When you add users to Office 365, either by creating them or by synchronizing them to Azure AD, you can also specify whether they belong to a group with administrative roles and the related permissions. Assigning administrative roles helps with day-to-day operations, especially in large organizations spread across different locations, by delegating specific tasks to chosen admins who are responsible for their portion of the identities in Azure AD.
In Office 365 there are five different administrative roles plus one, so six in total. They are:
- Global Administrator
- Billing Administrator
- User Management Administrator
- Service Administrator
- Password Administrator
- Delegated Administrator (can be with Full / Limited rights)
The table below summarizes the permissions for each admin role:

For example, if we want to promote a user to administrator without giving them any rights beyond managing other non-privileged users, the User Management Admin role is probably the best fit. Similarly, it is possible to promote admins who can open and manage support tickets about Office 365 health, and who can review and access billing operations such as purchasing, checking subscriptions and the related notifications.
Users promoted to admin roles do not all have to belong to the same Office 365 tenant. Office 365 also lets you create and promote Delegated Administrators who belong to other Office 365 tenants. There are two levels, Full and Limited. Full equals the Global Admin role, which means full permissions everywhere: across the Azure instance, SharePoint Online, Exchange Online and Skype for Business. Limited equals the User Management Admin role.
Assigning and changing admin roles is an easy step: use the Edit User Roles link in the properties of a user under Active Users.
Can I manage admin roles with PowerShell? Yes. The MSOnline PowerShell module comes with built-in cmdlets for this purpose:
- Get-MsolRole: To retrieve a list of available Admin Roles
- Get-MsolRoleMember: To retrieve a list of Users part of a specific Role
- Add-MsolRoleMember: To add a user to a specific Role
- Remove-MsolRoleMember: To remove a user from a specific Role
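The four cmdlets above can be combined into a least-privilege review of who holds which role. This is an added example, not code from the original post. It assumes the MSOnline module is installed and Connect-MsolService has already been run; the approved list, the function names and every address are constructed for illustration.

```powershell
# Added example: review admin role membership against an approved list.
# Assumes the MSOnline module is installed and Connect-MsolService has been run.

# Assumption: your own approved list per role. All addresses below are constructed.
# Get-MsolRole reports Global Admin as 'Company Administrator' and
# User Management Admin as 'User Account Administrator'.
$Approved = @{
    'Company Administrator'      = @('alice@contoso.example')
    'User Account Administrator' = @('bob@contoso.example')
}

function Get-AdminRoleAssignment {
    # One row per (role, member) for every role in the tenant.
    foreach ($role in Get-MsolRole) {
        foreach ($m in Get-MsolRoleMember -RoleObjectId $role.ObjectId) {
            [pscustomobject]@{
                Role         = $role.Name
                DisplayName  = $m.DisplayName
                EmailAddress = $m.EmailAddress
                MemberType   = $m.RoleMemberType
            }
        }
    }
}

function Find-UnapprovedAssignment {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Assignment,
        [Parameter(Mandatory)] [hashtable] $Approved
    )
    foreach ($a in $Assignment) {
        $allowed = if ($Approved.ContainsKey($a.Role)) { $Approved[$a.Role] } else { @() }
        # Members with no address (e.g. service principals) are always reported for review.
        if (-not $a.EmailAddress -or $a.EmailAddress -notin $allowed) { $a }
    }
}

$current = @(Get-AdminRoleAssignment)
Find-UnapprovedAssignment -Assignment $current -Approved $Approved |
    Sort-Object Role, EmailAddress | Format-Table -AutoSize

# Remediation for one finding: swap Global Admin for the narrower role, then re-check.
$user = 'carol@contoso.example'   # constructed
Add-MsolRoleMember    -RoleName 'User Account Administrator' -RoleMemberEmailAddress $user
Remove-MsolRoleMember -RoleName 'Company Administrator'      -RoleMemberEmailAddress $user
Get-MsolRoleMember -RoleObjectId (Get-MsolRole -RoleName 'Company Administrator').ObjectId |
    Select-Object DisplayName, EmailAddress
```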