This question popped up on Experts Exchange recently. The answer is that you can indeed assign multiple roles to the same user, however you will need to use the WAAD module for PowerShell to do so. Here are the steps:
-
Login to the service using Connect-MsolService
-
Get the Role object Id, which you will need to grant the permissions:
PS C:\> Get-MsolRole ObjectId Name Description -------- ---- ----------- 17315797-102d-40b4-93e0-432062caca18 Compliance Administrator Compliance administrator. 29232cdf-9323-42fd-ade2-1d097af3e4de Exchange Service Administrator Exchange Service Administrator. 4ba39ca4-527c-499a-b93d-d9b492c50246 Partner Tier1 Support Allows ability to perform tier1 support tasks. 62e90394-69f5-4237-9190-012177145e10 Company Administrator Company Administrator role has full access to perform any operation in the company scope. 729827e3-9c14-49f7-bb1b-9608f156bbb8 Helpdesk Administrator Helpdesk Administrator has access to perform common helpdesk related tasks. 75941009-915a-4869-abe7-691bff18279e Lync Service Administrator Lync Service Administrator. 88d8e3e3-8f55-4a1e-953a-9b9898b8876b Directory Readers Allows access to various read only tasks in the directory. 9360feb5-f418-4baa-8175-e2a00bac4301 Directory Writers Allows access read tasks and a subset of write tasks in the directory. 9c094953-4995-41c8-84c8-3ebb9b32c93f Device Join Device Join 9f06204d-73c1-4d4c-880a-6edb90606fd8 Device Administrators Device Administrators b0f54661-2d74-4c50-afa3-1ec803f12efe Billing Administrator Billing Administrator has access to perform common billing related tasks. c34f683f-4d5a-4403-affd-6615e00e3a7f Workplace Device Join Workplace Device Join d405c6df-0af8-4e3b-95e4-4d06e542189e Device Users Device Users e00e864a-17c5-4a4b-9c06-f5b95a8d5bd8 Partner Tier2 Support Allows ability to perform tier2 support tasks. f023fd81-a637-4b56-95fd-791ac0226033 Service Support Administrator Service Support Administrator has access to perform common support tasks. f28a1f50-f6e7-4571-818b-6a12f2af6b6c SharePoint Service Administrator SharePoint Service Administrator. fe930be7-5e62-47db-91af-98c3a49a38b1 User Account Administrator User Account Administrator has access to perform common user management related tasks.
-
To grant access to a specific role, use the Add-MsolRoleMember cmdlet
PS C:\> Add-MsolRoleMember -RoleObjectId fe930be7-5e62-47db-91af-98c3a49a38b1 -RoleMemberEmailAddress user@domain.com
-
Repeat the process for any of the other roles
-
To verify that the correct roles have been assigned, use the Get-MsolUserRole cmdlet
PS C:\> Get-MsolUserRole -UserPrincipalName user@domain.com ObjectId Name Description -------- ---- ----------- b0f54661-2d74-4c50-afa3-1ec803f12efe Billing Administrator Billing Administrator has access to perform common billing related tasks. fe930be7-5e62-47db-91af-98c3a49a38b1 User Account Administrator User Account Administrator has access to perform common user management related tasks.
-
One thing to be careful about – granting access via PowerShell does not populate the Alternate email address and phone details for the user. This field is mandatory when granting access via the O365 Portal, so you can use this as workaround 🙂
Here’s how the permissions will look from the Portal:
Note the warning: This user has multiple admin roles: Billing administrator, User management administrator. Any changes you make on this page to this user’s role will overwrite the existing roles.