Agent ID Administrator
Privileged | Control Plane | Identity | 63 role actions
Template ID
db506228-d27e-4b7d-95e5-295956d6615f
Category
Identity
EAM Tier
Control Plane (Tier 0)
Enterprise Access Model: Control Plane
Full control of the tenant. Compromise leads to complete tenant takeover. Isolate this role from lower planes.
Description
Manage the full lifecycle of agent identities, agent identity blueprint principals, agent identity blueprints, and agent users in a tenant
Full permissions
All 63 role actions of this role, classified by EAM tier.
| Role Action | Category | Tier |
|---|---|---|
| microsoft.directory/agentIdentities/appRoleAssignedTo/update | Agent Identity | Tier 0 |
| microsoft.directory/agentIdentities/authentication/update | Agent Identity | Tier 0 |
| microsoft.directory/agentIdentities/basic/update | Agent Identity | Tier 0 |
| microsoft.directory/agentIdentities/create | Agent Identity | Tier 0 |
| microsoft.directory/agentIdentities/delete | Agent Identity | Tier 0 |
| microsoft.directory/agentIdentities/disable | Agent Identity | Tier 0 |
| microsoft.directory/agentIdentities/enable | Agent Identity | Tier 0 |
| microsoft.directory/agentIdentities/owners/update | Agent Identity | Tier 0 |
| microsoft.directory/agentIdentities/tag/update | Agent Identity | Tier 0 |
| microsoft.directory/agentIdentityBlueprintPrincipals/appRoleAssignedTo/update | Agent Identity | Tier 0 |
| microsoft.directory/agentIdentityBlueprintPrincipals/authentication/update | Agent Identity | Tier 0 |
| microsoft.directory/agentIdentityBlueprintPrincipals/basic/update | Agent Identity | Tier 0 |
| microsoft.directory/agentIdentityBlueprintPrincipals/create | Agent Identity | Tier 0 |
| microsoft.directory/agentIdentityBlueprintPrincipals/delete | Agent Identity | Tier 0 |
| microsoft.directory/agentIdentityBlueprintPrincipals/disable | Agent Identity | Tier 0 |
| microsoft.directory/agentIdentityBlueprintPrincipals/enable | Agent Identity | Tier 0 |
| microsoft.directory/agentIdentityBlueprintPrincipals/owners/update | Agent Identity | Tier 0 |
| microsoft.directory/agentIdentityBlueprintPrincipals/tag/update | Agent Identity | Tier 0 |
| microsoft.directory/agentIdentityBlueprints/allProperties/update | Agent Identity | Tier 0 |
| microsoft.directory/agentIdentityBlueprints/appRoles/update | Agent Identity | Tier 0 |
| microsoft.directory/agentIdentityBlueprints/audience/update | Agent Identity | Tier 0 |
| microsoft.directory/agentIdentityBlueprints/authentication/update | Agent Identity | Tier 0 |
| microsoft.directory/agentIdentityBlueprints/basic/update | Agent Identity | Tier 0 |
| microsoft.directory/agentIdentityBlueprints/create | Agent Identity | Tier 0 |
| microsoft.directory/agentIdentityBlueprints/credentials/update | Agent Identity | Tier 0 |
| microsoft.directory/agentIdentityBlueprints/delete | Agent Identity | Tier 0 |
| microsoft.directory/agentIdentityBlueprints/owners/update | Agent Identity | Tier 0 |
| microsoft.directory/agentIdentityBlueprints/permissions/update | Agent Identity | Tier 0 |
| microsoft.directory/agentIdentityBlueprints/tag/update | Agent Identity | Tier 0 |
| microsoft.directory/agentUsers/assignLicense | Global Agent User Management | Tier 0 |
| microsoft.directory/agentUsers/basic/update | Global Agent User Management | Tier 0 |
| microsoft.directory/agentUsers/create | Global Agent User Management | Tier 0 |
| microsoft.directory/agentUsers/delete | Global Agent User Management | Tier 0 |
| microsoft.directory/agentUsers/disable | Global Agent User Management | Tier 0 |
| microsoft.directory/agentUsers/enable | Global Agent User Management | Tier 0 |
| microsoft.directory/agentUsers/invalidateAllRefreshTokens | Global Agent User Management | Tier 0 |
| microsoft.directory/agentUsers/lifeCycleInfo/read | Global Agent User Management | Tier 0 |
| microsoft.directory/agentUsers/lifeCycleInfo/update | Global Agent User Management | Tier 0 |
| microsoft.directory/agentUsers/manager/update | Global Agent User Management | Tier 0 |
| microsoft.directory/agentUsers/photo/update | Global Agent User Management | Tier 0 |
| microsoft.directory/agentUsers/reprocessLicenseAssignment | Global Agent User Management | Tier 0 |
| microsoft.directory/agentUsers/restore | Global Agent User Management | Tier 0 |
| microsoft.directory/agentUsers/revokeSignInSessions | Global Agent User Management | Tier 0 |
| microsoft.directory/agentUsers/sponsors/update | Global Agent User Management | Tier 0 |
| microsoft.directory/agentUsers/usageLocation/update | Global Agent User Management | Tier 0 |
| microsoft.directory/agentUsers/userPrincipalName/update | Global Agent User Management | Tier 0 |
| microsoft.directory/deletedItems.agentIdentities/delete | Agent Identity | Tier 0 |
| microsoft.directory/deletedItems.agentIdentities/restore | Agent Identity | Tier 0 |
| microsoft.directory/deletedItems.agentIdentityBlueprintPrincipals/delete | Agent Identity | Tier 0 |
| microsoft.directory/deletedItems.agentIdentityBlueprintPrincipals/restore | Agent Identity | Tier 0 |
| microsoft.directory/deletedItems.agentIdentityBlueprints/delete | Agent Identity | Tier 0 |
| microsoft.directory/deletedItems.agentIdentityBlueprints/restore | Agent Identity | Tier 0 |
| microsoft.azure.serviceHealth/allEntities/allTasks | Support and Service Health | Tier 1 |
| microsoft.azure.supportTickets/allEntities/allTasks | Support and Service Health | Tier 1 |
| microsoft.directory/auditLogs/allProperties/read | Security and Compliance | Tier 1 |
| microsoft.directory/externalUserProfiles/standard/read | Tenant Configuration (Reader) | Tier 1 |
| microsoft.directory/groups/hiddenMembers/read | Tenant Configuration (Reader) | Tier 1 |
| microsoft.directory/signInReports/allProperties/read | Security and Compliance | Tier 1 |
| microsoft.office365.serviceHealth/allEntities/allTasks | Microsoft 365 Support Operations | Tier 1 |
| microsoft.office365.supportTickets/allEntities/allTasks | Microsoft 365 Support Operations | Tier 1 |
| microsoft.directory/groups.unified/createAsOwner | Extended member | Tier 2 |
| microsoft.directory/organization/standard/read | Default member | Tier 2 |
| microsoft.directory/policies/standard/read | Default member | Tier 2 |
63 of 63 role actions
PowerShell

```powershell
# Requires the Microsoft.Graph.Identity.Governance module and a session with
# RoleManagement.Read.Directory (e.g. Connect-MgGraph -Scopes "RoleManagement.Read.Directory").
# Retrieves this role definition by its template ID, including its rolePermissions.
Get-MgRoleManagementDirectoryRoleDefinition `
    -UnifiedRoleDefinitionId "db506228-d27e-4b7d-95e5-295956d6615f"
```
Microsoft Graph

```http
GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions/db506228-d27e-4b7d-95e5-295956d6615f
```