Microsoft Entra ID (Azure AD) Roles: A Framework for Role-Based Access Control

Learn how Entra ID roles are used to secure cloud users, resources, and service principals.


Microsoft Entra ID roles enable organizations of all sizes to secure resources by assigning permissions through predefined roles. This article provides an overview of Entra ID Role-Based Access Control (RBAC) and a structured framework for administrators to implement RBAC effectively.

What is Entra ID RBAC (Role-Based Access Control)?

Entra ID (formerly Azure Active Directory) Role-Based Access Control is Microsoft’s solution for handling user and resource permissions in the cloud. Entra ID roles let admins and security architects assign precise levels of access to users, Entra ID groups, and applications.

More than a hundred built-in roles cover most small-to-medium environments. IT professionals can also create custom roles for finer granularity where a compliance, security, or managerial requirement does not map onto any built-in role.

Understanding Entra ID roles

Entra ID roles are the building blocks of Role-Based Access Control (RBAC) in Microsoft’s Identity and Access Management platform. These roles define what actions and permissions a user, group, or service principal can perform in an Entra ID tenant – including Microsoft 365 and other integrated cloud services.

Unlike Azure RBAC, which governs Azure resources such as virtual machines (VMs) and virtual networks, Entra ID roles govern only identity and directory objects. The two are linked in one important way: a Global Administrator can elevate themselves to User Access Administrator on every Azure subscription in the tenant, so the most privileged directory role is, in effect, also the most privileged Azure role.

Predefined Entra ID roles

Here’s an easy-to-follow table of the built-in roles you are most likely to use in an Entra ID tenant and the basic permissions each includes. It is not exhaustive: a tenant ships with well over a hundred built-in roles, and the full list with every permission is under Roles and administrators in the admin center.

Role name | Category | Purpose
Global Administrator | Identity Governance | Full access to all administrative features in Entra ID and Microsoft services. The most privileged role.
Global Reader | Identity Governance | Read-only access to all administrative settings (cannot edit or take actions).
User Administrator | Identity Governance | Create/manage users and groups, reset passwords for non-admins (no role assignments).
Groups Administrator | Identity Governance | Manage all groups (Microsoft 365, security, etc.), including membership and policies.
Privileged Role Administrator | Identity Governance | Manage role assignments in Entra ID and all aspects of PIM (but cannot edit user data).
License Administrator | Identity Governance | Assign, remove, and manage license subscriptions for users/groups.
Authentication Administrator | Identity Governance | Reset passwords and authentication (MFA) methods for non-admins; manage auth methods.
Helpdesk Administrator | Identity Governance | Reset passwords and invalidate refresh tokens for non-admins; manage support tickets.
Directory Readers | Identity Governance | Read basic directory info (assigned by default to some apps).
Directory Writers | Identity Governance | Create/update basic directory objects (rarely used).
External ID User Flow Administrator | Identity Governance | Manage user flows (B2C) for external identity sign-ups.
External ID User Flow Attribute Administrator | Identity Governance | Manage custom attributes in B2C user flows.
External Identity Provider Administrator | Identity Governance | Configure identity providers (e.g., Google, Facebook) for B2B/B2C.
Application Administrator | Application Management | Manage all aspects of enterprise apps, app registrations, Application Proxy and SSO settings; can add credentials to apps.
Cloud Application Administrator | Application Management | Same as Application Administrator except Application Proxy: manages enterprise apps and app registrations and can consent to permissions.
Application Developer | Application Management | Create app registrations even when the tenant setting blocks ordinary users from doing so (does not manage other apps).
Identity Governance Administrator | Identity Governance | Manage access reviews, entitlement management, and lifecycle workflows.
Security Administrator | Security & Compliance | Manage security policies (Conditional Access, threat detection), but no full admin rights.
Security Reader | Security & Compliance | Read-only access to security reports and policies.
Compliance Administrator | Security & Compliance | Manage compliance policies and reports (e.g., DLP, retention).
Compliance Data Administrator | Security & Compliance | Manage compliance content (e.g., eDiscovery cases).
Attack Simulation Administrator | Security & Compliance | Create/manage phishing attack simulations in Microsoft Defender for Office 365.
Hybrid Identity Administrator | Hybrid Management | Configure Entra Connect / cloud sync and federation settings for hybrid identities.
Intune Administrator | Device Management | Full control over Microsoft Intune (MDM/MAM).
Password Administrator | Identity Governance | Reset passwords for non-admins (subset of Helpdesk Administrator).
Billing Administrator | Billing | Manage purchases, subscriptions, and support tickets.
Reports Reader | Monitoring | View sign-in and usage reports (no admin access).
Service Support Administrator | Support | Manage service health and support requests (limited to Microsoft services).
Kaizala Administrator | Collaboration | Manage Kaizala settings (legacy; Kaizala has been retired).
Teams Administrator | Collaboration | Manage Microsoft Teams settings and policies.
Exchange Administrator | Collaboration | Manage Exchange Online settings and mailboxes.
SharePoint Administrator | Collaboration | Manage SharePoint Online settings and policies.
Built-in Microsoft Entra ID roles

Some quick notes:

  1. Most roles apply tenant-wide unless the assignment is scoped to an Administrative Unit (AU); not every role supports AU scoping.
  2. Some roles do overlap: individual permissions appear in both Global Administrator and Security Administrator, for instance.
  3. Certain roles, like Global Administrator, can be set as ‘Eligible’ via Privileged Identity Management (PIM). More on that later.
  4. Application Administrator and Cloud Application Administrator can add credentials to any application or service principal and then sign in as it, so they inherit whatever that app has been granted, including high-privilege Microsoft Graph application permissions. Treat both as high-impact roles, not as mere app-management roles.
Entra ID roles overlap diagram (Image Credit: Microsoft)

Custom roles

Custom roles in Microsoft Entra ID allow organizations to define granular permissions tailored to a specific job. When built-in roles are too broad or lack precise control, IT professionals create a custom role by selecting the individual permissions that job requires and nothing more. Custom roles are a least-privilege tool only when used that way: a custom role built by copying a built-in role and adding to it is broader, not narrower, so each included permission should be justified by a task the role holder actually performs.

Custom roles are built from individual permissions called resource actions (for example microsoft.directory/applications/credentials/update), the same vocabulary in which Microsoft defines the built-in roles; only the subset Microsoft lists as supported for custom roles can be used. Their assignment scope can be:

  • Tenant-wide (default)
  • Administrative Unit (AU) (e.g., limited to a department or group of people)
  • Resource-specific (e.g., a single app registration)

You can create custom roles in the Microsoft Entra admin center or with Microsoft Graph PowerShell (which calls the Microsoft Graph API underneath). Creating custom roles requires a Microsoft Entra ID P1 or P2 licence.

Quick note: the admin center’s custom-role wizard exposes only a subset of the available resource actions. For the full set, and to keep role definitions in source control where they can be reviewed, use PowerShell.

How to utilize a framework of Entra ID roles and groups

With your list of pre-defined roles and ideas for where custom roles might be needed to lock down critical resources in your environment, where should you start? You need a framework, and Entra ID groups belong in it from the beginning. This design should be thought out in advance rather than grown one assignment at a time.

A framework saves the time otherwise spent re-deciding every access request, and Entra ID security groups make day-to-day administration cheaper and easier to audit.

Adding users to an Entra ID security group and granting that group a role streamlines both the rollout and the ongoing maintenance of access. Instead of assigning nine separate users the SharePoint Administrator role, create a group called ‘SharePoint Administrators’, add the users to it, and assign the role to the group; its members can then sign in to the SharePoint admin center. Two caveats: the group must be created as role-assignable (the setting cannot be enabled later, and such groups cannot use dynamic membership), and because anyone who can add members effectively grants the role, membership of a role-assignable group can only be changed by Global Administrators, Privileged Role Administrators and the group’s owners. Treat owners of role-assignable groups as privileged accounts.
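The group-based assignment described above, as an added example written for this article (it is not code from the original article or from Microsoft): it creates the role-assignable group, assigns the built-in SharePoint Administrator role to it, and adds a member, all with the Microsoft Graph PowerShell SDK. The group name, mail nickname and member UPN are placeholders; the script assumes the Microsoft.Graph modules are installed and the signed-in account holds Privileged Role Administrator.

```powershell
# Added example, not code from the original article: create a role-assignable security group
# and hand it the built-in SharePoint Administrator role with Microsoft Graph PowerShell.
# Assumes the Microsoft.Graph modules are installed and the signed-in account holds
# Privileged Role Administrator. The group name, mail nickname and member UPN are placeholders.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "RoleManagement.ReadWrite.Directory", "User.Read.All" -NoWelcome

$GroupName = "SharePoint Administrators"

# Only a group created with isAssignableToRole = true can hold an Entra role. The flag is
# immutable after creation, the group cannot be dynamic, and its membership can only be changed
# by Global/Privileged Role Administrators and the group's own owners. That is the point: the
# group is now a privileged object and is protected like one.
$group = Get-MgGroup -Filter "displayName eq '$GroupName'"
if (-not $group) {
    $group = New-MgGroup -DisplayName $GroupName `
        -Description "Members hold the SharePoint Administrator directory role" `
        -MailEnabled:$false -MailNickname "sharepoint-admins" `
        -SecurityEnabled:$true -IsAssignableToRole:$true
} elseif (-not $group.IsAssignableToRole) {
    throw "'$GroupName' exists but is not role-assignable; it must be recreated, the flag cannot be set later."
}

# Resolve the built-in role by name; for built-ins the Id equals the well-known template ID.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'SharePoint Administrator'"
if (-not $role) { throw "Role definition not found" }

# Idempotent, tenant-wide ("/") assignment. Use "/administrativeUnits/<id>" as the scope instead
# when the admins should only act on a subset of the directory.
$assignment = Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "principalId eq '$($group.Id)' and roleDefinitionId eq '$($role.Id)'"
if (-not $assignment) {
    $assignment = New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $group.Id `
        -RoleDefinitionId $role.Id -DirectoryScopeId "/"
}

# From here on, membership is the control point: add or remove people here, never on the role.
$user = Get-MgUser -UserId "alice@contoso.example"   # placeholder UPN
$alreadyMember = Get-MgGroupMember -GroupId $group.Id -All | Where-Object Id -eq $user.Id
if (-not $alreadyMember) {
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
}

# Verify: the group should now appear as a principal of the role.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'" -ExpandProperty Principal |
    ForEach-Object { [pscustomobject]@{ Principal = $_.Principal.AdditionalProperties.displayName; Scope = $_.DirectoryScopeId } }
```

The two checks before the writes (is the group role-assignable, does the assignment already exist) are what make the script safe to re-run from a pipeline; a plain New-MgGroup with the default settings would succeed and then fail silently at assignment time.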

Defining various resources

A robust framework here requires you to identify and protect sensitive resources. These should include data, applications, and administrative functions that, if circumvented, could lead to significant security breaches and potential monetary loss.

Here are some tips and examples to give you an idea where to start.

High-impact resources

In terms of identity infrastructure, any role that ends in ‘Administrator’ should be scrutinised, especially Global Administrator. You do NOT want a threat actor gaining this role in your tenant. Follow Microsoft’s recommendation of fewer than five Global Administrators, and make the standing (non-PIM) ones only the two or more break-glass emergency accounts; everyone else should be eligible and activate through PIM. Do not go down to a single account: a lone Global Administrator is a lockout risk, not a security control.
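To check the guidance above against a real tenant, here is an added example (written for this article, not code from the original or from Microsoft) that inventories every Global Administrator holder, whether permanent, currently PIM-activated or only PIM-eligible, expands role-assignable groups so the headcount is honest, and reports the findings. It assumes the Microsoft.Graph modules and Microsoft Entra ID P2, because the PIM schedule endpoints require it (without PIM, Get-MgRoleManagementDirectoryRoleAssignment gives the permanent assignments alone); Global Reader is enough to run it. The maximum and the break-glass naming pattern are placeholders.

```powershell
# Added example, not code from the original article: inventory every Global Administrator holder
# (permanent, currently PIM-activated, or merely PIM-eligible), expand role-assignable groups so
# the headcount is honest, and flag a tenant at or above Microsoft's "fewer than five" guidance.
# Assumes the Microsoft.Graph modules and Microsoft Entra ID P2 (the PIM schedule endpoints need
# it). Global Reader is enough to run it. $MaxAllowed and $BreakGlassPattern are placeholders.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All" -NoWelcome

# Well-known template ID of the built-in Global Administrator role; identical in every tenant.
$GlobalAdminRoleId = "62e90394-69f5-4237-9190-012177145e10"

# A schedule instance's principal may be a user, a service principal or a group; flatten it to members.
function Expand-Principal($instance) {
    $props = $instance.Principal.AdditionalProperties
    if ($props.'@odata.type' -eq '#microsoft.graph.group') {
        foreach ($m in Get-MgGroupMember -GroupId $instance.PrincipalId -All) {
            $mp = $m.AdditionalProperties
            [pscustomobject]@{ Id = $m.Id; Name = if ($mp.userPrincipalName) { $mp.userPrincipalName } else { $mp.displayName } }
        }
    } else {
        [pscustomobject]@{ Id = $instance.PrincipalId; Name = if ($props.userPrincipalName) { $props.userPrincipalName } else { $props.displayName } }
    }
}

function Get-GlobalAdminInventory {
    param(
        [int]$MaxAllowed = 5,
        [string]$BreakGlassPattern = '^breakglass'   # placeholder naming convention for emergency accounts
    )
    # Active instances cover permanent assignments (AssignmentType 'Assigned') and live PIM activations ('Activated').
    $active = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All `
        -Filter "roleDefinitionId eq '$GlobalAdminRoleId'" -ExpandProperty Principal
    # Eligible instances carry no standing access but can be activated on demand.
    $eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -All `
        -Filter "roleDefinitionId eq '$GlobalAdminRoleId'" -ExpandProperty Principal

    $rows = @(
        foreach ($i in $active) {
            foreach ($p in Expand-Principal $i) {
                [pscustomobject]@{ Name = $p.Name; Id = $p.Id; Until = $i.EndDateTime
                                   State = if ($i.AssignmentType -eq 'Activated') { 'Activated' } else { 'Permanent' } }
            }
        }
        foreach ($i in $eligible) {
            foreach ($p in Expand-Principal $i) {
                [pscustomobject]@{ Name = $p.Name; Id = $p.Id; Until = $i.EndDateTime; State = 'Eligible' }
            }
        }
    )

    $permanent  = @($rows | Where-Object State -eq 'Permanent' | Sort-Object Id -Unique)
    $breakGlass = @($permanent | Where-Object Name -match $BreakGlassPattern)
    $others     = @($permanent | Where-Object Name -notmatch $BreakGlassPattern)

    [pscustomobject]@{
        Holders        = $rows | Sort-Object State, Name
        PermanentCount = $permanent.Count
        WithinGuidance = ($permanent.Count -lt $MaxAllowed)
        Findings       = @(
            if ($permanent.Count -ge $MaxAllowed) { "$($permanent.Count) standing Global Administrators; guidance is fewer than $MaxAllowed" }
            if ($breakGlass.Count -lt 2)          { "Fewer than two break-glass accounts match '$BreakGlassPattern'" }
            foreach ($o in $others)              { "Standing Global Administrator that should be PIM-eligible: $($o.Name)" }
        )
    }
}

$inventory = Get-GlobalAdminInventory
$inventory.Holders | Format-Table Name, State, Until -AutoSize
$inventory.Findings
```

Expanding groups matters: a single role-assignable group shows as one assignment in the portal, and a tenant that looks like it has three Global Administrators can have thirty once the group is opened.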

Business-critical applications such as ERP systems (Dynamics 365, SAP, etc.) need hardening on two layers. On the Entra side, require assignment to the enterprise app, use its app roles, and protect it with Conditional Access; inside the application, use its own role model. Entra directory roles do not reach into application data, so the Finance department head should get, for example, a read-only app role on the finance applications rather than a directory-level ‘Global Reader’-type role.

Assign roles strategically / PIM

Security and compliance controls warrant extra planning when defining your framework. Only allow members of your Cybersecurity and Compliance teams to have access to roles like ‘Security Administrator’ and even ‘User Administrator’.

Using PIM in Microsoft Entra ID (Image Credit: Microsoft)

Instead of giving your helpdesk techs the pre-defined ‘User Administrator’ role, which also creates and deletes users and manages groups and licences, start with the narrower built-in roles: Password Administrator for password resets alone, or Authentication Administrator when they must also re-register multifactor authentication (MFA) methods. Both are limited to non-admin users, which is what you want for a helpdesk.

Build a custom role only if even those are broader than the helpdesk needs, and check first that every required resource action is on Microsoft’s supported list for custom roles; a custom role that cannot express ‘reset password’ is worse than the narrow built-in. Either way the effect is the same: the rather powerful ‘User Administrator’ stays reserved, and the helpdesk gets only the permissions it actually uses.

Medium-impact resources

For medium-impact resources, here are some tips for defining your framework. Remember, individual needs will vary across enterprises, but these tips should help you to understand the blueprints needed for your framework.

  • Collaboration workloads like SharePoint and Teams are covered by the pre-defined service roles (SharePoint Administrator, Teams Administrator); there is usually no need to build custom roles for them.
  • Non-sensitive user directories can keep the tenant’s default settings.
  • Low-risk service principals, such as those behind internal API infrastructure, are generally fine as they are. ‘Low-risk’ here means a service principal that holds only narrow permissions and has no path to sensitive data, so a compromise has a small blast radius. A service principal holding high-privilege Graph application permissions is never low-risk, whatever it is used for.
  • When creating Entra Conditional Access policies, low-risk service principals do not need measures as strict as a user holding Global Administrator. Note that Conditional Access for workload identities is a separate licence, applies only to single-tenant service principals, and can only restrict by location and risk: a service principal cannot satisfy an MFA requirement, so the policy is a network fence, not an authenticator.

Privileged Identity Management (PIM)

I’m sure you’ve heard the phrase ‘Just-in-Time (JIT) access.’ Using this aspect of PIM is critical to keeping your identity platform secure: high-level access is granted only temporarily, which minimises the risk that comes with standing admin access. When integrated into an RBAC framework, Entra PIM ensures:

  • No one has permanent admin rights (unless explicitly required, as with break-glass accounts)
  • Elevated access is time-bound (activation windows can be set from 30 minutes up to 24 hours)
  • Every activation is logged and audited

This table will help you understand the various concepts of PIM.

Term | Definition | Example
Eligible Role | A role that requires activation before it can be used (no standing access). | A user is eligible for Global Administrator but must request activation.
Active Role | Time-bound access after activation. | After approval, the user holds Global Administrator for 4 hours.
Permanent Role | Always-active assignment (avoid for sensitive roles). | Break-glass accounts (rare, documented exceptions).
Approval Workflow | Activation requires a designated approver to grant the request. | A Helpdesk Administrator needs IT manager approval to activate.
Understanding Entra Privileged Identity Management (PIM)

Here’s a wonderful example of how temporary Entra ID roles can benefit your company and keep identity access robust and audited.

Scenario: A helpdesk tech needs to reset the CEO’s password. (User Administrator can reset passwords only for users who hold no admin role; if the CEO holds one, the request would need Privileged Authentication Administrator instead.)

  1. Request activation:
    • The helpdesk tech submits a request for the User Administrator role in PIM.
    • They provide a justification: “CEO account lockout emergency.”
  2. Approval:
    • The IT manager receives the email/Teams notification, reviews the justification and approves the request in PIM.
  3. Access granted:
    • The role is active for 2 hours and then expires automatically.
    • The activation is logged with timestamp, justification, and approver.
  4. Post-action audit:
    • The security team reviews the audit log to confirm the password reset was the only action taken.
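The helpdesk tech’s side of that scenario, as an added example written for this article (not code from the original or from Microsoft): a two-hour PIM activation request for User Administrator with a justification and ticket reference, followed by a bounded wait for the approver. It assumes the Microsoft.Graph modules, Microsoft Entra ID P2 (PIM), and that the signed-in user already holds an eligible assignment for the role; the ticket number and ticketing-system name are placeholders.

```powershell
# Added example, not code from the original article: request a two-hour PIM activation of the
# eligible User Administrator role with a justification and ticket reference, then wait for
# the approver's decision. Requires the Microsoft.Graph modules, Microsoft Entra ID P2, and an
# existing eligible assignment for the signed-in user. Ticket number and system are placeholders.
Connect-MgGraph -Scopes "RoleAssignmentSchedule.ReadWrite.Directory", "RoleEligibilitySchedule.Read.Directory", "User.Read" -NoWelcome

function Request-PimActivation {
    param(
        [Parameter(Mandatory)] [string]$RoleDisplayName,
        [Parameter(Mandatory)] [string]$Justification,
        [string]$Ticket      = "INC-0000",   # placeholder ticket reference
        [string]$Duration    = "PT2H",       # ISO 8601; the role's PIM policy may cap it lower
        [int]   $WaitMinutes = 15
    )
    $me   = Get-MgUser -UserId (Get-MgContext).Account
    $role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleDisplayName'"
    if (-not $role) { throw "No role named '$RoleDisplayName'" }

    # Fail fast with a clear message instead of an opaque 400 if the tech was never made eligible.
    $eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance `
        -Filter "principalId eq '$($me.Id)' and roleDefinitionId eq '$($role.Id)'"
    if (-not $eligible) {
        throw "$($me.UserPrincipalName) is not eligible for $RoleDisplayName: no standing access and nothing to activate."
    }

    $request = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter @{
        action           = "selfActivate"
        principalId      = $me.Id
        roleDefinitionId = $role.Id
        directoryScopeId = "/"              # tenant-wide; an AU scope would be "/administrativeUnits/<id>"
        justification    = $Justification   # shown to the approver and kept in the audit log
        ticketInfo       = @{ ticketNumber = $Ticket; ticketSystem = "ServiceDesk" }
        scheduleInfo     = @{
            startDateTime = (Get-Date).ToUniversalTime()
            expiration    = @{ type = "AfterDuration"; duration = $Duration }
        }
    }

    # Poll until an approver decides. MFA and approval requirements are enforced server-side by the
    # role's PIM policy; nothing in this script can bypass them.
    $deadline = (Get-Date).AddMinutes($WaitMinutes)
    while ($request.Status -eq "PendingApproval" -and (Get-Date) -lt $deadline) {
        Start-Sleep -Seconds 30
        $request = Get-MgRoleManagementDirectoryRoleAssignmentScheduleRequest `
            -UnifiedRoleAssignmentScheduleRequestId $request.Id
    }
    $request
}

$result = Request-PimActivation -RoleDisplayName "User Administrator" -Justification "CEO account lockout emergency"
switch ($result.Status) {
    "Provisioned"     { "Active for PT2H at most; reset the password now, the role expires on its own." }
    "PendingApproval" { "Still waiting on the approver; the role is not active yet." }
    "Denied"          { "The approver denied the request." }
    default           { "Request state: $($result.Status)" }
}
```

The eligibility check before the request is deliberate: the most common helpdesk failure is an account that was never made eligible, and the error Graph returns for that is not self-explanatory.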

Monitoring and auditing Entra ID access logs

A key pillar of this framework must include monitoring and auditing access logs associated with the Entra ID identity platform. Here are the key monitoring tools you need to include in your plan.

Tool | Purpose
Entra ID Audit Logs and Sign-in Logs | Audit logs record role assignments, policy and application changes; sign-in logs record every authentication with its Conditional Access result and risk level.
Microsoft Defender for Identity | Detect on-premises privilege escalation and AD FS abuse (e.g., “Golden SAML” token forgery) through its domain controller and AD FS sensors; pair it with Entra ID Protection for cloud sign-in risk.
Azure Monitor + Microsoft Sentinel | Export the logs through diagnostic settings and correlate them for threat detection and alerting.
Access Reviews | Quarterly reviews of who holds sensitive roles and app assignments. Don’t skip this!
Tools for monitoring and auditing Entra ID access logs

Here are some critical alerts you should configure and tailor to your security and compliance framework.

  • Changes to critical role membership, such as Global Administrator, Privileged Role Administrator and Application Administrator, including PIM-eligible additions, not just permanent ones.
  • Consent grants to applications, especially tenant-wide admin consent to third-party OAuth apps (Salesforce, identity-focused apps, etc.) and any grant of high-privilege Microsoft Graph permissions.
  • Bursts of failed sign-ins from one identity or source address (password spray or brute force), and repeated Conditional Access failures, which mean a valid password is being used from a blocked device or location.
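An ad-hoc run of those three alert conditions over the last 24 hours of Entra audit and sign-in logs, as an added example written for this article (not code from the original or from Microsoft). In production the same logic belongs in Sentinel analytics rules over the exported logs; this is the manual equivalent for a quick check or a tabletop exercise. It assumes the Microsoft.Graph modules with AuditLog.Read.All and Directory.Read.All; the role watch-list, the window and the failure threshold are placeholders to tune.

```powershell
# Added example, not code from the original article: check the three alert conditions above over
# the last 24 hours of Entra audit and sign-in logs with Microsoft Graph PowerShell. Requires the
# Microsoft.Graph modules with AuditLog.Read.All and Directory.Read.All. The watch-list, window
# and threshold are placeholders to tune.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All" -NoWelcome
$Since        = (Get-Date).ToUniversalTime().AddHours(-24).ToString("yyyy-MM-ddTHH:mm:ssZ")
$WatchedRoles = @("Global Administrator", "Privileged Role Administrator", "Application Administrator")

function Get-ModifiedValue($event, $propertyName) {
    # Audit events carry details as name/value pairs under each target; values are JSON-encoded strings.
    ($event.TargetResources.ModifiedProperties |
        Where-Object DisplayName -eq $propertyName | Select-Object -First 1).NewValue -replace '^"|"$', ''
}

function Get-CriticalRoleChanges {
    # Permanent ("Add member to role") and PIM ("Add eligible member to role") additions both sit in RoleManagement.
    Get-MgAuditLogDirectoryAudit -All -Filter "category eq 'RoleManagement' and activityDateTime ge $Since" |
        Where-Object ActivityDisplayName -match '^Add (eligible )?member to role' |
        ForEach-Object {
            $roleName = Get-ModifiedValue $_ 'Role.DisplayName'
            if ($roleName -in $WatchedRoles) {
                $t = $_.TargetResources | Select-Object -First 1
                [pscustomobject]@{
                    Time     = $_.ActivityDateTime
                    Actor    = $_.InitiatedBy.User.UserPrincipalName
                    Activity = $_.ActivityDisplayName
                    Role     = $roleName
                    Target   = if ($t.UserPrincipalName) { $t.UserPrincipalName } else { $t.DisplayName }
                }
            }
        }
}

function Get-ConsentGrants {
    # Every consent, delegated or admin, is logged as "Consent to application" under ApplicationManagement.
    Get-MgAuditLogDirectoryAudit -All -Filter "category eq 'ApplicationManagement' and activityDateTime ge $Since" |
        Where-Object ActivityDisplayName -eq 'Consent to application' |
        ForEach-Object {
            [pscustomobject]@{
                Time         = $_.ActivityDateTime
                Actor        = $_.InitiatedBy.User.UserPrincipalName
                App          = ($_.TargetResources | Select-Object -First 1).DisplayName
                AdminConsent = Get-ModifiedValue $_ 'ConsentContext.IsAdminConsent'
                Permissions  = Get-ModifiedValue $_ 'ConsentAction.Permissions'
            }
        }
}

function Get-FailedSignInBursts {
    param([int]$Threshold = 10)
    # 50126 is "invalid username or password": the signature of a spray or brute-force attempt.
    $badPassword = @(Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $Since and status/errorCode eq 50126")
    # A Conditional Access failure means the password was right but the context (device, location, MFA) was not.
    $caFailures  = @(Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $Since and conditionalAccessStatus eq 'failure'")
    ($badPassword + $caFailures) | Group-Object UserPrincipalName | Where-Object Count -ge $Threshold | ForEach-Object {
        [pscustomobject]@{
            User       = $_.Name
            Failures   = $_.Count
            CAFailures = @($_.Group | Where-Object ConditionalAccessStatus -eq 'failure').Count
            SourceIPs  = ($_.Group.IPAddress | Sort-Object -Unique) -join ', '
        }
    }
}

"== Critical role changes ==";  Get-CriticalRoleChanges | Format-Table -AutoSize
"== Consent grants ==";         Get-ConsentGrants | Format-Table -AutoSize
"== Failed sign-in bursts ==";  Get-FailedSignInBursts -Threshold 10 | Format-Table -AutoSize
```

Two design points: the role filter is applied client-side after a server-side category filter because the role name lives inside modifiedProperties rather than in a filterable top-level field, and the two sign-in queries are kept separate because a Conditional Access failure and a wrong password are different signals (one is an attacker without the password, the other may be an attacker with it).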

Common scenarios and best practices

I’ve given a good number of examples above involving implementing a framework in your organization. Let me expand and add a few more here that should be analyzed in every enterprise, regardless of size and complexity.

Least privileged access

Least privilege access (LPA) is often called the cornerstone of secure identity management. If there is a mantra that every organization’s CISO should follow when developing a framework around Entra ID roles, this is it: give a user only the access they need to do their job.

Here are some real-world scenarios and actionable best practices to incorporate LPA into your Entra ID RBAC framework.

Scenario: Securing Privileged Roles with PIM

Problem: Too many standing Global Admins.

LPA Solution:

  1. Convert all admins to eligible (zero standing access), keeping only the documented break-glass accounts as permanent assignments.
  2. Require for activation:
    • MFA + device compliance.
    • Approval from a second admin (for roles like Global Administrator).
  3. Limit activations to 1 hour for critical roles.
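The three steps above applied to the PIM policy for Global Administrator, as an added example written for this article (not code from the original or from Microsoft): standing admins are converted to eligible with break-glass accounts excluded, activation is capped at one hour, and MFA plus a written justification are required on activation. It assumes the Microsoft.Graph modules, Microsoft Entra ID P2 and Privileged Role Administrator. Run it from a PIM-activated session or a break-glass account, because it removes standing access, possibly your own. The break-glass UPNs are placeholders; the rule IDs are the fixed names Entra gives the rules of every directory-role policy.

```powershell
# Added example, not code from the original article: convert standing Global Administrators to
# PIM-eligible (break-glass excluded), cap activation at one hour, and require MFA plus a
# justification on activation, via Microsoft Graph PowerShell. Requires the Microsoft.Graph
# modules, Microsoft Entra ID P2 and Privileged Role Administrator. Run from a PIM-activated
# session or a break-glass account: it removes standing access. Break-glass UPNs are placeholders.
Connect-MgGraph -Scopes "RoleManagementPolicy.ReadWrite.Directory", "RoleManagement.ReadWrite.Directory" -NoWelcome

$GlobalAdminRoleId = "62e90394-69f5-4237-9190-012177145e10"
$BreakGlass = @("breakglass1@contoso.example", "breakglass2@contoso.example")   # placeholders; stay permanent

# --- Step 1: standing assignments become eligibility ---
function Convert-StandingToEligible([string]$PrincipalId) {
    # Grant eligibility first, so the admin is never left with nothing if the second call fails.
    New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter @{
        action           = "adminAssign"
        principalId      = $PrincipalId
        roleDefinitionId = $GlobalAdminRoleId
        directoryScopeId = "/"
        justification    = "Replace standing Global Administrator access with PIM eligibility"
        scheduleInfo     = @{
            startDateTime = (Get-Date).ToUniversalTime()
            expiration    = @{ type = "AfterDuration"; duration = "P365D" }   # forces a yearly re-decision
        }
    } | Out-Null
    New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter @{
        action           = "adminRemove"
        principalId      = $PrincipalId
        roleDefinitionId = $GlobalAdminRoleId
        directoryScopeId = "/"
        justification    = "Standing access replaced by PIM eligibility"
    } | Out-Null
}

$standing = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All `
    -Filter "roleDefinitionId eq '$GlobalAdminRoleId'" -ExpandProperty Principal |
    Where-Object { $_.AssignmentType -eq 'Assigned' -and $_.MemberType -eq 'Direct' }
foreach ($s in $standing) {
    $upn = $s.Principal.AdditionalProperties.userPrincipalName
    if ($upn -in $BreakGlass) { continue }
    Write-Host "Converting $upn to eligible"
    Convert-StandingToEligible -PrincipalId $s.PrincipalId
}

# --- Steps 2 and 3: the role's PIM policy ---
# Each directory role has one policy assignment at tenant scope; the policy is found through it.
$policyId = (Get-MgPolicyRoleManagementPolicyAssignment `
    -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$GlobalAdminRoleId'").PolicyId
$endUserTarget = @{ caller = "EndUser"; operations = @("All"); level = "Assignment"; inheritableSettings = @(); enforcedSettings = @() }

# Activation may last at most one hour.
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Expiration_EndUser_Assignment" -BodyParameter @{
        "@odata.type"        = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
        id                   = "Expiration_EndUser_Assignment"
        isExpirationRequired = $true
        maximumDuration      = "PT1H"
        target               = $endUserTarget
    }

# Activation requires MFA and a justification. Device compliance is not a PIM setting of its own:
# it comes from the AuthenticationContext_EndUser_Assignment rule bound to a Conditional Access
# authentication context that requires a compliant device; that policy must exist first, so it is omitted here.
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Enablement_EndUser_Assignment" -BodyParameter @{
        "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule"
        id            = "Enablement_EndUser_Assignment"
        enabledRules  = @("MultiFactorAuthentication", "Justification")
        target        = $endUserTarget
    }

# Approval is read rather than written, because the approver structure is tenant-specific; warn if it is off.
$approval = Get-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Approval_EndUser_Assignment"
if (-not $approval.AdditionalProperties.setting.isApprovalRequired) {
    Write-Warning "Approval is not required for Global Administrator activation; set approvers in the PIM role settings."
}
```

Order matters in the conversion: eligibility is created before the standing assignment is removed, so a failure between the two calls leaves an admin with too much access rather than none, which is the recoverable failure mode.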

Scenario: Restricting Access to Sensitive Data

Problem: HR needs read access to employee data, but shouldn’t modify it.

LPA Solution:

  • Custom Role: HR Data Reader with the read-only user and group resource actions:
      microsoft.directory/users/standard/read
      microsoft.directory/groups/standard/read
  • Scope the assignment to an AU (Administrative Unit) named “HR”. Be precise about what this does: the AU scope limits the administrative actions the role grants to objects inside the AU; it does not hide the rest of the directory, which any member user can read at the basic level by default unless that default is restricted.

Best Practice:
Combine with Conditional Access: Block access outside trusted IPs/VPNs.
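The HR Data Reader scenario above, as an added example written for this article (not code from the original or from Microsoft): the custom role is defined with Microsoft Graph PowerShell, checked for drift, and assigned to an HR group at the scope of the “HR” administrative unit. The same two cmdlets create any custom role, including the narrow helpdesk role discussed in the custom roles section; only the resource actions change. It assumes the Microsoft.Graph modules, a Microsoft Entra ID P1 or P2 licence (custom roles need it), Privileged Role Administrator, and that the AU and a role-assignable group already exist; the AU name and group name are placeholders.

```powershell
# Added example, not code from the original article: define the "HR Data Reader" custom role and
# assign it to an HR group scoped to the "HR" administrative unit with Microsoft Graph PowerShell.
# Assumes the Microsoft.Graph modules, a Microsoft Entra ID P1/P2 licence, Privileged Role
# Administrator, and an existing AU and role-assignable group. AU and group names are placeholders.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "AdministrativeUnit.Read.All", "Group.Read.All" -NoWelcome

$RoleName = "HR Data Reader"
# Read-only user and group actions from Microsoft's supported list for custom roles.
# Anything not on that list cannot go into a custom role, which is why built-ins are checked first.
$Actions = @(
    "microsoft.directory/users/standard/read",
    "microsoft.directory/groups/standard/read"
)

$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleName'"
if (-not $role) {
    $role = New-MgRoleManagementDirectoryRoleDefinition -BodyParameter @{
        displayName     = $RoleName
        description     = "Read basic user and group properties; intended for AU-scoped assignment"
        isEnabled       = $true
        rolePermissions = @(@{ allowedResourceActions = $Actions })
    }
}

# Drift check: refuse to proceed if someone has widened the definition since it was created.
$granted = @($role.RolePermissions.AllowedResourceActions)
$extra   = @($granted | Where-Object { $_ -notin $Actions })
if ($extra.Count -gt 0) { throw "'$RoleName' now carries unexpected actions: $($extra -join ', ')" }

$au    = Get-MgDirectoryAdministrativeUnit -Filter "displayName eq 'HR'"
$group = Get-MgGroup -Filter "displayName eq 'HR Analysts'"           # placeholder; must be role-assignable
if (-not $au)    { throw "Administrative unit 'HR' not found" }
if (-not $group) { throw "Group 'HR Analysts' not found" }
if (-not $group.IsAssignableToRole) { throw "'HR Analysts' is not role-assignable; recreate it with -IsAssignableToRole" }

# The scope is what turns a tenant-wide read into an HR-only one.
$scope    = "/administrativeUnits/$($au.Id)"
$existing = Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "principalId eq '$($group.Id)' and roleDefinitionId eq '$($role.Id)'"
if (-not ($existing | Where-Object DirectoryScopeId -eq $scope)) {
    New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $group.Id -RoleDefinitionId $role.Id -DirectoryScopeId $scope
}

# Report every assignment of this role with its scope, so a reviewer can spot a tenant-wide ("/") one.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'" -ExpandProperty Principal |
    ForEach-Object { [pscustomobject]@{ Principal = $_.Principal.AdditionalProperties.displayName; Scope = $_.DirectoryScopeId } }
```

The final report is the access-review artefact: a custom role that was meant to be AU-scoped but has picked up a tenant-wide assignment is the usual way this design quietly decays.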

Here are some key takeaways to assist you with understanding the fundamentals to incorporate this into your framework.

  1. Built-in roles first, custom roles where none fits: pick the narrowest built-in role that covers the task, and write a custom role only when every built-in is broader than needed, using only the supported resource actions.
  2. PIM is non-negotiable: eliminate standing privileges for sensitive roles.
  3. Scope matters: use AUs to limit access to subsets of users and resources.
  4. Automate governance: access reviews and alerts prevent permission drift.

Frequently Asked Questions

What are Entra ID roles?

Microsoft Entra ID roles, formerly Azure AD roles, are sets of permissions that control access to administrative tasks within Microsoft Entra ID (identity and access management). These roles help enforce the principle of least privilege by assigning users only the permissions necessary for their tasks—such as user management, app registration, or security policy configuration.

Who uses Microsoft Entra ID and what is their role?

Microsoft Entra ID is used by IT administrators, compliance officers, developers, and security teams in organizations that leverage Microsoft 365, Azure, or other cloud-based identity systems. These users rely on Entra ID to manage user identities, control access to resources, enforce security policies, and enable secure collaboration across internal and external systems.

What are custom roles in Entra ID?

Custom roles in Microsoft Entra ID allow organizations to define their own sets of permissions tailored to specific operational or security needs. Unlike built-in roles with predefined scopes, custom roles can include granular permissions, giving admins more control over what actions a role holder can perform—ideal for meeting unique compliance or organizational requirements.

How to see roles in Entra?

  • Go to the Microsoft Entra admin center.
  • Navigate to Roles and administrators under the Identity section.
  • Here, you can browse all available roles, view role descriptions, and see which users are assigned to each role.
  • You can also use Microsoft Graph PowerShell (Get-MgRoleManagementDirectoryRoleDefinition for role definitions, Get-MgRoleManagementDirectoryRoleAssignment for assignments) or the Microsoft Graph API for programmatic access to role information. The older AzureAD module’s Get-AzureADDirectoryRole is deprecated and should not be used in new scripts.