Azure RBAC

Azure AD admin roles and Role Based Access Control (IAM)

Azure AD provides the following administrator (directory) roles out of the box. They govern the identity plane, that is the tenant itself and the Microsoft online services that use its identities, and are a separate permission system from the Azure resource roles covered further down.

  • Billing Administrator: Makes purchases, manages subscriptions, manages support tickets, and monitors service health.
  • Compliance Administrator: Users with this role have management permissions within the Office 365 Security & Compliance Center and Exchange Admin Center. More information at “About Office 365 admin roles.”
  • Conditional Access Administrator: Users with this role have the ability to manage Azure Active Directory conditional access settings.

    Note

    To deploy Exchange ActiveSync conditional access policy in Azure, the user must also be Global Administrator.

  • Dynamics 365 service administrator: Users with this role have global permissions within Microsoft CRM Online, when the service is present, as well as the ability to manage support tickets and monitor service health. More information at About Office 365 admin roles.
  • Device Administrators: Users with this role become local machine administrators on all Windows 10 devices that are joined to Azure Active Directory. They do not have the ability to manage device objects in Azure Active Directory.
  • Directory Readers: This is a legacy role that is to be assigned to applications that do not support the Consent Framework. It should not be assigned to any users.
  • Directory Synchronization Accounts: Do not use. This role is automatically assigned to the Azure AD Connect service, and is not intended or supported for any other use.
  • Directory Writers: This is a legacy role that is to be assigned to applications that do not support the Consent Framework. It should not be assigned to any users.
  • Exchange Service Administrator: Users with this role have global permissions within Microsoft Exchange Online, when the service is present. More information at About Office 365 admin roles.
  • Global Administrator / Company Administrator: Users with this role have access to all administrative features in Azure Active Directory, as well as services that use Azure AD identities such as Exchange Online, SharePoint Online, and Skype for Business Online. The person who signs up for the Azure Active Directory tenant becomes a Global Administrator. Only Global Administrators (and Privileged Role Administrators, listed below) can assign administrator roles. There can be more than one Global Administrator in a tenant, and Global Admins can reset the password of any user, including all other administrators. Note also that a Global Administrator can elevate their own access to User Access Administrator at the root scope of Azure Resource Manager, after which they can grant any Azure RBAC role on every subscription in the tenant; treat this as the most privileged role in both the directory and the resource plane and keep the number of holders small.

    Note

    In Microsoft Graph API, Azure AD Graph API, and Azure AD PowerShell, this role is identified as “Company Administrator”. It is “Global Administrator” in the Azure portal.

  • Guest Inviter: Users in this role can manage Azure Active Directory B2B guest user invitations when the “Members can invite” user setting is set to No. More information about B2B collaboration at About Azure AD B2B collaboration. It does not include any other permissions.
  • Information Protection Administrator: Users with this role have user rights only on the Azure Information Protection service. They are not granted user rights on Identity Protection Center, Privileged Identity Management, Monitor Office 365 Service Health, or Office 365 Security & Compliance Center. They can configure labels for the Azure Information Protection policy, manage protection templates, and activate protection.
  • Intune Service Administrator: Users with this role have global permissions within Microsoft Intune Online, when the service is present. Additionally, this role contains the ability to manage users and devices in order to associate policy, as well as create and manage groups.
  • Mailbox Administrator: This role is only used as part of Exchange Online email support for RIM Blackberry devices. If your organization does not use Exchange Online email on RIM Blackberry devices, do not use this role.
  • Partner Tier 1 Support: Do not use. This role has been deprecated and will be removed from Azure AD in the future. This role is intended for use by a small number of Microsoft resale partners, and is not intended for general use.
  • Partner Tier 2 Support: Do not use. This role has been deprecated and will be removed from Azure AD in the future. This role is intended for use by a small number of Microsoft resale partners, and is not intended for general use.
  • Password Administrator / Helpdesk Administrator: Users with this role can change passwords, manage service requests, and monitor service health. Helpdesk administrators can change passwords only for non-administrator users and for other Helpdesk administrators; they cannot reset the password of any other administrator.

    Note

    In Microsoft Graph API, Azure AD Graph API and Azure AD PowerShell, this role is identified as “Helpdesk Administrator”. It is “Password Administrator” in the Azure portal.

  • Power BI Service Administrator: Users with this role have global permissions within Microsoft Power BI, when the service is present, as well as the ability to manage support tickets and monitor service health. More information at About Office 365 admin roles.
  • Privileged Role Administrator: Users with this role can manage role assignments in Azure Active Directory, as well as within Azure AD Privileged Identity Management. In addition, this role allows management of all aspects of Privileged Identity Management.
  • Reports Reader: Users with this role can view usage reporting data and the reports dashboard in the Office 365 admin center and the adoption content pack in Power BI. Additionally, the role provides access to sign-in reports and activity in Azure AD and to data returned by the Microsoft Graph reporting API. A user assigned to the Reports Reader role can access only the relevant usage and adoption metrics. They don’t have any admin permissions to configure settings or to access product-specific admin centers such as Exchange.
  • Security Administrator: Users with this role have all of the read-only permissions of the Security reader role, plus the ability to manage configuration for security-related services: Azure Active Directory Identity Protection, Azure Information Protection, Privileged Identity Management, and Office 365 Security & Compliance Center. More information about Office 365 permissions is available at Permissions in the Office 365 Security & Compliance Center.
  • Security Reader: Users with this role have global read-only access, including all information in Azure Active Directory, Identity Protection, Privileged Identity Management, as well as the ability to read Azure Active Directory sign-in reports and audit logs. The role also grants read-only permission in Office 365 Security & Compliance Center. More information about Office 365 permissions is available at Permissions in the Office 365 Security & Compliance Center.
  • Service Support Administrator: Users with this role can open support requests with Microsoft for Azure and Office 365 services, and can view the service dashboard and message center in the Azure portal and Office 365 admin portal. More information at About Office 365 admin roles.
  • SharePoint Service Administrator: Users with this role have global permissions within Microsoft SharePoint Online, when the service is present, as well as the ability to manage support tickets and monitor service health. More information at About Office 365 admin roles.
  • Skype for Business / Lync Service Administrator: Users with this role have global permissions within Microsoft Skype for Business, when the service is present, as well as manage Skype-specific user attributes in Azure Active Directory. Additionally, this role grants the ability to manage support tickets and monitor service health. More information at About Office 365 admin roles.

More details about the AAD administrator role permissions can be found at: https://docs.microsoft.com/en-gb/azure/active-directory/active-directory-assign-admin-roles-azure-portal
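Several entries in the list above carry an operational rule (Directory Readers, Directory Writers, Directory Synchronization Accounts and the Partner Tier roles should never be held by people, and Global Administrator should be held by as few accounts as possible). The following Python script is an added example, not code from the original article, showing how to check a tenant against those rules. It runs offline on a constructed payload shaped like the Microsoft Graph response to GET /directoryRoles?$expand=members (only the fields used here); the tenant, users, service principal, placeholder template IDs and the threshold of two Global Administrators are all assumptions.

```python
"""Audit Azure AD directory role membership against the guidance in the role list.

Added example, not code from the original article. It runs offline on a
constructed payload shaped like the Microsoft Graph response to
GET /directoryRoles?$expand=members (only the fields used here); the tenant,
users, service principal and threshold below are made up.
"""
import json

# Global Administrator is reported as "Company Administrator" by Azure AD Graph
# and Azure AD PowerShell and as "Global Administrator" in the portal, so key
# on the role template ID, which is identical in every tenant.
GLOBAL_ADMIN_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"

# Roles the list above says must never be held by a human user.
NO_USER_ROLES = {
    "Directory Readers",
    "Directory Writers",
    "Directory Synchronization Accounts",
    "Partner Tier1 Support",
    "Partner Tier2 Support",
}

MAX_GLOBAL_ADMINS = 2  # assumed policy threshold; tune it to your tenant

USER_TYPE = "#microsoft.graph.user"

# Constructed sample payload (not real tenant data). Template IDs other than
# the Global Administrator one are placeholders.
SAMPLE_DIRECTORY_ROLES = json.dumps({"value": [
    {"displayName": "Company Administrator",
     "roleTemplateId": GLOBAL_ADMIN_TEMPLATE_ID,
     "members": [
         {"@odata.type": USER_TYPE, "userPrincipalName": "alice@contoso.example"},
         {"@odata.type": USER_TYPE, "userPrincipalName": "bob@contoso.example"},
         {"@odata.type": USER_TYPE, "userPrincipalName": "breakglass@contoso.example"},
     ]},
    {"displayName": "Directory Readers",
     "roleTemplateId": "11111111-1111-1111-1111-111111111111",
     "members": [
         {"@odata.type": "#microsoft.graph.servicePrincipal", "displayName": "legacy-app"},
         {"@odata.type": USER_TYPE, "userPrincipalName": "carol@contoso.example"},
     ]},
    {"displayName": "Helpdesk Administrator",
     "roleTemplateId": "22222222-2222-2222-2222-222222222222",
     "members": [
         {"@odata.type": USER_TYPE, "userPrincipalName": "dave@contoso.example"},
     ]},
]})


def audit_directory_roles(raw_json, max_global_admins=MAX_GLOBAL_ADMINS):
    """Return findings as dicts with 'role', 'principal' and 'issue' keys."""
    findings = []
    for role in json.loads(raw_json)["value"]:
        name = role.get("displayName", "")
        # Only user objects count; service principals are legitimately in
        # application-only roles such as Directory Readers.
        users = [m["userPrincipalName"] for m in role.get("members", [])
                 if m.get("@odata.type") == USER_TYPE]
        # Too many standing Global Administrators widens the blast radius of
        # a single compromised account; matching on the template ID catches
        # the role under either of its display names.
        if (role.get("roleTemplateId") == GLOBAL_ADMIN_TEMPLATE_ID
                and len(users) > max_global_admins):
            findings.append({
                "role": name,
                "principal": ", ".join(users),
                "issue": f"{len(users)} Global Administrators, policy allows {max_global_admins}",
            })
        # Application-only and deprecated roles assigned to people.
        if name in NO_USER_ROLES:
            for upn in users:
                findings.append({"role": name, "principal": upn,
                                 "issue": "role is not intended for user accounts"})
    return findings


if __name__ == "__main__":
    for f in audit_directory_roles(SAMPLE_DIRECTORY_ROLES):
        print(f"{f['role']}: {f['principal']}: {f['issue']}")
```

On the sample this reports the three Global Administrators and carol's Directory Readers membership, and ignores the service principal in Directory Readers. To run it against a real tenant, feed it the JSON returned by a Graph client with a directory read permission for the same query (for example via `az rest --method get --url "https://graph.microsoft.com/v1.0/directoryRoles?\$expand=members"`, given here as an assumed invocation).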

Azure also offers a granular set of roles for managing each Azure resource through the Access Control (IAM) blade. This is a separate permission system from the directory roles above: an assignment is made at a scope (subscription, resource group or individual resource) and is inherited by everything beneath that scope, and the list of roles offered for a given resource is generated from its resource type.

For example, the following roles are available on an IoT Hub resource in Azure:

[Image: iot-hub-iam, the Access Control (IAM) role list shown for an IoT Hub]

A resource group, by comparison, exposes a much larger list, since roles for every resource type that can live in the group are assignable there:

[Image: Azure RG IAM, the Access Control (IAM) role list shown for a resource group]

More details about AzureRM Access Control (IAM) and Role Based Access Control (RBAC) can be found at: https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal
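Because an RBAC assignment at a subscription or resource group is inherited by every resource below it, the roles shown on a resource's own IAM blade are not the whole story: an Owner at subscription scope has full control of the IoT Hub without ever appearing on the hub's assignment list. The following Python script is an added example, not code from the original article, that resolves the effective assignments for one resource and flags high-privilege roles arriving from a broader scope. Its input is shaped like the output of `az role assignment list --all -o json` (only the fields used here); the subscription ID, resource group, IoT Hub and principal names are constructed.

```python
"""Work out which Azure RBAC assignments reach a given resource.

Added example, not code from the original article. Input is shaped like the
output of `az role assignment list --all -o json` (only the fields used here);
the subscription, resource groups, IoT Hub and principals are constructed.
"""
import json

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/iot-prod"
HUB = RG + "/providers/Microsoft.Devices/IotHubs/hub01"

# Roles that grant everything, or the right to hand out rights.
HIGH_PRIVILEGE_ROLES = {"Owner", "User Access Administrator"}

# Constructed sample assignments (not real tenant data).
SAMPLE_ASSIGNMENTS = json.dumps([
    {"principalName": "alice@contoso.example", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "iot-operators", "principalType": "Group",
     "roleDefinitionName": "Contributor", "scope": RG},
    {"principalName": "device-provisioner", "principalType": "ServicePrincipal",
     "roleDefinitionName": "IoT Hub Registry Contributor", "scope": HUB},
    {"principalName": "bob@contoso.example", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": SUB + "/resourceGroups/other-rg"},
    {"principalName": "iot-prod2-admins", "principalType": "Group",
     "roleDefinitionName": "Owner", "scope": SUB + "/resourceGroups/iot-prod2"},
])


def applies_to(assignment_scope, resource_id):
    """True if an assignment at assignment_scope is inherited by resource_id.

    Within a subscription the RBAC hierarchy is the resource ID path, so a
    case-insensitive prefix match is enough. The appended '/' keeps
    '/resourceGroups/iot-prod' from matching '/resourceGroups/iot-prod2'.
    Caveat: management groups sit above subscriptions but are not path
    prefixes of them, so assignments made there are not detected here.
    """
    a = assignment_scope.rstrip("/").lower()
    r = resource_id.rstrip("/").lower()
    return r == a or r.startswith(a + "/")


def effective_assignments(raw_json, resource_id):
    """All assignments, direct or inherited, that apply to resource_id."""
    return [a for a in json.loads(raw_json) if applies_to(a["scope"], resource_id)]


def inherited_high_privilege(raw_json, resource_id):
    """Owner / User Access Administrator rights reaching the resource from a
    broader scope, which is where over-privilege usually hides."""
    target = resource_id.rstrip("/").lower()
    return [a for a in effective_assignments(raw_json, resource_id)
            if a["roleDefinitionName"] in HIGH_PRIVILEGE_ROLES
            and a["scope"].rstrip("/").lower() != target]


if __name__ == "__main__":
    for a in effective_assignments(SAMPLE_ASSIGNMENTS, HUB):
        print(f"{a['roleDefinitionName']:<30} {a['principalName']:<25} via {a['scope']}")
    for a in inherited_high_privilege(SAMPLE_ASSIGNMENTS, HUB):
        print(f"WARNING: {a['principalName']} is {a['roleDefinitionName']} at {a['scope']}")
```

For hub01 the script lists alice (Owner inherited from the subscription), iot-operators (Contributor inherited from the resource group) and device-provisioner (assigned directly), ignores the assignments in other-rg and iot-prod2, and warns about alice. Feeding it the real `az role assignment list --all` output for a subscription gives the same answer the portal's "Check access" view does, but for every resource at once.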
