Upcoming Webinar
Cayosoft Shows How Forest Recovery Tech Addresses Survey Issues
Join this webinar and not only learn about what your peers are doing, but also learn about a new patent-pending modern approach to AD forest recovery from Cayosoft.
New episode!
The Scoop on Loop: The Latest Innovations Directly From Microsoft!
Darrell Webster speaks to Rebecca Keys, a Program Manager from the Microsoft Loop team.
Turn Data Protection into an MRR Growth Engine
Security for your customers, revenue for your MSP practice. Access key insights on how to scale your practice with SkyKick’s new eGuide.
MSP eGuide to Package, Sell and Deliver M365 Security Services
Based on input from our top-performing MSPs, SkyKick prepared the MSP Guide to help you navigate the security landscape.

Microsoft Releases Teams Administrative Roles

Teams Roles Now Available

In a surprise move because we expect Microsoft to keep all announcements until the Ignite conference rolls around next week, Microsoft released four new administrative roles to help Office 365 tenants to manage Teams more effectively, especially when the complexity of the Teams infrastructure for video and audio meetings and calling scales up.

Four New Roles

This move is to help organizations move from Skype for Business Online to Teams. Office 365 tenant administrators already have the necessary rights to manage Teams through the Teams and Skype for Business Admin Center or PowerShell. In small tenants, it’s likely that the tenant administrator will manage Teams along with all the other workloads. However, if you run a larger tenant, you can assign the new administrative roles to users to allow them to perform specific management actions for Teams. The new roles are:

Teams Service Administrator: This role can perform every action available in the Teams and Skype for Business Admin Center. Anyone assigned the role can also run the equivalent PowerShell cmdlets.
Teams Communications Administrator: Anyone assigned this role can manage the meetings and voice settings for Teams, including the ability to troubleshoot call quality problems. This role is typically given to those responsible for managing the video and audio meeting infrastructure for a tenant, something that often needs specialized knowledge and experience that might not be possessed by the average Office 365 tenant admin.
Teams Communications Support Engineer: This role is intended for people who use Call Analytics to monitor and address issues in call quality. People with this role access user information to see call data, but they have no access to policies, org-wide settings, or meeting configuration.
Teams Communications Support Specialist: This role allows a specialist to perform basic troubleshooting for calls for a specific user and is intended for first-level support staff.

The four roles might appear to complicate administration. However, the full set is designed to accommodate the needs of the most complex Office 365 tenants and you do not have to use any of these roles if you don’t see the need. Documentation explaining the details of what each role can do is available online.

Assignment Through Azure Active Directory

Unlike other Office 365 custom roles, the Teams roles do not yet appear in the Office 365 Admin Center. This is probably just a timing issue and I expect Microsoft will close this gap soon. For now, to assign a Teams administrative role, go to the Azure Active Directory portal, select the target user, then Directory role, and then pick the role or roles you want to assign (Figure 1).

Teams Admin Role — Figure 1: Assigning a Teams administrative role (image credit: Tony Redmond)

Checking with PowerShell

Behind the scenes, Azure Active Directory adds the user to a directory role group. To see details of the role groups in your tenant, connect to PowerShell with the Azure Active Directory module and run:

Get-AzureADDirectoryRole | Sort DisplayName | Format-Table DisplayName, ObjectId

DisplayName                        ObjectId
-----------                        --------
Billing Administrator              07308ce7-381b-4fb1-b31e-398b8a66c946
Company Administrator              36333bfe-4ff2-452a-a4a0-d11a668b44c7
Compliance Administrator           88b6939a-ef4b-4e8e-9aba-00f4f8447e66
Customer LockBox Access Approver   1402c923-f478-4a9c-82b1-0511726c43bd
Device Administrators              268030c9-556f-47a6-a167-5970cb734558
Directory Readers                  387f95ae-e47f-4156-b5d3-2d9150fdea7e
Directory Writers                  c7ba418f-9d1e-4bd2-b770-dba1cbc2c336
Exchange Service Administrator     53add08e-5b0c-4276-a582-9ce02fb6c947
Helpdesk Administrator             7ae4b349-1f17-429c-8795-dcc56096c0c7
Lync Service Administrator         432e4ce3-ed50-4406-aeb6-1794283ad211
Power BI Service Administrator     64503181-13d0-4ef6-8ee2-a08a7b690168
Reports Reader                     4e0cabe2-fe25-49e1-8538-61a8b8422517
Service Support Administrator      57122a2b-cd95-4370-a84b-4e90ec8e722a
SharePoint Service Administrator   f35c2f36-b60d-4b17-b261-0de8af7da552
Teams Communications Administrator 8d50de14-19b3-4578-b588-6a3c8929d766
Teams Service Administrator        4c962061-2581-417f-938a-7cc1b38fc2a2
User Account Administrator         0f3a91cd-4fdd-436e-97ed-f2a01b19bfe2

Many of these role groups are familiar because they underpin the custom administrative roles assigned in the Office 365 Admin Center.
Notice that only two of the four Teams administrative roles are present. This is because Azure Active Directory only creates the role the first time someone is assigned it.
To see who holds a certain role, use the Get-AzureADDirectoryRoleMember cmdlet and pass the object identifier of the role. For example.

Get-AzureADDirectoryRoleMember -ObjectId  4c962061-2581-417f-938a-7cc1b38fc2a2

ObjectId                             DisplayName UserPrincipalName              UserType
--------                             ----------- -----------------              --------
cad05ccf-a359-4ac7-89e0-1e33bf37579e James Ryan  [email protected] Member

If you want to see the cmdlets assigned to a role, run PowerShell and log in as someone holding the role you want to examine. Connect to the Skype for Business PowerShell module and create a new session. PowerShell gives the session a name and you can run the Get-Command cmdlet to see the list of cmdlets available in the session.

Import-Module SkypeOnlineConnector
$userCredential = Get-Credential
$sfbSession = New-CsOnlineSession -Credential $userCredential
Import-PSSession $sfbSession

ModuleType Version    Name                                ExportedCommands
---------- -------    ----                                ----------------
Script     1.0        tmp_b045gmiy.trd                    {Clear-CsOnlineTelephon...}

Get-Command -Module tmp_b045gmiy.trd

Maturing Teams

Custom administrative roles are not a new concept, but it’s nice to see them arriving for Teams as it marks an increasing maturity in the administrative processes surrounding the product. The next thing you know, we’ll get an enhanced PowerShell module for Teams…

Follow Tony on Twitter @12Knocksinna.

Want to know more about how to manage Office 365? Find what you need to know in “Office 365 for IT Pros”, the most comprehensive eBook covering all aspects of Office 365. Available in PDF and EPUB formats (suitable for iBooks) or for Amazon Kindle.

by Tony Redmond
Sep 20, 2018

Tony Redmond has written thousands of articles about Microsoft technology since 1996. He covers Office 365 and associated technologies for Petri.com and is also the lead author for the Office 365 for IT Pros eBook, updated monthly to keep pace with c...

GET-IT: Submit Your Questions for Microsoft Teams Product Manager Anupam Pattnaik

Nov 16, 2023
Microsoft Will Make Teams 2.0 the Default Client Later This Year

May 30, 2023
How to Grant Full Mailbox Access to Users in Office 365 and Exchange Server

Aug 4, 2023
Aug 08, 2023

Take our survey

PETRI NEWSLETTERS

Join Petri Insider

Create a free account today to participate in forum conversations, comment on posts and more.