
AI Admin RBAC updates

Message ID: MC1245636
Service: Microsoft Entra
Category: Stay Informed
Tags: Feature update, Admin impact
Rollout: March 2026

Summary

The AI Administrator role is updated to support Agent 365, enabling delegated agent management without Global Admin involvement for routine tasks. Rollout starts March 2026. AI Admins gain expanded permissions for agent lifecycle management, tenant-wide consent (excluding Microsoft Graph app permissions), and risk monitoring via Identity Protection, enhancing security and compliance.

Details

[Introduction]

We are updating the AI Administrator role to support Agent 365. This update enables delegated, day-to-day agent management while preserving enterprise security and least-privilege principles.

The AI Admin role is designed for managing agent lifecycles and agentic users. By removing the dependency on Global Administrators for routine, agent-scoped actions, this change helps eliminate operational bottlenecks, supports scale, and maintains clear separation of duties. Global Admin elevation remains required only for rare, high-risk scenarios.

[When this will happen:]

General Availability: Rollout begins early March 2026; expected completion by late March 2026

[How this affects your organization:]

Who is affected

  • Microsoft 365 tenants using Agent 365
  • Administrators assigned the AI Administrator role
  • Organizations that currently require Global Administrator involvement for routine agent management

What will happen

  • AI Administrators can grant tenant-wide admin consent for apps and agents requesting permissions, except Microsoft Graph application permissions
  • AI Admins can view basic subscription properties
  • AI Admins can view agents flagged as risky through Microsoft Entra Identity Protection. Learn more: ID Protection for agents (Preview) (this article will be updated soon).
  • To review existing capabilities of the AI Admin, visit AI Administrator.
  • AI Admins can perform full CRUD (create, read, update, delete) operations on agents
      ◦ This includes adding, deleting, and managing agent credentials
  • Agent management is available through the Microsoft 365 admin center, Microsoft Entra admin center, PowerShell, and APIs

What is not included

  • Apps or agents requiring Microsoft Graph application permissions will continue to require Privileged Role Administrator or Global Administrator approval

[What you can do to prepare:]

  • Review existing assignments for the AI Administrator role to ensure only appropriate users have access
  • If you want to opt out, remove the AI Admin role from users who should not grant tenant-wide consent or manage agents

Review or update role assignments

  1. Sign in to the Microsoft 365 admin center at admin.cloud.microsoft using a Global Administrator or User Administrator account.
  2. Go to Roles > Role assignments.
  3. Select AI Administrator.
  4. Review the list of users assigned to the role.
  5. If needed, remove the role from users or add users who should legitimately manage AI agents.

Learn more: About administrator roles in the Microsoft 365 admin center - Microsoft 365 admin | Microsoft Learn
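
The same review can be scripted for tenants where the role has many holders. This is an added example, not part of the Message Center post or Microsoft's documentation; it assumes the Microsoft Graph PowerShell SDK is installed, and the ReviewFirst criteria and the output file name are this example's own choices. It lists active assignments only; eligibility managed through Privileged Identity Management is not covered.

```powershell
# Added example: list principals that currently hold the AI Administrator role.
# Assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph) is installed and
# the signed-in account can consent to the read-only scopes below.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All'

# Look the role up by display name so no role ID has to be hard-coded.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'AI Administrator'"
if (-not $role) { throw "No role definition named 'AI Administrator' in this tenant." }

$assignments = Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "roleDefinitionId eq '$($role.Id)'" -All

$report = foreach ($a in $assignments) {
    # Resolve the principal; type and names arrive in AdditionalProperties.
    $obj   = Get-MgDirectoryObject -DirectoryObjectId $a.PrincipalId
    $props = $obj.AdditionalProperties
    $type  = $props['@odata.type'] -replace '^#microsoft\.graph\.', ''

    [pscustomobject]@{
        PrincipalType = $type                      # user, group, servicePrincipal
        DisplayName   = $props['displayName']
        UPN           = $props['userPrincipalName']
        Scope         = $a.DirectoryScopeId        # '/' means tenant-wide
        # Review hint (this example's own criteria, not Microsoft guidance):
        # non-user holders and guest accounts are looked at first, because the
        # role now covers tenant-wide consent and agent credential management.
        ReviewFirst   = ($type -ne 'user') -or
                        ($props['userPrincipalName'] -like '*#EXT#*')
        PrincipalId   = $a.PrincipalId
    }
}

# Flagged entries first on screen; full list saved for the access review record.
$report | Sort-Object ReviewFirst -Descending | Format-Table -AutoSize
$report | Export-Csv -Path .\ai-admin-assignments.csv -NoTypeInformation
```

A group listed as a holder means its members inherit the role, so the group's membership needs the same review.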

[Compliance considerations]

Question: Does the change alter how existing customer data is processed, stored, or accessed?
Explanation: AI Administrators gain expanded permissions to manage agents and agent credentials, which may indirectly affect how agents access tenant data.

Question: Does the change introduce or significantly modify AI or agent capabilities that interact with customer data?
Explanation: The update expands AI Administrator authority over agent lifecycles and tenant-wide consent, increasing control over agent behavior and data access.

Question: Does the change alter how admins can monitor or demonstrate compliance activities?
Explanation: AI Administrators can now view agents flagged as risky through Identity Protection, improving visibility and compliance monitoring.

Question: Does the change include an admin control, and can it be controlled through Entra ID role membership?
Explanation: All new capabilities are governed by assignment of the AI Administrator role in Microsoft Entra ID.
