Using PowerShell to assign service admin roles in Azure AD

Do you remember the time when you couldn't assign service admin roles in Office 365? It wasn't that long ago: it was simply not possible to add an Exchange Online Administrator or a SharePoint Administrator. So in most cases companies used Global Administrators to manage Exchange, for instance, and the same admins then also had full access to SharePoint and everything else. That is the opposite of least privilege, and it was clearly odd.

The reason this wasn't possible is that users and their administrative roles are handled in Azure AD: every Office 365 organization also has an Azure AD tenant behind it, even if many people don't know it. Back then, administrative roles weren't properly integrated across the different services. This is possible now, and we can also use PowerShell (the MSOnline module) to handle everything.

To start with, we can use Get-MsolRole to list the administrative roles that are available in Azure AD.

Get-MsolRole

What we notice is that the list contains both roles specific to Office 365 services and roles specific to Azure AD itself, like Device Join and so on.

Now let's say you want to add a user to the Exchange Service Administrator role. The first thing to do is define a variable that holds the role object, so that later calls can reference it by its ObjectId. Here's how to do this:

$exchangeAdministrator = Get-MsolRole -RoleName "Exchange Service Administrator"

Now, before adding a user, let's check who is already an Exchange Administrator. We can do this with the following cmdlet:

Get-MsolRoleMember -RoleObjectId $exchangeAdministrator.ObjectId

Output: [screenshot of the Get-MsolRoleMember output]

So, we see that Stephen Curry is my Exchange Online Administrator. That’s because if he troubleshoots Exchange problems the same way he shoots the ball right now, I think he would be a good fit for my virtual company 🙂

Now, I wouldn’t like Steph Curry to feel alone, so I would like to bring in some good company. So here’s how I would add a new user to the Exchange Service Administrator role:

Add-MsolRoleMember -RoleName "Exchange Service Administrator" -RoleMemberEmailAddress user@contoso.onmicrosoft.com

Well, you won't see any output after you run this cmdlet, so the only way to confirm the change is to run the previous one again and check the new role membership. The result would be as follows:

[screenshot of the new role membership]

I brought some good company, like Kevin Durant and of course a User 10 that should kind of keep an eye on what Steph and Kevin are doing 🙂

If you want to remove a user from this administrative role, then you should run the following cmdlet:

Remove-MsolRoleMember -RoleName "Exchange Service Administrator" -RoleMemberEmailAddress user@contoso.onmicrosoft.com
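The steps above (resolve the role, list members, add, verify, remove) put together as one script. This is an added example and not code from the original post: it assumes Connect-MsolService has already been run with an account allowed to manage role membership, and the role name and UPNs are placeholders you would replace. It checks the current membership before adding or removing (so re-running it is harmless), verifies that a UPN actually exists with Get-MsolUser before touching the role, and re-reads the membership afterwards, because Add-MsolRoleMember and Remove-MsolRoleMember print nothing on success. Note that the MSOnline module has since been deprecated by Microsoft in favour of the Microsoft Graph PowerShell SDK; the pattern (resolve role, diff membership, change, verify) carries over unchanged.

```powershell
# Added example, not from the original post. Idempotent, verified role-membership
# change with the MSOnline module. Assumes Connect-MsolService has been run.
param(
    [string]$RoleName  = 'Exchange Service Administrator',
    [string[]]$Add     = @('user@contoso.onmicrosoft.com'),   # placeholder UPNs
    [string[]]$Remove  = @(),
    [switch]$DryRun                                            # report, change nothing
)

Import-Module MSOnline -ErrorAction Stop

# Resolve the role once and fail early: a mistyped role name would otherwise
# surface later as a non-terminating error and an unchanged membership.
$role = Get-MsolRole -RoleName $RoleName -ErrorAction Stop

function Get-RoleMemberUpns {
    # -All avoids the default page limit so large memberships are complete.
    # Members can also be service principals, which carry no EmailAddress;
    # those are listed separately and skipped here.
    Get-MsolRoleMember -RoleObjectId $role.ObjectId -All |
        Where-Object { $_.EmailAddress } |
        ForEach-Object { $_.EmailAddress.ToLowerInvariant() }
}

$before = @(Get-RoleMemberUpns)

foreach ($upn in $Add) {
    $key = $upn.ToLowerInvariant()
    if ($before -contains $key) {
        Write-Host "skip    : $upn is already a member of '$RoleName'"
        continue
    }
    # Confirm the account exists so a typo cannot fail silently.
    $null = Get-MsolUser -UserPrincipalName $upn -ErrorAction Stop
    if ($DryRun) { Write-Host "would add: $upn"; continue }
    Add-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberEmailAddress $upn
    Write-Host "added   : $upn"
}

foreach ($upn in $Remove) {
    $key = $upn.ToLowerInvariant()
    if ($before -notcontains $key) {
        Write-Host "skip    : $upn is not a member of '$RoleName'"
        continue
    }
    if ($DryRun) { Write-Host "would remove: $upn"; continue }
    Remove-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberEmailAddress $upn
    Write-Host "removed : $upn"
}

# Re-read the membership and diff it against the snapshot taken before the
# change: this is the only confirmation that the change actually landed.
$after = @(Get-RoleMemberUpns)
foreach ($u in $after)  { if ($before -notcontains $u) { Write-Host "joined  : $u" } }
foreach ($u in $before) { if ($after  -notcontains $u) { Write-Host "left    : $u" } }
Write-Host ("Members of '{0}' now: {1}" -f $RoleName, ($after -join ', '))
```

Run it with -DryRun first to see what would change, then without. Keeping a before/after snapshot in the script also gives you something to paste into a change ticket, which matters for a role that can read every mailbox in the tenant.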

So, that's as easy as 1, 2, 3. These are the basics of working with PowerShell and Azure AD admin roles. Feel free to play around and build more complex scripts by adding some logic for the scenarios you may face. As always, please share your own experiences in the comments of this blog post.

Dan Patrascu-Baba

Partner Technical Consultant at Microsoft
Azure PaaS and dev consultant, working for Microsoft. Mostly dealing with Microsoft Azure services, ASP.Net Core, AngularJS, Javascript. Helping partners and customers to write good code and to architect their cloud and hybrid solutions.
