# Recommended Roles As CIPP is an application that touches many parts of M365 selecting the roles might be difficult. The following roles are recommended for CIPP, but you may experiment with less permissive groups at your own risk. {% hint style="warning" %} Please note that any relationship that contains the `Global Administrator`/`Company Administrator` role will NOT be eligible for auto extend. {% endhint %} The table below outlines the recommended roles for use in CIPP, describing what each role enables. Click on the Role Name to navigate to Microsoft's [Entra ID built-in roles](https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#cloud-app-security-administrator) page for detailed information about each specific role. ## Roles

Role Name	What it allows for
Application Administrator	Can create and manage all applications, service principals, app registration, enterprise apps, consent requests. Cannot manage directory roles, security groups.
Authentication Policy Administrator	Configures authentication methods policy, MFA settings, manages Password Protection settings, creates/manages verifiable credentials, Azure support tickets. Restrictions on updating sensitive properties, deleting/restoring users, legacy MFA settings.
Billing Administrator*	Can perform common billing related tasks like updating payment information.
Cloud App Security Administrator	Manages all aspects of the Defender for Cloud App Security in Azure AD, including policies, alerts, and related configurations.
Cloud Device Administrator	Enables, disables, deletes devices in Azure AD, reads Windows 10 BitLocker keys. Does not grant permissions to manage other properties on the device.
Domain Name Administrator*	Can manage domain names in cloud and on-premises.
Exchange Administrator	Manages all aspects of Exchange Online, including mailboxes, permissions, connectivity, and related settings. Limited access to related Exchange settings in Azure AD.
Global Reader*	Can read everything that a Global Administrator can but not update anything.
Intune Administrator	Manages all aspects of Intune, including all related resources, policies, configurations, and tasks.
Privileged Authentication Administrator	Sets/resets authentication methods for all users (admin or non-admin), deletes/restores any users. Manages support tickets in Azure and Microsoft 365. Restrictions on managing per-user MFA in legacy MFA portal.
Privileged Role Administrator	Manages role assignments in Azure AD, Azure AD Privileged Identity Management, creates/manages groups, manages all aspects of Privileged Identity Management, administrative units. Allows managing assignments for all Azure AD roles including Global Administrator.
Security Administrator	Can read security information and reports, and manages security-related features, including identity protection, security policies, device management, and threat management in Azure AD and Office 365.
SharePoint Administrator	Manages all aspects of SharePoint Online, Microsoft 365 groups, support tickets, service health. Scoped permissions for Microsoft Intune, SharePoint, and OneDrive resources.
Teams Administrator	Manages all aspects of Microsoft Teams, including telephony, messaging, meetings, teams, Microsoft 365 groups, support tickets, and service health.
User Administrator	Manages all aspects of users, groups, registration, and resets passwords for limited admins. Cannot manage security-related policies or other configuration objects.

{% hint style="warning" %} \*- A previous version of this document merely suggested that these roles were recommended. CIPP is transitioning to requiring these as part of your baseline GDAP deployment given the depth of features being added to the product that require them. It is recommended that these be added to your [GDAP Role Mapping](https://docs.cipp.app/user-documentation/tenant/gdap-management/roles/add) and add these three roles to your [Role Template](https://docs.cipp.app/user-documentation/tenant/gdap-management/role-templates). {% endhint %} ## Handling the Additional Recommended Roles With v10.1, CIPP added the three previously suggested roles to the core recommended roles as part of the code. This is causing many who have been using CIPP for a while to show the missing roles when doing a permission check. Here's our recommended way to best handle resolving these issues: {% stepper %} {% step %} #### Map the Additional Roles Go to `Tenant Administration` > `GDAP Management` > `Role Mappings` and click `Map GDAP Roles`. Select `Billing Administrator`, `Domain Name Administrator`, and `Global Reader` in the dropdown. Hit `Submit` and CIPP will create the `M365 GDAP` groups. {% endstep %} {% step %} #### Add the CIPP Service Account to the New Role Groups If you've added your partner/internal tenant to CIPP, use `Identity Management` > `Administration` > `Users` to add the service account to the three additional security groups. If not, manually complete this in Entra or the Microsoft 365 Admin portal. {% endstep %} {% step %} #### Recreate the CIPP Defaults Role Template In `Tenant Administration` > `GDAP Management` > `Role Templates`, locate your CIPP Defaults role template and delete it. A prompt will show asking if you would like to create the CIPP Defaults template. Click the button to create the defaults. This new template will include all 15 roles. {% endstep %} {% step %} #### Generate New GDAP Relationships {% hint style="warning" %} You cannot add GDAP roles to an existing relationship and there is no supported way to automate this. {% endhint %} From the `Invites` tab, use the `New Invite` action to generate enough invite links with the new CIPP Defaults template to establish new relationships with all your GDAP clients. {% endstep %} {% step %} #### Consent to New GDAP Relationships A Global Administrator in each client tenant will need to consent to the new relationship. {% endstep %} {% step %} #### (Optional) Terminate Old GDAP Relationships From `Tenant Administration` > `GDAP Management` > `Relationships`, select your old relationships and use the action `Terminate Relationship`. This can either be done one by one or using the check boxes and bulk actions. {% endstep %} {% endstepper %}