
Howdy folks,

 

I’m excited to announce that 16 new built-in roles for Azure AD—including the highly requested Global reader—are now in public preview. We heard from you that daily admin tasks shouldn’t require you to be a Global administrator. And we couldn’t agree more! These new roles allow you to delegate administration tasks and reduce the number of Global administrators in your directory. These roles are available globally for all subscriptions.

 

Global reader is a read-only version of the Global administrator role, which allows you to view all settings and administrative information across Microsoft 365. You can use the Global reader role for planning, audits, and investigations. Global reader can also be combined with other limited administrative roles, such as Exchange administrator, making it easier to work without Global administrator privileges.

 

Global reader is in public preview and is supported across virtually all Microsoft 365 services. Support for viewing SharePoint Online settings and administrative information is on the way. Check out the documentation, which contains full details and will be updated as we make changes and enhancements.

 

Other new built-in roles include the Authentication administrator and Privileged authentication administrator roles, which grant granular permissions for credential management, as well as a set of roles for managing Azure AD B2C. Learn more about the new built-in roles in the table below.

 

As a best practice, we recommend having no more than five permanent Global administrators. To support this, our strategy is to provide built-in roles for 90 percent of your scenarios, and to provide the capability for you to build custom roles for requirements that are specific to your organization.

Custom roles give you fine-grained control over what an administrator can do. We recently introduced custom roles for app registrations. We’re working on expanding this capability to enable you to create custom roles for other management scenarios, as well.

 

In the Azure portal, under Roles and administrators, newly added built-in roles are highlighted with a green flag next to the role name.

 

[Image: Roles and administrators tab in the Azure portal.]

 

Role name: Description

Authentication administrator: View, set, and reset authentication method information and passwords for any non-admin user.

Azure DevOps administrator: Manage Azure DevOps organization policy and settings.

B2C user flow administrator: Create and manage all aspects of user flows.

B2C user flow attribute administrator: Create and manage the attribute schema available to all user flows.

B2C IEF Keyset administrator: Manage secrets for federation and encryption in the Identity Experience Framework.

B2C IEF Policy administrator: Create and manage trust framework policies in the Identity Experience Framework.

Compliance data administrator: Create and manage compliance data and alerts.

External Identity Provider administrator: Configure identity providers for use in direct federation.

Global reader: View everything a Global administrator can view without the ability to edit or change.

Kaizala administrator: Manage settings for Microsoft Kaizala.

Message center privacy reader: Read Message center posts, data privacy messages, groups, domains and subscriptions.

Password administrator: Reset passwords for non-administrators and Password administrators.

Privileged authentication administrator: View, set, and reset authentication method information for any user (admin or non-admin).

Security operator: Creates and manages security events.

Search administrator: Create and manage all aspects of Microsoft Search settings.

Search editor: Create and manage editorial content such as bookmarks, Q & As, locations, floorplan.

 

For more details on built-in roles in Azure AD, check out Administrator role permissions in Azure AD, which contains full details and will be updated as we make changes and enhancements.

 

As always, we'd love to hear your feedback, thoughts, and suggestions. Feel free to share with us on the Azure AD administrative roles forum or leave comments below. We look forward to hearing from you!

 

Best regards,

 

Alex Simons (@Alex_A_Simons)

Corporate VP of Program Management

Microsoft Identity Division

18 Comments
Senior Member

Great news! Are these new roles compatible with Azure Administrative Units?

 

Our organization is divided into multiple units with their own IT operations teams that we don't want interfering with each other. We're excited for these new roles but would like for them to be scoped to a specific group of users. Maybe there's a different way to scope these roles.

 

Thanks again. Always exciting and encouraging to learn about the developments here!

Visitor

Is there a method to switch the roles dynamically, similar to AWS IAM roles?

 

@Spencer Stewart - We have not currently enabled these roles to be scoped to Administrative Units. But eventually we will. We are actively working on improving Administrative Units' experience.

 

cc: @Vince Smith , @Anand Yadav 

@tandockers - Can you please elaborate your scenario? I would love to understand more.

Senior Member

@Abhijeet Kumar Sinha, thank you very much for the reply. I'm glad to hear AUs are still actively progressing! They are a feature we are very interested in. Thanks again!

Visitor

Is Azure DevOps administrator already working? I can not do anything with Azure DevOps in terms of management after being added to the group.

Occasional Visitor

How about a role for managing MFA? 

Microsoft

@ilik0 We have a new feature that is private preview where users with the Azure DevOps Administrator role can manage a new policy to restrict creating new orgs in their company. If you want to join our private preview, please ping me at rajr@microsoft.com.

Senior Member

This is great Alex, we've been eager for the Global Reader role. I have a suggestion: similar to how the Global Administrator can be toggled on to be an inherited User Access Administrator for every subscription in the AAD tenant, could you also make the Global Reader members capable of being a Reader for every subscription in the AAD tenant?

@Bryan Dougherty - Thanks for your feedback! I think you are trying to say that users in Global Reader role should optionally have read access to all Azure subscriptions in a tenant. Please post this on UserVoice forum so that others can vote on it. 

@kevinkus - We released Authentication Administrator and Privileged Authentication Administrator. These roles can manage MFA of users in the tenant. Refer to this documentation for more details - https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-ro....

 

Is this what you were looking for? If not, please elaborate your scenario a bit.

Occasional Visitor

I don't see those roles available in my tenant to manage MFA unless I am completely overlooking it

[Screenshots: roles.JPG, roles2.JPG]

Occasional Visitor

@abhijeet kumar sinha:

It didn't work; please don't tease us like this :) I checked to see if the 2 roles you mentioned to Kevink have new capabilities, but the MFA option is still grayed-out in the Azure portal --> AAD. So unfortunately, we created a very complex privileged granting global admin and monitoring/auditing process for our helpdesk anytime they enroll an oath token for a user, and not do anything else in the Azure portal. Enrolling oath tokens shouldn't be limited to global admins. I heard that a limited MFA-enrollment role was coming, and was too hopeful that this announcement was it; apparently not!

 

@kevinkus: Your screenshot looks like it came from Office 365 admin center. You'll need to go to portal.azure.com --> Azure Active Directory --> Roles and Administrators to see the new roles.

@vyim_hal - It looks like as an Authentication Administrator, you are trying to reset password or modify MFA properties of another admin, not a regular user. Authentication Administrator has privileges over only users who are non-administrators or assigned the following roles only: Authentication Administrator, Directory Readers, Guest Inviter, Message Center Reader and Reports Reader. Refer to this documentation - https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-ro...

 

If you want to modify authentication properties of all admins, consider using Privileged Authentication Admin. Refer to the documentation here - https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-ro...
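The post recommends keeping no more than five permanent Global administrators, and the reply above spells out the rule for which users an Authentication administrator can act on (non-admins, or users holding only Authentication Administrator, Directory Readers, Guest Inviter, Message Center Reader or Reports Reader). The script below is an added example, not Microsoft's code and not part of the post or the comments: it runs both checks over a constructed export of role assignments. The user names, the tenant domain, and the distinction between a permanent and an eligible (just-in-time) assignment are assumptions made for the example.

```python
"""Directory-role audit for two points raised on this page (example code added
here, not Microsoft's and not from the post): the guidance to keep no more than
five permanent Global administrators, and the reply explaining which users an
Authentication administrator can act on.

The tenant data below is constructed for illustration; the user names and the
'permanent' vs 'eligible' assignment flag are assumptions, not page content.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

GLOBAL_ADMIN = "Global administrator"
MAX_PERMANENT_GLOBAL_ADMINS = 5  # best-practice ceiling stated in the post

# Roles whose holders an Authentication administrator may still manage,
# as listed in the reply above; a user with no role at all is also in scope.
AUTH_ADMIN_MANAGEABLE_ROLES = frozenset({
    "Authentication administrator",
    "Directory readers",
    "Guest inviter",
    "Message center reader",
    "Reports reader",
})

# Constructed sample users (not real accounts).
SAMPLE_USERS: List[str] = [
    f"{name}@contoso.example"
    for name in ("alice", "bob", "carol", "dave", "erin", "frank",
                 "grace", "heidi", "ivan", "judy")
]

# Constructed role assignments: (user, role, permanent). permanent=False
# stands in for an eligible (just-in-time) assignment, an assumption here.
SAMPLE_ASSIGNMENTS: List[Tuple[str, str, bool]] = [
    ("alice@contoso.example", GLOBAL_ADMIN, True),
    ("bob@contoso.example", GLOBAL_ADMIN, True),
    ("carol@contoso.example", GLOBAL_ADMIN, True),
    ("dave@contoso.example", GLOBAL_ADMIN, True),
    ("erin@contoso.example", GLOBAL_ADMIN, True),
    ("frank@contoso.example", GLOBAL_ADMIN, True),   # sixth permanent GA
    ("grace@contoso.example", GLOBAL_ADMIN, False),  # eligible only
    ("heidi@contoso.example", "Global reader", True),
    ("ivan@contoso.example", "Reports reader", True),
    ("ivan@contoso.example", "Directory readers", True),
    # judy holds no role at all
]


def roles_by_user(assignments) -> Dict[str, Set[str]]:
    """Map each user to the set of role names they hold (any assignment type)."""
    roles: Dict[str, Set[str]] = defaultdict(set)
    for user, role, _permanent in assignments:
        roles[user].add(role)
    return roles


def permanent_global_admins(assignments) -> List[str]:
    """Users holding Global administrator as a permanent assignment."""
    return sorted({u for u, r, permanent in assignments
                   if r == GLOBAL_ADMIN and permanent})


def check_global_admin_count(assignments) -> Tuple[int, bool]:
    """Return (count, within_limit) for permanent Global administrators."""
    count = len(permanent_global_admins(assignments))
    return count, count <= MAX_PERMANENT_GLOBAL_ADMINS


def auth_admin_can_manage(target_roles: Set[str]) -> bool:
    """True when every role the target holds is one an Authentication
    administrator may manage, so a target with no roles is in scope and a
    target holding any other role (Global reader, Global administrator) is not."""
    return target_roles <= AUTH_ADMIN_MANAGEABLE_ROLES


def auth_admin_reach(users, assignments) -> Dict[str, bool]:
    """For each user, whether an Authentication administrator can reset their
    password or authentication methods under the rule above."""
    roles = roles_by_user(assignments)
    return {u: auth_admin_can_manage(roles.get(u, set())) for u in users}


def audit(users, assignments) -> Dict[str, object]:
    """Combine both checks into one report."""
    _count, ok = check_global_admin_count(assignments)
    return {
        "permanent_global_admins": permanent_global_admins(assignments),
        "within_limit": ok,
        "auth_admin_can_manage": auth_admin_reach(users, assignments),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_USERS, SAMPLE_ASSIGNMENTS)
    print(f"Permanent Global administrators: {len(report['permanent_global_admins'])}"
          f" (limit {MAX_PERMANENT_GLOBAL_ADMINS}, within limit: {report['within_limit']})")
    for user, ok in report["auth_admin_can_manage"].items():
        print(f"  Authentication administrator can manage {user}: {ok}")
```

On the constructed data the first check fails (six permanent Global administrators against a ceiling of five; the eligible assignment is not counted), and the second check shows why an Authentication administrator can act on a user holding only Reports reader and Directory readers, or no role, but not on a Global reader or a Global administrator. Feeding the functions a real export means replacing the sample lists with the tenant's role membership.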

Senior Member

@Alex Simons (AZURE) It seems like Global Reader role does not have the rights to view One Drive configuration as well as a few SharePoint configuration. Do you have any idea if this issue will soon be resolved ?

Thank you.

@Imane Serroune - Thanks for your feedback! Yes, this is a known issue. We're working on it. It's documented here - https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-ro...

Senior Member

@Abhijeet Kumar Sinha Thank you for your answer! Glad to hear that. I didn't see any mention about One Drive and I still could see a few settings of SharePoint :)

@Imane Serroune - Thanks for pointing out OneDrive. It is in the same boat as SharePoint. Global Reader cannot view settings in OneDrive Admin Center. I will update the documentation to reflect this. The fact that you see a few settings in SharePoint Admin Center shows that work is underway ;)