Assigning multiple administrative roles to a user in Office 365

This question popped up on Experts Exchange recently. The answer is that you can indeed assign multiple roles to the same user; however, you will need to use the Windows Azure Active Directory (WAAD) module for PowerShell to do so. Here are the steps:

  • Log in to the service using Connect-MsolService
  • Get the Role object Id, which you will need to grant the permissions:
PS C:\> Get-MsolRole

ObjectId                               Name                             Description
--------                               ----                             -----------
17315797-102d-40b4-93e0-432062caca18   Compliance Administrator         Compliance administrator.
29232cdf-9323-42fd-ade2-1d097af3e4de   Exchange Service Administrator   Exchange Service Administrator.
4ba39ca4-527c-499a-b93d-d9b492c50246   Partner Tier1 Support            Allows ability to perform tier1 support tasks.
62e90394-69f5-4237-9190-012177145e10   Company Administrator            Company Administrator role has full access to perform any operation in the company scope.
729827e3-9c14-49f7-bb1b-9608f156bbb8   Helpdesk Administrator           Helpdesk Administrator has access to perform common helpdesk related tasks.
75941009-915a-4869-abe7-691bff18279e   Lync Service Administrator       Lync Service Administrator.
88d8e3e3-8f55-4a1e-953a-9b9898b8876b   Directory Readers                Allows access to various read only tasks in the directory.
9360feb5-f418-4baa-8175-e2a00bac4301   Directory Writers                Allows access read tasks and a subset of write tasks in the directory.
9c094953-4995-41c8-84c8-3ebb9b32c93f   Device Join                      Device Join
9f06204d-73c1-4d4c-880a-6edb90606fd8   Device Administrators            Device Administrators
b0f54661-2d74-4c50-afa3-1ec803f12efe   Billing Administrator            Billing Administrator has access to perform common billing related tasks.
c34f683f-4d5a-4403-affd-6615e00e3a7f   Workplace Device Join            Workplace Device Join
d405c6df-0af8-4e3b-95e4-4d06e542189e   Device Users                     Device Users
e00e864a-17c5-4a4b-9c06-f5b95a8d5bd8   Partner Tier2 Support            Allows ability to perform tier2 support tasks.
f023fd81-a637-4b56-95fd-791ac0226033   Service Support Administrator    Service Support Administrator has access to perform common support tasks.
f28a1f50-f6e7-4571-818b-6a12f2af6b6c   SharePoint Service Administrator SharePoint Service Administrator.
fe930be7-5e62-47db-91af-98c3a49a38b1   User Account Administrator       User Account Administrator has access to perform common user management related tasks.
  • To grant access to a specific role, use the Add-MsolRoleMember cmdlet:
PS C:\> Add-MsolRoleMember -RoleObjectId fe930be7-5e62-47db-91af-98c3a49a38b1 -RoleMemberEmailAddress user@domain.com
  • Repeat the process for any of the other roles
  • To verify that the correct roles have been assigned, use the Get-MsolUserRole cmdlet:
PS C:\> Get-MsolUserRole -UserPrincipalName user@domain.com

ObjectId                               Name                             Description
--------                               ----                             -----------
b0f54661-2d74-4c50-afa3-1ec803f12efe   Billing Administrator            Billing Administrator has access to perform common billing related tasks.
fe930be7-5e62-47db-91af-98c3a49a38b1   User Account Administrator       User Account Administrator has access to perform common user management related tasks.
  • One thing to be careful about – granting access via PowerShell does not populate the Alternate email address and phone details for the user. These fields are mandatory when granting access via the O365 Portal, so you can use this as a workaround 🙂

Here’s how the permissions will look from the Portal:

Note the warning: This user has multiple admin roles: Billing administrator, User management administrator. Any changes you make on this page to this user’s role will overwrite the existing roles. 
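
The steps above combined into one script, as an added example that is not part of the original post: it resolves roles by name instead of copying GUIDs, skips roles the user already holds, and reports anything the user holds beyond the requested set. The address and role names are placeholders taken from the sample output above, and the script assumes the user's email address matches the UPN.

```powershell
# Added example: assign several admin roles to one user, then verify the result.
# Assumes the MSOnline module is installed. $upn and $wanted are placeholders.
Import-Module MSOnline
Connect-MsolService   # prompts for admin credentials

$upn    = 'user@domain.com'   # assumed to be both the UPN and the email address
$wanted = 'Billing Administrator', 'User Account Administrator'

# Resolve names to role objects first, so a typo fails before anything changes.
$roles = @(foreach ($name in $wanted) {
    $role = Get-MsolRole -RoleName $name
    if (-not $role) { throw "Role '$name' not found in this tenant." }
    $role
})

# Roles the user already holds; checking them keeps the script idempotent.
$current = @(Get-MsolUserRole -UserPrincipalName $upn)

foreach ($role in $roles) {
    if ($current.ObjectId -contains $role.ObjectId) {
        Write-Host "Already assigned: $($role.Name)"
        continue
    }
    Add-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberEmailAddress $upn
    Write-Host "Assigned: $($role.Name)"
}

# Verify: every requested role is present, and flag roles outside the list
# so that unexpected privileges are noticed during the change.
$after   = @(Get-MsolUserRole -UserPrincipalName $upn)
$missing = @($roles | Where-Object { $after.ObjectId -notcontains $_.ObjectId })
$extra   = @($after | Where-Object { $roles.ObjectId -notcontains $_.ObjectId })

if ($missing) { Write-Warning "Not assigned: $($missing.Name -join ', ')" }
if ($extra)   { Write-Warning "Roles outside the requested set: $($extra.Name -join ', ')" }
$after | Format-Table ObjectId, Name -AutoSize
```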
