#Functional Roles

Functional roles are security / mail-enabled security groups in Microsoft 365 or a group in your local Active Directory, designed to manage permissions and license assignments for group members. By assigning customer's tenant users especially administrators to appropriate functional roles with service-specific permissions, you can authorize them to access Elements and manage their tenant’s data utilizing the service.

On the Functional roles page, the number of functional roles within each tenant that you added to the User management module is displayed.

Clicking a tenant name will redirect you to the Functional roles > Functional role list page where you can view and manage functional roles of the tenant.

In a hybrid tenant, the functional role list includes a Source column that explicitly identifies the origin of each functional role.

• Cloud – Indicates that the functional role is stored and managed exclusively within Microsoft Entra ID (cloud-only), with no on-premises association.

• On-premises – Indicates that the functional role is hosted and managed in an on-premises Active Directory (AD) environment, without synchronization to the cloud.

• Hybrid – Indicates that the functional role is synchronized between an on-premises AD and Microsoft Entra ID. This synchronization is typically managed via directory synchronization tools like Azure AD Connect. During Azure AD Connect setup, administrators can choose which organizational units (OU) to synchronize with the cloud. If a newly created functional role resides in an OU designated for synchronization, the functional role will be classified and managed as a hybrid functional role.