Platform roles required for specific tasks
The following table lists the Cloud Commander platform roles required to perform individual Cloud Commander tasks.
A platform role is a set of permissions and privileges that you assign to users and groups in Cloud Commander scoped to a specific set of customers. These roles determine what actions users and groups can see and perform in Cloud Commander. See Assign platform roles for instructions to assign platform roles to groups and users.
Cloud Commander task | Required platform role(s) |
---|---|
Add a group | User Groups Administrators |
Add a user | User Administrators |
Add or remove group owners and members | User Groups Administrators |
Add or remove channel owners and members | Microsoft Teams Writer |
Add or remove team owners and members | Microsoft Teams Writer |
Add subscriptions | License Administrator Subscription Management Product and Subscription Administrators |
Add users to groups | Users reader or User Administrators User Group Administrators |
Apply compliance policies | Microsoft Endpoint Manager Device Configuration and Policies Writer |
Apply configuration profiles | Microsoft Endpoint Manager Device Configuration and Policies Writer |
Archive or delete teams | Microsoft Teams Writer |
Assign Microsoft Entra ID roles to users | Users reader or User Administrators Role Administrators Microsoft Entra Role Writer |
Assign licenses | License Administrators or a customer assigned delegated license administration |
Azure Management Audit Logs | Audit Administrators |
Command logs | Command Block Job Log Reader |
Configure delegated license administration | Administrators |
Configure email forwarding for a mailbox | Microsoft Exchange Online Writer |
Configure Hybrid Identity environment | Administrators |
Configure Out of Office automatic replies | Microsoft Exchange Online Writer |
Convert a mailbox | Microsoft Exchange Online Writer |
Create a shared mailbox | Microsoft Exchange Online Writer |
Create a channel | Microsoft Teams Writer |
Create a new team | Microsoft Teams Writer |
Offboard your MSP organization | Administrators Partner Center Administrators |
Delete channels | Microsoft Teams Writer |
Delete groups | User Groups Administrators |
Delete a shared mailbox | Microsoft Exchange Online Writer |
Delete users | User Administrators |
Discover indirect CSP customers' Azure subscriptions | Administrators |
Edit group details | User Groups Administrators |
Edit mailbox details | Microsoft Exchange Online Writer |
Edit subscriptions | License Administrator Subscription Management Product and Subscription Administrators |
Edit channel details | Microsoft Teams Writer |
Edit team details | Microsoft Teams Writer |
Edit users | User Administrators |
Hide a distribution group from the Global Address List | User Groups Administrators |
Make a tenant inactive | Administrators |
Manage mailbox delegation | Microsoft Exchange Online Writer |
Manage platform roles (view, assign, remove) | User Administrators or User Groups Administrators Role Administrators |
Manage platform user groups | User Administrators or User Groups Administrators Role Administrators |
Manage risky users | Identity Protection Writer |
Microsoft Available Licenses report | Partner Center Customer Reader or a customer assigned delegated license administration |
Microsoft Secure Score report | Microsoft Secure Scores Reader |
Modify service plans | License Administrators or a customer assigned delegated license administration |
Onboard new tenants | Administrators Partner Center Administrators |
Perform actions on Intune managed devices | Microsoft Endpoint Manager Device Writer |
Perform actions on virtual machines | Start, Restart, Stop: Azure Management Resource Writer or Admin Deallocate: Azure Management Resource Admin |
Perform actions on Windows 365 Cloud PCs | Microsoft Windows 365 Writer |
Reauthenticate your MSP organization | Administrators Partner Center Administrators |
Remove Microsoft Entra ID role assignments | Users reader or User Administrators Microsoft Entra Role Writer |
Remove non-CSP tenants | Administrators |
Remove users from groups | Users reader or User Administrators User Group Administrators |
Request additional permissions for tenants | Administrators |
Reset all multi-factor authentications for user | Users reader or User Administrators Microsoft Entra ID Authentication Methods Writer |
Reset authentication methods | Microsoft Entra ID Authentication Methods Writer |
Reset user password | User Administrators |
Revoke user sessions — authentication methods list | User Administrators Identity Protection Writer |
Revoke user sessions — User list | User Administrators Identity Protection Writer |
Run user actions | Users reader or User Administrators Plus the role for action type: |
Hide or show a mailbox | Microsoft Exchange Online Writer |
Remove user licenses | License Administrators or a customer assigned delegated license administration |
View Azure Alerts | Azure Management Resource Reader or Writer or Admin |
View Azure Dashboard | Azure Management Resource Reader or Writer or Admin |
View Azure resources and details | Azure Management Resource Reader or Writer or Admin |
View Azure subscriptions | Azure Management Resource Reader or Writer or Admin |
View channels and details | Microsoft Teams Reader or Writer |
View Conditional Access policies | Administrators Identity Protection Reader |
View groups and group details | User Groups Administrators |
View Intune managed devices and details | Microsoft Endpoint Manager Device Reader or Writer |
View mailboxes and details | Microsoft Exchange Online Reader or Writer |
View performance for virtual machines | Azure Management Resource Reader or Writer or Admin |
View product licenses and user assignments | License Administrator |
View risky users | Identity Protection Writer or Reader |
View subscriptions and subscription details | License Administrator Subscription Management |
View teams and details | Microsoft Teams Reader or Writer |
View tenant settings | Administrators Microsoft Endpoint Manager Device Reader or Writer Microsoft SharePoint Online Reader or Writer |
View user authentication methods | Microsoft Entra ID Authentication Methods Reader or Writer |
View users and user details | Users reader |
View virtual machines | Azure Management Resource Reader or Writer or Admin |
View Windows 365 Cloud PCs and details | Microsoft Endpoint Manager Device Reader or Writer |
Updated: Nov 20, 2024