| author | DougKirschner |
|---|---|
| ms.topic | include |
Important
For delegated access using work or school accounts, the signed-in user must be a member user or be assigned a supported Microsoft Entra role or a custom role that grants the permissions required for this operation. This operation supports the following built-in roles, which provide only the least privilege necessary:
- Directory Readers - Read basic properties and members of administrative units
- Global Reader - Read all properties of administrative units, including members
- Privileged Role Administrator - Fully manage administrative units, including members, but excluding restricted administrative units. For more information, see Restricted management administrative units in Microsoft Entra ID