| title | Authentication Policy Administrator |
|---|---|
| description | Authentication Policy Administrator |
| ms.topic | include |
| ms.date | 01/26/2026 |
| ms.custom | include file |

Assign the Authentication Policy Administrator role to users who need to do the following:

- Configure the authentication methods policy, tenant-wide MFA settings, and password protection policy that determine which methods each user can register and use.
- Manage Password Protection settings, including smart lockout configuration and the custom banned passwords list.
- Manage MFA settings in the legacy MFA management portal.
- Create and manage verifiable credentials.
- Create and manage Azure support tickets.

Users with this role cannot do the following:

- Update sensitive properties. For more information, see Who can perform sensitive actions.
- Delete or restore users. For more information, see Who can perform sensitive actions.
- Manage hardware OATH tokens.

[!INCLUDE authentication-table-include]

[!div class="mx-tableFixed"]

| Actions | Description |
|---|---|
| microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets |
| microsoft.directory/organization/strongAuthentication/allTasks | Manage all aspects of strong authentication properties of an organization |
| microsoft.directory/userCredentialPolicies/basic/update | Update basic policies for users |
| microsoft.directory/userCredentialPolicies/create | Create credential policies for users |
| microsoft.directory/userCredentialPolicies/delete | Delete credential policies for users |
| microsoft.directory/userCredentialPolicies/owners/read | Read owners of credential policies for users |
| microsoft.directory/userCredentialPolicies/owners/update | Update owners of credential policies for users |
| microsoft.directory/userCredentialPolicies/policyAppliedTo/read | Read policy.appliesTo navigation link |
| microsoft.directory/userCredentialPolicies/standard/read | Read standard properties of credential policies for users |
| microsoft.directory/userCredentialPolicies/tenantDefault/update | Update policy.isOrganizationDefault property |
| microsoft.directory/verifiableCredentials/configuration/allProperties/read | Read configuration required to create and manage verifiable credentials |
| microsoft.directory/verifiableCredentials/configuration/allProperties/update | Update configuration required to create and manage verifiable credentials |
| microsoft.directory/verifiableCredentials/configuration/contracts/allProperties/read | Read a verifiable credential contract |
| microsoft.directory/verifiableCredentials/configuration/contracts/allProperties/update | Update a verifiable credential contract |
| microsoft.directory/verifiableCredentials/configuration/contracts/cards/allProperties/read | Read a verifiable credential card |
| microsoft.directory/verifiableCredentials/configuration/contracts/cards/revoke | Revoke a verifiable credential card |
| microsoft.directory/verifiableCredentials/configuration/contracts/create | Create a verifiable credential contract |
| microsoft.directory/verifiableCredentials/configuration/create | Create configuration required to create and manage verifiable credentials |
| microsoft.directory/verifiableCredentials/configuration/delete | Delete configuration required to create and manage verifiable credentials and delete all of its verifiable credentials |
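
When reviewing a least-privilege request, it helps to check the actions a task needs against the actions listed for this role. The following is an added example, not Microsoft's code: the segment matching (`allEntities` and `allProperties` match any one segment, a trailing `allTasks` matches any task) is a simplifying assumption, and the `NEEDED` list is constructed sample input.

```python
"""Added example: check requested actions against this role's action list."""
UCP = "microsoft.directory/userCredentialPolicies"
VC = "microsoft.directory/verifiableCredentials/configuration"
# The 19 actions listed for Authentication Policy Administrator on this page.
GRANTED = [
    "microsoft.azure.supportTickets/allEntities/allTasks",
    "microsoft.directory/organization/strongAuthentication/allTasks",
] + [f"{UCP}/{s}" for s in (
    "basic/update", "create", "delete", "owners/read", "owners/update",
    "policyAppliedTo/read", "standard/read", "tenantDefault/update",
)] + [f"{VC}/{s}" for s in (
    "allProperties/read", "allProperties/update",
    "contracts/allProperties/read", "contracts/allProperties/update",
    "contracts/cards/allProperties/read", "contracts/cards/revoke",
    "contracts/create", "create", "delete",
)]

WILDCARDS = {"allEntities", "allProperties"}  # assumed: match any one segment

def covers(grant: str, requested: str) -> bool:
    """True if a granted action covers a requested one (simplified matching)."""
    g, r = grant.split("/"), requested.split("/")
    if len(g) != len(r):
        return False
    for i, (gs, rs) in enumerate(zip(g, r)):
        last = i == len(g) - 1
        if gs == rs or gs in WILDCARDS or (last and gs == "allTasks"):
            continue
        return False
    return True

def review(requested):
    """Map each requested action to the grant that covers it, or None."""
    return {a: next((g for g in GRANTED if covers(g, a)), None) for a in requested}

# Constructed sample: actions an operator's task might require.
NEEDED = [
    "microsoft.directory/organization/strongAuthentication/update",
    "microsoft.directory/verifiableCredentials/configuration/contracts/cards/revoke",
    "microsoft.directory/users/password/update",  # a sensitive action
    "microsoft.directory/users/delete",
]

if __name__ == "__main__":
    for action, grant in review(NEEDED).items():
        print("COVERED" if grant else "MISSING", action)
```

Actions reported as `MISSING` need a different role; the first two sample actions are covered, and the last two are not, in line with the restrictions listed above.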