Conditional Access Administrator

Privileged
Control Plane
Security
Role Actions: 13
Control Plane: 9
Management Plane: 4
User Access: 0
Unclassified: 0

Template ID: b1be1c3e-b65d-4f19-8427-f6fa0d97feb9
Category: Security
EAM Tier: Control Plane (Tier 0)
Enterprise Access Model: Control Plane

Full control of the tenant. Compromise leads to complete takeover. Isolate from lower planes.

Description

Users with this role have the ability to manage Microsoft Entra Conditional Access settings. Note: To deploy Exchange ActiveSync Conditional Access policy in Azure, the user must also be Global Administrator.

Full permissions

All 13 role actions of this role, classified by EAM tier.

| Role Action | Category | Tier |
| --- | --- | --- |
| microsoft.directory/conditionalAccessPolicies/basic/update | Conditional Access | Tier 0 |
| microsoft.directory/conditionalAccessPolicies/create | Conditional Access | Tier 0 |
| microsoft.directory/conditionalAccessPolicies/delete | Conditional Access | Tier 0 |
| microsoft.directory/conditionalAccessPolicies/owners/update | Conditional Access | Tier 0 |
| microsoft.directory/conditionalAccessPolicies/tenantDefault/update | Conditional Access | Tier 0 |
| microsoft.directory/namedLocations/basic/update | Conditional Access | Tier 0 |
| microsoft.directory/namedLocations/create | Conditional Access | Tier 0 |
| microsoft.directory/namedLocations/delete | Conditional Access | Tier 0 |
| microsoft.directory/resourceNamespaces/resourceActions/authenticationContext/update | Conditional Access | Tier 0 |
| microsoft.directory/conditionalAccessPolicies/owners/read | Tenant Configuration (Reader) | Tier 1 |
| microsoft.directory/conditionalAccessPolicies/policyAppliedTo/read | Tenant Configuration (Reader) | Tier 1 |
| microsoft.directory/conditionalAccessPolicies/standard/read | Tenant Configuration (Reader) | Tier 1 |
| microsoft.directory/namedLocations/standard/read | Tenant Configuration (Reader) | Tier 1 |

13 of 13 role actions

PowerShell

Get-MgRoleManagementDirectoryRoleDefinition `
  -UnifiedRoleDefinitionId "b1be1c3e-b65d-4f19-8427-f6fa0d97feb9"

Microsoft Graph

GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions/b1be1c3e-b65d-4f19-8427-f6fa0d97feb9
See the official documentation on Microsoft Learn
