidate refresh tokens of limited admins	User Administrator
Invalidate refresh tokens of non-admins	Helpdesk Administrator	User Administrator
Invalidate refresh tokens of privileged admins	Privileged Authentication Administrator
Read basic configuration	Default user role
Reset password for limited admins	User Administrator
Reset password of non-admins	Password Administrator	User Administrator
Reset password of privileged admins	Privileged Authentication Administrator
Revoke license	License Administrator	User Administrator
Update all properties except User Principal Name	User Administrator
Update On-premises sync enabled property	Hybrid Identity Administrator
Update profile photos and people settings	People Administrator
Update User Principal Name for limited admins	User Administrator
Update User Principal Name property on privileged admins	Privileged Authentication Administrator
Update user settings - Default user role permissions	Privileged Role Administrator
Update user settings - Guest user access	Privileged Role Administrator
Update user settings - Administration center	Global Administrator
Update user settings - LinkedIn account connections	Global Administrator
Update user settings - Show keep user signed in	Global Administrator
Update Authentication methods	Authentication Administrator	Privileged Authentication Administrator

Support least privileged roles

Here are the least privileged roles you should use when performing tasks for support in Microsoft Entra ID.

[!div class="mx-tableFixed"]

Task Least privileged role Additional roles

Submit support ticket Service Support Administrator Application Administrator
Azure Information Protection Administrator
Billing Administrator
Cloud Application Administrator
Compliance Administrator
Dynamics 365 Administrator
Desktop Analytics Administrator
Exchange Administrator
Helpdesk Administrator
Intune Administrator
Password Administrator
Fabric Administrator
Privileged Authentication Administrator
SharePoint Administrator
Skype for Business Administrator
Teams Administrator
Teams Communications Administrator
User Administrator

FilesExpand file tree

delegate-by-task.md

Latest commit

History