Skip to Content

MC1245636: AI Admin RBAC updates

By: Author Alex Lim

Posted on

Categories Update

Home » Update » MC1245636: AI Admin RBAC updates

Summary

  • The AI Administrator role will be updated to support Agent 365, enabling efficient day-to-day agent management without needing Global Administrator involvement for routine actions.
  • AI Administrators will have new permissions to manage agent lifecycles, grant tenant-wide admin consent for most apps and agents, and perform CRUD operations on agents.
  • Administrators can view risky agents flagged by Microsoft Entra Identity Protection, enhancing compliance and visibility.
  • The change aims to streamline operational processes, mitigate risks, and maintain clear separation of duties in managing agents.
  • Existing capabilities and role assignments for AI Administrators should be reviewed to ensure appropriate access is maintained.

Admin Impact: Medium
User Impact: Low
Release Start: 01 Mar 2026
Release End: 31 Mar 2026
Services: Entra
Category: Stay informed
Tags: Feature Update, Admin Action

History

3/6/2026 Item Added to Message Center

Microsoft Message

Introduction

We are updating the AI Administrator role to support Agent 365. This update enables delegated, day-to-day agent management while preserving enterprise security and least-privilege principles.

The AI Admin role is designed for managing agent lifecycles and agentic users. By removing the dependency on Global Administrators for routine, agent-scoped actions, this change helps eliminate operational bottlenecks, supports scale, and maintains clear separation of duties. Global Admin elevation remains required only for rare, high-risk scenarios.

When this will happen

General Availability: Rollout begins early March 2026; expected completion by late March 2026

How this affects your organization

Who is affected

  • Microsoft 365 tenants using Agent 365
  • Administrators assigned the AI Administrator role
  • Organizations that currently require Global Administrator involvement for routine agent management

What will happen

  • AI Administrators can grant tenant-wide admin consent for apps and agents requesting permissions, except Microsoft Graph application permissions
  • AI Admins can view basic subscription properties
  • AI Admins can view agents flagged as risky through Microsoft Entra Identity Protection. Learn more: ID Protection for agents (Preview) (this article will be updated soon).
  • To review existing capabilities of the AI Admin, visit AI Administrator.
  • AI Admins can perform full CRUD (create, read, update, delete) operations on agents
  • This includes adding, deleting, and managing agent credentials
  • Agent management is available through the Microsoft 365 admin center, Microsoft Entra admin center, PowerShell, and APIs

What is not included

Apps or agents requiring Microsoft Graph application permissions will continue to require Privileged Role Administrator or Global Administrator approval

What you can do to prepare

  • Review existing assignments for the AI Administrator role to ensure only appropriate users have access
  • If you want to opt out, remove the AI Admin role from users who should not grant tenant-wide consent or manage agents

Review or update role assignments

  1. Sign in to the Microsoft 365 admin center at admin.cloud.microsoft using a Global Administrator or User Administrator account.
  2. Go to Roles > Role assignments.
  3. Select AI Administrator.
  4. Review the list of users assigned to the role.
  5. If needed, remove the role from users or add users who should legitimately manage AI agents.

Learn more: About administrator roles in the Microsoft 365 admin center – Microsoft 365 admin | Microsoft Learn

Compliance considerations

Question: Does the change alter how existing customer data is processed, stored, or accessed?

Explanation: AI Administrators gain expanded permissions to manage agents and agent credentials, which may indirectly affect how agents access tenant data.

Question: Does the change introduce or significantly modify AI or agent capabilities that interact with customer data?

Explanation: The update expands AI Administrator authority over agent lifecycles and tenant-wide consent, increasing control over agent behavior and data access.

Question: Does the change alter how admins can monitor or demonstrate compliance activities?

Explanation: AI Administrators can now view agents flagged as risky through Identity Protection, improving visibility and compliance monitoring.

Question: Does the change include an admin control, and can it be controlled through Entra ID role membership?

Explanation: All new capabilities are governed by assignment of the AI Administrator role in Microsoft Entra ID.