For granting access to applications, not intended for users. Can manage network locations and review enterprise network design insights for Microsoft 365 Software as a Service applications. See. This role grants the ability to manage assignments for all Azure AD roles, including the Global Administrator role. Update all properties of access reviews for membership in Security and Microsoft 365 groups, excluding role-assignable groups. Browse to Azure Active Directory > Users > All users. Can perform management-related tasks on Teams certified devices. Users in this role can enable, disable, and delete devices in Azure AD and read Windows 10 BitLocker keys (if present) in the Azure portal. Something you know, typically a password. Can perform common billing-related tasks like updating payment information. Previously, this role was called "Service Administrator" in the Azure portal and Microsoft 365 admin center. Do not use - not intended for general use. Can create and manage all aspects of Microsoft Dynamics 365, Power Apps and Power Automate. You will see the following error: SQL Error [2760] [S0001]: The specified schema name 'user@mydomain.com' either does not exist or you do not have permission to use it. A non-administrator user with a password you know. A group that the non-administrator user is a member of. Turning it on affects the sign-in for users across all the managed domains in your tenant.
As part of a wider deployment of SSPR, Azure AD supports nested groups. Global Reader works with the Microsoft 365 admin center, Exchange admin center, SharePoint admin center, Teams admin center, Security center, Compliance center, Azure AD admin center, and Device Management admin center. If you no longer want to use the SSPR functionality you have set up as part of this tutorial, set the SSPR status to None using the following steps: This section explains common questions from administrators and end-users who try SSPR: Why do federated users wait up to 2 minutes after they see "Your password has been reset" before they can use passwords that are synchronized from on-premises? Users in this role have full access to all knowledge, learning and intelligent features settings in the Microsoft 365 admin center. Whether a Password Administrator can reset a user's password depends on the role the user is assigned. This role can create and manage security groups, but does not have administrator rights over Microsoft 365 groups. From the menu on the left side of the Authentication methods page, set the Number of methods required to reset to 2. Read and configure all properties of the Azure AD Cloud Provisioning service. To create the first contained database user, you must connect to the database by using an Azure AD administrator (who is the owner of the database). It is "Dynamics 365 Administrator" in the Azure portal. For more information, see. Can create and manage all aspects of user flows. Create and manage all aspects of workflows and tasks associated with Lifecycle Workflows in Azure AD. Only the cloud portion of Azure AD, SQL Database, SQL Managed Instance, SQL Server on Windows Azure VMs, and Azure Synapse is considered to support Azure AD native user passwords. This role can also manage taxonomies as part of the term store management tool and create content centers.
This role should not be used as it is deprecated and it will no longer be returned in the API. Therefore the newest versions of these tools and data-tier applications (DAC and BACPAC) can. Manage access using Azure AD for identity governance scenarios. Those apps may have privileged permissions in Azure AD and elsewhere not granted to Authentication Administrators. Assign the Permissions Management Administrator role to users who need to do the following tasks: Learn more about Permissions Management roles and policies at View information about roles/policies. Manage Password Protection settings: smart lockout configurations and updating the custom banned passwords list. Can create and manage all aspects of app registrations and enterprise apps except App Proxy. Open your firewall for those URLs as well. Azure AD users and service principals (Azure AD applications) that are members of more than 2048 Azure AD security groups are not supported to log in to the database in SQL Database, Managed Instance, or Azure Synapse. The following table organizes those differences. Pass-through Authentication signs users in by validating their passwords directly against on-premises Active Directory. The role does not grant permissions to manage any other properties on the device. Smart Lockout assists in locking out bad actors who are trying to guess your users' passwords or using brute-force methods to get in. You can also review the available methods for Azure AD Multi-Factor Authentication and SSPR. For Windows 10, Windows Server 2016 and later versions, it's. More information is available at About Microsoft 365 admin roles. So, any Office group (not security group) that he/she creates should be counted against his/her quota of 250. Azure AD was incorrectly URL encoding the state parameter twice when sending responses back to the client.
This role can reset passwords and invalidate refresh tokens for all non-administrators and administrators (including Global Administrators). These methods require a client secret that you add to the app registration in Azure AD. Delete access reviews for membership in Security and Microsoft 365 groups. Can register and unregister printers and update printer status. Identify one or more additional servers (running Windows Server 2016 or later, with TLS 1.2 enabled) where you can run standalone Authentication Agents. When you set the Authentication connection property in the connection string, the client can choose a preferred Azure AD authentication mode according to the value. Changing the password of a user may mean the ability to assume that user's identity and permissions. Attack payloads are then available to all administrators in the tenant who can use them to create a simulation. Multi-Factor Authentication includes strong authentication with a range of easy verification options: phone call, text message, smart cards with PIN, or mobile app notification. If you are setting up an Azure AD Connect staging server in the future, you must continue to choose Pass-through Authentication as the sign-in option; choosing another option will disable Pass-through Authentication on the tenant and override the setting in the primary server. Global Administrators can reset the password for any user and all other administrators. Currently, you can only enable one Azure AD group for SSPR using the Azure portal. Federation settings need to be synced via Azure AD Connect, so users also have permissions to manage Azure AD Connect. For more information, see Manage access to custom security attributes in Azure AD. Azure AD supports connections from SQL Server Management Studio that use Active Directory Universal Authentication, which includes Multi-Factor Authentication.
Single sign-on automatically signs your users in when they are on their corporate devices, connected to your corporate network. When the administrator is a group account, it can be used by any group member, enabling multiple Azure AD administrators for the server. Changing or disabling this account disables registry access for all users who use its credentials. Each request has a payload size of (0.5K + 1K * num_of_agents) bytes, that is, data from Azure AD to the Authentication Agent. If the password is weak or has been exposed elsewhere, an attacker could be using it to gain access. Choose the user for whom you wish to add an authentication method and select Authentication methods. To learn about licensing, see Features and licenses for Azure AD Multi-Factor Authentication. Can create and manage the authentication methods policy, tenant-wide MFA settings, password protection policy, and verifiable credentials. Since these URLs are used for certificate validation with other Microsoft products, you may already have these URLs unblocked. Something you are - biometrics like a fingerprint or face scan. This role allows for editing of discovered user locations and configuration of network parameters for those locations to facilitate improved telemetry measurements and design recommendations. These users can customize HTML/CSS/JavaScript content, change MFA requirements, select claims in the token, manage API connectors and their credentials, and configure session settings for all user flows in the Azure AD organization. The following table outlines the security considerations for the available authentication methods. Azure Maps supports three ways to authenticate requests: Shared Key authentication, Azure Active Directory (Azure AD) authentication, and Shared Access Signature (SAS) Token authentication. Additionally, the role provides access to all sign-in logs, audit logs, and activity reports in Azure AD and data returned by the Microsoft Graph reporting API.
Create an Azure Files share under your storage account to store your FSLogix profiles if you haven't already. If you assign a service principal to your registry, your application or service can use it for headless authentication. In Azure AD, users assigned to this role will only have read-only access on Azure AD services such as users and groups. Users with this role can create and manage user flows (also called "built-in" policies) in the Azure portal. This ability to impersonate the application's identity may be an elevation of privilege over what the user can do via their role assignments. Seamless SSO is not applicable to Active Directory Federation Services (ADFS). SSO via primary refresh token vs. Seamless SSO. Those groups may grant access to sensitive or private information or critical configuration in Azure AD and elsewhere. If you can't move your user authentication, see the step-by-step guidance for Moving to Azure AD Multi-Factor Authentication. Members of this role can create/manage groups, create/manage groups settings like naming and expiration policies, and view groups activity and audit reports. We do not recommend sharing the admin account credentials among multiple users. Write, publish, manage, and review the organizational messages for end-users through Microsoft product surfaces. Additionally, this role contains the ability to manage users and devices in order to associate policy, as well as create and manage groups. The user can select this link in the SSPR registration process and when they unlock their account or reset their password. Users in this role can manage the Desktop Analytics service. Network performance for Microsoft 365 relies on careful enterprise customer network perimeter architecture, which is generally user location specific.
Output displays the access token, abbreviated here: For registry authentication, we recommend that you store the token credential in a safe location and follow recommended practices to manage docker login credentials. Can read security information and reports, and manage configuration in Azure AD and Office 365. Can read basic directory information. Users in this role can add, remove, and update license assignments on users, groups (using group-based licensing), and manage the usage location on users. In a later tutorial in this series, you'll set up password writeback. Users with this role have global permissions within Microsoft Intune Online, when the service is present. Azure SQL Database. Network Policy Server (NPS) will always use English by default, regardless of custom greetings. For additional information, see Choose the right authentication method for your Azure Active Directory hybrid identity. Single sign-on (SSO): SSO allows the connection to skip the session host credential prompt and automatically sign the user in to Windows. To keep users informed about account activity, you can set up Azure AD to send email notifications when an SSPR event happens. Furthermore, Global Administrators can elevate their access to manage all Azure subscriptions and management groups. Users with this role have permissions to track data in the Microsoft Purview compliance portal, Microsoft 365 admin center, and Azure. Additionally, these users can view the message center, monitor service health, and create service requests. You can configure the lifetime of Azure AD access tokens by using the methods in Configurable token lifetimes in Azure Active Directory. Install these Authentication Agent(s) on server(s) other than the one running Azure AD Connect. Granting a specific set of guest users read access instead of granting it to all guest users.
For example, store the token value in an environment variable: Then, run docker login, passing 00000000-0000-0000-0000-000000000000 as the username and using the access token as the password: Likewise, you can use the token returned by az acr login with the helm registry login command to authenticate with the registry: When working with your registry directly, such as pulling images to and pushing images from a development workstation to a registry you created, authenticate by using your individual Azure identity. This role has no access to view, create, or manage support tickets. Users in this role can create, manage and deploy provisioning configuration setup from AD to Azure AD using Cloud Provisioning, as well as manage Azure AD Connect, Pass-through Authentication (PTA), Password hash synchronization (PHS), Seamless Single Sign-On (Seamless SSO), and federation settings. Why don't other users who have SSPR data pre-populated see the message? The following example uses the testuser account. The content available in these areas is controlled by commerce-specific roles assigned to users to manage products that they bought for themselves or your organization. microsoft.directory/identityProtection/allProperties/update: Update all resources in Azure AD Identity Protection; microsoft.office365.protectionCenter/allEntities/standard/read: Read standard properties of all resources in the Security and Compliance centers; microsoft.office365.protectionCenter/allEntities/basic/update: Update basic properties of all resources in the Security and Compliance centers; View security-related policies across Microsoft 365 services; Read all security reports and settings information for security features. However, users from federated domains continue to sign in by using AD FS or another federation provider that you have previously configured.
This role also grants scoped permissions to the Microsoft Graph API for Microsoft Intune, allowing the management and configuration of policies related to SharePoint and OneDrive resources. Two-factor authentication is enabled in Azure AD. This allows Global Administrators to get full access to all Azure resources using the respective Azure AD tenant. Set Number of days before users are asked to reconfirm their authentication information to 180. When configuring the directory and file-level permissions, review the recommended list of. You can connect application workloads hosted in other Azure virtual networks using one of the following methods: Virtual network peering. Can manage domain names in cloud and on-premises. Avoid all forms of inline inspection and termination on outbound TLS communications between the Azure Passthrough Agent and Azure Endpoint. Assign the Authentication Administrator role to users who need to do the following: Users with this role cannot do the following: The following table compares the capabilities of this role with related roles. More information is available at About Microsoft 365 admin roles. Additionally, this role contains the ability to view groups, domains, and subscriptions. To add authentication methods for a user via the Azure portal: Sign in to the Azure portal. The role does not grant the ability to purchase or manage subscriptions, create or manage groups, or create or manage users beyond the usage location. Something you have, such as a trusted device that's not easily duplicated, like a phone or hardware key. If your token expires, you can refresh it by using the Connect-AzContainerRegistry command again to reauthenticate. If the Azure Active Directory admin was removed from the server, existing Azure Active Directory users created previously inside SQL Server can no longer connect to the database using their Azure Active Directory credentials.
Has read-only access to all information surfaced in Azure AD Privileged Identity Management: policies and reports for Azure AD role assignments and security reviews. The following table outlines when an authentication method can be used during a sign-in event: * Windows Hello for Business, by itself, does not serve as a step-up MFA credential. Users in this role can create and manage content, like topics, acronyms and learning content. The person who signs up for the Azure AD organization becomes a Global Administrator. This granular ability lets you choose a subset of users to test the SSPR registration process and workflow. Users with this role can access tenant-level aggregated data and associated insights in the Microsoft 365 admin center for Usage and Productivity Score but cannot access any user-level details or insights. To learn more about different authentication and validation methods, see Authentication methods in Azure Active Directory. Prior to enabling Pass-through Authentication through Azure AD Connect with Step 2, download the latest release of the PTA agent from the Azure portal. Azure AD will direct users to this registration portal when they sign in next time. Can read everything that a Global Administrator can, but not update anything. "Azure AD B2C is a huge innovation enabler; our development teams don't need to worry about authentication when creating applications." PolyBase cannot authenticate by using Azure AD authentication. It is "Intune Administrator" in the Azure portal. Additionally, this role contains the ability to manage users and devices in order to associate policy, as well as create and manage groups. This administrator manages federation between Azure AD organizations and external identity providers. With this role, users can add new identity providers and configure all available settings (e.g. For more information on Azure AD Multi-Factor Authentication services, see getting started with Azure AD Multi-Factor Authentication.
They receive email notifications for Customer Lockbox requests and can approve and deny requests from the Microsoft 365 admin center. Security questions - only used for SSPR; Email address - only used for SSPR. Assign custom security attribute keys and values to supported Azure AD objects. Can organize, create, manage, and promote topics and knowledge. Knowledge Administrator can create and manage content, like topics, acronyms and learning resources. Can manage calling and meetings features within the Microsoft Teams service. Users in this role can manage Microsoft 365 apps' cloud settings. For more information on Azure AD hybrid identities, the setup, and synchronization, see the following articles: For a sample federated authentication with ADFS infrastructure (or user/password for Windows credentials), see the diagram below. From the menu on the left side of the Notifications page, set up the following options: To apply the notification preferences, select Save. To apply the authentication methods, select Save. Users from a partner organization with an existing Azure AD tenant: If the organization you partner with has an existing Azure AD tenant, we respect whatever password reset policies are enabled on that tenant. Can create or update Exchange Online recipients within the Exchange Online organization. If the Modern Commerce User role is unassigned from a user, they lose access to the Microsoft 365 admin center. This role gives an extra layer of protection on individual user identifiable data, which was requested by both customers and legal teams. For more information, see. It can eliminate storing passwords by enabling integrated Windows authentication and other forms of authentication supported by Azure Active Directory. On successful completion, a Pass-through Authentication Agent is installed on the same server as Azure AD Connect. Can read service health information and manage support tickets.
When some users go through the SSPR process and reset their password, why don't they see the password strength indicator? This role has the ability to read directory information, monitor service health, file support tickets, and access the Insights Administrator settings aspects. * A Global Administrator cannot remove their own Global Administrator assignment. The following table is for roles assigned at the scope of a tenant. This role grants no other Azure DevOps-specific permissions (for example, Project Collection Administrators) inside any of the Azure DevOps organizations backed by the company's Azure AD organization. The Azure AD administrator login can be an Azure AD user or an Azure AD group. If you only use a password to authenticate a user, it leaves an insecure vector for attack. If the authentication methods aren't configured, the user is advised to contact their administrator to reset their password. When users register themselves for Azure AD Multi-Factor Authentication, they can also register for self-service password reset in one step. Can create and manage all aspects of Windows Update deployments through the Windows Update for Business deployment service. Users with this role have all permissions in the Azure Information Protection service. Supported through the SQLCMD utility and SQL Server Management Studio. Using existing Azure AD Multi-Factor Authentication methods; Using a Temporary Access Pass (TAP). A Temporary Access Pass is a time-limited passcode that can be configured for multi- or single-use to allow users to onboard other authentication methods, including passwordless methods such as Microsoft Authenticator, FIDO2 or Azure Active Directory Universal with Multi-Factor Authentication. More information about Office 365 permissions is available at Permissions in the Security & Compliance Center.
For example: Assign the Authentication Policy Administrator role to users who need to do the following: This role is available for assignment only as an additional local administrator in Device settings. Creator is added as the first owner. The configuration steps include the following procedures to configure and use Azure Active Directory authentication. Users in this role can review network perimeter architecture recommendations from Microsoft that are based on network telemetry from their user locations. To enable ID tokens for your app, navigate to the Azure portal and then: Select Azure Active Directory > App registrations > > Authentication. Seamless SSO can be combined with either the Password Hash Synchronization or Pass-through Authentication sign-in methods. The following additional verification methods can be used in certain scenarios: To get started, see the tutorial for self-service password reset (SSPR) and Azure AD Multi-Factor Authentication. Individual identity is recommended for users and service principals for headless scenarios. It is "Power BI Administrator" in the Azure portal. As a result, SSPR updates only the on-premises passwords. If users need more help with the SSPR process, you can customize the "Contact your administrator" link. Can manage Azure DevOps policies and settings. The same functions can be accomplished using the. Can create and manage trust framework policies in the Identity Experience Framework (IEF). The following diagram indicates the federation, trust, and hosting relationships that allow a client to connect to a database by submitting a token. Here are the instructions on how to use this approach: If an Authentication Agent is installed on a Virtual Machine, you can't clone the Virtual Machine to set up another Authentication Agent. The Azure AD Password Protection DC Agent service does log different events to inform you whether a password change or set operation was done.
microsoft.directory/accessReviews/definitions.groups/create. We recommend setting the connection timeout to 30 seconds. For example, you can assign roles to allow adding or changing users, resetting user passwords, managing user licenses, or managing domain names. Users in this role can create and manage all aspects of environments, Power Apps, Flows, and Data Loss Prevention policies. Can view, set, and reset authentication method information for any non-admin user. For on-premises environments, users with this role can configure domain names for federation so that associated users are always authenticated on-premises. If you have already installed Azure AD Connect by using the express installation or the custom installation path, select the Change user sign-in task on Azure AD Connect, and then select Next. The account must also be licensed for Teams or it can't run Teams PowerShell cmdlets. It is "Exchange Online administrator" in the Exchange admin center. The B2C IEF Policy Administrator is a highly sensitive role which should be assigned on a very limited basis for organizations in production. Activities by these users should be closely audited, especially for organizations in production. Granting service principals access to directory where Directory.Read.All is not an option. Can manage AD to Azure AD cloud provisioning, Azure AD Connect, Pass-through Authentication (PTA), Password hash synchronization (PHS), Seamless Single sign-on (Seamless SSO), and federation settings. If you plan to deploy Pass-through Authentication in a production environment, you should install additional standalone Authentication Agents.
If the application's identity has been granted access to a resource, such as the ability to create or update User or other objects, then a user assigned to this role could perform those actions while impersonating the application. Specific properties or aspects of the entity for which access is being granted. Where possible, use authentication methods with the highest level of security. Create and manage verifiable credentials. If you are looking for roles to manage Azure resources, see Azure built-in roles. Manage learning sources and all their properties in Learning App. You can enable Azure AD Multi-Factor Authentication to prompt users and groups for additional verification during sign-in. Users with this role have global read-only access on security-related features, including all information in the Microsoft 365 security center, Azure Active Directory, Identity Protection, Privileged Identity Management, as well as the ability to read Azure Active Directory sign-in reports and audit logs, and in the Office 365 Security & Compliance Center. Azure AD Multi-Factor Authentication (MFA) adds additional security over only using a password when a user signs in. invalid_client: Client authentication failed. Here's a video we created to help you choose the best authentication method to keep your organization safe. For more information, see. Can read security information and reports in Azure AD and Office 365. Applications and container orchestrators can perform unattended, or "headless," authentication by using an Azure Active Directory (Azure AD) service principal. If you use a container registry with Azure Kubernetes Service (AKS) or another Kubernetes cluster, see Scenarios to authenticate with Azure Container Registry from Kubernetes.
Once you've logged in this way, your credentials are cached, and subsequent docker commands in your session do not require a username or password. Only an Azure AD administrator for the server can initially connect to the server or managed instance using an Azure Active Directory account. Users assigned this role can add credentials to an application, and use those credentials to impersonate the application's identity. Installation of the Pass-through Authentication agent on Windows Server Core versions is not supported. A key task a Printer Technician cannot do is set user permissions on printers and sharing printers. On the other hand, this role does not include the ability to review user data or make changes to the attributes that are included in the organization schema. This is useful when you want to deploy multiple Authentication Agents at once, or install Authentication Agents on Windows servers that don't have the user interface enabled, or that you can't access with Remote Desktop. Before users can unlock their account or reset a password, they must register their contact information. For Azure SQL, Azure VMs and SQL Server 2022, Azure AD authentication only supports access tokens which originate from Azure AD and doesn't support third-party access tokens. Users in this role can create and manage all aspects of enterprise applications, application registrations, and application proxy settings. More information at Use the service admin role to manage your Azure AD organization. To estimate network traffic, use the following sizing guidance: For most customers, three Authentication Agents in total are sufficient for high availability and capacity. The following members of Azure AD can be provisioned for Azure SQL Database: Azure AD users that are part of a group that has the db_owner server role cannot use the CREATE DATABASE SCOPED CREDENTIAL syntax against Azure SQL Database and Azure Synapse.
This includes full access to all dashboards and presented insights and data exploration functionality. Assign the Yammer Administrator role to users who need to do the following tasks: The schema for permissions loosely follows the REST format of Microsoft Graph: ///, for example microsoft.directory/applications/credentials/update. Commonly used to grant directory read access to applications and guests. As a benchmark, a single Authentication Agent can handle 300 to 400 authentications per second on a standard 4-core CPU, 16-GB RAM server. Installing multiple Pass-through Authentication Agents ensures high availability, but not deterministic load balancing between the Authentication Agents. For more information, see Self-serve your Surface warranty & service requests. Azure Active Directory (Azure AD) self-service password reset (SSPR) gives users the ability to change or reset their password, with no administrator or help desk involvement. Can view and share dashboards and insights via the Microsoft 365 Insights app. This article explains authentication methods to help guide your implementation of Azure Maps services. Users with this role have global permissions within Microsoft SharePoint Online, when the service is present, as well as the ability to create and manage all Microsoft 365 groups, manage support tickets, and monitor service health. Users in this role can read basic directory information. This role also grants permission to consent on one's own behalf when the "Users can consent to apps accessing company data on their behalf" setting is set to No. Assign the Lifecycle Workflows Administrator role to users who need to do the following tasks: Users in this role can monitor all notifications in the Message Center, including data privacy messages.
If you use a container registry with Azure Kubernetes Service (AKS) or another Kubernetes cluster, see Scenarios to authenticate with Azure Container Registry from Kubernetes. Azure AD supports AuthnContextClassRef values such as urn:oasis:names:tc:SAML:2.0:ac: Azure AD does not account for any time difference between itself and the cloud service (service Delete or restore any users, including Global Administrators. Multiple service principals allow you to define different access for different applications. From the menu on the left side of the Registration page, select Yes for Require users to register when signing in. This usually occurs when the client application isn't registered in Azure AD or isn't added to the user's Azure AD tenant. For example, usage reporting can show how sending SMS text messages before appointments can reduce the number of people who don't show up for appointments. Since SSPR can't determine the password policy of the customer's on-premises environment, it cannot validate password strength or weakness. See. Azure Active Directory B2C organizations: The addition of a federation (for example, with Facebook, or with another Azure AD organization) does not immediately impact end-user flows until the identity provider is added as an option in a user flow (also called a built-in policy). Users assigned to this role are added to the local administrators group on Azure AD-joined devices. Note that users assigned to this role are not added as owners when creating new application registrations or enterprise applications. At the top of the window, select + Add authentication method. Users with this role have global permissions within Microsoft Dynamics 365 Online, when the service is present, as well as the ability to manage support tickets and monitor service health. Additionally, users in this role can claim ownership of orphaned Azure DevOps organizations. Only Global Administrators can reset the passwords of people assigned to this role.
In Microsoft 365 admin center for the two reports, we differentiate between tenant level aggregated data and user level details. To support Windows single sign-on credentials (or user/password for Windows credential), use Azure Active Directory credentials from a federated or managed domain that is configured for seamless single sign-on for pass-through and password hash authentication. This authentication method provides the best user experience and multiple modes, such as passwordless, MFA push notifications, and OATH codes. Manage and share Virtual Visits information and metrics from admin centers or the Virtual Visits app. If you don't intend to use password hash synchronization in conjunction with Pass-through Authentication, read the Azure AD Connect release notes.

Permission actions and their descriptions (one entry per line; where the page gives only an action or only a description, the entry is kept as it appears):

microsoft.directory/adminConsentRequestPolicy/allProperties/allTasks: Manage admin consent request policies in Azure AD
microsoft.directory/appConsent/appConsentRequests/allProperties/read: Read all properties of consent requests for applications registered with Azure AD
microsoft.directory/applications/applicationProxy/read
microsoft.directory/applications/applicationProxy/update
microsoft.directory/applications/applicationProxyAuthentication/update: Update authentication on all types of applications
microsoft.directory/applications/applicationProxySslCertificate/update: Update SSL certificate settings for application proxy
microsoft.directory/applications/applicationProxyUrlSettings/update: Update URL settings for application proxy
microsoft.directory/applications/appRoles/update: Update the appRoles property on all types of applications
microsoft.directory/applications/audience/update: Update the audience property for applications
microsoft.directory/applications/authentication/update
microsoft.directory/applications/basic/update
microsoft.directory/applications/extensionProperties/update: Update extension properties on applications
microsoft.directory/applications/notes/update
microsoft.directory/applications/owners/update
microsoft.directory/applications/permissions/update: Update exposed permissions and required permissions on all types of applications
microsoft.directory/applications/policies/update
microsoft.directory/applications/tag/update
microsoft.directory/applications/verification/update
microsoft.directory/applications/synchronization/standard/read: Read provisioning settings associated with the application object
microsoft.directory/applicationTemplates/instantiate: Instantiate gallery applications from application templates
microsoft.directory/auditLogs/allProperties/read: Read all properties on audit logs, including privileged properties
microsoft.directory/connectors/allProperties/read: Read all properties of application proxy connectors
microsoft.directory/connectorGroups/create: Create application proxy connector groups
microsoft.directory/connectorGroups/delete: Delete application proxy connector groups
microsoft.directory/connectorGroups/allProperties/read: Read all properties of application proxy connector groups
microsoft.directory/connectorGroups/allProperties/update: Update all properties of application proxy connector groups
microsoft.directory/customAuthenticationExtensions/allProperties/allTasks: Create and manage custom authentication extensions
microsoft.directory/deletedItems.applications/delete: Permanently delete applications, which can no longer be restored
microsoft.directory/deletedItems.applications/restore: Restore soft deleted applications to original state
microsoft.directory/oAuth2PermissionGrants/allProperties/allTasks: Create and delete OAuth 2.0 permission grants, and read and update all properties
microsoft.directory/applicationPolicies/create
microsoft.directory/applicationPolicies/delete
microsoft.directory/applicationPolicies/standard/read: Read standard properties of application policies
microsoft.directory/applicationPolicies/owners/read
microsoft.directory/applicationPolicies/policyAppliedTo/read: Read application policies applied to objects list
microsoft.directory/applicationPolicies/basic/update: Update standard properties of application policies
microsoft.directory/applicationPolicies/owners/update: Update the owner property of application policies
microsoft.directory/provisioningLogs/allProperties/read
microsoft.directory/servicePrincipals/create
microsoft.directory/servicePrincipals/delete
microsoft.directory/servicePrincipals/disable
microsoft.directory/servicePrincipals/enable
microsoft.directory/servicePrincipals/getPasswordSingleSignOnCredentials: Manage password single sign-on credentials on service principals
microsoft.directory/servicePrincipals/synchronizationCredentials/manage: Manage application provisioning secrets and credentials
microsoft.directory/servicePrincipals/synchronizationJobs/manage: Start, restart, and pause application provisioning synchronization jobs
microsoft.directory/servicePrincipals/synchronizationSchema/manage: Create and manage application provisioning synchronization jobs and schema
microsoft.directory/servicePrincipals/managePasswordSingleSignOnCredentials: Read password single sign-on credentials on service principals
microsoft.directory/servicePrincipals/managePermissionGrantsForAll.microsoft-application-admin: Grant consent for application permissions and delegated permissions on behalf of any user or all users, except for application permissions for Microsoft Graph
microsoft.directory/servicePrincipals/appRoleAssignedTo/update: Update service principal role assignments
microsoft.directory/servicePrincipals/audience/update: Update audience properties on service principals
microsoft.directory/servicePrincipals/authentication/update: Update authentication properties on service principals
microsoft.directory/servicePrincipals/basic/update: Update basic properties on service principals
microsoft.directory/servicePrincipals/credentials/update
microsoft.directory/servicePrincipals/notes/update
microsoft.directory/servicePrincipals/owners/update
microsoft.directory/servicePrincipals/permissions/update
microsoft.directory/servicePrincipals/policies/update
microsoft.directory/servicePrincipals/tag/update: Update the tag property for service principals
microsoft.directory/servicePrincipals/synchronization/standard/read: Read provisioning settings associated with your service principal
microsoft.directory/signInReports/allProperties/read: Read all properties on sign-in reports, including privileged properties
microsoft.azure.serviceHealth/allEntities/allTasks
microsoft.azure.supportTickets/allEntities/allTasks
microsoft.office365.serviceHealth/allEntities/allTasks: Read and configure Service Health in the Microsoft 365 admin center
microsoft.office365.supportTickets/allEntities/allTasks: Create and manage Microsoft 365 service requests
microsoft.office365.webPortal/allEntities/standard/read: Read basic properties on all resources in the Microsoft 365 admin center
microsoft.directory/applications/createAsOwner: Create all types of applications, and creator is added as the first owner
microsoft.directory/oAuth2PermissionGrants/createAsOwner: Create OAuth 2.0 permission grants, with creator as the first owner
microsoft.directory/servicePrincipals/createAsOwner: Create service principals, with creator as the first owner
microsoft.office365.protectionCenter/attackSimulator/payload/allProperties/allTasks: Create and manage attack payloads in Attack Simulator
microsoft.office365.protectionCenter/attackSimulator/reports/allProperties/read: Read reports of attack simulation responses and associated training
microsoft.office365.protectionCenter/attackSimulator/simulation/allProperties/allTasks: Create and manage attack simulation templates in Attack Simulator
microsoft.directory/attributeSets/allProperties/read
microsoft.directory/customSecurityAttributeDefinitions/allProperties/read: Read all properties of custom security attribute definitions
microsoft.directory/devices/customSecurityAttributes/read: Read custom security attribute values for devices
microsoft.directory/devices/customSecurityAttributes/update: Update custom security attribute values for devices
microsoft.directory/servicePrincipals/customSecurityAttributes/read: Read custom security attribute values for service principals
microsoft.directory/servicePrincipals/customSecurityAttributes/update: Update custom security attribute values for service principals
microsoft.directory/users/customSecurityAttributes/read: Read custom security attribute values for users
microsoft.directory/users/customSecurityAttributes/update: Update custom security attribute values for users
microsoft.directory/attributeSets/allProperties/allTasks
microsoft.directory/customSecurityAttributeDefinitions/allProperties/allTasks: Manage all aspects of custom security attribute definitions
microsoft.directory/users/authenticationMethods/create
microsoft.directory/users/authenticationMethods/delete
microsoft.directory/users/authenticationMethods/standard/restrictedRead: Read standard properties of authentication methods that do not include personally identifiable information for users
microsoft.directory/users/authenticationMethods/basic/update: Update basic properties of authentication methods for users
microsoft.directory/deletedItems.users/restore: Restore soft deleted users to original state
microsoft.directory/users/invalidateAllRefreshTokens: Force sign-out by invalidating user refresh tokens
microsoft.directory/users/password/update
microsoft.directory/users/userPrincipalName/update
microsoft.directory/organization/strongAuthentication/allTasks: Manage all aspects of strong authentication properties of an organization
microsoft.directory/userCredentialPolicies/create
microsoft.directory/userCredentialPolicies/delete
microsoft.directory/userCredentialPolicies/standard/read: Read standard properties of credential policies for users
microsoft.directory/userCredentialPolicies/owners/read: Read owners of credential policies for users
microsoft.directory/userCredentialPolicies/policyAppliedTo/read
microsoft.directory/userCredentialPolicies/basic/update
microsoft.directory/userCredentialPolicies/owners/update: Update owners of credential policies for users
microsoft.directory/userCredentialPolicies/tenantDefault/update: Update policy.isOrganizationDefault property
microsoft.directory/verifiableCredentials/configuration/contracts/cards/allProperties/read
microsoft.directory/verifiableCredentials/configuration/contracts/cards/revoke
microsoft.directory/verifiableCredentials/configuration/contracts/create
microsoft.directory/verifiableCredentials/configuration/contracts/allProperties/read
microsoft.directory/verifiableCredentials/configuration/contracts/allProperties/update
microsoft.directory/verifiableCredentials/configuration/create: Create configuration required to create and manage verifiable credentials
microsoft.directory/verifiableCredentials/configuration/delete: Delete configuration required to create and manage verifiable credentials and delete all of its verifiable credentials
microsoft.directory/verifiableCredentials/configuration/allProperties/read: Read configuration required to create and manage verifiable credentials
microsoft.directory/verifiableCredentials/configuration/allProperties/update: Update configuration required to create and manage verifiable credentials
microsoft.directory/groupSettings/standard/read
microsoft.directory/groupSettingTemplates/standard/read: Read basic properties on group setting templates
microsoft.azure.devOps/allEntities/allTasks
microsoft.directory/authorizationPolicy/standard/read: Read standard properties of authorization policy
microsoft.azure.informationProtection/allEntities/allTasks: Manage all aspects of Azure Information Protection
microsoft.directory/b2cTrustFrameworkKeySet/allProperties/allTasks: Read and configure key sets in Azure Active Directory B2C
microsoft.directory/b2cTrustFrameworkPolicy/allProperties/allTasks: Read and configure custom policies in Azure Active Directory B2C
microsoft.directory/organization/basic/update
microsoft.commerce.billing/allEntities/allProperties/allTasks
microsoft.directory/cloudAppSecurity/allProperties/allTasks: Create and delete all resources, and read and update standard properties in Microsoft Defender for Cloud Apps
microsoft.directory/bitlockerKeys/key/read: Read BitLocker metadata and key on devices
microsoft.directory/deletedItems.devices/delete: Permanently delete devices, which can no longer be restored
microsoft.directory/deletedItems.devices/restore: Restore soft deleted devices to original state
microsoft.directory/deviceManagementPolicies/standard/read: Read standard properties on device management application policies
microsoft.directory/deviceManagementPolicies/basic/update: Update basic properties on device management application policies
microsoft.directory/deviceRegistrationPolicy/standard/read: Read standard properties on device registration policies
microsoft.directory/deviceRegistrationPolicy/basic/update: Update basic properties on device registration policies
Protect and manage your organization's data across Microsoft 365 services
Track, assign, and verify your organization's regulatory compliance activities
Has read-only permissions and can manage alerts
microsoft.directory/entitlementManagement/allProperties/read: Read all properties in Azure AD entitlement management
microsoft.office365.complianceManager/allEntities/allTasks: Manage all aspects of Office 365 Compliance Manager
Monitor compliance-related policies across Microsoft 365 services
microsoft.directory/namedLocations/create: Create custom rules that define network locations
microsoft.directory/namedLocations/delete: Delete custom rules that define network locations
microsoft.directory/namedLocations/standard/read: Read basic properties of custom rules that define network locations
microsoft.directory/namedLocations/basic/update: Update basic properties of custom rules that define network locations
microsoft.directory/conditionalAccessPolicies/create
microsoft.directory/conditionalAccessPolicies/delete
microsoft.directory/conditionalAccessPolicies/standard/read
microsoft.directory/conditionalAccessPolicies/owners/read: Read the owners of conditional access policies
microsoft.directory/conditionalAccessPolicies/policyAppliedTo/read: Read the "applied to" property for conditional access policies
microsoft.directory/conditionalAccessPolicies/basic/update: Update basic properties for conditional access policies
microsoft.directory/conditionalAccessPolicies/owners/update: Update owners for conditional access policies
microsoft.directory/conditionalAccessPolicies/tenantDefault/update: Update the default tenant for conditional access policies
microsoft.office365.lockbox/allEntities/allTasks
microsoft.office365.desktopAnalytics/allEntities/allTasks
microsoft.directory/administrativeUnits/standard/read: Read basic properties on administrative units
microsoft.directory/administrativeUnits/members/read
microsoft.directory/applications/standard/read
microsoft.directory/applications/owners/read
microsoft.directory/applications/policies/read
microsoft.directory/contacts/standard/read: Read basic properties on contacts in Azure AD
microsoft.directory/contacts/memberOf/read: Read the group membership for all contacts in Azure AD
microsoft.directory/contracts/standard/read: Read basic properties on partner contracts
microsoft.directory/devices/standard/read
microsoft.directory/devices/memberOf/read
microsoft.directory/devices/registeredOwners/read
microsoft.directory/devices/registeredUsers/read
microsoft.directory/directoryRoles/standard/read
microsoft.directory/directoryRoles/eligibleMembers/read: Read the eligible members of Azure AD roles
microsoft.directory/directoryRoles/members/read
microsoft.directory/domains/standard/read
Read standard properties of Security groups and Microsoft 365 groups, including role-assignable groups
microsoft.directory/groups/appRoleAssignments/read: Read application role assignments of groups
Read the memberOf property on Security groups and Microsoft 365 groups, including role-assignable groups
Read members of Security groups and Microsoft 365 groups, including role-assignable groups
Read owners of Security groups and Microsoft 365 groups, including role-assignable groups
microsoft.directory/oAuth2PermissionGrants/standard/read: Read basic properties on OAuth 2.0 permission grants
microsoft.directory/organization/standard/read
microsoft.directory/organization/trustedCAsForPasswordlessAuth/read: Read trusted certificate authorities for passwordless authentication
microsoft.directory/roleAssignments/standard/read: Read basic properties on role assignments
microsoft.directory/roleDefinitions/standard/read: Read basic properties on role definitions
microsoft.directory/servicePrincipals/appRoleAssignedTo/read
microsoft.directory/servicePrincipals/appRoleAssignments/read: Read role assignments assigned to service principals
microsoft.directory/servicePrincipals/standard/read: Read basic properties of service principals
microsoft.directory/servicePrincipals/memberOf/read: Read the group memberships on service principals
microsoft.directory/servicePrincipals/oAuth2PermissionGrants/read: Read delegated permission grants on service principals
microsoft.directory/servicePrincipals/owners/read
microsoft.directory/servicePrincipals/ownedObjects/read
microsoft.directory/servicePrincipals/policies/read
microsoft.directory/subscribedSkus/standard/read
microsoft.directory/users/appRoleAssignments/read: Read application role assignments for users
microsoft.directory/users/deviceForResourceAccount/read
microsoft.directory/users/directReports/read
microsoft.directory/users/licenseDetails/read
microsoft.directory/users/oAuth2PermissionGrants/read: Read delegated permission grants on users
microsoft.directory/users/ownedDevices/read
microsoft.directory/users/ownedObjects/read
microsoft.directory/users/registeredDevices/read
microsoft.directory/users/scopedRoleMemberOf/read: Read user's membership of an Azure AD role that is scoped to an administrative unit
microsoft.directory/hybridAuthenticationPolicy/allProperties/allTasks: Manage hybrid authentication policy in Azure AD
microsoft.directory/organization/dirSync/update: Update the organization directory sync property
microsoft.directory/passwordHashSync/allProperties/allTasks: Manage all aspects of Password Hash Synchronization (PHS) in Azure AD
microsoft.directory/policies/standard/read
microsoft.directory/policies/policyAppliedTo/read
microsoft.directory/policies/basic/update
microsoft.directory/policies/owners/update
microsoft.directory/policies/tenantDefault/update
Assign product licenses to groups for group-based licensing
Create Security groups and Microsoft 365 groups, excluding role-assignable groups
microsoft.directory/groups/reprocessLicenseAssignment: Reprocess license assignments for group-based licensing
Update basic properties on Security groups and Microsoft 365 groups, excluding role-assignable groups
microsoft.directory/groups/classification/update: Update the classification property on Security groups and Microsoft 365 groups, excluding role-assignable groups
microsoft.directory/groups/dynamicMembershipRule/update: Update the dynamic membership rule on Security groups and Microsoft 365 groups, excluding role-assignable groups
microsoft.directory/groups/groupType/update: Update properties that would affect the group type of Security groups and Microsoft 365 groups, excluding role-assignable groups
microsoft.directory/groups/members/update: Update members of Security groups and Microsoft 365 groups, excluding role-assignable groups
microsoft.directory/groups/onPremWriteBack/update: Update Azure Active Directory groups to be written back to on-premises with Azure AD Connect
Update owners of Security groups and Microsoft 365 groups, excluding role-assignable groups
microsoft.directory/groups/settings/update
microsoft.directory/groups/visibility/update: Update the visibility property of Security groups and Microsoft 365 groups, excluding role-assignable groups
microsoft.directory/groupSettings/basic/update: Update basic properties on group settings
microsoft.directory/oAuth2PermissionGrants/create
microsoft.directory/oAuth2PermissionGrants/basic/update
microsoft.directory/users/reprocessLicenseAssignment
microsoft.directory/domains/allProperties/allTasks: Create and delete domains, and read and update all properties
microsoft.dynamics365/allEntities/allTasks
microsoft.edge/allEntities/allProperties/allTasks
microsoft.directory/groups/hiddenMembers/read: Read hidden members of Security groups and Microsoft 365 groups, including role-assignable groups
microsoft.directory/groups.unified/create: Create Microsoft 365 groups, excluding role-assignable groups
microsoft.directory/groups.unified/delete: Delete Microsoft 365 groups, excluding role-assignable groups
microsoft.directory/groups.unified/restore: Restore Microsoft 365 groups from soft-deleted container, excluding role-assignable groups
microsoft.directory/groups.unified/basic/update: Update basic properties on Microsoft 365 groups, excluding role-assignable groups
microsoft.directory/groups.unified/members/update: Update members of Microsoft 365 groups, excluding role-assignable groups
microsoft.directory/groups.unified/owners/update: Update owners of Microsoft 365 groups, excluding role-assignable groups
microsoft.office365.exchange/allEntities/basic/allTasks
microsoft.office365.network/performance/allProperties/read: Read all network performance properties in the Microsoft 365 admin center
microsoft.office365.usageReports/allEntities/allProperties/read
microsoft.office365.exchange/recipients/allProperties/allTasks: Create and delete all recipients, and read and update all properties of recipients in Exchange Online
microsoft.office365.exchange/migration/allProperties/allTasks: Manage all tasks related to migration of recipients in Exchange Online
microsoft.directory/b2cUserFlow/allProperties/allTasks: Read and configure user flow in Azure Active Directory B2C
microsoft.directory/b2cUserAttribute/allProperties/allTasks: Read and configure user attribute in Azure Active Directory B2C
microsoft.directory/domains/federation/update
microsoft.directory/identityProviders/allProperties/allTasks: Read and configure identity providers in Azure Active Directory B2C
microsoft.directory/accessReviews/allProperties/allTasks: (Deprecated) Create and delete access reviews, read and update all properties of access reviews, and manage access reviews of groups in Azure AD
microsoft.directory/accessReviews/definitions/allProperties/allTasks: Manage access reviews of all reviewable resources in Azure AD
microsoft.directory/administrativeUnits/allProperties/allTasks: Create and manage administrative units (including members)
microsoft.directory/applications/allProperties/allTasks: Create and delete applications, and read and update all properties
microsoft.directory/users/authenticationMethods/standard/read: Read standard properties of authentication methods for users
microsoft.directory/authorizationPolicy/allProperties/allTasks: Manage all aspects of authorization policy
microsoft.directory/contacts/allProperties/allTasks: Create and delete contacts, and read and update all properties
microsoft.directory/contracts/allProperties/allTasks: Create and delete partner contracts, and read and update all properties
Permanently delete objects, which can no longer be restored
Restore soft deleted objects to original state
microsoft.directory/devices/allProperties/allTasks: Create and delete devices, and read and update all properties
microsoft.directory/directoryRoles/allProperties/allTasks: Create and delete directory roles, and read and update all properties
microsoft.directory/directoryRoleTemplates/allProperties/allTasks: Create and delete Azure AD role templates, and read and update all properties
microsoft.directory/entitlementManagement/allProperties/allTasks: Create and delete resources, and read and update all properties in Azure AD entitlement management
microsoft.directory/groups/allProperties/allTasks: Create and delete groups, and read and update all properties
microsoft.directory/groupsAssignableToRoles/create
microsoft.directory/groupsAssignableToRoles/delete
microsoft.directory/groupsAssignableToRoles/restore
microsoft.directory/groupsAssignableToRoles/allProperties/update
microsoft.directory/groupSettings/allProperties/allTasks: Create and delete group settings, and read and update all properties
microsoft.directory/groupSettingTemplates/allProperties/allTasks: Create and delete group setting templates, and read and update all properties
microsoft.directory/identityProtection/allProperties/allTasks: Create and delete all resources, and read and update standard properties in Azure AD Identity Protection
microsoft.directory/loginOrganizationBranding/allProperties/allTasks: Create and delete loginTenantBranding, and read and update all properties
microsoft.directory/organization/allProperties/allTasks: Read and update all properties for an organization
microsoft.directory/policies/allProperties/allTasks: Create and delete policies, and read and update all properties
microsoft.directory/conditionalAccessPolicies/allProperties/allTasks: Manage all properties of conditional access policies
microsoft.directory/crossTenantAccessPolicy/standard/read: Read basic properties of cross-tenant access policy
microsoft.directory/crossTenantAccessPolicy/allowedCloudEndpoints/update: Update allowed cloud endpoints of cross-tenant access policy
microsoft.directory/crossTenantAccessPolicy/basic/update: Update basic settings of cross-tenant access policy
microsoft.directory/crossTenantAccessPolicy/default/standard/read: Read basic properties of the default cross-tenant access policy
microsoft.directory/crossTenantAccessPolicy/default/b2bCollaboration/update: Update Azure AD B2B collaboration settings of the default cross-tenant access policy
microsoft.directory/crossTenantAccessPolicy/default/b2bDirectConnect/update: Update Azure AD B2B direct connect settings of the default cross-tenant access policy
microsoft.directory/crossTenantAccessPolicy/default/crossCloudMeetings/update: Update cross-cloud Teams meeting settings of the default cross-tenant access policy
microsoft.directory/crossTenantAccessPolicy/default/tenantRestrictions/update: Update tenant restrictions of the default cross-tenant access policy
microsoft.directory/crossTenantAccessPolicy/partners/create: Create cross-tenant access policy for partners
microsoft.directory/crossTenantAccessPolicy/partners/delete: Delete cross-tenant access policy for partners
microsoft.directory/crossTenantAccessPolicy/partners/standard/read: Read basic properties of cross-tenant access policy for partners
microsoft.directory/crossTenantAccessPolicy/partners/b2bCollaboration/update: Update Azure AD B2B collaboration settings of cross-tenant access policy for partners
microsoft.directory/crossTenantAccessPolicy/partners/b2bDirectConnect/update: Update Azure AD B2B direct connect settings of cross-tenant access policy for partners
microsoft.directory/crossTenantAccessPolicy/partners/crossCloudMeetings/update: Update cross-cloud Teams meeting settings of cross-tenant access policy for partners
microsoft.directory/crossTenantAccessPolicy/partners/tenantRestrictions/update: Update tenant restrictions of cross-tenant access policy for partners
microsoft.directory/privilegedIdentityManagement/allProperties/read: Read all resources in Privileged Identity Management
microsoft.directory/roleAssignments/allProperties/allTasks: Create and delete role assignments, and read and update all role assignment properties
microsoft.directory/roleDefinitions/allProperties/allTasks: Create and delete role definitions, and read and update all properties
microsoft.directory/scopedRoleMemberships/allProperties/allTasks: Create and delete scopedRoleMemberships, and read and update all properties
microsoft.directory/serviceAction/activateService: Can perform the "activate service" action for a service
microsoft.directory/serviceAction/disableDirectoryFeature: Can perform the "disable directory feature" service action
microsoft.directory/serviceAction/enableDirectoryFeature: Can perform the "enable directory feature" service action
microsoft.directory/serviceAction/getAvailableExtentionProperties: Can perform the getAvailableExtentionProperties service action
microsoft.directory/servicePrincipals/allProperties/allTasks: Create and delete service principals, and read and update all properties
microsoft.directory/servicePrincipals/managePermissionGrantsForAll.microsoft-company-admin: Grant consent for any permission to any application
microsoft.directory/subscribedSkus/allProperties/allTasks: Buy and manage subscriptions and delete subscriptions
microsoft.directory/users/allProperties/allTasks: Create and delete users, and read and update all properties
microsoft.directory/permissionGrantPolicies/create
microsoft.directory/permissionGrantPolicies/delete
microsoft.directory/permissionGrantPolicies/standard/read: Read standard properties of permission grant policies
microsoft.directory/permissionGrantPolicies/basic/update: Update basic properties of permission grant policies
microsoft.directory/servicePrincipalCreationPolicies/create: Create service principal creation policies
microsoft.directory/servicePrincipalCreationPolicies/delete: Delete service principal creation policies
microsoft.directory/servicePrincipalCreationPolicies/standard/read: Read standard properties of service principal creation policies
microsoft.directory/servicePrincipalCreationPolicies/basic/update: Update basic properties of service principal creation policies
microsoft.directory/tenantManagement/tenants/create: Create new tenants in Azure Active Directory
microsoft.directory/lifecycleWorkflows/workflows/allProperties/allTasks: Manage all aspects of lifecycle workflows and tasks in Azure AD
microsoft.azure.advancedThreatProtection/allEntities/allTasks: Manage all aspects of Azure Advanced Threat Protection
microsoft.cloudPC/allEntities/allProperties/allTasks
Manage all aspects of Microsoft Power Automate
microsoft.insights/allEntities/allProperties/allTasks
microsoft.office365.knowledge/contentUnderstanding/allProperties/allTasks: Read and update all properties of content understanding in Microsoft 365 admin center
microsoft.office365.knowledge/contentUnderstanding/analytics/allProperties/read: Read analytics reports of content understanding in Microsoft 365 admin center
microsoft.office365.knowledge/knowledgeNetwork/allProperties/allTasks: Read and update all properties of knowledge network in Microsoft 365 admin center
microsoft.office365.knowledge/knowledgeNetwork/topicVisibility/allProperties/allTasks: Manage topic visibility of knowledge network in Microsoft 365 admin center
microsoft.office365.knowledge/learningSources/allProperties/allTasks