{"description":"Entra ID role tier classification based on Microsoft Enterprise Access Model. Tier-0 roles can compromise the entire directory. Tier-1 roles have significant blast radius over specific services. Tier-2 is everything else with an active assignment.","version":"1.0.0","tiers":{"0":{"label":"Control Plane","description":"Roles that can compromise the entire Entra ID directory or escalate to full control","roles":{"62e90394-69f5-4237-9190-012177145e10":"Global Administrator","e8611ab8-c189-46e8-94e1-60213ab1f814":"Privileged Role Administrator","7be44c8a-adaf-4e2a-84d6-ab2649e08a13":"Privileged Authentication Administrator","d29b2b05-8046-44ba-8758-1e26182fcf32":"Directory Synchronization Accounts"}},"1":{"label":"Management Plane","description":"Roles with significant blast radius over specific M365 services or user populations","roles":{"29232cdf-9323-42fd-ade2-1d097af3e4de":"Exchange Administrator","f28a1f50-f6e7-4571-818b-6a12f2af6b6c":"SharePoint Administrator","194ae4cb-b126-40b2-bd5b-6091b380977d":"Security Administrator","3a2c62db-5318-420d-8d74-23affee5d9d5":"Intune Administrator","fe930be7-5e62-47db-91af-98c3a49a38b1":"User Administrator","9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3":"Application Administrator","158c047a-c907-4556-b7ef-446551a6b5f7":"Cloud Application Administrator","c4e39bd9-1100-46d3-8c65-fb160da0071f":"Authentication Administrator","b1be1c3e-b65d-4f19-8427-f6fa0d97feb9":"Conditional Access Administrator","fdd7a751-b60b-444a-984c-02652fe8fa1c":"Groups Administrator","966707d0-3269-4727-9be2-8c3a10f19b9d":"Password Administrator","8835291a-918c-4fd7-a9ce-faa49f0cf7d9":"Teams Administrator","11648597-926c-4cf3-9c36-bcebb0ba8dcc":"Power Platform Administrator","729827e3-9c14-49f7-bb1b-9608f156bbb8":"Helpdesk Administrator","b0f54661-2d74-4c50-afa3-1ec803f12efe":"Billing Administrator","112f9a7f-7249-4951-bd88-c42b60cebe72":"Fabric Administrator"}}}}
|