title Microsoft Entra built-in roles
description Describes the Microsoft Entra built-in roles and permissions.
search.appverid MET150
ms.topic reference
ms.date 01/22/2026
ms.reviewer abhijeetsinha
ms.custom generated, it-pro, fasttrack-edit, has-azure-ad-ps-ref, azure-ad-ref-level-one-done, sfi-ga-nochange

Microsoft Entra built-in roles

In Microsoft Entra ID, if another administrator or nonadministrator needs to manage Microsoft Entra resources, you assign them a Microsoft Entra role that provides the permissions they need. For example, you can assign roles to allow adding or changing users, resetting user passwords, managing user licenses, or managing domain names.

This article lists the Microsoft Entra built-in roles you can assign to allow management of Microsoft Entra resources. For information about how to assign roles, see Assign Microsoft Entra roles. If you are looking for roles to manage Azure resources, see Azure built-in roles.

All roles

| Role | Description | Template ID |
| --- | --- | --- |
| Agent ID Administrator | Manage all aspects of agents in a tenant including identity lifecycle operations for agent blueprints, agent service principals, agent identities, and agentic users. (Privileged) | db506228-d27e-4b7d-95e5-295956d6615f |
| Agent ID Developer | Create an agent blueprint and its service principal in a tenant. User will be added as an owner of the agent blueprint and its service principal. | adb2368d-a9be-41b5-8667-d96778e081b0 |
| Agent Registry Administrator | Manage all aspects of the Agent Registry service in Microsoft Entra ID | 6b942400-691f-4bf0-9d12-d8a254a2baf5 |
| AI Administrator | Manage all aspects of Microsoft 365 Copilot and AI-related enterprise services in Microsoft 365. | d2562ede-74db-457e-a7b6-544e236ebb61 |
| Application Administrator | Can create and manage all aspects of app registrations and enterprise apps. (Privileged) | 9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3 |
| Application Developer | Can create application registrations independent of the 'Users can register applications' setting. (Privileged) | cf1c38e5-3621-4004-a7cb-879624dced7c |
| Attack Payload Author | Can create attack payloads that an administrator can initiate later. | 9c6df0f2-1e7c-4dc3-b195-66dfbd24aa8f |
| Attack Simulation Administrator | Can create and manage all aspects of attack simulation campaigns. | c430b396-e693-46cc-96f3-db01bf8bb62a |
| Attribute Assignment Administrator | Assign custom security attribute keys and values to supported Microsoft Entra objects. | 58a13ea3-c632-46ae-9ee0-9c0d43cd7f3d |
| Attribute Assignment Reader | Read custom security attribute keys and values for supported Microsoft Entra objects. | ffd52fa5-98dc-465c-991d-fc073eb59f8f |
| Attribute Definition Administrator | Define and manage the definition of custom security attributes. | 8424c6f0-a189-499e-bbd0-26c1753c96d4 |
| Attribute Definition Reader | Read the definition of custom security attributes. | 1d336d2c-4ae8-42ef-9711-b3604ce3fc2c |
| Attribute Log Administrator | Read audit logs and configure diagnostic settings for events related to custom security attributes. | 5b784334-f94b-471a-a387-e7219fc49ca2 |
| Attribute Log Reader | Read audit logs related to custom security attributes. | 9c99539d-8186-4804-835f-fd51ef9e2dcd |
| Attribute Provisioning Administrator | Read and edit the provisioning configuration of all active custom security attributes for an application. (Privileged) | ecb2c6bf-0ab6-418e-bd87-7986f8d63bbe |
| Attribute Provisioning Reader | Read the provisioning configuration of all active custom security attributes for an application. (Privileged) | 422218e4-db15-4ef9-bbe0-8afb41546d79 |
| Authentication Administrator | Can access to view, set and reset authentication method information for any non-admin user. (Privileged) | c4e39bd9-1100-46d3-8c65-fb160da0071f |
| Authentication Extensibility Administrator | Customize sign in and sign up experiences for users by creating and managing custom authentication extensions. (Privileged) | 25a516ed-2fa0-40ea-a2d0-12923a21473a |
| Authentication Policy Administrator | Can create and manage the authentication methods policy, tenant-wide MFA settings, password protection policy, and verifiable credentials. | 0526716b-113d-4c15-b2c8-68e3c22b9f80 |
| Azure DevOps Administrator | Can manage Azure DevOps policies and settings. | e3973bdf-4987-49ae-837a-ba8e231c7286 |
| Azure Information Protection Administrator | Can manage all aspects of the Azure Information Protection product. | 7495fdc4-34c4-4d15-a289-98788ce399fd |
| B2C IEF Keyset Administrator | Can manage secrets for federation and encryption in the Identity Experience Framework (IEF). (Privileged) | aaf43236-0c0d-4d5f-883a-6955382ac081 |
| B2C IEF Policy Administrator | Can create and manage trust framework policies in the Identity Experience Framework (IEF). | 3edaf663-341e-4475-9f94-5c398ef6c070 |
| Billing Administrator | Can perform common billing related tasks like updating payment information. | b0f54661-2d74-4c50-afa3-1ec803f12efe |
| Cloud App Security Administrator | Can manage all aspects of the Defender for Cloud Apps product. | 892c5842-a9a6-463a-8041-72aa08ca3cf6 |
| Cloud Application Administrator | Can create and manage all aspects of app registrations and enterprise apps except App Proxy. (Privileged) | 158c047a-c907-4556-b7ef-446551a6b5f7 |
| Cloud Device Administrator | Limited access to manage devices in Microsoft Entra ID. (Privileged) | 7698a772-787b-4ac8-901f-60d6b08affd2 |
| Compliance Administrator | Can read and manage compliance configuration and reports in Microsoft Entra ID and Microsoft 365. | 17315797-102d-40b4-93e0-432062caca18 |
| Compliance Data Administrator | Creates and manages compliance content. | e6d1a23a-da11-4be4-9570-befc86d067a7 |
| Conditional Access Administrator | Can manage Conditional Access capabilities. (Privileged) | b1be1c3e-b65d-4f19-8427-f6fa0d97feb9 |
| Customer LockBox Access Approver | Can approve Microsoft support requests to access customer organizational data. | 5c4f9dcd-47dc-4cf7-8c9a-9e4207cbfc91 |
| Desktop Analytics Administrator | Can access and manage Desktop management tools and services. | 38a96431-2bdf-4b4c-8b6e-5d3d8abac1a4 |
| Directory Readers | Can read basic directory information. Commonly used to grant directory read access to applications and guests. | 88d8e3e3-8f55-4a1e-953a-9b9898b8876b |
| Directory Synchronization Accounts | Only used by Microsoft Entra Connect service. | d29b2b05-8046-44ba-8758-1e26182fcf32 |
| Directory Writers | Can read and write basic directory information. For granting access to applications, not intended for users. (Privileged) | 9360feb5-f418-4baa-8175-e2a00bac4301 |
| Domain Name Administrator | Can manage domain names in cloud and on-premises. (Privileged) | 8329153b-31d0-4727-b945-745eb3bc5f31 |
| Dragon Administrator | Manage all aspects of the Microsoft Dragon admin center. | e93e3737-fa85-474a-aee4-7d3fb86510f3 |
| Dynamics 365 Administrator | Can manage all aspects of the Dynamics 365 product. | 44367163-eba1-44c3-98af-f5787879f96a |
| Dynamics 365 Business Central Administrator | Access and perform all administrative tasks on Dynamics 365 Business Central environments. | 963797fb-eb3b-4cde-8ce3-5878b3f32a3f |
| Edge Administrator | Manage all aspects of Microsoft Edge. | 3f1acade-1e04-4fbc-9b69-f0302cd84aef |
| Exchange Administrator | Can manage all aspects of the Exchange product. | 29232cdf-9323-42fd-ade2-1d097af3e4de |
| Exchange Backup Administrator | Back up and restore content (including granular restore) for Exchange in Microsoft 365 Backup | 49eb8f75-97e9-4e37-9b2b-6c3ebfcffa31 |
| Exchange Recipient Administrator | Can create or update Exchange Online recipients within the Exchange Online organization. | 31392ffb-586c-42d1-9346-e59415a2cc4e |
| Extended Directory User Administrator | Manage all aspects of external user profiles in the extended directory for Teams. | dd13091a-6207-4fc0-82ba-3641e056ab95 |
| External ID User Flow Administrator | Can create and manage all aspects of user flows. | 6e591065-9bad-43ed-90f3-e9424366d2f0 |
| External ID User Flow Attribute Administrator | Can create and manage the attribute schema available to all user flows. | 0f971eea-41eb-4569-a71e-57bb8a3eff1e |
| External Identity Provider Administrator | Can configure identity providers for use in direct federation. (Privileged) | be2f45a1-457d-42af-a067-6ec1fa63bc45 |
| Fabric Administrator | Can manage all aspects of the Fabric and Power BI products. | a9ea8996-122f-4c74-9520-8edcd192826c |
| Global Administrator | Can manage all aspects of Microsoft Entra ID and Microsoft services that use Microsoft Entra identities. (Privileged) | 62e90394-69f5-4237-9190-012177145e10 |
| Global Reader | Can read everything that a Global Administrator can, but not update anything. (Privileged) | f2ef992c-3afb-46b9-b7cf-a126ee74c451 |
| Global Secure Access Administrator | Create and manage all aspects of Global Secure Internet Access and Microsoft Global Secure Private Access, including managing access to public and private endpoints. | ac434307-12b9-4fa1-a708-88bf58caabc1 |
| Global Secure Access Log Reader | Provides designated security personnel with read-only access to network traffic logs in Microsoft Entra Internet Access and Microsoft Entra Private Access for detailed analysis. | 843318fb-79a6-4168-9e6f-aa9a07481cc4 |
| Groups Administrator | Members of this role can create/manage groups, create/manage groups settings like naming and expiration policies, and view groups activity and audit reports. | fdd7a751-b60b-444a-984c-02652fe8fa1c |
| Guest Inviter | Can invite guest users independent of the 'members can invite guests' setting. | 95e79109-95c0-4d8e-aee3-d01accf2d47b |
| Helpdesk Administrator | Can reset passwords for non-administrators and Helpdesk Administrators. (Privileged) | 729827e3-9c14-49f7-bb1b-9608f156bbb8 |
| Hybrid Identity Administrator | Manage Active Directory to Microsoft Entra cloud provisioning, Microsoft Entra Connect, pass-through authentication (PTA), password hash synchronization (PHS), seamless single sign-on (seamless SSO), and federation settings. Does not have access to manage Microsoft Entra Connect Health. (Privileged) | 8ac3fc64-6eca-42ea-9e69-59f4c7b60eb2 |
| Identity Governance Administrator | Manage access using Microsoft Entra ID for identity governance scenarios. | 45d8d3c5-c802-45c6-b32a-1d70b5e1e86e |
| Insights Administrator | Has administrative access in the Microsoft 365 Insights app. | eb1f4a8d-243a-41f0-9fbd-c7cdf6c5ef7c |
| Insights Analyst | Access the analytical capabilities in Microsoft Viva Insights and run custom queries. | 25df335f-86eb-4119-b717-0ff02de207e9 |
| Insights Business Leader | Can view and share dashboards and insights via the Microsoft 365 Insights app. | 31e939ad-9672-4796-9c2e-873181342d2d |
| Intune Administrator | Can manage all aspects of the Intune product. (Privileged) | 3a2c62db-5318-420d-8d74-23affee5d9d5 |
| IoT Device Administrator | Provision new IoT devices, manage their lifecycle, configure certificates, and manage device templates. | 2ea5ce4c-b2d8-4668-bd81-3680bd2d227a |
| Kaizala Administrator | Can manage settings for Microsoft Kaizala. | 74ef975b-6605-40af-a5d2-b9539d836353 |
| Knowledge Administrator | Can configure knowledge, learning, and other intelligent features. | b5a8dcf3-09d5-43a9-a639-8e29ef291470 |
| Knowledge Manager | Can organize, create, manage, and promote topics and knowledge. | 744ec460-397e-42ad-a462-8b3f9747a02c |
| License Administrator | Can manage product licenses on users and groups. | 4d6ac14f-3453-41d0-bef9-a3e0c569773a |
| Lifecycle Workflows Administrator | Create and manage all aspects of workflows and tasks associated with Lifecycle Workflows in Microsoft Entra ID. (Privileged) | 59d46f88-662b-457b-bceb-5c3809e5908f |
| Message Center Privacy Reader | Can read security messages and updates in Office 365 Message Center only. | ac16e43d-7b2d-40e0-ac05-243ff356ab5b |
| Message Center Reader | Can read messages and updates for their organization in Office 365 Message Center only. | 790c1fb9-7f7d-4f88-86a1-ef1f95c05c1b |
| Microsoft 365 Backup Administrator | Back up and restore content across supported services (SharePoint, OneDrive, and Exchange Online) in Microsoft 365 Backup | 1707125e-0aa2-4d4d-8655-a7c786c76a25 |
| Microsoft 365 Migration Administrator | Perform all migration functionality to migrate content to Microsoft 365 using Migration Manager. | 8c8b803f-96e1-4129-9349-20738d9f9652 |
| Microsoft Entra Joined Device Local Administrator | Users assigned to this role are added to the local administrators group on Microsoft Entra joined devices. | 9f06204d-73c1-4d4c-880a-6edb90606fd8 |
| Microsoft Graph Data Connect Administrator | Manage aspects of Microsoft Graph Data Connect service in a tenant. | ee67aa9c-e510-4759-b906-227085a7fd4d |
| Microsoft Hardware Warranty Administrator | Create and manage all aspects warranty claims and entitlements for Microsoft manufactured hardware, like Surface and HoloLens. | 1501b917-7653-4ff9-a4b5-203eaf33784f |
| Microsoft Hardware Warranty Specialist | Create and read warranty claims for Microsoft manufactured hardware, like Surface and HoloLens. | 281fe777-fb20-4fbb-b7a3-ccebce5b0d96 |
| Network Administrator | Can manage network locations and review enterprise network design insights for Microsoft 365 Software as a Service applications. | d37c8bed-0711-4417-ba38-b4abe66ce4c2 |
| Office Apps Administrator | Can manage Office apps cloud services, including policy and settings management, and manage the ability to select, unselect and publish 'what's new' feature content to end-user's devices. | 2b745bdf-0803-4d80-aa65-822c4493daac |
| Organizational Branding Administrator | Manage all aspects of organizational branding in a tenant. | 92ed04bf-c94a-4b82-9729-b799a7a4c178 |
| Organizational Data Source Administrator | Set up and manage the ingestion of organizational data into Microsoft 365. | 9d70768a-0cbc-4b4c-aea3-2e124b2477f4 |
| Organizational Messages Approver | Review, approve, or reject new organizational messages for delivery in the Microsoft 365 admin center before they are sent to users. | e48398e2-f4bb-4074-8f31-4586725e205b |
| Organizational Messages Writer | Write, publish, manage, and review the organizational messages for end-users through Microsoft product surfaces. | 507f53e4-4e52-4077-abd3-d2e1558b6ea2 |
| Partner Tier1 Support | Do not use - not intended for general use. (Privileged) | 4ba39ca4-527c-499a-b93d-d9b492c50246 |
| Partner Tier2 Support | Do not use - not intended for general use. (Privileged) | e00e864a-17c5-4a4b-9c06-f5b95a8d5bd8 |
| Password Administrator | Can reset passwords for non-administrators and Password Administrators. (Privileged) | 966707d0-3269-4727-9be2-8c3a10f19b9d |
| People Administrator | Manage profile photos of users and people settings for all users in the organization. | 024906de-61e5-49c8-8572-40335f1e0e10 |
| Permissions Management Administrator | Manage all aspects of Microsoft Entra Permissions Management. | af78dc32-cf4d-46f9-ba4e-4428526346b5 |
| Places Administrator | Manage all aspects of the Microsoft Places service. | 78b0ccd1-afc2-4f92-9116-b41aedd09592 |
| Power Platform Administrator | Can create and manage all aspects of Microsoft Dynamics 365, Power Apps and Power Automate. | 11648597-926c-4cf3-9c36-bcebb0ba8dcc |
| Printer Administrator | Can manage all aspects of printers and printer connectors. | 644ef478-e28f-4e28-b9dc-3fdde9aa0b1f |
| Printer Technician | Can register and unregister printers and update printer status. | e8cef6f1-e4bd-4ea8-bc07-4b8d950f4477 |
| Privileged Authentication Administrator | Can access to view, set and reset authentication method information for any user (admin or non-admin). (Privileged) | 7be44c8a-adaf-4e2a-84d6-ab2649e08a13 |
| Privileged Role Administrator | Can manage role assignments in Microsoft Entra ID, and all aspects of Privileged Identity Management. (Privileged) | e8611ab8-c189-46e8-94e1-60213ab1f814 |
| Reports Reader | Can read sign-in and audit reports. | 4a5d8f65-41da-4de4-8968-e035b65339cf |
| Search Administrator | Can create and manage all aspects of Microsoft Search settings. | 0964bb5e-9bdb-4d7b-ac29-58e794862a40 |
| Search Editor | Can create and manage the editorial content such as bookmarks, Q and As, locations, floorplan. | 8835291a-918c-4fd7-a9ce-faa49f0cf7d9 |
| Security Administrator | Can read security information and reports, and manage configuration in Microsoft Entra ID and Office 365. (Privileged) | 194ae4cb-b126-40b2-bd5b-6091b380977d |
| Security Operator | Creates and manages security events. (Privileged) | 5f2222b1-57c3-48ba-8ad5-d4759f1fde6f |
| Security Reader | Can read security information and reports in Microsoft Entra ID and Office 365. (Privileged) | 5d6b6bb7-de71-4623-b4af-96380a352509 |
| Service Support Administrator | Can read service health information and manage support tickets. | f023fd81-a637-4b56-95fd-791ac0226033 |
| SharePoint Administrator | Can manage all aspects of the SharePoint service. | f28a1f50-f6e7-4571-818b-6a12f2af6b6c |
| SharePoint Advanced Management Administrator | Manage all aspects of SharePoint Advanced Management. | 99009c4a-3b3f-4957-82a9-9d35e12db77e |
| SharePoint Backup Administrator | Back up and restore content (including granular restore) for SharePoint and OneDrive in Microsoft 365 Backup | 9d3e04ba-3ee4-4d1b-a3a7-9aef423a09be |
| SharePoint Embedded Administrator | Manage all aspects of SharePoint Embedded containers. | 1a7d78b6-429f-476b-b8eb-35fb715fffd4 |
| Skype for Business Administrator | Can manage all aspects of the Skype for Business product. | 75941009-915a-4869-abe7-691bff18279e |
| Teams Administrator | Can manage the Microsoft Teams service. | 69091246-20e8-4a56-aa4d-066075b2a7a8 |
| Teams Communications Administrator | Can manage calling and meetings features within the Microsoft Teams service. | baf37b3a-610e-45da-9e62-d9d1e5e8914b |
| Teams Communications Support Engineer | Can troubleshoot communications issues within Teams using advanced tools. | f70938a0-fc10-4177-9e90-2178f8765737 |
| Teams Communications Support Specialist | Can troubleshoot communications issues within Teams using basic tools. | fcf91098-03e3-41a9-b5ba-6f0ec8188a12 |
| Teams Devices Administrator | Can perform management related tasks on Teams certified devices. | 3d762c5a-1b6c-493f-843e-55a3b42923d4 |
| Teams Reader | Read everything in the Teams admin center, but not update anything. | 1076ac91-f3d9-41a7-a339-dcdf5f480acc |
| Teams Telephony Administrator | Manage voice and telephony features and troubleshoot communication issues within the Microsoft Teams service. | aa38014f-0993-46e9-9b45-30501a20909d |
| Tenant Creator | Create new Microsoft Entra or Azure AD B2C tenants. | 112ca1a2-15ad-4102-995e-45b0bc479a6a |
| Usage Summary Reports Reader | Read Usage reports and Adoption Score, but can't access user details. | 75934031-6c7e-415a-99d7-48dbd49e875e |
| User Administrator | Can manage all aspects of users and groups, including resetting passwords for limited admins. (Privileged) | fe930be7-5e62-47db-91af-98c3a49a38b1 |
| User Experience Success Manager | View product feedback, survey results, and reports to find training and communication opportunities. | 27460883-1df1-4691-b032-3b79643e5e63 |
| Virtual Visits Administrator | Manage and share Virtual Visits information and metrics from admin centers or the Virtual Visits app. | e300d9e7-4a2b-4295-9eff-f1c78b36cc98 |
| Viva Glint Tenant Administrator | Manage and configure Microsoft Viva Glint settings in the Microsoft 365 admin center. | 0ec3f692-38d6-4d14-9e69-0377ca7797ad |
| Viva Goals Administrator | Manage and configure all aspects of Microsoft Viva Goals. | 92b086b3-e367-4ef2-b869-1de128fb986e |
| Viva Pulse Administrator | Can manage all settings for Microsoft Viva Pulse app. | 87761b17-1ed2-4af3-9acd-92a150038160 |
| Windows 365 Administrator | Can provision and manage all aspects of Cloud PCs. | 11451d60-acb2-45eb-a7d6-43d0f0125c13 |
| Windows Update Deployment Administrator | Can create and manage all aspects of Windows Update deployments through the Windows Update for Business deployment service. | 32696413-001a-46ae-978c-ce0f6b3620d2 |
| Yammer Administrator | Manage all aspects of the Yammer service. | 810a2642-a034-447f-a5e8-41beaa378541 |

Agent ID Administrator

[!INCLUDE agent-id-administrator]

Agent ID Developer

[!INCLUDE agent-id-developer]

Agent Registry Administrator

[!INCLUDE agent-registry-administrator]

AI Administrator

[!INCLUDE ai-administrator]

Application Administrator

[!INCLUDE application-administrator]

Application Developer

[!INCLUDE application-developer]

Attack Payload Author

[!INCLUDE attack-payload-author]

Attack Simulation Administrator

[!INCLUDE attack-simulation-administrator]

Attribute Assignment Administrator

[!INCLUDE attribute-assignment-administrator]

Attribute Assignment Reader

[!INCLUDE attribute-assignment-reader]

Attribute Definition Administrator

[!INCLUDE attribute-definition-administrator]

Attribute Definition Reader

[!INCLUDE attribute-definition-reader]

Attribute Log Administrator

[!INCLUDE attribute-log-administrator]

Attribute Log Reader

[!INCLUDE attribute-log-reader]

Attribute Provisioning Administrator

[!INCLUDE attribute-provisioning-administrator]

Attribute Provisioning Reader

[!INCLUDE attribute-provisioning-reader]

Authentication Administrator

[!INCLUDE authentication-administrator]

Authentication Extensibility Administrator

[!INCLUDE authentication-extensibility-administrator]

Authentication Policy Administrator

[!INCLUDE authentication-policy-administrator]

Azure DevOps Administrator

[!INCLUDE azure-devops-administrator]

Azure Information Protection Administrator

[!INCLUDE azure-information-protection-administrator]

B2C IEF Keyset Administrator

[!INCLUDE b2c-ief-keyset-administrator]

B2C IEF Policy Administrator

[!INCLUDE b2c-ief-policy-administrator]

Billing Administrator

[!INCLUDE billing-administrator]

Cloud App Security Administrator

[!INCLUDE cloud-app-security-administrator]

Cloud Application Administrator

[!INCLUDE cloud-application-administrator]

Cloud Device Administrator

[!INCLUDE cloud-device-administrator]

Compliance Administrator

[!INCLUDE compliance-administrator]

Compliance Data Administrator

[!INCLUDE compliance-data-administrator]

Conditional Access Administrator

[!INCLUDE conditional-access-administrator]

Customer LockBox Access Approver

[!INCLUDE customer-lockbox-access-approver]

Desktop Analytics Administrator

[!INCLUDE desktop-analytics-administrator]

Directory Readers

[!INCLUDE directory-readers]

Directory Synchronization Accounts

[!INCLUDE directory-synchronization-accounts]

Directory Writers

[!INCLUDE directory-writers]

Domain Name Administrator

[!INCLUDE domain-name-administrator]

Dragon Administrator

[!INCLUDE dragon-administrator]

Dynamics 365 Administrator

[!INCLUDE dynamics-365-administrator]

Dynamics 365 Business Central Administrator

[!INCLUDE dynamics-365-business-central-administrator]

Edge Administrator

[!INCLUDE edge-administrator]

Exchange Administrator

[!INCLUDE exchange-administrator]

Exchange Backup Administrator

[!INCLUDE exchange-backup-administrator]

Exchange Recipient Administrator

[!INCLUDE exchange-recipient-administrator]

Extended Directory User Administrator

[!INCLUDE extended-directory-user-administrator]

External ID User Flow Administrator

[!INCLUDE external-id-user-flow-administrator]

External ID User Flow Attribute Administrator

[!INCLUDE external-id-user-flow-attribute-administrator]

External Identity Provider Administrator

[!INCLUDE external-identity-provider-administrator]

Fabric Administrator

[!INCLUDE fabric-administrator]

Global Administrator

[!INCLUDE global-administrator]

Global Reader

[!INCLUDE global-reader]

Global Secure Access Administrator

[!INCLUDE global-secure-access-administrator]

Global Secure Access Log Reader

[!INCLUDE global-secure-access-log-reader]

Groups Administrator

[!INCLUDE groups-administrator]

Guest Inviter

[!INCLUDE guest-inviter]

Helpdesk Administrator

[!INCLUDE helpdesk-administrator]

Hybrid Identity Administrator

[!INCLUDE hybrid-identity-administrator]

Identity Governance Administrator

[!INCLUDE identity-governance-administrator]

Insights Administrator

[!INCLUDE insights-administrator]

Insights Analyst

[!INCLUDE insights-analyst]

Insights Business Leader

[!INCLUDE insights-business-leader]

Intune Administrator

[!INCLUDE intune-administrator]

IoT Device Administrator

[!INCLUDE iot-device-administrator]

Kaizala Administrator

[!INCLUDE kaizala-administrator]

Knowledge Administrator

[!INCLUDE knowledge-administrator]

Knowledge Manager

[!INCLUDE knowledge-manager]

License Administrator

[!INCLUDE license-administrator]

Lifecycle Workflows Administrator

[!INCLUDE lifecycle-workflows-administrator]

Message Center Privacy Reader

[!INCLUDE message-center-privacy-reader]

Message Center Reader

[!INCLUDE message-center-reader]

Microsoft 365 Backup Administrator

[!INCLUDE microsoft-365-backup-administrator]

Microsoft 365 Migration Administrator

[!INCLUDE microsoft-365-migration-administrator]

Microsoft Entra Joined Device Local Administrator

[!INCLUDE microsoft-entra-joined-device-local-administrator]

Microsoft Graph Data Connect Administrator

[!INCLUDE microsoft-graph-data-connect-administrator]

Microsoft Hardware Warranty Administrator

[!INCLUDE microsoft-hardware-warranty-administrator]

Microsoft Hardware Warranty Specialist

[!INCLUDE microsoft-hardware-warranty-specialist]

Network Administrator

[!INCLUDE network-administrator]

Office Apps Administrator

[!INCLUDE office-apps-administrator]

Organizational Branding Administrator

[!INCLUDE organizational-branding-administrator]

Organizational Data Source Administrator

[!INCLUDE organizational-data-source-administrator]

Organizational Messages Approver

[!INCLUDE organizational-messages-approver]

Organizational Messages Writer

[!INCLUDE organizational-messages-writer]

Partner Tier1 Support

[!INCLUDE partner-tier1-support]

Partner Tier2 Support

[!INCLUDE partner-tier2-support]

Password Administrator

[!INCLUDE password-administrator]

People Administrator

[!INCLUDE people-administrator]

Permissions Management Administrator

[!INCLUDE permissions-management-administrator]

Places Administrator

[!INCLUDE places-administrator]

Power Platform Administrator

[!INCLUDE power-platform-administrator]

Printer Administrator

[!INCLUDE printer-administrator]

Printer Technician

[!INCLUDE printer-technician]

Privileged Authentication Administrator

[!INCLUDE privileged-authentication-administrator]

Privileged Role Administrator

[!INCLUDE privileged-role-administrator]

Reports Reader

[!INCLUDE reports-reader]

Search Administrator

[!INCLUDE search-administrator]

Search Editor

[!INCLUDE search-editor]

Security Administrator

[!INCLUDE security-administrator]

Security Operator

[!INCLUDE security-operator]

Security Reader

[!INCLUDE security-reader]

Service Support Administrator

[!INCLUDE service-support-administrator]

SharePoint Administrator

[!INCLUDE sharepoint-administrator]

SharePoint Advanced Management Administrator

[!INCLUDE sharepoint-advanced-management-administrator]

SharePoint Backup Administrator

[!INCLUDE sharepoint-backup-administrator]

SharePoint Embedded Administrator

[!INCLUDE sharepoint-embedded-administrator]

Skype for Business Administrator

[!INCLUDE skype-for-business-administrator]

Teams Administrator

[!INCLUDE teams-administrator]

Teams Communications Administrator

[!INCLUDE teams-communications-administrator]

Teams Communications Support Engineer

[!INCLUDE teams-communications-support-engineer]

Teams Communications Support Specialist

[!INCLUDE teams-communications-support-specialist]

Teams Devices Administrator

[!INCLUDE teams-devices-administrator]

Teams Reader

[!INCLUDE teams-reader]

Teams Telephony Administrator

[!INCLUDE teams-telephony-administrator]

Tenant Creator

[!INCLUDE tenant-creator]

Usage Summary Reports Reader

[!INCLUDE usage-summary-reports-reader]

User Administrator

[!INCLUDE user-administrator]

User Experience Success Manager

[!INCLUDE user-experience-success-manager]

Virtual Visits Administrator

[!INCLUDE virtual-visits-administrator]

Viva Glint Tenant Administrator

[!INCLUDE viva-glint-tenant-administrator]

Viva Goals Administrator

[!INCLUDE viva-goals-administrator]

Viva Pulse Administrator

[!INCLUDE viva-pulse-administrator]

Windows 365 Administrator

[!INCLUDE windows-365-administrator]

Windows Update Deployment Administrator

[!INCLUDE windows-update-deployment-administrator]

Yammer Administrator

[!INCLUDE yammer-administrator]

Deprecated roles

The following roles should not be used. They have been deprecated and will be removed from Microsoft Entra ID in the future.

  • AdHoc License Administrator
  • Device Join
  • Device Managers
  • Device Users
  • Email Verified User Creator
  • Mailbox Administrator
  • Workplace Device Join

Roles not shown in the portal

Not every role returned by PowerShell or the Microsoft Graph API is visible in the Microsoft Entra roles interface. The following table lists those differences.

| API name | Microsoft Entra admin center portal name | Notes |
| --- | --- | --- |
| Agent User | Not shown because it's implicitly assigned to users of agents | NA |
| Device Join | Deprecated | Deprecated roles documentation |
| Device Managers | Deprecated | Deprecated roles documentation |
| Device Users | Deprecated | Deprecated roles documentation |
| Directory Synchronization Accounts | Not shown because it shouldn't be used | Directory Synchronization Accounts documentation |
| Guest User | Not shown because it can't be used | NA |
| Microsoft 365 Support Engineer | Not shown because it shouldn't be used | Microsoft 365 Support Engineer documentation |
| Modern Commerce Administrator | Not shown because it can't be used | Modern Commerce Administrator |
| Partner Tier 1 Support | Not shown because it shouldn't be used | Partner Tier1 Support documentation |
| Partner Tier 2 Support | Not shown because it shouldn't be used | Partner Tier2 Support documentation |
| Restricted Guest User | Not shown because it can't be used | NA |
| User | Not shown because it can't be used | NA |
| Workplace Device Join | Deprecated | Deprecated roles documentation |

Microsoft 365 Support Engineer

[!INCLUDE microsoft-365-support-engineer]

Modern Commerce Administrator

[!INCLUDE modern-commerce-administrator]

Next steps