Security Administrator

Privilegiada

Control PlaneSecurity82 role actions

Template ID

194ae4cb-b126-40b2-bd5b-6091b380977d

Categoria

Security

EAM Tier

Control Plane (Tier 0)

Enterprise Access Model: Control Plane

Controle total do tenant. Comprometimento leva a takeover completo. Isole de planos inferiores.

Descrição

Users with this role have all of the read-only permissions of the Security reader role, plus the ability to manage configuration for security-related services: Microsoft Entra ID Protection, Azure Information Protection, Privileged Ident...

Permissões completas

Todas as 82 role actions desta role, classificadas por tier do EAM.

Role Action	Categoria	Tier
`microsoft.directory/applications/policies/update`	Tenant Policy Management	Tier 0
`microsoft.directory/bitlockerKeys/key/read`	Global Endpoint Bitlocker Recovery	Tier 0
`microsoft.directory/conditionalAccessPolicies/basic/update`	Conditional Access	Tier 0
`microsoft.directory/conditionalAccessPolicies/create`	Conditional Access	Tier 0
`microsoft.directory/conditionalAccessPolicies/delete`	Conditional Access	Tier 0
`microsoft.directory/conditionalAccessPolicies/owners/update`	Conditional Access	Tier 0
`microsoft.directory/conditionalAccessPolicies/tenantDefault/update`	Conditional Access	Tier 0
`microsoft.directory/crossTenantAccessPolicy/basic/update`	Conditional Access	Tier 0
`microsoft.directory/crossTenantAccessPolicy/default/b2bCollaboration/update`	Conditional Access	Tier 0
`microsoft.directory/crossTenantAccessPolicy/default/b2bDirectConnect/update`	Conditional Access	Tier 0
`microsoft.directory/crossTenantAccessPolicy/default/tenantRestrictions/update`	Conditional Access	Tier 0
`microsoft.directory/crossTenantAccessPolicy/partners/b2bCollaboration/update`	Conditional Access	Tier 0
`microsoft.directory/crossTenantAccessPolicy/partners/b2bDirectConnect/update`	Conditional Access	Tier 0
`microsoft.directory/crossTenantAccessPolicy/partners/delete`	Conditional Access	Tier 0
`microsoft.directory/crossTenantAccessPolicy/partners/identitySynchronization/basic/update`	Conditional Access	Tier 0
`microsoft.directory/crossTenantAccessPolicy/partners/identitySynchronization/create`	Conditional Access	Tier 0
`microsoft.directory/crossTenantAccessPolicy/partners/templates/multiTenantOrganizationIdentitySynchronization/basic/update`	Conditional Access	Tier 0
`microsoft.directory/crossTenantAccessPolicy/partners/templates/multiTenantOrganizationIdentitySynchronization/resetToDefaultSettings`	Conditional Access	Tier 0
`microsoft.directory/crossTenantAccessPolicy/partners/templates/multiTenantOrganizationPartnerConfiguration/basic/update`	Conditional Access	Tier 0
`microsoft.directory/crossTenantAccessPolicy/partners/templates/multiTenantOrganizationPartnerConfiguration/resetToDefaultSettings`	Conditional Access	Tier 0
`microsoft.directory/crossTenantAccessPolicy/partners/tenantRestrictions/update`	Conditional Access	Tier 0
`microsoft.directory/domains/federation/update`	Authentication	Tier 0
`microsoft.directory/domains/federationConfiguration/basic/update`	Authentication	Tier 0
`microsoft.directory/domains/federationConfiguration/create`	Authentication	Tier 0
`microsoft.directory/domains/federationConfiguration/delete`	Authentication	Tier 0
`microsoft.directory/identityProtection/allProperties/update`	Identity Threat Detection and Response	Tier 0
`microsoft.directory/multiTenantOrganization/basic/update`	Multi Tenant Management	Tier 0
`microsoft.directory/multiTenantOrganization/create`	Multi Tenant Management	Tier 0
`microsoft.directory/multiTenantOrganization/joinRequest/organizationDetails/update`	Multi Tenant Management	Tier 0
`microsoft.directory/multiTenantOrganization/tenants/create`	Multi Tenant Management	Tier 0
`microsoft.directory/multiTenantOrganization/tenants/delete`	Multi Tenant Management	Tier 0
`microsoft.directory/multiTenantOrganization/tenants/organizationDetails/update`	Multi Tenant Management	Tier 0
`microsoft.directory/namedLocations/basic/update`	Conditional Access	Tier 0
`microsoft.directory/namedLocations/create`	Conditional Access	Tier 0
`microsoft.directory/namedLocations/delete`	Conditional Access	Tier 0
`microsoft.directory/policies/create`	Tenant Policy Management	Tier 0
`microsoft.directory/policies/delete`	Tenant Policy Management	Tier 0
`microsoft.directory/policies/owners/update`	Tenant Policy Management	Tier 0
`microsoft.directory/policies/tenantDefault/update`	Tenant Policy Management	Tier 0
`microsoft.directory/resourceNamespaces/resourceActions/authenticationContext/update`	Conditional Access	Tier 0
`microsoft.directory/servicePrincipals/policies/update`	Application and Workload Identity	Tier 0
`microsoft.networkAccess/allEntities/allProperties/allTasks`	Global Secure Access Management	Tier 0
`microsoft.office365.protectionCenter/allEntities/basic/update`	Global Security and Compliance Management	Tier 0
`microsoft.agentRegistry/allEntities/allProperties/read`	Tenant Configuration (Reader)	Tier 1
`microsoft.azure.serviceHealth/allEntities/allTasks`	Support and Service Health	Tier 1
`microsoft.azure.supportTickets/allEntities/allTasks`	Support and Service Health	Tier 1
`microsoft.directory/auditLogs/allProperties/read`	Security and Compliance	Tier 1
`microsoft.directory/bulkJobs/standard/read`	Tenant Configuration (Reader)	Tier 1
`microsoft.directory/conditionalAccessPolicies/owners/read`	Tenant Configuration (Reader)	Tier 1
`microsoft.directory/conditionalAccessPolicies/policyAppliedTo/read`	Tenant Configuration (Reader)	Tier 1
`microsoft.directory/conditionalAccessPolicies/standard/read`	Tenant Configuration (Reader)	Tier 1
`microsoft.directory/crossTenantAccessPolicy/allowedCloudEndpoints/update`	Cross Tenant Partner Management	Tier 1
`microsoft.directory/crossTenantAccessPolicy/default/crossCloudMeetings/update`	Cross Tenant Partner Management	Tier 1
`microsoft.directory/crossTenantAccessPolicy/default/standard/read`	Tenant Configuration (Reader)	Tier 1
`microsoft.directory/crossTenantAccessPolicy/partners/create`	Cross Tenant Partner Management	Tier 1
`microsoft.directory/crossTenantAccessPolicy/partners/crossCloudMeetings/update`	Cross Tenant Partner Management	Tier 1
`microsoft.directory/crossTenantAccessPolicy/partners/identitySynchronization/standard/read`	Tenant Configuration (Reader)	Tier 1
`microsoft.directory/crossTenantAccessPolicy/partners/standard/read`	Tenant Configuration (Reader)	Tier 1
`microsoft.directory/crossTenantAccessPolicy/partners/templates/multiTenantOrganizationIdentitySynchronization/standard/read`	Tenant Configuration (Reader)	Tier 1
`microsoft.directory/crossTenantAccessPolicy/partners/templates/multiTenantOrganizationPartnerConfiguration/standard/read`	Tenant Configuration (Reader)	Tier 1
`microsoft.directory/crossTenantAccessPolicy/standard/read`	Tenant Configuration (Reader)	Tier 1
`microsoft.directory/deviceLocalCredentials/standard/read`	Tenant Configuration (Reader)	Tier 1
`microsoft.directory/domains/federationConfiguration/standard/read`	Tenant Configuration (Reader)	Tier 1
`microsoft.directory/entitlementManagement/allProperties/read`	Tenant Configuration (Reader)	Tier 1
`microsoft.directory/identityProtection/allProperties/read`	Security and Compliance	Tier 1
`microsoft.directory/multiTenantOrganization/joinRequest/standard/read`	Tenant Configuration (Reader)	Tier 1
`microsoft.directory/multiTenantOrganization/tenants/organizationDetails/read`	Tenant Configuration (Reader)	Tier 1
`microsoft.directory/namedLocations/standard/read`	Tenant Configuration (Reader)	Tier 1
`microsoft.directory/policies/basic/update`	Tenant Configuration (Reader)	Tier 1
`microsoft.directory/privilegedIdentityManagement/allProperties/read`	Tenant Configuration (Reader)	Tier 1
`microsoft.directory/provisioningLogs/allProperties/read`	Security and Compliance	Tier 1
`microsoft.directory/signInReports/allProperties/read`	Security and Compliance	Tier 1
`microsoft.office365.protectionCenter/allEntities/standard/read`	Security and Compliance	Tier 1
`microsoft.office365.protectionCenter/attackSimulator/payload/allProperties/allTasks`	Security and Compliance	Tier 1
`microsoft.office365.protectionCenter/attackSimulator/reports/allProperties/read`	Security and Compliance	Tier 1
`microsoft.office365.protectionCenter/attackSimulator/simulation/allProperties/allTasks`	Security and Compliance	Tier 1
`microsoft.office365.serviceHealth/allEntities/allTasks`	Microsoft 365 Support Operations	Tier 1
`microsoft.office365.supportTickets/allEntities/allTasks`	Microsoft 365 Support Operations	Tier 1
`microsoft.office365.webPortal/allEntities/standard/read`	Microsoft 365 Support Operations	Tier 1
`microsoft.directory/authorizationPolicy/standard/read`	Default member	Tier 2
`microsoft.directory/multiTenantOrganization/standard/read`	Default member, Guest user	Tier 2
`microsoft.directory/multiTenantOrganization/tenants/standard/read`	Default member, Guest user	Tier 2

82 de 82 role actions

PowerShell

Get-MgRoleManagementDirectoryRoleDefinition `
  -UnifiedRoleDefinitionId "194ae4cb-b126-40b2-bd5b-6091b380977d"

Microsoft Graph

GET https://graph.microsoft.com/v1.0/
  roleManagement/directory/
  roleDefinitions/194ae4cb-b126-40b2-bd5b-6091b380977d

Ver documentação oficial na Microsoft Learn

Roles relacionadas

Authentication Administrator

Tier 0Security

Authentication Extensibility Administrator

Tier 0Security

Authentication Extensibility Password Administrator

Tier 0Security

Authentication Policy Administrator

Tier 0Security

B2C IEF Keyset Administrator

Tier 0Security