Role-based access control allows assignment of pre-built and custom roles to users and groups. Roles have a series of permitted actions, and can be granted at the tenant level.

Template roles aren't in use, and must be activated prior to first assignment.

Note that this service differs from Azure RBAC, which allows more granular, scoped delegation of permissions to ARM resources.

External access

External access allows users outside of the AAD tenancy to collaborate on documents and access internal applications via AAD. An Azure AD tenant is not required for the external user's organisation: users can instead authenticate via a Microsoft Account.

Common roles

  • Groups Administrator can manage group memberships and add/remove groups. To allow group membership changes, add the user (or one of their other groups) as an owner.
  • Privileged Role Administrator can manage role assignments to users and groups.