
2 Ways to Assign Microsoft Entra Admin Roles to a User Account

Two ways to assign Microsoft Entra admin roles to a user. Method 1 is role-first — pick a role, add users to it. Method 2 is user-first — pick a user, add roles to them. Both end up in the same place. Both should default to Eligible assignments, not Active.

Prerequisites

Sign in to entra.microsoft.com as Global Administrator or Privileged Role Administrator. Anyone less can’t assign roles.

Method 1 — Roles & Admins menu (role-first)

Use when you know which role you want to assign and want to add one or more users to it.

Method 1: Roles & admins > All roles > click the role (e.g. Attribute Definition Administrator). Always least-privilege — pick the most specific role, not Global Admin.

Left nav > Roles & admins > All roles. Find the role and click its name. Demo here uses Attribute Definition Administrator — pick the most specific role for the task, never Global Admin unless absolutely required.

On the role detail page, click + Add assignments.

Membership tab > No member selected > pick user.
Search for the user (jdoe) and Select.

Membership tab > No member selected. Search for and pick the user (jdoe in this demo). Select > Next.

Settings tab. Default: Eligible + Permanently eligible.
Click Assign. Done.

Settings tab. Default values: Eligible assignment type + Permanently eligible. Click Assign.

Method 2 — from user profile (user-first)

Use when you’re already looking at a user and want to give them a role.

Method 2: Users > All users > jdoe > Assigned roles in left nav > + Add assignments.

Users > All users > click jdoe > left nav Assigned roles > + Add assignments.

In the Add role panel, tick the role(s) > Next.

Same Eligible + Permanent > Assign.

Same Settings: Eligible + Permanently eligible > Assign.

Eligible vs Active — the load-bearing choice

| | Eligible (recommended) | Active |
|---|---|---|
| Permissions | User must activate the role each time | Permissions are on 24/7 |
| Activation | Via Privileged Identity Management (PIM); may require MFA + reason | None — just sign in |
| Audit trail | Strong — every activation logged with reason | Weak — only the role assignment is logged |
| Risk if account compromised | Limited — attacker has no admin access without activation | Full admin instantly |

Always Eligible unless you have a specific reason. The activation friction is small (one extra click + reason); the security benefit is large (compromised account doesn’t equal compromised admin).

Verify the assignment

Verify on jdoe’s Assigned roles page — both roles from Method 1 and Method 2 appear here. Single source of truth for an account’s admin scope.

Users > All users > jdoe > Assigned roles. Both roles from Method 1 and Method 2 appear here. This page is the single source of truth for an account’s admin scope.

Things that bite people

Assigning Global Admin instead of a specific role

Most common security regression in Entra. Don’t. There are 100+ built-in admin roles — pick the most specific one (User Administrator, Helpdesk Administrator, Application Administrator, etc.). Global Admin should be reserved for genuine emergencies and break-glass accounts.

Active assignments by accident

If you’re used to clicking through wizards quickly, it is easy to end up with Active selected. Always verify Eligible is selected before you click Assign.

Forgetting to remove roles when people leave

The Assigned roles page is also where you remove roles. Add a quarterly review: for each user, check assigned roles and remove anything they no longer need.

Permanently eligible vs time-bound

Permanently eligible means the user can activate the role indefinitely. For high-risk roles (Global Admin, Privileged Role Administrator), set a time-bound assignment instead so the eligibility itself expires.
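To make the verification page and the quarterly review above repeatable, here is an added example (not from the original post) that lists one user’s Active and Eligible Entra role assignments with the Microsoft Graph PowerShell SDK and flags the two mistakes this section describes. It assumes the Microsoft.Graph module is installed, PIM (Entra ID P2) is licensed so eligibility data exists, and it is saved as a .ps1; the UPN is a constructed placeholder.

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph module and
# PIM (Entra ID P2). $Upn is a constructed placeholder; replace with a real account.
param([string]$Upn = 'jdoe@contoso.example')

Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'User.Read.All' -NoWelcome

$user   = Get-MgUser -UserId $Upn -Property Id, UserPrincipalName
$filter = "principalId eq '$($user.Id)'"

# Cache role definition names once so each row can be labelled by role name.
$roleName = @{}
foreach ($d in (Get-MgRoleManagementDirectoryRoleDefinition -All)) { $roleName[$d.Id] = $d.DisplayName }
$highRisk = @('Global Administrator', 'Privileged Role Administrator')
$rows = @()

# Active assignments: permissions are on 24/7. AssignmentType 'Assigned' is a standing
# assignment; 'Activated' is a PIM activation currently in progress.
foreach ($s in (Get-MgRoleManagementDirectoryRoleAssignmentSchedule -Filter $filter -All)) {
    $rows += [pscustomobject]@{
        Role    = $roleName[$s.RoleDefinitionId]
        Type    = 'Active'
        Detail  = $s.AssignmentType
        Expires = $s.ScheduleInfo.Expiration.EndDateTime
    }
}

# Eligible assignments: must be activated through PIM before they grant anything.
# Expiration.Type 'noExpiration' is what the wizard calls "Permanently eligible".
foreach ($s in (Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter $filter -All)) {
    $rows += [pscustomobject]@{
        Role    = $roleName[$s.RoleDefinitionId]
        Type    = 'Eligible'
        Detail  = $s.ScheduleInfo.Expiration.Type
        Expires = $s.ScheduleInfo.Expiration.EndDateTime
    }
}

$rows | Sort-Object Type, Role | Format-Table -AutoSize

# Flag the two mistakes from the post: standing Active assignments of any role, and
# permanent eligibility for high-risk roles that should be time-bound instead.
foreach ($r in $rows) {
    if ($r.Type -eq 'Active' -and $r.Detail -eq 'Assigned') {
        Write-Warning "$Upn has a standing ACTIVE assignment of '$($r.Role)'; convert it to Eligible"
    }
    if ($r.Type -eq 'Eligible' -and $r.Detail -eq 'noExpiration' -and $highRisk -contains $r.Role) {
        Write-Warning "$Upn is permanently eligible for '$($r.Role)'; set a time-bound eligibility"
    }
}
```

Run it per user during the quarterly review; the table is the same information as the Assigned roles page, and the warnings are the rows to act on.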

What’s next

Other posts in the Entra ID Security pathway cover MFA enforcement, Conditional Access, PIM workflow, device management, and more.
