EAM Role Catalog
Every built-in Microsoft Entra directory role, mapped to its Enterprise Access Model (EAM) plane, its Securing Privileged Access (SPA) security level, and a recommended PIM activation policy. Use it to decide what expectedConfig each role should have before you author access-model files.
Every value carries a label showing how far you can trust it, from "Microsoft says so" down to "an automated first guess". Nothing here is invented silently. The legend below explains the labels.
Rows are planes (blast radius), columns are levels (strictness). Click a cell to filter both, or a header to filter one.
| Plane ↓ / Level → | Privileged | Specialized | Enterprise | Σ |
|---|---|---|---|---|
| Control | 29 | 9 | 27 | 65 |
| Management | 14 | 45 | 0 | 59 |
| Data | 1 | 0 | 19 | 20 |
| Σ | 44 | 54 | 46 | 144 |
| Role | Plane | Level | isPrivileged | Max activation |
|---|---|---|---|---|
| Agent ID Administrator | Control | Privileged | yes | 1 hour |
| Agent ID Developer | Control | Enterprise | no | 8 hours |
| Agent Registry Administrator | Control | Enterprise | no | 8 hours |
| AI Administrator | Management | Privileged | yes | 1 hour |
| AI Reader (note) | Data | Privileged | yes | 1 hour |
| Application Administrator | Control | Privileged | yes | 1 hour |
| Application Developer | Control | Privileged | yes | 1 hour |
| Attack Payload Author | Management | Specialized | no | 4 hours |
| Attack Simulation Administrator | Management | Specialized | no | 4 hours |
| Attribute Assignment Administrator | Control | Specialized | no | 4 hours |
| Attribute Assignment Reader | Control | Enterprise | no | 8 hours |
| Attribute Definition Administrator | Control | Enterprise | no | 8 hours |
| Attribute Definition Reader | Control | Enterprise | no | 8 hours |
| Attribute Log Administrator | Control | Enterprise | no | 8 hours |
| Attribute Log Reader | Control | Enterprise | no | 8 hours |
| Attribute Provisioning Administrator | Control | Privileged | yes | 1 hour |
| Attribute Provisioning Reader (note) | Control | Privileged | yes | 1 hour |
| Authentication Administrator | Control | Privileged | yes | 1 hour |
| Authentication Extensibility Administrator | Control | Privileged | yes | 1 hour |
| Authentication Extensibility Password Administrator | Control | Privileged | yes | 1 hour |
| Authentication Policy Administrator | Control | Specialized | no | 4 hours |
| Azure AD Joined Device Local Administrator | Management | Specialized | no | 4 hours |
| Azure DevOps Administrator (review, note) | Management | Privileged | no* | 1 hour |
| Azure Information Protection Administrator | Management | Specialized | no | 4 hours |
| B2C IEF Keyset Administrator | Control | Privileged | yes | 1 hour |
| B2C IEF Policy Administrator | Control | Specialized | no | 4 hours |
| Billing Administrator | Management | Specialized | no | 4 hours |
| Cloud App Security Administrator | Control | Specialized | no | 4 hours |
| Cloud Application Administrator | Control | Privileged | yes | 1 hour |
| Cloud Device Administrator | Management | Privileged | yes | 1 hour |
| Compliance Administrator | Management | Specialized | no | 4 hours |
| Compliance Data Administrator | Management | Specialized | no | 4 hours |
| Conditional Access Administrator | Control | Privileged | yes | 1 hour |
| Customer Delegated Admin Relationship Administrator (note) | Control | Enterprise | no | 8 hours |
| Customer LockBox Access Approver | Control | Enterprise | no | 8 hours |
| Desktop Analytics Administrator | Management | Specialized | no | 4 hours |
| Device Join | Data | Enterprise | no | 8 hours |
| Device Managers | Data | Enterprise | no | 8 hours |
| Device Users | Data | Enterprise | no | 8 hours |
| Directory Readers | Control | Enterprise | no | 8 hours |
| Directory Synchronization Accounts (note) | Control | Specialized | no | 4 hours |
| Directory Writers | Control | Privileged | yes | 1 hour |
| Domain Name Administrator | Control | Privileged | yes | 1 hour |
| Dragon Administrator | Management | Specialized | no | 4 hours |
| Dynamics 365 Administrator (review, note) | Management | Privileged | no* | 1 hour |
| Dynamics 365 Business Central Administrator | Management | Specialized | no | 4 hours |
| Edge Administrator | Management | Specialized | no | 4 hours |
| Entra Backup Administrator | Management | Specialized | no | 4 hours |
| Entra Backup Reader | Data | Enterprise | no | 8 hours |
| Entra Customer Lockbox Approver | Control | Enterprise | no | 8 hours |
| Exchange Administrator (review, note) | Management | Privileged | no* | 1 hour |
| Exchange Backup Administrator | Management | Specialized | no | 4 hours |
| Exchange Recipient Administrator | Management | Specialized | no | 4 hours |
| Extended Directory User Administrator | Control | Enterprise | no | 8 hours |
| External ID User Flow Administrator | Control | Specialized | no | 4 hours |
| External ID User Flow Attribute Administrator | Control | Enterprise | no | 8 hours |
| External Identity Provider Administrator | Control | Privileged | yes | 1 hour |
| Fabric Administrator (review, note) | Management | Privileged | no* | 1 hour |
| Global Administrator (note) | Control | Privileged | yes | 1 hour |
| Global Reader (note) | Control | Privileged | yes | 1 hour |
| Global Secure Access Administrator | Management | Specialized | no | 4 hours |
| Global Secure Access Log Reader | Data | Enterprise | no | 8 hours |
| Groups Administrator | Control | Specialized | no | 4 hours |
| Guest Inviter | Control | Enterprise | no | 8 hours |
| Guest User | Control | Enterprise | no | 8 hours |
| Helpdesk Administrator | Control | Privileged | yes | 1 hour |
| Hybrid Identity Administrator | Control | Privileged | yes | 1 hour |
| Identity Governance Administrator | Control | Privileged | yes | 1 hour |
| Insights Administrator | Management | Specialized | no | 4 hours |
| Insights Analyst | Data | Enterprise | no | 8 hours |
| Insights Business Leader | Data | Enterprise | no | 8 hours |
| Intune Administrator (note) | Management | Privileged | yes | 1 hour |
| IoT Device Administrator | Management | Specialized | no | 4 hours |
| Kaizala Administrator | Management | Specialized | no | 4 hours |
| Knowledge Administrator (review, note) | Management | Privileged | no* | 1 hour |
| Knowledge Manager (review, note) | Management | Privileged | no* | 1 hour |
| License Administrator | Management | Specialized | no | 4 hours |
| Lifecycle Workflows Administrator | Control | Privileged | yes | 1 hour |
| Message Center Privacy Reader | Data | Enterprise | no | 8 hours |
| Message Center Reader | Data | Enterprise | no | 8 hours |
| Microsoft 365 Backup Administrator | Management | Specialized | no | 4 hours |
| Microsoft 365 Migration Administrator | Management | Specialized | no | 4 hours |
| Microsoft Graph Data Connect Administrator | Management | Specialized | no | 4 hours |
| Microsoft Hardware Warranty Administrator | Management | Specialized | no | 4 hours |
| Microsoft Hardware Warranty Specialist | Data | Enterprise | no | 8 hours |
| Network Administrator | Management | Specialized | no | 4 hours |
| Office Apps Administrator | Management | Specialized | no | 4 hours |
| On Premises Directory Sync Account (note) | Control | Specialized | no | 4 hours |
| Organizational Branding Administrator | Control | Enterprise | no | 8 hours |
| Organizational Data Source Administrator | Management | Specialized | no | 4 hours |
| Organizational Messages Approver | Control | Enterprise | no | 8 hours |
| Organizational Messages Writer | Control | Specialized | no | 4 hours |
| Partner Tier1 Support (note) | Control | Privileged | yes | 1 hour |
| Partner Tier2 Support (note) | Control | Privileged | yes | 1 hour |
| Password Administrator | Control | Privileged | yes | 1 hour |
| People Administrator | Control | Enterprise | no | 8 hours |
| Permissions Management Administrator (note) | Control | Enterprise | no | 8 hours |
| Places Administrator | Management | Specialized | no | 4 hours |
| Power Platform Administrator (review, note) | Management | Privileged | no* | 1 hour |
| Printer Administrator | Management | Specialized | no | 4 hours |
| Printer Technician | Data | Enterprise | no | 8 hours |
| Privileged Authentication Administrator | Control | Privileged | yes | 1 hour |
| Privileged Role Administrator | Control | Privileged | yes | 1 hour |
| Purview Workload Content Administrator | Management | Specialized | no | 4 hours |
| Purview Workload Content Reader | Data | Enterprise | no | 8 hours |
| Purview Workload Content Writer | Management | Specialized | no | 4 hours |
| Reports Reader | Data | Enterprise | no | 8 hours |
| Restricted Guest User | Control | Enterprise | no | 8 hours |
| Search Administrator | Management | Specialized | no | 4 hours |
| Search Editor | Data | Enterprise | no | 8 hours |
| Security Administrator | Control | Privileged | yes | 1 hour |
| Security Operator (note) | Control | Privileged | yes | 1 hour |
| Security Reader (note) | Control | Privileged | yes | 1 hour |
| Service Support Administrator | Management | Specialized | no | 4 hours |
| SharePoint Administrator (review, note) | Management | Privileged | no* | 1 hour |
| SharePoint Advanced Management Administrator | Management | Specialized | no | 4 hours |
| SharePoint Backup Administrator | Management | Specialized | no | 4 hours |
| SharePoint Embedded Administrator | Management | Specialized | no | 4 hours |
| Skype for Business Administrator | Management | Specialized | no | 4 hours |
| Teams Administrator (review, note) | Management | Privileged | no* | 1 hour |
| Teams Communications Administrator | Management | Specialized | no | 4 hours |
| Teams Communications Support Engineer | Data | Enterprise | no | 8 hours |
| Teams Communications Support Specialist | Data | Enterprise | no | 8 hours |
| Teams Devices Administrator | Management | Specialized | no | 4 hours |
| Teams External Collaboration Administrator | Management | Specialized | no | 4 hours |
| Teams Reader | Data | Enterprise | no | 8 hours |
| Teams Telephony Administrator | Management | Specialized | no | 4 hours |
| Tenant Creator (note) | Control | Enterprise | no | 8 hours |
| Tenant Governance Administrator | Control | Enterprise | no | 8 hours |
| Tenant Governance Reader | Control | Enterprise | no | 8 hours |
| Tenant Governance Relationship Administrator | Control | Enterprise | no | 8 hours |
| Tenant Governance Relationship Reader | Control | Enterprise | no | 8 hours |
| Usage Summary Reports Reader | Data | Enterprise | no | 8 hours |
| User | Control | Enterprise | no | 8 hours |
| User Administrator | Control | Privileged | yes | 1 hour |
| User Experience Success Manager | Control | Enterprise | no | 8 hours |
| Virtual Visits Administrator | Management | Specialized | no | 4 hours |
| Viva Glint Tenant Administrator | Management | Specialized | no | 4 hours |
| Viva Goals Administrator | Management | Specialized | no | 4 hours |
| Viva Pulse Administrator | Management | Specialized | no | 4 hours |
| Windows 365 Administrator (review, note) | Management | Privileged | no* | 1 hour |
| Windows Update Deployment Administrator | Management | Specialized | no | 4 hours |
| Workplace Device Join | Data | Enterprise | no | 8 hours |
| Yammer Administrator (review, note) | Management | Privileged | no* | 1 hour |

\* Not flagged isPrivileged by Microsoft; rated Privileged by the whole-workload rule (rule 2) under "Security level: how strict". "(note)" marks a role that has a per-role note.
How this catalog is built
Every role on this page gets three things:
- an EAM plane: how much damage a compromise could do (Control, Management, or Data);
- a security level: how strictly its use should be protected (Privileged, Specialized, or Enterprise);
- a recommended PIM activation policy: the concrete settings to enforce.
Microsoft publishes exactly one of these per role: the isPrivileged flag. The plane we review by hand; the level and its policy follow from the rules in "Security level: how strict" and "Recommended PIM activation policy" further down. So every value wears a plain-language label that tells you where it came from, no guessing about the guesses.
Where each value comes from
| Label | What it means |
|---|---|
| from Microsoft | Published by Microsoft for this exact role. The isPrivileged flag is the only such value. |
| reviewed | Assigned by hand and checked against Microsoft's model before landing here. |
| unreviewed | A keyword guess, based on the role's name, for a role nobody has reviewed yet. Always flagged review needed. |
| by rule | Calculated by a rule, with no per-role judgement. See Security level: how strict below. |
EAM plane: blast radius
Microsoft does not hand out a plane per role, so we assign one ourselves: reviewed by hand for the roles we know, an unreviewed keyword guess for anything new or unfamiliar. We judge it from the role's name and description against Microsoft's Enterprise Access Model.
| Plane | Controls | Examples |
|---|---|---|
| Control | Identity, authentication, authorization. Compromise can lead to full tenant takeover. | Global Admin, Conditional Access Admin, Privileged Role Admin |
| Management | Workload, device, and service configuration. | Intune, Exchange, SharePoint, Teams, Defender |
| Data | End-user data and business processes (mostly read-only roles). | Reports Reader, Message Center Reader, Search Editor |
Security level: how strict
A role's level follows three rules, in order. The first that matches wins:
1. Microsoft marks it isPrivileged, so it is Privileged. This signal comes straight from the role definition in your inventory. Some read-only roles count here too (Global Reader, Security Reader, AI Reader): reading the full security configuration still hands an attacker a tactical advantage, so read-only is not the same as low-impact.
2. It owns a whole M365 workload with direct data impact, so it is Privileged even when Microsoft does not flag it. This covers Exchange, SharePoint, Teams, Yammer, Power Platform, Dynamics 365, Fabric, Azure DevOps, Windows 365, and Knowledge. Full control over a workload is too much blast radius for anything less.
3. Otherwise, the level follows the plane. The Management plane and Control-plane writers become Specialized; everything else (Control-plane readers, governance, default roles, and the Data plane) becomes Enterprise.
The three levels (Privileged / Specialized / Enterprise) come from Microsoft's Securing privileged access security levels. Where rule 1 is contentious, the role's own note explains the trade-off.
Recommended PIM activation policy
Microsoft publishes no per-role activation values, so these take its general guidance and pin it to a level. Activation runs from 1 to 24 hours; MFA, approval, and justification are per-role switches. See Configure Microsoft Entra role settings in PIM.
| Level | Max activation | MFA | Approval | Justification | Auth context |
|---|---|---|---|---|---|
| Privileged | 1 hour | Yes | Yes | Yes | Phishing-resistant + sign-in frequency |
| Specialized | 4 hours | Yes | Yes | Yes | Phishing-resistant |
| Enterprise | 8 hours | Yes | No | Yes | Standard MFA |
From catalog to enforcement
The "copy accessmodel json" buttons turn this page into something the scanner can act on. Each one emits a ready-to-use access-model file for a level: a name, the securityLevel, the roles[] at that level, and an expectedConfig that matches the recommendations above. The scanner derives the notification severity from the securityLevel, so severity never appears as a concept on this page. Drop the file into your repository's AccessModel/ directory, and the next scan checks every role's live PIM policy against it. The "copy role json" button inside a row does the same for one role, and also records its plane.
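As an added example (not the page's or the scanner's own code), the three level rules, the per-level access-model file and the policy comparison in Python. The expectedConfig key names and the hand-reviewed writer/reader flag for Control-plane roles are assumptions.

```python
# Rule 2 of the catalog: whole-workload admins are Privileged even when Microsoft
# does not set isPrivileged (the "no*" rows in the table above).
WORKLOAD_OWNERS = {
    "Exchange Administrator", "SharePoint Administrator", "Teams Administrator",
    "Yammer Administrator", "Power Platform Administrator", "Dynamics 365 Administrator",
    "Fabric Administrator", "Azure DevOps Administrator", "Windows 365 Administrator",
    "Knowledge Administrator", "Knowledge Manager",
}

# PIM policy per level (table above); key names are an assumed expectedConfig shape.
POLICY = {
    "Privileged":  {"maxActivationHours": 1, "mfa": True, "approval": True, "justification": True,
                    "authContext": "Phishing-resistant + sign-in frequency"},
    "Specialized": {"maxActivationHours": 4, "mfa": True, "approval": True, "justification": True,
                    "authContext": "Phishing-resistant"},
    "Enterprise":  {"maxActivationHours": 8, "mfa": True, "approval": False, "justification": True,
                    "authContext": "Standard MFA"},
}

def security_level(name, plane, is_privileged, control_writer=False):
    """Three rules, applied in order; first match wins. control_writer is the
    hand-reviewed writer/reader call the page makes for Control-plane roles (assumed input)."""
    if is_privileged:                 # rule 1: Microsoft's isPrivileged flag
        return "Privileged"
    if name in WORKLOAD_OWNERS:       # rule 2: owns a whole M365 workload
        return "Privileged"
    if plane == "Management" or (plane == "Control" and control_writer):
        return "Specialized"          # rule 3: Management plane and Control-plane writers
    return "Enterprise"               # rule 3: readers, governance, defaults, Data plane

def build_access_model(level, roles):
    """One access-model file per level: name, securityLevel, roles[], expectedConfig."""
    names = sorted(r["name"] for r in roles if security_level(**r) == level)
    return {"name": f"{level} roles", "securityLevel": level,
            "roles": names, "expectedConfig": POLICY[level]}

def check_policy(level, live):
    """Settings where a role's live PIM policy is laxer than its level's expectedConfig."""
    findings = {}
    for key, want in POLICY[level].items():
        got = live.get(key)
        if key == "maxActivationHours":
            lax = got is None or got > want
        elif isinstance(want, bool):
            lax = want and not got    # stricter than recommended is not a finding
        else:
            lax = got != want
        if lax:
            findings[key] = (got, want)
    return findings
```

Feed build_access_model the role rows from your inventory and check_policy the live PIM settings of one role; an empty result means the role already meets or exceeds its level's recommendation.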
Treat the numbers as a starting point, not a verdict. They are defensible, but your tenant is yours: weigh them against your own risk posture before you enforce, and read the per-role notes where a different call makes sense.
Want to watch one role go the whole way, from this table to an enforced policy? Follow the worked example.