I’m excited to announce that 16 new built-in roles for Azure AD—including the highly requested Global reader—are now in public preview. We heard from you that daily admin tasks shouldn’t require you to be a Global administrator. And we couldn’t agree more! These new roles allow you to delegate administration tasks and reduce the number of Global administrators in your directory. These roles are available globally for all subscriptions.
Global reader is a read-only version of the Global administrator role: it lets you view all settings and administrative information across Microsoft 365 without the ability to change any of them. You can use the Global reader role for planning, audits, and investigations. Global reader can also be combined with other limited administrative roles, such as Exchange administrator, making it easier to work without Global administrator privileges.
Global reader is in public preview and is supported across virtually all Microsoft 365 services. Support for viewing SharePoint Online settings and administrative information is on the way. Check out the documentation, which contains full details and will be updated as we make changes and enhancements.
Other new built-in roles include the Authentication administrator and Privileged authentication administrator roles, which grant granular permissions for credential management, as well as a set of roles for managing Azure AD B2C. Learn more about the new built-in roles in the table below.
As a best practice, we recommend having no more than five permanent Global administrators. To support this, our strategy is to provide built-in roles for 90 percent of your scenarios, and to provide the capability for you to build custom roles for requirements that are specific to your organization.
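One way to check your directory against that guidance is to enumerate the members of the Global Administrator role and compare the count with the recommended maximum. The script below is an added example, not code from the original post or from Microsoft; it uses the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph) and needs only read scopes, so it is something a Global reader can run. The threshold of five and the list of delegated roles to report on are taken from this post; the helper function name Get-RoleMembers is this example's own.

```powershell
# Added example (not from the original post): count Global Administrator members and
# list who already holds some of the new delegated roles. Read-only scopes are enough,
# so a Global reader can run this; no Global administrator sign-in is required.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All"

$maxGlobalAdmins = 5   # recommended maximum number of permanent Global administrators

# Get-MgDirectoryRole returns only roles that have been activated in the tenant.
# Members reported here are active assignments (including currently activated PIM
# assignments); PIM-eligible assignments are not included in this count.
$roles = Get-MgDirectoryRole

function Get-RoleMembers {
    param([string]$RoleName)
    $role = $roles | Where-Object { $_.DisplayName -eq $RoleName }
    if (-not $role) { return @() }   # role never activated: nobody holds it
    Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id | ForEach-Object {
        [pscustomobject]@{
            Role = $RoleName
            Id   = $_.Id
            # userPrincipalName is null for groups and service principals
            Name = $_.AdditionalProperties['userPrincipalName']
            Type = $_.AdditionalProperties['@odata.type']
        }
    }
}

$globalAdmins = @(Get-RoleMembers -RoleName 'Global Administrator')
Write-Host ("Global Administrator members: {0}" -f $globalAdmins.Count)
$globalAdmins | Format-Table Name, Type, Id

if ($globalAdmins.Count -gt $maxGlobalAdmins) {
    Write-Warning ("{0} Global Administrators exceeds the recommended maximum of {1}; " +
                   "consider moving routine tasks to a delegated role such as Global reader " +
                   "or Authentication administrator." -f $globalAdmins.Count, $maxGlobalAdmins)
}

# Report who already holds the delegated roles discussed in this post.
$delegatedRoles = 'Global Reader',
                  'Authentication Administrator',
                  'Privileged Authentication Administrator',
                  'Password Administrator'
foreach ($name in $delegatedRoles) {
    $members = @(Get-RoleMembers -RoleName $name)
    Write-Host ("{0}: {1} member(s)" -f $name, $members.Count)
    $members | Format-Table Name, Type, Id
}
```

Run it after Connect-MgGraph consents to the two read scopes. Because directoryRole objects only exist once a role has been activated, a role that reports zero members may simply never have been assigned; that is the expected state for a newly introduced preview role.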
Custom roles give you fine-grained control over what an administrator can do. We recently introduced custom roles for app registrations. We’re working on expanding this capability to enable you to create custom roles for other management scenarios, as well.
In the Azure portal, under Roles and administrators, newly added built-in roles are highlighted with a green flag next to the role name.

[Figure: Roles and administrators tab in the Azure portal.]
| Role | Description |
| --- | --- |
| Authentication administrator | View, set, and reset authentication method information and passwords for any non-admin user. |
| Azure DevOps administrator | Manage Azure DevOps organization policy and settings. |
| B2C user flow administrator | Create and manage all aspects of user flows. |
| B2C user flow attribute administrator | Create and manage the attribute schema available to all user flows. |
| B2C IEF Keyset administrator | Manage secrets for federation and encryption in the Identity Experience Framework. |
| B2C IEF Policy administrator | Create and manage trust framework policies in the Identity Experience Framework. |
| Compliance data administrator | Create and manage compliance data and alerts. |
| External Identity Provider administrator | Configure identity providers for use in direct federation. |
| Global reader | View everything a Global administrator can view, without the ability to edit or change anything. |
| Kaizala administrator | Manage settings for Microsoft Kaizala. |
| Message center privacy reader | Read Message center posts, data privacy messages, groups, domains, and subscriptions. |
| Password administrator | Reset passwords for non-administrators and Password administrators. |
| Privileged authentication administrator | View, set, and reset authentication method information for any user (admin or non-admin). |
| Security operator | Create and manage security events. |
| Search administrator | Create and manage all aspects of Microsoft Search settings. |
| Search editor | Create and manage editorial content such as bookmarks, Q&As, locations, and floor plans. |
As always, we'd love to hear your feedback, thoughts, and suggestions. Feel free to share with us on the Azure AD administrative roles forum or leave comments below. We look forward to hearing from you!