16 new built-in roles—including Global reader—now available in preview
Published Oct 10 2019 09:00 AM 66K Views

Howdy folks,


I’m excited to announce that 16 new built-in roles for Azure AD—including the highly requested Global reader—are now in public preview. We heard from you that daily admin tasks shouldn’t require you to be a Global administrator. And we couldn’t agree more! These new roles allow you to delegate administration tasks and reduce the number of Global administrators in your directory. These roles are available globally for all subscriptions.


Global reader is a read-only version of the Global administrator role, which allows you to view all settings and administrative information across Microsoft 365. You can use the Global reader role for planning, audits, and investigations. Global reader can also be combined with other limited administrative roles, such as Exchange administrator, making it easier to work without Global administrator privileges.


Global reader is in public preview and is supported across virtually all Microsoft 365 services. Support for viewing SharePoint Online settings and administrative information is on the way. Check out the documentation, which contains full details and will be updated as we make changes and enhancements.


Other new built-in roles include the Authentication administrator and Privileged authentication administrator roles, which grant granular permissions for credential management, as well as a set of roles for managing Azure AD B2C. Learn more about the new built-in roles in the table below.


As a best practice, we recommend having no more than five permanent Global administrators. To support this, our strategy is to provide built-in roles for 90 percent of your scenarios, and to provide the capability for you to build custom roles for requirements that are specific to your organization.

Custom roles give you fine-grained control over what an administrator can do. We recently introduced custom roles for app registrations. We’re working on expanding this capability to enable you to create custom roles for other management scenarios, as well.


In the Azure portal, under Roles and administrators, newly added built-in roles are highlighted with a green flag next to the role name.


Roles and administrators tab in the Azure portal.

| Role name | Description |
| --- | --- |
| Authentication administrator | View, set, and reset authentication method information and passwords for any non-admin user. |
| Azure DevOps administrator | Manage Azure DevOps organization policy and settings. |
| B2C user flow administrator | Create and manage all aspects of user flows. |
| B2C user flow attribute administrator | Create and manage the attribute schema available to all user flows. |
| B2C IEF Keyset administrator | Manage secrets for federation and encryption in the Identity Experience Framework. |
| B2C IEF Policy administrator | Create and manage trust framework policies in the Identity Experience Framework. |
| Compliance data administrator | Create and manage compliance data and alerts. |
| External Identity Provider administrator | Configure identity providers for use in direct federation. |
| Global reader | View everything a Global administrator can view, without the ability to edit or change. |
| Kaizala administrator | Manage settings for Microsoft Kaizala. |
| Message center privacy reader | Read Message center posts, data privacy messages, groups, domains and subscriptions. |
| Password administrator | Reset passwords for non-administrators and Password administrators. |
| Privileged authentication administrator | View, set, and reset authentication method information for any user (admin or non-admin). |
| Security operator | Create and manage security events. |
| Search administrator | Create and manage all aspects of Microsoft Search settings. |
| Search editor | Create and manage editorial content such as bookmarks, Q&As, locations, and floorplans. |


For more details on built-in roles in Azure AD, check out Administrator role permissions in Azure AD, which contains full details and will be updated as we make changes and enhancements.


As always, we'd love to hear your feedback, thoughts, and suggestions. Feel free to share with us on the Azure AD administrative roles forum or leave comments below. We look forward to hearing from you!


Best regards,


Alex Simons (@Alex_A_Simons)

Corporate VP of Program Management

Microsoft Identity Division

35 Comments
Copper Contributor

Great news! Are these new roles compatible with Azure Administrative Units?


Our organization is divided into multiple units with their own IT operations teams that we don't want interfering with each other. We're excited for these new roles but would like for them to be scoped to a specific group of users. Maybe there's a different way to scope these roles.


Thanks again. Always exciting and encouraging to learn about the developments here!

Copper Contributor

Is there a method to switch the roles dynamically, similar to AWS IAM roles?


@Spencer Stewart - We have not currently enabled these roles to be scoped to Administrative Units. But eventually we will. We are actively working on improving Administrative Units' experience.


cc: @Vince Smith, @Anand Yadav

@tandockers - Can you please elaborate your scenario? I would love to understand more.

Copper Contributor

@Abhijeet Kumar Sinha, thank you very much for the reply. I'm glad to hear AUs are still actively progressing! They are a feature we are very interested in. Thanks again!

Brass Contributor

Is Azure DevOps administrator already working? I cannot do anything with Azure DevOps in terms of management after being added to the group.

Copper Contributor

How about a role for managing MFA? 

Microsoft

@ilik0 We have a new feature that is private preview where users with the Azure DevOps Administrator role can manage a new policy to restrict creating new orgs in their company. If you want to join our private preview, please ping me at rajr@microsoft.com.

Copper Contributor

This is great Alex, we've been eager for the Global Reader role.  I have a suggestion:  similar to how the Global Administrator can be toggled on to be an inherited User Access Administrator for every subscription in the AAD tenant, could you also make the Global Reader members capable of being a Reader for every subscription in the AAD tenant?

@Bryan Dougherty - Thanks for your feedback! I think you are trying to say that users in Global Reader role should optionally have read access to all Azure subscriptions in a tenant. Please post this on UserVoice forum so that others can vote on it. 

@kevinkus - We released Authentication Administrator and Privileged Authentication Administrator. These roles can manage MFA of users in the tenant. Refer to this documentation for more details - https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-ro....


Is this what you were looking for? If not, please elaborate your scenario a bit.

Copper Contributor

I don't see those roles available in my tenant to manage MFA unless I am completely overlooking it

[Screenshots: roles.JPG, roles2.JPG]

Copper Contributor

@abhijeet kumar sinha:

It didn't work; please don't tease us like this :) I checked to see if the 2 roles you mentioned to Kevink have new capabilities, but the MFA option is still grayed out in the Azure portal --> AAD. So unfortunately, we created a very complex privileged granting global admin and monitoring/auditing process for our helpdesk anytime they enroll an OATH token for a user, and not do anything else in the Azure portal. Enrolling OATH tokens shouldn't be limited to global admins. I heard that a limited MFA-enrollment role was coming, and was too hopeful that this announcement was it; apparently not!


@kevinkus: Your screenshot looks like it came from Office 365 admin center. You'll need to go to portal.azure.com --> Azure Active Directory --> Roles and Administrators to see the new roles.

@vyim_hal - It looks like as an Authentication Administrator, you are trying to reset password or modify MFA properties of another admin, not a regular user. Authentication Administrator has privileges over only users who are non-administrators or assigned the following roles only: Authentication Administrator, Directory Readers, Guest Inviter, Message Center Reader and Reports Reader. Refer to this documentation - https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-ro...


If you want to modify authentication properties of all admins, consider using Privileged Authentication Admin. Refer to the documentation here - https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-ro...

Deleted
Not applicable

@Alex Simons (AZURE) It seems like the Global Reader role does not have the rights to view the OneDrive configuration as well as a few SharePoint configurations. Do you have any idea if this issue will soon be resolved?

Thank you.

@Deleted - Thanks for your feedback! Yes, this is a known issue. We're working on it. It's documented here - https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles#global-reader

Deleted
Not applicable

@Abhijeet Kumar Sinha Thank you for your answer! Glad to hear that. I didn't see any mention of OneDrive and I still could see a few settings of SharePoint :)

@Deleted - Thanks for pointing out OneDrive. It is in the same boat as SharePoint. Global Reader cannot view settings in OneDrive Admin Center. I will update the documentation to reflect this. The fact that you see a few settings in SharePoint Admin Center shows that work is underway ;) 

Microsoft

With the goal of less than five Global Admin accounts, how are we helping the customer with Service Accounts for 3rd party tools? Can there be a role for a Service Account with a non-expiring password, or with special requirements for the password? My customer has 35 Global Admin accounts, half of which belong to ADConnect, MAS360, ShareGate, etc. Not sure if they are just needed when the software is installed or not; however, they are still there. Are the vendors requiring a Global Admin account? Seems like a big security risk.

Brass Contributor

There should be a way to specify "Licenses Administrators" by product.

Ex.: Project Online administrators can only add/remove Project Online licenses from users.

Steel Contributor

Like @Spencer Stewart, in Education we have one tenant for a group of schools with a domain for each school. It would be great to be able to have an administrator, e.g. to manage users only for that domain.


Brass Contributor

Hi @Abhijeet Kumar Sinha,


The problem with the authentication admin and management of MFA is that the role is too powerful. Users with this role can do much more than only manage MFA. Many of the requests in UserVoice as well cope with the problem that they need to delegate e.g. reset of MFA to user helpdesk staff.


https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-ro...


Important:

Users with this role can change credentials for people who may have access to sensitive or private information or critical configuration inside and outside of Azure Active Directory. Changing the credentials of a user may mean the ability to assume that user's identity and permissions. For example:

  • Application Registration and Enterprise Application owners, who can manage credentials of apps they own. Those apps may have privileged permissions in Azure AD and elsewhere not granted to Authentication Administrators. Through this path an Authentication Administrator may be able to assume the identity of an application owner and then further assume the identity of a privileged application by updating the credentials for the application.
  • Azure subscription owners, who may have access to sensitive or private information or critical configuration in Azure.
  • Security Group and Office 365 Group owners, who can manage group membership. Those groups may grant access to sensitive or private information or critical configuration in Azure AD and elsewhere.
  • Administrators in other services outside of Azure AD like Exchange Online, Office Security and Compliance Center, and human resources systems.
  • Non-administrators like executives, legal counsel, and human resources employees who may have access to sensitive or private information.


@Sven Mihály-Bison, BA - Managing MFA and passwords is a critical functionality. By resetting them, you can potentially take over the account. We are just being transparent with all of you about what it means to manage MFA for any user in a tenant. That's why we have provided a detailed explanation, so that you can take an informed call.

By the way, Auth Admin can reset credentials of only normal users and these admins - 

  • Authentication Administrator
  • Directory Readers
  • Guest Inviter
  • Message Center Reader
  • Reports Reader

If Auth Admin is too powerful for your use case, consider using other built-in roles like Helpdesk Admin, Password Admin.
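Two points from this thread lend themselves to a scripted check: the post's guidance of no more than five permanent Global administrators (and the follow-up concern about service accounts holding that role), and the reply above on which users an Authentication Administrator may reset. The script below is an added example, not code from the post or from Microsoft; the assignment rows are a constructed hypothetical tenant, and the `(principal, principalType, role)` shape is an assumption rather than any real API's output.

```python
# Added example (not from the post or Microsoft tooling): audit role
# assignments against the "no more than five permanent Global administrators"
# guidance and the Authentication Administrator reset-scope rule above.
from collections import defaultdict

# Roles whose holders an Authentication Administrator may still reset.
AUTH_ADMIN_RESETTABLE = {
    "Authentication Administrator", "Directory Readers", "Guest Inviter",
    "Message Center Reader", "Reports Reader",
}
MAX_GLOBAL_ADMINS = 5

# Constructed sample (hypothetical tenant, not real directory data):
# one (principal, principalType, role) row per assignment.
SAMPLE_ASSIGNMENTS = [
    ("alice@contoso.example", "user", "Global Administrator"),
    ("bob@contoso.example", "user", "Global Administrator"),
    ("bob@contoso.example", "user", "Exchange Administrator"),
    ("carol@contoso.example", "user", "Reports Reader"),
    ("dave@contoso.example", "user", "Authentication Administrator"),
    ("erin@contoso.example", "user", "Global Reader"),
    ("svc-adconnect", "servicePrincipal", "Global Administrator"),
    ("svc-sharegate", "servicePrincipal", "Global Administrator"),
]

def roles_by_principal(assignments):
    """Group rows into ({principal: set(roles)}, {principal: type})."""
    roles, types = defaultdict(set), {}
    for principal, ptype, role in assignments:
        roles[principal].add(role)
        types[principal] = ptype
    return roles, types

def auth_admin_can_reset(target_roles):
    """True when every role the target holds is resettable; a user with
    no admin role at all (empty set) is therefore also resettable."""
    return set(target_roles) <= AUTH_ADMIN_RESETTABLE

def audit_global_admins(assignments):
    """Report Global Administrator holders, whether they exceed the
    recommended maximum, and which are service principals (the
    service-account pattern an earlier comment calls a security risk)."""
    roles, types = roles_by_principal(assignments)
    gas = sorted(p for p, r in roles.items() if "Global Administrator" in r)
    return {
        "global_admins": gas,
        "over_limit": len(gas) > MAX_GLOBAL_ADMINS,
        "sp_global_admins": [p for p in gas if types[p] == "servicePrincipal"],
    }
```

On the sample data, carol (Reports Reader only) is resettable by an Authentication Administrator while bob (Global Administrator) is not, and both service principals are flagged as Global Administrator holders to review for a lesser role.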

Iron Contributor

What is the difference between Report reader and global reader?


I'm trying to get Teams usage report and want to view number of Teams created or Teams that have not been used in a while. According to this link I need to have the Teams Admin role assigned to view this information is that correct?

@Faiza Qadri - Reports reader can read sign-in and audit logs in Azure AD. A Global Reader can read all settings across M365 services, not just Azure AD. Think of Global Reader as read-only counterpart of Global Admin.


A Global Reader can download usage reports in the Teams Admin Center and from the M365 Admin Center. There are some known limitations of Global Reader that we have documented here - Global Reader.

Iron Contributor

Thanks @Abhijeet Kumar Sinha I'm looking for the Teams Reporting analytics without having an admin role. Do you know when that would be released?

Iron Contributor

Does any of these new roles enable managing MFA for users (Enable/Disable/Enforce) using GUI ?

It would be nice to avoid assigning global admin to those who need to be enabling MFA for users.

BR, Ruslan

@RNalivaika - We have Auth Admin and Privileged Auth Admin to manage MFA on a per-user basis. However, we do not have a built-in role to manage MFA settings at a tenant level yet.

Iron Contributor

@Abhijeet Kumar Sinha, thanks for your input. When I assign the Authentication Administrator role to a helpdesk operator (who is not a Global admin), he still does not see the button "Manage Multifactor authentication" on the user properties window in the O365 admin portal, nor can he access it using the URL https://account.activedirectory.windowsazure.com/UserManagement/MultifactorVerification.aspx?BrandCo...

BR, Ruslan

@RNalivaika -

1. Login as Authentication Administrator.

2. Navigate here - https://portal.azure.com/#blade/Microsoft_AAD_IAM/UsersManagementMenuBlade/AllUsers.

3. Select a user.

4. Go to "Authentication methods" tab.

5. You can now choose to reset that user's MFA.

[Screenshot: AuthAdmin.png]

Iron Contributor

Abhijeet Kumar Sinha, the menu you are referring to does not allow me to enable or disable MFA for particular users. Requiring re-registration or revoking MFA sessions is not the same as enabling or disabling MFA for a user.

Ideally I would like to see Authentication administrator have access to use multi-factor authentication admin center as pictured below:

[Screenshot: RNalivaika_0-1584625945625.png]

Copper Contributor

Just found, maybe known:

Global Reader cannot see the "Teams Apps" tree in Teams administration.

[Screenshot: Microsoft Teams admin center with Teams admin role.jpg]

@Heiko Fuhrmann - Thanks for writing to us. Yes, it is a known issue. We have documented it here - https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-ro....

Copper Contributor

Is there a way to create a custom role in Azure B2C?

Copper Contributor

I am trying to assign the AD role Global Reader to a service principal in Terraform. It says the role was not found. I want to know whether I can assign an AD role to a service principal, or only an RBAC role.

I am getting this error on trying to assign the Global Reader role to the service principal:

Error: loading Role Definition List: could not find role 'Global Reader'

│ with module.infrastructure_cloud-scanner-app.azurerm_role_assignment.main["/subscriptions/aeca76e8-1861-4aed-b28a-b8c48923f89b"],
│ on ../../modules/infrastructure/cloud-scanner-app/main.tf line 49, in resource "azurerm_role_assignment" "main":
│ 49: resource "azurerm_role_assignment" "main" {

Version history: last updated Jul 24 2020 01:32 AM