🔍 Overview
This article addresses alerts triggered in Liongard when the "Places Administrator" role is detected as newly assigned in Microsoft Entra ID. Partners may be unfamiliar with this role, especially since it is relatively new and may not yet be reflected in all Microsoft documentation or environments. Liongard's alert logic surfaced this role based on changes in the enabled role definitions retrieved via Microsoft Graph API.
The "Places Administrator" role is part of Microsoft's rollout of Microsoft Places, a workspace management solution within Microsoft 365. This role supports centralized administration of physical locations like buildings, rooms, and desks, enhancing hybrid work infrastructure.
Liongard users may receive alerts under titles like:
Azure Active Directory | Enabled Administrative Roles List Modified
With detected changes like:
Changes Detected: ["Places Administrator"]
🧬 Why Does This Happen?
Microsoft Places introduces Role-Based Access Control (RBAC) to delegate responsibilities for physical workspace management. As part of this, the "Places Administrator" role is now available in Microsoft Entra ID. This role may appear suddenly in environments due to:
Microsoft completing backend rollout to tenants
Admins enabling Microsoft Places or assigning related permissions
Third-party integrations or syncs with Microsoft Places service
Roadmap Reference: Microsoft 365 Roadmap ID: 488103
🔓 What Is the "Places Administrator" Role?
The Places Administrator role in Entra ID allows users to:
Manage all aspects of the Microsoft Places service
Onboard or offboard buildings, spaces, desks
Enable/disable Places features
Assign local administrators (Building or Desk Admins)
Note: This role is managed via Entra Admin Center and integrates with Exchange Online and the Microsoft Places infrastructure.
Privileges: This role is not classified as a privileged role in Microsoft Entra. It won't appear under the standard privileged role definitions but is still a high-trust role depending on the scale of implementation.
📊 How to Check If This Role Exists and Who Has It
In Microsoft Entra Admin Center:
Go to
https://entra.microsoft.com
Navigate to Entra ID > Roles & Admins
In the search bar, type:
places
Locate
Places Administrator
Click the role to view:
Description
Assignments (who has the role)
Assignment scope (user, group, or service principal)
Using PowerShell (for scriptable validation):
Connect-MgGraph -Scopes "RoleManagement.Read.Directory"
Get-MgRoleManagementDirectoryRoleDefinition | Where-Object {$_.DisplayName -eq "Places Administrator"} | Get-MgRoleManagementDirectoryRoleAssignment
⚠️ Security Considerations
While "Places Administrator" is not a privileged role by Microsoft's technical classification, it:
Grants access to manage room metadata, desk assignments, and physical layout
Could be exploited for location misconfiguration or misassignment
May reveal sensitive information about organizational space planning
What to Watch For:
Sudden assignment of this role without clear change history
Role assigned to unrecognized accounts or service principals
Assignment done outside a change control window
Recommended Actions:
Review audit logs for the user who assigned the role
Use Liongard to track when the role was added
Revoke role if assigned unintentionally or by mistake
Review Microsoft Places documentation for onboarding security steps
📊 How Liongard Helps | Alerting & Monitoring
Liongard monitors role definitions and assignments via Microsoft Graph API. When a new administrative role appears (like Places Administrator), it can:
Trigger alerts when role definitions change
Help identify users or systems assigned to new roles
Provide historic visibility into when the change occurred
Enable creation of actionable alerts
Relevant Metrics:
RoleDefinitions[?isEnabled ==
true].displayName
(used in standard alerting)To identify assignments/current members assigned with this role, use:
Roles[?displayName == 'Places Administrator'].Members[]
Pro Tip: Create a Liongard Actionable Alert using the above metric to:
Monitor when and who is assigned to the "Places Administrator" role.