Roles & Administrators

RBAC, built-in roles, custom roles, administrative units, and least-privilege practices.

RBAC

Microsoft Entra uses roles instead of classic ACL administration for admin tasks.

Scope

Assignments can apply tenant-wide, through groups, or through administrative units.

Privilege

PIM adds just-in-time activation and recertification for critical roles.

RBAC concept

Role-Based Access Control separates tasks, roles, and scopes. The goal is to grant administrators exactly the rights they need for their task, and no more.

Element | Explanation
Role definition | Describes allowed actions and read permissions.
Assignment | Links a role to a user, group, or service principal.
Scope | Tenant-wide or limited through administrative units.
Eligibility | Can be activated temporarily via PIM instead of staying permanently active.

PowerShell
Connect-MgGraph -Scopes "RoleManagement.Read.Directory"
Get-MgRoleManagementDirectoryRoleDefinition -Top 10 |
  Select-Object DisplayName, Description

Graph API
GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions?$top=10
Authorization: Bearer <token>

Built-in roles

The following selection covers the built-in roles most commonly used in practice. For full details, production delegation models should still be validated against the current Microsoft documentation.

Role | Description | Key permissions
Global Administrator | Full access to almost all tenant settings, users, roles, and policies. | Tenant-wide administration, break-glass account, role delegation.
Global Reader | Read-only access to almost all admin areas. | Security and configuration review without change rights.
User Administrator | Manages users, contacts, groups, and license assignments. | User lifecycle, UPN, profile, password, licenses.
Password Administrator | Resets passwords for non-admins and selected admins. | Helpdesk-oriented password administration.
Helpdesk Administrator | Performs common helpdesk tasks such as password resets. | First-line support for accounts and tickets.
Groups Administrator | Manages groups and group settings. | Members, owners, naming policies, expiration.
Directory Readers | Reads directory information without write permissions. | Inventory, reports, app permissions with read access.
Directory Writers | Writes basic directory data for apps or services. | Automation and integrations with limited write access.
License Administrator | Manages product licenses and service plans. | SKU assignment, consumption review, service plan control.
Billing Administrator | Manages billing and payment information. | Subscriptions, billing recipients, payment data.
Reports Reader | Reads usage and activity reports. | Sign-ins, audits, usage analytics.
Security Administrator | Manages security configurations and alerts. | Defender and Entra security features.
Security Reader | Reads security information and alerts. | SOC/auditor access without change rights.
Conditional Access Administrator | Creates and manages Conditional Access policies. | Assignments, conditions, report-only, exclusions.
Authentication Administrator | Manages authentication methods for non-admin users. | MFA methods, registration status, resets.
Privileged Authentication Administrator | Manages authentication methods, including those of privileged accounts. | MFA/FIDO2 reset for admin accounts.
Authentication Policy Administrator | Manages authentication policies, password protection, and MFA settings. | Method policies, password protection, tenant MFA.
Privileged Role Administrator | Manages role assignments and PIM-related settings. | RBAC, role delegation, activation policies.
Role Management Administrator | Manages roles in Entra, Azure, and some Microsoft 365 services. | Assignments across multiple control planes.
Application Administrator | Manages app registrations and enterprise apps broadly. | Secrets, certificates, API permissions, consent.
Cloud Application Administrator | Manages app registrations and enterprise apps except App Proxy. | General cloud app administration.
Application Developer | Can register applications even when user registration is disabled. | Developer-friendly app creation.
Cloud Device Administrator | Manages device objects in Entra ID. | Disable, delete, and review devices.
Intune Administrator | Manages Intune configuration and device control. | Compliance, configuration, app deployment.
Exchange Administrator | Manages Exchange Online. | Mailboxes, transport, recipients, mail flow.
SharePoint Administrator | Manages SharePoint Online and OneDrive. | Sites, sharing, storage, governance.
Teams Administrator | Manages Teams policies and services. | Meetings, messaging, telephony, apps.
Compliance Administrator | Manages compliance configurations and reports. | Purview, policies, reports.
Compliance Data Administrator | Manages compliance content and audit artifacts. | eDiscovery, content, retention context.
Security Operator | Investigates and responds to security events. | Operational security work with response rights.
Guest Inviter | Invites guest users. | B2B invitations without full administration.
Domain Name Administrator | Manages verified and federated domains. | DNS and domain lifecycle.
Hybrid Identity Administrator | Manages sync, Connect, and hybrid identity. | PHS/PTA/Seamless SSO and agents.
Cloud App Security Administrator | Manages Defender for Cloud Apps. | App governance, policies, investigations.
Identity Governance Administrator | Manages access reviews, entitlements, and lifecycle workflows. | Governance automation and recertification.
Attribute Definition Administrator | Defines custom security attributes. | Schema for custom security attributes.
Attribute Assignment Administrator | Assigns custom security attributes. | Apply attribute values to supported objects.
Access Reviews Administrator | Manages access reviews. | Review cycles, reviewers, decisions.
Lifecycle Workflows Administrator | Manages lifecycle workflows. | Joiner/mover/leaver automation.
Partner Tier1 Support | Performs support tasks for partner scenarios. | Delegated tenant-level support.
Partner Tier2 Support | Advanced partner support with broader diagnostic access. | Escalation and troubleshooting tasks.
Service Support Administrator | Manages support requests and service health. | Tickets, incidents, communication channels.
Message Center Privacy Reader | Reads privacy-related posts in the Message Center. | Compliance and privacy communication.
Message Center Reader | Reads service announcements and roadmap messages. | Service communication without admin rights.
Printer Administrator | Manages Universal Print. | Printers, shares, policies.
Desktop Analytics Administrator | Manages Desktop Analytics. | Windows deployment analytics.
Usage Summary Reports Reader | Reads summarized usage reports. | License and service usage summaries.
Search Administrator | Manages enterprise search settings. | Verticals, connectors, search experience.
Search Editor | Maintains search content and bookmarks. | Curated search results.

PowerShell
Connect-MgGraph -Scopes "RoleManagement.Read.Directory"
Get-MgRoleManagementDirectoryRoleDefinition -All |
  Sort-Object DisplayName |
  Select-Object DisplayName, Description

Graph API
GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions
Authorization: Bearer <token>

Custom roles

Custom roles are useful when built-in roles are too broad or too narrow. This is especially relevant for app registrations, attribute management, or specialized helpdesk processes.

PowerShell
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"
$definition = @{
  displayName = "Custom App Registration Reader"
  description = "Read app registrations and service principals"
  isEnabled = $true
  rolePermissions = @(
    @{
      allowedResourceActions = @(
        "microsoft.directory/applications/basic/read",
        "microsoft.directory/servicePrincipals/basic/read"
      )
    }
  )
}
New-MgRoleManagementDirectoryRoleDefinition -BodyParameter $definition

Graph API
POST https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions
Content-Type: application/json
Authorization: Bearer <token>

{
  "displayName": "Custom App Registration Reader",
  "description": "Read app registrations and service principals",
  "isEnabled": true,
  "rolePermissions": [
    {
      "allowedResourceActions": [
        "microsoft.directory/applications/basic/read",
        "microsoft.directory/servicePrincipals/basic/read"
      ]
    }
  ]
}

Administrative Units

Administrative units limit the reach of certain roles to users, groups, or devices inside a defined subset of the directory. This is ideal for regions, subsidiaries, or educational environments.

PowerShell
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All"
New-MgDirectoryAdministrativeUnit `
  -DisplayName "AU-DE-Region" `
  -Description "Administrative Unit for Germany"

Graph API
POST https://graph.microsoft.com/v1.0/directory/administrativeUnits
Content-Type: application/json
Authorization: Bearer <token>

{
  "displayName": "AU-DE-Region",
  "description": "Administrative Unit for Germany"
}

Role assignment

Roles can be assigned directly, through groups, or as PIM eligibility. Permanent Global Administrator assignments should remain the absolute exception.

Method | Advantage | Typical use
Direct | Simple and transparent. | Small exception cases.
Through group | Scalable and auditable. | Standardized operational roles.
PIM eligible | Supports just-in-time activation and approval. | Privileged roles.

PowerShell
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"
New-MgRoleManagementDirectoryRoleAssignment `
  -PrincipalId "<principal-id>" `
  -RoleDefinitionId "<role-definition-id>" `
  -DirectoryScopeId "/"

Graph API
POST https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments
Content-Type: application/json
Authorization: Bearer <token>

{
  "principalId": "<principal-id>",
  "roleDefinitionId": "<role-definition-id>",
  "directoryScopeId": "/"
}
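As an added example that is not part of the original page, the following helper covers two of the assignment paths from the table above in one place: a standing assignment whose directoryScopeId points at an administrative unit, and a time-bound PIM eligibility request instead of a permanent assignment. The cmdlet names are those of the Microsoft Graph PowerShell SDK; the function name, its parameters, the justification text, the AU name and the UPNs are assumptions for illustration.

```powershell
# Added example (not the page's own code). Assumes the Microsoft.Graph SDK modules
# Identity.DirectoryManagement and Identity.Governance, and that PIM is licensed.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "AdministrativeUnit.Read.All", "User.Read.All"

function Grant-EntraRole {
  param(
    [Parameter(Mandatory)][string]$RoleDisplayName,
    [Parameter(Mandatory)][string]$PrincipalId,
    [string]$AdministrativeUnitId,                 # omit for tenant-wide scope "/"
    [switch]$Eligible,                             # PIM eligibility instead of a standing assignment
    [string]$Justification = "Delegated per least-privilege model",
    [string]$EligibilityDuration = "P180D"         # ISO 8601; eligibility lapses unless renewed
  )

  # Resolve the role definition by display name instead of hard-coding a GUID.
  $definition = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleDisplayName'"
  if (-not $definition) { throw "Role '$RoleDisplayName' not found" }

  # "/" is the whole tenant; "/administrativeUnits/{id}" restricts the role to
  # objects that are members of that administrative unit.
  $scopeId = if ($AdministrativeUnitId) { "/administrativeUnits/$AdministrativeUnitId" } else { "/" }

  if ($Eligible) {
    # Eligibility request: the principal can activate later (JIT, approval/MFA per PIM policy)
    # and the eligibility itself expires after $EligibilityDuration.
    $request = @{
      action           = "adminAssign"
      justification    = $Justification
      roleDefinitionId = $definition.Id
      principalId      = $PrincipalId
      directoryScopeId = $scopeId
      scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{ type = "afterDuration"; duration = $EligibilityDuration }
      }
    }
    return New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $request
  }

  # Standing (permanent) assignment, limited to the chosen scope.
  return New-MgRoleManagementDirectoryRoleAssignment `
    -PrincipalId $PrincipalId -RoleDefinitionId $definition.Id -DirectoryScopeId $scopeId
}

# Sample values (hypothetical): regional helpdesk gets Helpdesk Administrator only inside
# the AU; a senior admin gets User Administrator tenant-wide, but only as PIM eligibility.
$au       = Get-MgDirectoryAdministrativeUnit -Filter "displayName eq 'AU-DE-Region'"
$helpdesk = Get-MgUser -UserId "helpdesk.de@contoso.example"
$senior   = Get-MgUser -UserId "idadmin@contoso.example"

Grant-EntraRole -RoleDisplayName "Helpdesk Administrator" -PrincipalId $helpdesk.Id -AdministrativeUnitId $au.Id
Grant-EntraRole -RoleDisplayName "User Administrator" -PrincipalId $senior.Id -Eligible
```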

Least-privilege recommendations

Least privilege means not only smaller roles but also well-defined processes, separate admin accounts, break-glass concepts, and regular reviews.

Task | Recommended role | Reason
Password reset for standard users | Helpdesk Administrator / Password Administrator | No Global Administrator required.
Group lifecycle | Groups Administrator | Targeted responsibility for groups.
License operations | License Administrator | Directly limited to SKU management.
Conditional Access | Conditional Access Administrator | Security-sensitive but focused role.
App registrations | Application Administrator / Cloud Application Administrator | No full administration needed.

PowerShell
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","AuditLog.Read.All"
Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -Top 20

Graph API
GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignmentScheduleInstances?$top=20
Authorization: Bearer <token>

PowerShell & Graph for role management

For inventories, combine role definitions, assignments, and principal objects. Good scripts document not only who has which role, but also why and with which scope.

PowerShell
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Directory.Read.All"
$assignments = Get-MgRoleManagementDirectoryRoleAssignment -All
$definitions = Get-MgRoleManagementDirectoryRoleDefinition -All

# Join each assignment to its role definition to get a readable role name and scope
foreach ($assignment in $assignments) {
  $definition = $definitions | Where-Object Id -eq $assignment.RoleDefinitionId
  [pscustomobject]@{
    PrincipalId = $assignment.PrincipalId
    Role = $definition.DisplayName
    Scope = $assignment.DirectoryScopeId
  }
}

Graph API
GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments
GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions
Authorization: Bearer <token>
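As an added example that is not part of the original page, this inventory script extends the snippet above and also serves the least-privilege section: it resolves principal names and types, classifies each scope (tenant, administrative unit, object), distinguishes standing assignments from PIM activations, and flags permanent Global Administrator and standing tenant-wide assignments for review. It uses roleAssignmentScheduleInstances rather than roleAssignments because that endpoint exposes assignmentType and memberType. The cmdlet names are the Microsoft Graph PowerShell SDK's; the finding texts, the column names and the output path are this example's own assumptions.

```powershell
# Added example (not the page's own code). Assumes the Microsoft.Graph SDK modules
# Identity.Governance and DirectoryObjects, and a tenant where PIM APIs are licensed.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All"

# Role definitions keyed by id for O(1) lookup instead of Where-Object per assignment.
$definitions = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All | ForEach-Object { $definitions[$_.Id] = $_ }

# Schedule instances carry AssignmentType (Assigned = standing, Activated = PIM activation)
# and MemberType (Direct, or Group when inherited through a role-assignable group).
$instances = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All

# Resolve principals in batches (getByIds accepts up to 1000 ids per call).
$principalIds = @($instances.PrincipalId | Sort-Object -Unique)
$principals = @{}
for ($i = 0; $i -lt $principalIds.Count; $i += 1000) {
  $chunk = $principalIds[$i..([Math]::Min($i + 999, $principalIds.Count - 1))]
  Get-MgDirectoryObjectById -Ids $chunk | ForEach-Object {
    $principals[$_.Id] = [pscustomobject]@{
      Type = ($_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', '')
      Name = $_.AdditionalProperties['displayName']
    }
  }
}

$report = foreach ($instance in $instances) {
  $definition = $definitions[$instance.RoleDefinitionId]
  $principal  = $principals[$instance.PrincipalId]

  # Classify the directory scope so AU-limited delegations stand out from tenant-wide ones.
  $scope = switch -Regex ($instance.DirectoryScopeId) {
    '^/$'                   { 'Tenant' }
    '^/administrativeUnits/' { 'Administrative unit' }
    default                 { 'Object-scoped' }
  }

  $isStanding = ($instance.AssignmentType -eq 'Assigned') -and (-not $instance.EndDateTime)
  $findings = @()
  if ($isStanding -and $definition.DisplayName -eq 'Global Administrator') {
    $findings += 'Permanent Global Administrator: keep only documented break-glass accounts'
  } elseif ($isStanding -and $scope -eq 'Tenant') {
    $findings += 'Standing tenant-wide assignment: consider PIM eligibility or AU scope'
  }
  if ($principal.Type -eq 'servicePrincipal') {
    $findings += 'Workload identity holds a directory role: confirm owner and necessity'
  }

  [pscustomobject]@{
    Principal      = $principal.Name
    PrincipalType  = $principal.Type          # user, group, servicePrincipal
    Role           = $definition.DisplayName
    Scope          = $scope
    ScopeId        = $instance.DirectoryScopeId
    AssignmentType = $instance.AssignmentType # Assigned or Activated
    MemberType     = $instance.MemberType     # Direct or Group
    EndDateTime    = $instance.EndDateTime    # empty = no expiry
    Finding        = ($findings -join '; ')
  }
}

# Full inventory for governance reviews, plus the findings that need a decision.
$report | Sort-Object Role, Principal | Export-Csv -Path .\entra-role-inventory.csv -NoTypeInformation
$report | Where-Object Finding | Format-Table Principal, PrincipalType, Role, Scope, Finding -AutoSize
```

Group-inherited entries (MemberType = Group) list the member user as Principal, so a role-assignable group with many members appears once per member; that is intended, because each member is effectively a role holder.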

All built-in roles – complete table

This table is based on the current Microsoft Entra built-in roles reference and includes the name, templateId, a concise description, and operational key actions. It is useful both in governance workshops and for automated comparisons against roleDefinitions.

Role | templateId GUID | Description | Key actions
Agent ID Administrator | db506228-d27e-4b7d-95e5-295956d6615f | Manage all aspects of agents in a tenant, including identity lifecycle operations for agent blueprints, agent identity blueprint principals, agent identities, and agentic users. | User profile, password, recovery
Agent ID Developer | adb2368d-a9be-41b5-8667-d96778e081b0 | Create an agent identity blueprint and its agent identity blueprint principal in a tenant. The user is added as an owner of the created agent identity blueprint and its agent identity blueprint principal. | User profile, password, recovery
Agent Registry Administrator | 6b942400-691f-4bf0-9d12-d8a254a2baf5 | Manage all aspects of the Agent Registry service in Microsoft Entra ID. | Delegation of specialized administrative tasks
AI Administrator | d2562ede-74db-457e-a7b6-544e236ebb61 | Manage all aspects of Microsoft 365 Copilot and AI-related enterprise services in Microsoft 365. | Delegation of specialized administrative tasks
AI Reader | 1fe13547-53f6-408d-ac04-7f8eed167b38 | Read all aspects of Microsoft 365 Copilot and AI-related enterprise services in Microsoft 365. | Inventory, audit, reporting
Application Administrator | 9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3 | Can create and manage all aspects of app registrations and enterprise apps. | App lifecycle, secrets, consents
Application Developer | cf1c38e5-3621-4004-a7cb-879624dced7c | Can create application registrations independent of the 'Users can register applications' setting. | App lifecycle, secrets, consents
Attack Payload Author | 9c6df0f2-1e7c-4dc3-b195-66dfbd24aa8f | Can create attack payloads that an administrator can initiate later. | Delegation of specialized administrative tasks
Attack Simulation Administrator | c430b396-e693-46cc-96f3-db01bf8bb62a | Can create and manage all aspects of attack simulation campaigns. | Delegation of specialized administrative tasks
Attribute Assignment Administrator | 58a13ea3-c632-46ae-9ee0-9c0d43cd7f3d | Assign custom security attribute keys and values to supported Microsoft Entra objects. | Alerts, policies, incident triage
Attribute Assignment Reader | ffd52fa5-98dc-465c-991d-fc073eb59f8f | Read custom security attribute keys and values for supported Microsoft Entra objects. | Inventory, audit, reporting
Attribute Definition Administrator | 8424c6f0-a189-499e-bbd0-26c1753c96d4 | Define and manage the definition of custom security attributes. | Alerts, policies, incident triage
Attribute Definition Reader | 1d336d2c-4ae8-42ef-9711-b3604ce3fc2c | Read the definition of custom security attributes. | Inventory, audit, reporting
Attribute Log Administrator | 5b784334-f94b-471a-a387-e7219fc49ca2 | Read audit logs and configure diagnostic settings for events related to custom security attributes. | Alerts, policies, incident triage
Attribute Log Reader | 9c99539d-8186-4804-835f-fd51ef9e2dcd | Read audit logs related to custom security attributes. | Inventory, audit, reporting
Attribute Provisioning Administrator | ecb2c6bf-0ab6-418e-bd87-7986f8d63bbe | Read and edit the provisioning configuration of all active custom security attributes for an application. | App lifecycle, secrets, consents
Attribute Provisioning Reader | 422218e4-db15-4ef9-bbe0-8afb41546d79 | Read the provisioning configuration of all active custom security attributes for an application. | Inventory, audit, reporting
Authentication Administrator | c4e39bd9-1100-46d3-8c65-fb160da0071f | Can view, set, and reset authentication method information for any non-admin user. | MFA, methods, registration policies
Authentication Extensibility Administrator | 25a516ed-2fa0-40ea-a2d0-12923a21473a | Customize sign-in and sign-up experiences for users by creating and managing custom authentication extensions. | MFA, methods, registration policies
Authentication Extensibility Password Administrator | 0b00bede-4072-4d22-b441-e7df02a1ef63 | Trigger a password submit event for custom authentication. | MFA, methods, registration policies
Authentication Policy Administrator | 0526716b-113d-4c15-b2c8-68e3c22b9f80 | Can create and manage the authentication methods policy, tenant-wide MFA settings, password protection policy, and verifiable credentials. | MFA, methods, registration policies
Azure DevOps Administrator | e3973bdf-4987-49ae-837a-ba8e231c7286 | Manage Azure DevOps policies and settings. | Delegation of specialized administrative tasks
Azure Information Protection Administrator | 7495fdc4-34c4-4d15-a289-98788ce399fd | Can manage all aspects of the Azure Information Protection product. | Delegation of specialized administrative tasks
B2C IEF Keyset Administrator | aaf43236-0c0d-4d5f-883a-6955382ac081 | Can manage secrets for federation and encryption in the Identity Experience Framework (IEF). | Delegation of specialized administrative tasks
B2C IEF Policy Administrator | 3edaf663-341e-4475-9f94-5c398ef6c070 | Can create and manage trust framework policies in the Identity Experience Framework (IEF). | Delegation of specialized administrative tasks
Billing Administrator | b0f54661-2d74-4c50-afa3-1ec803f12efe | Can perform common billing-related tasks like updating payment information. | Subscriptions, billing, commerce
Cloud App Security Administrator | 892c5842-a9a6-463a-8041-72aa08ca3cf6 | Manage all aspects of the Defender for Cloud Apps product. | App lifecycle, secrets, consents
Cloud Application Administrator | 158c047a-c907-4556-b7ef-446551a6b5f7 | Can create and manage all aspects of app registrations and enterprise apps except App Proxy. | App lifecycle, secrets, consents
Cloud Device Administrator | 7698a772-787b-4ac8-901f-60d6b08affd2 | Limited access to manage devices in Microsoft Entra ID. | Devices, compliance, enrollment
Compliance Administrator | 17315797-102d-40b4-93e0-432062caca18 | Can read and manage compliance configuration and reports in Microsoft Entra ID and Microsoft 365. | Inventory, audit, reporting
Compliance Data Administrator | e6d1a23a-da11-4be4-9570-befc86d067a7 | Creates and manages compliance content. | Delegation of specialized administrative tasks
Conditional Access Administrator | b1be1c3e-b65d-4f19-8427-f6fa0d97feb9 | Can manage Conditional Access capabilities. | CA rules, exclusions, report-only
Customer Delegated Admin Relationship Administrator | fc8ad4e2-40e4-4724-8317-bcda7503ecbf | Manage all aspects of granular delegated admin privileges (GDAP) relationships in a customer tenant. | Delegation of specialized administrative tasks
Customer Lockbox Access Approver | 5c4f9dcd-47dc-4cf7-8c9a-9e4207cbfc91 | Can approve Microsoft support requests to access customer organizational data. | App lifecycle, secrets, consents
Desktop Analytics AdministratorDesktop Analytics Administrator 38a96431-2bdf-4b4c-8b6e-5d3d8abac1a438a96431-2bdf-4b4c-8b6e-5d3d8abac1a4 Can access and manage Desktop management tools and Diensts.Can access and manage Desktop management tools and services. Delegation spezialisierter VerwaltungsaufgabenDelegation of specialized administrative tasks
Directory ReadersDirectory Readers 88d8e3e3-8f55-4a1e-953a-9b9898b8876b88d8e3e3-8f55-4a1e-953a-9b9898b8876b Can read basic Verzeichnis information. Commonly used to grant Verzeichnis read access to Anwendungen and guests.Can read basic directory information. Commonly used to grant directory read access to applications and guests. Inventur, Audit, ReportingInventory, audit, reporting
Directory Synchronization AccountsDirectory Synchronization Accounts d29b2b05-8046-44ba-8758-1e26182fcf32d29b2b05-8046-44ba-8758-1e26182fcf32 Only used by Microsoft Entra Connect Dienst.Only used by Microsoft Entra Connect service. Delegation spezialisierter VerwaltungsaufgabenDelegation of specialized administrative tasks
Directory WritersDirectory Writers 9360feb5-f418-4baa-8175-e2a00bac43019360feb5-f418-4baa-8175-e2a00bac4301 Can read and write basic Verzeichnis information. For granting access to Anwendungen, not intended for Benutzer.;Can read and write basic directory information. For granting access to applications, not intended for users.; App-Lebenszyklus, Geheimnisse, ZustimmungenApp lifecycle, secrets, consents
Domain Name AdministratorDomain Name Administrator 8329153b-31d0-4727-b945-745eb3bc5f318329153b-31d0-4727-b945-745eb3bc5f31 Kann domain names in cloud and on-premises.;Can manage domain names in cloud and on-premises.; Delegation spezialisierter VerwaltungsaufgabenDelegation of specialized administrative tasks
Dragon AdministratorDragon Administrator e93e3737-fa85-474a-aee4-7d3fb86510f3e93e3737-fa85-474a-aee4-7d3fb86510f3 Verwaltet alle Aspekte von the Microsoft Dragon admin center.Manage all aspects of the Microsoft Dragon admin center. Delegation spezialisierter VerwaltungsaufgabenDelegation of specialized administrative tasks
Dynamics 365 AdministratorDynamics 365 Administrator 44367163-eba1-44c3-98af-f5787879f96a44367163-eba1-44c3-98af-f5787879f96a Kann alle Aspekte von the Dynamics 365 product.Can manage all aspects of the Dynamics 365 product. Delegation spezialisierter VerwaltungsaufgabenDelegation of specialized administrative tasks
Dynamics 365 Business Central AdministratorDynamics 365 Business Central Administrator 963797fb-eb3b-4cde-8ce3-5878b3f32a3f963797fb-eb3b-4cde-8ce3-5878b3f32a3f Access and perform all administrative tasks on Dynamics 365 Business Central environments.Access and perform all administrative tasks on Dynamics 365 Business Central environments. Delegation spezialisierter VerwaltungsaufgabenDelegation of specialized administrative tasks
Edge AdministratorEdge Administrator 3f1acade-1e04-4fbc-9b69-f0302cd84aef3f1acade-1e04-4fbc-9b69-f0302cd84aef Verwaltet alle Aspekte von Microsoft Edge.Manage all aspects of Microsoft Edge. Delegation spezialisierter VerwaltungsaufgabenDelegation of specialized administrative tasks
Entra Backup AdministratorEntra Backup Administrator b6a27b2b-f905-4b2e-81b5-0d90e0ef1fdbb6a27b2b-f905-4b2e-81b5-0d90e0ef1fdb Verwaltet alle Aspekte von Microsoft Entra Backup, such as create recovery jobs and manage backup snapshots.Manage all aspects of Microsoft Entra Backup, such as create recovery jobs and manage backup snapshots. Delegation spezialisierter VerwaltungsaufgabenDelegation of specialized administrative tasks
Entra Backup ReaderEntra Backup Reader f42252d9-5400-4d7b-b9ef-cc582dbb8577f42252d9-5400-4d7b-b9ef-cc582dbb8577 Liest alle Aspekte von Microsoft Entra Backup, such as list all preview jobs, recovery jobs, backup snapshots, and create preview jobs.Read all aspects of Microsoft Entra Backup, such as list all preview jobs, recovery jobs, backup snapshots, and create preview jobs. Inventur, Audit, ReportingInventory, audit, reporting
Exchange AdministratorExchange Administrator 29232cdf-9323-42fd-ade2-1d097af3e4de29232cdf-9323-42fd-ade2-1d097af3e4de Kann alle Aspekte von the Exchange product.Can manage all aspects of the Exchange product. Empfänger, Transport, Admin CenterRecipients, transport, admin center
Exchange Backup AdministratorExchange Backup Administrator 49eb8f75-97e9-4e37-9b2b-6c3ebfcffa3149eb8f75-97e9-4e37-9b2b-6c3ebfcffa31 Back up and restore content (including granular restore) for Exchange in Microsoft 365 BackupBack up and restore content (including granular restore) for Exchange in Microsoft 365 Backup Empfänger, Transport, Admin CenterRecipients, transport, admin center
Exchange Recipient AdministratorExchange Recipient Administrator 31392ffb-586c-42d1-9346-e59415a2cc4e31392ffb-586c-42d1-9346-e59415a2cc4e Kann erstellen: or update Exchange Online recipients within the Exchange Online organization.Can create or update Exchange Online recipients within the Exchange Online organization. Empfänger, Transport, Admin CenterRecipients, transport, admin center
Extended Directory User AdministratorExtended Directory User Administrator dd13091a-6207-4fc0-82ba-3641e056ab95dd13091a-6207-4fc0-82ba-3641e056ab95 Verwaltet alle Aspekte von external user profiles in the extended Verzeichnis for Teams.Manage all aspects of external user profiles in the extended directory for Teams. Teams-Richtlinien, Telefonie, GeräteTeams policies, telephony, devices
External ID User Flow AdministratorExternal ID User Flow Administrator 6e591065-9bad-43ed-90f3-e9424366d2f06e591065-9bad-43ed-90f3-e9424366d2f0 Kann erstellen und verwalten: all aspects of user flows.Can create and manage all aspects of user flows. Benutzerprofil, Kennwort, WiederherstellungUser profile, password, recovery
External ID User Flow Attribute AdministratorExternal ID User Flow Attribute Administrator 0f971eea-41eb-4569-a71e-57bb8a3eff1e0f971eea-41eb-4569-a71e-57bb8a3eff1e Kann erstellen und verwalten: the attribute schema available to all user flows.Can create and manage the attribute schema available to all user flows. Benutzerprofil, Kennwort, WiederherstellungUser profile, password, recovery
External Identity Provider AdministratorExternal Identity Provider Administrator be2f45a1-457d-42af-a067-6ec1fa63bc45be2f45a1-457d-42af-a067-6ec1fa63bc45 Can configure identity providers for use in direct federation.;Can configure identity providers for use in direct federation.; Delegation spezialisierter VerwaltungsaufgabenDelegation of specialized administrative tasks
Fabric AdministratorFabric Administrator a9ea8996-122f-4c74-9520-8edcd192826ca9ea8996-122f-4c74-9520-8edcd192826c Verwaltet alle Aspekte von the Fabric and Power BI products.Manage all aspects of the Fabric and Power BI products. Delegation spezialisierter VerwaltungsaufgabenDelegation of specialized administrative tasks
Global AdministratorGlobal Administrator 62e90394-69f5-4237-9190-012177145e1062e90394-69f5-4237-9190-012177145e10 Kann alle Aspekte von Microsoft Entra ID and Microsoft Diensts that use Microsoft Entra identities.;Can manage all aspects of Microsoft Entra ID and Microsoft services that use Microsoft Entra identities.; Delegation spezialisierter VerwaltungsaufgabenDelegation of specialized administrative tasks
Global ReaderGlobal Reader f2ef992c-3afb-46b9-b7cf-a126ee74c451f2ef992c-3afb-46b9-b7cf-a126ee74c451 Can read everything that a Global Administrator can, but not update anything.;Can read everything that a Global Administrator can, but not update anything.; Inventur, Audit, ReportingInventory, audit, reporting
Global Secure Access AdministratorGlobal Secure Access Administrator ac434307-12b9-4fa1-a708-88bf58caabc1ac434307-12b9-4fa1-a708-88bf58caabc1 Erstellt and manage all aspects of Global Secure Internet Access and Microsoft Global Secure Private Access, including managing access to public and private endpoints.Create and manage all aspects of Global Secure Internet Access and Microsoft Global Secure Private Access, including managing access to public and private endpoints. Delegation spezialisierter VerwaltungsaufgabenDelegation of specialized administrative tasks
Global Secure Access Log ReaderGlobal Secure Access Log Reader 843318fb-79a6-4168-9e6f-aa9a07481cc4843318fb-79a6-4168-9e6f-aa9a07481cc4 Provides designated Sicherheit personnel with read-only access to network traffic logs in Microsoft Entra Internet Access and Microsoft Entra Private Access for detailed analysis.Provides designated security personnel with read-only access to network traffic logs in Microsoft Entra Internet Access and Microsoft Entra Private Access for detailed analysis. Inventur, Audit, ReportingInventory, audit, reporting
Groups AdministratorGroups Administrator fdd7a751-b60b-444a-984c-02652fe8fa1cfdd7a751-b60b-444a-984c-02652fe8fa1c Members of this role can create/manage Gruppen, create/manage Gruppen settings like naming and expiration Richtlinien, and view Gruppen activity and audit Berichte.Members of this role can create/manage groups, create/manage groups settings like naming and expiration policies, and view groups activity and audit reports. Inventur, Audit, ReportingInventory, audit, reporting
Guest InviterGuest Inviter 95e79109-95c0-4d8e-aee3-d01accf2d47b95e79109-95c0-4d8e-aee3-d01accf2d47b Can invite guest Benutzer independent of the 'members can invite guests' setting.Can invite guest users independent of the 'members can invite guests' setting. Benutzerprofil, Kennwort, WiederherstellungUser profile, password, recovery
Helpdesk AdministratorHelpdesk Administrator 729827e3-9c14-49f7-bb1b-9608f156bbb8729827e3-9c14-49f7-bb1b-9608f156bbb8 Can reset passwords for non-administrators and Helpdesk Administrators.;Can reset passwords for non-administrators and Helpdesk Administrators.; Delegation spezialisierter VerwaltungsaufgabenDelegation of specialized administrative tasks
Hybrid Identity AdministratorHybrid Identity Administrator 8ac3fc64-6eca-42ea-9e69-59f4c7b60eb28ac3fc64-6eca-42ea-9e69-59f4c7b60eb2 Verwaltet Active Directory to Microsoft Entra cloud provisioning, Microsoft Entra Connect, pass-through authentication (PTA), password hash synchronization (PHS), seamless single sign-on (seamless SSO), and federation settings. Does not have access to manage Microsoft Entra Connect Health.;Manage Active Directory to Microsoft Entra cloud provisioning, Microsoft Entra Connect, pass-through authentication (PTA), password hash synchronization (PHS), seamless single sign-on (seamless SSO), and federation settings. Does not have access to manage Microsoft Entra Connect Health.; MFA, Methoden, RegistrierungsrichtlinienMFA, methods, registration policies
Identity Governance AdministratorIdentity Governance Administrator 45d8d3c5-c802-45c6-b32a-1d70b5e1e86e45d8d3c5-c802-45c6-b32a-1d70b5e1e86e Verwaltet access using Microsoft Entra ID for identity governance scenarios.;Manage access using Microsoft Entra ID for identity governance scenarios.; Access Reviews, Entitlements, LifecycleAccess reviews, entitlements, lifecycle
Insights AdministratorInsights Administrator eb1f4a8d-243a-41f0-9fbd-c7cdf6c5ef7ceb1f4a8d-243a-41f0-9fbd-c7cdf6c5ef7c Has administrative access in the Microsoft 365 Insights app.Has administrative access in the Microsoft 365 Insights app. App-Lebenszyklus, Geheimnisse, ZustimmungenApp lifecycle, secrets, consents
Insights AnalystInsights Analyst 25df335f-86eb-4119-b717-0ff02de207e925df335f-86eb-4119-b717-0ff02de207e9 Access the analytical capabilities in Microsoft Viva Insights and run custom queries.Access the analytical capabilities in Microsoft Viva Insights and run custom queries. Delegation spezialisierter VerwaltungsaufgabenDelegation of specialized administrative tasks
Insights Business LeaderInsights Business Leader 31e939ad-9672-4796-9c2e-873181342d2d31e939ad-9672-4796-9c2e-873181342d2d Sieht and share dashboards and insights via the Microsoft Viva Insights app.View and share dashboards and insights via the Microsoft Viva Insights app. App-Lebenszyklus, Geheimnisse, ZustimmungenApp lifecycle, secrets, consents
Intune AdministratorIntune Administrator 3a2c62db-5318-420d-8d74-23affee5d9d53a2c62db-5318-420d-8d74-23affee5d9d5 Kann alle Aspekte von the Intune product.;Can manage all aspects of the Intune product.; Geräte, Compliance, EnrollmentDevices, compliance, enrollment
IoT Device AdministratorIoT Device Administrator 2ea5ce4c-b2d8-4668-bd81-3680bd2d227a2ea5ce4c-b2d8-4668-bd81-3680bd2d227a Provision new IoT Geräte, manage their lifecycle, configure certificates, and manage device templates.Provision new IoT devices, manage their lifecycle, configure certificates, and manage device templates. Geräte, Compliance, EnrollmentDevices, compliance, enrollment
Kaizala AdministratorKaizala Administrator 74ef975b-6605-40af-a5d2-b9539d83635374ef975b-6605-40af-a5d2-b9539d836353 Kann settings for Microsoft Kaizala.Can manage settings for Microsoft Kaizala. Delegation spezialisierter VerwaltungsaufgabenDelegation of specialized administrative tasks
Knowledge AdministratorKnowledge Administrator b5a8dcf3-09d5-43a9-a639-8e29ef291470b5a8dcf3-09d5-43a9-a639-8e29ef291470 Can configure knowledge, learning, and other intelligent features.Can configure knowledge, learning, and other intelligent features. Delegation spezialisierter VerwaltungsaufgabenDelegation of specialized administrative tasks
Knowledge ManagerKnowledge Manager 744ec460-397e-42ad-a462-8b3f9747a02c744ec460-397e-42ad-a462-8b3f9747a02c Organize, create, manage, and promote topics and knowledge.Organize, create, manage, and promote topics and knowledge. Delegation spezialisierter VerwaltungsaufgabenDelegation of specialized administrative tasks
License AdministratorLicense Administrator 4d6ac14f-3453-41d0-bef9-a3e0c569773a4d6ac14f-3453-41d0-bef9-a3e0c569773a Kann product Lizenzen on Benutzer and Gruppen.Can manage product licenses on users and groups. Gruppenobjekte, Besitzer, EinstellungenGroup objects, owners, settings
Lifecycle Workflows AdministratorLifecycle Workflows Administrator 59d46f88-662b-457b-bceb-5c3809e5908f59d46f88-662b-457b-bceb-5c3809e5908f Erstellt and manage all aspects of workflows and tasks associated with Lifecycle Workflows in Microsoft Entra ID.;Create and manage all aspects of workflows and tasks associated with Lifecycle Workflows in Microsoft Entra ID.; Delegation spezialisierter VerwaltungsaufgabenDelegation of specialized administrative tasks
Message Center Privacy ReaderMessage Center Privacy Reader ac16e43d-7b2d-40e0-ac05-243ff356ab5bac16e43d-7b2d-40e0-ac05-243ff356ab5b Can read Sicherheit messages and updates in Office 365 Message Center only.Can read security messages and updates in Office 365 Message Center only. Inventur, Audit, ReportingInventory, audit, reporting
Message Center ReaderMessage Center Reader 790c1fb9-7f7d-4f88-86a1-ef1f95c05c1b790c1fb9-7f7d-4f88-86a1-ef1f95c05c1b Can read messages and updates for their organization in Office 365 Message Center only.Can read messages and updates for their organization in Office 365 Message Center only. Inventur, Audit, ReportingInventory, audit, reporting
Microsoft 365 Backup AdministratorMicrosoft 365 Backup Administrator 1707125e-0aa2-4d4d-8655-a7c786c76a251707125e-0aa2-4d4d-8655-a7c786c76a25 Back up and restore content across supported Diensts (SharePoint, OneDrive, and Exchange Online) in Microsoft 365 BackupBack up and restore content across supported services (SharePoint, OneDrive, and Exchange Online) in Microsoft 365 Backup Empfänger, Transport, Admin CenterRecipients, transport, admin center
Microsoft 365 Migration AdministratorMicrosoft 365 Migration Administrator 8c8b803f-96e1-4129-9349-20738d9f96528c8b803f-96e1-4129-9349-20738d9f9652 Perform all migration functionality to migrate content to Microsoft 365 using Migration Manager.Perform all migration functionality to migrate content to Microsoft 365 using Migration Manager. Delegation spezialisierter VerwaltungsaufgabenDelegation of specialized administrative tasks
Microsoft Entra Joined Device Local AdministratorMicrosoft Entra Joined Device Local Administrator 9f06204d-73c1-4d4c-880a-6edb90606fd89f06204d-73c1-4d4c-880a-6edb90606fd8 Users zuweisened to this role are added to the local administrators group on Microsoft Entra joined Geräte.Users assigned to this role are added to the local administrators group on Microsoft Entra joined devices. Geräte, Compliance, EnrollmentDevices, compliance, enrollment
Microsoft Graph Data Connect AdministratorMicrosoft Graph Data Connect Administrator ee67aa9c-e510-4759-b906-227085a7fd4dee67aa9c-e510-4759-b906-227085a7fd4d Verwaltet aspects of Microsoft Graph Data Connect Dienst in a Mandant.Manage aspects of Microsoft Graph Data Connect service in a tenant. Delegation spezialisierter VerwaltungsaufgabenDelegation of specialized administrative tasks
Microsoft Hardware Warranty AdministratorMicrosoft Hardware Warranty Administrator 1501b917-7653-4ff9-a4b5-203eaf33784f1501b917-7653-4ff9-a4b5-203eaf33784f Erstellt and manage all aspects warranty claims and entitlements for Microsoft manufactured hardware, like Surface and HoloLens.Create and manage all aspects warranty claims and entitlements for Microsoft manufactured hardware, like Surface and HoloLens. Access Reviews, Entitlements, LifecycleAccess reviews, entitlements, lifecycle
Microsoft Hardware Warranty SpecialistMicrosoft Hardware Warranty Specialist 281fe777-fb20-4fbb-b7a3-ccebce5b0d96281fe777-fb20-4fbb-b7a3-ccebce5b0d96 Erstellt and read warranty claims for Microsoft manufactured hardware, like Surface and HoloLens.Create and read warranty claims for Microsoft manufactured hardware, like Surface and HoloLens. Delegation spezialisierter VerwaltungsaufgabenDelegation of specialized administrative tasks
Network AdministratorNetwork Administrator d37c8bed-0711-4417-ba38-b4abe66ce4c2d37c8bed-0711-4417-ba38-b4abe66ce4c2 Kann network locations and review enterprise network design insights for Microsoft 365 Software as a Service Anwendungen.Can manage network locations and review enterprise network design insights for Microsoft 365 Software as a Service applications. App-Lebenszyklus, Geheimnisse, ZustimmungenApp lifecycle, secrets, consents
Office Apps AdministratorOffice Apps Administrator 2b745bdf-0803-4d80-aa65-822c4493daac2b745bdf-0803-4d80-aa65-822c4493daac Kann Office apps cloud Diensts, including policy and settings management, and manage the ability to select, unselect and publish 'what's new' feature content to end-user's Geräte.Can manage Office apps cloud services, including policy and settings management, and manage the ability to select, unselect and publish 'what's new' feature content to end-user's devices. App-Lebenszyklus, Geheimnisse, ZustimmungenApp lifecycle, secrets, consents
Organizational Branding AdministratorOrganizational Branding Administrator 92ed04bf-c94a-4b82-9729-b799a7a4c17892ed04bf-c94a-4b82-9729-b799a7a4c178 Verwaltet alle Aspekte von organizational branding in a Mandant.Manage all aspects of organizational branding in a tenant. Delegation spezialisierter VerwaltungsaufgabenDelegation of specialized administrative tasks
Organizational Data Source AdministratorOrganizational Data Source Administrator 9d70768a-0cbc-4b4c-aea3-2e124b2477f49d70768a-0cbc-4b4c-aea3-2e124b2477f4 Set up and manage the ingestion of organizational data into Microsoft 365.Set up and manage the ingestion of organizational data into Microsoft 365. Delegation spezialisierter VerwaltungsaufgabenDelegation of specialized administrative tasks
Organizational Messages ApproverOrganizational Messages Approver e48398e2-f4bb-4074-8f31-4586725e205be48398e2-f4bb-4074-8f31-4586725e205b Review, approve, or reject new organizational messages for delivery in the Microsoft 365 admin center before they are sent to Benutzer.Review, approve, or reject new organizational messages for delivery in the Microsoft 365 admin center before they are sent to users. App-Lebenszyklus, Geheimnisse, ZustimmungenApp lifecycle, secrets, consents
Organizational Messages WriterOrganizational Messages Writer 507f53e4-4e52-4077-abd3-d2e1558b6ea2507f53e4-4e52-4077-abd3-d2e1558b6ea2 Write, publish, manage, and review the organizational messages for end-Benutzer through Microsoft product surfaces.Write, publish, manage, and review the organizational messages for end-users through Microsoft product surfaces. Benutzerprofil, Kennwort, WiederherstellungUser profile, password, recovery
Partner Tier1 SupportPartner Tier1 Support 4ba39ca4-527c-499a-b93d-d9b492c502464ba39ca4-527c-499a-b93d-d9b492c50246 Do not use - not intended for general use.;Do not use - not intended for general use.; Delegation spezialisierter VerwaltungsaufgabenDelegation of specialized administrative tasks
Partner Tier2 SupportPartner Tier2 Support e00e864a-17c5-4a4b-9c06-f5b95a8d5bd8e00e864a-17c5-4a4b-9c06-f5b95a8d5bd8 Do not use - not intended for general use.;Do not use - not intended for general use.; Delegation spezialisierter VerwaltungsaufgabenDelegation of specialized administrative tasks
Password AdministratorPassword Administrator 966707d0-3269-4727-9be2-8c3a10f19b9d966707d0-3269-4727-9be2-8c3a10f19b9d Can reset passwords for non-administrators and Password Administrators.;Can reset passwords for non-administrators and Password Administrators.; Delegation spezialisierter VerwaltungsaufgabenDelegation of specialized administrative tasks
People AdministratorPeople Administrator 024906de-61e5-49c8-8572-40335f1e0e10024906de-61e5-49c8-8572-40335f1e0e10 Verwaltet profile photos of Benutzer and people settings for all Benutzer in the organization.Manage profile photos of users and people settings for all users in the organization. Benutzerprofil, Kennwort, WiederherstellungUser profile, password, recovery
Permissions Management AdministratorPermissions Management Administrator af78dc32-cf4d-46f9-ba4e-4428526346b5af78dc32-cf4d-46f9-ba4e-4428526346b5 Verwaltet alle Aspekte von Microsoft Entra Permissions Management.Manage all aspects of Microsoft Entra Permissions Management. Delegation spezialisierter VerwaltungsaufgabenDelegation of specialized administrative tasks
Places AdministratorPlaces Administrator 78b0ccd1-afc2-4f92-9116-b41aedd0959278b0ccd1-afc2-4f92-9116-b41aedd09592 Verwaltet alle Aspekte von the Microsoft Places Dienst.Manage all aspects of the Microsoft Places service. Delegation spezialisierter VerwaltungsaufgabenDelegation of specialized administrative tasks
Power Platform AdministratorPower Platform Administrator 11648597-926c-4cf3-9c36-bcebb0ba8dcc11648597-926c-4cf3-9c36-bcebb0ba8dcc Verwaltet alle Aspekte von Microsoft Dynamics 365, Power Apps and Power Automate.Manage all aspects of Microsoft Dynamics 365, Power Apps and Power Automate. App-Lebenszyklus, Geheimnisse, ZustimmungenApp lifecycle, secrets, consents
Printer AdministratorPrinter Administrator 644ef478-e28f-4e28-b9dc-3fdde9aa0b1f644ef478-e28f-4e28-b9dc-3fdde9aa0b1f Kann alle Aspekte von printers and printer connectors.Can manage all aspects of printers and printer connectors. Delegation spezialisierter VerwaltungsaufgabenDelegation of specialized administrative tasks
Printer TechnicianPrinter Technician e8cef6f1-e4bd-4ea8-bc07-4b8d950f4477e8cef6f1-e4bd-4ea8-bc07-4b8d950f4477 Can register and unregister printers and update printer status.Can register and unregister printers and update printer status. Delegation spezialisierter VerwaltungsaufgabenDelegation of specialized administrative tasks
Privileged Authentication AdministratorPrivileged Authentication Administrator 7be44c8a-adaf-4e2a-84d6-ab2649e08a137be44c8a-adaf-4e2a-84d6-ab2649e08a13 Can access to view, set and reset authentication method information for any user (admin or non-admin).;Can access to view, set and reset authentication method information for any user (admin or non-admin).; MFA, Methoden, RegistrierungsrichtlinienMFA, methods, registration policies
Privileged Role AdministratorPrivileged Role Administrator e8611ab8-c189-46e8-94e1-60213ab1f814e8611ab8-c189-46e8-94e1-60213ab1f814 Kann role zuweisenments in Microsoft Entra ID, and all aspects of Privileged Identity Management.;Can manage role assignments in Microsoft Entra ID, and all aspects of Privileged Identity Management.; PIM, Rollenaktivierung, privilegierte KontrollenPIM, role activation, privileged controls
Reports ReaderReports Reader 4a5d8f65-41da-4de4-8968-e035b65339cf4a5d8f65-41da-4de4-8968-e035b65339cf Can read sign-in and audit Berichte.Can read sign-in and audit reports. Inventur, Audit, ReportingInventory, audit, reporting
Search AdministratorSearch Administrator 0964bb5e-9bdb-4d7b-ac29-58e794862a400964bb5e-9bdb-4d7b-ac29-58e794862a40 Kann erstellen und verwalten: all aspects of Microsoft Search settings.Can create and manage all aspects of Microsoft Search settings. Delegation spezialisierter VerwaltungsaufgabenDelegation of specialized administrative tasks
Search EditorSearch Editor 8835291a-918c-4fd7-a9ce-faa49f0cf7d98835291a-918c-4fd7-a9ce-faa49f0cf7d9 Kann erstellen und verwalten: the editorial content such as bookmarks, Q and As, locations, floorplan.Can create and manage the editorial content such as bookmarks, Q and As, locations, floorplan. Delegation spezialisierter VerwaltungsaufgabenDelegation of specialized administrative tasks
Security AdministratorSecurity Administrator 194ae4cb-b126-40b2-bd5b-6091b380977d194ae4cb-b126-40b2-bd5b-6091b380977d Can read Sicherheit information and Berichte, and manage configuration in Microsoft Entra ID and Office 365.;Can read security information and reports, and manage configuration in Microsoft Entra ID and Office 365.; Inventur, Audit, ReportingInventory, audit, reporting
Security OperatorSecurity Operator 5f2222b1-57c3-48ba-8ad5-d4759f1fde6f5f2222b1-57c3-48ba-8ad5-d4759f1fde6f Creates and manages Sicherheit events.;Creates and manages security events.; Warnungen, Richtlinien, Incident-TriageAlerts, policies, incident triage
Security ReaderSecurity Reader 5d6b6bb7-de71-4623-b4af-96380a3525095d6b6bb7-de71-4623-b4af-96380a352509 Can read Sicherheit information and Berichte in Microsoft Entra ID and Office 365.;Can read security information and reports in Microsoft Entra ID and Office 365.; Inventur, Audit, ReportingInventory, audit, reporting
Service Support AdministratorService Support Administrator f023fd81-a637-4b56-95fd-791ac0226033f023fd81-a637-4b56-95fd-791ac0226033 Can read Dienst health information and manage support tickets.Can read service health information and manage support tickets. Delegation spezialisierter VerwaltungsaufgabenDelegation of specialized administrative tasks
SharePoint AdministratorSharePoint Administrator f28a1f50-f6e7-4571-818b-6a12f2af6b6cf28a1f50-f6e7-4571-818b-6a12f2af6b6c Kann alle Aspekte von the SharePoint Dienst.Can manage all aspects of the SharePoint service. Sites, Sharing, Storage, GovernanceSites, sharing, storage, governance
SharePoint Advanced Management AdministratorSharePoint Advanced Management Administrator 99009c4a-3b3f-4957-82a9-9d35e12db77e99009c4a-3b3f-4957-82a9-9d35e12db77e Verwaltet alle Aspekte von SharePoint Advanced Management.Manage all aspects of SharePoint Advanced Management. Sites, Sharing, Storage, GovernanceSites, sharing, storage, governance
SharePoint Backup AdministratorSharePoint Backup Administrator 9d3e04ba-3ee4-4d1b-a3a7-9aef423a09be9d3e04ba-3ee4-4d1b-a3a7-9aef423a09be Back up and restore content (including granular restore) for SharePoint and OneDrive in Microsoft 365 BackupBack up and restore content (including granular restore) for SharePoint and OneDrive in Microsoft 365 Backup Sites, Sharing, Storage, GovernanceSites, sharing, storage, governance
SharePoint Embedded AdministratorSharePoint Embedded Administrator 1a7d78b6-429f-476b-b8eb-35fb715fffd41a7d78b6-429f-476b-b8eb-35fb715fffd4 Verwaltet alle Aspekte von SharePoint Embedded containers.Manage all aspects of SharePoint Embedded containers. Sites, Sharing, Storage, GovernanceSites, sharing, storage, governance
Skype for Business Administrator | 75941009-915a-4869-abe7-691bff18279e | Can manage all aspects of the Skype for Business product. | Delegation of specialized administrative tasks
Teams Administrator | 69091246-20e8-4a56-aa4d-066075b2a7a8 | Can manage the Microsoft Teams service. | Teams policies, telephony, devices
Teams Communications Administrator | baf37b3a-610e-45da-9e62-d9d1e5e8914b | Can manage calling and meetings features within the Microsoft Teams service. | Teams policies, telephony, devices
Teams Communications Support Engineer | f70938a0-fc10-4177-9e90-2178f8765737 | Can troubleshoot communications issues within Teams using advanced tools. | Teams policies, telephony, devices
Teams Communications Support Specialist | fcf91098-03e3-41a9-b5ba-6f0ec8188a12 | Can troubleshoot communications issues within Teams using basic tools. | Teams policies, telephony, devices
Teams Devices Administrator | 3d762c5a-1b6c-493f-843e-55a3b42923d4 | Can perform management-related tasks on Teams-certified devices. | Teams policies, telephony, devices
Teams External Collaboration Administrator | 2fe872fb-daa8-4afc-8f6c-53c4565cfef4 | Can manage external collaboration policies and settings for Teams, including configuring external domains and controlling which groups and users can interact with the organization. | Teams policies, telephony, devices
Teams Reader | 1076ac91-f3d9-41a7-a339-dcdf5f480acc | Can read everything in the Teams admin center, but cannot update anything. | Inventory, audit, reporting
Teams Telephony Administrator | aa38014f-0993-46e9-9b45-30501a20909d | Can manage voice and telephony features and troubleshoot communication issues within the Microsoft Teams service. | Teams policies, telephony, devices
Tenant Creator | 112ca1a2-15ad-4102-995e-45b0bc479a6a | Can create new Microsoft Entra or Azure AD B2C tenants. | Delegation of specialized administrative tasks
Tenant Governance Administrator | 1981f584-96e9-4a6f-95b0-f522373f8fae | Can manage all capabilities in the Microsoft Entra Tenant Governance service. | Access reviews, entitlements, lifecycle
Tenant Governance Reader | e0a4caa6-fe82-443f-b92f-d87341d17b2e | Can read all tenant governance data. | Inventory, audit, reporting
Tenant Governance Relationship Administrator | b8e31d83-1534-480f-9b10-0338ded51b7e | Can initiate and terminate governance relationships. | Access reviews, entitlements, lifecycle
Tenant Governance Relationship Reader | 124577f8-48ed-456a-839f-13b419002e33 | Can read tenant governance relationships and relevant objects. | Inventory, audit, reporting
Usage Summary Reports Reader | 75934031-6c7e-415a-99d7-48dbd49e875e | Can read usage reports and Adoption Score, but cannot access user details. | Inventory, audit, reporting
User Administrator | fe930be7-5e62-47db-91af-98c3a49a38b1 | Can manage all aspects of users and groups, including resetting passwords for limited admins. | Group objects, owners, settings
User Experience Success Manager | 27460883-1df1-4691-b032-3b79643e5e63 | Can view product feedback, survey results, and reports to find training and communication opportunities. | Inventory, audit, reporting
Virtual Visits Administrator | e300d9e7-4a2b-4295-9eff-f1c78b36cc98 | Can manage and share Virtual Visits information and metrics from admin centers or the Virtual Visits app. | Delegation of specialized administrative tasks
Viva Glint Tenant Administrator | 0ec3f692-38d6-4d14-9e69-0377ca7797ad | Can manage and configure Microsoft Viva Glint settings in the Microsoft 365 admin center. | Delegation of specialized administrative tasks
Viva Goals Administrator | 92b086b3-e367-4ef2-b869-1de128fb986e | Can manage and configure all aspects of Microsoft Viva Goals. | Delegation of specialized administrative tasks
Viva Pulse Administrator | 87761b17-1ed2-4af3-9acd-92a150038160 | Can manage all settings for the Microsoft Viva Pulse app. | Delegation of specialized administrative tasks
Windows 365 Administrator | 11451d60-acb2-45eb-a7d6-43d0f0125c13 | Can provision and manage all aspects of Cloud PCs. | Delegation of specialized administrative tasks
Windows Update Deployment Administrator | 32696413-001a-46ae-978c-ce0f6b3620d2 | Can create and manage all aspects of Windows Update deployments through the Windows Update for Business deployment service. | Delegation of specialized administrative tasks
Yammer Administrator | 810a2642-a034-447f-a5e8-41beaa378541 | Can manage all aspects of the Yammer service. | Delegation of specialized administrative tasks
⚠️ Watch the scope

A role name alone never tells the whole privilege story. For every assignment, evaluate its scope (tenant-wide or limited to an administrative unit), whether it arrives through a role-assignable group rather than directly, whether it is a PIM eligibility that is not yet activated, and what indirect rights it grants through other workloads. The one-line descriptions above hide such chains: User Administrator, for example, can reset the passwords of users who hold limited admin roles, and resetting a password is taking over that account, so the role inherits whatever those limited admins can do.
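The checklist above can be turned into a single query. The following PowerShell is an added example and not code from the original page: for one user it lists every currently active and every PIM-eligible directory role assignment, whether it comes directly or through a group the user is a member of, and the directory scope of each (tenant-wide or an administrative unit). It assumes the Microsoft Graph PowerShell SDK v2 and a tenant where the PIM schedule-instance endpoints are readable; the UPN is a placeholder, and Resolve-RoleName and Resolve-ScopeName are helper functions defined here, not SDK cmdlets.

```powershell
# Added example (not from the original page): effective directory role assignments
# of one user, including group-based and PIM-eligible ones, with their scope.
# Assumes Microsoft.Graph PowerShell SDK v2; the UPN passed in is a placeholder.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName   # e.g. alice@contoso.example
)

Connect-MgGraph -Scopes "RoleManagement.Read.Directory",
                        "RoleEligibilitySchedule.Read.Directory",
                        "Directory.Read.All" -NoWelcome

$user = Get-MgUser -UserId $UserPrincipalName -Property Id,DisplayName

# Groups the user belongs to: role-assignable groups carry assignments of their own,
# so they must be queried as principals as well.
$groups = Get-MgUserTransitiveMemberOf -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' }

# principalId -> label explaining how the assignment reaches the user
$principals = @{ $user.Id = 'Direct' }
foreach ($g in $groups) {
    $principals[$g.Id] = "Group: $($g.AdditionalProperties['displayName'])"
}

# Helper (defined here, not an SDK cmdlet): role definition id -> display name, cached
$roleCache = @{}
function Resolve-RoleName([string] $RoleDefinitionId) {
    if (-not $roleCache.ContainsKey($RoleDefinitionId)) {
        $roleCache[$RoleDefinitionId] = (Get-MgRoleManagementDirectoryRoleDefinition `
            -UnifiedRoleDefinitionId $RoleDefinitionId).DisplayName
    }
    $roleCache[$RoleDefinitionId]
}

# Helper (defined here): directoryScopeId -> readable scope. "/" is tenant-wide,
# "/administrativeUnits/<id>" is an AU-scoped assignment; anything else is returned raw.
function Resolve-ScopeName([string] $ScopeId) {
    if ($ScopeId -eq '/') { return 'Tenant-wide' }
    if ($ScopeId -match '^/administrativeUnits/(.+)$') {
        $au = Get-MgDirectoryAdministrativeUnit -AdministrativeUnitId $Matches[1]
        return "AU: $($au.DisplayName)"
    }
    return $ScopeId
}

# The schedule-instance endpoints belong to PIM; in a tenant without PIM,
# Get-MgRoleManagementDirectoryRoleAssignment lists the permanent assignments instead.
$rows = foreach ($principalId in $principals.Keys) {
    $filter = "principalId eq '$principalId'"

    # Active right now: permanent ("Assigned") or PIM-activated ("Activated")
    foreach ($a in Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -Filter $filter -All) {
        [pscustomobject]@{
            Role  = Resolve-RoleName $a.RoleDefinitionId
            State = if ($a.AssignmentType -eq 'Activated') { 'Active (PIM)' } else { 'Active (permanent)' }
            Scope = Resolve-ScopeName $a.DirectoryScopeId
            Via   = $principals[$principalId]
            Until = $a.EndDateTime
        }
    }

    # Eligible through PIM but not activated: invisible in a plain assignment listing
    foreach ($e in Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -Filter $filter -All) {
        [pscustomobject]@{
            Role  = Resolve-RoleName $e.RoleDefinitionId
            State = 'Eligible'
            Scope = Resolve-ScopeName $e.DirectoryScopeId
            Via   = $principals[$principalId]
            Until = $e.EndDateTime
        }
    }
}

$rows | Sort-Object Role, State | Format-Table -AutoSize
```

Save the script as, for example, Get-EffectiveRoles.ps1 and run `.\Get-EffectiveRoles.ps1 -UserPrincipalName alice@contoso.example`. Each output row answers one of the questions in the note above: Via shows whether the right is direct or group-based, State separates permanent assignments from PIM activations and eligibilities, and Scope shows whether the role is tenant-wide or confined to an administrative unit. Indirect rights through other workloads (Exchange, Intune, Azure RBAC) are not part of the directory role model and still need to be checked in those services.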

Role comparison matrix

The matrix reduces the most common delegation questions to concrete tasks. It does not replace the full reference, but it is well suited to operating-model, service-desk, and separation-of-duties discussions.

Action | Global Admin | Global Reader | User Admin | Password Admin | Groups Admin | Privileged Role Admin | Application Admin | Cloud App Admin | Conditional Access Admin | License Admin | Reports Reader
Password reset for standard users
Update user profile
Manage groups
Delegate roles
Manage app registrations
Modify Conditional Access
Manage licensing
Read sign-in logs
Manage Intune
Manage Exchange
PowerShell
# Export every directory role definition in the tenant; -All pages through the full
# list, and IsBuiltIn separates Microsoft's built-in roles from custom roles.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory"
Get-MgRoleManagementDirectoryRoleDefinition -All |
  Select-Object DisplayName, TemplateId, IsBuiltIn |
  Sort-Object DisplayName |
  Export-Csv ".\entra-built-in-roles.csv" -NoTypeInformation -Encoding UTF8