Roles for Delegated Authentication

  • Last update on November 25th, 2024

To run Configuration Manager with Delegated Authentication, the Sync must authenticate with an Entra ID non-guest user. This user can be assigned any roles. The roles assigned to this user will determine Configuration Manager's access to the configurations in the tenant:

  • If you would like to Sync all configurations in the tenant, the user account used for Delegated Authentication should be assigned the Global Administrator role and the Exchange Online Admin role (with permissions for Address lists). 
  • If you would prefer not to use a Global Administrator with Configuration Manager, you can Sync most configurations in the tenant by applying the following minimum roles:

Minimum required roles to Sync all configurations without a Global Administrator:

  • Authentication Policy Administrator
    • Required to manage Authentication policy settings
  • Intune administrator
    • Required to manage Intune/Endpoint
  • Compliance administrator
    • Required to manage security compliance center
  • Exchange administrator
    • Require to manage Exchange Online settings
  • User administrator
    • Required to create users and groups
  • Teams administrator
    • Required to manage Teams settings
  • Application administrator
    • Required to manage app registrations and service principles
  • Groups administrator
    • Required to manage groups
  • Security administrator
    • Required to manage configurations in Azure AD
  • Cloud device administrator
    • Required to read/write Device registration policy
  • SharePoint administrator
    • Required to read/write SharePoint settings
  • Assign an Exchange Online Admin role with the following permissions:
    • Address lists
      • Required for Exchange Online settings

Without the Global Administrator Role, you can read but cannot apply changes to Azure Active Directory user settings.

 

Read-Only permission instructions

For backup-only access, the user account should be assigned the following permissions:

  • Global reader: this role allows users to view all resources and settings across the organization without the ability to make any changes.
  • Reports reader: this role enables users to view reports and analytics without any editing capabilities.

By granting both the Global Reader and Reports Reader roles, users will have sufficient access to perform their backup duties while maintaining the integrity of the system.