Microsoft Entra Permissions Management roles and permissions levels

In Microsoft Azure and Microsoft Entra Permissions Management role assignments grant users permissions to monitor and take action in multicloud environments.

  • Global Administrator: Manages all aspects of Microsoft Entra admin center and Microsoft services that use Microsoft Entra admin center identities.
  • Permissions Management Administrator: Manages all aspects of Microsoft Entra Permissions Management.
  • Billing Administrator: Performs common billing related tasks like updating payment information.

See Microsoft Entra built-in roles to learn more.

Enabling Permissions Management

Onboarding your Amazon Web Service (AWS), Microsoft Entra, or Google Cloud Platform (GCP) environments

Notes on permissions and roles in Permissions Management

  • Users can have the following permissions:
    • Admin for all authorization system types
    • Admin for selected authorization system types
    • Fine-grained permissions for all or selected authorization system types
  • If a user isn't an admin, they're assigned Microsoft Entra security group-based, fine-grained permissions for all or selected authorization system types:
    • Viewers: View the specified AWS accounts, Azure subscriptions, and GCP projects
    • Controller: Modify Cloud Infrastructure Entitlement Management (CIEM) properties and use the Remediation dashboard.
    • Approvers: Able to approve permission requests
    • Requestors: Request permissions in the specified AWS accounts, Microsoft Entra subscriptions, and GCP projects.

Permissions Management actions and required roles

Remediation

  • To view the Remediation tab, you must have Viewer, Controller, or Approver permissions.
  • To make changes in the Remediation tab, you must have Controller or Approver permissions.

Autopilot

  • To view and make changes in the Autopilot tab, you must be a Permissions Management Administrator.

Alert

  • Any user (admin, nonadmin) can create an alert.
  • Only the user who creates the alert can edit, rename, deactivate, or delete the alert.

Manage users or groups

  • Only the owner of a group can add or remove a user from the group.
  • Managing users and groups is only done in the Microsoft Entra admin center.

Next steps

For information about managing roles, policies and permissions requests in your organization, see View roles/policies and requests for permission in the Remediation dashboard.