Microsoft Entra Role Management

Microsoft Entra SaaS roles allow you to grant granular permissions to your admins, abiding by the principle of least privilege. Microsoft Entra roles control access to Microsoft Entra resources such as users, groups, and applications.

Microsoft Entra supports two types of roles definitions:

Built-in roles - Built-in roles are out of box roles that have a fixed set of permissions. These role definitions cannot be modified.
Custom roles - To round off the edges and meet your sophisticated requirements, Microsoft Entra also supports custom roles.

Microsoft Entra roles object type supports the following operations:

Aggregation of built-in and custom roles as separate group object
Aggregation of user membership to roles during account aggregation
Add / Remove built-in and custom roles to Microsoft Entra users

Administrator Permissions

Permission	Permission Type	Purpose
RoleManagement.ReadWrite.Directory	Application	Add/Remove Roles for Accounts
RoleManagement.Read.Directory, Directory.Read.All, RoleManagement.ReadWrite.Directory, Directory.ReadWrite.All	Application	Aggregate Roles
RoleManagement.ReadWrite.Directory	Application	Provisioning
RoleManagement.Read.Directory, Directory.Read.All, RoleManagement.ReadWrite.Directory, Directory.ReadWrite.All	Application	Read Roles entitlement for Accounts

Supported Schema Attributes

To manage the Microsoft Entra role objects, ensure that the attributes present in Roles Attributes are present in the group schema.

Feedback is provided as an informational resource only and does not form part of SailPoint's official product documentation. SailPoint does not warrant or make any guarantees about the feedback (including without limitation as to its accuracy, relevance, or reliability). All feedback is subject to the terms set forth at https://developer.sailpoint.com/discuss/tos.


	You are here:

Microsoft Entra Role Management

Administrator Permissions

Supported Schema Attributes

Documentation Feedback