Platform roles required for specific tasks

The following table lists the Cloud Commander platform roles required to perform individual Cloud Commander tasks.

A platform role is a set of permissions and privileges that you assign to users and groups in Cloud Commander. These roles determine what actions users and groups can see and perform in Cloud Commander. See Assign platform roles for instructions to assign platform roles to groups and users.

| Cloud Commander task | Required platform role(s) |
| --- | --- |
| Add a group | User Groups Administrators |
| Add a user | User Administrators |
| Add or remove group members | User Groups Administrators |
| Add subscriptions | License Administrator<br>Subscription Management<br>Product and Subscription Administrators |
| Add users to groups | Users reader or User Administrators<br>User Group Administrators |
| Apply compliance policies | Microsoft Endpoint Manager Device Configuration and Policies Writer |
| Apply configuration profiles | Microsoft Endpoint Manager Device Configuration and Policies Writer |
| Assign Microsoft Entra ID roles | Users reader or User Administrators<br>Role Administrators<br>Microsoft Entra Role Writer |
| Assign Microsoft Entra ID roles to users | Users reader or User Administrators<br>Role Administrators<br>Microsoft Entra Role Writer |
| Assign licenses for users | License Administrators or a customer assigned delegated license administration |
| Assign platform roles to groups | User Groups Administrators<br>Role Administrators |
| Assign platform roles to users | Users reader or User Administrators<br>Role Administrators |
| Azure Management Audit Logs | Audit Administrators |
| Command logs | Command Block Job Log Reader |
| Configure delegated license administration | Administrators |
| Configure Hybrid Identity environment | Administrators |
| Delete groups | User Groups Administrators |
| Delete users | User Administrators |
| Edit group details | User Groups Administrators |
| Edit subscriptions | License Administrator<br>Subscription Management<br>Product and Subscription Administrators |
| Edit user licenses | License Administrators or a customer assigned delegated license administration |
| Edit users | User Administrators |
| Manage platform roles (view, assign, remove) | User Administrators or User Groups Administrators<br>Role Administrators |
| Manage platform user groups | User Administrators or User Groups Administrators<br>Role Administrators |
| Manage risky users | Identity Protection Writer |
| Microsoft Available Licenses report | Partner Center Customer Reader or a customer assigned delegated license administration |
| Microsoft Secure Score report | Microsoft Secure Scores Reader |
| Offboard customers | Administrators<br>Partner Center Administrators |
| Offboard your organization | Administrators<br>Partner Center Administrators |
| Onboard CSP customers | Administrators<br>Partner Center Administrators |
| Perform actions on Intune managed devices | Microsoft Endpoint Manager Device Writer |
| Perform actions on virtual machines | Start, Restart, Stop: Azure Management Resource Writer or Admin<br>Deallocate: Azure Management Resource Admin |
| Perform actions on Windows 365 Cloud PCs | Microsoft Windows 365 Writer |
| Reauthenticate your organization | Administrators<br>Partner Center Administrators |
| Remove Microsoft Entra ID role assignments | Users reader or User Administrators<br>Microsoft Entra Role Writer |
| Remove group role assignments | User Groups Administrators<br>Role Administrators |
| Remove user role assignments | Users reader or User Administrators<br>Role Administrators |
| Remove users from groups | Users reader or User Administrators<br>User Group Administrators |
| Reset all multi-factor authentications for user | Users reader or User Administrators<br>Microsoft Entra ID Authentication Methods Writer |
| Reset authentication methods | Microsoft Entra ID Authentication Methods Writer |
| Reset user password | User Administrators |
| Revoke user sessions | User Administrators<br>Identity Protection Writer |
| Revoke user sessions for user | User Administrators<br>Identity Protection Writer |
| Run user actions | Users reader or User Administrators<br>Plus the role for action type:<br>• Exchange Writer<br>• Microsoft Exchange Online PowerShell Writer<br>• Microsoft OneDrive for Business Writer<br>• Microsoft SharePoint Online Writer<br>• Microsoft Teams Writer |
| Unassign user licenses | License Administrators or a customer assigned delegated license administration |
| View Azure Alerts | Azure Management Resource Reader or Writer or Admin |
| View Azure resources and details | Azure Management Resource Reader or Writer or Admin |
| View Intune managed devices and details | Microsoft Endpoint Manager Device Reader or Writer |
| View groups and group details | User Groups Administrators |
| View performance for virtual machines | Azure Management Resource Reader or Writer or Admin |
| View risky users | Identity Protection Writer or Reader |
| View subscriptions and subscription details | License Administrator<br>Subscription Management |
| View Windows 365 Cloud PCs and details | Microsoft Endpoint Manager Device Reader or Writer |
| View the Azure Dashboard | Azure Management Resource Reader or Writer or Admin |
| View user authentication methods | Microsoft Entra ID Authentication Methods Reader or Writer |
| View users and user details | Users reader |
| View virtual machines | Azure Management Resource Reader or Writer or Admin |

Updated: Jun 07, 2024