Skip to content

Enterprise Mobility + Security


Howdy folks,

Today, I am excited to share the details of a brand new roles and administrators experience to make managing and controlling user assignments easier than ever in Azure AD. The new roles and administrators feature—now in preview—provides you with a complete list and description of the built-in directory roles, a streamlined process to manage roles, and links to relevant documentation to help you utilize directory roles. Now you can quickly answer questions like “How many global administrators do I have?” or “What are my assigned roles?”

The new roles and administrators experience is accessed from the left navigation pane of the Azure AD Overview.

Overview of the roles and administrators experience

Start by clicking Roles and administrators to display the complete list and a brief description of all the built-in directory roles—including the new delegated app management roles. You can also see your active Azure AD role assignment (if you have one) and can click Your role to access the list of your active assigned roles.

List of roles and descriptions under Roles and administrators.

A frequent question we’re asked is “What do all these roles do?” With that in mind—we added a super-detailed list of permissions granted to all members of the role. How cool is that!

Description of permissions granted to all members of the displayed role.

In addition to role permission details, we included links to relevant documentation to help you best utilize directory roles. But that’s not all… We also updated the user profile experience, so you can see all the roles assigned to a user—such as user, global administrator, or limited administrator. You can also add roles from a menu of roles not yet assigned—streamlining the role assignment process.

Read Assigning administrator roles in Azure Active Directory to learn more.

List of a user’s assigned roles with the Add role button.

You can assign one or more privileged roles to a user. And you only see roles available to assign, not roles they already assigned.

List of available roles for selected user.

Back in the list of roles, you can jump directly to the new detailed description of the role or select the entire row to view the list of assigned members. Just click the ellipsis on the right side of each row.

List of members assigned to a role.

Support for privileged role administrators and global admins

If you are a privileged role administrator or global admin, you can easily add or remove members, as well as modify the filter to see only guest members or service principal objects. You can also select a row and go directly to a member’s directory roles profile page where you’ll see their active assigned roles. Privileged role administrators can manage both permanent and eligible assignments.

Support for Azure AD PIM

For folks who use Azure AD Privileged Identity Management (PIM) to limit standing admin access there is a dedicated link to a brand-new experience in those blades as well.

If your organization hasn’t enabled PIM, click the Manage in PIM button for information on what PIM can do to protect your administrators and sign up for a trial. If you’re not familiar with these terms or Azure AD PIM, we included information on the ways it keeps your admins safe here.

The Manage in PIM button provides information about Privileged Identity Management.

Learn more and send us feedback

Roles and administrators is currently in preview for Azure AD and other Microsoft online service roles like Exchange, Intune, CRM, and more. To learn more, read Securing privileged access for hybrid and cloud deployments in Azure AD. Please share your feedback and suggestions with us on the Azure AD administrative roles forum or in the comments below—we hope you love it!

Best regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division