Azure AD Role Scoring
At the time of writing this post, Azure AD contains 91 built-in administrative roles. These roles carry very different degrees of power within Azure AD. The team at Senserva has built a scoring system for grading these roles so that our analytics platform can rate each user's power level within your organization. This is useful for highlighting security weaknesses within your administration team (such as misconfigured Multi-Factor Authentication on a highly graded account).
Users can hold multiple roles within an Azure AD tenant. A user is scored by their most powerful assigned role: the power level of that role is the one displayed for the user. Below is a table of the tiers of power level that we have classified.
Role Level | Description |
---|---|
Limited Access | Read/write access on select low level resources. |
Technicians | Read/write access for less sensitive resources. |
Sensitive Access | Read access for sensitive resources. Write access to less sensitive resources. |
Administrators | Powerful read/write access to sensitive resources. |
Global Administrators | Powerful access to all resources. |
Below are the individual power levels we have assigned to each Azure AD role; these are the values used to grade user power levels.
Role Name | Role Description | Graded Power Level | Template ID |
---|---|---|---|
Application Administrator | Can create and manage all aspects of app registrations and enterprise apps. | Administrator | 9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3 |
Application Developer | Can create application registrations independent of the 'Users can register applications' setting. | Technician | cf1c38e5-3621-4004-a7cb-879624dced7c |
Attack Payload Author | Can create attack payloads that an administrator can initiate later. | Technician | 9c6df0f2-1e7c-4dc3-b195-66dfbd24aa8f |
Attack Simulation Administrator | Can create and manage all aspects of attack simulation campaigns. | Limited Access | c430b396-e693-46cc-96f3-db01bf8bb62a |
Attribute Assignment Administrator | Assign custom security attribute keys and values to supported Azure AD objects. | Sensitive Access | 58a13ea3-c632-46ae-9ee0-9c0d43cd7f3d |
Attribute Assignment Reader | Read custom security attribute keys and values for supported Azure AD objects. | Sensitive Access | ffd52fa5-98dc-465c-991d-fc073eb59f8f |
Attribute Definition Administrator | Define and manage the definition of custom security attributes. | Technician | 8424c6f0-a189-499e-bbd0-26c1753c96d4 |
Attribute Definition Reader | Read the definition of custom security attributes. | Limited Access | 1d336d2c-4ae8-42ef-9711-b3604ce3fc2c |
Authentication Administrator | Can view, set and reset authentication method information for any non-admin user. | Administrator | c4e39bd9-1100-46d3-8c65-fb160da0071f |
Authentication Policy Administrator | Can create and manage the authentication methods policy, tenant-wide MFA settings, password protection policy, and verifiable credentials. | Sensitive Access | 0526716b-113d-4c15-b2c8-68e3c22b9f80 |
Azure AD Joined Device Local Administrator | Users assigned to this role are added to the local administrators group on Azure AD-joined devices. | Administrator | 9f06204d-73c1-4d4c-880a-6edb90606fd8 |
Azure DevOps Administrator | Can manage Azure DevOps policies and settings. | Administrator | e3973bdf-4987-49ae-837a-ba8e231c7286 |
Azure Information Protection Administrator | Can manage all aspects of the Azure Information Protection product. | Sensitive Access | 7495fdc4-34c4-4d15-a289-98788ce399fd |
B2C IEF Keyset Administrator | Can manage secrets for federation and encryption in the Identity Experience Framework (IEF). | Administrator | aaf43236-0c0d-4d5f-883a-6955382ac081 |
B2C IEF Policy Administrator | Can create and manage trust framework policies in the Identity Experience Framework (IEF). | Administrator | 3edaf663-341e-4475-9f94-5c398ef6c070 |
Billing Administrator | Can perform common billing related tasks like updating payment information. | Administrator | b0f54661-2d74-4c50-afa3-1ec803f12efe |
Cloud App Security Administrator | Can manage all aspects of the Defender for Cloud Apps product. | Sensitive Access | 892c5842-a9a6-463a-8041-72aa08ca3cf6 |
Cloud Application Administrator | Can create and manage all aspects of app registrations and enterprise apps except App Proxy. | Administrator | 158c047a-c907-4556-b7ef-446551a6b5f7 |
Cloud Device Administrator | Limited access to manage devices in Azure AD. | Sensitive Access | 7698a772-787b-4ac8-901f-60d6b08affd2 |
Compliance Administrator | Can read and manage compliance configuration and reports in Azure AD and Microsoft 365. | Administrator | 17315797-102d-40b4-93e0-432062caca18 |
Compliance Data Administrator | Creates and manages compliance content. | Administrator | e6d1a23a-da11-4be4-9570-befc86d067a7 |
Conditional Access Administrator | Can manage Conditional Access capabilities. | Administrator | b1be1c3e-b65d-4f19-8427-f6fa0d97feb9 |
Customer LockBox Access Approver | Can approve Microsoft support requests to access customer organizational data. | Administrator | 5c4f9dcd-47dc-4cf7-8c9a-9e4207cbfc91 |
Desktop Analytics Administrator | Can access and manage Desktop management tools and services. | Limited Access | 38a96431-2bdf-4b4c-8b6e-5d3d8abac1a4 |
Directory Readers | Can read basic directory information. Commonly used to grant directory read access to applications and guests. | Limited Access | 88d8e3e3-8f55-4a1e-953a-9b9898b8876b |
Directory Synchronization Accounts | Only used by Azure AD Connect service. | Administrator | d29b2b05-8046-44ba-8758-1e26182fcf32 |
Directory Writers | Can read and write basic directory information. For granting access to applications, not intended for users. | Administrator | 9360feb5-f418-4baa-8175-e2a00bac4301 |
Domain Name Administrator | Can manage domain names in cloud and on-premises. | Technician | 8329153b-31d0-4727-b945-745eb3bc5f31 |
Dynamics 365 Administrator | Can manage all aspects of the Dynamics 365 product. | Administrator | 44367163-eba1-44c3-98af-f5787879f96a |
Edge Administrator | Manage all aspects of Microsoft Edge. | Technician | 3f1acade-1e04-4fbc-9b69-f0302cd84aef |
Exchange Administrator | Can manage all aspects of the Exchange product. | Administrator | 29232cdf-9323-42fd-ade2-1d097af3e4de |
Exchange Recipient Administrator | Can create or update Exchange Online recipients within the Exchange Online organization. | Technician | 31392ffb-586c-42d1-9346-e59415a2cc4e |
External ID User Flow Administrator | Can create and manage all aspects of user flows. | Sensitive Access | 6e591065-9bad-43ed-90f3-e9424366d2f0 |
External ID User Flow Attribute Administrator | Can create and manage the attribute schema available to all user flows. | Sensitive Access | 0f971eea-41eb-4569-a71e-57bb8a3eff1e |
External Identity Provider Administrator | Can configure identity providers for use in direct federation. | Administrator | be2f45a1-457d-42af-a067-6ec1fa63bc45 |
Global Administrator | Can manage all aspects of Azure AD and Microsoft services that use Azure AD identities. | Global Administrator | 62e90394-69f5-4237-9190-012177145e10 |
Global Reader | Can read everything that a Global Administrator can, but not update anything. | Administrator | f2ef992c-3afb-46b9-b7cf-a126ee74c451 |
Groups Administrator | Members of this role can create/manage groups, create/manage groups settings like naming and expiration policies, and view groups activity and audit reports. | Limited Access | fdd7a751-b60b-444a-984c-02652fe8fa1c |
Guest Inviter | Can invite guest users independent of the 'members can invite guests' setting. | Limited Access | 95e79109-95c0-4d8e-aee3-d01accf2d47b |
Helpdesk Administrator | Can reset passwords for non-administrators and Helpdesk Administrators. | Administrator | 729827e3-9c14-49f7-bb1b-9608f156bbb8 |
Hybrid Identity Administrator | Can manage AD to Azure AD cloud provisioning, Azure AD Connect, Pass-through Authentication (PTA), Password hash synchronization (PHS), Seamless Single sign-on (Seamless SSO), and federation settings. | Sensitive Access | 8ac3fc64-6eca-42ea-9e69-59f4c7b60eb2 |
Identity Governance Administrator | Manage access using Azure AD for identity governance scenarios. | Technician | 45d8d3c5-c802-45c6-b32a-1d70b5e1e86e |
Insights Administrator | Has administrative access in the Microsoft 365 Insights app. | Administrator | eb1f4a8d-243a-41f0-9fbd-c7cdf6c5ef7c |
Insights Analyst | Access the analytical capabilities in Microsoft Viva Insights and run custom queries. | Technician | 25df335f-86eb-4119-b717-0ff02de207e9 |
Insights Business Leader | Can view and share dashboards and insights via the Microsoft 365 Insights app. | Limited Access | 31e939ad-9672-4796-9c2e-873181342d2d |
Intune Administrator | Can manage all aspects of the Intune product. | Administrator | 3a2c62db-5318-420d-8d74-23affee5d9d5 |
Kaizala Administrator | Can manage settings for Microsoft Kaizala. | Limited Access | 74ef975b-6605-40af-a5d2-b9539d836353 |
Knowledge Administrator | Can configure knowledge, learning, and other intelligent features. | Limited Access | b5a8dcf3-09d5-43a9-a639-8e29ef291470 |
Knowledge Manager | Can organize, create, manage, and promote topics and knowledge. | Limited Access | 744ec460-397e-42ad-a462-8b3f9747a02c |
License Administrator | Can manage product licenses on users and groups. | Technician | 4d6ac14f-3453-41d0-bef9-a3e0c569773a |
Lifecycle Workflows Administrator | Create and manage all aspects of workflows and tasks associated with Lifecycle Workflows in Azure AD. | Sensitive Access | 59d46f88-662b-457b-bceb-5c3809e5908f |
Message Center Privacy Reader | Can read security messages and updates in Office 365 Message Center only. | Limited Access | ac16e43d-7b2d-40e0-ac05-243ff356ab5b |
Message Center Reader | Can read messages and updates for their organization in Office 365 Message Center only. | Limited Access | 790c1fb9-7f7d-4f88-86a1-ef1f95c05c1b |
Microsoft Hardware Warranty Administrator | Create and manage all aspects of warranty claims and entitlements for Microsoft manufactured hardware, like Surface and HoloLens. | Limited Access | 1501b917-7653-4ff9-a4b5-203eaf33784f |
Microsoft Hardware Warranty Specialist | Create and read warranty claims for Microsoft manufactured hardware, like Surface and HoloLens. | Limited Access | 281fe777-fb20-4fbb-b7a3-ccebce5b0d96 |
Modern Commerce User | Can manage commercial purchases for a company, department or team. | Limited Access | d24aef57-1500-4070-84db-2666f29cf966 |
Network Administrator | Can manage network locations and review enterprise network design insights for Microsoft 365 Software as a Service applications. | Limited Access | d37c8bed-0711-4417-ba38-b4abe66ce4c2 |
Office Apps Administrator | Can manage Office apps cloud services, including policy and settings management, and manage the ability to select, unselect and publish 'what's new' feature content to end-user's devices. | Limited Access | 2b745bdf-0803-4d80-aa65-822c4493daac |
Organizational Messages Writer | Write, publish, manage, and review the organizational messages for end-users through Microsoft product surfaces. | Limited Access | 507f53e4-4e52-4077-abd3-d2e1558b6ea2 |
Partner Tier1 Support | Do not use - not intended for general use. | Warning | 4ba39ca4-527c-499a-b93d-d9b492c50246 |
Partner Tier2 Support | Do not use - not intended for general use. | Warning | e00e864a-17c5-4a4b-9c06-f5b95a8d5bd8 |
Password Administrator | Can reset passwords for non-administrators and Password Administrators. | Sensitive Access | 966707d0-3269-4727-9be2-8c3a10f19b9d |
Permissions Management Administrator | Manage all aspects of Entra Permissions Management. | Administrator | af78dc32-cf4d-46f9-ba4e-4428526346b5 |
Power BI Administrator | Can manage all aspects of the Power BI product. | Sensitive Access | a9ea8996-122f-4c74-9520-8edcd192826c |
Power Platform Administrator | Can create and manage all aspects of Microsoft Dynamics 365, Power Apps and Power Automate. | Limited Access | 11648597-926c-4cf3-9c36-bcebb0ba8dcc |
Printer Administrator | Can manage all aspects of printers and printer connectors. | Limited Access | 644ef478-e28f-4e28-b9dc-3fdde9aa0b1f |
Printer Technician | Can register and unregister printers and update printer status. | Limited Access | e8cef6f1-e4bd-4ea8-bc07-4b8d950f4477 |
Privileged Authentication Administrator | Can view, set and reset authentication method information for any user (admin or non-admin). | Administrator | 7be44c8a-adaf-4e2a-84d6-ab2649e08a13 |
Privileged Role Administrator | Can manage role assignments in Azure AD, and all aspects of Privileged Identity Management. | Administrator | e8611ab8-c189-46e8-94e1-60213ab1f814 |
Reports Reader | Can read sign-in and audit reports. | Limited Access | 4a5d8f65-41da-4de4-8968-e035b65339cf |
Search Administrator | Can create and manage all aspects of Microsoft Search settings. | Limited Access | 0964bb5e-9bdb-4d7b-ac29-58e794862a40 |
Search Editor | Can create and manage the editorial content such as bookmarks, Q and As, locations, floorplan. | Limited Access | 8835291a-918c-4fd7-a9ce-faa49f0cf7d9 |
Security Administrator | Can read security information and reports, and manage configuration in Azure AD and Office 365. | Administrator | 194ae4cb-b126-40b2-bd5b-6091b380977d |
Security Operator | Creates and manages security events. | Sensitive Access | 5f2222b1-57c3-48ba-8ad5-d4759f1fde6f |
Security Reader | Can read security information and reports in Azure AD and Office 365. | Technician | 5d6b6bb7-de71-4623-b4af-96380a352509 |
Service Support Administrator | Can read service health information and manage support tickets. | Limited Access | f023fd81-a637-4b56-95fd-791ac0226033 |
SharePoint Administrator | Can manage all aspects of the SharePoint service. | Sensitive Access | f28a1f50-f6e7-4571-818b-6a12f2af6b6c |
Skype for Business Administrator | Can manage all aspects of the Skype for Business product. | Limited Access | 75941009-915a-4869-abe7-691bff18279e |
Teams Administrator | Can manage the Microsoft Teams service. | Sensitive Access | 69091246-20e8-4a56-aa4d-066075b2a7a8 |
Teams Communications Administrator | Can manage calling and meetings features within the Microsoft Teams service. | Limited Access | baf37b3a-610e-45da-9e62-d9d1e5e8914b |
Teams Communications Support Engineer | Can troubleshoot communications issues within Teams using advanced tools. | Limited Access | f70938a0-fc10-4177-9e90-2178f8765737 |
Teams Communications Support Specialist | Can troubleshoot communications issues within Teams using basic tools. | Limited Access | fcf91098-03e3-41a9-b5ba-6f0ec8188a12 |
Teams Devices Administrator | Can perform management related tasks on Teams certified devices. | Administrator | 3d762c5a-1b6c-493f-843e-55a3b42923d4 |
Tenant Creator | Create new Azure AD or Azure AD B2C tenants. | Administrator | 112ca1a2-15ad-4102-995e-45b0bc479a6a |
Usage Summary Reports Reader | Can see only tenant level aggregates in Microsoft 365 Usage Analytics and Productivity Score. | Limited Access | 75934031-6c7e-415a-99d7-48dbd49e875e |
User Administrator | Can manage all aspects of users and groups, including resetting passwords for limited admins. | Limited Access | fe930be7-5e62-47db-91af-98c3a49a38b1 |
Virtual Visits Administrator | Manage and share Virtual Visits information and metrics from admin centers or the Virtual Visits app. | Limited Access | e300d9e7-4a2b-4295-9eff-f1c78b36cc98 |
Viva Goals Administrator | Manage and configure all aspects of Microsoft Viva Goals. | Limited Access | 92b086b3-e367-4ef2-b869-1de128fb986e |
Windows 365 Administrator | Can provision and manage all aspects of Cloud PCs. | Sensitive Access | 11451d60-acb2-45eb-a7d6-43d0f0125c13 |
Windows Update Deployment Administrator | Can create and manage all aspects of Windows Update deployments through the Windows Update for Business deployment service. | Technician | 32696413-001a-46ae-978c-ce0f6b3620d2 |
Yammer Administrator | Manage all aspects of the Yammer service. | Limited Access | 810a2642-a034-447f-a5e8-41beaa378541 |
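The "highest assigned role wins" rule described above, as an added example that is not Senserva's code: it keys a subset of the role table by template ID, ranks the tiers in the order of the tier table, and grades a user from the roleTemplateId values of their directory roles. Treating the "Warning" roles as flagged-but-unranked, and surfacing template IDs missing from the table instead of guessing, are assumptions of this example.

```python
from typing import Iterable, Optional

# Tier ladder from the tier table; later = more power.
TIER_ORDER = ["Limited Access", "Technician", "Sensitive Access",
              "Administrator", "Global Administrator"]

# roleTemplateId -> (role name, graded tier), copied from the role table
# (a subset; add the remaining rows the same way).
ROLE_TIERS = {
    "62e90394-69f5-4237-9190-012177145e10": ("Global Administrator", "Global Administrator"),
    "e8611ab8-c189-46e8-94e1-60213ab1f814": ("Privileged Role Administrator", "Administrator"),
    "729827e3-9c14-49f7-bb1b-9608f156bbb8": ("Helpdesk Administrator", "Administrator"),
    "966707d0-3269-4727-9be2-8c3a10f19b9d": ("Password Administrator", "Sensitive Access"),
    "5d6b6bb7-de71-4623-b4af-96380a352509": ("Security Reader", "Technician"),
    "88d8e3e3-8f55-4a1e-953a-9b9898b8876b": ("Directory Readers", "Limited Access"),
    "4ba39ca4-527c-499a-b93d-d9b492c50246": ("Partner Tier1 Support", "Warning"),
}

def grade_user(role_template_ids: Iterable[str]) -> dict:
    """Grade a user by the most powerful role among their roleTemplateIds
    (e.g. the directoryRole objects a user is a member of in Graph)."""
    best: Optional[str] = None
    best_rank = -1
    warnings, unknown = [], []
    for tid in role_template_ids:
        entry = ROLE_TIERS.get(tid)
        if entry is None:
            unknown.append(tid)      # not in the table: surface it, don't guess
            continue
        name, tier = entry
        if tier == "Warning":
            # "Do not use" roles are flagged separately, not ranked
            # (an assumption of this example, not the page's rule).
            warnings.append(name)
            continue
        rank = TIER_ORDER.index(tier)
        if rank > best_rank:
            best, best_rank = name, rank
    return {"power_level": TIER_ORDER[best_rank] if best_rank >= 0 else None,
            "highest_role": best, "warnings": warnings, "unknown_roles": unknown}

# Constructed sample: a helpdesk user who also holds Security Reader.
SAMPLE_USER = ["5d6b6bb7-de71-4623-b4af-96380a352509",
               "729827e3-9c14-49f7-bb1b-9608f156bbb8"]

if __name__ == "__main__":
    print(grade_user(SAMPLE_USER))   # power_level: Administrator
```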