ASD's Blueprint for Secure Cloud

Role Based Access Control

This section describes the design decisions associated with Role Based Access Control within Microsoft 365 Services for system(s) built using ASD's Blueprint for Secure Cloud.

Estimated reading time: 3 minutes

Role Based Access Control (RBAC) is not a new concept. Microsoft’s implementation of RBAC in the context of Microsoft 365 is the process and mechanism of maintaining the principal of least privilege within an environment. Roles therefore define what the role holder can do, who is granted the role, and where the scope of the role is valid. The following list provides an overview of the concepts associated with RBAC:

  • Security Principal: The identity assigned a role and given permissions for a specific task
  • Role Group: A collection of permissions
  • Management Role: A specific permission defined for a particular workload such as Exchange Online or Teams
  • Role Assignment: Assignment of a Role Group to a Security Principal
  • Scoping: Restricting the Role Assignment to a defined set of resources or objects

Many of the workloads within Microsoft 365 can be managed through use of one or more default administrative roles defined within Entra ID; however, there are a lot of Microsoft 365 workloads that employ their own RBAC concepts as well as maintaining some overlap with Entra ID. This overlap varies according to the workload. Roles supported by each product are outlined below:

Microsoft 365 ServiceMicrosoft 365 / Service Role Descriptions
Admin roles in MicrosoftMicrosoft 365 admin roles
Exchange OnlineExchange role-based access control
SharePoint OnlineSharePoint admin role in Microsoft 365
TeamsTeams Administrator roles
Defender for Office 365 and PurviewDefender for Office 365 roles
Azure Information ProtectionEntra built-in roles
Microsoft Defender for Cloud AppsRole-based access control
Azure Advanced Threat ProtectionAzure ATP role groups
Windows Defender Advanced Threat ProtectionWindows Defender ATP role-based access control
IntuneIntune role-based access control
Power PlatformPower Platform Service Admin Roles
Dataverse Security Roles
System and Application (Built In) Users

Privileged Identity Management

Privileged Identity Management (PIM) can be leveraged to enhance the RBAC model for Entra ID role-based management access and other workloads. PIM requests are made through the Entra portal for elevated access only when required, and for a defined period of time.

PIM enables assignment of the following default Microsoft 365 roles:

  • Exchange administrator
  • Exchange recipient administrator
  • SharePoint administrator
  • Teams administrator
  • Teams Communications administrator
  • Teams Communications support engineer
  • Teams Communications support specialist
  • Power BI Administrator
  • Power Platform administrator
  • Customer Lockbox Administrator
  • Intune administrator
  • Office Apps administrator
  • Message Center Privacy Reader
  • Message Center Reader
  • Security administrator
  • Security reader

Security & Governance




Do you have a suggestion on how the above page could be improved? Get in touch! ASD's Blueprint for Secure Cloud is an open source project, and we would love to get your input. Submit an issue on our GitHub, or send us an email at

Acknowledgement of Country icon

Acknowledgement of Country
We acknowledge the Traditional Owners and Custodians of Country throughout Australia and their continuing connections to land, sea and communities. We pay our respects to them, their cultures and their Elders; past, present and emerging. We also recognise Australia's First Peoples' enduring contribution to Australia's national security.

Authorised by the Australian Government, Canberra