New Administrative Roles for Azure AD as Public Preview
In its own Community Portal, Microsoft has announced 16 new administrative built-in roles for Azure Active Directory. Among the new roles for various administrative tasks in Microsoft 365 is one that has been requested again and again in the past: the Global Reader. This role is a read-only version of the Global Administrator role and provides read access to all settings and administrative information in Azure AD and Microsoft 365. According to Microsoft, this role is not only suitable for planning tasks, audits or investigations, but can also be used in combination with other limited administrator roles, such as Exchange or SharePoint Administrator.
The Global Reader role is currently in public preview, but is already supported by nearly all Microsoft 365 services. Full support in SharePoint Online services is still missing.
Other newly integrated roles include Authentication Administrator and Privileged Authentication Administrator, which grant granular permissions for permission management, as well as a number of roles for managing Azure AD B2C. All new built-in roles are listed in the table below.
Role name | Description |
Authentication administrator | View, set, and reset authentication method information and passwords for any non-admin user. |
Azure DevOps administrator | Manage Azure DevOps organization policy and settings. |
B2C user flow administrator | Create and manage all aspects of user flows. |
B2C user flow attribute administrator | Create and manage the attribute schema available to all user flows. |
B2C IEF Keyset administrator | Manage secrets for federation and encryption in the Identity Experience Framework. |
B2C IEF Policy administrator | Create and manage trust framework policies in the Identity Experience Framework. |
Compliance data administrator | Create and manage compliance data and alerts. |
External Identity Provider administrator | Configure identity providers for use in direct federation. |
Global reader | View everything a Global administrator can view without the ability to edit or change. |
Kaizala administrator | Manage settings for Microsoft Kaizala. |
Message center privacy reader | Read Message center posts, data privacy messages, groups, domains and subscriptions. |
Password administrator | Reset passwords for non-administrators and Password administrators. |
Privileged authentication administrator | View, set, and reset authentication method information for any user (admin or non-admin). |
Security operator | Creates and manages security events. |
Search administrator | Create and manage all aspects of Microsoft Search settings. |
Search editor | Create and manage editorial content such as bookmarks, Q & As, locations, floorplan. |
Source: Microsoft