PowerShell Basics: List and Export Admin Roles Assigned to Office 365 Users


One questions I frequently get asked: ”How do I list all the users that have global admin access to my tenant?”

The information is viewable in the Office 365 Admin portal, by filtering the users by role. That way works for some clients, but other need the data to be exported and kept for compliance reasons. I have built a number of scripts for clients to automate the listing and exporting of this information, which the organization’s developer staff have then used to populate webpages. This is done with the Get-MsolRoleMember command in PowerShell.

Office365_PowerShell

Prerequisites:

  1. The Microsoft Online Services Sign-In Assistant 7.0 is a prerequisite for installing the Microsoft Online Services Module for Windows PowerShell.
     
  2. Once you have the Microsoft Online Services Sign-In Assistant 7.0 installed, now you can install the Microsoft Online Services Module for Windows PowerShell.
     
  3. Once you have those two pieces installed, open Windows Azure AD Module for PowerShell as an administrator and enter the following commands:
     
    $cred = Get-Credential
     
    (Enter Credentials)
     
    Connect-MsolService -credential $cred

 
Listing and Exporting Admin Roles: 

  1. Enter the command:
     
    $role = Get-MsolRole -RoleName "Company Administrator"
     
  2. Enter the command:
     
    Get-MsolRoleMember -RoleObjectId $role.ObjectId | Export-CSV c:\directory\filename.csv
     
    This will export all the members of the Company Administrator (Global Admin) group.

If you want to export from the other built-in groups, a list is provided below. You can always view the roles by entering the command Get-MsolRole
 

Name

Description

Compliance Administrator

Compliance administrator.

Exchange Service Administrator

Exchange Service Administrator.

Partner Tier1 Support

Allows ability to perform tier1 support tasks.

Company Administrator

Company Administrator role has full access to perform any operation in the company scope.

Helpdesk Administrator

Helpdesk Administrator has access to perform common helpdesk related tasks.

Lync Service Administrator

Lync Service Administrator.

Directory Readers

Allows access to various read only tasks in the directory.

Directory Writers

Allows access read tasks and a subset of write tasks in the directory.

Device Join

Device Join

Device Administrators

Device Administrators

Billing Administrator

Billing Administrator has access to perform common billing related tasks.

Workplace Device Join

Workplace Device Join

Directory Synchronization Accounts

Directory Synchronization Accounts

Device Users

Device Users

Partner Tier2 Support

Allows ability to perform tier2 support tasks.

Service Support Administrator

Service Support Administrator has access to perform common support tasks.

SharePoint Service Administrator

SharePoint Service Administrator.

User Account Administrator

User Account Administrator has access to perform common user management related tasks.

Comments (0)

Skip to main content