
Microsoft 365 | Alert Triggered for ‘Places Administrator’ Role


Updated over 3 weeks ago

🔍 Overview

This article addresses alerts triggered in Liongard when the "Places Administrator" role is detected as newly assigned in Microsoft Entra ID. Partners may be unfamiliar with this role, since it is relatively new and may not yet be reflected in all Microsoft documentation or environments. Liongard's alert logic surfaces this role based on changes in the enabled role definitions retrieved via the Microsoft Graph API.

The "Places Administrator" role is part of Microsoft's rollout of Microsoft Places, a workspace management solution within Microsoft 365. This role supports centralized administration of physical locations like buildings, rooms, and desks, enhancing hybrid work infrastructure.

Liongard users may receive alerts under titles like:

  • Azure Active Directory | Enabled Administrative Roles List Modified

  • With detected changes like: Changes Detected: ["Places Administrator"]


🧬 Why Does This Happen?

Microsoft Places introduces Role-Based Access Control (RBAC) to delegate responsibilities for physical workspace management. As part of this, the "Places Administrator" role is now available in Microsoft Entra ID. This role may appear suddenly in environments due to:

  • Microsoft completing backend rollout to tenants

  • Admins enabling Microsoft Places or assigning related permissions

  • Third-party integrations or syncs with Microsoft Places service


🔓 What Is the "Places Administrator" Role?

The Places Administrator role in Entra ID allows users to:

  • Manage all aspects of the Microsoft Places service

  • Onboard or offboard buildings, spaces, desks

  • Enable/disable Places features

  • Assign local administrators (Building or Desk Admins)

Note: This role is managed via Entra Admin Center and integrates with Exchange Online and the Microsoft Places infrastructure.

Privileges: This role is not classified as a privileged role in Microsoft Entra. It won't appear under the standard privileged role definitions but is still a high-trust role depending on the scale of implementation.


📊 How to Check If This Role Exists and Who Has It

In Microsoft Entra Admin Center:

  1. Go to https://entra.microsoft.com

  2. Navigate to Entra ID > Roles & Admins

  3. In the search bar, type: places

  4. Locate Places Administrator

  5. Click the role to view:

    • Description

    • Assignments (who has the role)

    • Assignment scope (user, group, or service principal)

Using PowerShell (for scriptable validation):

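Connect-MgGraph -Scopes "RoleManagement.Read.Directory"
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Places Administrator'"
# List assignments of that role; PrincipalId is the assigned user, group, or service principal
Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'"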

⚠️ Security Considerations

While "Places Administrator" is not a privileged role by Microsoft's technical classification, it:

  • Grants access to manage room metadata, desk assignments, and physical layout

  • Could be exploited for location misconfiguration or misassignment

  • May reveal sensitive information about organizational space planning

What to Watch For:

  • Sudden assignment of this role without clear change history

  • Role assigned to unrecognized accounts or service principals

  • Assignment done outside a change control window

Recommended Actions:

  • Review audit logs for the user who assigned the role

  • Use Liongard to track when the role was added

  • Revoke role if assigned unintentionally or by mistake

  • Review Microsoft Places documentation for onboarding security steps
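
The checks under "What to Watch For" and the audit-log review can be scripted together. The following is an added example, not Liongard or Microsoft code: it lists each current "Places Administrator" assignment with the principal, who assigned it, and when, so the result can be compared against your change records. The `$ApprovedPrincipals` allow-list and its sample value are assumptions made for illustration.

```powershell
# Added example. Assumption: $ApprovedPrincipals is a hypothetical allow-list you maintain.
$RoleName           = 'Places Administrator'
$ApprovedPrincipals = @('places-admins@contoso.example')   # constructed sample value

Connect-MgGraph -Scopes 'RoleManagement.Read.Directory','Directory.Read.All','AuditLog.Read.All'

$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleName'"
if (-not $role) { Write-Output "Role '$RoleName' is not present in this tenant."; return }

# Current assignments, with the assigned principal expanded in the same call.
$assignments = Get-MgRoleManagementDirectoryRoleAssignment -All `
    -Filter "roleDefinitionId eq '$($role.Id)'" -ExpandProperty principal

# Role-management audit events, matched on the role name recorded in the event's
# modified properties. This reaches back only as far as the tenant's audit log retention.
$events = Get-MgAuditLogDirectoryAudit -All -Filter "category eq 'RoleManagement'" |
    Where-Object { $_.TargetResources.ModifiedProperties.NewValue -match [regex]::Escape($RoleName) }

foreach ($a in $assignments) {
    $p    = $a.Principal.AdditionalProperties
    $name = if ($p.userPrincipalName) { $p.userPrincipalName } else { $p.displayName }

    # Most recent audit event whose targets include this principal.
    $e = $events | Where-Object { $_.TargetResources.Id -contains $a.PrincipalId } |
        Sort-Object ActivityDateTime -Descending | Select-Object -First 1
    $by = if ($e.InitiatedBy.User.UserPrincipalName) {
        $e.InitiatedBy.User.UserPrincipalName
    } else {
        $e.InitiatedBy.App.DisplayName
    }

    [pscustomobject]@{
        Principal     = $name
        PrincipalType = ($p.'@odata.type' -replace '^#microsoft\.graph\.', '')
        Scope         = $a.DirectoryScopeId
        AssignedAtUtc = $e.ActivityDateTime
        AssignedBy    = $by
        Activity      = $e.ActivityDisplayName
        OnAllowList   = $ApprovedPrincipals -contains $name
        HasAuditTrail = [bool]$e   # False: no matching event within retention
    }
}
```

Rows where `OnAllowList` or `HasAuditTrail` is False, or where `AssignedAtUtc` falls outside a change control window, are the ones to investigate first.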


📊 How Liongard Helps | Alerting & Monitoring

Liongard monitors role definitions and assignments via Microsoft Graph API. When a new administrative role appears (like Places Administrator), it can:

  • Trigger alerts when role definitions change

  • Help identify users or systems assigned to new roles

  • Provide historic visibility into when the change occurred

  • Enable creation of actionable alerts

Relevant Metrics:

  • RoleDefinitions[?isEnabled == true].displayName (used in standard alerting)

  • To identify assignments/current members assigned with this role, use:

    Roles[?displayName == 'Places Administrator'].Members[]

Pro Tip: Create a Liongard Actionable Alert using the above metric to monitor when the "Places Administrator" role is assigned and to whom.

