Microsoft’s Azure Active Directory includes the ability to designate separate administrators for different functions. These administrators have access to various features and capabilities, including the ability to read or change objects related to Azure AD.
Microsoft provides documentation about this topic at https://docs.microsoft.com/en-us/azure/active-directory/active-directory-assign-admin-roles.
Azure AD roles primarily support the Microsoft Infrastructure and MSCA service, so are primarily held by members of those service teams. However, it is possible for others outside those service teams to hold AAD roles.
Microsoft Infrastructure manages the AAD roles in the UW’s enterprise tenant and requests for a role can be sent to email@example.com for consideration. Please note that given the broad span of access associated with many AAD roles, we may not be able to grant all requests and that very careful consideration is given before granting requests.
Accounts granted Azure AD roles do not automatically have the role at each sign in. They will need to activate the role before they can leverage the elevated privileges associated with the role. To do so, the user will need to take either the interactive step or the programmatic step documented at https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-activate-role. This is a bit more work for the user granted these elevated privileges, but it helps protect the UW and it also provides us with more information about how much use of the role is actually happening. You can read more about Azure AD Privileged Identity Management.
Azure AD Roles are also only granted in concert with an Azure AD Access Review. Individuals who can properly ascertain whether the role is still needed when the automatic periodic review is generated will be chosen at the time the role is initially granted. Failure to respond to the automated review will result in automatic loss of privileges.
Some limited further information about use of specific AAD roles are available as child pages.