Recommended Roles
Because CIPP is an application that touches many parts of Microsoft 365, selecting the right roles can be difficult. The roles below are recommended for CIPP; you may experiment with a less permissive set at your own risk, with the understanding that features depending on a missing role will fail.
Please note that any GDAP relationship that contains the Global Administrator (Company Administrator) role will NOT be eligible for auto-extend, so such a relationship must be renewed manually before its end date.
The table below lists the recommended roles and what each one enables. Microsoft's reference for every built-in role (Entra ID, formerly Azure AD) is at https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference.
| Role Name | Description |
| --- | --- |
| Application Administrator | Can create and manage all applications, service principals, app registrations, enterprise apps, and consent requests. Cannot manage directory roles or security groups. |
| Authentication Policy Administrator | Configures the authentication methods policy and MFA settings, manages Password Protection settings, creates/manages verifiable credentials, and opens Azure support tickets. Cannot update sensitive properties, delete/restore users, or change legacy MFA settings. |
| Billing Administrator | Can perform common billing-related tasks such as updating payment information. |
| Cloud App Security Administrator | Manages all aspects of Defender for Cloud Apps, including policies, alerts, and related configurations. |
| Cloud Device Administrator | Enables, disables, and deletes devices in Entra ID and reads Windows BitLocker recovery keys. Does not grant permission to manage other properties on the device. |
| Domain Name Administrator | Can manage domain names in the cloud and on-premises. |
| Exchange Administrator | Manages all aspects of Exchange Online, including mailboxes, permissions, connectivity, and related settings. Limited access to related Exchange settings in Entra ID. |
| Global Reader | Can read everything a Global Administrator can, but cannot update anything. |
| Intune Administrator | Manages all aspects of Intune, including all related resources, policies, configurations, and tasks. |
| Privileged Authentication Administrator | Sets/resets authentication methods for all users (admin or non-admin) and deletes/restores any user. Manages support tickets in Azure and Microsoft 365. Cannot manage per-user MFA in the legacy MFA portal. |
| Privileged Role Administrator | Manages role assignments in Entra ID and Privileged Identity Management, creates/manages groups, and manages all aspects of PIM and administrative units. Can manage assignments for all Entra roles, including Global Administrator. |
| Security Administrator | Can read security information and reports and manage security-related features, including identity protection, security policies, device management, and threat management in Entra ID and Office 365. |
| SharePoint Administrator | Manages all aspects of SharePoint Online, Microsoft 365 groups, support tickets, and service health. Scoped permissions for Intune, SharePoint, and OneDrive resources. |
| Teams Administrator | Manages all aspects of Microsoft Teams, including telephony, messaging, meetings, teams, Microsoft 365 groups, support tickets, and service health. |
| User Administrator | Manages all aspects of users and groups, manages registration, and resets passwords for limited admins. Cannot manage security-related policies or other configuration objects. |
\* Three of the roles above were, in a previous version of this document, merely suggested. CIPP is transitioning to requiring them as part of your baseline GDAP deployment, given the depth of features being added to the product that need them. Add these three roles to your GDAP Role Mapping and to your Role Template; a future update to the application will include them in the standard Role Template.
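As an added example (not CIPP's own code and not part of the original page), the following PowerShell script audits every active GDAP relationship in the partner tenant against the recommended role set above and flags two things a practitioner cares about: relationships missing a recommended role, and relationships that include Global Administrator and therefore cannot auto-extend. It assumes the Microsoft.Graph PowerShell SDK is installed, that you can consent to the `DelegatedAdminRelationship.Read.All` and `RoleManagement.Read.Directory` scopes, and that the `autoExtendDuration` value `PT0S` means auto-extend is off (the other supported value is `P180D`). Role template IDs are identical in every Microsoft 365 tenant, so the script resolves role names from the partner tenant's own `directoryRoleTemplates` rather than hard-coding GUIDs; the one GUID it does hard-code is the well-known Global Administrator template ID, included as a second check in case a display name is ever localized.

```powershell
# Added example, not CIPP code: audit GDAP relationships against the recommended role set.
# Assumptions: Microsoft.Graph SDK installed; caller can consent to the two read scopes below.

$RecommendedRoles = @(
    'Application Administrator', 'Authentication Policy Administrator', 'Billing Administrator',
    'Cloud App Security Administrator', 'Cloud Device Administrator', 'Domain Name Administrator',
    'Exchange Administrator', 'Global Reader', 'Intune Administrator',
    'Privileged Authentication Administrator', 'Privileged Role Administrator',
    'Security Administrator', 'SharePoint Administrator', 'Teams Administrator',
    'User Administrator'
)

# Well-known role template ID for Global Administrator (same in every tenant).
$GlobalAdminTemplateId = '62e90394-69f5-4237-9190-012177145e10'

function Get-GdapRoleAudit {
    Connect-MgGraph -Scopes 'DelegatedAdminRelationship.Read.All', 'RoleManagement.Read.Directory' -NoWelcome

    # Map roleDefinitionId -> displayName using the partner tenant's role templates.
    $templates = @{}
    $resp = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/directoryRoleTemplates'
    foreach ($t in $resp.value) { $templates[$t.id] = $t.displayName }

    # Page through all delegated admin relationships (the GDAP relationships).
    $uri = 'https://graph.microsoft.com/v1.0/tenantRelationships/delegatedAdminRelationships'
    $relationships = @()
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        $relationships += $page.value
        $uri = $page.'@odata.nextLink'
    } while ($uri)

    foreach ($rel in $relationships | Where-Object { $_.status -eq 'active' }) {
        $roleIds = @($rel.accessDetails.unifiedRoles | ForEach-Object { $_.roleDefinitionId })
        $granted = @($roleIds | ForEach-Object { if ($templates.ContainsKey($_)) { $templates[$_] } else { $_ } })

        # Global Administrator blocks auto-extend, so check both the name and the well-known ID.
        $hasGlobalAdmin = ($granted -contains 'Global Administrator') -or ($roleIds -contains $GlobalAdminTemplateId)
        $missing = @($RecommendedRoles | Where-Object { $_ -notin $granted })

        [pscustomobject]@{
            Customer         = $rel.customer.displayName
            Relationship     = $rel.displayName
            EndDate          = $rel.endDateTime
            AutoExtend       = if ($rel.autoExtendDuration -eq 'PT0S') { 'Off' } else { $rel.autoExtendDuration }
            HasGlobalAdmin   = $hasGlobalAdmin
            AutoExtendBlocked = $hasGlobalAdmin   # GA relationships are never eligible for auto-extend
            MissingRoles     = ($missing -join ', ')
        }
    }
}

# Usage: list every active relationship that is either missing a recommended role or carries GA.
Get-GdapRoleAudit | Where-Object { $_.MissingRoles -or $_.HasGlobalAdmin } | Format-Table -AutoSize
```

Run it from the partner tenant with an account that holds the Admin Agent (or equivalent) rights needed to read delegated admin relationships. A relationship listed with `HasGlobalAdmin` set to True will expire on `EndDate` regardless of what `AutoExtend` says, so treat those rows as renewal work, and treat any non-empty `MissingRoles` as a CIPP feature that will fail for that customer until the role is added to the relationship.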