Platform (category) roles and permissions

| Role | Permission | Description |
|---|---|---|
| Administrators<br>Can manage administrative features such as onboardings and configurations based on the purchased plan. | customerrelationship.read | Can read customer relationships |
| | customerrelationship.readbasic | Can read customer relationships |
| | customerrelationship.write | Can write customer relationships |
| | group.readbasic | Can read all basic group properties (list) |
| | locale.read | Can read all locales (list) |
| | organization.plan.read | Can read organization plans |
| | organization.plan.write | Can write organization plans |
| | organization.readbasic | Can read all basic organization properties (list) |
| | organizationplan.read | Can read organization plans |
| | organizationplan.write | Can write organization plans |
| | partnerrelationship.delete | Can delete partner relationships |
| | partnerrelationship.readbasic | Can read partner relationships |
| | plans.readbasic | Can read plans |
| | relationship.readbasic | Can read basic relationships (list) |
| | solution.read | Can read all solutions (list) |
| | solution.write | Can write solutions |
| | user.readbasic | Can read all basic user properties (list) |
| | user.sync | Can sync all users |
| Command Platform Role Reader<br>Can read all management Command Blocks. | command.category.read | Can read all corresponding Command Block categories |
| | command.cmdspinpanelroles.read | Can read all assignments and scopes |
| | command.jobs.read | Can read related Command Block jobs |
| | command.read | Can read all related Command Blocks |
| | organization.readbasic | Can read all basic organization properties (list) |
| | report.accesstoken.read | Can read Power BI report access token (list) |
| | report.read | Can read Power BI reports (list) |
| | user.read | Can read all properties of a user (details) |
| | user.readbasic | Can read all basic user properties (list) |
| Command Platform Role Writer<br>Can read and execute all management Command Blocks. | command.category.read | Can read all corresponding Command Block categories |
| | command.cmdspinpanelroles.read | Can read all assignments and scopes |
| | command.cmdspinpanelroles.write | Can write all assignments and scopes |
| | command.jobs.read | Can read related Command Block jobs |
| | command.read | Can read all related Command Blocks |
| | organization.readbasic | Can read all basic organization properties (list) |
| | report.accesstoken.read | Can read Power BI report access token (list) |
| | report.read | Can read Power BI reports (list) |
| | user.read | Can read all properties of a user (details) |
| | user.readbasic | Can read all basic user properties (list) |
| DelegateAccessGroup Readers<br>Can read all Delegate Access Groups. | delegateaccessgroup.readbasic | Can read all basic group properties (list) |
| | organization.readbasic | Can read all basic organization properties (list) |
| | partnerrelationship.readbasic | Can read partner relationships |
| Group Reader<br>Can read all management Command Blocks. | command.category.read | Can read all corresponding Command Block categories |
| | command.cmdspinpanelgroups.read | Can read all Group Command Blocks and jobs |
| | command.jobs.read | Can read related Command Block jobs |
| | command.read | Can read all related Command Blocks |
| | command.schedules.read | Can read all schedules Command Blocks and jobs |
| | organization.readbasic | Can read all basic organization properties (list) |
| | report.accesstoken.read | Can read Power BI report access token (list) |
| | report.read | Can read Power BI reports (list) |
| | user.read | Can read all properties of a user (details) |
| | user.readbasic | Can read all basic user properties (list) |
| Group Writer<br>Can read and execute all management Command Blocks. | command.category.read | Can read all corresponding Command Block categories |
| | command.cmdspinpanelgroups.read | Can read all Group Command Blocks and jobs |
| | command.cmdspinpanelgroups.write | Can write all Group Command Blocks and jobs |
| | command.jobs.read | Can read related Command Block jobs |
| | command.read | Can read all related Command Blocks |
| | command.schedules.read | Can read all schedules Command Blocks and jobs |
| | command.schedules.write | Can write all schedules Command Blocks and jobs |
| | organization.readbasic | Can read all basic organization properties (list) |
| | report.accesstoken.read | Can read Power BI report access token (list) |
| | report.read | Can read Power BI reports (list) |
| | user.read | Can read all properties of a user (details) |
| | user.readbasic | Can read all basic user properties (list) |
| Microsoft Invoices Administrators<br>Can manage invoice related features. | msftinvoice.read | Can manage invoice related features |
| Product and Price Consumer Management<br>Can manage product and price consumer. | command.cmdproductplan.consumer.read | Can read all Product Plan consumer Command Blocks and jobs |
| | command.cmdproductplan.consumer.write | Can write all Product Plan consumer Command Blocks and jobs |
| | organization.readbasic | Can read all basic organization properties (list) |
| | productplan.consumer.write | Can manage consumers of a product plan |
| Product and Price Management Reader<br>Can read available product and price plans. | csp.region.read | Can read CSP regions |
| | command.cmdproductplan.read | Can read all Product Plan Command Blocks and job |
| | organization.readbasic | Can read all basic organization properties (list) |
| | productplan.read | Can read all product and price plans |
| | productprice.read | Can read product price information |
| Product and Price Management Writer<br>Can manage product and price plans. | csp.region.read | Can read CSP regions |
| | command.cmdproductplan.read | Can read all Product Plan Command Blocks and job |
| | command.cmdproductplan.write | Can write all Product Plan Command Blocks and jobs |
| | organization.readbasic | Can read all basic organization properties (list) |
| | productplan.read | Can read all product and price plans |
| | productplan.write | Can write all product and price plans |
| | productprice.read | Can read product price information |
| Report Essentials Reader<br>Can read reports. | report.accesstoken.read | Can read Power BI report access token (list) |
| | report.read | Can read Power BI reports (list) |
| Role Administrators<br>Can manage all role-related features. | customerrelationship.readbasic | Can read customer relationships |
| | organization.readbasic | Can read all basic organization properties (list) |
| | partnerrelationship.readbasic | Can read partner relationships |
| | role.actions.read | Can read all role actions (list) |
| | role.read | Can read all basic role properties (list) |
| | role.roletemplate.write | |
| | role.scopes.delete | Can delete all scopes |
| | role.scopes.read | Can read all scopes |
| | role.scopes.write | Can write all organization scopes |
| | user.read | Can read all properties of a user (details) |
| | user.readbasic | Can read all domain properties (list) |
| User Administrators<br>Can manage all user-related features. | domain.graph.read | Can read all domain properties (list) |
| | locale.read | Can read all locales (list) |
| | organization.graph.read | Can read all basic Graph organization properties (list) |
| | organization.readbasic | Can read all basic organization properties (list) |
| | user.delete | Can delete all properties of a user (details) |
| | user.graph.delete | Can delete all Microsoft Graph properties of a user (details) |
| | user.graph.read | Can read all Microsoft Graph properties of a user (details) |
| | user.graph.readbasic | Can read all basic Microsoft Graph user properties (list) |
| | user.graph.write | Can read and write all Microsoft Graph properties of a user (details) |
| | user.read | Can read all properties of a user (details) |
| | user.readbasic | Can read all domain properties (list) |
| | user.sync | Can sync all users |
| | user.write | Can read and write all properties of a user (details) |
| User Group Administrators<br>Can manage all user group-related features. | group.readbasic | Can read all basic group properties (list) |
| | organization.readbasic | Can read all basic organization properties (list) |
| | usergroup.delete | Can delete all properties of a group (details) |
| | usergroup.read | Can read all properties of a group (details) |
| | usergroup.write | Can read and write and delete all properties of a group (details) |
| | usergroupmember.delete | Can remove members from a group |
| | usergroupmember.read | Can read members from a group |
| | usergroupmember.write | Can add members to a group |
| | user.readbasic | Can read all domain properties (list) |
| Users Reader<br>Can read all users. | domain.graph.read | Can read all domain properties (list) |
| | locale.read | Can read all locales (list) |
| | organization.graph.read | Can read all basic Graph organization properties (list) |
| | organization.readbasic | Can read all basic organization properties (list) |
| | user.graph.read | Can read all Microsoft Graph properties of a user (details) |
| | user.graph.readbasic | Can read all basic Microsoft Graph user properties (list) |
| | user.read | Can read all properties of a user (details) |
| | user.readbasic | Can read all domain properties (list) |
| | user.sync | Can sync all users |

Updated: Aug 01, 2025
