16 New Azure AD Built-In Roles Available in Preview


Microsoft has announced 16 new built-in roles in Azure AD, including the highly requested Global reader role, now in public preview. Most daily tasks are run by the Global administrator, and other system administrators cannot do any of them; these new roles can help reduce the Global administrator's tasks. These roles are available globally for all subscriptions.


Global reader is the read-only counterpart to Global administrator. Assign Global reader instead of Global administrator for planning, audits, or investigations. Use Global reader in combination with other limited admin roles, like Exchange Administrator, to make it easier to get work done without assigning the Global Administrator role. The Global reader role works with Microsoft 365 admin center, Exchange admin center, Teams admin center, Security center, Compliance center, Azure AD admin center, and Device Management admin center.

The Global reader role has a few limitations right now:

  • SharePoint admin center – SharePoint admin center does not support the Global reader role. You won’t see ‘SharePoint’ in the left pane under Admin Centers in Microsoft 365 admin center.
  • OneDrive admin center – OneDrive admin center does not support the Global reader role.
  • Azure AD portal – Global reader can’t read the provisioning mode of an enterprise app.
  • M365 admin center – Global reader can’t read customer lockbox requests. You won’t find the Customer lockbox requests tab under Support in the left pane of M365 Admin Center.
  • M365 Security center – Global reader can’t read sensitivity and retention labels. You won’t find the Sensitivity labels, Retention labels, and Label analytics tabs in the left pane of the M365 Security center.
  • Teams admin center – Global reader cannot read Teams lifecycle, Analytics & reports, IP phone device management, and App catalog.
  • Privileged Access Management (PAM) doesn’t support the Global reader role.
  • Azure Information Protection – Global reader is supported for central reporting only, and when your tenant isn’t on the unified labeling platform.

These features are currently in development.



| Role name | Description |
|---|---|
| Authentication administrator | View, set, and reset authentication method information and passwords for any non-admin user. |
| Azure DevOps administrator | Manage Azure DevOps organization policy and settings. |
| B2C user flow administrator | Create and manage all aspects of user flows. |
| B2C user flow attribute administrator | Create and manage the attribute schema available to all user flows. |
| B2C IEF Keyset administrator | Manage secrets for federation and encryption in the Identity Experience Framework. |
| B2C IEF Policy administrator | Create and manage trust framework policies in the Identity Experience Framework. |
| Compliance data administrator | Create and manage compliance data and alerts. |
| External Identity Provider administrator | Configure identity providers for use in direct federation. |
| Global reader | View everything a Global administrator can view without the ability to edit or change. |
| Kaizala administrator | Manage settings for Microsoft Kaizala. |
| Message center privacy reader | Read Message center posts, data privacy messages, groups, domains and subscriptions. |
| Password administrator | Reset passwords for non-administrators and Password administrators. |
| Privileged authentication administrator | View, set, and reset authentication method information for any user (admin or non-admin). |
| Security operator | Creates and manages security events. |
| Search administrator | Create and manage all aspects of Microsoft Search settings. |
| Search editor | Create and manage editorial content such as bookmarks, Q & As, locations, floorplan. |