Entra Roles & Administrative Units
Delegate admin access safely with built-in roles, custom roles, and administrative units — the principle of least privilege in action.
Why roles matter
Roles are like hotel key cards — they decide which doors you can open.
A guest gets a key card for their room. A cleaner gets a key card for their floor. The hotel manager gets a master key for everything. You wouldn’t give the master key to every guest — that’s a security disaster.
Entra roles work the same way. Instead of making everyone a Global Admin (master key), you give each person the minimum access they need — that’s the principle of least privilege.
Built-in roles — the essentials
Microsoft Entra ID has 80+ built-in roles. The exam focuses on the most common ones:
| Role | What It Can Do | Risk Level |
|---|---|---|
| Global Administrator | Everything in Entra and M365 | Highest — limit to 2-4 people |
| User Administrator | Create/manage users and groups, reset passwords | High |
| Groups Administrator | Create/manage all group types | Medium |
| Authentication Administrator | Manage auth methods, reset passwords (non-admins) | Medium |
| Privileged Authentication Administrator | Reset passwords for ANY user including admins | High |
| Conditional Access Administrator | Create and manage CA policies | High |
| Security Administrator | Read security info, manage security policies | High |
| Security Reader | Read-only access to security features | Low |
| Application Administrator | Manage all app registrations and enterprise apps | Medium |
| Cloud Application Administrator | Same as above, but cannot manage Application Proxy | Medium |
| Helpdesk Administrator | Reset passwords for non-admins, invalidate tokens | Low-Medium |
| License Administrator | Manage license assignments | Low |
Exam tip: Global Admin vs Privileged Role Admin
Global Administrator can do everything, including assigning roles to others. Privileged Role Administrator can manage role assignments (directly and through PIM) and administrative units, but has none of a Global Admin's other powers. Treat it as just as sensitive, though: anyone who can assign roles can assign themselves Global Administrator, so PIM, MFA and approval should cover both.
The exam tests that you know: only Global Admins and Privileged Role Admins can assign roles. You should have no more than 2-4 Global Admins; use more specific roles for everyone else.
Custom roles — when built-in isn’t enough
Sometimes built-in roles are too broad. Custom roles let you pick exactly which permissions to grant.
When to create a custom role:
- A built-in role grants too many permissions for the task
- You need a role that combines permissions from multiple built-in roles
- You want to limit scope to specific resource types
How custom roles work:
- Start with a blank role or clone an existing one
- Add specific permissions (e.g., `microsoft.directory/users/password/update`)
- Set the assignable scope (tenant-wide or administrative unit)
- Assign to users or groups
Scenario: Priya creates a custom role for helpdesk leads
At Meridian Health, helpdesk leads need to:
- Reset passwords for non-admin users
- Read user profiles
- Manage MFA registration
But they should NOT be able to:
- Delete users
- Change group memberships
- Modify Conditional Access policies
Priya creates a custom role called “Helpdesk Lead” with just those three permission sets. This is more restrictive than User Administrator but more capable than Helpdesk Administrator — exactly what Dex and his team need.
Custom role requirements:
- Requires a Microsoft Entra ID P1 or P2 licence
- Maximum of 30 custom roles per tenant (5,000 is the limit for Azure RBAC custom roles, a separate system)
- Permissions use the format `microsoft.directory/{resource}/{propertySet}/{action}`, e.g. `microsoft.directory/users/password/update` or `microsoft.directory/users/standard/read`
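The procedure above, carried through with the Microsoft Graph PowerShell SDK. This is an added example, not the page's or Microsoft's own code. It assumes the SDK is installed, the caller holds Privileged Role Administrator (or Global Administrator), the tenant has P1/P2, and the UPN `dex@meridianhealth.example` exists. The permission set is a cut-down version of the Helpdesk Lead scenario (password reset, profile read, session revocation); confirm each action against the custom-role permission reference before using it in production.

```powershell
# Added example: create a "Helpdesk Lead" custom role and assign it (not code from the page).
# Assumptions: Microsoft.Graph SDK installed; caller is Privileged Role Administrator or Global Admin;
# Entra ID P1/P2 licensed; the UPN below is hypothetical.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All"

# Refuse to create a duplicate: role definitions are matched by displayName here
$existing = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Helpdesk Lead'"
if ($existing) { throw "Custom role 'Helpdesk Lead' already exists: $($existing.Id)" }

# Each action is microsoft.directory/{resource}/{propertySet}/{action}
$roleBody = @{
    displayName     = "Helpdesk Lead"
    description     = "Reset non-admin passwords, read user profiles, revoke sessions. No delete, no groups, no CA."
    isEnabled       = $true
    rolePermissions = @(
        @{
            allowedResourceActions = @(
                "microsoft.directory/users/password/update"             # reset passwords (non-admins only)
                "microsoft.directory/users/standard/read"               # read user profiles
                "microsoft.directory/users/invalidateAllRefreshTokens"  # force sign-out everywhere
            )
        }
    )
}
$role = New-MgRoleManagementDirectoryRoleDefinition -BodyParameter $roleBody
"Created custom role $($role.DisplayName) ($($role.Id))"

# Assign tenant-wide: directoryScopeId "/" means the whole tenant.
# Use "/administrativeUnits/<auId>" instead to scope the same role to one AU.
$dex = Get-MgUser -UserId "dex@meridianhealth.example"   # hypothetical UPN
New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId $role.Id `
    -PrincipalId $dex.Id -DirectoryScopeId "/"

# Verify what was actually granted, straight from the directory
(Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $role.Id).RolePermissions.AllowedResourceActions
```

Note that custom roles cannot express a "deny"; if a built-in role already grants too much, the fix is a narrower custom role like this one, not a subtraction from the built-in.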
Administrative units — scoped management
| Feature | Tenant-Wide Role | Role + Administrative Unit |
|---|---|---|
| Scope | All users/groups/devices in the tenant | Only objects inside the AU |
| Use case | Small org, single IT team | Large org, regional/departmental IT teams |
| Example | User Admin manages all 5,000 users | User Admin manages only 500 users in the Auckland AU |
| Supports custom roles | Yes | Yes (custom roles can be assigned at AU scope) |
| Licence required | Free for built-in roles (P1 for custom roles) | P1 for each admin holding an AU-scoped role; P1 for dynamic membership. AU members need no licence |
Administrative units (AUs) are containers that restrict the scope of a role assignment. Instead of granting a role over the entire tenant, you grant it over a specific subset.
When to recommend administrative units:
- Multiple regional IT teams managing their own users
- Departments that need autonomy without tenant-wide access
- Compliance requirements that mandate separation of admin duties
- Mergers where two organisations share a tenant but need independent management
How to set up an AU:
- Create an AU (e.g., “Auckland Office” or “Finance Department”)
- Add members — users, groups, or devices
- Assign a role scoped to that AU
Scenario: Priya scopes admin by hospital site
Meridian Health has hospitals in Auckland, Wellington, and Christchurch. Each site has its own IT team.
Priya creates three administrative units:
- AU: Auckland Hospital — 2,000 users
- AU: Wellington Hospital — 1,800 users
- AU: Christchurch Hospital — 1,200 users
She assigns each site’s IT lead as User Administrator scoped to their AU. The Auckland IT lead can reset passwords and manage users at Auckland, but can’t touch Wellington or Christchurch users.
Result: Least privilege + operational independence. Each site manages its own identities without needing tenant-wide admin rights.
AU membership types:
- Assigned: manually add specific users, groups, or devices
- Dynamic user: rule-based, e.g. all users where `(user.department -eq "Finance")`, using the same rule syntax as dynamic groups (requires P1)
- Dynamic device: the same, with a rule over device attributes
An AU is either assigned or dynamic, not both: once a membership rule is set you cannot add or remove members by hand, and a dynamic AU holds either users or devices, not a mix.
Evaluating effective permissions
When a user has multiple role assignments, their effective permissions are the union of all granted permissions. Entra roles are additive — they never subtract permissions.
Key rules:
- Multiple role assignments → permissions combine (union)
- No “deny” mechanism — you can’t remove specific permissions from a role
- AU-scoped roles only apply within that AU
- Tenant-wide roles always apply across the entire tenant
- If someone has both tenant-wide and AU-scoped roles, they get both sets of permissions
Important: eligible vs active assignments (PIM)
In organisations using Privileged Identity Management (PIM), a role assignment can be eligible or active:
- Active = the user has the permissions RIGHT NOW
- Eligible = the user CAN activate the role on demand (for a limited time, with approval/MFA)
When evaluating effective permissions, only active assignments count. An eligible Global Admin who hasn’t activated has zero Global Admin permissions until they activate through PIM. This is covered in depth in the PIM module (Domain 4).
Exam tip: evaluating effective permissions
Scenario the exam loves: A user is assigned Helpdesk Administrator at the tenant scope AND User Administrator scoped to an AU. What can they do?
Answer: They can reset passwords for non-admins tenant-wide (Helpdesk Admin), AND create/manage users within the AU (User Administrator). Outside the AU, they only have Helpdesk Admin permissions.
Remember: permissions are additive, scopes are independent, and only active (not eligible) PIM assignments grant permissions.
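The three rules (union, independent scopes, active-only PIM) as a small local evaluator, written as an added example rather than taken from the page. The role-to-action table and Dex's assignments are constructed, deliberately simplified sample data; a real role definition carries far more actions, and the AU identifiers are placeholders. It runs offline in Windows PowerShell 5.1 or PowerShell 7.

```powershell
# Added example: evaluate effective permissions from a list of role assignments (constructed sample data).
# Simplified action sets per role, enough to show the union/scope/PIM rules. Not the real definitions.
$RoleActions = @{
    "Helpdesk Administrator" = @("users/password/update", "users/invalidateAllRefreshTokens", "users/standard/read")
    "User Administrator"     = @("users/create", "users/delete", "users/basic/update", "users/password/update", "groups/members/update")
    "Global Administrator"   = @("*")
}

function Get-EffectiveActions {
    param(
        # Each assignment: Role, Scope ('/' for tenant or '/administrativeUnits/<id>'), State ('Active' or 'Eligible')
        [Parameter(Mandatory)] [array]    $Assignments,
        # AUs the target object belongs to; pass @() for an object in no AU
        [Parameter(Mandatory)] [AllowEmptyCollection()] [string[]] $TargetAUs
    )
    $actions = [System.Collections.Generic.HashSet[string]]::new()
    foreach ($a in $Assignments) {
        # Rule 3: an eligible PIM assignment grants nothing until activated
        if ($a.State -ne 'Active') { continue }
        # Rule 2: tenant scope applies everywhere; AU scope only to objects inside that AU
        $auId    = $a.Scope -replace '^/administrativeUnits/', ''
        $inScope = ($a.Scope -eq '/') -or ($TargetAUs -contains $auId)
        if (-not $inScope) { continue }
        # Rule 1: additive union, no deny anywhere
        foreach ($act in $RoleActions[$a.Role]) { [void]$actions.Add($act) }
    }
    return @($actions | Sort-Object)
}

# Dex: Helpdesk Admin tenant-wide, User Admin scoped to Auckland, eligible (not activated) Global Admin
$dex = @(
    [pscustomobject]@{ Role = 'Helpdesk Administrator'; Scope = '/';                                State = 'Active' }
    [pscustomobject]@{ Role = 'User Administrator';     Scope = '/administrativeUnits/auckland-au';  State = 'Active' }
    [pscustomobject]@{ Role = 'Global Administrator';   Scope = '/';                                State = 'Eligible' }
)

"Against an Auckland user:"   ; Get-EffectiveActions -Assignments $dex -TargetAUs @('auckland-au')
"Against a Wellington user:"  ; Get-EffectiveActions -Assignments $dex -TargetAUs @('wellington-au')
# Auckland: helpdesk actions plus users/create, users/delete, users/basic/update, groups/members/update
# Wellington: helpdesk actions only. The eligible Global Admin contributes nothing in either case.
```

To feed this from a real tenant, pull active assignments with `Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '<id>'"` and eligible ones with `Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter "principalId eq '<id>'"`, and keep the two apart: an audit that counts eligible assignments as permissions overstates exposure, one that ignores them understates it.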
Knowledge Check
Meridian Health has IT teams at three hospital sites. Priya wants each site's IT lead to manage only their site's users. Which approach follows least privilege?
Dex is assigned Helpdesk Administrator at the tenant scope and User Administrator scoped to the Auckland AU. A Wellington user calls about a password reset. Can Dex help?
Anika recommends a client create a custom role for app registration reviewers. The role should only allow reading app registrations and their permissions — nothing else. What is required?
Next up: Managing Users & Groups — create, configure, and automate identity management with bulk operations, custom security attributes, and PowerShell.