Privileged Role Administrator

Privilegiada

Control PlaneIdentity28 role actions

Template ID

e8611ab8-c189-46e8-94e1-60213ab1f814

Categoria

Identity

EAM Tier

Control Plane (Tier 0)

Enterprise Access Model: Control Plane

Controle total do tenant. Comprometimento leva a takeover completo. Isole de planos inferiores.

Descrição

Users with this role can manage role assignments in Microsoft Entra ID, as well as within Microsoft Entra Privileged Identity Management. In addition, this role allows management of all aspects of Privileged Identity Management.

Permissões completas

Todas as 28 role actions desta role, classificadas por tier do EAM.

Role Action	Categoria	Tier
`microsoft.directory/accessReviews/definitions.directoryRoles/allProperties/allTasks`	Entitlement Management	Tier 0
`microsoft.directory/accessReviews/definitions.groupsAssignableToRoles/allProperties/update`	Entitlement Management	Tier 0
`microsoft.directory/accessReviews/definitions.groupsAssignableToRoles/create`	Entitlement Management	Tier 0
`microsoft.directory/accessReviews/definitions.groupsAssignableToRoles/delete`	Entitlement Management	Tier 0
`microsoft.directory/administrativeUnits/allProperties/allTasks`	Tenant Management	Tier 0
`microsoft.directory/authorizationPolicy/allProperties/allTasks`	Tenant Management	Tier 0
`microsoft.directory/directoryRoles/allProperties/allTasks`	Privileged IAM	Tier 0
`microsoft.directory/groupsAssignableToRoles/allProperties/update`	Privileged IAM	Tier 0
`microsoft.directory/groupsAssignableToRoles/assignLicense`	License Management	Tier 0
`microsoft.directory/groupsAssignableToRoles/create`	Privileged IAM	Tier 0
`microsoft.directory/groupsAssignableToRoles/delete`	Privileged IAM	Tier 0
`microsoft.directory/groupsAssignableToRoles/reprocessLicenseAssignment`	License Management	Tier 0
`microsoft.directory/groupsAssignableToRoles/restore`	Privileged IAM	Tier 0
`microsoft.directory/oAuth2PermissionGrants/allProperties/allTasks`	Application and Workload Identity	Tier 0
`microsoft.directory/permissionGrantPolicies/allProperties/update`	Application and Workload Identity	Tier 0
`microsoft.directory/permissionGrantPolicies/create`	Application and Workload Identity	Tier 0
`microsoft.directory/permissionGrantPolicies/delete`	Application and Workload Identity	Tier 0
`microsoft.directory/privilegedIdentityManagement/allProperties/allTasks`	Privileged IAM	Tier 0
`microsoft.directory/roleAssignments/allProperties/allTasks`	Privileged IAM	Tier 0
`microsoft.directory/roleDefinitions/allProperties/allTasks`	Privileged IAM	Tier 0
`microsoft.directory/scopedRoleMemberships/allProperties/allTasks`	Privileged IAM	Tier 0
`microsoft.directory/servicePrincipals/appRoleAssignedTo/update`	Application and Workload Identity	Tier 0
`microsoft.directory/servicePrincipals/managePermissionGrantsForAll.microsoft-company-admin`	Application and Workload Identity	Tier 0
`microsoft.directory/servicePrincipals/permissions/update`	Application and Workload Identity	Tier 0
`microsoft.directory/accessReviews/definitions.applications/allProperties/read`	Tenant Configuration (Reader)	Tier 1
`microsoft.directory/accessReviews/definitions.groups/allProperties/read`	Tenant Configuration (Reader)	Tier 1
`microsoft.directory/permissionGrantPolicies/allProperties/read`	Tenant Configuration (Reader)	Tier 1
`microsoft.office365.webPortal/allEntities/standard/read`	Microsoft 365 Support Operations	Tier 1

28 de 28 role actions

PowerShell

Get-MgRoleManagementDirectoryRoleDefinition `
  -UnifiedRoleDefinitionId "e8611ab8-c189-46e8-94e1-60213ab1f814"

Microsoft Graph

GET https://graph.microsoft.com/v1.0/
  roleManagement/directory/
  roleDefinitions/e8611ab8-c189-46e8-94e1-60213ab1f814

Ver documentação oficial na Microsoft Learn

Roles relacionadas

Agent ID Administrator

Tier 0Identity

Agent ID Developer

Tier 0Identity

Agent Registry Administrator

Tier 0Identity

Directory Synchronization Accounts

Tier 0Identity

Directory Writers

Tier 0Identity