New Roles Page in Office 365 Admin Center

Understand What Accounts Hold Administrative Roles

Figure 1: Viewing the holders of the Teams Admin role

Office 365 Notification MC183135 (Roadmap item 52624) informs us about a new Roles page added to the modern (opt-in) Office 365 Admin Center. Tenants often have difficulty tracking exactly what account holds what administrative role, and the new page is designed to help. The change is now rolling out across Office 365.

A Mixture of Roles

The roles listed in the Office 365 Admin Center are each given a category:

  • Billing: Users who deal with billing and license allocation.
  • Collaboration: The three roles assigned for Teams, Skype for Business Online admin, SharePoint Online admin, and so on.
  • Devices: Cloud device admin and Desktop Analytics admin.
  • Global: Global tenant administrators.
  • Identity: Roles like Privileged role admin and User admin.
  • Mailflow: Exchange admin.
  • Read-only: Roles like Reports reader and Message Center reader.
  • Security and Compliance: Roles defined for use with the Security and Compliance Center, like Compliance admin and Azure Information Protection admin.

Some, but not all, of the roles align with the roles defined in Azure Active Directory that you can see with the Get-AzureADDirectoryRole cmdlet.

Get-AzureADDirectoryRole | Sort DisplayName | Format-Table DisplayName, Description

DisplayName                           Description
-----------                           -----------
Billing Administrator                 Can perform common billing related tasks like updating ...
Company Administrator                 Can manage all aspects of Azure AD and Microsoft servic...
Compliance Administrator              Can read and manage compliance configuration and report...
Customer LockBox Access Approver      Can approve Microsoft support requests to access custom...
Device Administrators                 Device Administrators
Directory Readers                     Can read basic directory information. For granting acce...
Directory Writers                     Can read and write basic directory information. For gra...
Exchange Service Administrator        Can manage all aspects of the Exchange product.
Helpdesk Administrator                Can reset passwords for non-administrators and Helpdesk...
License Administrator                 Can manage product licenses on users and groups.
Lync Service Administrator            Can manage all aspects of the Skype for Business product.
Message Center Reader                 Can read messages and updates for their organization in...
Power BI Service Administrator        Can manage all aspects of the Power BI product.
Reports Reader                        Can read sign-in and audit reports.
Security Reader                       Can read security information and reports in Azure AD a...
Service Support Administrator         Can read service health information and manage support ...
SharePoint Service Administrator      Can manage all aspects of the SharePoint service.
Teams Communications Administrator    Can manage calling and meetings features within the Mic...
Teams Communications Support Engineer Can troubleshoot communications issues within Teams usi...
Teams Service Administrator           Can manage the Microsoft Teams service.
User Account Administrator            Can manage all aspects of users and groups, including r...

Managing Roles

After you select a role, you see a page with three tabs:

  • The General tab gives some information about the purpose of the role and what holders of the role can do. It also tells you how many accounts currently hold the role.
  • The Assigned Admins tab reveals the accounts that hold the role. You can remove accounts from the role or add new accounts to the role.
  • The Permissions tab tells you the permissions held by the role. For example, the Reports reader role has permissions to read all properties on audit logs in Azure Active Directory and Office 365 usage reports.

You can also export the complete set of admin role assignments to a CSV file and edit them with Excel (Figure 2) or even import the data into Power BI.

Figure 2: Viewing Office 365 role assignments in Excel
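
A comparable report of role holders can be built from the Azure AD side by combining Get-AzureADDirectoryRole (shown earlier) with Get-AzureADDirectoryRoleMember. This is an added example, not code from the original post; it assumes the AzureAD module with an active Connect-AzureAD session, and the output path and column names are assumptions.

```powershell
# Added example: audit who holds each Azure AD directory role.
# Assumes: AzureAD module loaded and Connect-AzureAD already run.
$OutputFile = "C:\Temp\AdminRoleHolders.csv"   # assumed path, change as needed

$Report = [System.Collections.Generic.List[Object]]::new()

# Only roles already activated in the tenant are returned by this cmdlet
ForEach ($Role in (Get-AzureADDirectoryRole | Sort-Object DisplayName)) {
    # Role members can be user accounts or service principals
    $Members = Get-AzureADDirectoryRoleMember -ObjectId $Role.ObjectId
    ForEach ($Member in $Members) {
        $Report.Add([PSCustomObject]@{
            Role       = $Role.DisplayName
            Holder     = $Member.DisplayName
            UPN        = $Member.UserPrincipalName   # blank for service principals
            ObjectType = $Member.ObjectType
            ObjectId   = $Member.ObjectId
        })
    }
}

# Number of holders per role, largest first
$Report | Group-Object Role | Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# Accounts that hold more than one role (candidates for review)
$Report | Group-Object ObjectId | Where-Object Count -gt 1 | ForEach-Object {
    [PSCustomObject]@{
        Holder = $_.Group[0].Holder
        Roles  = ($_.Group.Role | Sort-Object) -join "; "
    }
} | Format-Table -AutoSize -Wrap

# Write the full assignment list for review in Excel or Power BI
$Report | Export-Csv -Path $OutputFile -NoTypeInformation -Encoding UTF8
```

Running the report on a schedule and comparing successive CSV files gives a simple record of when privileged role membership changes.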

Good Change

Adding the Roles page to the Admin Center will help tenants manage roles better because it makes the holders of privileged roles more visible. It’s also easier to remove roles from people who no longer need to hold a role, which should reduce the number of privileged accounts within a tenant. It’s a good change.

Read lots more about Office 365 Admin in the Office 365 for IT Pros eBook. This update is a classic example of the kind of change that happens in the service all the time. We track these changes and include them in the monthly updates issued for Office 365 for IT Pros.

One Reply to “New Roles Page in Office 365 Admin Center”

  1. Thanks for the update above Tony. Please note that your spreadsheet export has the category of “mailflow” while your bulleted description says the category is “mailbox.” I checked my role page, and mailflow is correct.
