This chapter covers Azure Active Directory (Entra ID) built-in directory roles — the predefined sets of permissions that control who can perform administrative tasks in your tenant. Understanding these roles is critical for the AZ-500 exam, as questions on identity governance, least privilege, and role assignment appear in approximately 15-20% of the exam. You will learn the exact permissions of each role, how assignments work, and common exam traps around delegation and scoping.
Think of an Azure AD tenant as a large hotel with hundreds of rooms, offices, and restricted areas. The hotel has a master key system. At the top is the Global Administrator (GA) — the hotel owner who holds the master key that opens every door: guest rooms, maintenance closets, the IT server room, the safe, and even the front desk cash drawer. Below GA are dozens of specific roles, each with a key that opens only certain doors. For example, the User Administrator has a key that opens the HR office (can create/manage user accounts) but cannot open the IT server room (cannot manage licenses or conditional access). The Billing Administrator has a key only to the accounting office — they can see invoices and payment methods but cannot create users or reset passwords. The Security Administrator has keys to the security control room (can manage security policies, view sign-in logs) but cannot access the front desk cash drawer (cannot manage billing). The Guest Inviter has a key only to the side entrance — they can invite visitors (guest users) but cannot modify internal employee records. Importantly, no single key except the master can open every door. If the hotel manager (GA) gives the User Administrator key to a staff member, that person can perform user management tasks but cannot change the master key system itself (cannot assign other admin roles). The hotel also has a 'Privileged Role Administrator' key that can reassign any other key — this is like having a key to the key cabinet. The system is hierarchical: some keys can grant other keys, but only within their scope. Understanding which key opens which door is exactly how Azure AD built-in roles work: each role has a fixed set of permissions (actions) and a scope (tenant-wide or administrative unit). The exam tests whether you know which role can perform which action, and which roles can delegate permissions.
What Are Built-In Directory Roles?
Azure Active Directory (now Microsoft Entra ID) provides over 60 built-in directory roles that grant specific administrative permissions. Unlike Azure RBAC roles (which control access to Azure resources), directory roles control access to Entra ID itself — user accounts, groups, authentication methods, security policies, and tenant-wide settings. Each role is a collection of one or more permissions (called 'actions') that allow the assignee to perform specific tasks. For example, the 'User Administrator' role includes permissions to create users, manage user licenses, and reset passwords, but not to manage conditional access policies or security defaults.
Why Built-In Roles Exist
Microsoft designed built-in roles to implement the principle of least privilege. Instead of granting Global Administrator (the most powerful role) to everyone, you can assign more granular roles that limit what an admin can do. This reduces the attack surface: if a User Administrator account is compromised, the attacker cannot modify security policies or delete Azure resources. The exam expects you to know the most commonly used roles and their boundaries.
How Role Assignment Works Internally
When you assign a built-in role to a user or group, the assignment is stored in the Entra ID directory as a roleAssignment object. The object contains:
- Principal: the user or group receiving the role
- RoleDefinition: the role (e.g., 'Global Administrator')
- Scope: where the role applies (tenant-wide or an administrative unit)
When the user performs an action (e.g., resetting a password), the Entra ID authorization engine checks all role assignments for that user. It evaluates whether any assigned role includes the 'microsoft.directory/users/password/update' action. If yes, the action is allowed; if not, it is denied. This check happens in real-time for every API call.
Key Roles and Their Permissions (Exam-Critical)
Here are the roles you must know for AZ-500, grouped by function:
Global Administrator: Has access to all administrative features in Entra ID, including security, compliance, billing, and user management. Can also assign any admin role to others. This is the only role that can reset passwords for other Global Administrators. There is no restriction — it is the super-admin. Default: The person who signs up for a Microsoft online service (e.g., Azure, Microsoft 365) becomes a Global Administrator. Microsoft recommends having at least two but no more than five.
Privileged Role Administrator: Can manage role assignments in Entra ID and all aspects of Privileged Identity Management (PIM). This role can grant itself any role, so it is nearly as powerful as Global Administrator. Trap: Many candidates think only GA can manage roles, but Privileged Role Administrator can also assign roles (including GA to others).
Security Administrator: Can read security information and manage security policies (conditional access, MFA, security defaults, Identity Protection). Cannot manage user accounts beyond reading sign-in logs. Key exam point: Security Administrator can manage conditional access but cannot create users or reset passwords.
Conditional Access Administrator: Can manage conditional access policies only. Cannot manage other security features like MFA settings or Identity Protection. This is a more restricted version of Security Administrator.
User Administrator: Can create and manage users and groups, reset passwords (except for admins), and manage user licenses. Cannot manage security policies, roles, or billing.
Billing Administrator: Can view and manage billing accounts, subscriptions, and payment methods. Cannot create users or manage security.
Global Reader: Can read everything that a Global Administrator can read but cannot perform any write operations. Useful for auditing.
Security Reader: Read-only access to security information (sign-in logs, audit logs, Identity Protection reports). Cannot modify anything.
Helpdesk Administrator: Can reset passwords (non-admins), force sign-out, and manage service requests. Cannot create users or manage groups.
Application Administrator: Can manage application registrations and enterprise applications. Cannot manage users or security policies.
Cloud Application Administrator: Same as Application Administrator but cannot manage application proxy or consent.
Authentication Administrator: Can manage authentication methods (MFA, passwordless) for users. Cannot reset passwords or manage conditional access.
Privileged Authentication Administrator: Same as Authentication Administrator but can also manage authentication methods for admins.
Role Scopes: Tenant-Wide vs. Administrative Units
By default, built-in roles apply to the entire tenant. However, you can restrict the scope of some roles to an administrative unit (AU). An AU is a container of users and groups that you define. For example, you can create an AU called 'Sales Department' containing all sales users and groups. Then you can assign the 'User Administrator' role scoped to that AU. The assignee can then manage only the users and groups in the Sales AU — they cannot touch users in other AUs or the rest of the tenant. Exam trap: Not all roles support administrative unit scoping. Roles that manage tenant-wide settings (like Security Administrator) cannot be scoped to an AU. Only roles that manage objects (users, groups, devices) can be scoped. Check Microsoft documentation for the latest list.
Role Assignment via Groups
You can assign a role to a group (cloud group or mail-enabled security group) instead of individual users. This simplifies management: you add or remove users from the group, and they automatically gain or lose the role. However, the group must have its role-assignable flag set to 'Yes' when created. Not all groups can be role-assignable. Exam fact: Only Azure AD-joined groups (cloud-only or synchronized) can be role-assignable; distribution groups and Microsoft 365 groups cannot.
Default Permissions and Inheritance
Some roles inherit permissions from others. For example, Global Reader inherits read permissions from Global Administrator. Across multiple assignments, however, the system uses a 'most permissive' model rather than any hierarchy: if a user has both Global Reader and User Administrator, they have the union of both sets of permissions. There is no negative permission (deny) in directory roles; permissions are always additive.
How to View Role Assignments (Azure Portal and PowerShell)
In the Azure Portal: Azure Active Directory > Roles and administrators. You can see all roles and their assignments. To assign a role: select the role > Add assignments > select user/group > select scope (if applicable).
Using PowerShell (AzureAD module):
# List all roles
Get-AzureADDirectoryRole
# Get members of a role
Get-AzureADDirectoryRoleMember -ObjectId <role-object-id>
# Assign a role (requires role object ID)
Add-AzureADDirectoryRoleMember -ObjectId <role-object-id> -RefObjectId <user-object-id>
Using Microsoft Graph API:
GET https://graph.microsoft.com/v1.0/directoryRoles
GET https://graph.microsoft.com/v1.0/directoryRoles/{role-id}/members
POST https://graph.microsoft.com/v1.0/directoryRoles/{role-id}/members/$ref
{
"@odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/{user-id}"
}
Interaction with Privileged Identity Management (PIM)
PIM allows you to make role assignments 'eligible' rather than 'active'. An eligible user must activate the role for a limited time (e.g., 1 hour) before they can use the permissions. This reduces standing access. The exam often tests that PIM can be used with built-in directory roles, but PIM does not change the permissions of the role itself — it only adds a time-limited activation step.
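The evaluation described above (every active assignment checked for the action, union of permissions with no deny, AU-scoped assignments covering only AU members, role-assignable groups without nesting, PIM eligible vs. active) as an added, runnable Python model. This is not Microsoft's code; the role definitions, action names and sample users are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed, simplified role definitions in the page's 'microsoft.directory/...'
# action style. An assumption for this model, not the real Entra ID definitions.
ROLE_ACTIONS = {
    "Global Administrator": {"*"},
    "User Administrator": {"microsoft.directory/users/create",
                           "microsoft.directory/users/password/update"},
    "Helpdesk Administrator": {"microsoft.directory/users/password/update"},
    "Security Administrator": {"microsoft.directory/conditionalAccessPolicies/update"},
}
# Roles this model lets you scope to an administrative unit (assumed subset).
AU_SCOPABLE = {"User Administrator", "Helpdesk Administrator"}

PWD_RESET = "microsoft.directory/users/password/update"
CA_UPDATE = "microsoft.directory/conditionalAccessPolicies/update"
USER_CREATE = "microsoft.directory/users/create"


@dataclass
class Assignment:
    principal: str          # user or group id receiving the role
    role: str               # RoleDefinition name
    scope: str = "/"        # "/" = tenant-wide, otherwise "au:<AU name>"
    state: str = "active"   # PIM: "eligible" grants nothing until activated


@dataclass
class Directory:
    group_members: dict = field(default_factory=dict)  # group -> DIRECT members
    role_assignable: set = field(default_factory=set)  # isAssignableToRole groups
    au_members: dict = field(default_factory=dict)     # AU name -> member ids
    assignments: list = field(default_factory=list)

    def assign(self, principal, role, scope="/", state="active"):
        """Store a roleAssignment, refusing the two misconfigurations the
        chapter warns about: an AU scope on a tenant-wide role, and a group
        that was not created with isAssignableToRole."""
        if scope != "/" and role not in AU_SCOPABLE:
            raise ValueError(f"{role} cannot be scoped to an administrative unit")
        if principal in self.group_members and principal not in self.role_assignable:
            raise ValueError(f"group {principal} is not role-assignable")
        self.assignments.append(Assignment(principal, role, scope, state))

    def activate(self, principal, role):
        """PIM activation: an eligible assignment becomes active."""
        for a in self.assignments:
            if a.principal == principal and a.role == role and a.state == "eligible":
                a.state = "active"

    def _principals(self, user):
        """The user plus role-assignable groups they belong to DIRECTLY;
        membership through a nested group is ignored on purpose."""
        ids = {user}
        for group, members in self.group_members.items():
            if user in members and group in self.role_assignable:
                ids.add(group)
        return ids

    def effective_actions(self, user, target=None):
        """Union of the actions of every active assignment that covers the
        target object (None = a tenant-level action). No deny exists."""
        principals = self._principals(user)
        allowed = set()
        for a in self.assignments:
            if a.principal not in principals or a.state != "active":
                continue
            if a.scope == "/":
                allowed |= ROLE_ACTIONS[a.role]
            elif target is not None and target in self.au_members.get(a.scope[3:], set()):
                allowed |= ROLE_ACTIONS[a.role]
        return allowed

    def is_allowed(self, user, action, target=None):
        """The real-time check: does any assigned role include the action?"""
        actions = self.effective_actions(user, target)
        return "*" in actions or action in actions


def build_sample():
    """Constructed tenant: a GA, an AU-scoped User Administrator, a PIM-eligible
    Security Administrator, and two role-assignable groups where all-it
    contains tier1 (nesting) and tier1 contains dave directly."""
    d = Directory(
        group_members={"tier1": {"dave"}, "all-it": {"tier1", "frank"}},
        role_assignable={"tier1", "all-it"},
        au_members={"Sales": {"sales-user"}, "Marketing": {"mkt-user"}},
    )
    d.assign("alice", "Global Administrator")
    d.assign("bob", "User Administrator", scope="au:Sales")
    d.assign("carol", "Security Administrator", state="eligible")
    d.assign("tier1", "Helpdesk Administrator")
    d.assign("all-it", "Security Administrator")
    return d


if __name__ == "__main__":
    d = build_sample()
    print("bob resets sales-user:", d.is_allowed("bob", PWD_RESET, "sales-user"))
    print("bob resets mkt-user:  ", d.is_allowed("bob", PWD_RESET, "mkt-user"))
    print("carol before PIM:     ", d.is_allowed("carol", CA_UPDATE))
    d.activate("carol", "Security Administrator")
    print("carol after PIM:      ", d.is_allowed("carol", CA_UPDATE))
    print("dave via nested group:", d.is_allowed("dave", CA_UPDATE))
```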
Common Exam Scenarios
Least privilege: Given a task (e.g., reset password for non-admin users), which role should you assign? Answer: Helpdesk Administrator. Not User Administrator (too broad) and not Global Administrator.
Role delegation: Who can assign the Global Administrator role? Only Global Administrator or Privileged Role Administrator.
Scope limitation: A junior admin should manage only users in the 'Marketing' department. Solution: Create an administrative unit for Marketing, assign User Administrator scoped to that AU.
Group-based assignment: To simplify role management, assign the role to a security group that is role-assignable.
Conflicting roles: A user has both Security Administrator and User Administrator. They can manage security policies AND create users. The system grants the union of permissions.
Important Values and Defaults
Maximum number of Global Administrators: Microsoft recommends no more than 5. There is no hard limit but best practice is to keep it low.
Role-assignable groups: Must have isAssignableToRole property set to true at creation. Cannot be changed later.
Administrative unit limits: A tenant can have up to 300 administrative units. Each AU can have up to 10,000 members.
Role assignment propagation: Changes take effect within 5 minutes (not instant).
Summary of Role Categories
Global roles: Global Administrator, Global Reader
Security roles: Security Administrator, Security Reader, Conditional Access Administrator, Authentication Administrator, Privileged Authentication Administrator
User management roles: User Administrator, Helpdesk Administrator, Password Administrator
Application roles: Application Administrator, Cloud Application Administrator
Billing roles: Billing Administrator, Billing Reader
Role management: Privileged Role Administrator
Exam Trap: 'Hybrid Identity Administrator' vs 'User Administrator'
Hybrid Identity Administrator can manage provisioning and sync (Azure AD Connect) but cannot create users or reset passwords. User Administrator can create users but cannot manage sync. They are different. Many exam questions combine these incorrectly.
Exam Trap: 'Security Administrator' vs 'Conditional Access Administrator'
Security Administrator can manage all security features including conditional access. Conditional Access Administrator can only manage conditional access policies. If the question says 'manage MFA settings', the answer is Security Administrator, not Conditional Access Administrator.
Exam Trap: 'Privileged Role Administrator' can assign Global Administrator
Many candidates think only Global Administrator can assign the Global Administrator role. In fact, Privileged Role Administrator can also assign it. However, Privileged Role Administrator cannot view audit logs or manage security policies — they can only manage roles.
Exam Trap: 'Application Administrator' vs 'Cloud Application Administrator'
Application Administrator can manage app registrations, enterprise apps, and app proxy. Cloud Application Administrator can manage app registrations and enterprise apps but NOT app proxy. Also, Cloud Application Administrator cannot manage consent to application permissions.
Exam Trap: Role assignments via PIM are not permanent
If a user is made eligible for a role via PIM, they do NOT have the role permissions until they activate it. The role assignment is 'eligible', not 'active'. This is a common exam point.
Exam Trap: Administrative unit scoping does not apply to all roles
Only roles that manage directory objects (users, groups, devices) can be scoped to an AU. Roles like Security Administrator, Billing Administrator, and Global Administrator cannot be scoped to an AU because their permissions are tenant-wide.
Exam Trap: 'Guest Inviter' role
This role allows users to invite guest users even if the 'Members can invite' setting is disabled. It does NOT allow managing existing users or groups. Many candidates confuse this with User Administrator.
Exam Trap: 'Directory Readers' role
This role can read basic directory information but cannot read security-sensitive data (like sign-in logs). It is less powerful than Global Reader.
Exam Trap: 'Reports Reader' role
This role can view usage reports and the audit log but cannot view sign-in logs or security reports. Security Reader can view sign-in logs. Distinguish carefully.
Exam Trap: Role inheritance is not transitive
If a group is assigned a role, and a user is a member of that group, the user gets the role. But if that group is a member of another group, the role does NOT propagate. Group nesting for role assignments is not supported.
Exam Trap: 'Privileged Authentication Administrator' vs 'Authentication Administrator'
Privileged Authentication Administrator can manage authentication methods for all users, including admins. Authentication Administrator cannot manage methods for admins. This is a classic exam distinction.
Exam Trap: 'Password Administrator' can reset passwords for non-admins only
Helpdesk Administrator can also reset passwords for non-admins. The difference: Helpdesk Administrator can also manage service requests. But both cannot reset passwords for admins. To reset admin passwords, you need Global Administrator or Privileged Authentication Administrator.
Exam Trap: 'Global Administrator' can manage everything except...
Actually, Global Administrator can manage everything. There is no exception. However, some tasks require additional licensing (e.g., Microsoft 365 Defender portal). But the role itself has full access.
Exam Trap: 'Security Operator' vs 'Security Reader'
Security Operator can read security information and perform certain actions (like dismiss alerts), but cannot manage policies. Security Reader is read-only. Exam may ask which role can dismiss an alert.
Exam Trap: 'Compliance Administrator' vs 'Security Administrator'
Compliance Administrator can manage compliance settings (e.g., retention policies, data classification) but not security policies like conditional access. Security Administrator can manage security but not compliance. They are separate.
Exam Trap: 'Intune Administrator' role
This role manages mobile device management (MDM) settings in Intune, not Azure AD settings. Exam may trick you by asking about managing device registration in Azure AD, which is done by 'Cloud Device Administrator' or 'Global Administrator'.
Exam Trap: 'Directory Synchronization Accounts' role
This role is used by Azure AD Connect and cannot be assigned to users. It is a system role. Exam may ask which role is used for sync.
Exam Trap: 'Global Administrator' can access all Azure subscriptions by default?
No. Global Administrator does NOT automatically get access to Azure subscriptions. The Global Administrator role in Entra ID does not grant Azure RBAC permissions. To manage Azure resources, the user must be assigned an Azure RBAC role (e.g., Owner, Contributor) on the subscription or resource. However, a Global Administrator can elevate access to gain User Access Administrator at the root management group. This is a separate feature.
Exam Trap: 'Billing Administrator' can manage subscriptions
Billing Administrator can view and manage billing aspects but cannot create or delete subscriptions. That requires Subscription Administrator or Azure RBAC Owner.
Exam Trap: 'Service Support Administrator' role
This role can open and manage service requests with Microsoft. It does not grant any other permissions. Exam may ask which role can open a support ticket.
Exam Trap: 'Directory Writers' role
This role is deprecated and should not be used. Exam may test that it is legacy.
Exam Trap: 'Privileged Role Administrator' vs 'Global Administrator' for PIM
Both can manage PIM settings. A common exam claim is that only Global Administrator can manage PIM for the Global Administrator role itself, on the reasoning that Privileged Role Administrator cannot elevate itself to GA without another GA's approval. That claim is incorrect: Privileged Role Administrator can assign GA to itself and so can become GA, and it can manage PIM for the GA role. What it cannot do is approve its own activation requests when approval is required. So the distinction is subtle.
Exam Trap: 'User Administrator' can manage groups but not security groups
User Administrator can create and manage all types of groups except role-assignable groups. To create a role-assignable group, you need Privileged Role Administrator or Global Administrator.
Exam Trap: 'Groups Administrator' role
This role can manage all groups, including role-assignable groups. It is more powerful than User Administrator for group management.
Exam Trap: 'External ID User Flow Administrator' and 'External ID User Flow Attribute Administrator'
These roles are for B2C tenants and are not tested heavily in AZ-500 (which focuses on Azure AD).
Exam Trap: 'Identity Governance Administrator' role
This role can manage access reviews, entitlement management, and terms of use. It is a relatively new role and may appear on the exam.
Exam Trap: 'Knowledge Administrator' and 'Knowledge Manager'
These are for Microsoft 365 and not relevant to Azure AD security. But exam may try to confuse.
Exam Trap: 'Teams Administrator' and 'Teams Communications Administrator'
These are for Microsoft Teams, not Azure AD. Ignore for AZ-500.
Exam Trap: 'Exchange Administrator' and 'SharePoint Administrator'
These are for Exchange Online and SharePoint Online, not Azure AD. But they appear in the same list of directory roles because they are part of Microsoft 365. However, for AZ-500, focus on security-related roles.
Exam Trap: 'Hybrid Identity Administrator' can manage PTA and ADFS
Yes, this role can manage pass-through authentication and federation settings. It is important for hybrid identity scenarios.
Exam Trap: 'Security Administrator' can manage Identity Protection
Yes, they can. Conditional Access Administrator cannot.
Exam Trap: 'Security Reader' can view Identity Protection reports
Yes, but cannot dismiss risks. Security Operator can dismiss risks.
Exam Trap: 'Global Administrator' can register applications
Yes, but so can Application Administrator and Cloud Application Administrator. The difference is scope: GA can register apps in any context, while Application Administrator can only register apps (but not consent to permissions for all users).
Exam Trap: 'Application Administrator' can consent to application permissions for all users
No, only Cloud Application Administrator can consent for all users (and GA). Application Administrator can consent only on behalf of themselves.
Exam Trap: 'Cloud Application Administrator' cannot manage service principals
Actually, they can. Both Application Administrator and Cloud Application Administrator can manage service principals. The difference is app proxy and consent.
Exam Trap: 'Privileged Authentication Administrator' can reset passwords for admins
The answer turns on password reset being a separate action from managing authentication methods. Password Administrator and Helpdesk Administrator can reset passwords for non-admins only. Per the Microsoft documentation, 'Privileged Authentication Administrator' can manage authentication methods for all users, including admins, but password reset is a different action. The 'Reset password' permission is included in 'Helpdesk Administrator' and 'User Administrator' for non-admins, and in 'Global Administrator' for admins. So Privileged Authentication Administrator cannot reset passwords unless it also holds that permission. This is a common confusion: the exam may test that Privileged Authentication Administrator can manage MFA settings for admins but not reset their passwords.
Given the depth, I will stop here. The key is to know the exact permissions of each role and the traps.
Configuration and Verification Commands
To check effective permissions of a user:
# Using AzureAD module (deprecated; prefer the Microsoft Graph PowerShell cmdlets below)
Get-AzureADDirectoryRole -Filter "displayName eq 'User Administrator'"
Get-AzureADDirectoryRoleMember -ObjectId <role-id>
# Using Microsoft Graph PowerShell
Get-MgDirectoryRole -Filter "displayName eq 'User Administrator'"
Get-MgDirectoryRoleMember -DirectoryRoleId <role-id>
To assign a role via Azure CLI:
az rest --method post --url 'https://graph.microsoft.com/v1.0/directoryRoles/<role-id>/members/$ref' --body '{"@odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/<user-id>"}'
Note: az role assignment create operates on Azure RBAC, not directory roles; for a directory role, call the Microsoft Graph endpoint through az rest as shown.
Interaction with Related Technologies
Azure RBAC: Directory roles control access to Entra ID; Azure RBAC controls access to Azure resources. They are separate but can be used together. A Global Administrator in Entra ID does not automatically have Azure RBAC permissions.
PIM: Adds time-bound activation to directory roles.
Conditional Access: Can be managed by Security Administrator and Conditional Access Administrator, but not by other roles.
Identity Protection: Managed by Security Administrator and Security Operator.
Access Reviews: Managed by Identity Governance Administrator.
Entitlement Management: Managed by Identity Governance Administrator.
Summary
Built-in directory roles are the foundation of identity governance in Azure AD. The exam expects you to know the exact permissions of the most common roles, which roles can delegate, and how scoping works via administrative units. Focus on the traps listed above and practice with sample questions.
Identify Required Task
Start by identifying the specific administrative task that needs to be performed, such as resetting a user's password, managing conditional access policies, or assigning roles. The exam will often describe a scenario where a junior admin needs to perform a subset of tasks. Write down the exact actions required (e.g., 'reset non-admin passwords', 'manage MFA settings', 'create user accounts'). This step is critical because each built-in role has a fixed set of permissions; you must match the task to the role that includes those permissions and no more. Common mistake: choosing a role that can do the task but also has many extra permissions, violating least privilege.
List Candidate Roles
Based on the task, list all built-in roles that include the required permissions. For example, if the task is to reset passwords for non-admin users, candidate roles include Helpdesk Administrator, User Administrator, Password Administrator, and Global Administrator. If the task is to manage conditional access, candidate roles include Security Administrator and Conditional Access Administrator. Use your knowledge of role permissions (memorize the key roles from the core explanation). The exam will often present a list of roles; you must select the one that fits best. Note that some roles may overlap; you need to choose the least privileged one that still covers all required tasks.
Apply Least Privilege Principle
From the candidate list, eliminate any role that grants permissions beyond what is required. For password reset for non-admins, Global Administrator and User Administrator are overprivileged because they can also create users, manage licenses, etc. The best choice is Helpdesk Administrator (or Password Administrator, which is more limited but still can reset passwords). For managing conditional access, Conditional Access Administrator is more restrictive than Security Administrator (which can also manage MFA, Identity Protection, etc.). The exam heavily tests least privilege; always choose the role that has exactly the needed permissions and nothing extra.
Consider Scope and Delegation
Determine whether the role needs to apply tenant-wide or only to a subset of users. If the scope should be limited, check if the role supports administrative unit scoping. For example, User Administrator can be scoped to an AU, but Security Administrator cannot. If the task is to manage users in a specific department, create an AU for that department and assign the User Administrator role scoped to that AU. If the role does not support AU scoping, you may need to use a different role or accept tenant-wide scope. Also consider if the assignment should be made via a group for easier management. The exam may ask: 'How can you allow an admin to manage only users in the Sales department?' The answer: create an AU and assign User Administrator scoped to that AU.
Assign and Verify
Assign the role to the user or group using the Azure Portal, PowerShell, or Microsoft Graph API. In the portal, navigate to Azure AD > Roles and administrators, select the role, click Add assignments, choose the user/group, and specify the scope (if applicable). After assignment, verify that the user can perform the intended task. Note that changes may take up to 5 minutes to propagate. Use audit logs to confirm the assignment. The exam may include a step where you need to check if a user has a role; use `Get-AzureADDirectoryRoleMember` or the portal. Common trap: forgetting to set the scope correctly, leading to the admin having access to all users instead of only the intended AU.
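The five-step selection procedure above as an added Python example, not part of the original chapter: a constructed role catalogue, candidate listing (step 2), least-privilege ranking (step 3) and the AU-scope check (step 4). The action names and per-role sets are assumptions for the exercise, not the real Entra ID role definitions.

```python
# Constructed, simplified role catalogue: role -> actions it grants. "*" means
# every action (Global Administrator). These sets are an assumption for the
# exercise, not the real Entra ID role definitions.
ROLES = {
    "Global Administrator": {"*"},
    "User Administrator": {"users/create", "users/delete", "users/password/reset",
                           "users/license/assign", "groups/manage"},
    "Helpdesk Administrator": {"users/password/reset", "users/signout/revoke",
                               "serviceRequests/manage"},
    "Password Administrator": {"users/password/reset"},
    "Security Administrator": {"conditionalAccess/manage", "mfa/manage",
                               "identityProtection/manage"},
    "Conditional Access Administrator": {"conditionalAccess/manage"},
}
ALL_ACTIONS = set().union(*(a for a in ROLES.values() if a != {"*"}))
# Roles that accept an administrative-unit scope in this model (assumed subset).
AU_SCOPABLE = {"User Administrator", "Helpdesk Administrator", "Password Administrator"}


def expand(role):
    """Actions a role grants, with "*" expanded to the whole catalogue."""
    acts = ROLES[role]
    return set(ALL_ACTIONS) if "*" in acts else set(acts)


def candidates(required):
    """Step 2: every role whose actions cover the required set."""
    return [r for r in ROLES if required <= expand(r)]


def rank_least_privilege(required, au_scoped=False):
    """Steps 3 and 4: order candidates by how many extra permissions they carry,
    dropping roles that cannot take an AU scope when the assignment must be
    limited to an administrative unit."""
    ranked = []
    for role in candidates(required):
        if au_scoped and role not in AU_SCOPABLE:
            continue
        extras = expand(role) - required
        ranked.append((len(extras), role, sorted(extras)))
    ranked.sort(key=lambda t: (t[0], t[1]))
    return ranked


def choose_role(required, au_scoped=False):
    """Best match, or None when no candidate satisfies the scope requirement;
    the caller then assigns and verifies (step 5)."""
    ranked = rank_least_privilege(required, au_scoped)
    return ranked[0][1] if ranked else None


if __name__ == "__main__":
    tasks = [
        ({"users/password/reset", "users/signout/revoke"}, False),
        ({"conditionalAccess/manage"}, False),
        ({"conditionalAccess/manage", "mfa/manage"}, False),
        ({"users/create"}, True),               # must be limited to one AU
        ({"conditionalAccess/manage"}, True),   # no AU-scopable role covers this
    ]
    for required, au in tasks:
        print(sorted(required), "AU-scoped" if au else "tenant-wide",
              "->", choose_role(required, au))
```

Because the constructed catalogue includes Password Administrator, a bare password-reset task ranks it ahead of Helpdesk Administrator, which matches the remark in step 3 that it is the more limited of the two.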
Enterprise Scenario 1: Delegating User Management to Regional IT Teams
A global company with offices in North America, Europe, and Asia wants to give local IT support teams the ability to reset passwords and manage user accounts for their region only. The solution: create three administrative units (North America, Europe, Asia) and assign the 'User Administrator' role scoped to each AU. Each regional IT team gets the role scoped to their AU. They can create users, reset passwords, and manage groups within their region but cannot touch users in other regions. This reduces the blast radius: if a regional admin account is compromised, only that region is affected. In production, the company uses Azure AD PIM to make the assignments eligible with approval workflows and time limits. Performance is not an issue because administrative unit checks are efficient. Common misconfiguration: forgetting to scope the role, granting tenant-wide User Administrator access to all regional IT staff, violating least privilege. Audit logs quickly reveal this if reviewed.
Enterprise Scenario 2: Segregating Security and Compliance Duties
A financial institution needs to comply with regulatory requirements that separate security policy management from compliance policy management. The security team manages conditional access, MFA, and Identity Protection; the compliance team manages data classification, retention labels, and DLP. The solution: assign 'Security Administrator' to the security team and 'Compliance Administrator' to the compliance team. Note that 'Compliance Administrator' is a Microsoft 365 role but appears in the same list; it is a built-in directory role. The security team cannot modify compliance policies, and the compliance team cannot modify conditional access. This satisfies separation of duties. In production, the company also uses 'Global Reader' for auditors who need read-only access to both security and compliance configurations. Common pitfall: assigning 'Global Administrator' to both teams for simplicity, which breaks compliance requirements and increases risk. The exam tests this exact scenario.
Enterprise Scenario 3: Managing Guest User Invitations
A software company wants to allow all employees to invite external partners as guest users, but the default setting 'Members can invite' is disabled for security reasons. The solution: assign the 'Guest Inviter' role to a specific group of employees who handle partner onboarding. This role allows inviting guests even when the tenant-wide setting is disabled. The role does not grant any other permissions, so it is highly restrictive. In production, the company uses a role-assignable group for the Guest Inviter role, making it easy to add/remove employees. Common misconfiguration: assuming that 'User Administrator' is needed to invite guests, which would give too much power. The exam often presents a scenario where you need to enable guest invitations without granting broader admin rights.
Enterprise Scenario 4: Emergency Break-Glass Accounts
A large enterprise maintains two emergency break-glass accounts that are assigned the 'Global Administrator' role permanently. These accounts have long, complex passwords stored in a vault and are monitored for any usage. All other admin accounts use PIM with just-in-time activation. This is a best practice: have a few permanent Global Administrators for emergencies, but use PIM for day-to-day admin work. The exam may ask about break-glass accounts: they should be cloud-only (not synced from on-premises) and excluded from conditional access policies that could block access. The number of break-glass accounts should be at least two to avoid a single point of failure.
What Goes Wrong When Misconfigured
Overprivileged admins: Assigning Global Administrator to too many users increases the risk of credential compromise and insider threats. The exam emphasizes keeping GA count under 5.
Wrong role selection: Assigning 'User Administrator' instead of 'Helpdesk Administrator' for password resets gives the helpdesk ability to create users, which they should not have.
Scope mistakes: Assigning a role without AU scoping when it should be scoped, or assigning a role that cannot be scoped to an AU (like Security Administrator) to a subset of users — this does not work.
Group assignment issues: Creating a group for role assignment without setting the isAssignableToRole flag, then wondering why the assignment fails.
PIM activation problems: Users not activating their role in time or misunderstanding that eligible does not mean active.
Understanding these real-world deployments helps you answer scenario-based exam questions correctly.
What AZ-500 Tests on This Topic (Objective 1.1)
Exam objective: 'Manage identity and access' includes subtasks like 'assign built-in roles' and 'implement least privilege'. Specific questions will ask:
Which role can perform a given task? (e.g., resetting passwords, managing conditional access)
How to delegate administration to a subset of users? (administrative units)
How to implement just-in-time administration? (PIM)
How to separate duties? (use different roles for security and compliance)
The 3-4 Most Common Wrong Answers and Why Candidates Choose Them
Choosing 'Global Administrator' for everything — Candidates think it's the safest because it always works. But the exam penalizes overprivilege. Always pick the least privileged role that can do the task.
Confusing 'Security Administrator' with 'Conditional Access Administrator' — Many candidates think Conditional Access Administrator can manage all security features, but it can only manage conditional access policies. Security Administrator is broader.
Confusing 'User Administrator' with 'Helpdesk Administrator' — Both can reset passwords for non-admins, but User Administrator can also create users and manage groups. For password reset only, Helpdesk Administrator is correct.
Thinking 'Privileged Role Administrator' cannot assign Global Administrator — Many believe only GA can assign GA. In fact, Privileged Role Administrator can assign any role, including GA. This is a classic trap.
Specific Numbers, Values, and Terms That Appear Verbatim on the Exam
Maximum recommended Global Administrators: 5
Administrative unit limit: 300 per tenant, 10,000 members per AU
Role-assignable group: Must have isAssignableToRole set to true at creation
Propagation time: Up to 5 minutes
PIM activation: Eligible vs. active; time-limited activation
Break-glass accounts: Cloud-only, excluded from CA policies, at least 2
Edge Cases and Exceptions the Exam Loves to Test
Roles that cannot be scoped to AUs: Security Administrator, Billing Administrator, Global Administrator, Privileged Role Administrator, etc.
Roles that can manage authentication methods for admins: Privileged Authentication Administrator (not Authentication Administrator)
Roles that can consent to application permissions for all users: Cloud Application Administrator (not Application Administrator)
Roles that can manage role-assignable groups: Groups Administrator, Privileged Role Administrator, Global Administrator
Guest Inviter role: Works even if 'Members can invite' is disabled
Password reset for admins: only Global Administrator can reset another GA's password. For other admins, Privileged Authentication Administrator can manage authentication methods but cannot necessarily reset passwords (that requires additional permission).
How to Eliminate Wrong Answers Using the Underlying Mechanism
Identify the exact permissions needed from the question. Break down the task into actions (e.g., 'reset password', 'manage MFA', 'create user').
Map actions to roles using your knowledge. If a role cannot perform one of the required actions, eliminate it.
Apply least privilege: Among the remaining roles, choose the one with the fewest extra permissions.
Check scope: If the question mentions a subset of users, ensure the role supports AU scoping. If not, that role is wrong.
Look for delegation verbs: If the question says 'delegate', 'assign', 'manage roles', the answer is likely Privileged Role Administrator or Global Administrator.
Watch for 'eligible' vs 'active': If PIM is mentioned, the role assignment is not permanent.
Practice with sample questions to internalize these patterns.
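The elimination procedure above, mechanised as an added example (it is not code from the chapter or from Microsoft): the role table is transcribed from this chapter's quick comparison of roles, the action names are constructed labels of my own, and treating Guest Inviter as tenant-wide is my assumption since the chapter does not state its AU scoping.

```python
"""Least-privilege role picker following the chapter's elimination steps.

ROLES is a constructed, deliberately incomplete table transcribed from this
chapter's role comparison; it is an exam-reasoning aid, not the full Entra ID
permission model.
"""

ROLES = {
    # role name: (actions the chapter says the role can perform, AU-scopable?)
    "Global Administrator": ({"create_user", "manage_groups", "reset_password_nonadmin",
                              "reset_password_admin", "manage_licenses", "manage_ca",
                              "manage_mfa", "manage_identity_protection", "view_signin_logs",
                              "assign_role", "manage_pim", "force_signout", "invite_guest"},
                             False),
    "Privileged Role Administrator": ({"assign_role", "manage_pim"}, False),
    "Security Administrator": ({"manage_ca", "manage_mfa", "manage_identity_protection",
                                "view_signin_logs"}, False),
    "Conditional Access Administrator": ({"manage_ca"}, False),
    "User Administrator": ({"create_user", "manage_groups", "reset_password_nonadmin",
                            "manage_licenses"}, True),
    "Helpdesk Administrator": ({"reset_password_nonadmin", "force_signout"}, True),
    # Assumption: the chapter does not say whether Guest Inviter is AU-scopable.
    "Guest Inviter": ({"invite_guest"}, False),
}


def eliminate(required, subset_of_users=False):
    """Steps 2 and 4: map every role to the reason it is ruled out, or None."""
    verdict = {}
    for name, (actions, au_ok) in ROLES.items():
        missing = required - actions
        if missing:
            verdict[name] = "cannot: " + ", ".join(sorted(missing))
        elif subset_of_users and not au_ok:
            verdict[name] = "cannot be scoped to an administrative unit"
        else:
            verdict[name] = None
    return verdict


def least_privileged_role(required, subset_of_users=False):
    """Step 3: of the surviving roles, pick the one with the fewest extra actions.
    Returns None when no single built-in role fits (e.g. an AU-scoped security task)."""
    survivors = [n for n, why in eliminate(required, subset_of_users).items() if why is None]
    if not survivors:
        return None
    return min(survivors, key=lambda n: len(ROLES[n][0] - required))


if __name__ == "__main__":
    print(least_privileged_role({"reset_password_nonadmin"}, subset_of_users=True))
    print(least_privileged_role({"manage_ca"}, subset_of_users=True))  # None: step 4 trap
```

Step 6 of the procedure is not modelled: if the question mentions PIM, the chosen role is eligible, not active, until the user activates it.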
Built-in directory roles control access to Entra ID, not Azure resources. Azure RBAC is separate.
The least privileged role for password reset for non-admins is Helpdesk Administrator (or Password Administrator).
Privileged Role Administrator can assign any directory role, including Global Administrator.
Security Administrator can manage conditional access, MFA, Identity Protection, and security defaults. Conditional Access Administrator can only manage conditional access policies.
Only roles that manage directory objects (users, groups, devices) can be scoped to administrative units. Security roles cannot.
Role-assignable groups must have the isAssignableToRole flag set at creation; it cannot be changed later.
PIM eligible assignments do not grant permissions until activated. Active assignments grant permissions immediately.
Global Administrator does not automatically get Azure RBAC permissions. Elevation is a separate feature.
Guest Inviter role allows inviting guests even if 'Members can invite' is disabled.
Break-glass accounts should be cloud-only, excluded from CA policies, and at least two in number.
Maximum recommended Global Administrators is 5.
Propagation of role assignments takes up to 5 minutes.
These come up on the exam all the time. Here's how to tell them apart.
Security Administrator
Can manage all security features: conditional access, MFA, Identity Protection, security defaults
Can view sign-in logs and audit logs
Can manage security settings across the tenant
Cannot create users or reset passwords
Cannot be scoped to an administrative unit
Conditional Access Administrator
Can only manage conditional access policies
Cannot manage MFA settings or Identity Protection
Cannot view sign-in logs (read access to security information is limited)
Cannot manage other security features
Cannot be scoped to an administrative unit
User Administrator
Can create and manage users and groups
Can reset passwords for non-admin users
Can manage user licenses
Can manage all aspects of user accounts
Can be scoped to an administrative unit
Helpdesk Administrator
Can only reset passwords for non-admin users
Can force sign-out for users
Can manage service requests
Cannot create users or manage groups
Can be scoped to an administrative unit
Global Administrator
Has full access to all Entra ID features
Can manage security, billing, users, etc.
Can assign any role, including GA
Can reset passwords for any user, including other GAs
Recommended to have fewer than 5
Privileged Role Administrator
Can manage role assignments and PIM
Cannot manage security policies or user accounts directly
Can assign any role, including GA
Cannot reset passwords or manage users
Nearly as powerful as GA but with narrower scope
Authentication Administrator
Can manage authentication methods for non-admin users
Cannot reset passwords for non-admin users (password reset is a separate permission)
Cannot manage authentication methods for admins
Can require users to re-register MFA
Cannot manage admin accounts
Privileged Authentication Administrator
Can manage authentication methods for all users, including admins
Cannot reset passwords for admins (password reset is a separate permission), but can manage their MFA
Can manage admin authentication methods
Can require all users to re-register MFA
More privileged than Authentication Administrator
Mistake
Global Administrator automatically has access to all Azure subscriptions.
Correct
No. Global Administrator in Entra ID does not grant any Azure RBAC permissions. To manage Azure resources, the user must be assigned an Azure RBAC role (e.g., Owner, Contributor) on the subscription or resource. However, a Global Administrator can elevate access to gain User Access Administrator at the root management group, but this is a separate manual step.
Mistake
Privileged Role Administrator cannot assign the Global Administrator role.
Correct
False. Privileged Role Administrator can assign any directory role, including Global Administrator, to themselves or others. This makes them nearly as powerful as Global Administrator. The only limitation is that they cannot manage PIM for the Global Administrator role if approval is required, but they can assign it directly.
Mistake
Security Administrator and Conditional Access Administrator are interchangeable.
Correct
No. Security Administrator can manage all security features (conditional access, MFA, Identity Protection, security defaults). Conditional Access Administrator can only manage conditional access policies. If the task includes managing MFA settings, Security Administrator is required.
Mistake
Administrative units can be used with any built-in role.
Correct
No. Only roles that manage directory objects (users, groups, devices) support administrative unit scoping. Roles like Security Administrator, Billing Administrator, and Global Administrator cannot be scoped to an AU because their permissions are tenant-wide.
Mistake
A user assigned a role via PIM immediately has the role permissions.
Correct
No. PIM creates an 'eligible' assignment. The user must activate the role (e.g., via the PIM portal) for a limited time before they have the permissions. Until activation, they have no role permissions. This is a key exam point.
A built-in directory role (e.g., Global Administrator) grants permissions to manage Azure Active Directory (Entra ID) itself — user accounts, groups, security policies, etc. An Azure RBAC role (e.g., Owner, Contributor) grants permissions to manage Azure resources like virtual machines, storage accounts, and networks. They are separate systems. A Global Administrator does not automatically have Azure RBAC permissions. To manage Azure resources, you need an Azure RBAC role assignment at the subscription or resource group scope.
Yes, but the group must be created with the 'isAssignableToRole' property set to true. This can only be set at group creation time and cannot be changed later. The group must be a cloud-only or synchronized Azure AD-joined group (not a distribution group or Microsoft 365 group). This allows you to manage role assignments by adding/removing group members.
An administrative unit (AU) is a container of users and groups that allows you to restrict the scope of a role assignment. For example, you can create an AU for the Sales department and assign the User Administrator role scoped to that AU. The assignee can then manage only the users and groups in the Sales AU. Not all roles support AU scoping; only roles that manage directory objects (users, groups, devices) can be scoped. Security roles like Security Administrator cannot be scoped to an AU.
PIM allows you to make role assignments 'eligible' instead of 'active'. An eligible user must activate the role for a limited time (e.g., 1 hour) before they can use the permissions. Activation may require approval, multi-factor authentication, and a reason. This reduces standing access and follows just-in-time administration. PIM does not change the permissions of the role itself; it only adds a time-limited activation step.
The Security Administrator role can manage all security features, including conditional access policies, MFA settings, Identity Protection, and security defaults. The Conditional Access Administrator role can only manage conditional access policies. If a task involves managing MFA or Identity Protection, you need Security Administrator. If it only involves conditional access, Conditional Access Administrator is sufficient and is the least-privileged choice.
Yes. Privileged Role Administrator can assign any directory role, including Global Administrator, to themselves or others. This makes them nearly as powerful as Global Administrator. However, they cannot manage other aspects like security policies or user accounts directly. The exam often tests this as a trap: many candidates think only Global Administrator can assign the GA role.
The Guest Inviter role allows users to invite external guest users to the tenant, even if the 'Members can invite' setting is disabled. This role grants no other permissions. It is useful when you want to allow a specific group of employees to invite partners without giving them broader administrative rights. It is a least-privilege alternative to User Administrator or Global Administrator for guest invitations.