Directory Writers

Privilegiada

Control PlaneIdentity42 role actions

Template ID

9360feb5-f418-4baa-8175-e2a00bac4301

Categoria

Identity

EAM Tier

Control Plane (Tier 0)

Enterprise Access Model: Control Plane

Controle total do tenant. Comprometimento leva a takeover completo. Isole de planos inferiores.

Descrição

Users in this role can read and update basic information of users, groups, and service principals. Assign this role only to applications that don't support the Consent Framework. It should not be assigned to any users.

Permissões completas

Todas as 42 role actions desta role, classificadas por tier do EAM.

Role Action	Categoria	Tier
`microsoft.directory/applications/extensionProperties/update`	Application and Workload Identity	Tier 0
`microsoft.directory/groupSettings/basic/update`	Group Management	Tier 0
`microsoft.directory/groupSettings/create`	Group Management	Tier 0
`microsoft.directory/groupSettings/delete`	Group Management	Tier 0
`microsoft.directory/groups/assignLicense`	License Management	Tier 0
`microsoft.directory/groups/assignedLabels/update`	Group Management	Tier 0
`microsoft.directory/groups/basic/update`	Group Management	Tier 0
`microsoft.directory/groups/classification/update`	Group Management	Tier 0
`microsoft.directory/groups/create`	Group Management	Tier 0
`microsoft.directory/groups/dynamicMembershipRule/update`	Group Management	Tier 0
`microsoft.directory/groups/groupType/update`	Group Management	Tier 0
`microsoft.directory/groups/members/update`	Group Management	Tier 0
`microsoft.directory/groups/onPremWriteBack/update`	Group Management	Tier 0
`microsoft.directory/groups/owners/update`	Group Management	Tier 0
`microsoft.directory/groups/reprocessLicenseAssignment`	License Management	Tier 0
`microsoft.directory/groups/settings/update`	Group Management	Tier 0
`microsoft.directory/groups/visibility/update`	Group Management	Tier 0
`microsoft.directory/oAuth2PermissionGrants/basic/update`	Application and Workload Identity	Tier 0
`microsoft.directory/oAuth2PermissionGrants/create`	Application and Workload Identity	Tier 0
`microsoft.directory/servicePrincipals/appRoleAssignedTo/update`	Application and Workload Identity	Tier 0
`microsoft.directory/servicePrincipals/synchronization.cloudTenantToCloudTenant/credentials/manage`	User Lifecycle and Provisioning Management	Tier 0
`microsoft.directory/servicePrincipals/synchronization.cloudTenantToCloudTenant/jobs/manage`	User Lifecycle and Provisioning Management	Tier 0
`microsoft.directory/servicePrincipals/synchronization.cloudTenantToCloudTenant/schema/manage`	User Lifecycle and Provisioning Management	Tier 0
`microsoft.directory/servicePrincipals/synchronization.cloudTenantToExternalSystem/credentials/manage`	User Lifecycle and Provisioning Management	Tier 0
`microsoft.directory/servicePrincipals/synchronization.cloudTenantToExternalSystem/jobs/manage`	User Lifecycle and Provisioning Management	Tier 0
`microsoft.directory/servicePrincipals/synchronization.cloudTenantToExternalSystem/schema/manage`	User Lifecycle and Provisioning Management	Tier 0
`microsoft.directory/servicePrincipals/synchronizationCredentials/manage`	Application and Workload Identity	Tier 0
`microsoft.directory/servicePrincipals/synchronizationJobs/manage`	Application and Workload Identity	Tier 0
`microsoft.directory/servicePrincipals/synchronizationSchema/manage`	Application and Workload Identity	Tier 0
`microsoft.directory/users/assignLicense`	License Management	Tier 0
`microsoft.directory/users/basic/update`	Global User Management	Tier 0
`microsoft.directory/users/create`	Global User Management	Tier 0
`microsoft.directory/users/disable`	Global User Management	Tier 0
`microsoft.directory/users/enable`	Global User Management	Tier 0
`microsoft.directory/users/invalidateAllRefreshTokens`	Global User Management	Tier 0
`microsoft.directory/users/manager/update`	Global User Management	Tier 0
`microsoft.directory/users/photo/update`	Global User Management	Tier 0
`microsoft.directory/users/reprocessLicenseAssignment`	License Management	Tier 0
`microsoft.directory/users/sponsors/update`	Global User Management	Tier 0
`microsoft.directory/users/userPrincipalName/update`	Global User Management	Tier 0
`microsoft.directory/contacts/create`	Microsoft Exchange Online	Tier 1
`microsoft.directory/users/inviteGuest`	External Identities	Tier 2

42 de 42 role actions

PowerShell

Get-MgRoleManagementDirectoryRoleDefinition `
  -UnifiedRoleDefinitionId "9360feb5-f418-4baa-8175-e2a00bac4301"

Microsoft Graph

GET https://graph.microsoft.com/v1.0/
  roleManagement/directory/
  roleDefinitions/9360feb5-f418-4baa-8175-e2a00bac4301

Ver documentação oficial na Microsoft Learn

Roles relacionadas

Agent ID Administrator

Tier 0Identity

Agent ID Developer

Tier 0Identity

Agent Registry Administrator

Tier 0Identity

Directory Synchronization Accounts

Tier 0Identity

Domain Name Administrator

Tier 0Identity