| author | psignoret |
|---|---|
| ms.topic | include |
Important
For delegated access using work or school accounts, the signed-in user must be assigned a supported Microsoft Entra role or a custom role that grants the permissions required for this operation. This operation supports the following built-in roles, which provide only the least privilege necessary:
- Directory Synchronization Accounts - for Microsoft Entra Connect and Microsoft Entra Cloud Sync services
- Directory Writers
- Hybrid Identity Administrator
- Identity Governance Administrator
- Privileged Role Administrator - the least privileged role supported for Microsoft Graph and Azure AD Graph app roles
- User Administrator
- Application Administrator
- Cloud Application Administrator
- Agent ID Administrator - for agent users only