Howdy folks,
I’m excited to announce that 16 new built-in roles for Azure AD—including the highly requested Global reader—are now in public preview. We heard from you that daily admin tasks shouldn’t require you to be a Global administrator. And we couldn’t agree more! These new roles allow you to delegate administration tasks and reduce the number of Global administrators in your directory. These roles are available globally for all subscriptions.
Global reader is a read-only version of the Global administrator role, which allows you to view all settings and administrative information across Microsoft 365. You can use the Global reader role for planning, audits, and investigations. Global reader can also be combined with other limited administrative roles, such as Exchange administrator, making it easier to work without Global administrator privileges.
Global reader is in public preview and is supported across virtually all Microsoft 365 services. Support for viewing SharePoint Online settings and administrative information is on the way. Check out the documentation, which contains full details and will be updated as we make changes and enhancements.
Other new built-in roles include the Authentication administrator and Privileged authentication administrator roles, which grant granular permissions for credential management, as well as a set of roles for managing Azure AD B2C. Learn more about the new built-in roles in the table below.
As a best practice, we recommend having no more than five permanent Global administrators. To support this, our strategy is to provide built-in roles for 90 percent of your scenarios, and to provide the capability for you to build custom roles for requirements that are specific to your organization.
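Two tasks follow directly from the recommendations above: checking how many permanent Global administrators a directory actually has, and delegating the new Global reader role instead of handing out Global administrator. The script below is an added example and is not code from the post or from Microsoft; it uses the AzureAD PowerShell module (Get-AzureADDirectoryRole, Enable-AzureADDirectoryRole, Get-AzureADDirectoryRoleMember, Add-AzureADDirectoryRoleMember), matches roles by their role template IDs rather than display names (the Global administrator template is named "Company Administrator" in that module), and assumes you have already run Connect-AzureAD as an account allowed to read and assign directory roles. The user principal name in the usage lines is hypothetical, and the template IDs are the published ones, which you should confirm in your own tenant with Get-AzureADDirectoryRoleTemplate.

```powershell
# Added example (not from the blog post): audit the permanent Global administrator
# count and delegate Global reader with the AzureAD PowerShell module.
# Assumes Connect-AzureAD has already been run by an account that can read and assign roles.

# Role template IDs are stable across tenants (verify with Get-AzureADDirectoryRoleTemplate).
$GlobalAdminTemplateId    = '62e90394-69f5-4237-9190-012177145e10'
$GlobalReaderTemplateId   = 'f2ef992c-3afb-46b9-b7cf-a126ee74c451'
$MaxPermanentGlobalAdmins = 5   # threshold recommended in the post

function Get-ActivatedRole {
    param([Parameter(Mandatory)][string]$TemplateId)
    # Get-AzureADDirectoryRole only returns roles that have been activated in the tenant,
    # so a role nobody has ever been assigned must be enabled from its template first.
    $role = Get-AzureADDirectoryRole | Where-Object { $_.RoleTemplateId -eq $TemplateId }
    if (-not $role) {
        $role = Enable-AzureADDirectoryRole -RoleTemplateId $TemplateId
    }
    return $role
}

function Test-GlobalAdminCount {
    $role    = Get-ActivatedRole -TemplateId $GlobalAdminTemplateId
    # Permanent (active) assignments only; eligible PIM assignments are not returned here,
    # so treat this as a lower bound on who can reach Global administrator.
    $members = @(Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId)
    $members | Select-Object ObjectType, DisplayName, UserPrincipalName |
        Format-Table -AutoSize | Out-Host
    $count = $members.Count
    if ($count -gt $MaxPermanentGlobalAdmins) {
        Write-Warning "$count permanent Global administrators found; target is at most $MaxPermanentGlobalAdmins."
    } else {
        Write-Host "$count permanent Global administrators (within the recommended limit)."
    }
    return $count
}

function Grant-GlobalReader {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $user = Get-AzureADUser -ObjectId $UserPrincipalName   # -ObjectId also accepts a UPN
    $role = Get-ActivatedRole -TemplateId $GlobalReaderTemplateId
    $already = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
               Where-Object { $_.ObjectId -eq $user.ObjectId }
    if ($already) {
        Write-Host "$UserPrincipalName already holds Global reader."
        return
    }
    Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId
    Write-Host "Granted Global reader to $UserPrincipalName."
}

# Usage (hypothetical UPN):
# Connect-AzureAD
# Test-GlobalAdminCount
# Grant-GlobalReader -UserPrincipalName 'auditor@contoso.example'
```

Run Test-GlobalAdminCount before and after moving people to Global reader or another limited role; if you use Privileged Identity Management, count eligible assignments separately, since they do not appear in the directory role membership this script reads.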
Custom roles give you fine-grained control over what an administrator can do. We recently introduced custom roles for app registrations. We’re working on expanding this capability to enable you to create custom roles for other management scenarios, as well.
In the Azure portal, under Roles and administrators, newly added built-in roles are highlighted with a green flag next to the role name.
Role name | Description
Authentication administrator | View, set, and reset authentication method information and passwords for any non-admin user.
Azure DevOps administrator | Manage Azure DevOps organization policy and settings.
B2C user flow administrator | Create and manage all aspects of user flows.
B2C user flow attribute administrator | Create and manage the attribute schema available to all user flows.
B2C IEF Keyset administrator | Manage secrets for federation and encryption in the Identity Experience Framework.
B2C IEF Policy administrator | Create and manage trust framework policies in the Identity Experience Framework.
Compliance data administrator | Create and manage compliance data and alerts.
External Identity Provider administrator | Configure identity providers for use in direct federation.
Global reader | View everything a Global administrator can view, without the ability to edit or change anything.
Kaizala administrator | Manage settings for Microsoft Kaizala.
Message center privacy reader | Read Message center posts, data privacy messages, groups, domains, and subscriptions.
Password administrator | Reset passwords for non-administrators and Password administrators.
Privileged authentication administrator | View, set, and reset authentication method information for any user (admin or non-admin).
Security operator | Create and manage security events.
Search administrator | Create and manage all aspects of Microsoft Search settings.
Search editor | Create and manage editorial content such as bookmarks, Q&As, locations, and floor plans.
For more details on built-in roles in Azure AD, check out Administrator role permissions in Azure AD, which contains full details and will be updated as we make changes and enhancements.
As always, we'd love to hear your feedback, thoughts, and suggestions. Feel free to share with us on the Azure AD administrative roles forum or leave comments below. We look forward to hearing from you!
Best regards,
Alex Simons (@Alex_A_Simons)
Corporate VP of Program Management
Microsoft Identity Division