entra-docs/docs/identity/role-based-access-control/includes/directory-writers.md at 1563e3688d9131f52fa7185a51db5162f7cdb6b3 · MicrosoftDocs/entra-docs

title	Directory Writers
description	Directory Writers
ms.topic	include
ms.date	01/26/2026
ms.custom	include file

This is a privileged role. Users in this role can read and update basic information of users, groups, and service principals.

[!div class="mx-tableFixed"]

Actions Description

microsoft.directory/applications/extensionProperties/update Update extension properties on applications

microsoft.directory/contacts/create Create contacts

microsoft.directory/groups/assignedLabels/update Update the assigned labels property on groups of assigned membership type, excluding role-assignable groups

microsoft.directory/groups/assignLicense Assign product licenses to groups for group-based licensing

microsoft.directory/groups/basic/update Update basic properties on Security groups and Microsoft 365 groups, excluding role-assignable groups

microsoft.directory/groups/classification/update Update the classification property on Security groups and Microsoft 365 groups, excluding role-assignable groups

microsoft.directory/groups/create Create Security groups and Microsoft 365 groups, excluding role-assignable groups

microsoft.directory/groups/dynamicMembershipRule/update Update the dynamic membership rule on Security groups and Microsoft 365 groups, excluding role-assignable groups

microsoft.directory/groups/groupType/update Update properties that would affect the group type of Security groups and Microsoft 365 groups, excluding role-assignable groups

microsoft.directory/groups/members/update Update members of Security groups and Microsoft 365 groups, excluding role-assignable groups

microsoft.directory/groups/onPremWriteBack/update Update Microsoft Entra groups to be written back to on-premises with Microsoft Entra Connect

microsoft.directory/groups/owners/update Update owners of Security groups and Microsoft 365 groups, excluding role-assignable groups

microsoft.directory/groups/reprocessLicenseAssignment Reprocess license assignments for group-based licensing

microsoft.directory/groups/settings/update Update settings of groups

microsoft.directory/groups/visibility/update Update the visibility property of Security groups and Microsoft 365 groups, excluding role-assignable groups

microsoft.directory/groupSettings/basic/update Update basic properties on group settings

microsoft.directory/groupSettings/create Create group settings

microsoft.directory/groupSettings/delete Delete group settings

microsoft.directory/oAuth2PermissionGrants/basic/update Update OAuth 2.0 permission grants

microsoft.directory/oAuth2PermissionGrants/create Create OAuth 2.0 permission grants

microsoft.directory/servicePrincipals/appRoleAssignedTo/update Update service principal role assignments

microsoft.directory/servicePrincipals/synchronization.cloudTenantToCloudTenant/credentials/manage Manage cloud tenant to cloud tenant application provisioning secrets and credentials.

microsoft.directory/servicePrincipals/synchronization.cloudTenantToCloudTenant/jobs/manage Start, restart, and pause cloud tenant to cloud tenant application provisioning synchronization jobs.

microsoft.directory/servicePrincipals/synchronization.cloudTenantToCloudTenant/schema/manage Create and manage cloud tenant to cloud tenant application provisioning synchronization jobs and schema.

microsoft.directory/servicePrincipals/synchronization.cloudTenantToExternalSystem/credentials/manage Manage application provisioning secrets and credentials.

microsoft.directory/servicePrincipals/synchronization.cloudTenantToExternalSystem/jobs/manage Start, restart, and pause application provisioning synchronization jobs.

microsoft.directory/servicePrincipals/synchronization.cloudTenantToExternalSystem/schema/manage Create and manage application provisioning synchronization jobs and schema.

microsoft.directory/servicePrincipals/synchronizationCredentials/manage Manage application provisioning secrets and credentials

microsoft.directory/servicePrincipals/synchronizationJobs/manage Start, restart, and pause application provisioning synchronization jobs

microsoft.directory/servicePrincipals/synchronizationSchema/manage Create and manage application provisioning synchronization jobs and schema

microsoft.directory/users/assignLicense Manage user licenses

microsoft.directory/users/basic/update Update basic properties on users

microsoft.directory/users/create Add users

microsoft.directory/users/disable Disable users

microsoft.directory/users/enable Enable users

microsoft.directory/users/invalidateAllRefreshTokens Force sign-out by invalidating user refresh tokens

microsoft.directory/users/inviteGuest Invite guest users

microsoft.directory/users/manager/update Update manager for users

microsoft.directory/users/photo/update Update photo of users

microsoft.directory/users/reprocessLicenseAssignment Reprocess license assignments for users

microsoft.directory/users/sponsors/update Update sponsors of users

microsoft.directory/users/userPrincipalName/update Update User Principal Name of users

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Actions	Description
microsoft.directory/applications/extensionProperties/update	Update extension properties on applications
microsoft.directory/contacts/create	Create contacts
microsoft.directory/groups/assignedLabels/update	Update the assigned labels property on groups of assigned membership type, excluding role-assignable groups
microsoft.directory/groups/assignLicense	Assign product licenses to groups for group-based licensing
microsoft.directory/groups/basic/update	Update basic properties on Security groups and Microsoft 365 groups, excluding role-assignable groups
microsoft.directory/groups/classification/update	Update the classification property on Security groups and Microsoft 365 groups, excluding role-assignable groups
microsoft.directory/groups/create	Create Security groups and Microsoft 365 groups, excluding role-assignable groups
microsoft.directory/groups/dynamicMembershipRule/update	Update the dynamic membership rule on Security groups and Microsoft 365 groups, excluding role-assignable groups
microsoft.directory/groups/groupType/update	Update properties that would affect the group type of Security groups and Microsoft 365 groups, excluding role-assignable groups
microsoft.directory/groups/members/update	Update members of Security groups and Microsoft 365 groups, excluding role-assignable groups
microsoft.directory/groups/onPremWriteBack/update	Update Microsoft Entra groups to be written back to on-premises with Microsoft Entra Connect
microsoft.directory/groups/owners/update	Update owners of Security groups and Microsoft 365 groups, excluding role-assignable groups
microsoft.directory/groups/reprocessLicenseAssignment	Reprocess license assignments for group-based licensing
microsoft.directory/groups/settings/update	Update settings of groups
microsoft.directory/groups/visibility/update	Update the visibility property of Security groups and Microsoft 365 groups, excluding role-assignable groups
microsoft.directory/groupSettings/basic/update	Update basic properties on group settings
microsoft.directory/groupSettings/create	Create group settings
microsoft.directory/groupSettings/delete	Delete group settings
microsoft.directory/oAuth2PermissionGrants/basic/update	Update OAuth 2.0 permission grants
microsoft.directory/oAuth2PermissionGrants/create	Create OAuth 2.0 permission grants
microsoft.directory/servicePrincipals/appRoleAssignedTo/update	Update service principal role assignments
microsoft.directory/servicePrincipals/synchronization.cloudTenantToCloudTenant/credentials/manage	Manage cloud tenant to cloud tenant application provisioning secrets and credentials.
microsoft.directory/servicePrincipals/synchronization.cloudTenantToCloudTenant/jobs/manage	Start, restart, and pause cloud tenant to cloud tenant application provisioning synchronization jobs.
microsoft.directory/servicePrincipals/synchronization.cloudTenantToCloudTenant/schema/manage	Create and manage cloud tenant to cloud tenant application provisioning synchronization jobs and schema.
microsoft.directory/servicePrincipals/synchronization.cloudTenantToExternalSystem/credentials/manage	Manage application provisioning secrets and credentials.
microsoft.directory/servicePrincipals/synchronization.cloudTenantToExternalSystem/jobs/manage	Start, restart, and pause application provisioning synchronization jobs.
microsoft.directory/servicePrincipals/synchronization.cloudTenantToExternalSystem/schema/manage	Create and manage application provisioning synchronization jobs and schema.
microsoft.directory/servicePrincipals/synchronizationCredentials/manage	Manage application provisioning secrets and credentials
microsoft.directory/servicePrincipals/synchronizationJobs/manage	Start, restart, and pause application provisioning synchronization jobs
microsoft.directory/servicePrincipals/synchronizationSchema/manage	Create and manage application provisioning synchronization jobs and schema
microsoft.directory/users/assignLicense	Manage user licenses
microsoft.directory/users/basic/update	Update basic properties on users
microsoft.directory/users/create	Add users
microsoft.directory/users/disable	Disable users
microsoft.directory/users/enable	Enable users
microsoft.directory/users/invalidateAllRefreshTokens	Force sign-out by invalidating user refresh tokens
microsoft.directory/users/inviteGuest	Invite guest users
microsoft.directory/users/manager/update	Update manager for users
microsoft.directory/users/photo/update	Update photo of users
microsoft.directory/users/reprocessLicenseAssignment	Reprocess license assignments for users
microsoft.directory/users/sponsors/update	Update sponsors of users
microsoft.directory/users/userPrincipalName/update	Update User Principal Name of users

FilesExpand file tree

directory-writers.md

Latest commit

History

directory-writers.md

File metadata and controls