Built-in roles
Built-in assistant administrator roles provide immediate access to a set of commonly used powers. You can extend your current security configuration by using these default roles to delegate power to specific user accounts or other groups.
These roles contain the powers required to perform common administration tasks. For example, the DRA Administration role contains all the powers required to manage objects. To use these powers, however, the role must be associated with a user account or an assistant administrator group and the managed ActiveView.
Because built-in roles are part of the default delegation model, you can use them to quickly delegate power and implement security. These built-in roles address common tasks you can perform through the DRA user interfaces. The following sections describe each built-in role and summarize the powers associated with that role.
Microsoft Entra ID Management
- Entra ID Contact Administration
-
Provides all the powers required to create, modify, delete, and view properties of an Entra ID contact. You can assign this role to all assistant administrators who are responsible for managing Entra ID contacts.
- Entra ID Group Administration
-
Provides all the powers required to manage Entra ID groups and Entra ID membership.
- Entra ID User Administration
-
Provides all the powers required to create, modify, delete, enable, disable, and view properties of an Entra ID user. Assign this role to assistant administrators responsible for managing Entra ID users.
- Entra ID Guest User Administration
-
Provides all the powers required to manage an Entra ID guest user. Assign this role to assistant administrators responsible for managing an Entra ID guest user.
- Online Shared Mailbox Administration
-
Provides all the powers required to create, modify, delete, and view properties of an Online Shared Mailbox. Assign this role to assistant administrators responsible for managing Online Shared Mailboxes.
Administration
- Contact Administration
-
Provides all the powers required to create a new contact, modify contact properties, or delete a contact. Assign this role to assistant administrators responsible for managing contacts.
- DRA Administration
-
Provides all powers to an assistant administrator. This role gives a user the permission to perform all administration tasks within DRA. This role is equivalent to the permissions of an administrator. An assistant administrator associated with the DRA Administration role can access all Directory and Resource Administrator nodes.
- gMSA Administration
-
Provides the powers required to create, modify, delete, and view properties of a group Managed Service Account (gMSA). You can assign this role to all assistant administrators who are responsible for managing a gMSA.
- Manage and Execute Custom Tools
-
Provides all the powers required to create, manage, and execute custom tools. Assign this role to assistant administrators responsible for managing custom tools.
- Manage Clone Exceptions
-
Provides all the powers required to create and manage clone exceptions.
- Manage Policies and Automation Triggers
-
Provides all the powers required to define policies and automation triggers. Assign this role to assistant administrators responsible for maintaining company policies and automating workflows.
- Manage Security Model
-
Provides all the powers required to define the Administration rules, including ActiveViews, assistant administrators, and roles. Assign this role to assistant administrators responsible for implementing and maintaining your security model.
- Manage Virtual Attributes
-
Provides all the powers required to create and manage virtual attributes. Assign this role to assistant administrators responsible for managing virtual attributes.
- OU Administration
-
Provides all the powers required to manage organizational units. Assign this role to assistant administrators responsible for managing the Active Directory structure.
- Public Folder Administration
-
Provides the powers to create, modify, and delete your Public Folder, enable or disable mail for it, and view its properties. You can assign this role to all assistant administrators who are responsible for managing Public Folders.
- Replicate Files
-
Provides all the powers required to upload, delete, and modify file information. Assign this role to assistant administrators responsible for replicating files from the primary Administration server to other Administration servers in the MMS and the DRA client computers.
- Reset Local Administrator Password
-
Provides all the powers to reset the local administrator account password and view the name of the computer administrator. Assign this role to assistant administrators responsible for managing the administrator accounts.
- Self Administration
-
Provides all the powers required to modify basic properties, such as telephone numbers, of your own user account. Assign this role to assistant administrators to allow them to manage their own personal information.
Advanced Query Management
- Execute Advanced Queries
-
Provides all the powers required to execute saved advanced queries. Assign this role to assistant administrators responsible for executing advanced queries.
- Manage Advanced Queries
-
Provides all the powers required to create, manage, and execute advanced queries. Assign this role to assistant administrators responsible for managing advanced queries.
Audit Management
- Audit All Objects
-
Provides all the powers required to view properties of objects, policies, and configurations across your enterprise. This role does not allow an assistant administrator to modify properties. Assign this role to assistant administrators responsible for auditing actions across your enterprise. This role allows assistant administrators to view all nodes except the Custom Tools node.
- Audit Limited Account and Resource Properties
-
Provides powers for all object properties.
- Audit Resources
-
Provides all the powers required to view properties of managed resources. Assign this role to assistant administrators responsible for auditing resource objects.
- Audit Users and Groups
-
Provides all the powers needed to view user account and group properties, but no powers to modify these properties. Assign this role to assistant administrators responsible for auditing account properties.
Computer Management
- Computer Administration
-
Provides all the powers required to modify computer properties. This role allows assistant administrators to add, delete, and shut down computers, as well as synchronize domain controllers. Assign this role to assistant administrators responsible for managing computers in the ActiveView.
- Create and Delete Computer Accounts
-
Provides all the powers required to create and delete a computer account. Assign this role to assistant administrators responsible for managing computers.
- Manage Computer Properties
-
Provides all the powers required to manage all properties for a computer account. Assign this role to assistant administrators responsible for managing computers.
- View All Computer Properties
-
Provides all the powers required to view properties of a computer account. Assign this role to assistant administrators responsible for auditing computers.
Exchange Management
- Clone User with Mailbox
-
Provides all the powers required to clone an existing user account along with the account mailbox. Assign this role to assistant administrators responsible for managing user accounts.
To allow the assistant administrator to add the new user account to a group during the clone task, also assign the Manage Group Memberships role.
- Create and Delete Resource Mailbox
-
Provides all the powers required to create and delete a mailbox. Assign this role to assistant administrators responsible for managing mailboxes.
- Mailbox Administration
-
Provides all the powers required to manage Microsoft Exchange mailbox properties. If you use Microsoft Exchange, assign this role to assistant administrators responsible for managing Microsoft Exchange mailboxes.
- Manage Exchange Mailbox Rights
-
Provides all the powers required to manage security and rights for Microsoft Exchange mailboxes. If you use Microsoft Exchange, assign this role to assistant administrators responsible for managing Microsoft Exchange mailbox permissions.
- Manage Group Email
-
Provides all the powers required to view, enable, or disable the email address for a group. Assign this role to assistant administrators responsible for managing groups or email addresses for account objects.
- Manage Mailbox Move Requests
-
Provides all the powers required to manage mailbox move requests.
- Manage Resource Mailbox Properties
-
Provides all the powers required to manage all properties for a mailbox. Assign this role to assistant administrators responsible for managing mailboxes.
- Manage User Email
-
Provides all the powers required to view, enable, or disable the email address for a user account. Assign this role to assistant administrators responsible for managing user accounts or email addresses for account objects.
- Reset Unified Messaging PIN Properties
-
Provides all the powers required to reset Unified Messaging PIN properties for user accounts.
- Resource Mailbox Administration
-
Provides all the powers required to manage resource mailboxes.
- Shared Mailbox Administration
-
Provides all the powers required to create, modify, delete, and view the properties of your shared mailboxes. Assign this role to all assistant administrators responsible for managing shared mailboxes.
- View All Resource Mailbox Properties
-
Provides all the powers required to view properties for a resource mailbox. Assign this role to assistant administrators responsible for auditing resource mailboxes.
Group Management
- Create and Delete Groups
-
Provides all the powers required to create and delete a group. Assign this role to assistant administrators responsible for managing groups.
- Dynamic Group Administration
-
Provides all the powers required to manage Active Directory dynamic groups.
- Group Administration
-
Provides all the powers required to manage groups and group memberships, and view corresponding user properties. Assign this role to assistant administrators responsible for managing groups or account and resource objects that are managed through groups.
- Manage Dynamic Distribution Groups
-
Provides all the powers required to manage Microsoft Exchange dynamic distribution groups.
- Manage Group Membership Security
-
Provides all the powers required to designate who can view and modify Microsoft Windows group memberships through Microsoft Outlook.
- Manage Group Memberships
-
Provides all the powers required to add and remove user accounts or groups from an existing group, and view the primary group of a user or computer account. Assign this role to assistant administrators responsible for managing groups or user accounts.
- Manage Group Properties
-
Provides all the powers required to manage all properties for a group. Assign this role to assistant administrators responsible for managing groups.
- Manage Temporary Group Assignments
-
Provides all the powers required to create and manage temporary group assignments. Assign this role to assistant administrators responsible for managing groups.
- Rename Group and Modify Description
-
Provides all the powers required to modify the name and description of a group. Assign this role to assistant administrators responsible for managing groups.
- View All Group Properties
-
Provides all the powers required to view properties for a group. Assign this role to assistant administrators responsible for auditing groups.
Reporting Management
- Manage Active Directory Collectors, DRA Collectors, and Management Reporting Collectors
-
Provides all the powers required to manage Active Directory Collectors, DRA Collectors, and Management Reporting Collectors for data collection. Assign this role to assistant administrators responsible for managing reporting configuration.
- Manage Active Directory Collectors, DRA Collectors, Management Reporting Collectors, and Database Configuration
-
Provides all the powers required to manage Active Directory Collectors, DRA Collectors, Management Reporting Collectors, and database configuration for data collection. Assign this role to assistant administrators responsible for managing reporting and database configuration.
- Manage UI Reporting
-
Provides all the powers required to generate and export Activity Detail reports for users, groups, contacts, computers, organizational units, powers, roles, ActiveViews, containers, published printers, and assistant administrators. Assign this role to assistant administrators responsible for generating reports.
- Manage Database Configuration
-
Provides all the powers required to manage database configuration for Management reports. Assign this role to assistant administrators responsible for managing reporting database configuration.
- View Active Directory Collectors, DRA Collectors, Management Reporting Collectors, and Database Configuration Information
-
Provides all the powers required to view AD collectors, DRA collectors, management reporting collectors, and database configuration information.
Resource Management
- Create and Delete Resources
-
Provides all the powers required to create and delete shares and computer accounts, and clear event logs. Assign this role to assistant administrators responsible for managing resource objects and event logs.
- Manage Printers and Print Jobs
-
Provides all the powers required to manage printers, print queues, and print jobs. To manage print jobs associated with a user account, the print job and the user account must be included in the same ActiveView. Assign this role to assistant administrators responsible for maintaining printers and managing print jobs.
- Manage Resources for Managed Users
-
Provides all the powers required to manage resources associated with specific user accounts. The assistant administrator and the user accounts must be included in the same ActiveView. Assign this role to assistant administrators responsible for managing resource objects.
- Manage Services
-
Provides all the powers required to manage services. Assign this role to assistant administrators responsible for managing services.
- Manage Shared Folders
-
Provides all the powers required to manage shared folders. Assign this role to assistant administrators responsible for managing shared folders.
- Resource Administration
-
Provides all the powers required to modify properties of managed resources, including resources associated with any user account. Assign this role to assistant administrators responsible for managing resource objects.
- Start and Stop Resources
-
Provides all the powers required to pause, start, resume, or stop a service, start or stop a device or printer, shut down a computer, or synchronize your domain controllers. Also provides all the powers required to pause, resume, and start services, stop devices or print queues, and shut down computers. Assign this role to assistant administrators responsible for managing resource objects.
Server Management
- Built-in Scheduler - Internal Use Only
-
Provides powers to schedule when DRA refreshes the cache.
- Application Servers Administration
-
Provides the powers required to configure, view, and delete application server configurations.
- Configure Servers and Domains
-
Provides all the powers required to modify Administration server options and managed domains. Also provides powers necessary to configure and manage Microsoft Entra Tenants. Assign this role to assistant administrators responsible for monitoring and maintaining the Administration servers and managing Microsoft Entra Tenants.
- Unified Change History Server Administration
-
Provides the powers required to configure, view, and delete Unified Change History server configurations.
- Workflow Automation Server Administration
-
Provides the powers required to configure, view, and delete Workflow Automation server configurations.
User Account Management
- Create and Delete User Accounts
-
Provides all the powers required to create and delete a user account. Assign this role to assistant administrators responsible for managing user accounts.
- Help Desk Administration
-
Provides all the powers required to view user account properties, and to change passwords and password-related properties. This role also allows assistant administrators to disable, enable, and unlock user accounts. Assign this role to assistant administrators responsible for Help Desk duties associated with ensuring users have proper access to their accounts.
- Manage User Dial in Properties
-
Provides all the powers required to modify the dial-in properties of user accounts. Assign this role to assistant administrators responsible for managing user accounts that have remote access to the enterprise.
- Manage User Password and Unlock Account
-
Provides all the powers required to reset the password, specify password settings, and unlock a user account. Assign this role to assistant administrators responsible for maintaining user account access.
- Manage User Properties
-
Provides all the powers required to manage all properties for a user account, including Microsoft Exchange mailbox properties. Assign this role to assistant administrators responsible for managing user accounts.
- Rename User and Modify Description
-
Provides all the powers required to modify the name and description of a user account. Assign this role to assistant administrators responsible for managing user accounts.
- Reset Password
-
Provides all the powers required to reset and modify passwords. Assign this role to assistant administrators responsible for password management.
- Reset Password and Unlock Account Using SPA
-
Provides all the powers required to use Secure Password Administrator to reset passwords and unlock user accounts.
- Transform a User
-
Provides all the powers required to add a user to or remove a user from groups found in a template account, including the ability to modify the user's properties while transforming the user.
- User Administration
-
Provides all the powers required to manage user accounts, associated Microsoft Exchange mailboxes, and group memberships. Assign this role to assistant administrators responsible for managing user accounts.
- View All User Properties
-
Provides all the powers required to view properties for a user account. Assign this role to assistant administrators responsible for auditing user accounts.
WTS Administration
- Manage WTS Environment Properties
-
Provides all the powers required to change the WTS environment properties for a user account. Assign this role to assistant administrators responsible for maintaining the WTS environment or managing user accounts.
- Manage WTS Remote Control Properties
-
Provides all the powers required to change the WTS remote control properties for a user account. Assign this role to assistant administrators responsible for maintaining WTS access or managing user accounts.
- Manage WTS Session Properties
-
Provides all the powers required to change the WTS session properties for a user account. Assign this role to assistant administrators responsible for maintaining WTS sessions or managing user accounts.
- Manage WTS Terminal Properties
-
Provides all the powers required to change the WTS terminal properties for a user account. Assign this role to assistant administrators responsible for maintaining WTS terminal properties or managing user accounts.
- WTS Administration
-
Provides all the powers required to manage Windows Terminal Server (WTS) properties for user accounts in the ActiveView. If you use WTS, assign this role to assistant administrators responsible for maintaining the WTS properties of user accounts.