Easily manage access to Azure AD resources

Distribute identity management tasks with Azure Active Directory (Azure AD) roles.

What are roles in Azure AD?

Role-based access control allows organizations to grant admins granular permissions in one of three role categories: Azure AD-specific roles, service-specific roles, and cross-service roles.

Azure AD roles are not only a means to manage permissions to identity resources, but also a foundation to control privileged access to many Microsoft security and productivity services. Common Azure AD admin roles manage permissions for users, groups, and apps. Other service roles manage permissions to Exchange, Intune, SharePoint, Microsoft Teams, and security tools like Microsoft Cloud App Security and the Microsoft Security Center.

Roles in Azure AD

Manage access to Azure AD resources with Azure AD role-based access controls. Choose from a set of built-in roles or customize roles to support your business needs.

Understanding Azure AD role-based access control

Azure AD supports two types of identity service role definitions: built-in and custom roles. Built-in roles include a fixed set of permissions. Custom roles include permissions you can select and personalize.

Roles and permissions

Grant users limited privileges to perform identity tasks such as adding and changing users, assigning admin roles, managing user licenses, and managing domain names.

Custom roles

Learn how to create a custom role in Azure AD to suit your organizational needs and assign the role at the directory level or an app-specific level.

Take a deep dive into Azure AD roles

Additional Azure AD role resources


Discover roles in Azure AD and how to use them to delegate permissions.

How-to guides

See step-by-step guides on how to create a custom role in Azure AD.


Learn how to assign and remove user role assignments in Azure AD.