Least privilege increases operational friction. Microsoft 365 does not have a single role assignment model. Defender, Purview, Intune, and Exchange each maintain their own RBAC systems, entirely separate from Entra ID. Correctly scoping a consultant means navigating four or five admin portals and assigning roles independently in each one.<\/p>\n\n\n\n
Global Administrator removes that friction in one click. That is why it gets assigned, not because anyone genuinely believes the consultant needs access to billing, licence management, and every security setting in the tenant. The shortcut is chosen to avoid the complexity of doing it correctly.<\/p>\n\n\n\n
This post exists to make the correct path as low-friction as possible.<\/p>\n\n\n\n
<\/p>\n\n\n\n
\n\n\n\n
Common Anti-Patterns<\/strong><\/p>\n\n\n\n Before the tables, it is worth naming the mistakes this reference is designed to prevent:<\/p>\n\n\n\n How to Use These Tables<\/strong><\/p>\n\n\n\n The tables are organised in three sections:<\/p>\n\n\n\n Read-only engagements<\/strong>: assessment, audit, and review work where the consultant must see configuration but must not be able to change anything. RBAC systems: Microsoft 365 does not have a single role assignment model. Roles assigned in the Entra admin centre do not automatically grant access inside the Defender portal, the Intune admin centre, or the Purview portal. Where the assignment must be made in a workload-specific RBAC system, the table says so explicitly.<\/p>\n\n\n\n The \u26a0\ufe0f marker on a role name indicates that permanently assigning this role to an external consultant account is not advisable. These roles should be configured as PIM-eligible with an approval workflow and a time-bound activation window. The final section of this post covers this in more detail.<\/p>\n\n\n\n Key notes column: this is where the practical detail lives. Every row includes at least one limitation or gotcha that is not obvious from the role name and that will affect how the engagement is scoped or executed.<\/p>\n\n\n\n <\/p>\n\n\n\n Read-Only Engagements<\/strong><\/p>\n\n\n\n Change Engagements: Single Workload<\/strong><\/p>\n\n\n\n Change Engagements: Combined Workloads<\/strong><\/p>\n\n\n\n <\/p>\n\n\n\n These are project types that naturally span more than one workload. The role combinations below represent the minimum required for each. In every case, roles from each workload must be assigned independently. Membership of a role in one RBAC system does not carry over to another.<\/p>\n\n\n\n Permanent role assignment for external consultant accounts should be treated as a misconfiguration, not a default. All Entra ID roles in this post are PIM-eligible. The recommended configuration is eligible assignment with an approval workflow and a time-bound activation window matched to the engagement duration or sprint cycle.<\/p>\n\n\n\n\n
\n\n\n\n
Change engagements (single workload)<\/strong>: active project work scoped to one workload.
Change engagements (combined workloads)<\/strong>: project types that naturally span more than one workload and where the role combination is not obvious.
<\/p>\n\n\n\n
\n\n\n\n
These roles are appropriate when the engagement scope is assessment, audit, tenant review, or pre-project discovery. The consultant must be able to see configuration but must not be able to make changes.<\/p>\n\n\n\n![\"\"](\"https:\/\/modern-workplace.uk\/wp-content\/uploads\/2026\/04\/table1.png\")
<\/a><\/figure>\n\n\n\n
\n\n\n\n
These role combinations apply to active project work scoped to one primary workload. Where the engagement naturally spans multiple workloads, refer to the combined engagements section below.<\/p>\n\n\n\n<\/a><\/figure>\n\n\n\n
\n\n\n\n<\/a><\/figure>\n\n\n\n
\n\n\n\nPIM and Least Privilege: Summary Reference<\/strong><\/h2>\n\n\n\n