This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(105.60000000000001, 68%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVO%3C/text%3E%3C/svg%3E)
Hello,
In my test default tenant, when I set up Entra External ID as a Global Administrator, I can access all available features. However, in my client’s Entra External tenant, where I have the roles of Application Administrator and Cloud Application Administrator, I notice several features are missing.
The missing features include but are not limited to:
I would like to understand why these features are unavailable in my client tenant and how I can enable them.
Thank you for your assistance.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 27%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERP%3C/text%3E%3C/svg%3E)
Hello @Vedran Opančar - dotSource SE,
Thank you for posting your query on Microsoft Q&A.
As @Abiola Akinbade mentioned, the difference between your test tenant and the client’s tenant is due to the roles assigned to your user account. In your test tenant, you can perform actions in the External ID tenant because you have the Global Administrator role. However, in the client’s tenant, where you only have the "Application Administrator" and "Cloud Application Administrator" roles, you lack the necessary permissions to manage or make changes to Entra features.
To manage conditional access policies, you need to have at least the Conditional Access Administrator or Security Administrator role assigned.
To manage user flows, your account must have the External ID User Flow Administrator role.
Additionally, if you are encountering any error messages when trying to create a Custom Authentication Extension (Preview), please share a screenshot of the error. This will help us troubleshoot the issue more effectively.
You also mentioned that some features currently in Preview are unavailable for use. Could you provide more details about these options so we can investigate and provide further guidance?
I hope this information is helpful. Please feel free to reach out if you have any further questions.
Thanks,
Raja Pothuraju.
Thank you for your fast response and help, I appreciate it.
Makes sense for some parts, for this it does not:
What I found out is that the client tenant has no linked subscription and that could be the reason.
Hello @Vedran Opančar - dotSource SE,
Thank you for your response.
Based on your statement, this does not seem like an expected scenario.
To gain a better understanding of the situation, I’d like to connect with you offline to investigate further. Please send an email to AzCommunity@microsoft.com with the subject line Attn: Pothurajur and include a link to this thread for reference.
We can discuss this in detail offline.
Thanks,
Raja Pothuraju.
Hello @Vedran Opančar - dotSource SE,
I just wanted to check if you'd be interested in taking this offline via a remote session to better understand the scenario. Please feel free to email me at AzCommunity@microsoft.com with the subject line "Attn: Pothurajur" and include a link to this thread for reference.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(217.60000000000002, 24%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAA%3C/text%3E%3C/svg%3E)
Hello Vedran Opančar - dotSource SE,
Thanks for your question
This is an RBAC issue. The discrepancies you’re observing between your test tenant and your client’s Entra External ID tenant are likely due to the differences in the roles assigned to you in each environment.
For example To manage Conditional access you need at least the Conditional Access Administrator role as the cloud application administrator does not have the needed ppermissions for CA management:
To resolve the issue, for what you need on the tenant you need to have the appropriate roles assigned.
You can mark it 'Accept Answer' and 'Upvote' if this helped you
Regards,
Abiola