Microsoft announces in Azure AD new 16 new built-in roles are included also highly requested Global Reader role is now in public preview. Most of the daily tasks are run by the global administrator and another system administrator cannot do any tasks these new roles can help to reduce the global administrator tasks. These roles are available globally for all subscriptions
Global reader is the read-only counterpart to Global administrator. Assign Global reader instead of Global administrator for planning, audits, or investigations. Use Global reader in combination with other limited admin roles like Exchange Administrator to make it easier to get work done without the assigning the Global Administrator role. The global reader works with Microsoft 365 admin center, Exchange admin center, Teams admin center, Security center, Compliance center, Azure AD admin center, and Device Management admin center.
Global reader role has a few limitations right now –
- SharePoint admin center – SharePoint admin center does not support the Global reader role. You won’t see ‘SharePoint’ in left pane under Admin Centers in Microsoft 365 admin center.
- OneDrive admin center – OneDrive admin center does not support the Global reader role.
- Azure AD portal – Global reader can’t read the provisioning mode of an enterprise app.
- M365 admin center – Global reader can’t read customer lockbox requests. You won’t find the Customer lockbox requests tab under Support in the left pane of M365 Admin Center.
- M365 Security center – Global reader can’t read sensitivity and retention labels. You won’t find Sensitivity labels, Retention labels, and Label analytics tabs in the left pane of the M365 Security center.
- Teams admin center – Global reader cannot read Teams lifecycle, Analytics & reports, IP phone device management and App catalog.
- Privileged Access Management (PAM) doesn’t support the Global reader role.
- Azure Information Protection – Global reader is supported for central reporting only, and when your tenant isn’t on the unified labeling platform.
These features are currently in development.
| Role name | Description |
| Authentication administrator | View, set, and reset authentication method information and passwords for any non-admin user. |
| Azure DevOps administrator | Manage Azure DevOps organization policy and settings. |
| B2C user flow administrator | Create and manage all aspects of user flows. |
| B2C user flow attribute administrator | Create and manage the attribute schema available to all user flows. |
| B2C IEF Keyset administrator | Manage secrets for federation and encryption in the Identity Experience Framework. |
| B2C IEF Policy administrator | Create and manage trust framework policies in the Identity Experience Framework. |
| Compliance data administrator | Create and manage compliance data and alerts. |
| External Identity Provider administrator | Configure identity providers for use in direct federation. |
| Global reader | View everything a Global administrator can view without the ability to edit or change. |
| Kaizala administrator | Manage settings for Microsoft Kaizala. |
| Message center privacy reader | Read Message center posts, data privacy messages, groups, domains and subscriptions. |
| Password administrator | Reset passwords for non-administrators and Password administrators. |
| Privileged authentication administrator | View, set, and reset authentication method information for any user (admin or non-admin). |
| Security operator | Creates and manages security events. |
| Search administrator | Create and manage all aspects of Microsoft Search settings. |
| Search editor | Create and manage editorial content such as bookmarks, Q & As, locations, floorplan. |
