Azure AD administrator roles allow you to delegate various parts of Azure Active Directory management.
As an example you can delegate the Global Reader role to anyone who needs to investigate or audit your resources but don’t need to make any changes.
In large organizations it makes sense to delegate the authority to manage Azure AD elements to specialized admins. And even minor organizations with just a few admins may find Azure AD administrator roles to be useful.
This article shows you how to do the following using PowerShell:
- List all Azure Administrator Roles
- List all users with a specific Azure Administrator Role
- List all assigned Azure Administrator Role for all identities
- List all Azure Administrator Roles for a specific user
But first let’s take a look at the GUI to get a visual on the information.
Managing Azure Administrator Roles Using the Azure Portal
To view all roles and see what users or groups are assigned to the roles, log in to the Azure Portal, go to Azure Active Directory and click on Roles and Administrators:
To view what roles are assigned to an individual user go to Users, select the user and click Assigned Roles:
Managing Azure Administrator Roles Using PowerShell
In many cases you may want to uses PowerShell to manage Administrator Roles in Azure Active Directory. PowerShell has two prominent modules for managing Azure:
- Azure AD PowerShell for Graph
- Azure Active Directory Module for Windows PowerShell (MSOnline)
Which one you prefer is up to you. This article will demonstrate the use of the MSOnline module for PowerShell.
All code examples assume that you have a working PowerShell connection to Azure. Read this article to understand how to set up and use the MSOnline module for PowerShell.
Azure Administrator Roles Overview
First of all, let’s get an overview of all the Azure AD Administrator Roles:
Get-MsolRole | Sort-Object Name | ft Name,ObjectID,descriptionNicely formatted in a table, the output will look like this:
Azure AD Administrator Roles
| Role | ObjectId | Description |
|---|---|---|
| Application Administrator | 9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3 | Can create and manage all aspects of app registrations and enterprise apps. |
| Application Developer | cf1c38e5-3621-4004-a7cb-879624dced7c | Can create application registrations independent of the ‘Users can register applications’ setting. |
| Authentication Administrator | c4e39bd9-1100-46d3-8c65-fb160da0071f | Allowed to view, set and reset authentication method information for any non-admin user. |
| Azure DevOps Administrator | e3973bdf-4987-49ae-837a-ba8e231c7286 | Can manage Azure DevOps organization policy and settings. |
| Azure Information Protection Administrator | 7495fdc4-34c4-4d15-a289-98788ce399fd | Can manage all aspects of the Azure Information Protection product. |
| B2C IEF Keyset Administrator | aaf43236-0c0d-4d5f-883a-6955382ac081 | Can manage secrets for federation and encryption in the Identity Experience Framework (IEF). |
| B2C IEF Policy Administrator | 3edaf663-341e-4475-9f94-5c398ef6c070 | Can create and manage trust framework policies in the Identity Experience Framework (IEF). |
| B2C User Flow Administrator | 6e591065-9bad-43ed-90f3-e9424366d2f0 | Can create and manage all aspects of user flows. |
| B2C User Flow Attribute Administrator | 0f971eea-41eb-4569-a71e-57bb8a3eff1e | Can create and manage the attribute schema available to all user flows. |
| Billing Administrator | b0f54661-2d74-4c50-afa3-1ec803f12efe | Can perform common billing related tasks like updating payment information. |
| Cloud Application Administrator | 158c047a-c907-4556-b7ef-446551a6b5f7 | Can create and manage all aspects of app registrations and enterprise apps except App Proxy. |
| Cloud Device Administrator | 7698a772-787b-4ac8-901f-60d6b08affd2 | Full access to manage devices in Azure AD. |
| Company Administrator | 62e90394-69f5-4237-9190-012177145e10 | Can manage all aspects of Azure AD and Microsoft services that use Azure AD identities. |
| Compliance Administrator | 17315797-102d-40b4-93e0-432062caca18 | Can read and manage compliance configuration and reports in Azure AD and Office 365. |
| Compliance Data Administrator | e6d1a23a-da11-4be4-9570-befc86d067a7 | Creates and manages compliance content. |
| Conditional Access Administrator | b1be1c3e-b65d-4f19-8427-f6fa0d97feb9 | Can manage conditional access capabilities. |
| CRM Service Administrator | 44367163-eba1-44c3-98af-f5787879f96a | Can manage all aspects of the Dynamics 365 product. |
| Customer LockBox Access Approver | 5c4f9dcd-47dc-4cf7-8c9a-9e4207cbfc91 | Can approve Microsoft support requests to access customer organizational data. |
| Desktop Analytics Administrator | 38a96431-2bdf-4b4c-8b6e-5d3d8abac1a4 | Can access and manage Desktop management tools and services. |
| Device Administrators | 9f06204d-73c1-4d4c-880a-6edb90606fd8 | Device Administrators |
| Device Join | 9c094953-4995-41c8-84c8-3ebb9b32c93f | Device Join |
| Device Managers | 2b499bcd-da44-4968-8aec-78e1674fa64d | Deprecated – Do Not Use. |
| Device Users | d405c6df-0af8-4e3b-95e4-4d06e542189e | Device Users |
| Directory Readers | 88d8e3e3-8f55-4a1e-953a-9b9898b8876b | Can read basic directory information. Commonly used to grant directory read access to applications and guests. |
| Directory Synchronization Accounts | d29b2b05-8046-44ba-8758-1e26182fcf32 | Only used by Azure AD Connect service. |
| Directory Writers | 9360feb5-f418-4baa-8175-e2a00bac4301 | Can read and write basic directory information. For granting access to applications, not intended for users. |
| Exchange Service Administrator | 29232cdf-9323-42fd-ade2-1d097af3e4de | Can manage all aspects of the Exchange product. |
| External Identity Provider Administrator | be2f45a1-457d-42af-a067-6ec1fa63bc45 | Can configure identity providers for use in direct federation. |
| Global Reader | f2ef992c-3afb-46b9-b7cf-a126ee74c451 | Can read everything that a global admin can read but not update anything. |
| Groups Administrator | fdd7a751-b60b-444a-984c-02652fe8fa1c | Members of this role can create/manage groups, create/manage groups settings like naming and expiration policies, and view groups activity and audit reports. |
| Guest Inviter | 95e79109-95c0-4d8e-aee3-d01accf2d47b | Can invite guest users independent of the ‘members can invite guests’ setting. |
| Helpdesk Administrator | 729827e3-9c14-49f7-bb1b-9608f156bbb8 | Can reset passwords for non-administrators and Helpdesk Administrators. |
| Intune Service Administrator | 3a2c62db-5318-420d-8d74-23affee5d9d5 | Can manage all aspects of the Intune product. |
| Kaizala Administrator | 74ef975b-6605-40af-a5d2-b9539d836353 | Can manage settings for Microsoft Kaizala. |
| License Administrator | 4d6ac14f-3453-41d0-bef9-a3e0c569773a | Can manage product licenses on users and groups. |
| Lync Service Administrator | 75941009-915a-4869-abe7-691bff18279e | Can manage all aspects of the Skype for Business product. |
| Message Center Privacy Reader | ac16e43d-7b2d-40e0-ac05-243ff356ab5b | Can read security messages and updates in Office 365 Message Center only. |
| Message Center Reader | 790c1fb9-7f7d-4f88-86a1-ef1f95c05c1b | Can read messages and updates for their organization in Office 365 Message Center only. |
| Office Apps Administrator | 2b745bdf-0803-4d80-aa65-822c4493daac | Can manage Office apps cloud services, including policy and settings management, and manage the ability to select, unselect and publish ‘what’s new’ feature content to end-user’s devices. |
| Partner Tier1 Support | 4ba39ca4-527c-499a-b93d-d9b492c50246 | Do not use – not intended for general use. |
| Partner Tier2 Support | e00e864a-17c5-4a4b-9c06-f5b95a8d5bd8 | Do not use – not intended for general use. |
| Password Administrator | 966707d0-3269-4727-9be2-8c3a10f19b9d | Can reset passwords for non-administrators and Password Administrators. |
| Power BI Service Administrator | a9ea8996-122f-4c74-9520-8edcd192826c | Can manage all aspects of the Power BI product. |
| Power Platform Administrator | 11648597-926c-4cf3-9c36-bcebb0ba8dcc | Can create and manage all aspects of Microsoft Dynamics 365, PowerApps and Microsoft Flow. |
| Printer Administrator | 644ef478-e28f-4e28-b9dc-3fdde9aa0b1f | Can manage all aspects of printers and printer connectors. |
| Printer Technician | e8cef6f1-e4bd-4ea8-bc07-4b8d950f4477 | Can manage all aspects of printers and printer connectors. |
| Privileged Authentication Administrator | 7be44c8a-adaf-4e2a-84d6-ab2649e08a13 | Allowed to view, set and reset authentication method information for any user (admin or non-admin). |
| Privileged Role Administrator | e8611ab8-c189-46e8-94e1-60213ab1f814 | Can manage role assignments in Azure AD, and all aspects of Privileged Identity Management. |
| Reports Reader | 4a5d8f65-41da-4de4-8968-e035b65339cf | Can read sign-in and audit reports. |
| Search Administrator | 0964bb5e-9bdb-4d7b-ac29-58e794862a40 | Can create and manage all aspects of Microsoft Search settings. |
| Search Editor | 8835291a-918c-4fd7-a9ce-faa49f0cf7d9 | Can create and manage the editorial content such as bookmarks, Q and As, locations, floorplan. |
| Security Administrator | 194ae4cb-b126-40b2-bd5b-6091b380977d | Security Administrator allows ability to read and manage security configuration and reports. |
| Security Operator | 5f2222b1-57c3-48ba-8ad5-d4759f1fde6f | Creates and manages security events. |
| Security Reader | 5d6b6bb7-de71-4623-b4af-96380a352509 | Can read security information and reports in Azure AD and Office 365. |
| Service Support Administrator | f023fd81-a637-4b56-95fd-791ac0226033 | Can read service health information and manage support tickets. |
| SharePoint Service Administrator | f28a1f50-f6e7-4571-818b-6a12f2af6b6c | Can manage all aspects of the SharePoint service. |
| Teams Communications Administrator | baf37b3a-610e-45da-9e62-d9d1e5e8914b | Can manage calling and meetings features within the Microsoft Teams service. |
| Teams Communications Support Engineer | f70938a0-fc10-4177-9e90-2178f8765737 | Can troubleshoot communications issues within Teams using advanced tools. |
| Teams Communications Support Specialist | fcf91098-03e3-41a9-b5ba-6f0ec8188a12 | Can troubleshoot communications issues within Teams using basic tools. |
| Teams Service Administrator | 69091246-20e8-4a56-aa4d-066075b2a7a8 | Can manage the Microsoft Teams service. |
| User Account Administrator | fe930be7-5e62-47db-91af-98c3a49a38b1 | Can manage all aspects of users and groups, including resetting passwords for limited admins. |
| Workplace Device Join | c34f683f-4d5a-4403-affd-6615e00e3a7f | Workplace Device Join |
For a detailed description of all Administrator Roles and the permissions included in them, please refer to the official documentation from Microsoft.
List All Users With a Specific Azure Administrator Role
The Get-MsolRoleMember cmdlet will list members of a given role. It uses RoleObjectId to identify the Role GUID so you need to find the role GUID first using the Get-MsolRole cmdlet (or use the above table as reference).
To list all the users that have the Global Administrator (which is actually called ‘Company Administrator’!) role assigned, use the following PowerShell command:
Get-MsolRoleMember -RoleObjectId 62e90394-69f5-4237-9190-012177145e10Output from this command may look like this:
PS C:\> Get-MsolRoleMember -RoleObjectId 62e90394-69f5-4237-9190-012177145e10 RoleMemberType EmailAddress DisplayName isLicensed -------------- ------------ ----------- ---------- User tycho.brahe@observatory.dk Tycho Brahe True User jens.m.knudsen@observatory.dk Jens Martin Knudsen True
List All Assigned Azure Administrator Role For All Identities
To list all assigned Azure Administrator Roles you can use the next script. To format the output nicely with the “real” Role name instead of the Guid requires some logic:
$RolesCollection = @()
$Roles = Get-MsolRole
ForEach ($Role In $Roles){
$Members = Get-MsolRoleMember -RoleObjectId $Role.ObjectId
ForEach ($Member In $Members) {
$obj = New-Object PSObject -Property @{
RoleName = $Role.Name
MemberName = $Member.DisplayName
MemberType = $Member.RoleMemberType
}
$RolesCollection += $obj
}
}
Write-Output $RolesCollection | Sort-Object RoleName,MemberName | ft RoleName,MemberName,MemberTypeThe output from this code is going to look similar to this:
RoleName MemberName MemberType -------- ---------- ---------- Company Administrator Tycho Brahe User Application Administrator Jens Martin Knudsen User Directory Synchronization Accounts On-Premises Directory Synchronization Service Account User License Administrator Ole Roemer User
List All Azure Administrator Roles For a Specific User
To view Azure Administrator Roles assigned to an individual user (or group), add some filtering to the output by replacing the last line of code in the previous script with the following:
Write-Output $RolesCollection | Where-Object MemberName -eq 'Tycho Brahe' | Sort-Object RoleName | ft RoleName,MemberName,MemberTypeSummary
I hope you now have a good grip on PowerShell’ing your way through Azure Administrator Roles. Hopefully the above building blocks can help you put together some awesome automation to make your daily admin tasks easier and less error prone.
Check our PowerShell section for more ideas on automation.