Microsoft Entra Built-in and Custom Roles
Microsoft Entra Built-in and Custom Roles are fundamental components of Role-Based Access Control (RBAC) within Microsoft Entra ID (formerly Azure AD), enabling administrators to delegate permissions efficiently and securely.

**Built-in Roles:** Microsoft Entra ID provides over 80 predefined built-in roles with fixed sets of permissions. These roles cover common administrative scenarios. Key examples include:

- **Global Administrator:** Has full access to all administrative features and can manage everything across the tenant.
- **User Administrator:** Can create and manage users and groups, reset passwords, and manage licenses.
- **Billing Administrator:** Manages subscriptions and billing-related tasks.
- **Security Administrator:** Can read security information and manage security configurations.
- **Helpdesk Administrator:** Can reset passwords for non-administrators and manage service health.

Built-in roles follow the principle of least privilege, allowing administrators to assign only the permissions necessary for specific job functions. They cannot be modified, ensuring consistency across environments.

**Custom Roles:** When built-in roles don't meet specific organizational needs, administrators can create custom roles. Custom roles require a Microsoft Entra ID P1 or P2 license. Key aspects include:

- **Flexible Permissions:** Administrators select specific permissions from a predefined list to build tailored role definitions.
- **Assignable Scopes:** Custom roles can be scoped at the tenant level, administrative unit level, or specific application registration level.
- **Role Definition:** Includes a name, description, permissions (actions/conditions), and assignable scopes.

**Role Assignment:** Both built-in and custom roles are assigned to users, groups, or service principals. Assignments consist of three elements: the security principal (who), the role definition (what permissions), and the scope (where the permissions apply).

**Best Practices:**

- Always follow the principle of least privilege.
- Use built-in roles whenever possible before creating custom roles.
- Regularly review role assignments using Access Reviews.
- Use Privileged Identity Management (PIM) for just-in-time role activation to reduce standing access risks.

Understanding these roles is essential for the SC-300 exam and effective identity governance.
Microsoft Entra Built-in and Custom Roles: A Complete SC-300 Exam Guide
Why Microsoft Entra Built-in and Custom Roles Matter
Role-based access control (RBAC) in Microsoft Entra ID (formerly Azure Active Directory) is the backbone of identity governance and security in any Microsoft 365 and Azure environment. Understanding built-in and custom roles is critical because they determine who can do what within your directory. Misconfigured roles can lead to privilege escalation, data breaches, or operational failures. For the SC-300 exam, this topic is a foundational pillar under the Implement and Manage User Identities domain.
What Are Microsoft Entra Built-in Roles?
Microsoft Entra ID provides a set of predefined (built-in) roles that cover the most common administrative tasks. These roles follow the principle of least privilege, allowing administrators to assign only the permissions necessary for a specific job function.
Key Built-in Roles You Must Know for the SC-300 Exam:
• Global Administrator – Has access to all administrative features in Microsoft Entra ID and services that use Entra ID identities. The first person who signs up for the tenant becomes a Global Administrator. Only Global Administrators can assign other administrator roles. It is recommended to have no more than 5 Global Administrators in an organization.
• User Administrator – Can create and manage all aspects of users and groups, including resetting passwords for limited admins. Cannot manage Global Administrators.
• Privileged Role Administrator – Can manage role assignments in Microsoft Entra ID and all aspects of Privileged Identity Management (PIM). This is a highly sensitive role.
• Global Reader – Can read everything that a Global Administrator can but cannot make any changes. Useful for auditing and compliance.
• Security Administrator – Can read security information and reports, and manage configuration in Microsoft Entra ID, Identity Protection, PIM, and Microsoft 365 Security Center.
• Security Reader – Read-only access to security features, Identity Protection, and Privileged Identity Management.
• Conditional Access Administrator – Can create and manage Conditional Access policies. Cannot manage MFA settings directly.
• Authentication Administrator – Can set or reset non-password authentication methods for non-admin users. Can force users to re-register against existing non-password credentials.
• Privileged Authentication Administrator – Can set or reset authentication methods for any user, including Global Administrators. Can delete and restore any user account.
• Application Administrator – Can create and manage all aspects of app registrations and enterprise apps, including application proxy.
• Cloud Application Administrator – Same as Application Administrator except cannot manage Application Proxy.
• Groups Administrator – Can create and manage groups and group settings like naming and expiration policies.
• License Administrator – Can manage product licenses on users and groups.
• Helpdesk Administrator – Can reset passwords for non-administrators and Helpdesk Administrators. Cannot reset passwords for higher-privileged roles.
• Exchange Administrator – Has administrative access to Exchange Online.
• SharePoint Administrator – Has administrative access to SharePoint Online.
• Teams Administrator – Can manage the Microsoft Teams service.
• Billing Administrator – Makes purchases, manages subscriptions, manages support tickets, and monitors service health.
What Are Microsoft Entra Custom Roles?
When built-in roles do not precisely match your organization's needs, you can create custom roles. Custom roles allow you to pick specific permissions from a predefined list and bundle them into a new role definition.
Key Facts About Custom Roles:
• Custom roles require a Microsoft Entra ID P1 or P2 license (Premium license).
• Custom roles are created using the Microsoft Entra admin center, Microsoft Graph API, or PowerShell.
• A custom role definition includes a name, description, and a set of permissions (actions and conditions).
• Permissions are defined as resource action strings (e.g., microsoft.directory/applications/credentials/update).
• Custom roles support scoping: you can assign them at the tenant-wide scope, at an administrative unit scope, or at an app registration scope.
• The maximum number of custom role definitions per tenant is 5,000.
• Custom roles can be assigned via Privileged Identity Management (PIM) for just-in-time access.
How Microsoft Entra Roles Work – The Assignment Model
Role assignments in Microsoft Entra ID follow a three-part model:
1. Role Definition – The collection of permissions (built-in or custom).
2. Security Principal – The user, group, or service principal being assigned the role.
3. Scope – The boundary within which the role applies (entire directory, an administrative unit, or a specific app registration).
This is often expressed as: who (principal) gets what access (role definition) over which scope.
Role Assignment Types:
• Direct assignment – Permanently assigned to a user.
• Eligible assignment (via PIM) – User must activate the role before using it. Supports time-limited access, approval workflows, and MFA enforcement at activation.
• Group-based assignment – Roles can be assigned to role-assignable groups. These are special groups that are locked down and can only be managed by privileged roles. The group must be created with the isAssignableToRole property set to true at creation time (this cannot be changed later).
Administrative Units and Role Scoping
Administrative units allow you to restrict the scope of a role assignment to a specific portion of your organization:
• An administrative unit can contain users, groups, and devices.
• Roles assigned at the administrative unit scope only grant permissions over the objects within that administrative unit.
• For example, a Helpdesk Administrator scoped to an administrative unit for the Sales department can only reset passwords for users within that unit.
• Administrative units support dynamic membership rules (similar to dynamic groups).
• Only certain roles can be scoped to administrative units (not all built-in roles support this).
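The custom role definition, the three-part assignment model, and the three scope options above map directly onto Microsoft Graph request bodies. The following Python is an added illustration (not code from this guide or from Microsoft) that assembles those bodies: a roleDefinition with a structurally validated permission string, a role-assignable group with isAssignableToRole fixed at creation, and a roleAssignment whose directoryScopeId encodes tenant, administrative unit, or app registration scope. Every object ID is a constructed placeholder, the permission check is a format check only (it does not consult Microsoft's published action list), and the app-registration scope form (the app's object id with a leading slash) is taken from the Graph documentation as an assumption to verify in your tenant.

```python
"""Assemble Microsoft Graph v1.0 request bodies for creating a custom
Microsoft Entra role, a role-assignable group, and a scoped assignment.

Added illustration, not code from the guide or from Microsoft. Payload
shapes follow the Graph roleDefinition, roleAssignment and group
resources; every object ID used here is a constructed placeholder."""
import json
import re

GRAPH = "https://graph.microsoft.com/v1.0"

# Structural check only: microsoft.directory/<resource>/[<property>/]<action>.
# It does not verify that the string exists in Microsoft's published list.
PERMISSION_RE = re.compile(r"^microsoft\.directory(/[A-Za-z0-9.]+){2,}$")


def is_valid_permission(action):
    """True when the string has the microsoft.directory/resource/action shape."""
    return PERMISSION_RE.match(action) is not None


def custom_role_definition(name, description, actions):
    """Body for POST {GRAPH}/roleManagement/directory/roleDefinitions."""
    bad = [a for a in actions if not is_valid_permission(a)]
    if bad:
        raise ValueError(f"malformed permission string(s): {bad}")
    return {
        "displayName": name,
        "description": description,
        "isEnabled": True,
        "rolePermissions": [{"allowedResourceActions": list(actions)}],
    }


def directory_scope_id(kind, object_id=None):
    """Translate the three scope options into Graph's directoryScopeId."""
    if kind == "tenant":
        return "/"
    if object_id is None:
        raise ValueError(f"{kind} scope needs an object id")
    if kind == "administrativeUnit":
        return f"/administrativeUnits/{object_id}"
    if kind == "application":
        # Single app registration: the app's object id with a leading slash
        # (assumed form, taken from the Graph docs; verify in your tenant).
        return f"/{object_id}"
    raise ValueError(f"unknown scope kind: {kind}")


def role_assignment(principal_id, role_definition_id, scope_kind, scope_object_id=None):
    """Body for POST {GRAPH}/roleManagement/directory/roleAssignments:
    who (principal) gets what (role definition) over which scope."""
    return {
        "@odata.type": "#microsoft.graph.unifiedRoleAssignment",
        "principalId": principal_id,
        "roleDefinitionId": role_definition_id,
        "directoryScopeId": directory_scope_id(scope_kind, scope_object_id),
    }


def role_assignable_group(display_name, mail_nickname):
    """Body for POST {GRAPH}/groups. isAssignableToRole cannot be changed
    after creation, so it is set here, on the create request."""
    return {
        "displayName": display_name,
        "mailNickname": mail_nickname,
        "mailEnabled": False,
        "securityEnabled": True,
        "isAssignableToRole": True,
    }


if __name__ == "__main__":
    # Placeholder ids stand in for the values Graph returns from each POST.
    definition = custom_role_definition(
        "App Credential Rotator",
        "Can rotate credentials on app registrations, nothing else",
        ["microsoft.directory/applications/credentials/update"],
    )
    group = role_assignable_group("App Credential Rotators", "appcredrotators")
    assignment = role_assignment(
        principal_id="<group-object-id>",
        role_definition_id="<role-definition-id>",
        scope_kind="administrativeUnit",
        scope_object_id="<administrative-unit-id>",
    )
    for path, body in (
        ("/roleManagement/directory/roleDefinitions", definition),
        ("/groups", group),
        ("/roleManagement/directory/roleAssignments", assignment),
    ):
        print(f"POST {GRAPH}{path}\n{json.dumps(body, indent=2)}\n")
```

Sending these bodies requires an app or delegated token with the RoleManagement.ReadWrite.Directory (and, for the group, Group.ReadWrite.All) permission; the script deliberately stops at printing the requests so it can be reviewed offline.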
How Built-in and Custom Roles Differ
| Feature | Built-in Roles | Custom Roles |
|---|---|---|
| Predefined | Yes | No – you define them |
| License Requirement | Free tier (most roles) | Entra ID P1 or P2 |
| Modifiable Permissions | No | Yes – fully customizable |
| Scope Options | Tenant or AU (some roles) | Tenant, AU, or app registration |
| PIM Support | Yes (with P2) | Yes (with P2) |
| Maximum Count | ~80+ predefined | Up to 5,000 per tenant |
Best Practices for Role Management
• Follow the principle of least privilege – assign the minimum permissions necessary.
• Limit the number of Global Administrators (recommended: fewer than 5; ideally 2-4).
• Use Privileged Identity Management (PIM) for just-in-time, time-limited, and approval-based role activation.
• Enable access reviews for privileged role assignments.
• Use administrative units to scope permissions for delegated administration.
• Prefer role-assignable groups over direct user assignments for easier management.
• Monitor role assignments using Entra ID audit logs and sign-in logs.
• Use custom roles only when no built-in role provides the required granularity.
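Several of these practices can be checked mechanically against an export of role assignments. The Python below is an added example, not code from this guide or from Microsoft: it reviews a constructed list of assignment records (shaped loosely like Graph roleAssignments joined with the principal type and the PIM assignment type) and reports the Global Administrator count, permanent assignments of highly privileged roles that should be PIM-eligible instead, and privileged roles assigned directly to users rather than to role-assignable groups. The privileged-role set and the break-glass account list are assumptions chosen for the illustration; break-glass accounts are exempted because the guide expects them to hold permanent Global Administrator access.

```python
"""Review Microsoft Entra role assignments against the guidance above.

Added example, not from the guide or from Microsoft. SAMPLE_ASSIGNMENTS is
constructed and only loosely follows the shape of Graph roleAssignments;
PRIVILEGED_ROLES is an assumed subset used for the illustration."""

# Assumed set of roles that warrant PIM-eligible, group-based assignment.
PRIVILEGED_ROLES = {
    "Global Administrator",
    "Privileged Role Administrator",
    "Privileged Authentication Administrator",
}

# Constructed sample: principal ids and scope ids are placeholders.
SAMPLE_ASSIGNMENTS = [
    {"principalId": "u-alice", "principalType": "user", "roleName": "Global Administrator", "assignmentType": "eligible", "directoryScopeId": "/"},
    {"principalId": "u-bob", "principalType": "user", "roleName": "Global Administrator", "assignmentType": "active", "directoryScopeId": "/"},
    {"principalId": "u-breakglass1", "principalType": "user", "roleName": "Global Administrator", "assignmentType": "active", "directoryScopeId": "/"},
    {"principalId": "u-breakglass2", "principalType": "user", "roleName": "Global Administrator", "assignmentType": "active", "directoryScopeId": "/"},
    {"principalId": "u-carol", "principalType": "user", "roleName": "Global Administrator", "assignmentType": "active", "directoryScopeId": "/"},
    {"principalId": "u-dave", "principalType": "user", "roleName": "Global Administrator", "assignmentType": "active", "directoryScopeId": "/"},
    {"principalId": "u-erin", "principalType": "user", "roleName": "Global Administrator", "assignmentType": "eligible", "directoryScopeId": "/"},
    {"principalId": "g-helpdesk-sales", "principalType": "group", "roleName": "Helpdesk Administrator", "assignmentType": "active", "directoryScopeId": "/administrativeUnits/au-sales"},
    {"principalId": "u-frank", "principalType": "user", "roleName": "Privileged Role Administrator", "assignmentType": "active", "directoryScopeId": "/"},
]
BREAK_GLASS = frozenset({"u-breakglass1", "u-breakglass2"})


def review(assignments, break_glass=frozenset(), max_global_admins=5):
    """Return the governance findings for a list of assignment records."""
    global_admins = {a["principalId"] for a in assignments
                     if a["roleName"] == "Global Administrator"}
    privileged = [a for a in assignments
                  if a["roleName"] in PRIVILEGED_ROLES and a["principalId"] not in break_glass]
    # Standing (active) privileged access should be a PIM-eligible assignment.
    permanent = sorted(a["principalId"] for a in privileged if a["assignmentType"] == "active")
    # Privileged roles are easier to govern through role-assignable groups.
    direct_user = sorted(a["principalId"] for a in privileged if a["principalType"] == "user")
    return {
        "global_admin_count": len(global_admins),
        "too_many_global_admins": len(global_admins) > max_global_admins,
        # At least two break-glass accounts, each actually holding Global Administrator.
        "break_glass_ok": len(break_glass) >= 2 and set(break_glass) <= global_admins,
        "permanent_privileged": permanent,
        "direct_user_privileged": direct_user,
    }


def print_report(result):
    print(f"Global Administrators: {result['global_admin_count']}"
          + (" (exceeds recommended maximum)" if result["too_many_global_admins"] else ""))
    print("Break-glass coverage:", "ok" if result["break_glass_ok"] else "MISSING")
    for pid in result["permanent_privileged"]:
        print(f"  {pid}: permanent privileged assignment; convert to PIM-eligible")
    for pid in result["direct_user_privileged"]:
        print(f"  {pid}: privileged role assigned directly to a user; prefer a role-assignable group")


if __name__ == "__main__":
    print_report(review(SAMPLE_ASSIGNMENTS, BREAK_GLASS))
```

In a real tenant the input would come from the Graph roleManagement/directory/roleAssignments and roleEligibilitySchedules endpoints (or the equivalent audit log export); the review logic itself does not change.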
Common Scenarios in the SC-300 Exam
Scenario 1: You need to allow a helpdesk team to reset passwords only for users in a specific department.
Solution: Create an administrative unit for that department, then assign the Helpdesk Administrator role scoped to that administrative unit.
Scenario 2: A developer needs to manage only app registrations but should not have access to any other directory resources.
Solution: Assign the Application Developer role, or create a custom role with only app registration permissions.
Scenario 3: You want a security analyst to view all security-related configurations but not make changes.
Solution: Assign the Security Reader built-in role.
Scenario 4: You need to allow a team lead to manage group memberships for their team's groups only.
Solution: Create an administrative unit containing those groups, then assign the Groups Administrator role scoped to that administrative unit.
Scenario 5: You need to ensure that Global Administrator access is only activated when needed and requires approval.
Solution: Configure PIM with an eligible assignment for the Global Administrator role, requiring approval and MFA at activation.
Exam Tips: Answering Questions on Microsoft Entra Built-in and Custom Roles
1. Know the role hierarchy for password resets: Helpdesk Administrators can reset passwords for non-admins. User Administrators can reset passwords for Helpdesk Admins and non-admins. Authentication Administrators can reset non-password credentials for non-admins. Privileged Authentication Administrators can reset credentials for ANY user, including Global Administrators. This hierarchy is heavily tested.
2. Remember licensing requirements: Custom roles require Entra ID P1 or P2. PIM requires Entra ID P2. If a question involves custom roles and the scenario mentions only a free or basic license, it is NOT a valid solution.
3. Distinguish between Application Administrator and Cloud Application Administrator: The only difference is that Cloud Application Administrator cannot manage Application Proxy. If the scenario involves Application Proxy, the answer must include Application Administrator (not Cloud Application Administrator).
4. Understand administrative unit scoping: Not all roles can be scoped to administrative units. Questions may try to trick you by scoping a role that does not support AU scoping. Common roles that support AU scoping include User Administrator, Helpdesk Administrator, Groups Administrator, License Administrator, and Authentication Administrator.
5. Watch for "least privileged" language: When a question asks for the role that meets requirements with the least privilege, always pick the most restrictive role that still fulfills all requirements. Do not choose Global Administrator unless explicitly required.
6. Role-assignable groups are immutable in their role-assignable property: The isAssignableToRole property must be set at group creation and cannot be changed later. If a question states that an existing group needs to become role-assignable, the answer is to create a new group with the property enabled.
7. Custom role permission format: Know that permissions follow the pattern microsoft.directory/resource/action. Questions may test whether you can identify valid permission strings or select the correct permission for a scenario.
8. PIM eligible vs. active assignments: Eligible means the user must activate the role (just-in-time). Active means the role is permanently assigned. Exam questions often present scenarios where the correct answer is to use eligible assignments for security best practices.
9. Global Reader is read-only: It cannot make any changes. If a scenario requires both reading and modifying configurations, Global Reader alone is insufficient.
10. Conditional Access Administrator cannot manage MFA server settings: This role manages Conditional Access policies only. For MFA configuration, you may need Authentication Policy Administrator or Security Administrator.
11. Maximum custom roles per tenant is 5,000: This is a factual detail that may appear in a question about limits or planning.
12. Privileged Role Administrator vs. Global Administrator: The Privileged Role Administrator manages PIM and role assignments but does NOT have the full set of Global Administrator permissions. Exam questions may test whether you confuse these two roles.
13. Read every answer option carefully: Microsoft often includes role names that sound similar but have different scopes. Pay attention to words like "Cloud," "Privileged," "Authentication," and "Security" as prefixes that significantly change the role's capabilities.
14. When in doubt about scope: Remember the three components – who (principal), what (role definition), and where (scope). Make sure all three match the requirements in the scenario.
15. Emergency access accounts: Best practice recommends having at least two break-glass (emergency access) accounts with Global Administrator roles that are excluded from Conditional Access policies. These should be cloud-only accounts. This concept often appears alongside role management questions.
By mastering these concepts, understanding the differences between built-in and custom roles, knowing the licensing requirements, and applying the principle of least privilege, you will be well-prepared to answer any SC-300 exam question on Microsoft Entra Built-in and Custom Roles.