Microsoft Cloud Access roles and permissions
| Role | Permission | Description |
|---|---|---|
| Microsoft Cloud Access Administrators: Can onboard tenants, add users to default platform user groups, receive Microsoft Cloud Access notifications, and schedule Secure Score and Available Licenses reports. | command.category.read | Can read all corresponding Command Block categories |
| | command.cmdpartnercentercustomer.read | Can read all Partner Center customer Command Blocks and jobs |
| | command.cmdpartnercentercustomer.write | Can write all Partner Center customer Command Blocks and jobs |
| | command.jobs.read | Can read related Command Block jobs |
| | command.read | Can read all related Command Blocks |
| | command.schedules.read | Can read all schedules Command Blocks and jobs |
| | command.schedules.write | Can write all schedules Command Blocks and jobs |
| | customerrelationship.read | Can read customer relationships |
| | customerrelationship.readbasic | Can read customer relationships |
| | customerrelationship.write | Can write customer relationships |
| | domain.graph.read | Can read all domain properties (list) |
| | group.readbasic | Can read all basic group properties (list) |
| | locale.read | Can read all locales (list) |
| | organization.graph.read | Can read all basic Graph organization properties (list) |
| | organization.plan.read | Can read organization plans |
| | organization.plan.write | Can write organization plans |
| | organization.readbasic | Can read all basic organization properties (list) |
| | organizationplan.read | Can read organization plans |
| | organizationplan.write | Can read organization plans |
| | partnerrelationship.delete | Can delete partner relationships |
| | partnerrelationship.readbasic | Can read partner relationships |
| | plans.readbasic | Can read plans |
| | relationship.readbasic | Can read basic relationships (list) |
| | report.accesstoken.read | Can read Power BI report access token (list) |
| | report.read | Can read Power BI reports (list) |
| | role.actions.read | Can read all role actions (list) |
| | role.read | Can read all basic role properties (list) |
| | role.roletemplate.write | |
| | role.scopes.delete | Can delete all scopes |
| | role.scopes.read | Can read all scopes |
| | role.scopes.write | Can write all organization scopes |
| | solution.read | Can read all solutions (list) |
| | solution.write | Can write solutions |
| | user.delete | Can delete all properties of a user (details) |
| | user.graph.delete | Can delete all Microsoft Graph properties of a user (details) |
| | user.graph.read | Can read all Microsoft Graph properties of a user (details) |
| | user.graph.readbasic | Can read all basic Microsoft Graph user properties (list) |
| | user.graph.write | Can read and write all Microsoft Graph properties of a user (details) |
| | user.read | Can read all properties of a user (details) |
| | user.readbasic | Can read all basic user properties (list) |
| | user.sync | Can sync all users |
| | user.write | Can read and write all properties of a user (details) |
| | usergroup.delete | Can delete all properties of a group (details) |
| | usergroup.read | Can read all properties of a group (details) |
| | usergroup.write | Can read and write and delete all properties of a group (details) |
| | usergroupmember.delete | Can remove members from a group |
| | usergroupmember.read | Can read members from a group |
| | usergroupmember.write | Can add members to a group |

Updated: Jan 31, 2025