Teams External Collaboration Administrator Role Arrives
New Entra ID Role Highlights Need to Manage Role Assignments
The announcement in MC1215071 (8 January 2026) that a new Entra ID administrative role called Teams External Collaboration Administrator will roll out in late January 2026 made me wonder if too many administrative roles are now available for Microsoft 365 tenants.
Conceptually, I don’t have anything against the idea of creating a special role to assign to people who manage the external collaboration settings for Teams. However, on a practical level, I question whether the role will get much use. I mean, how often does a tenant need to update its external collaboration settings? The changes that are normally made to external collaboration, such as adding an external domain to the list permitted for federated chat and meetings, are hardly so earth-shatteringly onerous that a “normal” Teams administrator can’t perform the task in a few minutes (using the newly simplified Teams admin center interface for external collaboration, of course).
The other thing is that the majority of Microsoft 365 tenants are not large enough to have the need for a dedicated administrative role to handle Teams external collaboration. One person (called the global administrator) probably does everything. In short, the change described in MC1215071 is for very large enterprise tenants with big administrative staffs and clearly delineated areas of responsibility. That’s fine too – large tenants should get some love.
Entra ID Roles Assigned in a Tenant
Getting back to my original thought, the number of directory role templates in my tenant is currently 133, soon to be 134 when the Teams external collaboration administrator role arrives. A role template defines what rights a role holds, and the templates defined by Entra ID are called built-in roles. The first time a role is assigned within a tenant (by an administrator or when configuring an application), it becomes an assigned role. My tenant only uses 39 assigned roles:
$Roles = Get-MgDirectoryRoleTemplate -All
$Roles.Count
133
$AssignedRoles = Get-MgDirectoryRole -All
$AssignedRoles.count
39
$AssignedRoles | Sort-Object DisplayName | Format-Table DisplayName, id
For the record, the tenant reported 31 assigned roles in March 2022 when I reviewed how to assign roles to user accounts with the Microsoft Graph PowerShell SDK.
Unwanted or Disused Entra ID Roles
Some of the roles are present due to testing, and some belong to now-deprecated solutions. For example, the Knowledge administrator and Knowledge manager roles are associated with Viva Topics, introduced in March 2021 and retired in February 2025. These roles and their assignments live on as tombstones for the departed solution.
In a rush to embrace granular management, my tenant has roles that probably don’t get much use and many of the roles are utterly devoid of members. Message Center reader for instance, or Hybrid identity administrator (the tenant left hybrid status a long time ago). Skype for Business administrator is another belonging to a retired application, and I suspect that Yammer administrator (Viva Engage) doesn’t get much use. The Insights administrator and Insights Business leader roles were never used because the tenant doesn’t use Viva Insights. However, I probably looked at the application in the past and that was probably enough to cause the roles to appear in the tenant.
The point is that a small set of roles is enough to segregate administrative tasks for many Microsoft 365 tenants. My guess is that ten roles are sufficient in most cases:
- Global administrator.
- Teams administrator.
- SharePoint administrator.
- Exchange administrator.
- User administrator.
- Groups administrator.
- Reports reader.
- Compliance administrator.
- Device managers.
- Billing administrator.
These are highly privileged roles. Many of the other 124 roles that exist are there to allow work to be done without a high level of permissions. Assigning very precise roles to user accounts works great in large tenants but might be overkill in smaller establishments.
Audit Roles and Role Membership
Elsewhere, I made the case that January is a great time to audit the subscriptions and licenses for Microsoft 365 tenants. The same is true for Entra ID roles and assignments. Check the roles that are in use and the users who are members of the role groups. This is simple to do with the PowerShell script referenced in this article, which handles both direct and PIM role assignments. Figure 1 shows some sample output from the script.

After reviewing current assignments, consider removing members from roles:
- That are no longer in active use.
- When the member no longer needs to use the role.
For example, I ran this code to find the current assigned members for the Knowledge manager role.
[array]$Members = Get-MgDirectoryRoleMember -DirectoryRoleId ea669ded-edb0-4c95-a340-d7c2ae58ba3b
$Members.additionalProperties.displayName
Ben Owens (DCPG)
Sean Landy
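Extending that lookup to every assigned role shows which roles have no members and who holds the rest. This is an added example, not the script referenced in the article; it reports only what Get-MgDirectoryRoleMember returns and does not look at PIM eligibility, and the scope named in the comment is an assumption about how the session is connected.

```powershell
# Added example: member count and member names for every assigned role.
# Assumes an existing Graph session that can read directory roles,
# e.g. Connect-MgGraph -Scopes RoleManagement.Read.Directory
[array]$AssignedRoles = Get-MgDirectoryRole -All | Sort-Object DisplayName

$Report = [System.Collections.Generic.List[Object]]::new()
ForEach ($Role in $AssignedRoles) {
    # Role members can be users, groups, or service principals
    [array]$Members = Get-MgDirectoryRoleMember -DirectoryRoleId $Role.Id -All
    $Names = ForEach ($Member in $Members) {
        # Turn "#microsoft.graph.user" into "user" so the object type is visible
        $Type = $Member.AdditionalProperties.'@odata.type' -replace '^#microsoft\.graph\.', ''
        '{0} ({1})' -f $Member.AdditionalProperties.displayName, $Type
    }
    $Report.Add([PSCustomObject]@{
        Role           = $Role.DisplayName
        RoleId         = $Role.Id
        RoleTemplateId = $Role.RoleTemplateId
        MemberCount    = $Members.Count
        Members        = ($Names -join '; ')
    })
}

# Assigned roles that no longer have any members
$Report | Where-Object MemberCount -eq 0 | Format-Table Role, RoleTemplateId

# Populated roles, largest membership first, for review
$Report | Where-Object MemberCount -gt 0 |
    Sort-Object MemberCount -Descending |
    Format-Table Role, MemberCount, Members -Wrap
```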
You can’t delete a built-in Entra ID role. However, you can remove all the members from a role through the Entra admin center or with PowerShell. Scripting is easier when a role has many members. Here’s how:
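# Get-MgDirectoryRole returns the assigned role: Id is its object identifier, RoleTemplateId its template
$Template = Get-MgDirectoryRole -Filter "displayName eq 'Knowledge Manager'"
$TemplateId = $Template.RoleTemplateId
[array]$Members = Get-MgDirectoryRoleMember -DirectoryRoleId $Template.Id
ForEach ($Member in $Members) {
    $UserId = $Member.Id
    # Single quotes stop PowerShell from expanding $ref; the request removes the membership reference
    $Uri = ('https://graph.microsoft.com/v1.0/directoryRoles/roleTemplateId={0}/members/{1}/$ref' -f $TemplateId, $UserId)
    Invoke-MgGraphRequest -Uri $Uri -Method Delete
}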
The Microsoft Graph PowerShell SDK includes a Remove-MgDirectoryRoleMemberByRef cmdlet, but the cmdlet isn’t working so well in V2.34. The Remove-MgRoleManagementDirectoryRoleAssignment cmdlet does work, but in this case I chose to show how the Invoke-MgGraphRequest cmdlet proves its usefulness by executing the underlying Graph API request when a cmdlet isn’t available or doesn’t work as expected.
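The same cleanup using the Remove-MgRoleManagementDirectoryRoleAssignment cmdlet mentioned above, with the assignments written to a CSV file first so they can be recreated. This is an added example, not code from the article; the log file name and the scope named in the comment are assumptions.

```powershell
# Added example: remove the members of a disused role through its role assignments.
# Assumes an existing Graph session that can write role assignments,
# e.g. Connect-MgGraph -Scopes RoleManagement.ReadWrite.Directory
$RoleName = 'Knowledge Manager'
$LogFile  = 'RemovedRoleAssignments.csv'   # hypothetical output path

$Role = Get-MgDirectoryRole -Filter "displayName eq '$RoleName'"
If (-not $Role) { Throw "Role '$RoleName' is not an assigned role in this tenant" }

# For a built-in role, the role definition id is the role template id
[array]$Assignments = Get-MgRoleManagementDirectoryRoleAssignment -All `
    -Filter "roleDefinitionId eq '$($Role.RoleTemplateId)'"
If ($Assignments.Count -eq 0) {
    Write-Output "No assignments found for $RoleName"
    Return
}

# Record what is about to be removed so that an assignment can be recreated later
$Log = ForEach ($Assignment in $Assignments) {
    $Principal = Get-MgDirectoryObject -DirectoryObjectId $Assignment.PrincipalId
    [PSCustomObject]@{
        Role             = $Role.DisplayName
        AssignmentId     = $Assignment.Id
        PrincipalId      = $Assignment.PrincipalId
        Principal        = $Principal.AdditionalProperties.displayName
        DirectoryScopeId = $Assignment.DirectoryScopeId
    }
}
$Log | Export-Csv -Path $LogFile -NoTypeInformation -Encoding UTF8

ForEach ($Assignment in $Assignments) {
    # -WhatIf reports each removal without making it; delete the switch to apply the change
    Remove-MgRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId $Assignment.Id -WhatIf
}
```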
In addition to Entra ID roles, consider auditing the assignments for Purview (compliance) role groups.
Power and Responsibility
I question the number of available Entra ID roles only to raise awareness about role management. It’s good to have the ability to manage access to functionality at a granular level, but with great power comes great responsibility, which means that tenants should keep an eye on role membership.