Entra ID – New administration roles for Copilot and agents

If you use Microsoft Entra to manage identity and access control for Microsoft cloud services such as Entra ID or Microsoft 365, you know that Entra ID comes with built-in administration roles that let you delegate least-privilege permissions so that users, mostly IT staff, can perform their tasks.

This means that whenever new capabilities or features arrive that require some level of administration, new Entra ID administration roles are needed and get introduced.

With the growth of Copilot and AI agent deployments, the need to delegate their administration has grown as well, and new Entra ID administration roles are now being made available to delegate Copilot and AI agent management with least privileges.

NOTE These roles are not yet documented in the official Entra ID built-in roles documentation, most likely because they are still being rolled out.

Role: Agent ID Administrator
Manage all aspects of agents in a tenant including identity lifecycle operations for agent blueprints, agent service principals, agent identities, and agentic users.
Id: db506228-d27e-4b7d-95e5-295956d6615f
Role permissions:
microsoft.azure.serviceHealth/allEntities/allTasks
microsoft.azure.supportTickets/allEntities/allTasks
microsoft.directory/accessReviews/definitions.applications/allProperties/allTasks
microsoft.directory/accessReviews/definitions.directoryRoles/allProperties/read
microsoft.directory/accessReviews/definitions.entitlementManagement/allProperties/allTasks
microsoft.directory/accessReviews/definitions.groups/allProperties/read
microsoft.directory/accessReviews/definitions.groups/allProperties/update
microsoft.directory/accessReviews/definitions.groups/create
microsoft.directory/accessReviews/definitions.groups/delete
microsoft.directory/externalUserProfiles/standard/read
microsoft.directory/groups/hiddenMembers/read
microsoft.directory/groups.unified/createAsOwner
microsoft.directory/organization/standard/read
microsoft.directory/policies/standard/read
microsoft.office365.serviceHealth/allEntities/allTasks
microsoft.office365.supportTickets/allEntities/allTasks

Role: Agent ID Developer
Create an agent blueprint and its service principal in a tenant. User will be added as an owner of the agent blueprint and its service principal.
Id: adb2368d-a9be-41b5-8667-d96778e081b0
Role permissions:
microsoft.directory/servicePrincipals/standard/read

Role: Agent Registry Administrator
Manage all aspects of the Agent Registry service in Microsoft Entra ID.
Id: 6b942400-691f-4bf0-9d12-d8a254a2baf5
Role permissions:
microsoft.agentRegistry/allEntities/allProperties/allTasks

Role: AI Administrator
Manage all aspects of Microsoft 365 Copilot and AI-related enterprise services in Microsoft 365.
Id: d2562ede-74db-457e-a7b6-544e236ebb61
Role permissions:
microsoft.azure.serviceHealth/allEntities/allTasks
microsoft.azure.supportTickets/allEntities/allTasks
microsoft.office365.copilot/allEntities/allProperties/allTasks
microsoft.office365.messageCenter/messages/read
microsoft.office365.network/performance/allProperties/read
microsoft.office365.search/content/manage
microsoft.office365.serviceHealth/allEntities/allTasks
microsoft.office365.supportTickets/allEntities/allTasks
microsoft.office365.usageReports/allEntities/allProperties/read
microsoft.office365.webPortal/allEntities/standard/read
microsoft.directory/administrativeUnits/members/read
microsoft.directory/administrativeUnits/standard/read
microsoft.directory/applicationPolicies/standard/read
microsoft.directory/applications/owners/read
microsoft.directory/applications/policies/read
microsoft.directory/applications/standard/read
microsoft.directory/contacts/memberOf/read
microsoft.directory/contacts/standard/read
microsoft.directory/contracts/standard/read
microsoft.directory/devices/memberOf/read
microsoft.directory/devices/registeredOwners/read
microsoft.directory/devices/registeredUsers/read
microsoft.directory/devices/standard/read
microsoft.directory/directoryRoles/eligibleMembers/read
microsoft.directory/directoryRoles/members/read
microsoft.directory/directoryRoles/standard/read
microsoft.directory/domains/standard/read
microsoft.directory/groups/appRoleAssignments/read
microsoft.directory/groupSettings/standard/read
microsoft.directory/groupSettingTemplates/standard/read
microsoft.directory/groups/memberOf/read
microsoft.directory/groups/members/read
microsoft.directory/groups/owners/read
microsoft.directory/groups/settings/read
microsoft.directory/groups/standard/read
microsoft.directory/oAuth2PermissionGrants/standard/read
microsoft.directory/organization/standard/read
microsoft.directory/organization/trustedCAsForPasswordlessAuth/read
microsoft.directory/roleAssignments/standard/read
microsoft.directory/roleDefinitions/standard/read
microsoft.directory/servicePrincipals/appRoleAssignedTo/read
microsoft.directory/servicePrincipals/appRoleAssignments/read
microsoft.directory/servicePrincipals/memberOf/read
microsoft.directory/servicePrincipals/oAuth2PermissionGrants/read
microsoft.directory/servicePrincipals/ownedObjects/read
microsoft.directory/servicePrincipals/owners/read
microsoft.directory/servicePrincipals/policies/read
microsoft.directory/servicePrincipals/standard/read
microsoft.directory/subscribedSkus/standard/read
microsoft.directory/users/appRoleAssignments/read
microsoft.directory/users/deviceForResourceAccount/read
microsoft.directory/users/directReports/read
microsoft.directory/users/invitedBy/read
microsoft.directory/users/licenseDetails/read
microsoft.directory/users/manager/read
microsoft.directory/users/memberOf/read
microsoft.directory/users/oAuth2PermissionGrants/read
microsoft.directory/users/ownedDevices/read
microsoft.directory/users/ownedObjects/read
microsoft.directory/users/photo/read
microsoft.directory/users/registeredDevices/read
microsoft.directory/users/scopedRoleMemberOf/read
microsoft.directory/users/sponsors/read
microsoft.directory/users/standard/read

Role: SharePoint Advanced Management Administrator
Manage all aspects of SharePoint Advanced Management.
Id: 99009c4a-3b3f-4957-82a9-9d35e12db77
Role permissions (this list appeared detached from the table on the source page; it is assumed to belong to this role because it includes the sharePointAdvancedManagement permission):
microsoft.azure.serviceHealth/allEntities/allTasks
microsoft.azure.supportTickets/allEntities/allTasks
microsoft.backup/oneDriveForBusinessProtectionPolicies/allProperties/allTasks
microsoft.backup/oneDriveForBusinessRestoreSessions/allProperties/allTasks
microsoft.backup/restorePoints/sites/allProperties/allTasks
microsoft.backup/restorePoints/userDrives/allProperties/allTasks
microsoft.backup/sharePointProtectionPolicies/allProperties/allTasks
microsoft.backup/sharePointRestoreSessions/allProperties/allTasks
microsoft.backup/siteProtectionUnits/allProperties/allTasks
microsoft.backup/siteRestoreArtifacts/allProperties/allTasks
microsoft.backup/userDriveProtectionUnits/allProperties/allTasks
microsoft.backup/userDriveRestoreArtifacts/allProperties/allTasks
microsoft.directory/groups/hiddenMembers/read
microsoft.directory/groups.unified/assignedLabels/update
microsoft.directory/groups.unified/basic/update
microsoft.directory/groups.unified/create
microsoft.directory/groups.unified/delete
microsoft.directory/groups.unified/members/update
microsoft.directory/groups.unified/owners/update
microsoft.directory/groups.unified/restore
microsoft.office365.migrations/allEntities/allProperties/allTasks
microsoft.office365.network/performance/allProperties/read
microsoft.office365.serviceHealth/allEntities/allTasks
microsoft.office365.sharePointAdvancedManagement/allEntities/allProperties/allTasks
microsoft.office365.sharePoint/allEntities/allTasks
microsoft.office365.supportTickets/allEntities/allTasks
microsoft.office365.usageReports/allEntities/allProperties/read
microsoft.office365.webPortal/allEntities/standard/read
microsoft.directory/administrativeUnits/members/read
microsoft.directory/administrativeUnits/standard/read
microsoft.directory/applicationPolicies/standard/read
microsoft.directory/applications/owners/read
microsoft.directory/applications/policies/read
microsoft.directory/applications/standard/read
microsoft.directory/contacts/memberOf/read
microsoft.directory/contacts/standard/read
microsoft.directory/contracts/standard/read
microsoft.directory/devices/memberOf/read
microsoft.directory/devices/registeredOwners/read
microsoft.directory/devices/registeredUsers/read
microsoft.directory/devices/standard/read
microsoft.directory/directoryRoles/eligibleMembers/read
microsoft.directory/directoryRoles/members/read
microsoft.directory/directoryRoles/standard/read
microsoft.directory/domains/standard/read
microsoft.directory/groups/appRoleAssignments/read
microsoft.directory/groupSettings/standard/read
microsoft.directory/groupSettingTemplates/standard/read
microsoft.directory/groups/memberOf/read
microsoft.directory/groups/members/read
microsoft.directory/groups/owners/read
microsoft.directory/groups/settings/read
microsoft.directory/groups/standard/read
microsoft.directory/oAuth2PermissionGrants/standard/read
microsoft.directory/organization/standard/read
microsoft.directory/organization/trustedCAsForPasswordlessAuth/read
microsoft.directory/roleAssignments/standard/read
microsoft.directory/roleDefinitions/standard/read
microsoft.directory/servicePrincipals/appRoleAssignedTo/read
microsoft.directory/servicePrincipals/appRoleAssignments/read
microsoft.directory/servicePrincipals/memberOf/read
microsoft.directory/servicePrincipals/oAuth2PermissionGrants/read
microsoft.directory/servicePrincipals/ownedObjects/read
microsoft.directory/servicePrincipals/owners/read
microsoft.directory/servicePrincipals/policies/read
microsoft.directory/servicePrincipals/standard/read
microsoft.directory/subscribedSkus/standard/read
microsoft.directory/users/appRoleAssignments/read
microsoft.directory/users/deviceForResourceAccount/read
microsoft.directory/users/directReports/read
microsoft.directory/users/invitedBy/read
microsoft.directory/users/licenseDetails/read
microsoft.directory/users/manager/read
microsoft.directory/users/memberOf/read
microsoft.directory/users/oAuth2PermissionGrants/read
microsoft.directory/users/ownedDevices/read
microsoft.directory/users/ownedObjects/read
microsoft.directory/users/photo/read
microsoft.directory/users/registeredDevices/read
microsoft.directory/users/scopedRoleMemberOf/read
microsoft.directory/users/sponsors/read
microsoft.directory/users/standard/read
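Since these roles are not yet in the official documentation, the practical check is to see whether they already exist in your tenant, which of their actions go beyond plain reads, and who holds them. The following is an added example (not code from the original post) using the Microsoft Graph PowerShell SDK; it assumes the Microsoft.Graph module is installed and that you sign in with an account permitted to read role definitions and assignments.

```powershell
# Added example, not from the original post: inventory the new Copilot/agent roles
# listed above and their active assignments via the Microsoft Graph PowerShell SDK.
# Assumes the Microsoft.Graph module is installed and the signed-in account can read
# role definitions and role assignments.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory" -NoWelcome

# Display names as listed in the post. Looking roles up by name also covers the
# SharePoint Advanced Management role, whose id is incomplete in the post.
$roleNames = @(
    "Agent ID Administrator",
    "Agent ID Developer",
    "Agent Registry Administrator",
    "AI Administrator",
    "SharePoint Advanced Management Administrator"
)

foreach ($name in $roleNames) {
    $def = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$name'"
    if (-not $def) {
        Write-Warning "'$name' is not available in this tenant yet"
        continue
    }

    Write-Host "`n== $($def.DisplayName) ($($def.Id)) =="

    # Everything that is not a plain read (allTasks, create, update, delete, manage...)
    # is what makes the role powerful, so list those actions separately.
    $writeActions = $def.RolePermissions.AllowedResourceActions |
        Where-Object { $_ -notmatch '/read$' }
    Write-Host "Non-read actions ($(@($writeActions).Count)):"
    $writeActions | ForEach-Object { Write-Host "  $_" }

    # Active assignments only. PIM-eligible assignments are not returned here; they
    # live under Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance.
    $assignments = Get-MgRoleManagementDirectoryRoleAssignment `
        -Filter "roleDefinitionId eq '$($def.Id)'" -ExpandProperty principal
    Write-Host "Active assignments ($(@($assignments).Count)):"
    foreach ($a in $assignments) {
        $p = $a.Principal.AdditionalProperties
        Write-Host ("  {0} [{1}] scope={2}" -f $p['displayName'], $p['@odata.type'], $a.DirectoryScopeId)
    }
}
```

Compare the returned ids with the ones listed above; a different id or a missing role simply means the rollout has not reached your tenant yet.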
