EMSTAC - Users and Groups in Azure

Users and Groups in Azure

Ratings

(0)

There are three main types of user accounts in Microsoft Entra ID.

Cloud identity user accounts: users created directly within Entra ID.
Directory synchronised identity user accounts: users in defined in Windows Server Active Directory.
Guest user accounts: users invited from outside Azure.

Group Accounts/User Groups

There Distribution groups for sending email notifications are two types of user groups you can create in Azure, Security groups and Microsoft 365 groups.

With Security groups you can give permissions to all the members of a group instead of doing it individually. So it is important to group users security wise.

Microsoft 365 Groups is for collaboration and access to Microsoft SaaS apps like Teams, Outlook, etc.,

Administrative Unit (AU) this is used to restrict permissions in a role specific portions of your organisation. For example, you can create an administrative unit for a regional support team and assign specific roles to manage users only within that region. AUs can only be managed by Global Admin or Privileged Role Admin.

Some Roles and Administrators in Azure

Administrative roles are used for granting access for privileged actions in Microsoft Entra ID.

Role

Description

Privilege

Type

Application Administrator

Can create and manage all aspects of app registrations and enterprise apps.

PRIVILEGED

Built-in

Application Developer

Can create application registrations independent of the 'Users can register applications' setting.

PRIVILEGED

Built-in

Attack Payload Author

Can create attack payloads that an administrator can initiate later.

Built-in

Attack Simulation Administrator

Can create and manage all aspects of attack simulation campaigns.

Built-in

Attribute Assignment Administrator

Assign custom security attribute keys and values to supported Microsoft Entra objects.

Built-in

Attribute Assignment Reader

Read custom security attribute keys and values for supported Microsoft Entra objects.

Built-in

Attribute Definition Administrator

Define and manage the definition of custom security attributes.

Built-in

Attribute Definition Reader

Read the definition of custom security attributes.

Built-in

Attribute Log Administrator

Read audit logs and configure diagnostic settings for events related to custom security attributes.

Built-in

Attribute Log Reader

Read audit logs related to custom security attributes.

Built-in

Authentication Administrator

Can access to view, set and reset authentication method information for any non-admin user.

PRIVILEGED

Built-in

Authentication Extensibility Administrator

Customize sign in and sign up experiences for users by creating and managing custom authentication extensions.

PRIVILEGED

Built-in

Authentication Policy Administrator

Can create and manage the authentication methods policy, tenant-wide MFA settings, password protection policy, and verifiable credentials.

Built-in

Azure DevOps Administrator

Can manage Azure DevOps organization policy and settings.

Built-in

Azure Information Protection Administrator

Can manage all aspects of the Azure Information Protection product.

Built-in

B2C IEF Keyset Administrator

Can manage secrets for federation and encryption in the Identity Experience Framework (IEF).

PRIVILEGED

Built-in

B2C IEF Policy Administrator

Can create and manage trust framework policies in the Identity Experience Framework (IEF).

Built-in

Billing Administrator

Can perform common billing related tasks like updating payment information.

Built-in

Cloud App Security Administrator

Can manage all aspects of the Cloud App Security product.

Built-in

Cloud Application Administrator

Can create and manage all aspects of app registrations and enterprise apps except App Proxy.

PRIVILEGED

Built-in

Cloud Device Administrator

Limited access to manage devices in Microsoft Entra ID.

PRIVILEGED

Built-in

Compliance Administrator

Can read and manage compliance configuration and reports in Microsoft Entra ID and Microsoft 365.

Built-in

Compliance Data Administrator

Creates and manages compliance content.

Built-in

Conditional Access Administrator

Can manage Conditional Access capabilities.

PRIVILEGED

Built-in

Customer LockBox Access Approver

Can approve Microsoft support requests to access customer organizational data.

Built-in

Desktop Analytics Administrator

Can access and manage Desktop management tools and services.

Built-in

Directory Readers

Can read basic directory information. Commonly used to grant directory read access to applications and guests.

Built-in

Directory Writers

Can read and write basic directory information. For granting access to applications, not intended for users.

PRIVILEGED

Built-in

Domain Name Administrator

Can manage domain names in cloud and on-premises.

PRIVILEGED

Built-in

Dynamics 365 Administrator

Can manage all aspects of the Dynamics 365 product.

Built-in

Dynamics 365 Business Central Administrator

Access and perform all administrative tasks on Dynamics 365 Business Central environments.

Built-in

Edge Administrator

Manage all aspects of Microsoft Edge.

Built-in

Exchange Administrator

Can manage all aspects of the Exchange product.

Built-in

Exchange Recipient Administrator

Can create or update Exchange Online recipients within the Exchange Online organization.

Built-in

Extended Directory User Administrator

Manage all aspects of external user profiles in the extended directory for Teams.

Built-in

External ID User Flow Administrator

Can create and manage all aspects of user flows.

Built-in

External ID User Flow Attribute Administrator

Can create and manage the attribute schema available to all user flows.

Built-in

External Identity Provider Administrator

Can configure identity providers for use in direct federation.

PRIVILEGED

Built-in

Fabric Administrator

Can manage all aspects of Microsoft Fabric.

Built-in

Global Administrator

Can manage all aspects of Microsoft Entra ID and Microsoft services that use Microsoft Entra identities.

PRIVILEGED

Built-in

Global Reader

Can read everything that a Global Administrator can, but not update anything.

PRIVILEGED

Built-in

Global Secure Access Administrator

Create and manage all aspects of Microsoft Entra Internet Access and Microsoft Entra Private Access, including managing access to public and private endpoints.

Built-in

Groups Administrator

Members of this role can create/manage groups, create/manage groups settings like naming and expiration policies, and view groups activity and audit reports.

Built-in

Guest Inviter

Can invite guest users independent of the 'members can invite guests' setting.

Built-in

Helpdesk Administrator

Can reset passwords for non-administrators and Helpdesk Administrators.

PRIVILEGED

Built-in

Hybrid Identity Administrator

Can manage AD to Microsoft Entra cloud provisioning, Microsoft Entra Connect, and federation settings.

PRIVILEGED

Built-in

Identity Governance Administrator

Manage access using Microsoft Entra ID Governance scenarios.

Built-in

Insights Administrator

Has administrative access in the Microsoft 365 Insights app.

Built-in

Insights Analyst

Access the analytical capabilities in Microsoft Viva Insights and run custom queries.

Built-in

Insights Business Leader

Can view and share dashboards and insights via the M365 Insights app.

Built-in

Intune Administrator

Can manage all aspects of the Intune product.

PRIVILEGED

Built-in

Kaizala Administrator

Can manage settings for Microsoft Kaizala.

Built-in

Knowledge Administrator

Can configure knowledge, learning, and other intelligent features.

Built-in

Knowledge Manager

Has access to topic management dashboard and can manage content.

Built-in

License Administrator

Can manage product licenses on users and groups.

Built-in

Lifecycle Workflows Administrator

Create and manage all aspects of workflows and tasks associated with Lifecycle Workflows in Microsoft Entra ID.

PRIVILEGED

Built-in

Message Center Privacy Reader

Can read security messages and updates in Office 365 Message Center only.

Built-in

Message Center Reader

Can read messages and updates for their organization in Office 365 Message Center only.

Built-in

Microsoft 365 Migration Administrator

Perform all migration functionality to migrate content to Microsoft 365 using Migration Manager.

Built-in

Microsoft Entra Joined Device Local Administrator

Users assigned to this role are added to the local administrators group on Microsoft Entra joined devices.

Built-in

Microsoft Hardware Warranty Administrator

Create and manage all aspects warranty claims and entitlements for Microsoft manufactured hardware, like Surface and HoloLens.

Built-in

Microsoft Hardware Warranty Specialist

Create and read warranty claims for Microsoft manufactured hardware, like Surface and HoloLens.

Built-in

Network Administrator

Can manage network locations and review enterprise network design insights for Microsoft 365 Software as a Service applications.

Built-in

Office Apps Administrator

Can manage Office apps cloud services, including policy and settings management, and manage the ability to select, unselect and publish 'what's new' feature content to end-user's devices.

Built-in

Organizational Branding Administrator

Manage all aspects of organizational branding in a tenant.

Built-in

Organizational Messages Approver

Review, approve, or reject new organizational messages for delivery in the Microsoft 365 admin center before they are sent to users.

Built-in

Organizational Messages Writer

Write, publish, manage, and review the organizational messages for end-users through Microsoft product surfaces.

Built-in

Password Administrator

Can reset passwords for non-administrators and Password Administrators.

PRIVILEGED

Built-in

Permissions Management Administrator

Manage all aspects of Entra Permissions Management.

Built-in

Power Platform Administrator

Can create and manage all aspects of Microsoft Dynamics 365, PowerApps and Microsoft Flow.

Built-in

Printer Administrator

Can manage all aspects of printers and printer connectors.

Built-in

Printer Technician

Can register and unregister printers and update printer status.

Built-in

Privileged Authentication Administrator

Can access to view, set and reset authentication method information for any user (admin or non-admin).

PRIVILEGED

Built-in

Privileged Role Administrator

Can manage role assignments in Microsoft Entra ID, and all aspects of Privileged Identity Management.

PRIVILEGED

Built-in

Reports Reader

Can read sign-in and audit reports.

Built-in

Search Administrator

Can create and manage all aspects of Microsoft Search settings.

Built-in

Search Editor

Can create and manage the editorial content such as bookmarks, Q and As, locations, floorplan.

Built-in

Security Administrator

Can read security information and reports, and manage configuration in Microsoft Entra ID and Office 365.

PRIVILEGED

Built-in

Security Operator

Creates and manages security events.

PRIVILEGED

Built-in

Security Reader

Can read security information and reports in Microsoft Entra ID and Microsoft 365.

PRIVILEGED

Built-in

Service Support Administrator

Can read service health information and manage support tickets.

Built-in

SharePoint Administrator

Can manage all aspects of the SharePoint service.

Built-in

SharePoint Embedded Administrator

Manage all aspects of SharePoint Embedded containers.

Built-in

Skype for Business Administrator

Can manage all aspects of the Skype for Business product.

Built-in

Teams Administrator

Can manage the Microsoft Teams service.

Built-in

Teams Communications Administrator

Can manage calling and meetings features within the Microsoft Teams service.

Built-in

Teams Communications Support Engineer

Can troubleshoot communications issues within Teams using advanced tools.

Built-in

Teams Communications Support Specialist

Can troubleshoot communications issues within Teams using basic tools.

Built-in

Teams Devices Administrator

Can perform management related tasks on Teams certified devices.

Built-in

Teams Telephony Administrator

Manage voice and telephony features and troubleshoot communication issues within the Microsoft Teams service.

Built-in

Tenant Creator

Create new Microsoft Entra or Azure AD B2C tenants.

Built-in

Usage Summary Reports Reader

Can see only tenant level aggregates in Microsoft 365 Usage Analytics and Productivity Score.

Built-in

User Administrator

Can manage all aspects of users and groups, including resetting passwords for limited admins.

PRIVILEGED

Built-in

User Experience Success Manager

View product feedback, survey results, and reports to find training and communication opportunities.

Built-in

Virtual Visits Administrator

Manage and share Virtual Visits information and metrics from admin centers or the Virtual Visits app.

Built-in

Viva Goals Administrator

Manage and configure all aspects of Microsoft Viva Goals.

Built-in

Viva Pulse Administrator

Can manage all settings for Microsoft Viva Pulse app.

Built-in

Windows 365 Administrator

Can provision and manage all aspects of Cloud PCs.

Built-in

Windows Update Deployment Administrator

Can create and manage all aspects of Windows Update deployments through the Windows Update for Business deployment service.

Built-in

Yammer Administrator

Manage all aspects of the Yammer service.

Built-in

Azure Arc is a solution that bridges the gap between on-premises, edge, and multi-cloud environments, allowing businesses to manage, govern, and secure their infrastructure effectively.

Cloud Computing

Users and Groups in Azure

Introducing PowerShell

Cloud Computing

Users and Groups in Azure

Related Articles

Cloud Components and Shared Responsibility Model

Azure Arc

Introducing PowerShell