Recommended Roles
Last updated
Was this helpful?
Last updated
Was this helpful?
As CIPP is an application that touches many parts of M365 selecting the roles might be difficult. The following roles are recommended for CIPP, but you may experiment with less permissive groups at your own risk.
Please note that any relationship that contains the Global Administrator/Company Administrator role will NOT be eligible for auto extend.
The table below outlines the recommended roles for use in CIPP, describing what each role enables. Click on the Role Name to navigate to Microsoft's page for detailed information about each specific role.
Can create and manage all applications, service principals, app registration, enterprise apps, consent requests. Cannot manage directory roles, security groups.
Manages all aspects of users, groups, registration, and resets passwords for limited admins. Cannot manage security-related policies or other configuration objects.
Manages all aspects of Intune, including all related resources, policies, configurations, and tasks.
Manages all aspects of Exchange Online, including mailboxes, permissions, connectivity, and related settings. Limited access to related Exchange settings in Azure AD.
Can read security information and reports, and manages security-related features, including identity protection, security policies, device management, and threat management in Azure AD and Office 365.
Manages all aspects of the Defender for Cloud App Security in Azure AD, including policies, alerts, and related configurations.
Enables, disables, deletes devices in Azure AD, reads Windows 10 BitLocker keys. Does not grant permissions to manage other properties on the device.
Manages all aspects of Microsoft Teams, including telephony, messaging, meetings, teams, Microsoft 365 groups, support tickets, and service health.
Manages all aspects of SharePoint Online, Microsoft 365 groups, support tickets, service health. Scoped permissions for Microsoft Intune, SharePoint, and OneDrive resources.
Sets/resets authentication methods for all users (admin or non-admin), deletes/restores any users. Manages support tickets in Azure and Microsoft 365. Restrictions on managing per-user MFA in legacy MFA portal.
Configures authentication methods policy, MFA settings, manages Password Protection settings, creates/manages verifiable credentials, Azure support tickets. Restrictions on updating sensitive properties, deleting/restoring users, legacy MFA settings.
Manages role assignments in Azure AD, Azure AD Privileged Identity Management, creates/manages groups, manages all aspects of Privileged Identity Management, administrative units. Allows managing assignments for all Azure AD roles including Global Administrator.
These roles are not currently configured with functionality within CIPP but will begin to be incorporated over time. These are the roles that Microsoft recommends in addition to the 12 above to give MSPs the most similar experience of a global administrator without needing global administrator access. Currently these are helpful for enabling them to do things in the native Microsoft portals.
Can manage domain names in cloud and on-premises.
Can read everything that a Global Administrator can but not update anything.
Can perform common billing related tasks like updating payment information.
These roles will begin to be alerted as missing when running GDAP checks. It is recommended that these be added to your and add these three roles to your .