---
title: Privileged Role Administrator
description: Privileged Role Administrator
ms.topic: include
ms.date: 01/26/2026
ms.custom: include file
---


This is a privileged role. Users with this role can manage role assignments in Microsoft Entra ID, as well as within Microsoft Entra Privileged Identity Management. They can create and manage groups that can be assigned to Microsoft Entra roles. In addition, this role allows management of all aspects of Privileged Identity Management and administrative units.

> [!IMPORTANT]
> This role grants the ability to manage assignments for all Microsoft Entra roles including the Global Administrator role. This role does not include any other privileged abilities in Microsoft Entra ID like creating or updating users. However, users assigned to this role can grant themselves or others additional privilege by assigning additional roles.

> [!div class="mx-tableFixed"]

| Actions | Description |
| --- | --- |
| microsoft.directory/accessReviews/definitions.applications/allProperties/read | Read all properties of access reviews of application role assignments in Microsoft Entra ID |
| microsoft.directory/accessReviews/definitions.directoryRoles/allProperties/allTasks | Manage access reviews for Microsoft Entra role assignments |
| microsoft.directory/accessReviews/definitions.groups/allProperties/read | Read all properties of access reviews for membership in Security and Microsoft 365 groups, including role-assignable groups |
| microsoft.directory/accessReviews/definitions.groupsAssignableToRoles/allProperties/update | Update all properties of access reviews for membership in groups that are assignable to Microsoft Entra roles |
| microsoft.directory/accessReviews/definitions.groupsAssignableToRoles/create | Create access reviews for membership in groups that are assignable to Microsoft Entra roles |
| microsoft.directory/accessReviews/definitions.groupsAssignableToRoles/delete | Delete access reviews for membership in groups that are assignable to Microsoft Entra roles |
| microsoft.directory/administrativeUnits/allProperties/allTasks | Create and manage administrative units (including members) |
| microsoft.directory/authorizationPolicy/allProperties/allTasks | Manage all aspects of authorization policy (privileged) |
| microsoft.directory/directoryRoles/allProperties/allTasks | Create and delete directory roles, and read and update all properties |
| microsoft.directory/groupsAssignableToRoles/allProperties/update | Update role-assignable groups |
| microsoft.directory/groupsAssignableToRoles/assignLicense | Assign a license to role-assignable groups |
| microsoft.directory/groupsAssignableToRoles/create | Create role-assignable groups |
| microsoft.directory/groupsAssignableToRoles/delete | Delete role-assignable groups |
| microsoft.directory/groupsAssignableToRoles/reprocessLicenseAssignment | Reprocess license assignments to role-assignable groups |
| microsoft.directory/groupsAssignableToRoles/restore | Restore role-assignable groups |
| microsoft.directory/oAuth2PermissionGrants/allProperties/allTasks | Create and delete OAuth 2.0 permission grants, and read and update all properties (privileged) |
| microsoft.directory/permissionGrantPolicies/allProperties/read | Read all properties of permission grant policies |
| microsoft.directory/permissionGrantPolicies/allProperties/update | Update all properties of permission grant policies |
| microsoft.directory/permissionGrantPolicies/create | Create permission grant policies |
| microsoft.directory/permissionGrantPolicies/delete | Delete permission grant policies |
| microsoft.directory/privilegedIdentityManagement/allProperties/allTasks | Create and delete all resources, and read and update standard properties in Privileged Identity Management |
| microsoft.directory/roleAssignments/allProperties/allTasks | Create and delete role assignments, and read and update all role assignment properties |
| microsoft.directory/roleDefinitions/allProperties/allTasks | Create and delete role definitions, and read and update all properties |
| microsoft.directory/scopedRoleMemberships/allProperties/allTasks | Create and delete scopedRoleMemberships, and read and update all properties |
| microsoft.directory/servicePrincipals/appRoleAssignedTo/update | Update service principal role assignments |
| microsoft.directory/servicePrincipals/managePermissionGrantsForAll.microsoft-company-admin | Grant consent for any permission to any application |
| microsoft.directory/servicePrincipals/permissions/update | Update permissions of service principals |
| microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |