Azure Active Directory Administrator Roles

Azure Administrator Roles

Azure AD administrator roles allow you to delegate various parts of Azure Active Directory management. 

As an example you can delegate the Global Reader role to anyone who needs to investigate or audit your resources but don’t need to make any changes.

In large organizations it makes sense to delegate the authority to manage Azure AD elements to specialized admins. And even minor organizations with just a few admins may find Azure AD administrator roles to be useful.

This article shows you how to do the following using PowerShell:

  • List all Azure Administrator Roles
  • List all users with a specific Azure Administrator Role
  • List all assigned Azure Administrator Role for all identities
  • List all Azure Administrator Roles for a specific user

But first let’s take a look at the GUI to get a visual on the information.

Managing Azure Administrator Roles Using the Azure Portal

To view all roles and see what users or groups are assigned to the roles, log in to the Azure Portal, go to Azure Active Directory and click on Roles and Administrators:

Azure Roles and Administrators

To view what roles are assigned to an individual user go to Users, select the user and click Assigned Roles:

Managing Azure Administrator Roles Using PowerShell

In many cases you may want to uses PowerShell to manage Administrator Roles in Azure Active Directory. PowerShell has two prominent modules for managing Azure:

  • Azure AD PowerShell for Graph
  • Azure Active Directory Module for Windows PowerShell (MSOnline)

Which one you prefer is up to you. This article will demonstrate the use of the MSOnline module for PowerShell.

All code examples assume that you have a working PowerShell connection to Azure. Read this article to understand how to set up and use the MSOnline module for PowerShell.

Azure Administrator Roles Overview

First of all, let’s get an overview of all the Azure AD Administrator Roles:

Get-MsolRole | Sort-Object Name | ft Name,ObjectID,description

Nicely formatted in a table, the output will look like this:

Azure AD Administrator Roles

RoleObjectIdDescription
Application Administrator9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3Can create and manage all aspects of app registrations and enterprise apps.
Application Developercf1c38e5-3621-4004-a7cb-879624dced7cCan create application registrations independent of the ‘Users can register applications’ setting.
Authentication Administratorc4e39bd9-1100-46d3-8c65-fb160da0071fAllowed to view, set and reset authentication method information for any non-admin user.
Azure DevOps Administratore3973bdf-4987-49ae-837a-ba8e231c7286Can manage Azure DevOps organization policy and settings.
Azure Information Protection Administrator7495fdc4-34c4-4d15-a289-98788ce399fdCan manage all aspects of the Azure Information Protection product.
B2C IEF Keyset Administratoraaf43236-0c0d-4d5f-883a-6955382ac081Can manage secrets for federation and encryption in the Identity Experience Framework (IEF).
B2C IEF Policy Administrator3edaf663-341e-4475-9f94-5c398ef6c070Can create and manage trust framework policies in the Identity Experience Framework (IEF).
B2C User Flow Administrator6e591065-9bad-43ed-90f3-e9424366d2f0Can create and manage all aspects of user flows.
B2C User Flow Attribute Administrator0f971eea-41eb-4569-a71e-57bb8a3eff1eCan create and manage the attribute schema available to all user flows.
Billing Administratorb0f54661-2d74-4c50-afa3-1ec803f12efeCan perform common billing related tasks like updating payment information.
Cloud Application Administrator158c047a-c907-4556-b7ef-446551a6b5f7Can create and manage all aspects of app registrations and enterprise apps except App Proxy.
Cloud Device Administrator7698a772-787b-4ac8-901f-60d6b08affd2Full access to manage devices in Azure AD.
Company Administrator62e90394-69f5-4237-9190-012177145e10Can manage all aspects of Azure AD and Microsoft services that use Azure AD identities.
Compliance Administrator17315797-102d-40b4-93e0-432062caca18Can read and manage compliance configuration and reports in Azure AD and Office 365.
Compliance Data Administratore6d1a23a-da11-4be4-9570-befc86d067a7Creates and manages compliance content.
Conditional Access Administratorb1be1c3e-b65d-4f19-8427-f6fa0d97feb9Can manage conditional access capabilities.
CRM Service Administrator44367163-eba1-44c3-98af-f5787879f96aCan manage all aspects of the Dynamics 365 product.
Customer LockBox Access Approver5c4f9dcd-47dc-4cf7-8c9a-9e4207cbfc91Can approve Microsoft support requests to access customer organizational data.
Desktop Analytics Administrator38a96431-2bdf-4b4c-8b6e-5d3d8abac1a4Can access and manage Desktop management tools and services.
Device Administrators9f06204d-73c1-4d4c-880a-6edb90606fd8Device Administrators
Device Join9c094953-4995-41c8-84c8-3ebb9b32c93fDevice Join
Device Managers2b499bcd-da44-4968-8aec-78e1674fa64dDeprecated – Do Not Use.
Device Usersd405c6df-0af8-4e3b-95e4-4d06e542189eDevice Users
Directory Readers88d8e3e3-8f55-4a1e-953a-9b9898b8876bCan read basic directory information. Commonly used to grant directory read access to applications and guests.
Directory Synchronization Accountsd29b2b05-8046-44ba-8758-1e26182fcf32Only used by Azure AD Connect service.
Directory Writers9360feb5-f418-4baa-8175-e2a00bac4301Can read and write basic directory information. For granting access to applications, not intended for users.
Exchange Service Administrator29232cdf-9323-42fd-ade2-1d097af3e4deCan manage all aspects of the Exchange product.
External Identity Provider Administratorbe2f45a1-457d-42af-a067-6ec1fa63bc45Can configure identity providers for use in direct federation.
Global Readerf2ef992c-3afb-46b9-b7cf-a126ee74c451Can read everything that a global admin can read but not update anything.
Groups Administratorfdd7a751-b60b-444a-984c-02652fe8fa1cMembers of this role can create/manage groups, create/manage groups settings like naming and expiration policies, and view groups activity and audit reports.
Guest Inviter95e79109-95c0-4d8e-aee3-d01accf2d47bCan invite guest users independent of the ‘members can invite guests’ setting.
Helpdesk Administrator729827e3-9c14-49f7-bb1b-9608f156bbb8Can reset passwords for non-administrators and Helpdesk Administrators.
Intune Service Administrator3a2c62db-5318-420d-8d74-23affee5d9d5Can manage all aspects of the Intune product.
Kaizala Administrator74ef975b-6605-40af-a5d2-b9539d836353Can manage settings for Microsoft Kaizala.
License Administrator4d6ac14f-3453-41d0-bef9-a3e0c569773aCan manage product licenses on users and groups.
Lync Service Administrator75941009-915a-4869-abe7-691bff18279eCan manage all aspects of the Skype for Business product.
Message Center Privacy Readerac16e43d-7b2d-40e0-ac05-243ff356ab5bCan read security messages and updates in Office 365 Message Center only.
Message Center Reader790c1fb9-7f7d-4f88-86a1-ef1f95c05c1bCan read messages and updates for their organization in Office 365 Message Center only.
Office Apps Administrator2b745bdf-0803-4d80-aa65-822c4493daacCan manage Office apps cloud services, including policy and settings management, and manage the ability to select, unselect and publish ‘what’s new’ feature content to end-user’s devices.
Partner Tier1 Support4ba39ca4-527c-499a-b93d-d9b492c50246Do not use – not intended for general use.
Partner Tier2 Supporte00e864a-17c5-4a4b-9c06-f5b95a8d5bd8Do not use – not intended for general use.
Password Administrator966707d0-3269-4727-9be2-8c3a10f19b9dCan reset passwords for non-administrators and Password Administrators.
Power BI Service Administratora9ea8996-122f-4c74-9520-8edcd192826cCan manage all aspects of the Power BI product.
Power Platform Administrator11648597-926c-4cf3-9c36-bcebb0ba8dccCan create and manage all aspects of Microsoft Dynamics 365, PowerApps and Microsoft Flow.
Printer Administrator644ef478-e28f-4e28-b9dc-3fdde9aa0b1fCan manage all aspects of printers and printer connectors.
Printer Techniciane8cef6f1-e4bd-4ea8-bc07-4b8d950f4477Can manage all aspects of printers and printer connectors.
Privileged Authentication Administrator7be44c8a-adaf-4e2a-84d6-ab2649e08a13Allowed to view, set and reset authentication method information for any user (admin or non-admin).
Privileged Role Administratore8611ab8-c189-46e8-94e1-60213ab1f814Can manage role assignments in Azure AD, and all aspects of Privileged Identity Management.
Reports Reader4a5d8f65-41da-4de4-8968-e035b65339cfCan read sign-in and audit reports.
Search Administrator0964bb5e-9bdb-4d7b-ac29-58e794862a40Can create and manage all aspects of Microsoft Search settings.
Search Editor8835291a-918c-4fd7-a9ce-faa49f0cf7d9Can create and manage the editorial content such as bookmarks, Q and As, locations, floorplan.
Security Administrator194ae4cb-b126-40b2-bd5b-6091b380977dSecurity Administrator allows ability to read and manage security configuration and reports.
Security Operator5f2222b1-57c3-48ba-8ad5-d4759f1fde6fCreates and manages security events.
Security Reader5d6b6bb7-de71-4623-b4af-96380a352509Can read security information and reports in Azure AD and Office 365.
Service Support Administratorf023fd81-a637-4b56-95fd-791ac0226033Can read service health information and manage support tickets.
SharePoint Service Administratorf28a1f50-f6e7-4571-818b-6a12f2af6b6cCan manage all aspects of the SharePoint service.
Teams Communications Administratorbaf37b3a-610e-45da-9e62-d9d1e5e8914bCan manage calling and meetings features within the Microsoft Teams service.
Teams Communications Support Engineerf70938a0-fc10-4177-9e90-2178f8765737Can troubleshoot communications issues within Teams using advanced tools.
Teams Communications Support Specialistfcf91098-03e3-41a9-b5ba-6f0ec8188a12Can troubleshoot communications issues within Teams using basic tools.
Teams Service Administrator69091246-20e8-4a56-aa4d-066075b2a7a8Can manage the Microsoft Teams service.
User Account Administratorfe930be7-5e62-47db-91af-98c3a49a38b1Can manage all aspects of users and groups, including resetting passwords for limited admins.
Workplace Device Joinc34f683f-4d5a-4403-affd-6615e00e3a7fWorkplace Device Join

For a detailed description of all Administrator Roles and the permissions included in them, please refer to the official documentation from Microsoft.

List All Users With a Specific Azure Administrator Role

The Get-MsolRoleMember cmdlet will list members of a given role. It uses RoleObjectId to identify the Role GUID so you need to find the role GUID first using the Get-MsolRole cmdlet (or use the above table as reference).

To list all the users that have the Global Administrator (which is actually called ‘Company Administrator’!) role assigned, use the following PowerShell command:

Get-MsolRoleMember -RoleObjectId 62e90394-69f5-4237-9190-012177145e10

Output from this command may look like this:

PS C:\> Get-MsolRoleMember -RoleObjectId 62e90394-69f5-4237-9190-012177145e10

RoleMemberType EmailAddress                              DisplayName          isLicensed
-------------- ------------                              -----------          ----------
User           tycho.brahe@observatory.dk                Tycho Brahe          True
User           jens.m.knudsen@observatory.dk             Jens Martin Knudsen  True

List All Assigned Azure Administrator Role For All Identities

To list all assigned Azure Administrator Roles you can use the next script. To format the output nicely with the “real” Role name instead of the Guid requires some logic:

$RolesCollection = @()
$Roles = Get-MsolRole
ForEach ($Role In $Roles){
  $Members = Get-MsolRoleMember -RoleObjectId $Role.ObjectId
  ForEach ($Member In $Members) {
    $obj = New-Object PSObject -Property @{
      RoleName = $Role.Name
      MemberName = $Member.DisplayName
      MemberType = $Member.RoleMemberType
    }
    $RolesCollection += $obj
  }
}
Write-Output $RolesCollection | Sort-Object RoleName,MemberName | ft RoleName,MemberName,MemberType

The output from this code is going to look similar to this:

RoleName                           MemberName                                            MemberType
--------                           ----------                                            ----------
Company Administrator              Tycho Brahe                                                 User
Application Administrator          Jens Martin Knudsen                                         User
Directory Synchronization Accounts On-Premises Directory Synchronization Service Account       User
License Administrator              Ole Roemer                                                  User

List All Azure Administrator Roles For a Specific User

To view Azure Administrator Roles assigned to an individual user (or group), add some filtering to the output by replacing the last line of code in the previous script with the following:

Write-Output $RolesCollection | Where-Object MemberName -eq 'Tycho Brahe' | Sort-Object RoleName | ft RoleName,MemberName,MemberType

Summary

I hope you now have a good grip on PowerShell’ing your way through Azure Administrator Roles. Hopefully the above building blocks can help you put together some awesome automation to make your daily admin tasks easier and less error prone.

Check our PowerShell section for more ideas on automation.