Manage Office 365 Roles membership

Hello, I’am sharing with you how to  manage Roles in Office 365 using PowerShell. It can be helpful for Office 365 administrators. The topics covered in this post are :

  • List all administrative roles of your Office 365 tenant
  • Find a user administrative role
  • List a role members
  • Add members to a role
  • Remove members from a role
  • Export Role member in a csv file

Ready, let’s go now…

First of all, connect to your Office 365 tenant

PS C:\> Connect-MsolService

If you don’t have PowerShell Module for Office 365 installed, follow this link.

List all administrative roles of your Office 365 tenant

PS C:\> Get-MsolRole

ObjectId                               Name                             Description                                                                                                         
--------                               ----                             -----------                                                                                                         
729827e3-9c14-49f7-bb1b-9608f156bbb8   Helpdesk Administrator           Can reset passwords for non-administrators and Helpdesk Administrators.                                             
f023fd81-a637-4b56-95fd-791ac0226033   Service Support Administrator    Can read service health information and manage support tickets.                                                     
b0f54661-2d74-4c50-afa3-1ec803f12efe   Billing Administrator            Can perform common billing related tasks like updating payment information.                                         
4ba39ca4-527c-499a-b93d-d9b492c50246   Partner Tier1 Support            Do not use - not intended for general use.                                                                          
e00e864a-17c5-4a4b-9c06-f5b95a8d5bd8   Partner Tier2 Support            Do not use - not intended for general use.                                                                          
88d8e3e3-8f55-4a1e-953a-9b9898b8876b   Directory Readers                Can read basic directory information. For granting access to applications, not intended for users.                  
29232cdf-9323-42fd-ade2-1d097af3e4de   Exchange Service Administrator   Can manage all aspects of the Exchange product.                                                                     
75941009-915a-4869-abe7-691bff18279e   Lync Service Administrator       Can manage all aspects of the Skype for Business product.                                                           
fe930be7-5e62-47db-91af-98c3a49a38b1   User Account Administrator       Can manage all aspects of users and groups, including resetting passwords for limited admins.                       
9360feb5-f418-4baa-8175-e2a00bac4301   Directory Writers                Can read and write basic directory information. For granting access to applications, not intended for users.        
62e90394-69f5-4237-9190-012177145e10   Company Administrator            Can manage all aspects of Azure AD and Microsoft services that use Azure AD identities.                             
f28a1f50-f6e7-4571-818b-6a12f2af6b6c   SharePoint Service Administrator Can manage all aspects of the SharePoint service.                                                                   
d405c6df-0af8-4e3b-95e4-4d06e542189e   Device Users                     Device Users                                                                                                        
9f06204d-73c1-4d4c-880a-6edb90606fd8   Device Administrators            Device Administrators                                                                                               
9c094953-4995-41c8-84c8-3ebb9b32c93f   Device Join                      Device Join                                                                                                         
c34f683f-4d5a-4403-affd-6615e00e3a7f   Workplace Device Join            Workplace Device Join                                                                                               
17315797-102d-40b4-93e0-432062caca18   Compliance Administrator         Can read and manage compliance configuration and reports in Azure AD and Office 365.                                
d29b2b05-8046-44ba-8758-1e26182fcf32   Directory Synchronization Acc... Only used by Azure AD Connect service.                                                                              
2b499bcd-da44-4968-8aec-78e1674fa64d   Device Managers                  Deprecated - Do Not Use.                                                                                            
9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3   Application Administrator        Can create and manage all aspects of app registrations and enterprise apps.                                         
cf1c38e5-3621-4004-a7cb-879624dced7c   Application Developer            Can create application registrations independent of the 'Users can register applications' setting.                  
5d6b6bb7-de71-4623-b4af-96380a352509   Security Reader                  Can read security information and reports in Azure AD and Office 365.                                               
194ae4cb-b126-40b2-bd5b-6091b380977d   Security Administrator           Security Administrator allows ability to read and manage security configuration and reports.                        
e8611ab8-c189-46e8-94e1-60213ab1f814   Privileged Role Administrator    Can manage role assignments in Azure AD, and all aspects of Privileged Identity Management.                         
3a2c62db-5318-420d-8d74-23affee5d9d5   Intune Service Administrator     Can manage all aspects of the Intune product.                                                                       
158c047a-c907-4556-b7ef-446551a6b5f7   Cloud Application Administrator  Can create and manage all aspects of app registrations and enterprise apps except App Proxy.                        
5c4f9dcd-47dc-4cf7-8c9a-9e4207cbfc91   Customer LockBox Access Approver Can approve Microsoft support requests to access customer organizational data.                                      
44367163-eba1-44c3-98af-f5787879f96a   CRM Service Administrator        Can manage all aspects of the Dynamics 365 product.                                                                 
a9ea8996-122f-4c74-9520-8edcd192826c   Power BI Service Administrator   Can manage all aspects of the Power BI product.                                                                     
95e79109-95c0-4d8e-aee3-d01accf2d47b   Guest Inviter                    Can invite guest users independent of the 'members can invite guests' setting.                                      
b1be1c3e-b65d-4f19-8427-f6fa0d97feb9   Conditional Access Administrator Can manage conditional access capabilities.                                                                         
4a5d8f65-41da-4de4-8968-e035b65339cf   Reports Reader                   Can read sign-in and audit reports.                                                                                 
790c1fb9-7f7d-4f88-86a1-ef1f95c05c1b   Message Center Reader            Can read messages and updates for their organization in Office 365 Message Center only.                             
7495fdc4-34c4-4d15-a289-98788ce399fd   Information Protection Admini... Can manage all aspects of the Azure Information Protection product.                                                 
4d6ac14f-3453-41d0-bef9-a3e0c569773a   License Administrator            Can manage product licenses on users and groups.                                                                    
7698a772-787b-4ac8-901f-60d6b08affd2   Cloud Device Administrator       Full access to manage devices in Azure AD.                                                                          
10dae51f-b6af-4016-8d66-8c2a99b929b3   Guest User                       Default role for guest users. Can read a limited set of directory information.

Find a user administrative role

PS C:\> Get-MsolUserRole -UserPrincipalName user1@mydomain.com

ObjectId                               Name                             Description                                                                                                         
--------                               ----                             -----------                                                                                                         
62e90394-69f5-4237-9190-012177145e10   Company Administrator            Can manage all aspects of Azure AD and Microsoft services that use Azure AD identities.

List a role members

Get the role objectId

PS C:\> $role = Get-MsolRole -RoleName "User account Administrator"
PS C:\> $role.ObjectId 
Guid                                
----                                
fe930be7-5e62-47db-91af-98c3a49a38b1

Get role members

PS C:\> Get-MsolRoleMember -RoleObjectId $role.ObjectId

RoleMemberType EmailAddress                   DisplayName                        isLicensed
-------------- ------------                   -----------                        ----------
User           user2@mydomain.com             user2                      	 True      
User           user3@mydomain.com             user3                    		 True      
User           user4@mydomain.com             user4                    		 False

Add member to a role

PS C:\> Add-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberEmailAddress user5@mydomain.com

Remove member from a Role

PS C:\> Remove-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberEmailAddress user3@mydomain.com

Check member removal

PS C:\> Get-MsolRoleMember -RoleObjectId $role.ObjectId

RoleMemberType EmailAddress                   DisplayName                        isLicensed
-------------- ------------                   -----------                        ----------
User           user2@mydomain.com             user2                      	 True      
User           user4@mydomain.com             user4                    		 False      
User           user5@mydomain.com             user5                   		 False

To export Role member in a csv file, use the below command

PS C:\> Get-MsolRoleMember -RoleObjectId $role.ObjectId | Export-Csv -Path C:\MyRoleMembers.csv -Encoding UTF8 -Delimiter ";"

Voilà 🙂