Teams Admin Read-Only Permissions

Awais Khalid 141 Reputation points
2022-09-21T08:01:06.533+00:00

We would like to give access to someone who is outside our organization, and we need to provide the permissions to see the teams created in our Teams Admin center, users, phone numbers, devices as well as policies; we want to give read-only permissions. I tried to create a custom role using the code below, but that did not work.

Is there a way which could help us to manage this issue even by using PowerShell or Graph API or any other tool?

# Requires the AzureAD PowerShell module and an authenticated session
Connect-AzureAD

# Basic role information
$displayName = "Read-Only Permission Teams"
$description = "Can manage basic aspects of application registrations."
$templateId  = (New-Guid).Guid

# Set of permissions to grant (all read-only directory actions)
$allowedResourceAction = @(
    "microsoft.directory/administrativeUnits/standard/read",
    "microsoft.directory/administrativeUnits/members/read",
    "microsoft.directory/applications/standard/read",
    "microsoft.directory/applications/owners/read",
    "microsoft.directory/applications/policies/read",
    "microsoft.directory/contacts/standard/read",
    "microsoft.directory/contacts/memberOf/read",
    "microsoft.directory/contracts/standard/read",
    "microsoft.directory/devices/standard/read",
    "microsoft.directory/devices/memberOf/read",
    "microsoft.directory/devices/registeredOwners/read",
    "microsoft.directory/devices/registeredUsers/read",
    "microsoft.directory/directoryRoles/standard/read",
    "microsoft.directory/directoryRoles/eligibleMembers/read",
    "microsoft.directory/directoryRoles/members/read",
    "microsoft.directory/domains/standard/read",
    "microsoft.directory/groups/standard/read",
    "microsoft.directory/groups/appRoleAssignments/read",
    "microsoft.directory/groups/memberOf/read",
    "microsoft.directory/groups/members/read",
    "microsoft.directory/groups/owners/read",
    "microsoft.directory/groups/settings/read",
    "microsoft.directory/groupSettings/standard/read",
    "microsoft.directory/groupSettingTemplates/standard/read",
    "microsoft.directory/oAuth2PermissionGrants/standard/read",
    "microsoft.directory/organization/standard/read",
    "microsoft.directory/organization/trustedCAsForPasswordlessAuth/read",
    "microsoft.directory/applicationPolicies/standard/read",
    "microsoft.directory/roleAssignments/standard/read",
    "microsoft.directory/roleDefinitions/standard/read",
    "microsoft.directory/servicePrincipals/appRoleAssignedTo/read",
    "microsoft.directory/servicePrincipals/appRoleAssignments/read",
    "microsoft.directory/servicePrincipals/standard/read",
    "microsoft.directory/servicePrincipals/memberOf/read",
    "microsoft.directory/servicePrincipals/oAuth2PermissionGrants/read",
    "microsoft.directory/servicePrincipals/owners/read",
    "microsoft.directory/servicePrincipals/ownedObjects/read",
    "microsoft.directory/servicePrincipals/policies/read",
    "microsoft.directory/subscribedSkus/standard/read",
    "microsoft.directory/users/standard/read",
    "microsoft.directory/users/appRoleAssignments/read",
    "microsoft.directory/users/deviceForResourceAccount/read",
    "microsoft.directory/users/directReports/read",
    "microsoft.directory/users/licenseDetails/read",
    "microsoft.directory/users/manager/read",
    "microsoft.directory/users/memberOf/read",
    "microsoft.directory/users/oAuth2PermissionGrants/read",
    "microsoft.directory/users/ownedDevices/read",
    "microsoft.directory/users/ownedObjects/read",
    "microsoft.directory/users/photo/read",
    "microsoft.directory/users/registeredDevices/read",
    "microsoft.directory/users/scopedRoleMemberOf/read"
)
$rolePermissions = @{ 'allowedResourceActions' = $allowedResourceAction }

# Create the new custom admin role (a directory role; it is not visible to the Teams admin center)
$customAdmin = New-AzureADMSRoleDefinition -RolePermissions $rolePermissions -DisplayName $displayName -Description $description -TemplateId $templateId -IsEnabled $true


Accepted answer
Vasil Michev 96,836 Reputation points MVP
2022-09-21T09:56:01.65+00:00

    No, there is no way to do this. The Teams admin center does not support custom RBAC roles, you can only use one of the predefined ones. Moreover, there is no "read only" Teams-specific role, at best you can use the Global Reader role.
    Also, none of this applies to External/Guest users, admin permissions for such are not supported. Create a regular user account instead and grant one of the existing roles.

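One way to carry out what the accepted answer recommends, written here as an added example rather than code from the thread: create a regular member account for the external person and assign the built-in Global Reader role, using the same AzureAD module the question used. The UPN, display name and mail nickname are placeholders, and the session must already hold a role that can create users and assign directory roles.

```powershell
# Added example, not from the thread. Assumes an AzureAD module session with rights to
# create users and assign directory roles; the UPN/display name below are placeholders.
Connect-AzureAD | Out-Null

$roleName = "Global Reader"                    # built-in tenant-wide read-only role
$upn      = "teams-readonly@contoso.example"   # placeholder: a member account, not a guest

# 1. Generate a one-time initial password from a CSPRNG (the user must change it at first sign-in).
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 24
$rng.GetBytes($bytes)
$pp = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$pp.Password = [Convert]::ToBase64String($bytes)
$pp.ForceChangePasswordNextLogin = $true

# 2. Create a regular (member) account; guest accounts cannot hold admin roles.
$user = New-AzureADUser -DisplayName "Teams Read-Only (external)" `
                        -UserPrincipalName $upn `
                        -MailNickName "teams-readonly" `
                        -AccountEnabled $true `
                        -PasswordProfile $pp
if ($user.UserType -ne "Member") {
    throw "Admin roles require a Member account; got UserType '$($user.UserType)'"
}

# 3. Resolve the built-in role. A role only appears in Get-AzureADDirectoryRole once it has
#    been activated in the tenant, so activate it from its template on first use.
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $roleName }
if (-not $role) {
    $tpl  = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq $roleName }
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $tpl.ObjectId
}

# 4. Assign the built-in role (no custom role definition involved).
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId

# 5. Verify least privilege: the account should hold exactly this one role.
$assigned = Get-AzureADDirectoryRole | Where-Object {
    (Get-AzureADDirectoryRoleMember -ObjectId $_.ObjectId).ObjectId -contains $user.ObjectId
}
$assigned | Select-Object DisplayName
if (($assigned | Measure-Object).Count -ne 1) {
    Write-Warning "Unexpected role set on $upn; review before handing over the account"
}
Write-Host "Initial password for $upn (deliver out of band): $($pp.Password)"
```

Global Reader is read-only but tenant-wide; if the person only needs one of the Teams roles the second answer lists, change $roleName to that role's display name instead.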

1 additional answer

SokiGuo-MSFT 24,031 Reputation points Microsoft Vendor
2022-09-22T07:22:21.023+00:00

    Hi @Awais Khalid

    Currently, Teams does not provide read-only administrator permissions.

    It provides several Teams admin roles: Teams administrator, Teams communications administrator, Teams communications support specialist, Teams communications support engineer, and Teams Device Administrator. You could review this article to understand what each role can do, and which tools the admin can use in the Microsoft Teams admin center.

    To get this feature more quickly, I have found a feedback item in Teams UserVoice and you could vote for it.

    Microsoft will always focus on customers' feedback and experience, some new features would be added to the services based on customers' feedback in the future, and your good ideas will be very helpful for them to improve the service. Your time, understanding and cooperation will be highly appreciated.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.