| author | yuhko-msft |
|---|---|
| ms.topic | include |
Important
For delegated access using work or school accounts, the signed-in user must be assigned a supported Microsoft Entra role or a custom role that grants the permissions required for this operation. This operation supports the following built-in roles, which provide only the least privilege necessary:
- Read basic properties on setting templates and settings - Microsoft Entra Joined Device Local Administrator, Directory Readers, Global Reader
- Manage all group/directory settings - Directory Writers
- Manage global and local settings for groups; manage
Group.Unified.GuestandGroup.Unifiedsettings - Groups Administrator - Update
Password Rule Settings- Authentication Policy Administrator - Update settings, Read basic properties on setting templates and settings - User Administrator