Planning and Allocating Roles
Delegating and Managing Access
Planning Security and Compliance Roles
The course is part of this learning path
This Managing Azure AD User Roles course will teach you how to plan user roles in Microsoft 365 and how to allocate roles in workloads. You will learn how to configure administrative accounts and how to configure RBAC within Azure AD. You'll also learn how to delegate and manage admin roles.
Later in the course, you will learn how to manage role allocations by using Azure AD and how to plan security and compliance roles for Microsoft 365.
- Plan and Allocate User Roles
- Configure Role-Based Access (RBAC)
- Delegate and Manage Admin Access
- Plan Security and Compliance Roles
- IT professionals who are interested in obtaining Microsoft 365 certification
- Those tasked with configuring and managing Office 365 access
- A moderate understanding of Microsoft 365 and of Azure AD
Azure AD Administrator roles are used to create and edit users, to assign admin roles to other users, to reset user passwords, manage domains, user licenses, and such. The table on your screen shows a few of the more key Azure AD Administrator roles. You can see that the Global Administrator is typically used to manage access to all administrative features in Azure Active Directory and to services that federate to Azure Active Directory.
The Global Administrator also assigns admin roles to other users, and resets passwords for users and all other administrators. It's important to note that, whoever signs up for the Azure AD tenant becomes a Global Administrator. The User Administrator creates and manages users and groups, manages support tickets, and monitors service health. The User Administrator also changes passwords for users, Helpdesk administrators, and other User Administrators. The Billing Administrator makes purchases and manages subscriptions, and also manages support tickets, and monitors service health.
So, let's compare Azure RBAC roles versus Azure AD administrator roles. Looking at it from a high level, Azure RBAC roles are used to control permissions for managing Azure resources, while Azure AD administrator roles control permissions to manage Azure Active Directory resources. Other differences between Azure RBAC roles and Azure AD administrator roles include the fact that, while Azure RBAC roles support the creation of custom roles, custom Azure AD administrator roles cannot be created. It's also important to note that Azure RBAC roles can be specified at multiple levels, including management groups, subscriptions, resource groups, and even resources, while Azure AD administrator roles are scoped specifically at the tenant level. When it comes to accessing role information, the role information for Azure RBAC roles can be accessed via the Azure Portal, Azure CLI, Azure PowerShell, Azure Resource Manager Templates, and via the REST API. Azure AD Administrator role information, however, is accessed via the Azure Admin Portal, the Microsoft 365 Admin Center, Microsoft Graph, and via Azure AD PowerShell. The table that you see on your screen highlights these differences.
So, do any Azure RBAC roles and Azure AD administrator roles overlap? Not by default. As a matter of fact, Azure RBAC roles and Azure AD administrator roles, by default, do not even span both Azure and Azure AD. That said, if a Global Admin elevates his access by activating the Global Admin can manage Azure Subscriptions and Management Groups switch in the Azure portal, he will, as a result, be granted the User Access Administrator role, which is, in fact, an RBAC role. He'll be granted this role on all subscriptions for the tenant. This is important to understand, because the User Access Administrator role allows the user to, in turn, grant other users access to Azure resources. It's also important to note that there are some Azure AD administrator roles that span Azure AD and Microsoft Office 365. These roles include the Global Administrator role and the User Administrator role. For example, a user that is a member of the Global Administrator role will have Global Admin access in both Azure AD and in Office 365. In such cases, the user would be able to make changes to Microsoft Exchange and Microsoft SharePoint, but since the roles don't overlap into Azure, the user wouldn't, by default, have access to Azure resources.
So, when you are configuring RBAC within Azure, it's important to understand the differences between Azure RBAC roles and Azure AD administrator roles.
About the Author
Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long an interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.
In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.
In his spare time, Tom enjoys camping, fishing, and playing poker.