Sadly, there is still (not yet) an easy graphical way of listing who in your organization is enjoying administrator roles in Office 365, but there is a way using PowerShell. I had my hopes up when we received an Azure AD Content package for PowerBI, but not yet, so I asked for it and it has been added to a backlog atleast.
Step 1 – We are using the Azure AD PowerShell module, which stores all the built-in roles for our tenant, even if they are invisible to our graphical interfaces. First we need to catch the role with this kind of command:
$AdminRole = Get-MsolRole -RoleName "Company Administrator"
Company Administrator is equal to Global Administrator, but if your looking for any other built-in role, change the RoleName to SharePoint Service Administrator, Exchange Service Administrator, Compliance Administrator, Lync Service Administrator, Billing Administrator, User Account Administrator, Service Support Administrator, etc.
See the full list and description of the roles here: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-assign-admin-roles
Step 2 – Use the Role Object ID to get the members of that role.
Get-MsolRoleMember -RoleObjectId $AdminRole.ObjectId
This should create an output of all Global/Company Administrators like this:
If you would like to export the results, add export to CSV:
Get-MsolRoleMember -RoleObjectId $AdminRole.ObjectId | Export-Csv C:\temp\adminroles.csv
Also, remember this is available to every user in your Azure AD tenant, so feel free to connect using PowerShell and see if your own organization isn’t giving away administrator roles to a very large amount of users.
In case, I would suggest looking into Azure AD Privileged Identity Management, an Azure AD Premium P2/EMS E5 feature. Giving temporary privileged access upon approval. Which also gives a graphical list of Azure AD administrators, but it unnecessary to pay for Azure AD Premium P2 to only list out built-in role members.
Leave a Reply
You must be logged in to post a comment.