Hidden Entra roles found in Graph but not in the admin UI

Discover the hidden Microsoft Entra roles that appear in Microsoft Graph but not in the admin portal. Learn what these roles mean and why they matter for RBAC, audits, and identity management.


TL;DR:

Some Microsoft Entra roles appear in Microsoft Graph but not in the Entra admin portal. This document highlights what they are and why they're hidden.

Summary

Most Entra administrators assume that every directory role can be viewed and managed directly in the Entra admin portal. Unfortunately, that’s not the case. A surprising number of built‑in roles exist only in Microsoft Graph and never appear in the UI, which can cause confusion during audits, access reviews, and troubleshooting.
This article highlights the key Entra roles that are visible in Graph but not exposed in the Entra admin portal, along with a short explanation of what each one represents. If you’ve ever wondered why a user appears to have permissions that "don’t exist", this is why.

Why These Roles Matter

  • They show up in Graph queries, Microsoft Graph PowerShell output, and audit logs

  • They can affect device behaviour, guest access, and directory sync

  • They often appear during incident response or privilege investigations

  • They’re essential for MSPs who need complete visibility across tenants

  • These roles aren’t typically assigned manually (many are system‑managed), but understanding them helps you interpret identity data accurately.

Entra Roles Found in Graph but Not in the Admin UI

The following describes these roles:

Device & Join‑Related Roles

  • Azure AD Joined Device Local Administrator
    Grants local admin rights on Azure AD‑joined devices. This role does exist in the Entra admin UI; however, it has been renamed to "Microsoft Entra Joined Device Local Administrator".

  • Device Join
    Allows a user or system to join devices to Entra ID. This has been deprecated.

  • Device Managers
    System‑managed role for device administration. This has been deprecated.

  • Device Users
    Represents standard device‑level permissions. This has been deprecated.

  • Workplace Device Join
    Used for registering personal devices (Workplace Join). This has been deprecated.

Directory Sync & Hybrid Identity Roles

  • Directory Synchronization Accounts
    Accounts used by sync engines such as Azure AD Connect. Can't be used.

  • On Premises Directory Sync Account
    Legacy sync account type used by older hybrid setups. Can't be used.

Guest & External Access Roles

  • Guest User
    The baseline role automatically applied to B2B guests. Can't be used.

  • Restricted Guest User
    A more locked‑down variant used in certain tenants. Can't be used.

Partner Support Roles

  • Partner Tier1 Support
    Delegated admin privileges for CSP Tier 1 partners. Can't be used.

  • Partner Tier2 Support
    Elevated delegated admin privileges for CSP Tier 2 partners. Can't be used.

Purview Workload Roles

Purview uses its own internal RBAC system, separate from Entra’s directory roles.

  • Purview Workload Content Administrator
    Not an Entra role.

  • Purview Workload Content Reader
    Not an Entra role.

  • Purview Workload Content Writer
    Not an Entra role.

General Directory Roles

  • User
    The default role assigned to standard users. Can't be used.

Why This Matters for Documentation

Hidden roles are one of the reasons Entra documentation often becomes inconsistent across tenants. Tools like XIA Configuration Server help standardise reporting by pulling role data directly from Microsoft Graph, ensuring nothing is missed.

Final Thoughts

If you rely solely on the Entra admin portal, you’re only seeing part of the RBAC picture. Graph exposes the full set of roles, including these hidden ones, which is why MSPs and identity architects should always include Graph‑based role discovery in their documentation and audits.
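As an added example of the Graph‑based discovery described above (not code from the original article or from any product it mentions), the following Microsoft Graph PowerShell script enumerates every role definition Graph returns, picks out the ones this article lists as absent from the admin UI, and reports any principals assigned to them. It assumes the Microsoft.Graph SDK is installed and that the signed‑in account can consent to the RoleManagement.Read.Directory and Directory.Read.All scopes; the $hiddenRoleNames list is built from this article and is the only tenant‑independent input.

```powershell
# Added example: audit the Entra roles that Graph exposes but the admin portal hides.
# Assumes the Microsoft.Graph PowerShell SDK (2.x) and read access to role management.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory','Directory.Read.All' -NoWelcome

# Display names taken from this article's list of roles not surfaced in the admin UI
# (the Purview workload roles are omitted because they are not Entra role definitions).
$hiddenRoleNames = @(
    'Azure AD Joined Device Local Administrator',
    'Device Join', 'Device Managers', 'Device Users', 'Workplace Device Join',
    'Directory Synchronization Accounts', 'On Premises Directory Sync Account',
    'Guest User', 'Restricted Guest User',
    'Partner Tier1 Support', 'Partner Tier2 Support',
    'User'
)

# unifiedRoleDefinition includes every built-in role Graph knows about, hidden or not.
$allRoles = Get-MgRoleManagementDirectoryRoleDefinition -All

$report = foreach ($role in $allRoles) {
    if ($hiddenRoleNames -notcontains $role.DisplayName) { continue }

    # Active assignments for this definition; expanding Principal resolves the
    # assigned directory object so its type and display name can be reported.
    $assignments = Get-MgRoleManagementDirectoryRoleAssignment -All `
        -Filter "roleDefinitionId eq '$($role.Id)'" -ExpandProperty Principal

    foreach ($a in $assignments) {
        [pscustomobject]@{
            Role          = $role.DisplayName
            RoleId        = $role.Id
            IsBuiltIn     = $role.IsBuiltIn
            PrincipalType = $a.Principal.AdditionalProperties['@odata.type']
            Principal     = $a.Principal.AdditionalProperties['displayName']
            Scope         = $a.DirectoryScopeId
        }
    }
}

# Hidden roles with no assignments are still listed so the audit records that the
# definition exists in the tenant even though the portal never shows it.
$hiddenRoleNames | Where-Object { $_ -notin $report.Role } |
    ForEach-Object { Write-Host "No assignments found for hidden role: $_" }

$report | Sort-Object Role, Principal | Format-Table -AutoSize
```

Any row in the output for a role that the portal does not show is exactly the kind of "permission that doesn't exist" the article describes, and is worth cross‑checking against the tenant's sync, guest and partner configuration.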