In August, Microsoft brought Azure Active Directory Domain Service (Azure AD DS) authentication support for Server Message Block (SMB) access in Azure Files. Later in the same month, the tech giant announced that users in the latest Canary, Dev, and Beta channel preview builds of Microsoft Edge would be able to sign in with their Azure AD accounts.
Now, Microsoft has introduced 16 new built-in roles for Azure AD in preview. According to the firm, these roles have been added in order to reduce the number of Global administrators required in a directory. Essentially, these additions help delegate daily administration tasks.
Among the new roles is the "highly requested" Global reader, which can view all information that Global administrators can see but, as one would expect, cannot edit or change anything. It can also be used in combination with other administrative roles such as Exchange administrator. For now, however, the ability to view SharePoint Online settings and administrative information isn't available, though that will be arriving soon.
These roles will be available in the Azure Portal under the Roles and Administrators tab, as can be observed in the image above. There will also be a green flag present beside each of the new roles to help users separate them from the older ones.
You can check out all 16 of them in the table below:
| Role name | Description |
| --- | --- |
| Authentication administrator | View, set, and reset authentication method information and passwords for any non-admin user. |
| Azure DevOps administrator | Manage Azure DevOps organization policy and settings. |
| B2C user flow administrator | Create and manage all aspects of user flows. |
| B2C user flow attribute administrator | Create and manage the attribute schema available to all user flows. |
| B2C IEF Keyset administrator | Manage secrets for federation and encryption in the Identity Experience Framework. |
| B2C IEF Policy administrator | Create and manage trust framework policies in the Identity Experience Framework. |
| Compliance data administrator | Create and manage compliance data and alerts. |
| External Identity Provider administrator | Configure identity providers for use in direct federation. |
| Global reader | View everything a Global administrator can view without the ability to edit or change. |
| Kaizala administrator | Manage settings for Microsoft Kaizala. |
| Message center privacy reader | Read Message center posts, data privacy messages, groups, domains and subscriptions. |
| Password administrator | Reset passwords for non-administrators and Password administrators. |
| Privileged authentication administrator | View, set, and reset authentication method information for any user (admin or non-admin). |
| Security operator | Creates and manages security events. |
| Search administrator | Create and manage all aspects of Microsoft Search settings. |
| Search editor | Create and manage editorial content such as bookmarks, Q & As, locations, floorplan. |
Notably, Microsoft recommends having no more than five Global administrators for one organization, and this change should help in adhering to that limit. The new roles won't be constrained to any specific region; they'll be available globally across all subscriptions. You can learn more about Administrator role permissions in Azure AD here, and provide feedback on the new capabilities here.