Platform (category) roles and permissions
Cloud Commander end of life (EOL)
Cloud Commander will be decommissioned and stop functioning on May 13, 2026. You can use the product until that date.
Review and update workflows to remove any dependencies before the product is decommissioned.
Support, bug fixes, and security patches will be available until April 13, 2026.
| Role | Permission | Description |
|---|---|---|
| Administrators Can manage administrative features such as onboardings and configurations based on the purchased plan. |
customerrelationship.read | Can read customer relationships |
| customerrelationship.readbasic | Can read customer relationships | |
| customerrelationship.write | Can write customer relationships | |
| group.readbasic | Can read all basic group properties (list) | |
| locale.read | Can read all locales (list) | |
| organization.plan.read | Can read organization plans | |
| organization.plan.write | Can write organization plans | |
| organization.readbasic | Can read all basic organization properties (list) | |
| organizationplan.read | Can read organization plans | |
| organizationplan.write | Can write organization plans | |
| partnerrelationship.delete | Can delete partner relationships | |
| partnerrelationship.readbasic | Can read partner relationships | |
| plans.readbasic | Can read plans | |
| relationship.readbasic | Can read basic relationships (list) | |
| solution.read | Can read all solutions (list) | |
| solution.write | Can write solutions | |
| user.readbasic | Can read all basic user properties (list) | |
| user.sync | Can sync all users | |
| Command Platform Role Reader
Can read all management Command Blocks. |
command.category.read | Can read all corresponding Command Block categories |
| command.cmdspinpanelroles.read | Can read all assignments and scopes | |
| command.jobs.read | Can read related Command Block jobs | |
| command.read | Can read all related Command Blocks | |
| organization.readbasic | Can read all basic organization properties (list) | |
| report.accesstoken.read | Can read Power BI report access token (list) | |
| report.read | Can read Power BI reports (list) | |
| user.read | Can read all properties of a user (details) | |
| user.readbasic | Can read all basic user properties (list) | |
| Command Platform Role Writer
Can read and execute all management Command Blocks. |
command.category.read | Can read all corresponding Command Block categories |
| command.cmdspinpanelroles.read | Can read all assignments and scopes | |
| command.cmdspinpanelroles.write | Can write all assignments and scopes | |
| command.jobs.read | Can read related Command Block jobs | |
| command.read | Can read all related Command Blocks | |
| organization.readbasic | Can read all basic organization properties (list) | |
| report.accesstoken.read | Can read Power BI report access token (list) | |
| report.read | Can read Power BI reports (list) | |
| user.read | Can read all properties of a user (details) | |
| user.readbasic | Can read all basic user properties (list) | |
| DelegateAccessGroup Readers
Can read all Delegate Access Groups. |
delegateaccessgroup.readbasic | Can read all basic group properties (list) |
| organization.readbasic | Can read all basic organization properties (list) | |
| partnerrelationship.readbasic | Can read partner relationships | |
| Group Reader
Can read all management Command Blocks. |
command.category.read | Can read all corresponding Command Block categories |
| command.cmdspinpanelgroups.read | Can read all Group Command Blocks and jobs | |
| command.jobs.read | Can read related Command Block jobs | |
| command.read | Can read all related Command Blocks | |
| command.schedules.read | Can read all schedules Command Blocks and jobs | |
| organization.readbasic | Can read all basic organization properties (list) | |
| report.accesstoken.read | Can read Power BI report access token (list) | |
| report.read | Can read Power BI reports (list) | |
| user.read | Can read all properties of a user (details) | |
| user.readbasic | Can read all basic user properties (list) | |
| Group Writer
Can read and execute all management Command Blocks. |
command.category.read | Can read all corresponding Command Block categories |
| command.cmdspinpanelgroups.read | Can read all Group Command Blocks and jobs | |
| command.cmdspinpanelgroups.write | Can write all Group Command Blocks and jobs | |
| command.jobs.read | Can read related Command Block jobs | |
| command.read | Can read all related Command Blocks | |
| command.schedules.read | Can read all schedules Command Blocks and jobs | |
| command.schedules.write | Can write all schedules Command Blocks and jobs | |
| organization.readbasic | Can read all basic organization properties (list) | |
| report.accesstoken.read | Can read Power BI report access token (list) | |
| report.read | Can read Power BI reports (list) | |
| user.read | Can read all properties of a user (details) | |
| user.readbasic | Can read all basic user properties (list) | |
| Microsoft Invoices Administrators
Can manage invoice related features. |
msftinvoice.read | Can manage invoice related features |
| Product and Price Consumer Management
Can manage product and price consumer. |
command.cmdproductplan.consumer.read | Can read all Product Plan consumer Command Blocks and jobs |
| command.cmdproductplan.consumer.write | Can write all Product Plan consumer Command Blocks and jobs | |
| organization.readbasic | Can read all basic organization properties (list) | |
| productplan.consumer.write | Can manage consumers of a product plan | |
| Product and Price Management Reader
Can read available product and price plans. |
csp.region.read | Can read CSP regions |
| command.cmdproductplan.read | Can read all Product Plan Command Blocks and job | |
| organization.readbasic | Can read all basic organization properties (list) | |
| productplan.read | Can read all product and price plans | |
| productprice.read | Can read product price information | |
| Product and Price Management Writer
Can manage product and price plans. |
csp.region.read | Can read CSP regions |
| command.cmdproductplan.read | Can read all Product Plan Command Blocks and job | |
| command.cmdproductplan.write | Can write all Product Plan Command Blocks and jobs | |
| organization.readbasic | Can read all basic organization properties (list) | |
| productplan.read | Can read all product and price plans | |
| productplan.write | Can write all product and price plans | |
| productprice.read | Can read product price information | |
| Report Essentials Reader
Can read reports. |
report.accesstoken.read | Can read Power BI report access token (list) |
| report.read | Can read Power BI reports (list) | |
| Role Administrators
Can manage all role-related features. |
customerrelationship.readbasic | Can read customer relationships |
| organization.readbasic | Can read all basic organization properties (list) | |
| partnerrelationship.readbasic | Can read partner relationships | |
| role.actions.read | Can read all role actions (list) | |
| role.read | Can read all basic role properties (list) | |
| role.roletemplate.write | ||
| role.scopes.delete | Can delete all scopes | |
| role.scopes.read | Can read all scopes | |
| role.scopes.write | Can write all organization scopes | |
| user.read | Can read all properties of a user (details) | |
| user.readbasic | Can read all domain properties (list) | |
| User Administrators
Can manage all user-related features. |
domain.graph.read | Can read all domain properties (list) |
| locale.read | Can read all locales (list) | |
| organization.graph.read | Can read all basic Graph organization properties (list) | |
| organization.readbasic | Can read all basic organization properties (list) | |
| user.delete | Can delete all properties of a user (details) | |
| user.graph.delete | Can delete all Microsoft Graph properties of a user (details) | |
| user.graph.read | Can read all Microsoft Graph properties of a user (details) | |
| user.graph.readbasic | Can read all basic Microsoft Graph user properties (list) | |
| user.graph.write | Can read and write all Microsoft Graph properties of a user (details) | |
| user.read | Can read all properties of a user (details) | |
| user.readbasic | Can read all domain properties (list) | |
| user.sync | Can sync all users | |
| user.write | Can read and write all properties of a user (details) | |
| User Group Administrators
Can manage all user group-related features. |
group.readbasic | Can read all basic group properties (list) |
| organization.readbasic | Can read all basic organization properties (list) | |
| usergroup.delete | Can delete all properties of a group (details) | |
| usergroup.read | Can read all properties of a group (details) | |
| usergroup.write | Can read and write and delete all properties of a group (details) | |
| usergroupmember.delete | Can remove members from a group | |
| usergroupmember.read | Can read members from a group | |
| usergroupmember.write | Can add members to a group | |
| user.readbasic | Can read all domain properties (list) | |
| Users Reader
Can read all users. |
domain.graph.read | Can read all domain properties (list) |
| locale.read | Can read all locales (list) | |
| organization.graph.read | Can read all basic Graph organization properties (list) | |
| organization.readbasic | Can read all basic organization properties (list) | |
| user.graph.read | Can read all Microsoft Graph properties of a user (details) | |
| user.graph.readbasic | Can read all basic Microsoft Graph user properties (list) | |
| user.read | Can read all properties of a user (details) | |
| user.readbasic | Can read all domain properties (list) | |
| user.sync | Can sync all users |
Related articles
Updated: Jan 09, 2026