
Roles and Administrators - Understanding Azure Active Directory

The Roles and Administrators section (shown in Figure 10.5) allows you to see just some of the available Azure AD roles and what each role does.

FIGURE 10.5 Roles and Administrators Section

Table 10.1 shows some of the various roles that are available and what each role does in Azure AD. This table was taken directly from Microsoft’s website.

When you are in the Azure AD Roles and Administrators section, you can click any of these roles to see who currently has this role in your organization.

TABLE 10.1 Azure roles

Application Administrator: Can create and manage all aspects of app registrations and enterprise apps.
Application Developer: Can create application registrations independent of the 'Users can register applications' setting.
Attack Payload Author: Can create attack payloads that an administrator can initiate later.
Attack Simulation Administrator: Can create and manage all aspects of attack simulation campaigns.
Authentication Administrator: Can access, view, set, and reset authentication method information for any non-admin user.
Authentication Policy Administrator: Can create and manage the authentication methods policy, tenant-wide MFA settings, password protection policy, and verifiable credentials.
Azure AD Joined Device Local Administrator: Users assigned to this role are added to the local administrators group on Azure AD-joined devices.
Azure DevOps Administrator: Can manage Azure DevOps organization policy and settings.
Azure Information Protection Administrator: Can manage all aspects of the Azure Information Protection product.
B2C IEF Keyset Administrator: Can manage secrets for federation and encryption in the Identity Experience Framework (IEF).
B2C IEF Policy Administrator: Can create and manage trust framework policies in the Identity Experience Framework (IEF).
Billing Administrator: Can perform common billing-related tasks like updating payment information.
Cloud App Security Administrator: Can manage all aspects of the Cloud App Security product.
Cloud Application Administrator: Can create and manage all aspects of app registrations and enterprise apps except App Proxy.
Cloud Device Administrator: Limited access to manage devices in Azure AD.
Compliance Administrator: Can read and manage compliance configuration and reports in Azure AD and Microsoft 365.
Compliance Data Administrator: Creates and manages compliance content.
Conditional Access Administrator: Can manage Conditional Access capabilities.
Customer LockBox Access Approver: Can approve Microsoft support requests to access customer organizational data.
Desktop Analytics Administrator: Can access and manage Desktop management tools and services.
Directory Readers: Can read basic directory information. Commonly used to grant directory read access to applications and guests.
Directory Synchronization Accounts: Only used by the Azure AD Connect service.
Directory Writers: Can read and write basic directory information. For granting access to applications, not intended for users.
Domain Name Administrator: Can manage domain names in cloud and on-premises.
Dynamics 365 Administrator: Can manage all aspects of the Dynamics 365 product.
Edge Administrator: Can manage all aspects of Microsoft Edge.
Exchange Administrator: Can manage all aspects of the Exchange product.
Exchange Recipient Administrator: Can create or update Exchange Online recipients within the Exchange Online organization.
External ID User Flow Administrator: Can create and manage all aspects of user flows.
External ID User Flow Attribute Administrator: Can create and manage the attribute schema available to all user flows.
External Identity Provider Administrator: Can configure identity providers for use in direct federation.
Global Administrator: Can manage all aspects of Azure AD and Microsoft services that use Azure AD identities.
Global Reader: Can read everything that a Global Administrator can, but not update anything.
Groups Administrator: Members of this role can create/manage groups, create/manage group settings like naming and expiration policies, and view groups activity and audit reports.
Guest Inviter: Can invite guest users independent of the 'members can invite guests' setting.
Helpdesk Administrator: Can reset passwords for non-administrators and Helpdesk Administrators.
Hybrid Identity Administrator: Can manage AD to Azure AD cloud provisioning, Azure AD Connect, and federation settings.
Identity Governance Administrator: Can manage access using Azure AD for identity governance scenarios.
Insights Administrator: Has administrative access in the Microsoft 365 Insights app.
Insights Business Leader: Can view and share dashboards and insights via the Microsoft 365 Insights app.
Intune Administrator: Can manage all aspects of the Intune product.
Kaizala Administrator: Can manage settings for Microsoft Kaizala.
Knowledge Administrator: Can configure knowledge, learning, and other intelligent features.
Knowledge Manager: Can organize, create, manage, and promote topics and knowledge.
License Administrator: Can manage product licenses on users and groups.
Message Center Privacy Reader: Can read security messages and updates in Office 365 Message Center only.
Message Center Reader: Can read messages and updates for their organization in Office 365 Message Center only.
Modern Commerce User: Can manage commercial purchases for a company, department, or team.
Network Administrator: Can manage network locations and review enterprise network design insights for Microsoft 365 Software as a Service applications.
Office Apps Administrator: Can manage Office apps cloud services, including policy and settings management, and manage the ability to select, unselect, and publish 'what's new' feature content to end users' devices.
Partner Tier1 Support: Do not use – not intended for general use.
Partner Tier2 Support: Do not use – not intended for general use.
Password Administrator: Can reset passwords for non-administrators and Password Administrators.
Power BI Administrator: Can manage all aspects of the Power BI product.
Power Platform Administrator: Can create and manage all aspects of Microsoft Dynamics 365, Power Apps, and Power Automate.
Printer Administrator: Can manage all aspects of printers and printer connectors.
Printer Technician: Can register and unregister printers and update printer status.
Privileged Authentication Administrator: Can access, view, set, and reset authentication method information for any user (admin or non-admin).
Privileged Role Administrator: Can manage role assignments in Azure AD, and all aspects of Privileged Identity Management.
Reports Reader: Can read sign-in and audit reports.
Search Administrator: Can create and manage all aspects of Microsoft Search settings.
Search Editor: Can create and manage editorial content such as bookmarks, Q and As, locations, and floorplans.
Security Administrator: Can read security information and reports, and manage configuration in Azure AD and Office 365.
Security Operator: Creates and manages security events.
Security Reader: Can read security information and reports in Azure AD and Office 365.
Service Support Administrator: Can read service health information and manage support tickets.
SharePoint Administrator: Can manage all aspects of the SharePoint service.
Skype for Business Administrator: Can manage all aspects of the Skype for Business product.
Teams Administrator: Can manage the Microsoft Teams service.
Teams Communications Administrator: Can manage calling and meetings features within the Microsoft Teams service.
Teams Communications Support Engineer: Can troubleshoot communications issues within Teams using advanced tools.
Teams Communications Support Specialist: Can troubleshoot communications issues within Teams using basic tools.
Teams Devices Administrator: Can perform management-related tasks on Teams certified devices.
Usage Summary Reports Reader: Can see only tenant-level aggregates in Microsoft 365 Usage Analytics and Productivity Score.
User Administrator: Can manage all aspects of users and groups, including resetting passwords for limited admins.
Windows 365 Administrator: Can provision and manage all aspects of Cloud PCs.
Windows Update Deployment Administrator: Can create and manage all aspects of Windows Update deployments through the Windows Update for Business deployment service.
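Clicking a role in the portal shows its holders one role at a time. As an added example (not from the book or from Microsoft), the following Microsoft Graph PowerShell script lists the holders of the most powerful roles from Table 10.1 in one pass; it assumes the Microsoft.Graph module is installed, and the set of roles treated as high-privilege is the author's own selection.

```powershell
# Added example: enumerate who holds the high-privilege Azure AD roles from Table 10.1.
# Assumes the Microsoft.Graph PowerShell SDK and an account permitted to read role assignments.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All"

# Roles that can take over the tenant, change other admins' credentials, or alter
# authentication policy. This selection is an assumption, not a Microsoft list.
$highPrivilegeRoles = @(
    "Global Administrator",
    "Privileged Role Administrator",
    "Privileged Authentication Administrator",
    "Security Administrator",
    "Conditional Access Administrator",
    "Hybrid Identity Administrator",
    "Application Administrator"
)

# Get-MgDirectoryRole returns only roles that have been activated in the tenant;
# a role that has never been assigned may not appear at all.
$activatedRoles = Get-MgDirectoryRole -All

$report = foreach ($roleName in $highPrivilegeRoles) {
    $role = $activatedRoles | Where-Object { $_.DisplayName -eq $roleName }
    if (-not $role) { continue }   # never activated, so nobody holds it

    # Members come back as generic directory objects; user/app details sit in AdditionalProperties.
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        [pscustomobject]@{
            Role       = $roleName
            ObjectType = $member.AdditionalProperties['@odata.type'] -replace '#microsoft.graph.', ''
            Name       = $member.AdditionalProperties['displayName']
            Upn        = $member.AdditionalProperties['userPrincipalName']
            Id         = $member.Id
        }
    }
}

$report | Sort-Object Role, Name | Format-Table -AutoSize

# Review prompts: many holders of one role, or a service principal holding an admin role.
# The threshold of 3 is an arbitrary starting point for review, not a Microsoft recommendation.
$report | Group-Object Role | Where-Object Count -gt 3 |
    ForEach-Object { Write-Warning "$($_.Name) has $($_.Count) holders; review each one." }
$report | Where-Object ObjectType -eq 'servicePrincipal' |
    ForEach-Object { Write-Warning "Service principal '$($_.Name)' holds $($_.Role)." }
```

This lists active assignments only; eligible assignments managed through Privileged Identity Management (the feature the Privileged Role Administrator entry refers to) are not returned by this call and need to be reviewed separately.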

Enterprise Applications

The Enterprise Applications section allows you to view, set up, and configure your organization’s enterprise applications. You can also set up an application proxy within the Enterprise Applications section. An application proxy allows you to provide single sign-on (SSO) and secure remote access for web applications hosted on your on-premises network.

The Enterprise Applications section also lets you set up user settings for your enterprise applications. These settings include whether users can give consent to applications accessing data on their company networks, whether users can add applications to their Access panel, and whether users can only see Microsoft 365 in the M365 portal.

In the Enterprise Applications section, you can also set up Conditional Access (setting up application policies), see who has logged into the applications, and set up auditing. You can also troubleshoot application issues or open a support ticket with Microsoft for additional help.

Devices

The Devices section allows you to specify which devices can access Azure AD. You can also configure device settings and device roaming settings (Enterprise State Roaming). You can do auditing and troubleshooting from the Devices section.

In the Devices section, you also have the ability to set up BitLocker keys. You can view and copy BitLocker keys so that users have the ability to recover encrypted drives. BitLocker keys are only available for Windows devices that have been encrypted using BitLocker, and those keys are stored in Azure AD.

Administrators can view a device’s BitLocker key from the device’s details by selecting Show Recovery Key; doing so generates an audit log entry, which you can find in the KeyManagement category of the audit log.
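Because every key read lands in the KeyManagement audit category, that category is the place to check who has been viewing recovery keys. As an added example (not from the book or from Microsoft), this Microsoft Graph PowerShell script pulls those entries for the last 30 days and summarizes them per actor; it assumes the Microsoft.Graph module is installed, and the review threshold is the author's own choice.

```powershell
# Added example: review KeyManagement audit events (BitLocker recovery key reads) in Azure AD.
# Assumes the Microsoft.Graph PowerShell SDK and an account permitted to read audit logs.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

# Look back 30 days (assumed window); Graph expects an ISO 8601 UTC timestamp in the filter.
$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

# 'KeyManagement' is the category named in the chapter; the filter is standard OData.
$events = Get-MgAuditLogDirectoryAudit -All `
    -Filter "category eq 'KeyManagement' and activityDateTime ge $since"

$rows = foreach ($e in $events) {
    [pscustomobject]@{
        When     = $e.ActivityDateTime
        Activity = $e.ActivityDisplayName           # the audit entry created by Show Recovery Key
        Actor    = $e.InitiatedBy.User.UserPrincipalName
        ActorIp  = $e.InitiatedBy.User.IPAddress
        Target   = ($e.TargetResources | ForEach-Object DisplayName) -join ', '
        Result   = $e.Result
    }
}

$rows | Sort-Object When -Descending | Format-Table -AutoSize

# Triage: one account reading many recovery keys in a short window is worth a second look.
# The threshold of 5 is an assumption to start from, not a Microsoft recommendation.
$rows | Group-Object Actor | Where-Object Count -ge 5 |
    ForEach-Object { Write-Warning "$($_.Name) read recovery keys $($_.Count) times in the last 30 days." }
```

Run it on a schedule and compare the actor list against the Helpdesk Administrator and Cloud Device Administrator holders from Table 10.1, since those are the accounts expected to appear.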

Licenses

The Licenses section allows you to view purchased licensing for additional Azure AD components. If you purchase additional Azure AD components (e.g., Azure Active Directory Premium P2 or Enterprise Mobility + Security E5), those additional components will show up in the Licenses section. You can also see if there are any licensing issues in this section.

The Licenses section also allows you to view additional components that are available and what those components do. You can also view auditing and perform troubleshooting from this section.
