| title | Windows 365 Administrator |
|---|---|
| description | Windows 365 Administrator |
| ms.topic | include |
| ms.date | 01/26/2026 |
| ms.custom | include file |
Users with this role have global permissions on Windows 365 resources, when the service is present. Additionally, this role contains the ability to manage users and devices in order to associate policy, as well as create and manage groups.
This role can create and manage security groups, but does not have administrator rights over Microsoft 365 groups. That means administrators cannot update owners or memberships of Microsoft 365 groups in the organization. However, they can manage the Microsoft 365 group they create, which is a part of their end-user privileges. So, any Microsoft 365 group (not security group) they create is counted against their quota of 250.
Assign the Windows 365 Administrator role to users who need to do the following tasks:
- Manage Windows 365 Cloud PCs in Microsoft Intune
- Enroll and manage devices in Microsoft Entra ID, including assigning users and policies
- Create and manage security groups, but not role-assignable groups
- View basic properties in the Microsoft 365 admin center
- Read usage reports in the Microsoft 365 admin center
- Create and manage support tickets in Azure and the Microsoft 365 admin center
[!div class="mx-tableFixed"]
Actions Description microsoft.azure.supportTickets/allEntities/allTasks Create and manage Azure support tickets microsoft.cloudPC/allEntities/allProperties/allTasks Manage all aspects of Windows 365 microsoft.directory/deletedItems.devices/delete Permanently delete devices, which can no longer be restored microsoft.directory/deletedItems.devices/restore Restore soft deleted devices to original state microsoft.directory/deviceManagementPolicies/standard/read Read standard properties on mobile device management and mobile app management policies microsoft.directory/deviceRegistrationPolicy/standard/read Read standard properties on device registration policies microsoft.directory/devices/basic/update Update basic properties on devices microsoft.directory/devices/create Create devices (enroll in Microsoft Entra ID) microsoft.directory/devices/delete Delete devices from Microsoft Entra ID microsoft.directory/devices/disable Disable devices in Microsoft Entra ID microsoft.directory/devices/enable Enable devices in Microsoft Entra ID microsoft.directory/devices/extensionAttributeSet1/update Update the extensionAttribute1 to extensionAttribute5 properties on devices microsoft.directory/devices/extensionAttributeSet2/update Update the extensionAttribute6 to extensionAttribute10 properties on devices microsoft.directory/devices/extensionAttributeSet3/update Update the extensionAttribute11 to extensionAttribute15 properties on devices microsoft.directory/devices/registeredOwners/update Update registered owners of devices microsoft.directory/devices/registeredUsers/update Update registered users of devices microsoft.directory/groups.security/assignedLabels/update Update the assigned labels property on Security groups of assigned membership type, excluding role-assignable groups microsoft.directory/groups.security/basic/update Update basic properties on Security groups, excluding role-assignable groups microsoft.directory/groups.security/classification/update Update the classification property on Security groups, excluding role-assignable groups microsoft.directory/groups.security/create Create Security groups, excluding role-assignable groups microsoft.directory/groups.security/delete Delete Security groups, excluding role-assignable groups microsoft.directory/groups.security/dynamicMembershipRule/update Update the dynamic membership rule on Security groups, excluding role-assignable groups microsoft.directory/groups.security/members/update Update members of Security groups, excluding role-assignable groups microsoft.directory/groups.security/owners/update Update owners of Security groups, excluding role-assignable groups microsoft.directory/groups.security/visibility/update Update the visibility property on Security groups, excluding role-assignable groups microsoft.office365.supportTickets/allEntities/allTasks Create and manage Microsoft 365 service requests microsoft.office365.usageReports/allEntities/allProperties/read Read Office 365 usage reports microsoft.office365.webPortal/allEntities/standard/read Read basic properties on all resources in the Microsoft 365 admin center