Hello, I'm sharing with you how to manage roles in Office 365 using PowerShell. It can be helpful for Office 365 administrators. The topics covered in this post are:
- List all administrative roles of your Office 365 tenant
- Find a user administrative role
- List the members of a role
- Add members to a role
- Remove members from a role
- Export role members to a CSV file
Ready, let’s go now…
First of all, connect to your Office 365 tenant:
PS C:\> Connect-MsolService
If you don't have the PowerShell module for Office 365 installed, follow this link.
List all administrative roles of your Office 365 tenant
PS C:\> Get-MsolRole
ObjectId Name Description
-------- ---- -----------
729827e3-9c14-49f7-bb1b-9608f156bbb8 Helpdesk Administrator Can reset passwords for non-administrators and Helpdesk Administrators.
f023fd81-a637-4b56-95fd-791ac0226033 Service Support Administrator Can read service health information and manage support tickets.
b0f54661-2d74-4c50-afa3-1ec803f12efe Billing Administrator Can perform common billing related tasks like updating payment information.
4ba39ca4-527c-499a-b93d-d9b492c50246 Partner Tier1 Support Do not use - not intended for general use.
e00e864a-17c5-4a4b-9c06-f5b95a8d5bd8 Partner Tier2 Support Do not use - not intended for general use.
88d8e3e3-8f55-4a1e-953a-9b9898b8876b Directory Readers Can read basic directory information. For granting access to applications, not intended for users.
29232cdf-9323-42fd-ade2-1d097af3e4de Exchange Service Administrator Can manage all aspects of the Exchange product.
75941009-915a-4869-abe7-691bff18279e Lync Service Administrator Can manage all aspects of the Skype for Business product.
fe930be7-5e62-47db-91af-98c3a49a38b1 User Account Administrator Can manage all aspects of users and groups, including resetting passwords for limited admins.
9360feb5-f418-4baa-8175-e2a00bac4301 Directory Writers Can read and write basic directory information. For granting access to applications, not intended for users.
62e90394-69f5-4237-9190-012177145e10 Company Administrator Can manage all aspects of Azure AD and Microsoft services that use Azure AD identities.
f28a1f50-f6e7-4571-818b-6a12f2af6b6c SharePoint Service Administrator Can manage all aspects of the SharePoint service.
d405c6df-0af8-4e3b-95e4-4d06e542189e Device Users Device Users
9f06204d-73c1-4d4c-880a-6edb90606fd8 Device Administrators Device Administrators
9c094953-4995-41c8-84c8-3ebb9b32c93f Device Join Device Join
c34f683f-4d5a-4403-affd-6615e00e3a7f Workplace Device Join Workplace Device Join
17315797-102d-40b4-93e0-432062caca18 Compliance Administrator Can read and manage compliance configuration and reports in Azure AD and Office 365.
d29b2b05-8046-44ba-8758-1e26182fcf32 Directory Synchronization Acc... Only used by Azure AD Connect service.
2b499bcd-da44-4968-8aec-78e1674fa64d Device Managers Deprecated - Do Not Use.
9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3 Application Administrator Can create and manage all aspects of app registrations and enterprise apps.
cf1c38e5-3621-4004-a7cb-879624dced7c Application Developer Can create application registrations independent of the 'Users can register applications' setting.
5d6b6bb7-de71-4623-b4af-96380a352509 Security Reader Can read security information and reports in Azure AD and Office 365.
194ae4cb-b126-40b2-bd5b-6091b380977d Security Administrator Security Administrator allows ability to read and manage security configuration and reports.
e8611ab8-c189-46e8-94e1-60213ab1f814 Privileged Role Administrator Can manage role assignments in Azure AD, and all aspects of Privileged Identity Management.
3a2c62db-5318-420d-8d74-23affee5d9d5 Intune Service Administrator Can manage all aspects of the Intune product.
158c047a-c907-4556-b7ef-446551a6b5f7 Cloud Application Administrator Can create and manage all aspects of app registrations and enterprise apps except App Proxy.
5c4f9dcd-47dc-4cf7-8c9a-9e4207cbfc91 Customer LockBox Access Approver Can approve Microsoft support requests to access customer organizational data.
44367163-eba1-44c3-98af-f5787879f96a CRM Service Administrator Can manage all aspects of the Dynamics 365 product.
a9ea8996-122f-4c74-9520-8edcd192826c Power BI Service Administrator Can manage all aspects of the Power BI product.
95e79109-95c0-4d8e-aee3-d01accf2d47b Guest Inviter Can invite guest users independent of the 'members can invite guests' setting.
b1be1c3e-b65d-4f19-8427-f6fa0d97feb9 Conditional Access Administrator Can manage conditional access capabilities.
4a5d8f65-41da-4de4-8968-e035b65339cf Reports Reader Can read sign-in and audit reports.
790c1fb9-7f7d-4f88-86a1-ef1f95c05c1b Message Center Reader Can read messages and updates for their organization in Office 365 Message Center only.
7495fdc4-34c4-4d15-a289-98788ce399fd Information Protection Admini... Can manage all aspects of the Azure Information Protection product.
4d6ac14f-3453-41d0-bef9-a3e0c569773a License Administrator Can manage product licenses on users and groups.
7698a772-787b-4ac8-901f-60d6b08affd2 Cloud Device Administrator Full access to manage devices in Azure AD.
10dae51f-b6af-4016-8d66-8c2a99b929b3 Guest User Default role for guest users. Can read a limited set of directory information.
Find a user administrative role
PS C:\> Get-MsolUserRole -UserPrincipalName user1@mydomain.com
ObjectId Name Description
-------- ---- -----------
62e90394-69f5-4237-9190-012177145e10 Company Administrator Can manage all aspects of Azure AD and Microsoft services that use Azure AD identities.
List the members of a role
Get the role ObjectId
PS C:\> $role = Get-MsolRole -RoleName "User Account Administrator"
PS C:\> $role.ObjectId
Guid
----
fe930be7-5e62-47db-91af-98c3a49a38b1
Get the role members
PS C:\> Get-MsolRoleMember -RoleObjectId $role.ObjectId
RoleMemberType EmailAddress DisplayName isLicensed
-------------- ------------ ----------- ----------
User user2@mydomain.com user2 True
User user3@mydomain.com user3 True
User user4@mydomain.com user4 False
Add a member to a role
PS C:\> Add-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberEmailAddress user5@mydomain.com
Remove a member from a role
PS C:\> Remove-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberEmailAddress user3@mydomain.com
Check that the member was removed
PS C:\> Get-MsolRoleMember -RoleObjectId $role.ObjectId
RoleMemberType EmailAddress DisplayName isLicensed
-------------- ------------ ----------- ----------
User user2@mydomain.com user2 True
User user4@mydomain.com user4 False
User user5@mydomain.com user5 False
To export the role members to a CSV file, use the command below:
PS C:\> Get-MsolRoleMember -RoleObjectId $role.ObjectId | Export-Csv -Path C:\MyRoleMembers.csv -Encoding UTF8 -Delimiter ";"
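To review every role at once instead of one role at a time, here is an added example (not from the original post) that runs the same cmdlets over all roles returned by Get-MsolRole and writes a single inventory CSV; it assumes Connect-MsolService has already been run, and the $highPrivilegeRoles list and the output path are my own choices.

```powershell
# Added example: inventory all administrative role memberships in the tenant.
# Assumes the MSOnline module is loaded and Connect-MsolService has been run.

# Roles whose membership deserves the closest review (names as shown by Get-MsolRole).
# This list is an assumption for the example; adjust it to your tenant's needs.
$highPrivilegeRoles = @(
    'Company Administrator',
    'Privileged Role Administrator',
    'User Account Administrator',
    'Exchange Service Administrator',
    'SharePoint Service Administrator'
)

# One record per (role, member) pair.
$report = foreach ($role in Get-MsolRole) {
    foreach ($m in Get-MsolRoleMember -RoleObjectId $role.ObjectId) {
        [pscustomobject]@{
            RoleName      = $role.Name
            RoleObjectId  = $role.ObjectId
            MemberType    = $m.RoleMemberType
            EmailAddress  = $m.EmailAddress
            DisplayName   = $m.DisplayName
            IsLicensed    = $m.IsLicensed
            HighPrivilege = ($highPrivilegeRoles -contains $role.Name)
        }
    }
}

# Export the full inventory with the same CSV options the post uses.
$report | Export-Csv -Path C:\RoleMembersInventory.csv -Encoding UTF8 -Delimiter ';' -NoTypeInformation

# Member count per high-privilege role, so an unexpectedly large
# Company Administrator group stands out at a glance.
$report |
    Where-Object { $_.HighPrivilege } |
    Group-Object RoleName |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'Role'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# Non-user members (e.g. service principals) and unlicensed accounts holding
# high-privilege roles are worth confirming against your records.
$report |
    Where-Object { $_.HighPrivilege -and ($_.MemberType -ne 'User' -or -not $_.IsLicensed) } |
    Format-Table RoleName, MemberType, EmailAddress, IsLicensed -AutoSize
```

Run it periodically and diff the CSV against the previous export to spot role membership changes between reviews.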