Introduction

Eden Akers uses the Microsoft Partner Center to set up an admin relationship, in which the roles listed below are added to the AdminAgents and HelpDeskAgents security groups.


The Entra ID roles below are granted through the AdminAgents and HelpDeskAgents Entra ID groups. The customer is sent a link, which must be accepted by a Global Admin signed in to the tenant where these permissions need to be applied.


User Entra ID Roles

Identity

  • Helpdesk administrator
  • License administrator
  • Privileged authentication administrator
  • Privileged role administrator
  • User administrator


Other

  • Service support administrator
  • Directory writers


Read Only

  • Directory readers
  • Global reader


Roles added to each group

AdminAgents

  • Directory Readers
  • Directory Writers
  • License Administrator
  • Service Support Administrator
  • User Administrator
  • Privileged Role Administrator
  • Helpdesk Administrator
  • Privileged Authentication Administrator
  • Global Reader

HelpDeskAgents

  • Service Support Administrator
  • Helpdesk Administrator


Short explanation of the permissions

  • Helpdesk administrator - Can reset passwords for non-administrators and Helpdesk administrators.
  • License administrator - Ability to assign, remove and update license assignments.
  • Privileged authentication administrator - Allowed to view, set and reset authentication method information for any user (admin or non-admin).
  • Privileged role administrator - Can manage role assignments in Microsoft Entra ID, and all aspects of Privileged Identity Management.
  • User administrator - Can manage all aspects of users and groups, including resetting passwords for limited admins.
  • Service support administrator - Can read service health information and manage support tickets.
  • Directory writers - Can read and write basic directory information. For granting access to applications, not intended for users.
  • Directory readers - Can read basic directory information. Commonly used to grant directory read access to applications and guests.
  • Global reader - Can read everything that a global administrator can, but not update anything.