User Administrator

Privilegiada

Control PlaneIdentity56 role actions

Template ID

fe930be7-5e62-47db-91af-98c3a49a38b1

Categoria

Identity

EAM Tier

Control Plane (Tier 0)

Enterprise Access Model: Control Plane

Controle total do tenant. Comprometimento leva a takeover completo. Isole de planos inferiores.

Descrição

Users with this role can create and manage all aspects of users and groups. Additionally, this role includes the ability to manage support tickets and monitors service health. Some restrictions apply. For example, this role does not allo...

Permissões completas

Todas as 56 role actions desta role, classificadas por tier do EAM.

Role Action	Categoria	Tier
`microsoft.directory/accessReviews/definitions.applications/allProperties/allTasks`	Entitlement Management	Tier 0
`microsoft.directory/accessReviews/definitions.entitlementManagement/allProperties/allTasks`	Entitlement Management	Tier 0
`microsoft.directory/accessReviews/definitions.groups/allProperties/update`	Entitlement Management	Tier 0
`microsoft.directory/accessReviews/definitions.groups/create`	Entitlement Management	Tier 0
`microsoft.directory/accessReviews/definitions.groups/delete`	Entitlement Management	Tier 0
`microsoft.directory/deletedItems.groups/restore`	Group Management	Tier 0
`microsoft.directory/deletedItems.users/restore`	Global User Management	Tier 0
`microsoft.directory/entitlementManagement/allProperties/allTasks`	Entitlement Management	Tier 0
`microsoft.directory/groups/assignLicense`	License Management	Tier 0
`microsoft.directory/groups/basic/update`	Group Management	Tier 0
`microsoft.directory/groups/classification/update`	Group Management	Tier 0
`microsoft.directory/groups/create`	Group Management	Tier 0
`microsoft.directory/groups/delete`	Group Management	Tier 0
`microsoft.directory/groups/dynamicMembershipRule/update`	Group Management	Tier 0
`microsoft.directory/groups/groupType/update`	Group Management	Tier 0
`microsoft.directory/groups/members/update`	Group Management	Tier 0
`microsoft.directory/groups/onPremWriteBack/update`	Group Management	Tier 0
`microsoft.directory/groups/owners/update`	Group Management	Tier 0
`microsoft.directory/groups/reprocessLicenseAssignment`	License Management	Tier 0
`microsoft.directory/groups/restore`	Group Management	Tier 0
`microsoft.directory/groups/settings/update`	Group Management	Tier 0
`microsoft.directory/groups/visibility/update`	Group Management	Tier 0
`microsoft.directory/oAuth2PermissionGrants/allProperties/allTasks`	Application and Workload Identity	Tier 0
`microsoft.directory/servicePrincipals/appRoleAssignedTo/update`	Application and Workload Identity	Tier 0
`microsoft.directory/users/assignLicense`	License Management	Tier 0
`microsoft.directory/users/basic/update`	Global User Management	Tier 0
`microsoft.directory/users/convertExternalToInternalMemberUser`	Global User Management	Tier 0
`microsoft.directory/users/create`	Global User Management	Tier 0
`microsoft.directory/users/delete`	Global User Management	Tier 0
`microsoft.directory/users/disable`	Global User Management	Tier 0
`microsoft.directory/users/enable`	Global User Management	Tier 0
`microsoft.directory/users/invalidateAllRefreshTokens`	Global User Management	Tier 0
`microsoft.directory/users/manager/update`	Global User Management	Tier 0
`microsoft.directory/users/password/update`	Global User Management	Tier 0
`microsoft.directory/users/photo/update`	Global User Management	Tier 0
`microsoft.directory/users/reprocessLicenseAssignment`	License Management	Tier 0
`microsoft.directory/users/restore`	Global User Management	Tier 0
`microsoft.directory/users/sponsors/update`	Global User Management	Tier 0
`microsoft.directory/users/usageLocation/update`	Global User Management	Tier 0
`microsoft.directory/users/userPrincipalName/update`	Global User Management	Tier 0
`microsoft.azure.serviceHealth/allEntities/allTasks`	Support and Service Health	Tier 1
`microsoft.azure.supportTickets/allEntities/allTasks`	Support and Service Health	Tier 1
`microsoft.directory/accessReviews/definitions.directoryRoles/allProperties/read`	Tenant Configuration (Reader)	Tier 1
`microsoft.directory/accessReviews/definitions.groups/allProperties/read`	Tenant Configuration (Reader)	Tier 1
`microsoft.directory/contacts/basic/update`	Microsoft Exchange Online	Tier 1
`microsoft.directory/contacts/create`	Microsoft Exchange Online	Tier 1
`microsoft.directory/contacts/delete`	Microsoft Exchange Online	Tier 1
`microsoft.directory/groups.unified/assignedLabels/update`	Microsoft 365 Group Management	Tier 1
`microsoft.directory/groups/hiddenMembers/read`	Tenant Configuration (Reader)	Tier 1
`microsoft.directory/onPremisesSynchronization/standard/read`	Tenant Configuration (Reader)	Tier 1
`microsoft.directory/users/lifeCycleInfo/read`	Tenant Configuration (Reader)	Tier 1
`microsoft.office365.serviceHealth/allEntities/allTasks`	Microsoft 365 Support Operations	Tier 1
`microsoft.office365.supportTickets/allEntities/allTasks`	Microsoft 365 Support Operations	Tier 1
`microsoft.office365.webPortal/allEntities/standard/read`	Microsoft 365 Support Operations	Tier 1
`microsoft.directory/policies/standard/read`	Default member	Tier 2
`microsoft.directory/users/inviteGuest`	External Identities	Tier 2

56 de 56 role actions

PowerShell

Get-MgRoleManagementDirectoryRoleDefinition `
  -UnifiedRoleDefinitionId "fe930be7-5e62-47db-91af-98c3a49a38b1"

Microsoft Graph

GET https://graph.microsoft.com/v1.0/
  roleManagement/directory/
  roleDefinitions/fe930be7-5e62-47db-91af-98c3a49a38b1

Ver documentação oficial na Microsoft Learn

Roles relacionadas

Agent ID Administrator

Tier 0Identity

Agent ID Developer

Tier 0Identity

Agent Registry Administrator

Tier 0Identity

Directory Synchronization Accounts

Tier 0Identity

Directory Writers

Tier 0Identity