| author | sandeo-MSFT |
|---|---|
| ms.topic | include |
Important
For delegated access using work or school accounts, the signed-in user must be assigned a supported Microsoft Entra role or a custom role that grants the permissions required for this operation. This operation supports the following built-in roles, which provide only the least privilege necessary:
- Users
- Directory Readers
- Directory Writers
- Compliance Administrator
- Device Managers
- Application Administrator
- Security Reader
- Security Administrator
- Privileged Role Administrator
- Cloud Application Administrator
- Customer LockBox Access Approver
- Dynamics 365 Administrator
- Power BI Administrator
- Desktop Analytics Administrator
- Microsoft Managed Desktop Administrator
- Teams Communications Administrator
- Teams Communications Support Engineer
- Teams Communications Support Specialist
- Teams Administrator
- Compliance Data Administrator
- Security Operator
- Kaizala Administrator
- Global Reader
- Directory Reviewer
- Windows 365 Administrator