Platform roles required for specific tasks
The following table lists the Cloud Commander platform roles required to perform individual Cloud Commander tasks.
A platform role is a set of permissions and privileges that you assign to users and groups in Cloud Commander scoped to a specific set of customers. These roles determine what actions users and groups can see and perform in Cloud Commander. See Assign platform roles for instructions to assign platform roles to groups and users.
| Cloud Commander task |
Required platform role(s) |
|---|---|
| Add a group | User Groups Administrators |
| Add a user | User Administrators |
| Add or remove group members | User Groups Administrators |
| Add subscriptions | License Administrator Subscription Management Product and Subscription Administrators |
| Add users to groups | Users reader or User Administrators
User Group Administrators |
| Apply compliance policies | Microsoft Endpoint Manager Device Configuration and Policies Writer |
| Apply configuration profiles | Microsoft Endpoint Manager Device Configuration and Policies Writer |
| Assign Microsoft Entra ID roles to users | Users reader
or User Administrators Role Administrators Microsoft Entra Role Writer |
| Assign licenses | License Administrators or a customer assigned delegated license administration |
| Azure Management Audit Logs | Audit Administrators |
| Command logs | Command Block Job Log Reader |
| Configure delegated license administration | Administrators |
| Configure email forwarding for a mailbox | Microsoft Exchange Online Writer |
| Configure Hybrid Identity environment | Administrators |
| Convert a mailbox | Microsoft Exchange Online Writer |
| Create a shared mailbox | Microsoft Exchange Online Writer |
| Delete groups | User Groups Administrators |
| Delete shared mailboxes | Microsoft Exchange Online Writer |
| Delete users | User Administrators |
| Edit group details | User Groups Administrators |
| Edit mailbox details | Microsoft Exchange Online Writer |
| Edit subscriptions | License Administrator Subscription Management Product and Subscription Administrators |
| Edit user licenses | License Administrators or a customer assigned delegated license administration |
| Edit users | User Administrators |
| Manage mailbox delegation | Microsoft Exchange Online Writer |
| Manage platform roles (view, assign, remove) |
User Administrators or User Groups Administrators Role Administrators |
| Manage platform user groups | User Administrators or User Groups Administrators Role Administrators |
| Manage risky users | Identity Protection Writer |
| Microsoft Available Licenses report | Partner Center Customer Reader or a customer assigned delegated license administration |
| Microsoft Secure Score report | Microsoft Secure Scores Reader |
| Offboard customers | Administrators Partner Center Administrators |
| Offboard your organization | Administrators Partner Center Administrators |
| Onboard CSP customers | Administrators Partner Center Administrators |
| Perform actions on Intune managed devices | Microsoft Endpoint Manager Device Writer |
| Perform actions on virtual machines | Start, Restart, Stop: Azure Management Resource Writer or Admin Deallocate: Azure Management Resource Admin |
| Perform actions on Windows 365 Cloud PCs | Microsoft Windows 365 Writer |
| Reauthenticate your organization | Administrators Partner Center Administrators |
| Remove Microsoft Entra ID role assignments | Users reader
or User Administrators
Microsoft Entra Role Writer |
| Remove users from groups | Users reader
or User Administrators
User Group Administrators |
| Reset all multi-factor authentications for user | Users reader
or User Administrators Microsoft Entra ID Authentication Methods Writer |
| Reset authentication methods | Microsoft Entra ID Authentication Methods Writer |
| Reset user password | User Administrators |
| Revoke user sessions from Authentication Methods section | User Administrators Identity Protection Writer |
| Revoke user sessions from User section | User Administrators Identity Protection Writer |
| Run user actions | Users reader
or User Administrators Plus the role for action type:
|
| Show or hide a mailbox | Microsoft Exchange Online Writer |
| Unassign user licenses | License Administrators or a customer assigned delegated license administration |
| View Azure Alerts | Azure Management Resource Reader or Writer or Admin |
| View Azure Dashboard | Azure Management Resource Reader or Writer or Admin |
| View Azure resources and details | Azure Management Resource Reader or Writer or Admin |
| View Azure subscriptions | Azure Management Resource Reader or Writer or Admin |
| View groups and group details | User Groups Administrators |
| View Intune managed devices and details | Microsoft Endpoint Manager Device Reader or Writer |
| View mailboxes and details | Microsoft Exchange Online Reader or Writer |
| View performance for virtual machines | Azure Management Resource Reader or Writer or Admin |
| View product licenses and user assignments | License Administrator |
| View risky users | Identity Protection Writer or Reader |
| View subscriptions and subscription details | License Administrator Subscription Management |
| View Windows 365 Cloud PCs and details | Microsoft Endpoint Manager Device Reader or Writer |
| View user authentication methods | Microsoft Entra ID Authentication Methods Reader or Writer |
| View users and user details | Users reader |
| View virtual machines | Azure Management Resource Reader or Writer or Admin |
Updated: Jul 12, 2024