16 new built-in roles—including Global reader—now available in preview
Published Oct 10 2019 09:00 AM 66.5K Views

Howdy folks,


I’m excited to announce that 16 new built-in roles for Azure AD—including the highly requested Global reader—are now in public preview. We heard from you that daily admin tasks shouldn’t require you to be a Global administrator. And we couldn’t agree more! These new roles allow you to delegate administration tasks and reduce the number of Global administrators in your directory. These roles are available globally for all subscriptions.


Global reader is a read-only version of the Global administrator role, which allows you to view all settings and administrative information across Microsoft 365. You can use the Global reader role for planning, audits, and investigations. Global Reader can also be used with other limited administrative roles, such as Exchange administrator, making it easier to work without Global administrator privileges.


Global reader is in public preview and is supported across virtually all Microsoft 365 services. Support for viewing SharePoint Online settings and administrative information is on the way. Check out the documentation, which contains full details and will be updated as we make changes and enhancements.


Other newly built-in roles include the Authentication administrator and Privileged authentication administrator roles for granting granular permissions for credential management, as well as a set of roles for managing Azure AD B2C. Learn more about the new built-in roles in the table below.


As a best practice, we recommend having no more than five permanent Global administrators. To support this, our strategy is to provide built-in roles for 90 percent of your scenarios, and to provide the capability for you to build custom roles for requirements that are specific to your organization.

Custom roles give you fine-grained control over what an administrator can do. We recently introduced custom roles for app registrations. We’re working on expanding this capability to enable you to create custom roles for other management scenarios, as well.


In the Azure portal, under Roles and administrators, newly added build-in roles are highlighted with a green flag next to the role name.


Roles and administrators tab in the Azure portal.Roles and administrators tab in the Azure portal.


Role name


Authentication administrator

View, set, and reset authentication method information and passwords for any non-admin user.

Azure DevOps administrator

Manage Azure DevOps organization policy and settings.

B2C user flow administrator

Create and manage all aspects of user flows.

B2C user flow attribute administrator

Create and manage the attribute schema available to all user flows.

B2C IEF Keyset administrator

Manage secrets for federation and encryption in the Identity Experience Framework.

B2C IEF Policy administrator

Create and manage trust framework policies in the Identity Experience Framework.

Compliance data administrator

Create and manage compliance data and alerts.

External Identity Provider administrator

Configure identity providers for use in direct federation.

Global reader

View everything a Global administrator can view without the ability to edit or change.

Kaizala administrator

Manage settings for Microsoft Kaizala.

Message center privacy reader

Read Message center posts, data privacy messages, groups, domains and subscriptions.

Password administrator

Reset passwords for non-administrators and Password administrators.

Privileged authentication administrator

View, set, and reset authentication method information for any user (admin or non-admin).

Security operator

Creates and manages security events.

Search administrator

Create and manage all aspects of Microsoft Search settings.

Search editor

Create and manage editorial content such as bookmarks, Q & As, locations, floorplan.


For more details on built-in roles in Azure AD, check out Administrator role permissions in Azure AD, which contains full details and will be updated as we make changes and enhancements.


As always, we'd love to hear your feedback, thoughts, and suggestions. Feel free to share with us on the Azure AD administrative roles forum or leave comments below. We look forward to hearing from you!


Best regards,


Alex Simons (@Alex_A_Simons)

Corporate VP of Program Management

Microsoft Identity Division

Version history
Last update:
‎Jul 24 2020 01:32 AM
Updated by: