On a Roll with Roles
July 15, 2017
Once upon a time in a far, far away land called Microsoft Online there was only 1 level of admin rights on a tenant: Global Admin. If you wanted to delegate Exchange admin rights you had to also grant full access to SharePoint, Azure AD, Licensing, Lync, etc. This caused great strife in the Microsoft kingdom, and one fateful day Microsoft announced management roles. Below are the various roles Microsoft offers as of today and a brief description of the rights each role grants. You can go straight to the horse’s mouth for further details.
Global admin: Has full admin access to all aspects of the tenant including but not limited to licensing, credentials, Exchange Online, SharePoint, Lync *cough* Skype for Business, etc.
Billing administrator: Can log in to the admin portal to view invoices, change billing instruments, check for service alerts and manage support cases.
Password administrator: Can log in to the admin portal, reset a user’s password, and check service health alerts.
Service administrator: Can only log in to admin portal to view service health and manage support tickets.
User management administrator: Grants ability to log in to the admin portal to check service health, manage user accounts (create new accounts, license, rename, etc.), and reset passwords for users as long as the user does not have an assigned role.
Exchange administrator: Grants ability to manage Exchange Online; if it’s a menu found in https://outlook.office365.com/ecp then odds are the Exchange Admin role controls it.
SharePoint administrator: Grants ability to manage SharePoint Online, which includes OneDrive. Abilities include creating site collections, changing resource allocation, assigning site collection admins, etc. By default this role doesn’t directly grant full rights to every site collection, but it does grant the ability for the administrator to make themselves the owner of any site collection.
Skype for Business administrator: There are not many options in the Skype for Business control panel but this role grants the ability to control what little is there. This includes federating with external domains and conference settings.
So there you have it, the starting lineup for the Office 365 management team. One problem: you can’t assign these roles in the GUI. In 95% of the tenants I’ve seen, here is what the role assignment page shows. Note the lack of the roles listed above or the ability to grant multiple roles.
To get a list of role names, execute the following command. Microsoft often makes changes to Office 365, and more roles may appear through this command long before any KB articles are posted or the GUI is updated.
This will spit out the output pictured below.
Assigning a role to a user is as simple as the command below, just substitute in the desired role name and username.
Add-MsolRoleMember -RoleName 'Exchange Service Administrator' -RoleMemberEmailAddress 'firstname.lastname@example.org'
You can repeat this command as often as you’d like to stack multiple roles on a single member, something the GUI cannot do as of today.
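The procedure above (list the role names, add the member, repeat to stack roles) as one added example, not code from the original post: it builds a who-holds-which-role report for the whole tenant before stacking two roles on one account and verifying the result. It assumes an existing Connect-MsolService session; the user principal name is a constructed placeholder, and the "SharePoint Service Administrator" role name is taken from the MSOnline module's own role list rather than from the post.

```powershell
# Added example (not from the original post). Requires the MSOnline module
# and an existing Connect-MsolService session.
Import-Module MSOnline

$targetUser = 'firstname.lastname@example.org'   # constructed placeholder UPN

# 1. Discover every role name the tenant currently exposes. New roles show
#    up here before the portal or the KB articles catch up.
$roles = Get-MsolRole | Sort-Object Name
$roles | Select-Object Name, Description | Format-Table -AutoSize

# 2. Membership report: one row per (role, member). -All avoids the default
#    result cap on MSOnline list cmdlets, so large tenants are not truncated.
$report = foreach ($role in $roles) {
    Get-MsolRoleMember -RoleObjectId $role.ObjectId -All | ForEach-Object {
        [pscustomobject]@{
            Role       = $role.Name
            Member     = $_.EmailAddress
            MemberType = $_.RoleMemberType
        }
    }
}
$report | Export-Csv -Path .\o365-role-members.csv -NoTypeInformation

# Quick risk view: how many accounts hold each role. 'Company Administrator'
# is the Global Admin role and is the count worth keeping smallest.
$report | Group-Object Role | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize

# 3. Stack roles by repeating Add-MsolRoleMember once per role. Skipping roles
#    the account already holds keeps the script safe to re-run.
$toGrant = 'Exchange Service Administrator', 'SharePoint Service Administrator'
foreach ($roleName in $toGrant) {
    $held = $report | Where-Object { $_.Role -eq $roleName -and $_.Member -eq $targetUser }
    if (-not $held) {
        Add-MsolRoleMember -RoleName $roleName -RoleMemberEmailAddress $targetUser
    }
}

# 4. Verify: every role the account now holds, read back from the directory
#    rather than trusted from the commands above.
$roles | Where-Object {
    Get-MsolRoleMember -RoleObjectId $_.ObjectId -All |
        Where-Object { $_.EmailAddress -eq $targetUser }
} | Select-Object -ExpandProperty Name
```

Run step 2 on its own on a schedule and diff the CSV between runs; a role membership that appears without a matching change request is the event worth investigating.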