Microsoft’s Entra ID includes the ability to designate separate administrators for different functions. These administrators have access to various features and capabilities, including the ability to read or change objects related to Entra ID.
Microsoft provides documentation about this topic at https://docs.microsoft.com/en-us/azure/active-directory/active-directory-assign-admin-roles.
Entra ID roles primarily support the Microsoft Infrastructure and MSCA service, so they are mostly held by members of those service teams. However, it is possible for others outside those service teams to hold Entra ID roles.
Microsoft Infrastructure manages the Entra ID roles in the UW’s enterprise tenant; requests for a role can be sent to help@uw.edu for consideration. Please note that, given the broad span of access associated with many Entra ID roles, very careful consideration is given before a request is granted, and we may not be able to grant all requests.
Accounts granted Entra ID roles do not automatically hold the role at each sign-in. They will need to activate the role before they can use the elevated privileges associated with it. To do so, the user will need to take either the interactive step or the programmatic step documented at https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-activate-role. This is a bit more work for the user granted these elevated privileges, but it helps protect the UW, and it also provides us with more information about how much the role is actually being used. You can read more about Entra ID Privileged Identity Management.
Entra ID roles are also only granted in concert with an Entra ID Access Review. At the time the role is initially granted, individuals will be chosen who can properly ascertain whether the role is still needed when the automatic periodic review is generated. Failure to respond to the automated review will result in automatic loss of privileges.
Some limited further information about the use of specific Entra ID roles is available as child pages.