Understand What Accounts Hold Administrative Roles
Office 365 Notification MC183135 (Roadmap item 52624) informs us about a new Roles page added to the modern (opt-in) Office 365 Admin Center. Tenants often have difficulty tracking exactly what account holds what administrative role, and the new page is designed to help. The change is now rolling out across Office 365.
A Mixture of Roles
The roles listed in the Office 365 Admin Center are each given a category:
- Billing: Users who deal with billing and license allocation.
- Collaboration: The three roles assigned for Teams, Skype for Business Online admin, SharePoint Online admin, and so on.
- Devices: Cloud device admin and Desktop Analytics admin.
- Global: Global tenant administrators.
- Identity: Roles like Privileged role admin and User admin.
- Mailflow: Exchange admin.
- Read-only: Roles like Reports reader and Message Center reader.
- Security and Compliance: Roles defined for use with the Security and Compliance Center, like Compliance admin and Azure Information Protection admin.
Some, but not all, of the roles align with the roles defined in Azure Active Directory that you can see with the Get-AzureADDirectoryRole cmdlet.
    Get-AzureADDirectoryRole | Sort DisplayName | Format-Table DisplayName, Description

    Billing Administrator                 Can perform common billing related tasks like updating ...
    Company Administrator                 Can manage all aspects of Azure AD and Microsoft servic...
    Compliance Administrator              Can read and manage compliance configuration and report...
    Customer LockBox Access Approver      Can approve Microsoft support requests to access custom...
    Device Administrators                 Device Administrators
    Directory Readers                     Can read basic directory information. For granting acce...
    Directory Writers                     Can read and write basic directory information. For gra...
    Exchange Service Administrator        Can manage all aspects of the Exchange product.
    Helpdesk Administrator                Can reset passwords for non-administrators and Helpdesk...
    License Administrator                 Can manage product licenses on users and groups.
    Lync Service Administrator            Can manage all aspects of the Skype for Business product.
    Message Center Reader                 Can read messages and updates for their organization in...
    Power BI Service Administrator        Can manage all aspects of the Power BI product.
    Reports Reader                        Can read sign-in and audit reports.
    Security Reader                       Can read security information and reports in Azure AD a...
    Service Support Administrator         Can read service health information and manage support ...
    SharePoint Service Administrator      Can manage all aspects of the SharePoint service.
    Teams Communications Administrator    Can manage calling and meetings features within the Mic...
    Teams Communications Support Engineer Can troubleshoot communications issues within Teams usi...
    Teams Service Administrator           Can manage the Microsoft Teams service.
    User Account Administrator            Can manage all aspects of users and groups, including r...
After you select a role, you see a page with three tabs:
- The General tab gives some information about the purpose of the role and what holders of the role can do. It also tells you how many accounts currently hold the role.
- The Assigned Admins tab reveals the accounts that hold the role. You can remove accounts from the role or add new accounts to the role.
- The Permissions tab tells you the permissions held by the role. For example, the Report reader role has permissions to read all properties on audit logs in Azure Active Directory and Office 365 usage reports.
You can also export the complete set of admin role assignments to a CSV file and edit them with Excel (Figure 2) or even import the data into Power BI.
Adding the Roles page to the Admin Center will help tenants manage roles better because it makes the holders of privileged roles more visible. It’s also easier to remove roles from people who no longer need to hold a role, which should reduce the number of privileged accounts within a tenant. It’s a good change.
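The same visibility is available from PowerShell for the roles that exist in Azure Active Directory. The script below is an added example, not part of the original article: it lists every holder of each directory role, writes the result to a CSV file, and flags accounts that hold more than one role. It assumes the AzureAD module with an existing Connect-AzureAD session; the output path and variable names are illustrative.

```powershell
# Added example. Requires the AzureAD module and a session created with Connect-AzureAD.
# The output path is an assumption; change it to suit your environment.
$OutputFile = 'C:\Temp\AdminRoleAssignments.csv'

# Get-AzureADDirectoryRole returns only the roles that have been activated in the tenant.
$Report = foreach ($Role in (Get-AzureADDirectoryRole | Sort-Object DisplayName)) {
    # Role members can be user accounts or service principals.
    foreach ($Member in (Get-AzureADDirectoryRoleMember -ObjectId $Role.ObjectId)) {
        [PSCustomObject]@{
            Role        = $Role.DisplayName
            DisplayName = $Member.DisplayName
            Account     = $Member.UserPrincipalName   # empty for service principals
            ObjectType  = $Member.ObjectType
            ObjectId    = $Member.ObjectId
        }
    }
}

# One row per role assignment, ready for Excel or Power BI.
$Report | Export-Csv -Path $OutputFile -NoTypeInformation -Encoding UTF8

# Number of holders per role, largest first.
$Report | Group-Object Role | Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# Accounts holding more than one role: candidates for a least-privilege review.
$Report | Group-Object ObjectId | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    [PSCustomObject]@{
        DisplayName = $_.Group[0].DisplayName
        Account     = $_.Group[0].UserPrincipalName
        Roles       = ($_.Group.Role | Sort-Object) -join '; '
    }
} | Format-Table -AutoSize -Wrap

# Company Administrator is the directory name for the Global administrator role.
$GlobalAdmins = @($Report | Where-Object { $_.Role -eq 'Company Administrator' })
Write-Host ("Accounts holding Company Administrator: {0}" -f $GlobalAdmins.Count)
```

Roles that appear only in the Admin Center and not in Azure Active Directory are not covered by this report.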