In Office 365 we have the option to give some of our users an administrative role, but what role(s) can we give them?

This post will be an overview of the available roles within the portal and PowerShell.

What roles do we have in the portal?

Within the portal we have the following roles available

  • Global administrator
  • Billing administrator
  • Exchange administrator
  • Password administrator
  • Skype for Business administrator
  • Service administrator
  • SharePoint administrator
  • User management administrator

Microsoft did a great job outlining what each of these roles can do. https://support.office.com/en-US/client/results?Shownav=true&lcid=1033&ns=O365ENTADMIN&version=15&omkt=en-US&ver=15&HelpID=O365E_AssignAdminRoles and scroll down to “Choose which Office 365 admin role to delegate”

What roles do we have in PowerShell?

The above roles are the basic roles that you can set thru the UI. But when we go to PowerShell we see a lot more roles (Get-MsolRole).

In the above image you see all the administrator roles that are available within your tenant even when you do not have an subscription to the application that services the administrator role.
For instance you see the “CRM Service Administrator” or the “Intune Service Administrator”. I do not have an subscription for both of these services.
You also see some old names like “Lync Service Administrator”.

Who has been assigned to these roles?

If you want a quick overview of which user is assigned to what role, you can use the command below.

Get-MsolRole |ForEach-Object {Write-Output $_.Name; Get-MsolRoleMember -RoleObjectId $_.ObjectId}

As you can see in the above image my tenant only has the Company Administrator role assigned to one user and some applications can read my Azure Active Directory.

I hope this gave you some insight in the available administrative roles and option within Office 365.

Leave a Reply

%d bloggers like this: