How to create custom roles in Microsoft Entra ID
Microsoft Entra ID plays a crucial role in managing user access and permissions within organizations. It offers a range of built-in roles designed to streamline user administration, each with a fixed set of permissions tailored for specific tasks. However, as organizations grow in size and complexity, these predefined roles often fall short of meeting diverse operational needs. Large enterprises may require more granular and customized control over user permissions to delegate specific administrative tasks effectively.
This is where custom roles come into play: they let organizations create tailored role definitions for use cases such as targeted access to a select set of objects, for example specific applications or service principals. A custom role can also grant read access to the audit logs alone, which lets specific users monitor activity without receiving any additional administrative privileges. For example, you can create a role that gives some of your IT admins access to the audit logs to check license usage and lets them modify license assignments, while limiting this to the devices in your environment.
Let's see how to create and assign custom roles in Microsoft Entra ID, and how to streamline the process using ManageEngine M365 Manager Plus, a comprehensive tool for reporting, management, monitoring, and auditing. M365 Manager Plus is an all-inclusive solution that lets you create alerts for crucial activities in your Microsoft 365 environments, assign administrative roles to users without elevating their Microsoft 365 privileges, and more.
How to create custom admin roles in Microsoft Entra ID and M365 Manager Plus
Microsoft Entra ID
- Log in to the Microsoft Entra admin center with a user account that has at least the Privileged Role Administrator role assigned to it.
- Navigate to Identity > Roles & Admins > Roles & Admins and click New Custom Role.
- Type in a Name and Description for your custom role and choose from the Baseline permissions field if you want to Start from scratch or Clone from a custom role. If you choose the latter, select the role you want to use as a template from the Role to clone dropdown. After filling in the fields, click Next to proceed.
- Select the permissions you want to assign to the role by clicking the check box next to each one. You can also confirm whether a permission is considered privileged by checking for the Privileged tag in the Privileged column. For this example, we will select the applications/allProperties/update and auditLogs/allProperties/read permissions. When done, click Next.
- Review your custom role's name, description, and selected permissions. Then, click Create.
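The same role can be created from the command line with the Microsoft Graph PowerShell SDK; the block below is an added example, not part of the original page, and assumes the Microsoft.Graph module is installed and the signed-in account holds the Privileged Role Administrator role. The role name and description are made up; the two resource actions are the ones selected in the steps above.

```powershell
# Added example (not from the original page): creates the custom role from the
# walkthrough above with Microsoft Graph PowerShell instead of the admin center.
Import-Module Microsoft.Graph.Identity.Governance

# RoleManagement.ReadWrite.Directory is the delegated permission needed to
# create and read directory role definitions.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"

$roleParams = @{
    displayName = "App and Audit Log Support"      # assumed role name
    description = "Update application properties and read audit logs"
    isEnabled   = $true
    rolePermissions = @(
        @{
            # The two permissions chosen in the portal steps, written with the
            # microsoft.directory/ namespace that Graph expects.
            allowedResourceActions = @(
                "microsoft.directory/applications/allProperties/update"
                "microsoft.directory/auditLogs/allProperties/read"
            )
        }
    )
}

$role = New-MgRoleManagementDirectoryRoleDefinition -BodyParameter $roleParams

# Verify what was actually created before assigning it to anyone: a custom role
# reports IsBuiltIn = $false, and the action list should contain exactly the
# permissions you intended and nothing broader.
$created = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $role.Id
"{0} (custom role: {1})" -f $created.DisplayName, (-not $created.IsBuiltIn)
$created.RolePermissions.AllowedResourceActions
```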
M365 Manager Plus
- Log in to M365 Manager Plus, navigate to Delegation > Help Desk Roles, and click Create New Role.
- Enter the Role Name and Description in the respective text boxes.
- Select the tasks you want to delegate. You can select any number of reports and tasks that you want to delegate.
- Click Save.
How to assign administrative roles in Microsoft Entra ID
The following steps show how to assign the custom roles you created, first in Microsoft Entra ID and then in M365 Manager Plus.
Microsoft Entra ID
- In the Roles and Administrators page, search for the custom role you created and click it.
- Click Add Assignments.
- Under the Select Members field, select the members you want to assign the role to, and click Next.
- Choose either of the two assignment types: Eligible, when you want the user to activate the role or perform another action to use it, such as requesting approval; or Active, when you want to assign the role directly.
- Configure how long the role is assigned to the user using the Assignment starts and Assignment ends fields. If you wish to assign the role without any time limit, select the Permanently assigned check box.
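The Eligible/Active choice and the assignment start and end dates in the steps above map to Privileged Identity Management (PIM) schedule requests in Microsoft Graph; the block below is an added example, not part of the original page, and assumes the Microsoft.Graph module is installed and PIM is available in the tenant. The role name, user UPN, justification text and dates are made-up values.

```powershell
# Added example (not from the original page): assigns the custom role through
# PIM with Microsoft Graph PowerShell, once as a time-bound Active assignment
# and once as a permanent Eligible assignment.
Import-Module Microsoft.Graph.Identity.Governance
Connect-MgGraph -Scopes "RoleAssignmentSchedule.ReadWrite.Directory",
                        "RoleEligibilitySchedule.ReadWrite.Directory",
                        "User.Read.All"

# Look up the custom role and the principal by name instead of hard-coding IDs.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'App and Audit Log Support'"
$user = Get-MgUser -UserId "alex@contoso.example"    # assumed UPN

$start = (Get-Date).ToUniversalTime()
$end   = $start.AddDays(90)

# Active assignment, time-bound: the user holds the role immediately and it
# expires after 90 days (Assignment starts / Assignment ends in the portal).
$activeParams = @{
    action           = "adminAssign"
    justification    = "Quarterly application support duty"
    roleDefinitionId = $role.Id
    directoryScopeId = "/"       # whole tenant; narrow to an admin unit or app where possible
    principalId      = $user.Id
    scheduleInfo     = @{
        startDateTime = $start
        expiration    = @{ type = "afterDateTime"; endDateTime = $end }
    }
}
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $activeParams

# Eligible assignment, permanent: the user must activate the role before using
# it, and each activation is logged (Eligible + Permanently assigned in the portal).
$eligibleParams = @{
    action           = "adminAssign"
    justification    = "Standing eligibility; activations are audited"
    roleDefinitionId = $role.Id
    directoryScopeId = "/"
    principalId      = $user.Id
    scheduleInfo     = @{
        startDateTime = $start
        expiration    = @{ type = "noExpiration" }
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligibleParams

# Confirm the result: list this user's active and eligible schedules for the role.
$filter = "principalId eq '$($user.Id)' and roleDefinitionId eq '$($role.Id)'"
Get-MgRoleManagementDirectoryRoleAssignmentSchedule -Filter $filter
Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter $filter
```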
M365 Manager Plus
- Navigate to Delegation > Help Desk Technicians and click Add New Technician.
- Select the Authentication Type from the drop-down menu as Microsoft 365 Authentication or Active Directory Authentication.
- For Microsoft 365 Authentication, select the Microsoft 365 Tenant, and you can add users from the selected tenant.
- For Active Directory Authentication, select the AD Domain and enter the Domain User Name in the User Principal Name format. You can also add multiple usernames separated by commas.
- Add the users you wish to assign the role to in the Select Microsoft 365 Users field.
- Choose the role you created from the Help Desk Roles drop-down.
- From the Delegate Microsoft 365 Tenants drop-down, select the Microsoft 365 tenants to which you wish to delegate the selected help desk roles.
- Click Add to finish creating new Help Desk Technicians.
How M365 Manager Plus' custom role creation is safer and more intuitive than Microsoft Entra ID's
Custom roles in Microsoft Entra ID provide organizations with the ability to tailor user permissions for enhanced security and compliance, allowing for precise access to resources like audit logs or specific applications. However, these roles can pose risks if misconfigured, potentially leading to over-permissioning and security vulnerabilities.
In contrast, ManageEngine M365 Manager Plus's admin role delegation mitigates these risks by enabling administrators to assign tasks without elevating user privileges across the broader Microsoft 365 environment. You can also delegate granular access permissions, individual tasks, and reports to technicians without elevating their Microsoft 365 privileges.
Here are the benefits of M365 Manager Plus compared to Microsoft Entra ID's role administration process.
- By limiting access strictly to the M365 Manager Plus admin center, users can perform necessary functions—such as password resets and account unlocks—without needing full administrative rights to Microsoft 365. This controlled approach simplifies delegation while maintaining tighter security: even if someone gets hold of a technician's credentials, they would still need access to the M365 Manager Plus admin center to make any changes to the environment.
- With the Technician Audit Log feature of M365 Manager Plus, track what a technician did with their delegated rights. For example, discover what audit reports were generated, which alerts were created, and more.
- You can create virtual tenants to house user objects that satisfy certain conditions under a single point of control, just like an administrative unit. Consolidate all your privileged accounts in one location for easy report generation, task execution, and frequent auditing—without the need to process other accounts.
Benefits of using M365 Manager Plus for Microsoft 365 administration
- Gain access to detailed and critical Microsoft 365 reports without requiring any exclusive licenses.
- Export reports generated in M365 Manager Plus in CSV as well as HTML, PDF, and XLSX.
- Filter your reports once and save them as custom reports that you can access in just a few clicks.
- Keep tabs on risky sign-ins and other activities for Microsoft Entra ID and other services such as Exchange Online, SharePoint Online, and Microsoft Teams, all from a single console.
- Manage users, mailboxes, groups, sites, and contacts effortlessly in bulk without PowerShell scripting.
- Efficiently monitor the health and performance of Microsoft 365 features and endpoints around the clock.