Azure Active Directory gets 16 new built-in roles including Global reader

In August, Microsoft brought Azure Active Directory Domain Service (Azure AD DS) authentication support for Server Message Block (SMB) access in Azure Files. Later in the same month, the tech giant announced that users in the latest Canary, Dev, and Beta channel preview builds of Microsoft Edge would be able to sign in with their Azure AD accounts.

Now, Microsoft has introduced 16 new built-in roles for Azure AD in preview. According to the firm, these roles have been added in order to reduce the number of Global administrators required in a directory. Essentially, these additions help delegate daily administration tasks.

Among the new roles is the "highly requested" Global reader, which can view all information that Global administrators can see but, as one would expect, cannot edit or change anything. It can also be used in combination with other administrative roles such as Exchange administrator. For now, however, the ability to view SharePoint Online settings and administrative information isn't available, though that will be arriving soon.

These roles will be available in the Azure Portal under the Roles and Administrators tab, as can be observed in the image above. There will also be a green flag present beside each of the new roles to help users separate them from the older ones.

You can check out all 16 of them in the table below:

| Role name | Description |
| --- | --- |
| Authentication administrator | View, set, and reset authentication method information and passwords for any non-admin user. |
| Azure DevOps administrator | Manage Azure DevOps organization policy and settings. |
| B2C user flow administrator | Create and manage all aspects of user flows. |
| B2C user flow attribute administrator | Create and manage the attribute schema available to all user flows. |
| B2C IEF Keyset administrator | Manage secrets for federation and encryption in the Identity Experience Framework. |
| B2C IEF Policy administrator | Create and manage trust framework policies in the Identity Experience Framework. |
| Compliance data administrator | Create and manage compliance data and alerts. |
| External Identity Provider administrator | Configure identity providers for use in direct federation. |
| Global reader | View everything a Global administrator can view without the ability to edit or change. |
| Kaizala administrator | Manage settings for Microsoft Kaizala. |
| Message center privacy reader | Read Message center posts, data privacy messages, groups, domains and subscriptions. |
| Password administrator | Reset passwords for non-administrators and Password administrators. |
| Privileged authentication administrator | View, set, and reset authentication method information for any user (admin or non-admin). |
| Security operator | Creates and manages security events. |
| Search administrator | Create and manage all aspects of Microsoft Search settings. |
| Search editor | Create and manage editorial content such as bookmarks, Q & As, locations, floorplan. |

Notably, Microsoft recommends having no more than five Global administrators for one organization, and this change should help in adhering to that limit. The new roles won't be constrained to any specific region; they'll be available globally across all subscriptions. You can learn in more detail about Administrator role permissions in Azure AD here, and provide feedback on the new capabilities here.
