I recently had the requirement to grant a user in my organization the ability to do the following:

  1. Create an Azure AD user
  2. Create an Azure AD group
  3. Add an Azure AD user to an Azure AD group
  4. Remove an Azure AD user from an Azure AD group
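The four tasks above, scripted with the AzureAD PowerShell module so the delegation can be tested end to end rather than only clicked through in the portal. This is an added example, not code from the original post; it assumes the AzureAD module is installed, that the session is opened with Connect-AzureAD as the delegated account once it holds the role described later in the post, and that the tenant domain, user and group names are constructed placeholders.

```powershell
# Added example (not from the original post): exercise the four delegated tasks with the
# AzureAD module. Run as the delegated account; names and domain below are placeholders.
Connect-AzureAD | Out-Null

$domain = 'contoso.example'   # placeholder tenant domain

# 1. Create an Azure AD user. New-AzureADUser requires a PasswordProfile; generate a
#    one-time password and force a change at first sign-in so it is never reused.
Add-Type -AssemblyName System.Web
$pw = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$pw.Password = [System.Web.Security.Membership]::GeneratePassword(16, 3)
$pw.ForceChangePasswordNextLogin = $true
$user = New-AzureADUser -DisplayName 'Jane Example' `
                        -UserPrincipalName "jane.example@$domain" `
                        -MailNickName 'jane.example' `
                        -AccountEnabled $true `
                        -PasswordProfile $pw

# 2. Create an Azure AD group (a plain security group, not mail-enabled).
$group = New-AzureADGroup -DisplayName 'HR Readers' `
                          -MailNickName 'hr-readers' `
                          -MailEnabled $false `
                          -SecurityEnabled $true

# 3. Add the user to the group, then confirm the membership was written.
Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $user.ObjectId
Get-AzureADGroupMember -ObjectId $group.ObjectId | Select-Object DisplayName, UserPrincipalName

# 4. Remove the user from the group again (the parameter here is -MemberId, not -RefObjectId).
Remove-AzureADGroupMember -ObjectId $group.ObjectId -MemberId $user.ObjectId
Get-AzureADGroupMember -ObjectId $group.ObjectId   # expected to no longer list Jane Example
```

If any of the four calls fails with an authorization error under the delegated account, the role assignment is the first thing to re-check; the same script run as a Global Administrator distinguishes a permission problem from a scripting one.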

Using Azure Active Directory (Azure AD), I was able to assign this user a specific administrator role that covers exactly these requirements, rather than making them a global administrator. The administrator role I gave the user was:

User Account Administrator: Users with this role can create and manage all aspects of users and groups. Additionally, this role includes the ability to manage support tickets and monitor service health. Some restrictions apply. For example, this role does not allow deleting a global administrator, and while it does allow changing passwords for non-admins, it does not allow changing passwords for global administrators or other privileged administrators.

To perform this, follow these steps:

  1. Select the user from your Azure AD / All users blade
  2. Select Directory role option from the user blade
  3. Select Limited administrator option from the Directory Role blade
  4. Set the Administrator role you want
  5. Press the Save button
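The same five steps done with the AzureAD PowerShell module, which is useful when the assignment has to be repeatable or reviewed. This is an added example, not code from the original post; it assumes the session is opened with Connect-AzureAD as a Global Administrator (only global administrators can assign roles), and the target user's UPN is a constructed placeholder. The role's display name has appeared as "User Account Administrator" and, in newer tenants, "User Administrator", so the script matches either.

```powershell
# Added example (not from the original post): assign the directory role from steps 1-5
# with the AzureAD module and then list who holds it. Run as a Global Administrator.
Connect-AzureAD | Out-Null

$targetUpn = 'delegate@contoso.example'   # placeholder UPN of the user being delegated

# A directory role only appears in Get-AzureADDirectoryRole after it has been enabled in
# the tenant at least once; otherwise enable it from its template first.
$roleNames = @('User Account Administrator', 'User Administrator')
$role = Get-AzureADDirectoryRole | Where-Object { $roleNames -contains $_.DisplayName }
if (-not $role) {
    $template = Get-AzureADDirectoryRoleTemplate |
                Where-Object { $roleNames -contains $_.DisplayName }
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
}

# Steps 1-5: resolve the user and add them as a member of the role.
$user = Get-AzureADUser -ObjectId $targetUpn
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId

# Review step: list every holder of the role so the assignment is checked, not just made.
# Anyone here can create users and groups and reset non-admin passwords, so the list
# should stay short and be re-read periodically.
Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
    Select-Object DisplayName, UserPrincipalName
```

The final listing is the part worth keeping in a scheduled job: a membership change to this role is a privilege change, and comparing the output against the previous run is a cheap way to catch an assignment nobody requested.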

Here is more information on what this User Account Administrator can and can't do:

Can do:

  • View company and user information
  • Manage Office support tickets
  • Reset user passwords, with limitations
  • Reset other users' passwords
  • Create and manage user views
  • Create, edit, and delete users and groups
  • Manage user licenses, with limitations

Cannot do:

  • Reset other administrators' passwords
  • Perform billing and purchasing operations for Office products
  • Manage domains
  • Manage company information
  • Delegate administrative roles to others
  • Use directory synchronization
  • Enable or disable multi-factor authentication
  • View audit logs
  • Delete a global administrator or create other administrators

Below is an extract of the types of administrator roles as well as a quick description on each one:

  • Billing Administrator: Makes purchases, manages subscriptions, manages support tickets, and monitors service health.
  • Compliance Administrator: Users with this role have management permissions within the Office 365 Security & Compliance Center and Exchange Admin Center. More information at “About Office 365 admin roles.”
  • CRM Service Administrator: Users with this role have global permissions within Microsoft CRM Online, when the service is present, as well as the ability to manage support tickets and monitor service health. More information at About Office 365 admin roles.
  • Device Administrators: Users with this role become local machine administrators on all Windows 10 devices that are joined to Azure Active Directory. They do not have the ability to manage device objects in Azure Active Directory.
  • Directory Readers: This is a legacy role that is to be assigned to applications that do not support the Consent Framework. It should not be assigned to any users.
  • Directory Synchronization Accounts: Do not use. This role is automatically assigned to the Azure AD Connect service, and is not intended or supported for any other use.
  • Directory Writers: This is a legacy role that is to be assigned to applications that do not support the Consent Framework. It should not be assigned to any users.
  • Exchange Service Administrator: Users with this role have global permissions within Microsoft Exchange Online, when the service is present. More information at About Office 365 admin roles.
  • Global Administrator / Company Administrator: Users with this role have access to all administrative features in Azure Active Directory, as well as services that federate to Azure Active Directory like Exchange Online, SharePoint Online, and Skype for Business Online. The person who signs up for the Azure Active Directory tenant becomes a global administrator. Only global administrators can assign other administrator roles. There can be more than one global administrator at your company. Global admins can reset the password for any user and all other administrators.
  • Guest Inviter: Users in this role can manage Azure Active Directory B2B guest user invitations when the “Members can invite” user setting is set to No. More information about B2B collaboration at About the Azure AD B2B collaboration preview. It does not include any other permissions.
  • Intune Service Administrator: Users with this role have global permissions within Microsoft Intune Online, when the service is present. Additionally, this role contains the ability to manage users and devices in order to associate policy, as well as create and manage groups.
  • Mailbox Administrator: This role is only used as part of Exchange Online email support for RIM Blackberry devices. If your organization does not use Exchange Online email on RIM Blackberry devices, do not use this role.
  • Partner Tier 1 Support: Do not use. This role has been deprecated and will be removed from Azure AD in the future. This role is intended for use by a small number of Microsoft resale partners, and is not intended for general use.
  • Partner Tier 2 Support: Do not use. This role has been deprecated and will be removed from Azure AD in the future. This role is intended for use by a small number of Microsoft resale partners, and is not intended for general use.
  • Password Administrator / Helpdesk Administrator: Users with this role can reset passwords, manage service requests, and monitor service health. Password administrators can reset passwords only for users and other password administrators.
  • Power BI Service Administrator: Users with this role have global permissions within Microsoft Power BI, when the service is present, as well as the ability to manage support tickets and monitor service health. More information at About Office 365 admin roles.
  • Privileged Role Administrator: Users with this role can manage role assignments in Azure Active Directory, as well as within Azure AD Privileged Identity Management. In addition, this role allows management of all aspects of Privileged Identity Management.
  • Security Administrator: Users with this role have all of the read-only permissions of the Security reader role, plus the ability to manage configuration for security-related services: Azure Active Directory Identity Protection, Privileged Identity Management, and Office 365 Security & Compliance Center. More information about Office 365 permissions is available at Permissions in the Office 365 Security & Compliance Center.
  • Security Reader: Users with this role have global read-only access, including all information in Azure Active Directory, Identity Protection, Privileged Identity Management, as well as the ability to read Azure Active Directory sign-in reports and audit logs. The role also grants read-only permission in Office 365 Security & Compliance Center. More information about Office 365 permissions is available at Permissions in the Office 365 Security & Compliance Center.
  • Service Support Administrator: Users with this role can open support requests with Microsoft for Azure and Office 365 services, and view the service dashboard and message center in the Azure portal and Office 365 admin portal. More information at About Office 365 admin roles.
  • SharePoint Service Administrator: Users with this role have global permissions within Microsoft SharePoint Online, when the service is present, as well as the ability to manage support tickets and monitor service health. More information at About Office 365 admin roles.
  • Skype for Business / Lync Service Administrator: Users with this role have global permissions within Microsoft Skype for Business, when the service is present, as well as manage Skype-specific user attributes in Azure Active Directory. Additionally, this role grants the ability to manage support tickets and monitor service health. More information at About Office 365 admin roles.

Refer to the Assigning administrator roles in Azure Active Directory source article for more information on the various Azure AD administrator role types.
