Raw Record Source

{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreihaxblk7fputpjjqfz4m6j2qxejfhszt33b52222mrbnhv3pjwnwy",
    "uri": "at://did:plc:xxrzfynfiasdpbxteqxi4jgq/app.bsky.feed.post/3mggmtbo75br2"
  },
  "description": "The AI Administrator role is updated to support Agent 365, enabling delegated agent management without Global Admin involvement for routine tasks. Rollout starts March 2026. AI Admins gain expanded permissions for agent lifecycle management, tenant-wide consent (excluding Microsoft Graph app perm...",
  "path": "/m365-message-center/message/mc1245636/",
  "publishedAt": "2026-03-07T01:00:17.000Z",
  "site": "https://blog.tophhie.cloud",
  "tags": [
    "ID Protection for agents (Preview)",
    "AI Administrator",
    "admin.cloud.microsoft",
    "About administrator roles in the Microsoft 365 admin center - Microsoft 365 admin | Microsoft Learn"
  ],
  "textContent": "**[Introduction]**\n\nWe are updating the **AI Administrator** role to support **Agent 365**. This update enables delegated, day-to-day agent management while preserving enterprise security and least-privilege principles.\n\nThe AI Admin role is designed for managing agent lifecycles and agentic users. By removing the dependency on **Global Administrators** for routine, agent-scoped actions, this change helps eliminate operational bottlenecks, supports scale, and maintains clear separation of duties. Global Admin elevation remains required only for rare, high-risk scenarios.\n\n**[When this will happen:]**\n\n\n\n\nGeneral Availability: Rollout begins **early March 2026** ; expected completion by **late March 2026**\n\n\n\n\n**[How this affects your organization:]**\n\n**Who is affected**\n\n  * Microsoft 365 tenants using Agent 365\n  * Administrators assigned the **AI Administrator role**\n  * Organizations that currently require **Global Administrator** involvement for routine agent management\n\n\n\n**What will happen**\n\n  * **AI Administrators** can grant tenant-wide admin consent for apps and agents requesting permissions, except Microsoft Graph application permissions\n  * AI Admins can view basic subscription properties\n  * AI Admins can view agents flagged as risky through Microsoft Entra Identity Protection. Learn more: ID Protection for agents (Preview) (this article will be updated soon).\n  * To review existing capabilities of the AI Admin, visit AI Administrator.\n  * AI Admins can perform full CRUD (create, read, update, delete) operations on agents\n  * This includes adding, deleting, and managing agent credentials\n  * Agent management is available through the Microsoft 365 admin center, Microsoft Entra admin center, PowerShell, and APIs\n\n\n\n**What is not included**\n\n  * Apps or agents requiring Microsoft Graph application permissions will continue to require **Privileged Role Administrator** or **Global Administrator** approval\n\n\n\n**[What you can do to prepare:]**\n\n  * Review existing assignments for the **AI Administrator** role to ensure only appropriate users have access\n  * If you want to opt out, remove the AI Admin role from users who should not grant tenant-wide consent or manage agents\n\n\n\n**Review or update role assignments**\n\n  1. Sign in to the Microsoft 365 admin center at admin.cloud.microsoft using a **Global Administrator** or **User Administrator** account.\n  2. Go to **Roles** > **Role assignments**.\n  3. Select **AI Administrator**.\n  4. Review the list of users assigned to the role.\n  5. If needed, remove the role from users or add users who should legitimately manage AI agents.\n\n\n\n**Learn more:**About administrator roles in the Microsoft 365 admin center - Microsoft 365 admin | Microsoft Learn\n\n**[Compliance considerations]**\n\nQuestion | Explanation\n---|---\nDoes the change alter how existing customer data is processed, stored, or accessed? | AI Administrators gain expanded permissions to manage agents and agent credentials, which may indirectly affect how agents access tenant data.\nDoes the change introduce or significantly modify AI or agent capabilities that interact with customer data? | The update expands AI Administrator authority over agent lifecycles and tenant-wide consent, increasing control over agent behavior and data access.\nDoes the change alter how admins can monitor or demonstrate compliance activities? | AI Administrators can now view agents flagged as risky through Identity Protection, improving visibility and compliance monitoring.\nDoes the change include an admin control, and can it be controlled through Entra ID role membership? | All new capabilities are governed by assignment of the AI Administrator role in Microsoft Entra ID.",
  "title": "MC1245636: AI Admin RBAC updates",
  "updatedAt": "2026-03-07T01:00:17.955Z"
}