---
title: Cloud Device Administrator
description: Cloud Device Administrator
ms.topic: include
ms.date: 01/26/2026
ms.custom: include file
---


This is a privileged role. Users in this role can enable, disable, and delete devices in Microsoft Entra ID and read Windows 10 BitLocker keys (if present) in the Azure portal. The role does not grant permissions to manage any other properties on the device.

[!div class="mx-tableFixed"]

| Actions | Description |
| --- | --- |
| microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health |
| microsoft.directory/auditLogs/allProperties/read | Read all properties on audit logs, excluding custom security attributes audit logs |
| microsoft.directory/authorizationPolicy/standard/read | Read standard properties of authorization policy |
| microsoft.directory/bitlockerKeys/key/read | Read bitlocker metadata and key on devices<br/>Privileged |
| microsoft.directory/deletedItems.devices/delete | Permanently delete devices, which can no longer be restored |
| microsoft.directory/deletedItems.devices/restore | Restore soft deleted devices to original state |
| microsoft.directory/deviceLocalCredentials/password/read | Read all properties of the backed up local administrator account credentials for Microsoft Entra joined devices, including the password |
| microsoft.directory/deviceManagementPolicies/basic/update | Update basic properties on mobile device management and mobile app management policies<br/>Privileged |
| microsoft.directory/deviceManagementPolicies/standard/read | Read standard properties on mobile device management and mobile app management policies |
| microsoft.directory/deviceRegistrationPolicy/basic/update | Update basic properties on device registration policies<br/>Privileged |
| microsoft.directory/deviceRegistrationPolicy/standard/read | Read standard properties on device registration policies |
| microsoft.directory/devices/delete | Delete devices from Microsoft Entra ID |
| microsoft.directory/devices/disable | Disable devices in Microsoft Entra ID |
| microsoft.directory/devices/enable | Enable devices in Microsoft Entra ID |
| microsoft.directory/devices/permissions/update | Update the alternative name property on an IoT device |
| microsoft.directory/deviceTemplates/owners/read | Read owners on Internet of Things (IoT) device templates |
| microsoft.directory/deviceTemplates/owners/update | Update owners on Internet of Things (IoT) device templates |
| microsoft.directory/signInReports/allProperties/read | Read all properties on sign-in reports, including privileged properties |
| microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |