Understand What Accounts Hold Administrative Roles
Figure 1: Viewing the holders of the Teams Admin role
Office 365 Notification MC183135 (Roadmap item 52624) informs us about a new Roles page added to the modern (opt-in) Office 365 Admin Center. Tenants often have difficulty tracking exactly what account holds what administrative role, and the new page is designed to help. The change is now rolling out across Office 365.
A Mixture of Roles
The roles listed in the Office 365 Admin Center are each given a category:
Billing: Users who deal with billing and license allocation.
Devices: Cloud device admin and Desktop Analytics admin.
Global: Global tenant administrators.
Identity: Roles like Privileged role admin and User admin.
Mailflow: Exchange admin.
Read-only: Roles like Reports reader and Message Center reader.
Security and Compliance: Roles defined for use with the Security and Compliance Center, like Compliance admin and Azure Information Protection admin.
Some, but not all, of the roles align with the roles defined in Azure Active Directory that you can see with the Get-AzureADDirectoryRole cmdlet.
Get-AzureADDirectoryRole | Sort DisplayName | Format-Table DisplayName, Description
DisplayName Description
----------- -----------
Billing Administrator Can perform common billing related tasks like updating ...
Company Administrator Can manage all aspects of Azure AD and Microsoft servic...
Compliance Administrator Can read and manage compliance configuration and report...
Customer LockBox Access Approver Can approve Microsoft support requests to access custom...
Device Administrators Device Administrators
Directory Readers Can read basic directory information. For granting acce...
Directory Writers Can read and write basic directory information. For gra...
Exchange Service Administrator Can manage all aspects of the Exchange product.
Helpdesk Administrator Can reset passwords for non-administrators and Helpdesk...
License Administrator Can manage product licenses on users and groups.
Lync Service Administrator Can manage all aspects of the Skype for Business product.
Message Center Reader Can read messages and updates for their organization in...
Power BI Service Administrator Can manage all aspects of the Power BI product.
Reports Reader Can read sign-in and audit reports.
Security Reader Can read security information and reports in Azure AD a...
Service Support Administrator Can read service health information and manage support ...
SharePoint Service Administrator Can manage all aspects of the SharePoint service.
Teams Communications Administrator Can manage calling and meetings features within the Mic...
Teams Communications Support Engineer Can troubleshoot communications issues within Teams usi...
Teams Service Administrator Can manage the Microsoft Teams service.
User Account Administrator Can manage all aspects of users and groups, including r...
Managing Roles
After you select a role, you see a page with three tabs:
The General tab gives some information about the purpose of the role and what holders of the role can do. It also tells you how many accounts currently hold the role.
The Assigned Admins tab reveals the accounts that hold the role. You can remove accounts from the role or add new accounts to the role.
The Permissions tab tells you the permissions held by the role. For example, the Report reader role has permissions to read all properties on audit logs in Azure Active Directory and Office 365 usage reports.
You can also export the complete set of admin role assignments to a CSV file and edit them with Excel (Figure 2) or even import the data into Power BI.
Figure 2: Viewing Office 365 role assignments in Excel
Good Change
Adding the Roles page to the Admin Center will help tenants manage roles better because it makes the holders of privileged roles more visible. It’s also easier to remove roles from people who no longer need to hold a role, which should reduce the number of privileged accounts within a tenant. It’s a good change.
Read lots more about Office 365 Admin in the Office 365 for IT Pros eBook. This update is a classic example of the kind of change that happens in the service all the time. We track these changes and include them in the monthly updates issued for Office 365 for IT Pros.
One Reply to “New Roles Page in Office 365 Admin Center”
Thanks for the update above Tony. Please note that your spreadsheet export has the category of “mailflow” while your bulleted description says the category is “mailbox.” I checked my role page, and mailflow is correct.
{"id":null,"mode":"button","open_style":"in_modal","currency_code":"EUR","currency_symbol":"\u20ac","currency_type":"decimal","blank_flag_url":"https:\/\/office365itpros.com\/wp-content\/plugins\/tip-jar-wp\/\/assets\/images\/flags\/blank.gif","flag_sprite_url":"https:\/\/office365itpros.com\/wp-content\/plugins\/tip-jar-wp\/\/assets\/images\/flags\/flags.png","default_amount":100,"top_media_type":"featured_image","featured_image_url":"https:\/\/office365itpros.com\/wp-content\/uploads\/2022\/11\/cover-141x200.jpg","featured_embed":"","header_media":null,"file_download_attachment_data":null,"recurring_options_enabled":true,"recurring_options":{"never":{"selected":true,"after_output":"One time only"},"weekly":{"selected":false,"after_output":"Every week"},"monthly":{"selected":false,"after_output":"Every month"},"yearly":{"selected":false,"after_output":"Every year"}},"strings":{"current_user_email":"","current_user_name":"","link_text":"Virtual Tip Jar","complete_payment_button_error_text":"Check info and try again","payment_verb":"Pay","payment_request_label":"Office 365 for IT Pros","form_has_an_error":"Please check and fix the errors above","general_server_error":"Something isn't working right at the moment. Please try again.","form_title":"Office 365 for IT Pros","form_subtitle":null,"currency_search_text":"Country or Currency here","other_payment_option":"Other payment option","manage_payments_button_text":"Manage your payments","thank_you_message":"Thank you for supporting the work of Office 365 for IT Pros!","payment_confirmation_title":"Office 365 for IT Pros","receipt_title":"Your Receipt","print_receipt":"Print Receipt","email_receipt":"Email Receipt","email_receipt_sending":"Sending receipt...","email_receipt_success":"Email receipt successfully sent","email_receipt_failed":"Email receipt failed to send. Please try again.","receipt_payee":"Paid to","receipt_statement_descriptor":"This will show up on your statement as","receipt_date":"Date","receipt_transaction_id":"Transaction ID","receipt_transaction_amount":"Amount","refund_payer":"Refund from","login":"Log in to manage your payments","manage_payments":"Manage Payments","transactions_title":"Your Transactions","transaction_title":"Transaction Receipt","transaction_period":"Plan Period","arrangements_title":"Your Plans","arrangement_title":"Manage Plan","arrangement_details":"Plan Details","arrangement_id_title":"Plan ID","arrangement_payment_method_title":"Payment Method","arrangement_amount_title":"Plan Amount","arrangement_renewal_title":"Next renewal date","arrangement_action_cancel":"Cancel Plan","arrangement_action_cant_cancel":"Cancelling is currently not available.","arrangement_action_cancel_double":"Are you sure you'd like to cancel?","arrangement_cancelling":"Cancelling Plan...","arrangement_cancelled":"Plan Cancelled","arrangement_failed_to_cancel":"Failed to cancel plan","back_to_plans":"\u2190 Back to Plans","update_payment_method_verb":"Update","sca_auth_description":"Your have a pending renewal payment which requires authorization.","sca_auth_verb":"Authorize renewal payment","sca_authing_verb":"Authorizing payment","sca_authed_verb":"Payment successfully authorized!","sca_auth_failed":"Unable to authorize! Please try again.","login_button_text":"Log in","login_form_has_an_error":"Please check and fix the errors above","uppercase_search":"Search","lowercase_search":"search","uppercase_page":"Page","lowercase_page":"page","uppercase_items":"Items","lowercase_items":"items","uppercase_per":"Per","lowercase_per":"per","uppercase_of":"Of","lowercase_of":"of","back":"Back to plans","zip_code_placeholder":"Zip\/Postal Code","download_file_button_text":"Download File","input_field_instructions":{"tip_amount":{"placeholder_text":"How much would you like to tip?","initial":{"instruction_type":"normal","instruction_message":"How much would you like to tip? Choose any currency."},"empty":{"instruction_type":"error","instruction_message":"How much would you like to tip? Choose any currency."},"invalid_curency":{"instruction_type":"error","instruction_message":"Please choose a valid currency."}},"recurring":{"placeholder_text":"Recurring","initial":{"instruction_type":"normal","instruction_message":"How often would you like to give this?"},"success":{"instruction_type":"success","instruction_message":"How often would you like to give this?"},"empty":{"instruction_type":"error","instruction_message":"How often would you like to give this?"}},"name":{"placeholder_text":"Name on Credit Card","initial":{"instruction_type":"normal","instruction_message":"Enter the name on your card."},"success":{"instruction_type":"success","instruction_message":"Enter the name on your card."},"empty":{"instruction_type":"error","instruction_message":"Please enter the name on your card."}},"privacy_policy":{"terms_title":"Terms and conditions","terms_body":null,"terms_show_text":"View Terms","terms_hide_text":"Hide Terms","initial":{"instruction_type":"normal","instruction_message":"I agree to the terms."},"unchecked":{"instruction_type":"error","instruction_message":"Please agree to the terms."},"checked":{"instruction_type":"success","instruction_message":"I agree to the terms."}},"email":{"placeholder_text":"Your email address","initial":{"instruction_type":"normal","instruction_message":"Enter your email address"},"success":{"instruction_type":"success","instruction_message":"Enter your email address"},"blank":{"instruction_type":"error","instruction_message":"Enter your email address"},"not_an_email_address":{"instruction_type":"error","instruction_message":"Make sure you have entered a valid email address"}},"note_with_tip":{"placeholder_text":"Your note here...","initial":{"instruction_type":"normal","instruction_message":"Attach a note to your tip (optional)"},"empty":{"instruction_type":"normal","instruction_message":"Attach a note to your tip (optional)"},"not_empty_initial":{"instruction_type":"normal","instruction_message":"Attach a note to your tip (optional)"},"saving":{"instruction_type":"normal","instruction_message":"Saving note..."},"success":{"instruction_type":"success","instruction_message":"Note successfully saved!"},"error":{"instruction_type":"error","instruction_message":"Unable to save note note at this time. Please try again."}},"email_for_login_code":{"placeholder_text":"Your email address","initial":{"instruction_type":"normal","instruction_message":"Enter your email to log in."},"success":{"instruction_type":"success","instruction_message":"Enter your email to log in."},"blank":{"instruction_type":"error","instruction_message":"Enter your email to log in."},"empty":{"instruction_type":"error","instruction_message":"Enter your email to log in."}},"login_code":{"initial":{"instruction_type":"normal","instruction_message":"Check your email and enter the login code."},"success":{"instruction_type":"success","instruction_message":"Check your email and enter the login code."},"blank":{"instruction_type":"error","instruction_message":"Check your email and enter the login code."},"empty":{"instruction_type":"error","instruction_message":"Check your email and enter the login code."}},"stripe_all_in_one":{"initial":{"instruction_type":"normal","instruction_message":"Enter your credit card details here."},"empty":{"instruction_type":"error","instruction_message":"Enter your credit card details here."},"success":{"instruction_type":"normal","instruction_message":"Enter your credit card details here."},"invalid_number":{"instruction_type":"error","instruction_message":"The card number is not a valid credit card number."},"invalid_expiry_month":{"instruction_type":"error","instruction_message":"The card's expiration month is invalid."},"invalid_expiry_year":{"instruction_type":"error","instruction_message":"The card's expiration year is invalid."},"invalid_cvc":{"instruction_type":"error","instruction_message":"The card's security code is invalid."},"incorrect_number":{"instruction_type":"error","instruction_message":"The card number is incorrect."},"incomplete_number":{"instruction_type":"error","instruction_message":"The card number is incomplete."},"incomplete_cvc":{"instruction_type":"error","instruction_message":"The card's security code is incomplete."},"incomplete_expiry":{"instruction_type":"error","instruction_message":"The card's expiration date is incomplete."},"incomplete_zip":{"instruction_type":"error","instruction_message":"The card's zip code is incomplete."},"expired_card":{"instruction_type":"error","instruction_message":"The card has expired."},"incorrect_cvc":{"instruction_type":"error","instruction_message":"The card's security code is incorrect."},"incorrect_zip":{"instruction_type":"error","instruction_message":"The card's zip code failed validation."},"invalid_expiry_year_past":{"instruction_type":"error","instruction_message":"The card's expiration year is in the past"},"card_declined":{"instruction_type":"error","instruction_message":"The card was declined."},"missing":{"instruction_type":"error","instruction_message":"There is no card on a customer that is being charged."},"processing_error":{"instruction_type":"error","instruction_message":"An error occurred while processing the card."},"invalid_request_error":{"instruction_type":"error","instruction_message":"Unable to process this payment, please try again or use alternative method."},"invalid_sofort_country":{"instruction_type":"error","instruction_message":"The billing country is not accepted by SOFORT. Please try another country."}}}},"fetched_oembed_html":false}
Thanks for the update above Tony. Please note that your spreadsheet export has the category of “mailflow” while your bulleted description says the category is “mailbox.” I checked my role page, and mailflow is correct.