Microsoft Cloud Access roles and permissions

Cloud Commander end of life (EOL)

Cloud Commander will be decommissioned and stop functioning on May 13, 2026. You can use the product until that date.

Review and update workflows to remove any dependencies before the product is decommissioned.

Support, bug fixes, and security patches will be available until April 13, 2026.

Role Permission Description
Microsoft Cloud Access Administrators

Can onboard tenants, add users to default platform user groups, receive Microsoft Cloud Access notifications, and schedule Secure Score and Available Licenses reports.

 command.category.read Can read all corresponding Command Block categories
command.cmdpartnercentercustomer.read Can read all Partner Center customer Command Blocks and jobs
command.cmdpartnercentercustomer.write Can write all Partner Center customer Command Blocks and jobs
command.jobs.read Can read related Command Block jobs
command.read Can read all related Command Blocks
command.schedules.read Can read all schedules Command Blocks and jobs
command.schedules.write Can write all schedules Command Blocks and jobs
customerrelationship.read Can read customer relationships
customerrelationship.readbasic Can read customer relationships
customerrelationship.write Can write customer relationships
domain.graph.read Can read all domain properties (list)
group.readbasic Can read all basic group properties (list)
locale.read Can read all locales (list)
organization.graph.read Can read all basic Graph organization properties (list)
organization.plan.read Can read organization plans
organization.plan.write Can write organization plans
organization.readbasic Can read all basic organization properties (list)
organizationplan.read Can read organization plans
organizationplan.write Can read organization plans
partnerrelationship.delete Can delete partner relationships
partnerrelationship.readbasic Can read partner relationships
plans.readbasic Can read plans
relationship.readbasic Can read basic relationships (list)
report.accesstoken.read Can read Power BI report access token (list)
report.read Can read Power BI reports (list)
role.actions.read Can read all role actions (list)
role.read Can read all basic role properties (list)
role.roletemplate.write  
role.scopes.delete Can delete all scopes
role.scopes.read Can read all scopes
role.scopes.write Can write all organization scopes
solution.read Can read all solutions (list)
solution.write Can write solutions
user.delete Can delete all properties of a user (details)
user.graph.delete Can delete all Microsoft Graph properties of a user (details)
user.graph.read Can read all Microsoft Graph properties of a user (details)
user.graph.readbasic Can read all basic Microsoft Graph user properties (list)
user.graph.write Can read and write all Microsoft Graph properties of a user (details)
user.read Can read all properties of a user (details)
user.readbasic Can read all basic user properties (list)
user.sync Can sync all users
user.write Can read and write all properties of a user (details)
usergroup.delete Can delete all properties of a group (details)
usergroup.read Can read all properties of a group (details)
usergroup.write Can read and write and delete all properties of a group (details)
usergroupmember.delete Can remove members from a group
usergroupmember.read Can read members from a group
usergroupmember.write Can add members to a group

Related articles

Updated: Jan 09, 2026