Understanding Roles in Azure, Microsoft Entra, and Microsoft 365
Security-focused Cloud & Automation Engineer with a Master’s in Computer Science and 6+ years of experience automating and supporting enterprise IT environments across multi-site corporate and operational infrastructures. Proficient in Python scripting, Azure infrastructure, Windows Server, and identity management. Skilled in integrating third-party platforms, securing configurations, and streamlining operations. Currently pursuing the Cybersecurity Architect Expert certification with a strong focus on cloud security and automation.
I’m Amir Rouhanipoor, an IT Consultant specializing in Azure and cloud solutions. I help organizations streamline their IT and drive growth through secure, efficient cloud technologies.
When managing access and permissions in the Microsoft cloud ecosystem, it’s important to understand the different types of roles available across Azure, Microsoft Entra (formerly Azure Active Directory), and Microsoft 365. While they might seem similar at first glance, each serves a unique purpose within its own scope.
Azure Roles (RBAC)
Azure uses Role-Based Access Control (RBAC) to manage access to Azure resources. These roles determine what actions users can take on Azure services.
Common Built-in Azure Roles:
| Role Name | Description |
|---|---|
| Owner | Full access to all resources, including the ability to delegate access to others. |
| Contributor | Can create and manage all types of Azure resources but cannot grant access to others. |
| Reader | Can view existing Azure resources without making changes. |
| User Access Administrator | Can manage user access to Azure resources. |
| Virtual Machine Administrator Login | Log in to VMs as an administrator. |
| Virtual Machine User Login | Log in to VMs as a regular user. |
| Privileged Role Administrator | Manage role assignments in Azure AD (this is a Microsoft Entra directory role rather than an Azure RBAC role; see the Entra roles below). |
| DevTest Labs User | Manage DevTest Labs environments. |
| Key Vault Secrets Officer | Manage Key Vault secrets only. |
Custom Roles
You can also create custom roles tailored to specific needs using JSON to define:
- Allowed actions
- Denied actions
- Assignable scopes
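The following is an added example, not code from the original article: it builds a custom role definition in the JSON shape that `az role definition create --role-definition` accepts (`Actions`, `NotActions`, `DataActions`, `NotDataActions`, `AssignableScopes`), evaluates effective permissions the way Azure does (Actions minus NotActions, with `*` wildcards), and lints the definition for the two mistakes that matter most in practice: an empty `AssignableScopes` and a role that can grant access to others, which is the line between Contributor and Owner in the table above. The subscription id, role names and operation lists are constructed for illustration.

```python
import fnmatch
import json

# Added example (not from the article). The subscription id, role names and
# operations are constructed; the dict shape is the one Azure expects for
# `az role definition create --role-definition <file>`.

SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"  # placeholder id


def build_custom_role(name, description, actions, not_actions=(),
                      data_actions=(), not_data_actions=(), assignable_scopes=()):
    """Return a custom role definition as a plain dict ready for json.dumps()."""
    return {
        "Name": name,
        "IsCustom": True,
        "Description": description,
        "Actions": list(actions),                  # control-plane operations allowed
        "NotActions": list(not_actions),           # subtracted from Actions
        "DataActions": list(data_actions),         # data-plane operations allowed
        "NotDataActions": list(not_data_actions),  # subtracted from DataActions
        "AssignableScopes": list(assignable_scopes),
    }


def _matches(patterns, operation):
    # Azure action strings use '*' as a wildcard that may span '/' segments and
    # are compared case-insensitively; fnmatch's '*' behaves the same way.
    op = operation.lower()
    return any(fnmatch.fnmatchcase(op, p.lower()) for p in patterns)


def is_permitted(role, operation):
    """Effective control-plane permission = Actions minus NotActions."""
    return _matches(role["Actions"], operation) and not _matches(role["NotActions"], operation)


# Operations that let the holder change who has access. Granting these is what
# separates Owner from Contributor, so a custom role should only include them
# when delegation is the intent.
DELEGATION_OPERATIONS = [
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleAssignments/delete",
    "Microsoft.Authorization/roleDefinitions/write",
]


def lint_custom_role(role):
    """Return human-readable findings for definitions that are invalid or over-broad."""
    findings = []
    if not role["AssignableScopes"]:
        findings.append("AssignableScopes is empty; Azure will reject the definition")
    if "*" in role["Actions"]:
        findings.append("Actions contains '*'; the role is Owner-equivalent unless NotActions narrows it")
    for op in DELEGATION_OPERATIONS:
        if is_permitted(role, op):
            findings.append(f"role can perform {op}, i.e. it can grant access to others")
    return findings


# A narrow operator role: read, start and restart VMs, nothing else.
vm_operator = build_custom_role(
    name="VM Operator (example)",
    description="Read, start and restart virtual machines",
    actions=[
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/restart/action",
    ],
    assignable_scopes=[f"/subscriptions/{SUBSCRIPTION_ID}"],
)

# A Contributor-style role: everything except changing access, expressed the
# way the built-in Contributor definition does it (wildcard plus NotActions).
contributor_like = build_custom_role(
    name="Contributor-like (example)",
    description="Manage everything except role assignments",
    actions=["*"],
    not_actions=["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"],
    assignable_scopes=[f"/subscriptions/{SUBSCRIPTION_ID}"],
)

if __name__ == "__main__":
    print(json.dumps(vm_operator, indent=2))
    for role in (vm_operator, contributor_like):
        print(role["Name"], "->", lint_custom_role(role) or ["no findings"])
```

Write `json.dumps(vm_operator, indent=2)` to a file and pass that file to `az role definition create --role-definition` to create the role; the lint step is worth running in a pipeline before that call, since a wildcard in `Actions` without a matching `NotActions` entry quietly produces an Owner-equivalent role.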
Microsoft Entra Roles (Azure AD Roles)
Microsoft Entra (formerly Azure Active Directory) uses its own set of roles to manage identity-related tasks such as users, groups, security policies, and authentication settings.
Common Entra (Azure AD) Roles:
| Role Name | Description |
|---|---|
| Global Administrator | Full control over all aspects of Microsoft Entra ID and Microsoft 365 services. |
| User Administrator | Manage users, groups, and helpdesk tasks (e.g., password resets). |
| Groups Administrator | Manage group settings and memberships. |
| Helpdesk Administrator | Reset passwords and monitor service health. |
| Billing Administrator | Manage subscriptions, support tickets, and billing. |
| License Administrator | Assign and remove licenses from users. |
| Application Administrator | Manage enterprise applications, including configuring SSO. |
| Cloud Application Administrator | Similar to Application Administrator, but limited to non-gallery apps. |
| Authentication Administrator | Manage authentication methods, including password policies and MFA. |
| Privileged Role Administrator | Manage role assignments (elevated access, including PIM). |
| Security Administrator | View and manage all security settings. |
| Security Reader | View security reports and settings without making changes. |
| Compliance Administrator | Manage compliance data and configurations (e.g., M365 compliance center). |
| Conditional Access Administrator | Create and manage Conditional Access policies. |
| Intune Administrator | Manage Microsoft Intune and device configurations. |
| Directory Readers | Read basic directory info (used for apps or services needing read access). |
| Directory Writers | Add or update directory data (more permissions than Directory Readers). |
| Exchange Administrator | Manage Exchange Online settings and mailboxes. |
| Teams Administrator | Manage Microsoft Teams settings. |
| SharePoint Administrator | Manage SharePoint sites and settings. |
| Power Platform Administrator | Manage Power Apps, Power Automate, and related settings. |
| Reports Reader | View usage reports and analytics across Microsoft 365. |
🔐 Privileged Identity Management (PIM) Integration
Many of these roles can be made eligible through PIM, so they are activated only when needed, which reduces the standing privilege an attacker could abuse if the account is compromised.
These roles are part of Microsoft Entra ID, the identity and access management service behind Azure. They are assigned at the directory (tenant) level, are separate from Azure RBAC roles, and are used for identity-related tasks such as managing users, groups, enterprise apps, and security settings.
Microsoft 365 Roles
Microsoft 365 has its own set of roles designed to manage specific M365 services like Exchange Online, SharePoint, and Teams.
Core Microsoft 365 Admin Roles
| Role | Description |
|---|---|
| Global Administrator | Full access to all Microsoft 365 services and settings. Can assign any admin role. |
| User Administrator | Manage users, groups, and licenses. Reset passwords. |
| Billing Administrator | Manage subscriptions, billing, invoices, and support tickets. |
| Password Administrator | Reset passwords for most users (except admins like Global Admins). |
| License Administrator | Assign and remove product licenses from users. |
| Service Support Administrator | Open support requests and view the service health dashboard. |
| Global Reader | Read-only view across all Microsoft 365 admin centers. Useful for auditors or managers. |
Product-Specific Admin Roles
| Role | Manages |
|---|---|
| Exchange Administrator | Mailboxes, mail flow, and Exchange Online settings. |
| Teams Administrator | Teams policies, meetings, messaging, and organization-wide settings. |
| SharePoint Administrator | Site collections, storage, and global SharePoint settings. |
| Skype for Business Administrator | Legacy Skype for Business settings. |
| Yammer Administrator | Yammer configuration for enterprise networks. |
| Intune Administrator | Devices, compliance policies, and mobile app management (via Microsoft Intune). |
| Dynamics 365 Administrator | Instances, security roles, and Dynamics apps. |
| Power Platform Administrator | Power Apps, Power Automate, DLP policies, and environment settings. |
| Power BI Administrator | Tenant-level settings for Power BI. |
Security & Compliance Roles
| Role | Manages |
|---|---|
| Security Administrator | Microsoft 365 Defender, security policies, alerts, and reports. |
| Security Reader | View-only access to security features and reports. |
| Compliance Administrator | Compliance portal, retention policies, labels, audit, etc. |
| eDiscovery Manager | Content search and eDiscovery cases. |
| Information Protection Administrator | Sensitivity labels, encryption, and data loss prevention. |
| Privileged Role Administrator | Assign roles, manage PIM and admin access settings. |
| Audit Logs Reader | Access to Microsoft 365 audit logs. |
Support & Reporting Roles
| Role | Manages |
|---|---|
| Reports Reader | View usage reports and analytics across Microsoft 365 services. |
| Message Center Reader | Read-only access to the Microsoft 365 Message Center for updates and alerts. |
| Service Health Reader | View service health reports and incidents across the organization. |
🧠 Notes:
- These are Entra ID (Azure AD) roles, but they are used primarily for Microsoft 365 service management.
- They can be assigned in both the Microsoft 365 admin center and the Microsoft Entra admin center.
- They are focused on M365 apps and services and are often used alongside other Entra roles.
Summary: Role Systems at a Glance
| Platform | Role Type | Scope |
|---|---|---|
| Azure | RBAC Roles (Owner, Reader, etc.) | Azure resources like VMs, databases, storage |
| Microsoft Entra | Directory Roles (Global Admin, User Admin, etc.) | Identity and access management |
| Microsoft 365 | Service-Specific Roles (Exchange Admin, Teams Admin, etc.) | Microsoft 365 service configuration and management |
Does a Global Administrator Have Access to Azure Resources?
✅ Yes: to Microsoft Entra (formerly Azure AD) and Microsoft 365
Full control over:
- User and group management
- Role assignments
- Security configurations (e.g., MFA, Conditional Access)
- Microsoft 365 tenant settings (e.g., organization-wide policies, service configurations)
❌ No: not automatically to Azure subscriptions or resources
- Global Administrators do not have access to Azure resources like virtual machines, storage accounts, or databases
- To manage these, they must be explicitly assigned an Azure RBAC role (e.g., Owner, Contributor, Reader)
How Can a Global Administrator Gain Access to Azure Resources?
To manage Azure resources, the Global Administrator must:
- Be assigned an Azure RBAC role such as Owner, Contributor, or Reader at the subscription, resource group, or resource level
- Use Privileged Identity Management (PIM) to elevate their access (if available)
Using Privileged Identity Management (PIM)
If your organization uses Microsoft Entra PIM, a Global Administrator can activate temporary access to Azure resources by:
1. Going to the Microsoft Entra admin center
2. Navigating to Roles and administrators
3. Selecting Global Administrator
4. Activating a role like Subscription Owner or Contributor via PIM
This is useful for just-in-time privileged access without assigning permanent roles.
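To make the separation of the two planes concrete, here is an added example (not code from the original article) that models a tenant offline: a principal holds the Global Administrator directory role, Azure RBAC assignments live separately and are inherited down the scope hierarchy (subscription, resource group, resource), and a PIM-eligible assignment only counts while it is activated. The principal, scope strings and the coarse mapping of Owner/Contributor/Reader to read/write/delegate permissions are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Added example (not from the article). Principals, scopes and the subscription
# id are constructed; RBAC_PERMISSIONS is a deliberately coarse model of the
# real built-in roles.

SUBSCRIPTION = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder
RESOURCE_GROUP = SUBSCRIPTION + "/resourceGroups/rg-prod"
VM = RESOURCE_GROUP + "/providers/Microsoft.Compute/virtualMachines/vm-web01"

# What each built-in Azure role allows on a resource, reduced to three verbs.
RBAC_PERMISSIONS = {
    "Owner": {"read", "write", "delegate"},
    "Contributor": {"read", "write"},
    "Reader": {"read"},
}


@dataclass
class Principal:
    upn: str
    entra_roles: set = field(default_factory=set)  # directory roles, tenant-wide


@dataclass
class RbacAssignment:
    principal: str
    role: str
    scope: str                               # subscription, resource group or resource
    eligible: bool = False                   # PIM-eligible: counts only while activated
    active_until: Optional[datetime] = None  # end of the current PIM activation


def _scope_covers(assigned_scope, target_scope):
    """An assignment at a parent scope is inherited by every child scope."""
    a = assigned_scope.lower().rstrip("/")
    t = target_scope.lower().rstrip("/")
    return t == a or t.startswith(a + "/")


def effective_rbac_roles(principal, target_scope, assignments, now):
    """Roles that apply to the principal at target_scope right now."""
    roles = set()
    for asg in assignments:
        if asg.principal != principal.upn or not _scope_covers(asg.scope, target_scope):
            continue
        if asg.eligible and (asg.active_until is None or asg.active_until <= now):
            continue  # eligible but not activated, or the activation has expired
        roles.add(asg.role)
    return roles


def azure_permissions(principal, target_scope, assignments, now):
    perms = set()
    for role in effective_rbac_roles(principal, target_scope, assignments, now):
        perms |= RBAC_PERMISSIONS.get(role, set())
    return perms


def can_manage_directory(principal):
    """Entra roles are evaluated on their own, independent of Azure RBAC."""
    return "Global Administrator" in principal.entra_roles


def activate_pim(assignment, now, hours=1):
    """Model a PIM activation: the eligible assignment is active for a window."""
    assignment.active_until = now + timedelta(hours=hours)
    return assignment


def demo():
    now = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # fixed clock for repeatability
    ga = Principal("ga@contoso.example", {"Global Administrator"})
    assignments = []
    out = {"entra": can_manage_directory(ga)}
    # Global Administrator alone: full directory control, nothing on the VM.
    out["no_assignment"] = azure_permissions(ga, VM, assignments, now)
    # A PIM-eligible Owner assignment at subscription scope, not yet activated.
    eligible = RbacAssignment(ga.upn, "Owner", SUBSCRIPTION, eligible=True)
    assignments.append(eligible)
    out["eligible_only"] = azure_permissions(ga, VM, assignments, now)
    # After activation the assignment is inherited by the VM inside the subscription.
    activate_pim(eligible, now)
    out["activated"] = azure_permissions(ga, VM, assignments, now)
    # Two hours later the activation window has closed again.
    out["expired"] = azure_permissions(ga, VM, assignments, now + timedelta(hours=2))
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {sorted(value) if isinstance(value, set) else value}")
```

The `expired` case is the point of PIM for defenders: once the activation window closes, the same principal is back to having no access on the resource, so a compromised Global Administrator account does not carry standing Azure permissions unless someone has granted a permanent RBAC assignment.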
Summary
| Role | Access to Azure Resources (RBAC) | Access to Entra (Azure AD) |
|---|---|---|
| Global Administrator | No (needs explicit assignment) | Yes |
| Azure RBAC Roles (e.g., Owner) | Yes | No (unless also assigned Entra roles) |

| System | Uses Roles? | Technically RBAC? | Branded as “RBAC”? |
|---|---|---|---|
| Azure | ✅ | ✅ | ✅ |
| Entra (Azure AD) | ✅ | ✅ | ❌ (branded as Directory Roles) |
| Microsoft 365 | ✅ | ✅ | ❌ (branded as Admin Roles) |