# Microsoft Entra ID Role Management

Microsoft Entra ID roles allow you to grant granular permissions to your admins, abiding by the principle of least privilege. Microsoft Entra ID roles control access to Microsoft Entra ID resources such as users, groups, and applications.
Microsoft Entra ID supports two types of role definitions:

- Built-in roles - Built-in roles are out-of-the-box roles that have a fixed set of permissions. These role definitions cannot be modified.
- Custom roles - To round off the edges and meet your sophisticated requirements, Microsoft Entra ID also supports custom roles.
The Microsoft Entra ID roles object type supports the following operations:

- Aggregation of built-in and custom roles as a separate group object
- Create, modify, and delete custom roles
- Aggregation of user membership to roles during account aggregation
- Add/remove built-in and custom roles to/from Microsoft Entra ID users
## Administrator Permissions

| Permission | Permission Type | Purpose |
|---|---|---|
| RoleManagement.ReadWrite.Directory | Application | Add/Remove Roles for Accounts |
| RoleManagement.Read.Directory, Directory.Read.All, RoleManagement.ReadWrite.Directory, Directory.ReadWrite.All | Application | Aggregate Roles |
| RoleManagement.ReadWrite.Directory | Application | Create Role |
| RoleManagement.ReadWrite.Directory | Application | Delete Role |
| RoleManagement.ReadWrite.Directory | Application | Modify Role |
| RoleManagement.Read.Directory, Directory.Read.All, RoleManagement.ReadWrite.Directory, Directory.ReadWrite.All | Application | Read Roles entitlement for Accounts |

For the two read operations (Aggregate Roles and Read Roles entitlement for Accounts), any one of the listed permissions is sufficient; the write operations require RoleManagement.ReadWrite.Directory.
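The table above lists which Microsoft Graph application permissions each connector operation needs. The following Python script, added here as an example and not part of the original page or of the connector itself, turns that table into a least-privilege check: it reads the `roles` claim (the granted application permissions) out of a Graph access token, works out which operations that grant covers, and flags grants that are broader than the operations you actually intend to run. The token in the script is a constructed, unsigned sample built inline so the script runs offline; the `needed_ops` argument, the `BROAD_PERMISSIONS` set and the finding labels are assumptions of this example, not connector settings.

```python
import base64
import json

# Connector operation -> Graph application permissions that satisfy it,
# copied from the permission table. For the two read operations any ONE
# of the listed permissions is enough; the write operations need ReadWrite.
READ_ALTERNATIVES = {
    "RoleManagement.Read.Directory",
    "Directory.Read.All",
    "RoleManagement.ReadWrite.Directory",
    "Directory.ReadWrite.All",
}
OPERATION_PERMISSIONS = {
    "Add/Remove Roles for Accounts": {"RoleManagement.ReadWrite.Directory"},
    "Aggregate Roles": READ_ALTERNATIVES,
    "Create Role": {"RoleManagement.ReadWrite.Directory"},
    "Delete Role": {"RoleManagement.ReadWrite.Directory"},
    "Modify Role": {"RoleManagement.ReadWrite.Directory"},
    "Read Roles entitlement for Accounts": READ_ALTERNATIVES,
}

# Assumption of this example: the Directory.* permissions reach far beyond
# role management, so a RoleManagement.* permission is the narrower choice.
BROAD_PERMISSIONS = {"Directory.Read.All", "Directory.ReadWrite.All"}
WRITE_PERMISSION = "RoleManagement.ReadWrite.Directory"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def app_roles_from_token(token: str) -> set:
    """Return the application permissions in the token's 'roles' claim.

    The signature is deliberately NOT verified: this inspects what a token
    carries, it does not decide whether to trust it.
    """
    _header, payload, _signature = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    return set(claims.get("roles", []))


def allowed_operations(granted: set) -> dict:
    """Map every operation in the table to whether the grant covers it."""
    return {op: bool(perms & granted) for op, perms in OPERATION_PERMISSIONS.items()}


def least_privilege_findings(granted: set, needed_ops: set) -> list:
    """Compare a grant against the operations you intend to run.

    Reports operations the grant cannot perform, Directory.* grants where a
    RoleManagement.* permission would do, and a write grant when only read
    operations are needed.
    """
    findings = []
    allowed = allowed_operations(granted)
    for op in sorted(needed_ops):
        if not allowed[op]:
            findings.append(f"MISSING: no granted permission covers '{op}'")
    for perm in sorted(granted & BROAD_PERMISSIONS):
        findings.append(
            f"OVER-BROAD: {perm} grants directory-wide access; a RoleManagement.* "
            "permission covers every operation in the table"
        )
    write_needed = any(OPERATION_PERMISSIONS[op] == {WRITE_PERMISSION} for op in needed_ops)
    if WRITE_PERMISSION in granted and not write_needed:
        findings.append(
            f"OVER-PRIVILEGED: {WRITE_PERMISSION} granted but only read operations are needed"
        )
    return findings


def build_sample_token(roles: list) -> str:
    """Build a CONSTRUCTED, unsigned token (alg 'none') for offline use only."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    header = {"alg": "none", "typ": "JWT"}
    payload = {"aud": "https://graph.microsoft.com", "roles": roles}
    return f"{enc(header)}.{enc(payload)}."


# Constructed sample: an app registration granted both a broad read and a write permission.
SAMPLE_TOKEN = build_sample_token(["Directory.Read.All", "RoleManagement.ReadWrite.Directory"])

if __name__ == "__main__":
    granted = app_roles_from_token(SAMPLE_TOKEN)
    print("granted:", sorted(granted))
    for op, ok in allowed_operations(granted).items():
        print(f"  {'ok ' if ok else 'NO '} {op}")
    # Suppose this app only aggregates roles and reads entitlements.
    for finding in least_privilege_findings(granted, {"Aggregate Roles", "Read Roles entitlement for Accounts"}):
        print(finding)
```

In practice you would pass a real access token obtained for the connector's app registration and the set of operations you have enabled on the source; the findings then tell you whether the grant can be reduced to RoleManagement.Read.Directory (read-only sources) or RoleManagement.ReadWrite.Directory (sources that create, modify or assign roles).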
## Supported Schema Attributes

To manage Microsoft Entra ID role objects, ensure that the attributes listed in Roles Attributes are present in the group schema.