Deep Dive Into Office 365 PowerShell Cmdlets (Part 6)

If you would like to be notified when Nirmal Sharma releases the next part in this article series please sign up to our VirtualizationAdmin.com Real-Time Article Update newsletter.


In part 5 of this article series, we explained various Get-MsolUser PowerShell commands that you can use to collect Office 365 user licensing information, collect a list of Office 365 users based on their department, and collect user password expiry information.

Office 365 provides various admin roles that you can use to manage different aspects of an Office 365 Tenant. For example, a user who is a member of the Password Administrator admin role can reset passwords of Office 365 users. Similarly, members of Company Administrators can manage everything in an Office 365 Tenant. A brief overview of admin roles in Office 365 is given below:

  • Company Administrator: Members of the Company Administrator admin role have access to all features in Office 365. When you sign up for Office 365, you become the Global Administrator.
  • Billing Administrator: Billing Administrators are responsible for making Office 365 service purchases, managing subscriptions, monitoring Office 365 services health and managing support tickets with Microsoft.
  • Password Administrator: Members of Password Administrator admin role are limited to resetting passwords of Office 365 users, but they can also monitor Office 365 services health.
  • Service Administrator: Service Administrators are responsible for managing service requests with Microsoft.
  • User Management Administrator: This role is designed to manage users in an Office 365 Tenant. Members of the User Management Administrator admin role can manage user accounts, reset passwords, monitor Office 365 services health, and manage user groups and service requests. Remember that members of this role are limited to managing normal Office 365 users. They cannot delete Global Administrators, create other admin roles or reset the passwords of users who are part of other admin roles.

Although the Get-MsolUser cmdlet doesn’t provide a property that you can use to get a list of users in a particular admin role, you can use Get-MsolUser with the Get-MsolUserRole cmdlet to get this information.

Other than the admin roles explained above, Office 365 also provides admin roles to manage individual Office 365 services, such as Exchange Administrators to manage the Exchange Online service through the Exchange Admin Center, SharePoint Administrators to manage SharePoint Online via the SharePoint Online admin center, and Skype for Business Administrators to manage Skype for Business through the Skype for Business Admin center.

Every Office 365 administrator needs to ensure that only designated people are part of admin roles. Apart from collecting Office 365 user licensing information, the other common task you might want to perform is getting a list of users that are assigned to a particular admin role. You may not want several people to act as Company Administrators, as it might increase the risk to your business. The Get-MsolUserRole cmdlet can help you get the admin roles assigned to a particular user or to all Office 365 users. Let me give you some examples of using the Get-MsolUserRole cmdlet.

To check the role of a particular user, you can execute the command below:

The output of the above command is shown below:

Image

The above command returns the admin role for a particular user. However, you might want to generate a list that returns all users with their admin role membership. To get all users and their roles in Office 365, you can use the Get-MsolUserRole cmdlet with the Get-MsolUser cmdlet as shown in the command below:

    Get-MsolUser -All | Get-MsolUserRole | FT -AutoSize

The first command gets all users. The second command, Get-MsolUserRole, is separated from the first by a pipe operator and checks the role membership of each user retrieved by the first command. The output that the command returns is similar to the output shown below:

Image

You might have noticed that although the above command displays the admin roles assigned to each user, it displays only the ObjectID of the user instead of the User Principal Name. This is the default behavior of the Get-MsolUserRole cmdlet: it doesn’t provide any property that you can use to show the user principal name instead of the ObjectID. You can confirm this by running the "Get-MsolUserRole -UserPrincipalName [email protected] | Get-Member" command. As you can see in the output below, there are no properties available that you can use to display the user principal name of the user.

Image

So how do you display the user principal name of users when retrieving admin roles for all Office 365 users? What you can do is write a series of PowerShell commands by using Get-MsolUser and Get-MsolUserRole cmdlets as shown below:

    # Retrieve every user (-All lifts the default result limit)
    $AllUsers = Get-MsolUser -All
    ForEach ($MSUsers in $AllUsers)
    {
        $UserNameNow = $MSUsers.UserPrincipalName
        # Look up the admin roles assigned to this user
        $GetUserRole = Get-MsolUserRole -UserPrincipalName $UserNameNow
        Write-Host "User" $UserNameNow "Is a member of" $GetUserRole.Name
    }

When you run the above series of PowerShell commands in the Azure PowerShell window, you will see output as shown in the screenshot below:

Image

If you wish to export the output to a CSV file, execute the PowerShell commands below:

    $RoleCSVFile = "C:\Temp\RoleCSVFile.CSV"
    # Write the CSV header row
    $STR = "User Principal Name, Member Of"
    Add-Content $RoleCSVFile $STR
    $AllUsers = Get-MsolUser -All
    ForEach ($MSUsers in $AllUsers)
    {
        $UserNameNow = $MSUsers.UserPrincipalName
        $GetUserRole = Get-MsolUserRole -UserPrincipalName $UserNameNow
        # One row per user: the UPN, then the role name(s)
        $STR = $UserNameNow + "," + $GetUserRole.Name
        Add-Content $RoleCSVFile $STR
    }
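To act on the point that only designated people should hold admin roles, the role listing can be compared against a list of approved admins. The following is an added example, not part of the original article: it uses the same Get-MsolUser and Get-MsolUserRole cmdlets, while the function names, the allowlist and the contoso.example accounts are hypothetical.

```powershell
# Added example (not from the original article). Function names, the allowlist
# and all contoso.example accounts are hypothetical / constructed.

function Get-AdminRoleAssignment {
    # One row per user/role pair, so a user holding several roles is not
    # collapsed into a single space-joined field. Needs a connected MSOnline session.
    foreach ($user in Get-MsolUser -All) {
        foreach ($role in Get-MsolUserRole -UserPrincipalName $user.UserPrincipalName) {
            [PSCustomObject]@{
                UserPrincipalName = $user.UserPrincipalName
                Role              = $role.Name
            }
        }
    }
}

function Find-UnapprovedAssignment {
    param([object[]] $Assignment, [hashtable] $Approved)
    # Keep every row whose user is not listed under that role in the allowlist.
    # A role that is missing from the allowlist has no approved members at all.
    $Assignment | Where-Object { $Approved[$_.Role] -notcontains $_.UserPrincipalName }
}

# Constructed allowlist: role name -> accounts designated for that role.
$approved = @{
    'Company Administrator' = @('alice@contoso.example')
    'Billing Administrator' = @('carol@contoso.example')
}

# Constructed sample rows so the check can be tried without a tenant.
# With a connected session, use instead: $rows = Get-AdminRoleAssignment
$rows = @(
    [PSCustomObject]@{ UserPrincipalName = 'alice@contoso.example'; Role = 'Company Administrator' }
    [PSCustomObject]@{ UserPrincipalName = 'bob@contoso.example';   Role = 'Company Administrator' }
    [PSCustomObject]@{ UserPrincipalName = 'bob@contoso.example';   Role = 'Billing Administrator' }
    [PSCustomObject]@{ UserPrincipalName = 'carol@contoso.example'; Role = 'Billing Administrator' }
)

# Assignments that nobody approved: these are the rows to review.
$findings = Find-UnapprovedAssignment -Assignment $rows -Approved $approved
$findings | Format-Table -AutoSize

# Export-Csv quotes every field, so no manual string concatenation is needed.
$rows | Export-Csv -Path (Join-Path $env:TEMP 'RoleAudit.csv') -NoTypeInformation
```

With the constructed data, both of bob@contoso.example's assignments are reported, because that account is not on the allowlist for either role.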

As we explained in this article, Office 365 provides various admin roles to manage different aspects of an Office 365 Tenant. The members of Company Administrator can manage every aspect of an Office 365 Tenant, and you may not want to put your business at risk by adding unnecessary people to the Company Administrator role. The Get-MsolUserRole cmdlet, when used in conjunction with the Get-MsolUser cmdlet, provides you with a list of users that are assigned to admin roles.

In the next part, we will continue to look at some more examples of the Get-MsolUser cmdlet.
