Senserva Blog

Azure AD Role Scoring

Written by Kyle White | Jul 10, 2023

At the time of writing this post, Azure AD contains 91 built-in administrative roles. These roles have varying degrees of power within Azure AD.

The team at Senserva has built a scoring system for grading these roles so that our analytics platform can grade each user's power level within your organization. This can be helpful for highlighting security vulnerabilities within your administration team (such as misconfigured Multi-Factor Authentication).

Users can have multiple roles within an Azure AD tenant. A user's score is the power level of the highest-power role assigned to them, and that level is the one displayed. Below is a table containing the different tiers of power levels that we have classified.

| ROLE LEVEL | DESCRIPTION |
|---|---|
| Limited Access | Read/write access on select low level resources. |
| Technicians | Read/write access for less sensitive resources. |
| Sensitive Access | Read access for sensitive resources. Write access to less sensitive resources. |
| Administrators | Powerful read/write access to sensitive resources. |
| Global Administrators | Powerful access to all resources. |


And below are the individual power levels that we have assigned to each of the Azure AD roles for grading user power levels.

| ROLE NAME | ROLE DESCRIPTION | GRADED POWER LEVEL | TEMPLATE ID |
|---|---|---|---|
| Application Administrator | Can create and manage all aspects of app registrations and enterprise apps. | Administrator | 9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3 |
| Application Developer | Can create application registrations independent of the 'Users can register applications' setting. | Technician | cf1c38e5-3621-4004-a7cb-879624dced7c |
| Attack Payload Author | Can create attack payloads that an administrator can initiate later. | Technician | 9c6df0f2-1e7c-4dc3-b195-66dfbd24aa8f |
| Attack Simulation Administrator | Can create and manage all aspects of attack simulation campaigns. | Limited Access | c430b396-e693-46cc-96f3-db01bf8bb62a |
| Attribute Assignment Administrator | Assign custom security attribute keys and values to supported Azure AD objects. | Sensitive Access | 58a13ea3-c632-46ae-9ee0-9c0d43cd7f3d |
| Attribute Assignment Reader | Read custom security attribute keys and values for supported Azure AD objects. | Sensitive Access | ffd52fa5-98dc-465c-991d-fc073eb59f8f |
| Attribute Definition Administrator | Define and manage the definition of custom security attributes. | Technician | 8424c6f0-a189-499e-bbd0-26c1753c96d4 |
| Attribute Definition Reader | Read the definition of custom security attributes. | Limited Access | 1d336d2c-4ae8-42ef-9711-b3604ce3fc2c |
| Authentication Administrator | Can access to view, set and reset authentication method information for any non-admin user. | Administrator | c4e39bd9-1100-46d3-8c65-fb160da0071f |
| Authentication Policy Administrator | Can create and manage the authentication methods policy, tenant-wide MFA settings, password protection policy, and verifiable credentials. | Sensitive Access | 0526716b-113d-4c15-b2c8-68e3c22b9f80 |
| Azure AD Joined Device Local Administrator | Users assigned to this role are added to the local administrators group on Azure AD-joined devices. | Administrator | 9f06204d-73c1-4d4c-880a-6edb90606fd8 |
| Azure DevOps Administrator | Can manage Azure DevOps policies and settings. | Administrator | e3973bdf-4987-49ae-837a-ba8e231c7286 |
| Azure Information Protection Administrator | Can manage all aspects of the Azure Information Protection product. | Sensitive Access | 7495fdc4-34c4-4d15-a289-98788ce399fd |
| B2C IEF Keyset Administrator | Can manage secrets for federation and encryption in the Identity Experience Framework (IEF). | Administrator | aaf43236-0c0d-4d5f-883a-6955382ac081 |
| B2C IEF Policy Administrator | Can create and manage trust framework policies in the Identity Experience Framework (IEF). | Administrator | 3edaf663-341e-4475-9f94-5c398ef6c070 |
| Billing Administrator | Can perform common billing related tasks like updating payment information. | Administrator | b0f54661-2d74-4c50-afa3-1ec803f12efe |
| Cloud App Security Administrator | Can manage all aspects of the Defender for Cloud Apps product. | Sensitive Access | 892c5842-a9a6-463a-8041-72aa08ca3cf6 |
| Cloud Application Administrator | Can create and manage all aspects of app registrations and enterprise apps except App Proxy. | Administrator | 158c047a-c907-4556-b7ef-446551a6b5f7 |
| Cloud Device Administrator | Limited access to manage devices in Azure AD. | Sensitive Access | 7698a772-787b-4ac8-901f-60d6b08affd2 |
| Compliance Administrator | Can read and manage compliance configuration and reports in Azure AD and Microsoft 365. | Administrator | 17315797-102d-40b4-93e0-432062caca18 |
| Compliance Data Administrator | Creates and manages compliance content. | Administrator | e6d1a23a-da11-4be4-9570-befc86d067a7 |
| Conditional Access Administrator | Can manage Conditional Access capabilities. | Administrator | b1be1c3e-b65d-4f19-8427-f6fa0d97feb9 |
| Customer LockBox Access Approver | Can approve Microsoft support requests to access customer organizational data. | Administrator | 5c4f9dcd-47dc-4cf7-8c9a-9e4207cbfc91 |
| Desktop Analytics Administrator | Can access and manage Desktop management tools and services. | Limited Access | 38a96431-2bdf-4b4c-8b6e-5d3d8abac1a4 |
| Directory Readers | Can read basic directory information. Commonly used to grant directory read access to applications and guests. | Limited Access | 88d8e3e3-8f55-4a1e-953a-9b9898b8876b |
| Directory Synchronization Accounts | Only used by Azure AD Connect service. | Administrator | d29b2b05-8046-44ba-8758-1e26182fcf32 |
| Directory Writers | Can read and write basic directory information. For granting access to applications, not intended for users. | Administrator | 9360feb5-f418-4baa-8175-e2a00bac4301 |
| Domain Name Administrator | Can manage domain names in cloud and on-premises. | Technician | 8329153b-31d0-4727-b945-745eb3bc5f31 |
| Dynamics 365 Administrator | Can manage all aspects of the Dynamics 365 product. | Administrator | 44367163-eba1-44c3-98af-f5787879f96a |
| Edge Administrator | Manage all aspects of Microsoft Edge. | Technician | 3f1acade-1e04-4fbc-9b69-f0302cd84aef |
| Exchange Administrator | Can manage all aspects of the Exchange product. | Administrator | 29232cdf-9323-42fd-ade2-1d097af3e4de |
| Exchange Recipient Administrator | Can create or update Exchange Online recipients within the Exchange Online organization. | Technician | 31392ffb-586c-42d1-9346-e59415a2cc4e |
| External ID User Flow Administrator | Can create and manage all aspects of user flows. | Sensitive Access | 6e591065-9bad-43ed-90f3-e9424366d2f0 |
| External ID User Flow Attribute Administrator | Can create and manage the attribute schema available to all user flows. | Sensitive Access | 0f971eea-41eb-4569-a71e-57bb8a3eff1e |
| External Identity Provider Administrator | Can configure identity providers for use in direct federation. | Administrator | be2f45a1-457d-42af-a067-6ec1fa63bc45 |
| Global Administrator | Can manage all aspects of Azure AD and Microsoft services that use Azure AD identities. | Global Administrator | 62e90394-69f5-4237-9190-012177145e10 |
| Global Reader | Can read everything that a Global Administrator can, but not update anything. | Administrator | f2ef992c-3afb-46b9-b7cf-a126ee74c451 |
| Groups Administrator | Members of this role can create/manage groups, create/manage groups settings like naming and expiration policies, and view groups activity and audit reports. | Limited Access | fdd7a751-b60b-444a-984c-02652fe8fa1c |
| Guest Inviter | Can invite guest users independent of the 'members can invite guests' setting. | Limited Access | 95e79109-95c0-4d8e-aee3-d01accf2d47b |
| Helpdesk Administrator | Can reset passwords for non-administrators and Helpdesk Administrators. | Administrator | 729827e3-9c14-49f7-bb1b-9608f156bbb8 |
| Hybrid Identity Administrator | Can manage AD to Azure AD cloud provisioning, Azure AD Connect, Pass-through Authentication (PTA), Password hash synchronization (PHS), Seamless Single sign-on (Seamless SSO), and federation settings. | Sensitive Access | 8ac3fc64-6eca-42ea-9e69-59f4c7b60eb2 |
| Identity Governance Administrator | Manage access using Azure AD for identity governance scenarios. | Technician | 45d8d3c5-c802-45c6-b32a-1d70b5e1e86e |
| Insights Administrator | Has administrative access in the Microsoft 365 Insights app. | Administrator | eb1f4a8d-243a-41f0-9fbd-c7cdf6c5ef7c |
| Insights Analyst | Access the analytical capabilities in Microsoft Viva Insights and run custom queries. | Technician | 25df335f-86eb-4119-b717-0ff02de207e9 |
| Insights Business Leader | Can view and share dashboards and insights via the Microsoft 365 Insights app. | Limited Access | 31e939ad-9672-4796-9c2e-873181342d2d |
| Intune Administrator | Can manage all aspects of the Intune product. | Administrator | 3a2c62db-5318-420d-8d74-23affee5d9d5 |
| Kaizala Administrator | Can manage settings for Microsoft Kaizala. | Limited Access | 74ef975b-6605-40af-a5d2-b9539d836353 |
| Knowledge Administrator | Can configure knowledge, learning, and other intelligent features. | Limited Access | b5a8dcf3-09d5-43a9-a639-8e29ef291470 |
| Knowledge Manager | Can organize, create, manage, and promote topics and knowledge. | Limited Access | 744ec460-397e-42ad-a462-8b3f9747a02c |
| License Administrator | Can manage product licenses on users and groups. | Technician | 4d6ac14f-3453-41d0-bef9-a3e0c569773a |
| Lifecycle Workflows Administrator | Create and manage all aspects of workflows and tasks associated with Lifecycle Workflows in Azure AD. | Sensitive Access | 59d46f88-662b-457b-bceb-5c3809e5908f |
| Message Center Privacy Reader | Can read security messages and updates in Office 365 Message Center only. | Limited Access | ac16e43d-7b2d-40e0-ac05-243ff356ab5b |
| Message Center Reader | Can read messages and updates for their organization in Office 365 Message Center only. | Limited Access | 790c1fb9-7f7d-4f88-86a1-ef1f95c05c1b |
| Microsoft Hardware Warranty Administrator | Create and manage all aspects of warranty claims and entitlements for Microsoft manufactured hardware, like Surface and HoloLens. | Limited Access | 1501b917-7653-4ff9-a4b5-203eaf33784f |
| Microsoft Hardware Warranty Specialist | Create and read warranty claims for Microsoft manufactured hardware, like Surface and HoloLens. | Limited Access | 281fe777-fb20-4fbb-b7a3-ccebce5b0d96 |
| Modern Commerce User | Can manage commercial purchases for a company, department or team. | Limited Access | d24aef57-1500-4070-84db-2666f29cf966 |
| Network Administrator | Can manage network locations and review enterprise network design insights for Microsoft 365 Software as a Service applications. | Limited Access | d37c8bed-0711-4417-ba38-b4abe66ce4c2 |
| Office Apps Administrator | Can manage Office apps cloud services, including policy and settings management, and manage the ability to select, unselect and publish 'what's new' feature content to end-user's devices. | Limited Access | 2b745bdf-0803-4d80-aa65-822c4493daac |
| Organizational Messages Writer | Write, publish, manage, and review the organizational messages for end-users through Microsoft product surfaces. | Limited Access | 507f53e4-4e52-4077-abd3-d2e1558b6ea2 |
| Partner Tier1 Support | Do not use - not intended for general use. | Warning | 4ba39ca4-527c-499a-b93d-d9b492c50246 |
| Partner Tier2 Support | Do not use - not intended for general use. | Warning | e00e864a-17c5-4a4b-9c06-f5b95a8d5bd8 |
| Password Administrator | Can reset passwords for non-administrators and Password Administrators. | Sensitive Access | 966707d0-3269-4727-9be2-8c3a10f19b9d |
| Permissions Management Administrator | Manage all aspects of Entra Permissions Management. | Administrator | af78dc32-cf4d-46f9-ba4e-4428526346b5 |
| Power BI Administrator | Can manage all aspects of the Power BI product. | Sensitive Access | a9ea8996-122f-4c74-9520-8edcd192826c |
| Power Platform Administrator | Can create and manage all aspects of Microsoft Dynamics 365, Power Apps and Power Automate. | Limited Access | 11648597-926c-4cf3-9c36-bcebb0ba8dcc |
| Printer Administrator | Can manage all aspects of printers and printer connectors. | Limited Access | 644ef478-e28f-4e28-b9dc-3fdde9aa0b1f |
| Printer Technician | Can register and unregister printers and update printer status. | Limited Access | e8cef6f1-e4bd-4ea8-bc07-4b8d950f4477 |
| Privileged Authentication Administrator | Can access to view, set and reset authentication method information for any user (admin or non-admin). | Administrator | 7be44c8a-adaf-4e2a-84d6-ab2649e08a13 |
| Privileged Role Administrator | Can manage role assignments in Azure AD, and all aspects of Privileged Identity Management. | Administrator | e8611ab8-c189-46e8-94e1-60213ab1f814 |
| Reports Reader | Can read sign-in and audit reports. | Limited Access | 4a5d8f65-41da-4de4-8968-e035b65339cf |
| Search Administrator | Can create and manage all aspects of Microsoft Search settings. | Limited Access | 0964bb5e-9bdb-4d7b-ac29-58e794862a40 |
| Search Editor | Can create and manage the editorial content such as bookmarks, Q and As, locations, floorplan. | Limited Access | 8835291a-918c-4fd7-a9ce-faa49f0cf7d9 |
| Security Administrator | Can read security information and reports, and manage configuration in Azure AD and Office 365. | Administrator | 194ae4cb-b126-40b2-bd5b-6091b380977d |
| Security Operator | Creates and manages security events. | Sensitive Access | 5f2222b1-57c3-48ba-8ad5-d4759f1fde6f |
| Security Reader | Can read security information and reports in Azure AD and Office 365. | Technician | 5d6b6bb7-de71-4623-b4af-96380a352509 |
| Service Support Administrator | Can read service health information and manage support tickets. | Limited Access | f023fd81-a637-4b56-95fd-791ac0226033 |
| SharePoint Administrator | Can manage all aspects of the SharePoint service. | Sensitive Access | f28a1f50-f6e7-4571-818b-6a12f2af6b6c |
| Skype for Business Administrator | Can manage all aspects of the Skype for Business product. | Limited Access | 75941009-915a-4869-abe7-691bff18279e |
| Teams Administrator | Can manage the Microsoft Teams service. | Sensitive Access | 69091246-20e8-4a56-aa4d-066075b2a7a8 |
| Teams Communications Administrator | Can manage calling and meetings features within the Microsoft Teams service. | Limited Access | baf37b3a-610e-45da-9e62-d9d1e5e8914b |
| Teams Communications Support Engineer | Can troubleshoot communications issues within Teams using advanced tools. | Limited Access | f70938a0-fc10-4177-9e90-2178f8765737 |
| Teams Communications Support Specialist | Can troubleshoot communications issues within Teams using basic tools. | Limited Access | fcf91098-03e3-41a9-b5ba-6f0ec8188a12 |
| Teams Devices Administrator | Can perform management related tasks on Teams certified devices. | Administrator | 3d762c5a-1b6c-493f-843e-55a3b42923d4 |
| Tenant Creator | Create new Azure AD or Azure AD B2C tenants. | Administrator | 112ca1a2-15ad-4102-995e-45b0bc479a6a |
| Usage Summary Reports Reader | Can see only tenant level aggregates in Microsoft 365 Usage Analytics and Productivity Score. | Limited Access | 75934031-6c7e-415a-99d7-48dbd49e875e |
| User Administrator | Can manage all aspects of users and groups, including resetting passwords for limited admins. | Limited Access | fe930be7-5e62-47db-91af-98c3a49a38b1 |
| Virtual Visits Administrator | Manage and share Virtual Visits information and metrics from admin centers or the Virtual Visits app. | Limited Access | e300d9e7-4a2b-4295-9eff-f1c78b36cc98 |
| Viva Goals Administrator | Manage and configure all aspects of Microsoft Viva Goals. | Limited Access | 92b086b3-e367-4ef2-b869-1de128fb986e |
| Windows 365 Administrator | Can provision and manage all aspects of Cloud PCs. | Sensitive Access | 11451d60-acb2-45eb-a7d6-43d0f0125c13 |
| Windows Update Deployment Administrator | Can create and manage all aspects of Windows Update deployments through the Windows Update for Business deployment service. | Technician | 32696413-001a-46ae-978c-ce0f6b3620d2 |
| Yammer Administrator | Manage all aspects of the Yammer service. | Limited Access | 810a2642-a034-447f-a5e8-41beaa378541 |
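The scoring rule described earlier (a user's displayed level is the power level of their highest-power assigned role) is small enough to show end to end. The Python below is an added example, not Senserva's code or part of their platform. It embeds a subset of the table above keyed by template ID (IDs and levels copied from the table), ranks the five tiers, and scores a constructed set of users. Two details the post does not spell out are handled as stated assumptions: roles graded "Warning" (the Partner Tier support roles) are reported separately rather than ranked as a power level, and template IDs missing from the table (for example custom roles) are listed as unscored instead of silently ignored. The `privileged_without_mfa` check, which pairs the score with an MFA registration flag, is the kind of follow-up the post alludes to and is likewise this example's own design.

```python
from dataclasses import dataclass, field
from typing import Optional

# Ranking of the tiers from the post's first table, lowest to highest.
TIER_RANK = {
    "Limited Access": 1,
    "Technician": 2,
    "Sensitive Access": 3,
    "Administrator": 4,
    "Global Administrator": 5,
}

# Subset of the post's second table: template ID -> (role name, graded power level).
# IDs and levels are copied from the table; the full table has 91 rows.
ROLE_TABLE = {
    "62e90394-69f5-4237-9190-012177145e10": ("Global Administrator", "Global Administrator"),
    "194ae4cb-b126-40b2-bd5b-6091b380977d": ("Security Administrator", "Administrator"),
    "729827e3-9c14-49f7-bb1b-9608f156bbb8": ("Helpdesk Administrator", "Administrator"),
    "966707d0-3269-4727-9be2-8c3a10f19b9d": ("Password Administrator", "Sensitive Access"),
    "5d6b6bb7-de71-4623-b4af-96380a352509": ("Security Reader", "Technician"),
    "88d8e3e3-8f55-4a1e-953a-9b9898b8876b": ("Directory Readers", "Limited Access"),
    "4ba39ca4-527c-499a-b93d-d9b492c50246": ("Partner Tier1 Support", "Warning"),
}


@dataclass
class UserScore:
    level: Optional[str]        # highest ranked tier among assigned roles; None if no ranked role
    top_role: Optional[str]     # the role that produced that tier
    warnings: list = field(default_factory=list)   # assigned roles graded "Warning"
    unscored: list = field(default_factory=list)   # template IDs missing from ROLE_TABLE


def score_user(role_template_ids):
    """Apply the post's rule: the highest-power assigned role decides the displayed level.
    "Warning" roles and unknown IDs are surfaced separately (this example's choice)."""
    result = UserScore(level=None, top_role=None)
    best = 0
    for template_id in role_template_ids:
        entry = ROLE_TABLE.get(template_id)
        if entry is None:
            result.unscored.append(template_id)
            continue
        role_name, level = entry
        if level == "Warning":
            result.warnings.append(role_name)
            continue
        rank = TIER_RANK[level]
        if rank > best:
            best, result.level, result.top_role = rank, level, role_name
    return result


def privileged_without_mfa(users, minimum="Administrator"):
    """Names of users whose displayed level is at least `minimum` and who have no MFA
    registration. `users` maps name -> (assigned template IDs, mfa_registered)."""
    threshold = TIER_RANK[minimum]
    flagged = []
    for name, (role_ids, mfa_registered) in users.items():
        score = score_user(role_ids)
        if score.level and TIER_RANK[score.level] >= threshold and not mfa_registered:
            flagged.append(name)
    return sorted(flagged)


# Constructed sample tenant: name -> (assigned role template IDs, MFA registered?).
SAMPLE_USERS = {
    "alice": (["62e90394-69f5-4237-9190-012177145e10", "88d8e3e3-8f55-4a1e-953a-9b9898b8876b"], True),
    "bob": (["5d6b6bb7-de71-4623-b4af-96380a352509", "966707d0-3269-4727-9be2-8c3a10f19b9d"], False),
    "carol": (["729827e3-9c14-49f7-bb1b-9608f156bbb8", "4ba39ca4-527c-499a-b93d-d9b492c50246"], False),
    "dave": (["00000000-0000-0000-0000-000000000000"], True),  # placeholder ID standing in for a custom role
}

if __name__ == "__main__":
    for name, (role_ids, mfa) in SAMPLE_USERS.items():
        s = score_user(role_ids)
        print(f"{name}: level={s.level} via {s.top_role} warnings={s.warnings} unscored={s.unscored}")
    print("privileged users without MFA:", privileged_without_mfa(SAMPLE_USERS))
```

Run as-is, it reports alice as Global Administrator, bob as Sensitive Access (Password Administrator outranks Security Reader), carol as Administrator with a warning for Partner Tier1 Support, and dave as unscored; the MFA check lists only carol at the default Administrator threshold, and lowering the threshold to Sensitive Access adds bob.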