Recommended Roles 🔐
Because Triggr is an application that touches many parts of M365, selecting the right roles can be difficult. The following roles are recommended for Triggr, but you may experiment with less permissive role sets at your own risk.
The table below lists the suggested Azure roles for use with Triggr, along with a brief explanation of what each role allows the platform to do. You can click on any Role Name to view Microsoft's official documentation for more details about that specific Azure AD role.
| Role Name | Description |
|---|---|
| Application Administrator | Can create and manage all applications, service principals, app registration, enterprise apps, consent requests. Cannot manage directory roles, security groups. |
| Cloud Application Administrator | Required for Triggr. Can manage application registrations and enterprise applications, including programmatic admin consent for the Triggr app within each client's environment. This is critical for seamless deployment and enables effortless rollout without manual intervention. |
| Authentication Policy Administrator | Configures authentication methods policy, MFA settings, manages Password Protection settings, creates/manages verifiable credentials, Azure support tickets. Restrictions on updating sensitive properties, deleting/restoring users, legacy MFA settings. |
| Cloud App Security Administrator | Manages all aspects of the Defender for Cloud App Security in Azure AD, including policies, alerts, and related configurations. |
| Cloud Device Administrator | Enables, disables, deletes devices in Azure AD, reads Windows 10 BitLocker keys. Does not grant permissions to manage other properties on the device. |
| Exchange Administrator | Manages all aspects of Exchange Online, including mailboxes, permissions, connectivity, and related settings. Limited access to related Exchange settings in Azure AD. |
| Intune Administrator | Manages all aspects of Intune, including all related resources, policies, configurations, and tasks. |
| User Administrator | Manages all aspects of users, groups, registration, and resets passwords for limited admins. Cannot manage security-related policies or other configuration objects. |
| Privileged Authentication Administrator | Sets/resets authentication methods for all users (admin or non-admin), deletes/restores any users. Manages support tickets in Azure and Microsoft 365. Restrictions on managing per-user MFA in legacy MFA portal. |
| Privileged Role Administrator | Manages role assignments in Azure AD, Azure AD Privileged Identity Management, creates/manages groups, manages all aspects of Privileged Identity Management, administrative units. Allows managing assignments for all Azure AD roles including Global Administrator. |
| Security Administrator | Can read security information and reports, and manages security-related features, including identity protection, security policies, device management, and threat management in Azure AD and Office 365. |
| SharePoint Administrator | Manages all aspects of SharePoint Online, Microsoft 365 groups, support tickets, service health. Scoped permissions for Microsoft Intune, SharePoint, and OneDrive resources. |
| Teams Administrator | Manages all aspects of Microsoft Teams, including telephony, messaging, meetings, teams, Microsoft 365 groups, support tickets, and service health. |
Role Assignment Strategy
🎯 Recommended Approach
Assign all recommended roles to ensure Triggr has the necessary permissions to function properly across all Microsoft 365 services. This comprehensive permission set enables Triggr to automate a wide range of tasks without encountering permission issues.
🔑 Cloud Application Administrator - Critical for Deployment
The Cloud Application Administrator role is essential for Triggr's seamless deployment across client environments. This role enables Triggr to programmatically provide admin consent within each client's Microsoft 365 environment, eliminating the need for manual intervention during rollout. Without this role, you would need to manually configure admin consent for each client, significantly slowing down deployment and creating additional administrative overhead.
Common Triggr Workflows and Required Roles
📧 Email Management
- Exchange Administrator - Required for mailbox operations
- User Administrator - Required for user management
👥 User Management
- User Administrator - Core user management operations
- Authentication Policy Administrator - Password and MFA management
🔒 Security Operations
- Security Administrator - Security policy management
- Cloud App Security Administrator - Advanced security features
📱 Device Management
- Intune Administrator - Device enrollment and management
- Cloud Device Administrator - Basic device operations
🏢 SharePoint & Teams
- SharePoint Administrator - SharePoint site management
- Teams Administrator - Teams workspace management
Troubleshooting Role Issues
Common Problems
"Triggr workflow fails with permission error"
- Check if the required role is assigned to the service account
- Verify the role is active and not expired
- Ensure the role applies to the correct scope (tenant vs. specific resources)
"Cannot access certain Microsoft 365 features"
- Review the role descriptions above
- Check if additional roles are needed for specific features
- Verify GDAP relationship is properly configured
"Role assignments not taking effect"
- Allow time for role propagation (can take up to 15 minutes)
- Check for conflicting Conditional Access policies
- Verify the service account is in the correct groups
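The checks in the "permission error" and "not taking effect" lists above (is the role assigned, is it tenant-scoped, is it held directly rather than via a group) can be run in one pass with the Microsoft Graph PowerShell SDK. This is an added example and not part of the Triggr documentation or product; it assumes the `Microsoft.Graph` module is installed, that the signed-in admin can read role assignments, and uses a placeholder service-account UPN that you must replace.

```powershell
# Added example (not Triggr's own tooling). Requires: Install-Module Microsoft.Graph
$ServiceAccountUpn = 'triggr-svc@contoso.example'   # placeholder: replace with your GDAP service account

# The roles this page recommends for Triggr
$RecommendedRoles = @(
    'Application Administrator', 'Cloud Application Administrator',
    'Authentication Policy Administrator', 'Cloud App Security Administrator',
    'Cloud Device Administrator', 'Exchange Administrator', 'Intune Administrator',
    'User Administrator', 'Privileged Authentication Administrator',
    'Privileged Role Administrator', 'Security Administrator',
    'SharePoint Administrator', 'Teams Administrator'
)

# Read-only scopes are enough for this audit
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'User.Read.All' -NoWelcome

$svc = Get-MgUser -UserId $ServiceAccountUpn -Property Id, UserPrincipalName

# Active role assignments held directly by this principal, with the role definition expanded.
# Roles granted through a role-assignable group list the group as principal and will NOT appear
# here, which is why the page also tells you to verify group membership.
$assignments = Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "principalId eq '$($svc.Id)'" -ExpandProperty roleDefinition -All

# Map role display name -> directory scope ('/' means tenant-wide; anything else is an admin unit)
$assigned = @{}
foreach ($a in $assignments) { $assigned[$a.RoleDefinition.DisplayName] = $a.DirectoryScopeId }

$missing = $RecommendedRoles | Where-Object { -not $assigned.ContainsKey($_) }
$scoped  = $assigned.GetEnumerator() | Where-Object { $_.Value -ne '/' }
$extra   = $assigned.Keys | Where-Object { $RecommendedRoles -notcontains $_ }

Write-Host "Service account: $($svc.UserPrincipalName)"
Write-Host "Recommended roles not directly assigned:" ; $missing | ForEach-Object { "  - $_" }
Write-Host "Assigned roles limited to an admin-unit scope (may not cover the tenant):"
$scoped | ForEach-Object { "  - $($_.Key) (scope $($_.Value))" }
Write-Host "Assigned roles outside the recommended list (review for least privilege):"
$extra | ForEach-Object { "  - $_" }

Disconnect-MgGraph | Out-Null
```

A role that shows up as missing here but is listed under the account in the portal is usually group-based or a PIM-eligible (not yet activated) assignment; treat an empty "missing" list plus a scope of `/` on every row as the baseline before escalating a permission error.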
Related Documentation
- GDAP Service Account Setup - Initial service account creation
- Conditional Access Best Practices - Security policy configuration
Need help? Your account manager can assist with role configuration and help determine the optimal permission set for your specific Triggr workflows.