Last Update: Sep 04, 2024 | Published: Sep 20, 2018
In a surprise move because we expect Microsoft to keep all announcements until the Ignite conference rolls around next week, Microsoft released four new administrative roles to help Office 365 tenants to manage Teams more effectively, especially when the complexity of the Teams infrastructure for video and audio meetings and calling scales up.
This move is to help organizations move from Skype for Business Online to Teams. Office 365 tenant administrators already have the necessary rights to manage Teams through the Teams and Skype for Business Admin Center or PowerShell. In small tenants, it’s likely that the tenant administrator will manage Teams along with all the other workloads. However, if you run a larger tenant, you can assign the new administrative roles to users to allow them to perform specific management actions for Teams. The new roles are:
The four roles might appear to complicate administration. However, the full set is designed to accommodate the needs of the most complex Office 365 tenants and you do not have to use any of these roles if you don’t see the need. Documentation explaining the details of what each role can do is available online.
Unlike other Office 365 custom roles, the Teams roles do not yet appear in the Office 365 Admin Center. This is probably just a timing issue and I expect Microsoft will close this gap soon. For now, to assign a Teams administrative role, go to the Azure Active Directory portal, select the target user, then Directory role, and then pick the role or roles you want to assign (Figure 1).
Behind the scenes, Azure Active Directory adds the user to a directory role group. To see details of the role groups in your tenant, connect to PowerShell with the Azure Active Directory module and run:
Get-AzureADDirectoryRole | Sort DisplayName | Format-Table DisplayName, ObjectId DisplayName ObjectId ----------- -------- Billing Administrator 07308ce7-381b-4fb1-b31e-398b8a66c946 Company Administrator 36333bfe-4ff2-452a-a4a0-d11a668b44c7 Compliance Administrator 88b6939a-ef4b-4e8e-9aba-00f4f8447e66 Customer LockBox Access Approver 1402c923-f478-4a9c-82b1-0511726c43bd Device Administrators 268030c9-556f-47a6-a167-5970cb734558 Directory Readers 387f95ae-e47f-4156-b5d3-2d9150fdea7e Directory Writers c7ba418f-9d1e-4bd2-b770-dba1cbc2c336 Exchange Service Administrator 53add08e-5b0c-4276-a582-9ce02fb6c947 Helpdesk Administrator 7ae4b349-1f17-429c-8795-dcc56096c0c7 Lync Service Administrator 432e4ce3-ed50-4406-aeb6-1794283ad211 Power BI Service Administrator 64503181-13d0-4ef6-8ee2-a08a7b690168 Reports Reader 4e0cabe2-fe25-49e1-8538-61a8b8422517 Service Support Administrator 57122a2b-cd95-4370-a84b-4e90ec8e722a SharePoint Service Administrator f35c2f36-b60d-4b17-b261-0de8af7da552 Teams Communications Administrator 8d50de14-19b3-4578-b588-6a3c8929d766 Teams Service Administrator 4c962061-2581-417f-938a-7cc1b38fc2a2 User Account Administrator 0f3a91cd-4fdd-436e-97ed-f2a01b19bfe2
Many of these role groups are familiar because they underpin the custom administrative roles assigned in the Office 365 Admin Center.
Notice that only two of the four Teams administrative roles are present. This is because Azure Active Directory only creates the role the first time someone is assigned it.
To see who holds a certain role, use the Get-AzureADDirectoryRoleMember cmdlet and pass the object identifier of the role. For example.
Get-AzureADDirectoryRoleMember -ObjectId 4c962061-2581-417f-938a-7cc1b38fc2a2 ObjectId DisplayName UserPrincipalName UserType -------- ----------- ----------------- -------- cad05ccf-a359-4ac7-89e0-1e33bf37579e James Ryan [email protected] Member
If you want to see the cmdlets assigned to a role, run PowerShell and log in as someone holding the role you want to examine. Connect to the Skype for Business PowerShell module and create a new session. PowerShell gives the session a name and you can run the Get-Command cmdlet to see the list of cmdlets available in the session.
Import-Module SkypeOnlineConnector $userCredential = Get-Credential $sfbSession = New-CsOnlineSession -Credential $userCredential Import-PSSession $sfbSession ModuleType Version Name ExportedCommands ---------- ------- ---- ---------------- Script 1.0 tmp_b045gmiy.trd {Clear-CsOnlineTelephon...} Get-Command -Module tmp_b045gmiy.trd
Custom administrative roles are not a new concept, but it’s nice to see them arriving for Teams as it marks an increasing maturity in the administrative processes surrounding the product. The next thing you know, we’ll get an enhanced PowerShell module for Teams…
Follow Tony on Twitter @12Knocksinna.
Want to know more about how to manage Office 365? Find what you need to know in “Office 365 for IT Pros”, the most comprehensive eBook covering all aspects of Office 365. Available in PDF and EPUB formats (suitable for iBooks) or for Amazon Kindle.