
Azure AD Roles & Privileges: Azure AD RBAC Model

The Azure AD role-based access control (RBAC) model is how access to Azure AD resources is managed and controlled. It provides a flexible and granular way to assign roles, and therefore permissions, to users, groups, and applications.

Understanding Azure AD Roles

Built In Roles

Azure AD provides more than 100 built-in roles that you can use to manage access to Azure AD resources.

Each role has a specific set of permissions and responsibilities associated with it, allowing you to grant appropriate access to users (or groups of users) based on their organizational roles and responsibilities.

Let’s take a quick look at five of them:

Global Admin

This role has full access to all administrative features in Azure AD and in every service that uses the Azure AD tenant for identity. Global Administrators manage user accounts, assign any role (including Global Administrator itself), configure tenant settings, and perform every other administrative task. Keep membership to a small number of accounts protected by MFA.

Privileged Role Admin

The Privileged Role Administrator manages role assignments in Azure AD, including granting and removing roles that confer administrative access, and manages all aspects of Azure AD Privileged Identity Management (PIM). Because it can assign Global Administrator to any principal, treat it as equivalent to Global Administrator when you review who holds it.

Conditional Access Admin

This role creates and manages Conditional Access policies, which enforce access controls based on conditions such as device state, user location, or sign-in risk. The same permissions let a holder weaken or exclude accounts from MFA policies, so the role has tenant-wide security impact even though it touches no user objects directly.

Security Admin

The Security Administrator manages security-related settings in Azure AD: configuring security defaults and Identity Protection, investigating and mitigating security threats, and reviewing security reports and alerts.

Helpdesk Admin

The Helpdesk Administrator supports day-to-day user issues. Holders can reset passwords and invalidate refresh tokens (forcing a fresh sign-in) for non-administrators and other Helpdesk Administrators, create and manage support requests, and monitor service health. They cannot create or delete users (that is the User Administrator's job) and cannot reset passwords for accounts holding other admin roles, so they have no access to the more sensitive administrative features.

Custom Roles

In Azure AD RBAC you can also create custom roles for access control requirements that the built-in roles do not fit. A custom role is a named set of granular permissions tailored to your organization's needs. Custom roles require an Azure AD Premium P1 or P2 license, and the permissions they can contain are drawn from a fixed list (for example application registration, enterprise application, user, group, and device actions), not from the full permission set of the built-in roles.

Custom roles can be modified or deleted as needed: update the permissions or assignable scopes of a custom role to refine access, and delete a custom role that is no longer needed. Note that deleting a role removes all role assignments associated with it, so check for existing assignments before you delete.
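As an added example (not code from the original article), the following Microsoft Graph PowerShell creates a custom role that can do exactly two things with application registrations, narrows it later, and checks for live assignments before deleting it. The role name, description, and the two resource actions chosen are assumptions for illustration; the cmdlets are from the Microsoft.Graph.Identity.Governance module, which is assumed to be installed.

```powershell
# Added example, not from the original article. Defines a least-privilege custom
# Azure AD role with Microsoft Graph PowerShell. Requires Azure AD Premium P1/P2
# and the RoleManagement.ReadWrite.Directory permission on the signed-in account.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"

# Only the permissions this team actually needs: read app registrations and rotate
# their credentials. No ability to create apps, grant consent, or touch users.
$params = @{
    DisplayName     = "App Credential Rotator (example)"      # assumed name
    Description     = "Reads application registrations and updates their credentials; nothing else"
    IsEnabled       = $true
    RolePermissions = @(
        @{
            AllowedResourceActions = @(
                "microsoft.directory/applications/standard/read",
                "microsoft.directory/applications/credentials/update"
            )
        }
    )
}
$role = New-MgRoleManagementDirectoryRoleDefinition -BodyParameter $params
"Created custom role $($role.DisplayName) with id $($role.Id)"

# Refine in place rather than creating a second role: here the role is narrowed to read-only.
Update-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $role.Id -BodyParameter @{
    RolePermissions = @(
        @{ AllowedResourceActions = @("microsoft.directory/applications/standard/read") }
    )
}

# Deleting a custom role silently removes every assignment that references it,
# so list those assignments first and only delete when none remain.
$still = Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'"
if ($still) {
    Write-Warning "$(@($still).Count) assignment(s) still reference this role; remove them before deleting"
} else {
    Remove-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $role.Id
    "Deleted custom role $($role.Id)"
}
```

The resource action strings follow the `microsoft.directory/<object>/<property set>/<operation>` pattern used by all Azure AD role definitions; you can inspect a built-in role's `RolePermissions` with `Get-MgRoleManagementDirectoryRoleDefinition` to see which strings are available to copy into a custom role.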


Understanding Azure AD Role Assignment

A role assignment in Azure AD associates a role definition with a security principal (a user, a group, or a service principal, which is the identity of an application) at a specific scope. The assignment grants that principal the permissions defined in the role over the resources inside the scope.

Let’s take a quick look at the three key components of role assignment:

Security Principal

The security principal is the identity to which the permissions are granted: a user account, a group, or a service principal (the identity of an application or service). It receives access to Azure AD resources according to the assigned role.

Role Definition

The role definition is the collection of permissions that states which actions can be performed on Azure AD resources. As noted above, Azure AD ships built-in roles with predefined permission sets, and custom roles can be created for requirements the built-in roles do not cover.

Scope

The scope determines the boundary within which the permissions granted by the role assignment apply, that is, the set of objects over which the principal can exercise the role. In Azure AD the scope is the whole tenant (directory scope "/"), an administrative unit, or a specific resource within Azure AD (for example a single application registration for some application-related roles). Two principals can hold the same role with very different blast radius depending on the scope.
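The three components described above, as an added example that is not part of the original article: a built-in role is assigned to a group with the scope restricted to one administrative unit, and the principal's assignments are then read back so the scope can be verified. The group name "Helpdesk-EMEA" and the administrative unit name "EMEA Users" are assumptions; the group must already be role-assignable (created with isAssignableToRole set), which Azure AD requires for any group used in a role assignment.

```powershell
# Added example, not from the original article. Assigns a built-in Azure AD role
# to a role-assignable group, scoped to a single administrative unit, then lists
# the principal's assignments with their scopes. Names below are assumptions.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory","AdministrativeUnit.Read.All","Group.Read.All"

# 1. Security principal: a role-assignable group rather than individual users,
#    so membership changes do not require new role assignments.
$principal = Get-MgGroup -Filter "displayName eq 'Helpdesk-EMEA'"            # assumed group

# 2. Role definition: resolve the built-in role by name instead of hard-coding a GUID.
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Helpdesk Administrator'"

# 3. Scope: an administrative unit, so password resets work only for users inside it.
$au = Get-MgDirectoryAdministrativeUnit -Filter "displayName eq 'EMEA Users'"  # assumed AU

$assignment = New-MgRoleManagementDirectoryRoleAssignment -BodyParameter @{
    PrincipalId      = $principal.Id
    RoleDefinitionId = $roleDef.Id
    DirectoryScopeId = "/administrativeUnits/$($au.Id)"   # "/" here would mean the whole tenant
}
"Assignment $($assignment.Id) created at scope $($assignment.DirectoryScopeId)"

# Verify: every assignment this principal holds, with its scope.
# Any row whose Scope is "/" is tenant-wide and deserves a second look.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($principal.Id)'" |
    ForEach-Object {
        $d = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $_.RoleDefinitionId
        [pscustomobject]@{ Role = $d.DisplayName; Scope = $_.DirectoryScopeId }
    } | Format-Table -AutoSize
```

The read-back loop is the check worth keeping: the same cmdlet with a `principalId` filter shows at a glance whether an account that was meant to be AU-scoped has quietly acquired a tenant-wide ("/") assignment as well.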

Categorical Explanation Of Azure AD Roles

Azure AD Specific Roles

Microsoft groups about 27 of the built-in roles as Azure AD-specific: they manage and control access to objects inside Azure AD itself, with varying levels of permission within the Azure AD environment.

Here are three of them:

Authentication Admin

The Authentication Administrator manages authentication methods and settings for non-administrator users. Holders can view, set, and reset authentication methods (including passwords and registered MFA and self-service password reset (SSPR) factors), require users to re-register for MFA, and create and manage support tickets in Azure. Because resetting a user's authentication methods is enough to take over that user's account, this role is sensitive even though it applies only to non-administrators.

Application Admin

The Application Administrator creates and manages all aspects of application registrations, enterprise applications, and Application Proxy settings in Azure AD. Holders can create, update, and delete application registrations, configure permissions and consent, and manage application settings. One consequence worth noting: the role can add credentials (a secret or certificate) to an application and then sign in as that application, so it effectively inherits whatever permissions the tenant's applications have been granted.

User Admin

The User Administrator focuses on user management within Azure AD. Holders can create, update, and delete user accounts, reset passwords for non-administrators and a small set of limited admin roles, and perform other user-related tasks such as group and license management. They cannot modify accounts that hold roles such as Global Administrator.

Service specific Roles

The service-specific roles (about 29) exist for the major Microsoft 365 services outside Azure AD itself. They grant permission to manage features within that one service.

Here are three of them:

Intune Admin

Intune Administrators manage all Intune settings and enrolled devices. Within Azure AD they can also create and manage all security groups, but they have no administrative rights over Microsoft 365 groups (neither owners nor membership).

SharePoint Admin

SharePoint Administrators manage access and settings within SharePoint Online: site and tenant configuration, support tickets, and service health monitoring.

Exchange Admin

Exchange Administrators manage all aspects of Exchange Online. The role can also create and manage all Microsoft 365 groups and open support tickets.

Cross service Roles

The Azure AD RBAC model also includes cross-service roles, which grant permissions across multiple Microsoft 365 services rather than within a single one. These roles let you perform administrative or read-only tasks that span services.

Two global roles make up the first group of cross-service roles and are honoured by all Microsoft 365 services:

  • Global Administrator
  • Global Reader

Alongside them, some security-specific roles are also cross-service:

  • Security Administrator
  • Security Reader

These two roles grant, respectively, administrative and read-only access to a number of security services across Microsoft 365.

Understanding Azure AD Privileges

In the Azure AD RBAC model, privileges are the specific actions or operations (permissions) that a principal assigned to a role may perform on Azure AD resources, such as read, update, delete, or manage. In a role definition each privilege appears as a resource action string, for example microsoft.directory/users/basic/update.

Roles define a collection of privileges, and users assigned those roles inherit the associated privileges. When assigning roles to users, you are effectively granting them the corresponding privileges to perform actions on Azure AD resources.

For instance, if you assign the Authentication Administrator role to a user, that user gains permission to view, set, and reset authentication methods for non-administrator users.

Each built-in role comes with a predefined set of permissions (privileges) tailored to a set of tasks or responsibilities, and you can also create custom roles that match your own access control requirements.

It is important to consider the privileges each role carries and to assign roles on the principle of least privilege: grant users only the privileges their tasks require, minimising the risk of unauthorised access or unintended actions in the Azure AD environment. In practice that means scoping assignments to administrative units where possible, preferring a narrower built-in or custom role over Global Administrator, and reviewing who holds the privileged roles on a regular basis.
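As an added example (not code from the original article), the following script performs the review the paragraph above recommends: it enumerates every active assignment of four sensitive roles across the tenant, resolves each principal's type, and warns on two common least-privilege findings. The list of roles to check and the warning threshold of five Global Administrators (Microsoft's guidance is to keep the role to fewer than five people) are assumptions you can adjust.

```powershell
# Added example, not from the original article. Tenant-wide audit of sensitive
# Azure AD role assignments. Requires RoleManagement.Read.Directory and
# Directory.Read.All on the signed-in account. The role list is an assumption.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Directory.Read.All"

$sensitiveRoles = @(
    "Global Administrator",
    "Privileged Role Administrator",   # can assign Global Administrator
    "Application Administrator",       # can add credentials to any app and sign in as it
    "Authentication Administrator"     # can reset MFA/password for non-admins
)

$findings = foreach ($name in $sensitiveRoles) {
    $def = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$name'"
    # Direct assignments only: members of an assigned group are not expanded here,
    # and PIM-eligible (not yet activated) assignments are not included.
    $assignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($def.Id)'" -All
    foreach ($a in $assignments) {
        # Resolve the principal to learn whether it is a user, group or service principal.
        $p = Get-MgDirectoryObject -DirectoryObjectId $a.PrincipalId
        [pscustomobject]@{
            Role      = $name
            Principal = $p.AdditionalProperties["displayName"]
            Type      = ($p.AdditionalProperties["@odata.type"] -replace "#microsoft.graph.", "")
            Scope     = $a.DirectoryScopeId      # "/" means tenant-wide
        }
    }
}

$findings | Sort-Object Role, Type | Format-Table -AutoSize

# Finding 1: too many standing Global Administrators.
$ga = @($findings | Where-Object Role -eq "Global Administrator")
if ($ga.Count -ge 5) {
    Write-Warning "$($ga.Count) Global Administrator assignments; keep the role below five and move the rest to PIM eligibility"
}

# Finding 2: a service principal holding a privileged role. Anyone who can add a
# credential to that application inherits the role, which is rarely intended.
$findings | Where-Object Type -eq "servicePrincipal" | ForEach-Object {
    Write-Warning "Service principal '$($_.Principal)' holds $($_.Role) at scope $($_.Scope)"
}
```

Run this on a schedule and diff the output against the previous run; a new row, a change from an AU scope to "/", or a service principal appearing in the table are the events worth an incident ticket. To include group members, pass each group's Id to Get-MgGroupMember and repeat the type resolution for the members.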

Azure AD Roles & Privileges: Azure AD RBAC Model Conclusion

Azure AD RBAC provides a flexible and scalable approach to managing access control within the Azure AD environment. It lets you grant the appropriate level of permissions to users and groups while enforcing the principle of least privilege. Used well, RBAC improves security, supports governance, and streamlines access management across the resources that rely on Azure AD.


Anmol Nigam