EAM Role Catalog
Every built-in Microsoft Entra directory role, mapped to its Enterprise Access Model (EAM) plane, its Securing Privileged Access (SPA) security level, and a recommended PIM activation policy. Use it to decide what expectedConfig each role should have before you author access-model files.
Every value carries a label showing how far you can trust it, from "Microsoft says so" down to "derived by rule". Nothing here is invented silently. The legend below explains the labels.
Rows are planes (blast radius), columns are levels (strictness).
| plane ↓ / level → | Privileged | Specialized | Enterprise | Σ |
|---|---|---|---|---|
| Control | 29 | 17 | 16 | 62 |
| Management | 14 | 47 | 1 | 62 |
| Data | 1 | 0 | 19 | 20 |
| Σ | 44 | 64 | 36 | 144 |
| Role | Plane | Level | isPriv | Max activation |
|---|---|---|---|---|
| Agent ID Administrator | Control | Privileged | yes | 1 hour |
| Agent ID Developer (note) | Control | Specialized | no | 4 hours |
| Agent Registry Administrator (note) | Control | Specialized | no | 4 hours |
| AI Administrator | Management | Privileged | yes | 1 hour |
| AI Reader (note) | Data | Privileged | yes | 1 hour |
| Application Administrator | Control | Privileged | yes | 1 hour |
| Application Developer | Control | Privileged | yes | 1 hour |
| Attack Payload Author | Management | Specialized | no | 4 hours |
| Attack Simulation Administrator | Management | Specialized | no | 4 hours |
| Attribute Assignment Administrator | Control | Specialized | no | 4 hours |
| Attribute Assignment Reader | Control | Enterprise | no | 8 hours |
| Attribute Definition Administrator (note) | Control | Specialized | no | 4 hours |
| Attribute Definition Reader | Control | Enterprise | no | 8 hours |
| Attribute Log Administrator | Control | Enterprise | no | 8 hours |
| Attribute Log Reader | Control | Enterprise | no | 8 hours |
| Attribute Provisioning Administrator | Control | Privileged | yes | 1 hour |
| Attribute Provisioning Reader (note) | Control | Privileged | yes | 1 hour |
| Authentication Administrator | Control | Privileged | yes | 1 hour |
| Authentication Extensibility Administrator | Control | Privileged | yes | 1 hour |
| Authentication Extensibility Password Administrator | Control | Privileged | yes | 1 hour |
| Authentication Policy Administrator | Control | Specialized | no | 4 hours |
| Azure AD Joined Device Local Administrator (note) | Management | Specialized | no | 4 hours |
| Azure DevOps Administrator (note) | Management | Privileged | no* | 1 hour |
| Azure Information Protection Administrator | Management | Specialized | no | 4 hours |
| B2C IEF Keyset Administrator | Control | Privileged | yes | 1 hour |
| B2C IEF Policy Administrator | Control | Specialized | no | 4 hours |
| Billing Administrator | Management | Specialized | no | 4 hours |
| Cloud App Security Administrator | Control | Specialized | no | 4 hours |
| Cloud Application Administrator | Control | Privileged | yes | 1 hour |
| Cloud Device Administrator | Management | Privileged | yes | 1 hour |
| Compliance Administrator | Management | Specialized | no | 4 hours |
| Compliance Data Administrator | Management | Specialized | no | 4 hours |
| Conditional Access Administrator | Control | Privileged | yes | 1 hour |
| Customer Delegated Admin Relationship Administrator (note) | Control | Specialized | no | 4 hours |
| Customer LockBox Access Approver | Control | Enterprise | no | 8 hours |
| Desktop Analytics Administrator | Management | Specialized | no | 4 hours |
| Device Join | Data | Enterprise | no | 8 hours |
| Device Managers (note) | Management | Specialized | no | 4 hours |
| Device Users | Data | Enterprise | no | 8 hours |
| Directory Readers | Control | Enterprise | no | 8 hours |
| Directory Synchronization Accounts (note) | Control | Specialized | no | 4 hours |
| Directory Writers | Control | Privileged | yes | 1 hour |
| Domain Name Administrator | Control | Privileged | yes | 1 hour |
| Dragon Administrator | Management | Specialized | no | 4 hours |
| Dynamics 365 Administrator (note) | Management | Privileged | no* | 1 hour |
| Dynamics 365 Business Central Administrator | Management | Specialized | no | 4 hours |
| Edge Administrator | Management | Specialized | no | 4 hours |
| Entra Backup Administrator | Management | Specialized | no | 4 hours |
| Entra Backup Reader | Data | Enterprise | no | 8 hours |
| Entra Customer Lockbox Approver | Control | Enterprise | no | 8 hours |
| Exchange Administrator (note) | Management | Privileged | no* | 1 hour |
| Exchange Backup Administrator | Management | Specialized | no | 4 hours |
| Exchange Recipient Administrator | Management | Specialized | no | 4 hours |
| Extended Directory User Administrator (note) | Control | Specialized | no | 4 hours |
| External ID User Flow Administrator | Control | Specialized | no | 4 hours |
| External ID User Flow Attribute Administrator (note) | Control | Specialized | no | 4 hours |
| External Identity Provider Administrator | Control | Privileged | yes | 1 hour |
| Fabric Administrator (note) | Management | Privileged | no* | 1 hour |
| Global Administrator | Control | Privileged | yes | 1 hour |
| Global Reader (note) | Control | Privileged | yes | 1 hour |
| Global Secure Access Administrator (note) | Control | Specialized | no | 4 hours |
| Global Secure Access Log Reader | Data | Enterprise | no | 8 hours |
| Groups Administrator | Control | Specialized | no | 4 hours |
| Guest Inviter | Control | Enterprise | no | 8 hours |
| Guest User | Control | Enterprise | no | 8 hours |
| Helpdesk Administrator (note) | Control | Privileged | yes | 1 hour |
| Hybrid Identity Administrator | Control | Privileged | yes | 1 hour |
| Identity Governance Administrator | Control | Privileged | yes | 1 hour |
| Insights Administrator | Management | Specialized | no | 4 hours |
| Insights Analyst | Data | Enterprise | no | 8 hours |
| Insights Business Leader | Data | Enterprise | no | 8 hours |
| Intune Administrator | Management | Privileged | yes | 1 hour |
| IoT Device Administrator | Management | Specialized | no | 4 hours |
| Kaizala Administrator | Management | Specialized | no | 4 hours |
| Knowledge Administrator (note) | Management | Privileged | no* | 1 hour |
| Knowledge Manager (note) | Management | Privileged | no* | 1 hour |
| License Administrator | Management | Specialized | no | 4 hours |
| Lifecycle Workflows Administrator | Control | Privileged | yes | 1 hour |
| Message Center Privacy Reader | Data | Enterprise | no | 8 hours |
| Message Center Reader | Data | Enterprise | no | 8 hours |
| Microsoft 365 Backup Administrator | Management | Specialized | no | 4 hours |
| Microsoft 365 Migration Administrator | Management | Specialized | no | 4 hours |
| Microsoft Graph Data Connect Administrator | Management | Specialized | no | 4 hours |
| Microsoft Hardware Warranty Administrator | Management | Specialized | no | 4 hours |
| Microsoft Hardware Warranty Specialist | Data | Enterprise | no | 8 hours |
| Network Administrator | Management | Specialized | no | 4 hours |
| Office Apps Administrator | Management | Specialized | no | 4 hours |
| On Premises Directory Sync Account (note) | Control | Specialized | no | 4 hours |
| Organizational Branding Administrator | Control | Enterprise | no | 8 hours |
| Organizational Data Source Administrator | Management | Specialized | no | 4 hours |
| Organizational Messages Approver (note) | Management | Enterprise | no | 8 hours |
| Organizational Messages Writer (note) | Management | Specialized | no | 4 hours |
| Partner Tier1 Support (note) | Control | Privileged | yes | 1 hour |
| Partner Tier2 Support (note) | Control | Privileged | yes | 1 hour |
| Password Administrator | Control | Privileged | yes | 1 hour |
| People Administrator (note) | Management | Specialized | no | 4 hours |
| Permissions Management Administrator (note) | Control | Specialized | no | 4 hours |
| Places Administrator | Management | Specialized | no | 4 hours |
| Power Platform Administrator (note) | Management | Privileged | no* | 1 hour |
| Printer Administrator | Management | Specialized | no | 4 hours |
| Printer Technician | Data | Enterprise | no | 8 hours |
| Privileged Authentication Administrator | Control | Privileged | yes | 1 hour |
| Privileged Role Administrator | Control | Privileged | yes | 1 hour |
| Purview Workload Content Administrator (note) | Management | Specialized | no | 4 hours |
| Purview Workload Content Reader (note) | Data | Enterprise | no | 8 hours |
| Purview Workload Content Writer (note) | Management | Specialized | no | 4 hours |
| Reports Reader | Data | Enterprise | no | 8 hours |
| Restricted Guest User | Control | Enterprise | no | 8 hours |
| Search Administrator | Management | Specialized | no | 4 hours |
| Search Editor | Data | Enterprise | no | 8 hours |
| Security Administrator | Control | Privileged | yes | 1 hour |
| Security Operator | Control | Privileged | yes | 1 hour |
| Security Reader (note) | Control | Privileged | yes | 1 hour |
| Service Support Administrator | Management | Specialized | no | 4 hours |
| SharePoint Administrator (note) | Management | Privileged | no* | 1 hour |
| SharePoint Advanced Management Administrator | Management | Specialized | no | 4 hours |
| SharePoint Backup Administrator | Management | Specialized | no | 4 hours |
| SharePoint Embedded Administrator | Management | Specialized | no | 4 hours |
| Skype for Business Administrator | Management | Specialized | no | 4 hours |
| Teams Administrator (note) | Management | Privileged | no* | 1 hour |
| Teams Communications Administrator | Management | Specialized | no | 4 hours |
| Teams Communications Support Engineer | Data | Enterprise | no | 8 hours |
| Teams Communications Support Specialist | Data | Enterprise | no | 8 hours |
| Teams Devices Administrator (note) | Management | Specialized | no | 4 hours |
| Teams External Collaboration Administrator | Management | Specialized | no | 4 hours |
| Teams Reader | Data | Enterprise | no | 8 hours |
| Teams Telephony Administrator | Management | Specialized | no | 4 hours |
| Tenant Creator | Control | Enterprise | no | 8 hours |
| Tenant Governance Administrator (note) | Control | Specialized | no | 4 hours |
| Tenant Governance Reader | Control | Enterprise | no | 8 hours |
| Tenant Governance Relationship Administrator | Control | Enterprise | no | 8 hours |
| Tenant Governance Relationship Reader | Control | Enterprise | no | 8 hours |
| Usage Summary Reports Reader | Data | Enterprise | no | 8 hours |
| User | Control | Enterprise | no | 8 hours |
| User Administrator | Control | Privileged | yes | 1 hour |
| User Experience Success Manager (note) | Data | Enterprise | no | 8 hours |
| Virtual Visits Administrator | Management | Specialized | no | 4 hours |
| Viva Glint Tenant Administrator | Management | Specialized | no | 4 hours |
| Viva Goals Administrator | Management | Specialized | no | 4 hours |
| Viva Pulse Administrator | Management | Specialized | no | 4 hours |
| Windows 365 Administrator (note) | Management | Privileged | no* | 1 hour |
| Windows Update Deployment Administrator | Management | Specialized | no | 4 hours |
| Workplace Device Join | Data | Enterprise | no | 8 hours |
| Yammer Administrator (note) | Management | Privileged | no* | 1 hour |
(note): the role has a per-role note explaining a contentious call; see Security level below.
no*: not flagged isPrivileged by Microsoft, but raised to Privileged by the blast-radius escalation guardrail described under Security level.
How this catalog is built
Every role on this page gets three things:
- an EAM plane: how much damage a compromise could do (Control, Management, or Data);
- a security level: how strictly its use should be protected (Privileged, Specialized, or Enterprise);
- a recommended PIM activation policy: the concrete settings to enforce.
Microsoft publishes exactly one of these per role: the isPrivileged flag. The plane and the level we derive from what the role can actually do, its rolePermissions.allowedResourceActions, not its name. The policy then follows from the level. So every value wears a plain-language label that tells you where it came from.
Where each value comes from
| Label | What it means |
|---|---|
| from Microsoft | Published by Microsoft for this exact role. The isPrivileged flag is the only such value. |
| reviewed | Assigned by reading the role's permissions and checked against the grounding rubric before landing here. |
| by rule | Calculated by a rule from the level, with no per-role judgement. See Recommended PIM activation policy below. |
EAM plane: blast radius
Microsoft does not hand out a plane per role, so we derive one from the role's permissions (allowedResourceActions) against Microsoft's Enterprise Access Model. The name and description are only context; the actions decide. The plane describes a role's function (does it govern identity, administer a workload, or touch data), not its blast radius; the blast radius is captured by the level.
| Plane | Permissions govern | Examples |
|---|---|---|
| Control | Identity, authentication, and authorization itself. A compromise changes who can access what tenant-wide. | Global Admin, Conditional Access Admin, Privileged Role Admin |
| Management | One workload or the hosting infrastructure, bounded to a service. | Intune, Exchange, SharePoint, Teams, Defender |
| Data | Mostly reading or serving business data, telemetry, or end-user support. | Reports Reader, Message Center Reader, Search Editor |
Identity and security actions always outrank workload actions: if a role's permissions touch authentication, authorization, or the security posture, it is Control even when it also touches a workload. Read-only does not lower the plane (a reader of identity configuration is still Control); it lowers the level instead.
Security level: how strict
A role's level is derived from the depth and breadth of its permissions, with two deterministic guardrails applied first:
- isPrivileged floor. Microsoft marks the role isPrivileged, so it is at least Privileged, and nothing can lower it. This signal comes straight from the role definition in your inventory. Some read-only roles count here too (Global Reader, Security Reader, AI Reader): reading the full security configuration still hands an attacker a tactical advantage, so read-only is not the same as low-impact.
- Blast-radius escalation. The permissions grant full data-plane control over an entire workload (all mailboxes, all sites, all source code), so the role is Privileged even when Microsoft does not flag it. This is derived from the permissions, not from a fixed list, so a new workload admin is covered automatically. Today it raises Exchange, SharePoint, Teams, Yammer, Power Platform, Dynamics 365, Fabric, Azure DevOps, Windows 365, and Knowledge, while their scoped sub-admins (for example Exchange Recipient Administrator) stay Specialized.
- Otherwise, the permissions decide the level. Actions that administer a bounded service or modify identity, security, or access configuration are Specialized. Read-only, end-user, default, or low-impact support actions are Enterprise.
The three levels (Privileged / Specialized / Enterprise) come from Microsoft's Securing privileged access security levels. Where a call is contentious, the role's own note explains the trade-off.
Recommended PIM activation policy
Microsoft publishes no per-role activation values, so these take its general guidance and pin it to a level. Activation runs from 1 to 24 hours; MFA, approval, and justification are per-role switches. See Configure Microsoft Entra role settings in PIM.
| Level | Max activation | MFA | Approval | Justification | Auth context |
|---|---|---|---|---|---|
| Privileged | 1 hour | Yes | Yes | Yes | Phishing-resistant + sign-in frequency |
| Specialized | 4 hours | Yes | Yes | Yes | Phishing-resistant |
| Enterprise | 8 hours | Yes | No | Yes | Standard MFA |
From catalog to enforcement
The "copy accessmodel json" buttons turn this page into something the scanner can act on. Each one emits a ready-to-use access-model file for a level: a name, the securityLevel, the roles[] at that level, and an expectedConfig that matches the recommendations above. The scanner derives the notification severity from the securityLevel, so severity never appears as a concept on this page. Drop the file into your repository's AccessModel/ directory, and the next scan checks every role's live PIM policy against it. The "copy role json" button inside a row does the same for one role, and also records its plane.
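The following Python is an added example (not the catalog's own code, the scanner's code, or the worked example linked below) that carries the rules of this section end to end: the two guardrails and the permissions fallback under Security level, the level-to-policy table under Recommended PIM activation policy, the access-model shape named above (name, securityLevel, roles[], expectedConfig), and the drift check a scan performs against a live policy. It assumes role definitions in the shape Microsoft Graph returns for directory roleDefinitions (displayName, isPrivileged, rolePermissions[].allowedResourceActions); the action-pattern heuristics for "full data-plane control" and "write" are assumptions standing in for the catalog's per-permission review; the key names inside expectedConfig, the live-policy shape, and the four sample roles with their handful of actions are constructed for illustration.

```python
"""Derive a security level and a PIM expectedConfig from Entra role definitions.

Added example, not the catalog's own code. Role-definition fields follow the
Graph roleDefinition shape; the action heuristics, expectedConfig keys and the
live-policy shape are assumptions for illustration.
"""
from __future__ import annotations

import json

LEVELS = ("Privileged", "Specialized", "Enterprise")
IDENTITY_NAMESPACE = "microsoft.directory"

# Recommended activation policy per level, copied from the catalog's table.
# The key names inside expectedConfig are assumed for this example.
POLICY_BY_LEVEL = {
    "Privileged": {"maxActivationHours": 1, "mfa": True, "approval": True,
                   "justification": True, "authContext": "Phishing-resistant + sign-in frequency"},
    "Specialized": {"maxActivationHours": 4, "mfa": True, "approval": True,
                    "justification": True, "authContext": "Phishing-resistant"},
    "Enterprise": {"maxActivationHours": 8, "mfa": True, "approval": False,
                   "justification": True, "authContext": "Standard MFA"},
}


def actions_of(role: dict) -> list[str]:
    """Flatten rolePermissions[].allowedResourceActions of one role definition."""
    return [a for perm in role.get("rolePermissions", [])
            for a in perm.get("allowedResourceActions", [])]


def grants_full_workload_control(action: str) -> bool:
    """Assumed heuristic for blast-radius escalation: a non-identity action that
    spans allEntities and ends in allTasks (for example
    microsoft.office365.exchange/allEntities/basic/allProperties/allTasks)
    is full data-plane control over that workload."""
    parts = action.split("/")
    return parts[0] != IDENTITY_NAMESPACE and "allEntities" in parts[1:] and parts[-1] == "allTasks"


def is_write(action: str) -> bool:
    """Entra actions end in a verb; anything other than 'read' changes state."""
    return action.rsplit("/", 1)[-1] != "read"


def derive_level(role: dict) -> tuple[str, str]:
    """Apply the two guardrails first, then let the permissions decide.
    Returns (level, reason) so every call stays traceable."""
    actions = actions_of(role)
    if role.get("isPrivileged"):            # floor: published by Microsoft, cannot be lowered
        return "Privileged", "isPrivileged floor"
    if any(grants_full_workload_control(a) for a in actions):
        return "Privileged", "blast-radius escalation"
    if any(is_write(a) for a in actions):
        return "Specialized", "administers a service or modifies configuration"
    return "Enterprise", "read-only or low-impact actions"


def build_access_model(level: str, roles: list[dict]) -> dict:
    """Emit one access-model file for a level: name, securityLevel, roles[] and
    expectedConfig, the four fields this page names."""
    if level not in LEVELS:
        raise ValueError(f"unknown level {level!r}")
    return {
        "name": f"{level.lower()}-roles",
        "securityLevel": level,
        "roles": sorted(r["displayName"] for r in roles if derive_level(r)[0] == level),
        "expectedConfig": dict(POLICY_BY_LEVEL[level]),
    }


def policy_drift(expected: dict, live: dict) -> list[str]:
    """Compare a role's live PIM settings (assumed to use the same keys) against
    expectedConfig; each mismatch becomes one finding."""
    return [f"{key}: expected {expected[key]!r}, live {live.get(key)!r}"
            for key in expected if live.get(key) != expected[key]]


# Constructed sample role definitions; real roles carry many more actions.
SAMPLE_ROLES = [
    {"displayName": "Conditional Access Administrator", "isPrivileged": True,
     "rolePermissions": [{"allowedResourceActions": [
         "microsoft.directory/conditionalAccessPolicies/basic/update"]}]},
    {"displayName": "Exchange Administrator", "isPrivileged": False,
     "rolePermissions": [{"allowedResourceActions": [
         "microsoft.office365.exchange/allEntities/basic/allProperties/allTasks"]}]},
    {"displayName": "Exchange Recipient Administrator", "isPrivileged": False,
     "rolePermissions": [{"allowedResourceActions": [
         "microsoft.office365.exchange/recipients/allProperties/allTasks"]}]},
    {"displayName": "Reports Reader", "isPrivileged": False,
     "rolePermissions": [{"allowedResourceActions": [
         "microsoft.directory/auditLogs/allProperties/read",
         "microsoft.office365.usageReports/allEntities/allProperties/read"]}]},
]

# Constructed live settings for one role, as a scan might have fetched them:
# an Exchange Administrator still running on the Enterprise-style defaults.
LIVE_EXCHANGE_ADMIN = {"maxActivationHours": 8, "mfa": True, "approval": False,
                       "justification": True, "authContext": "Standard MFA"}

if __name__ == "__main__":
    for role in SAMPLE_ROLES:
        print(f"{role['displayName']:<36} -> {derive_level(role)}")
    model = build_access_model("Privileged", SAMPLE_ROLES)
    print(json.dumps(model, indent=2))
    for finding in policy_drift(model["expectedConfig"], LIVE_EXCHANGE_ADMIN):
        print("drift:", finding)
```

Running it shows the scoped Exchange Recipient Administrator landing at Specialized while the unscoped Exchange Administrator is escalated to Privileged with isPrivileged still false, which is exactly the split the catalog's no* rows encode; the drift check then reports the three settings (activation window, approval, auth context) on which the constructed live policy falls short of the Privileged expectedConfig.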
Treat the numbers as a starting point, not a verdict. They are defensible, but your tenant is yours: weigh them against your own risk posture before you enforce, and read the per-role notes where a different call makes sense.
Want to watch one role go the whole way, from this table to an enforced policy? Follow the worked example.