Assign admin roles to users in Microsoft 365
Microsoft 365 uses administrator roles to assign specific administrative functions to users. Each administrator role maps to common business functions and gives users permissions to do specific tasks in the Microsoft 365 admin center. Administrators manage the Microsoft 365 admin roles using the Microsoft 365 admin center or Windows PowerShell.
Individual service administrators can administer their services on the highest level, while the Global administrator role simply includes all these service administrator roles. The following diagram shows this relationship.
Note
All service administrator roles are included in the Global administrator role, not just the four service admin roles shown here. The purpose of the following diagram is to illustrate the relationship between all service administrator roles and the Global administrator role.
Assign admin roles in Microsoft 365
The Microsoft 365 administrator roles aren't mutually exclusive. An administrator can optionally combine them by assigning multiple admin roles to a user, such as the Exchange admin, SharePoint admin, and User Management admin roles.
Admin roles are based on groups held in Microsoft Entra ID. Even though the Microsoft Entra admin center doesn't display these groups, an administrator can assign them in either the Microsoft 365 admin center or Windows PowerShell.
To assign admin roles in Microsoft 365 admin center, you must sign in using a Global admin account and follow these steps:
- In the Microsoft 365 admin center, select Users, and then select Active Users.
- On the Active users page, choose the user whose administrator role you want to change. The Properties page for the user opens.
- Next to Roles, select Edit.
- On the Edit user roles page, choose one of the following options:
  - User (no administrator access)
  - Global administrator
  - Customized administrator (to see a list of admin roles)
- In the Alternative email address field, enter an address that Microsoft 365 uses for important notifications, including resetting your administrator password. The address doesn't have to be connected to Microsoft 365.
- To close the Edit user roles page, select Save.
Assign admin roles in Windows PowerShell
Microsoft 365 administrators who prefer to use Windows PowerShell to perform Microsoft 365 tenant maintenance can use the Microsoft Graph PowerShell module to assign administrator roles. An administrator needs the following pieces of data to assign an admin role to a user:
- The object ID of the user.
- The object ID of the directory role.
You can get the object ID of the user by using the Get-MgUser cmdlet to get a list of all the users. For example:
Install-Module Microsoft.Graph -Scope CurrentUser
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -Scopes 'User.Read.All', 'RoleManagement.ReadWrite.Directory'
Get-MgUser -All | Format-List ID, DisplayName, Mail, UserPrincipalName
Id : e4e2b110-8d4f-434f-a990-7cd63e23aed6
DisplayName : Joni Sherman
Mail : JoniS@contoso.com
UserPrincipalName : JoniS@contoso.com
Id : dba12422-ac75-486a-a960-cd7cb3f6963f
DisplayName : Adele Vance
Mail : AdeleV@contoso.com
UserPrincipalName : AdeleV@contoso.com
To retrieve the object ID of the role, it's important to note that Microsoft Graph PowerShell only displays the admin roles that are "activated" (another term for activated roles is "enabled" roles). The system activates a role when you perform one of the following tasks:
- You manually activate the role (even if it has no users assigned to it).
- You assign one or more active users to the role.
To view the activated roles, run the Get-MgDirectoryRole cmdlet. If the role you want to assign appears in this list, you can add the activated role to a user account. If you don't see the role in the list, you must activate it before assigning it to a user.
To retrieve the object ID of a particular role, you can run the following command to display a list of all activated directory roles:
Get-MgDirectoryRole | Format-List
DeletedDateTime :
Description : Can manage all aspects of Microsoft Entra ID and Microsoft services that use Microsoft Entra identities.
DisplayName : Global Administrator
Id : a2d10e79-df32-47fc-86ef-64d199860810
Members :
RoleTemplateId : 1f12db9c-dbb3-410d-a893-4c0bc322bf85
ScopedMembers :
AdditionalProperties : {}
Assign an activated role to a user account
In the prior example, only one activated role exists - the Global Administrator role. Let's assume you want to assign Joni Sherman to this role. Since you now have the object ID for both the user and the role, you can assign the user to the role by running the following commands.
Note
The first command sets the value of the variable $UserObjectId to a reference to the user's object ID. The second command uses the New-MgDirectoryRoleMemberByRef cmdlet to add that reference as a member of the Global Administrator role, which is the directory role identified by the DirectoryRoleId parameter.
$UserObjectId = @{ "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/e4e2b110-8d4f-434f-a990-7cd63e23aed6" }
New-MgDirectoryRoleMemberByRef -DirectoryRoleId 'a2d10e79-df32-47fc-86ef-64d199860810' -BodyParameter $UserObjectId
Activate a role using the role's template and then add the role to a user
In the prior example, only the Global Administrator role appeared in the list of activated roles when you ran the Get-MgDirectoryRole command. Let's assume you now want to assign Adele Vance to the Helpdesk Administrator role. Since the role isn't in the list, it's not active. As such, you can't assign Adele to the role. To resolve this issue, you must first activate the Helpdesk Administrator role by using its corresponding directory role template ID.
To do so, you must acquire the object ID of both the role and the role's template. You can then activate the role from the role template by running the New-MgDirectoryRole cmdlet. The following example displays the PowerShell commands required to complete these steps.
# Run the following steps to activate the Helpdesk Administrator role.
# Step 1 - Run the Get-MgDirectoryRoleTemplate command to display the list of templates for all Microsoft Entra roles. Since you plan to activate the Helpdesk Administrator role from the Helpdesk Administrator role template, you must run the command to get the object Id of this role template.
Get-MgDirectoryRoleTemplate -All | Format-List ID, DisplayName
Id : a2d10e79-df32-47fc-86ef-64d199860810
DisplayName : Global Administrator
Id : fe930be7-5e62-47db-91af-98c3a49a38b1
DisplayName : User Administrator
Id : 95e79109-95c0-4d8e-aee3-d01accf2d47b
DisplayName : Helpdesk Administrator
and so on...
# Step 2 - Activate the directory role that's based on the Helpdesk Administrator role template. Copy and paste the object Id of the Helpdesk Administrator role template from the prior command into this New-MgDirectoryRole command.
New-MgDirectoryRole -RoleTemplateId '95e79109-95c0-4d8e-aee3-d01accf2d47b'
# Step 3 - Verify the Helpdesk Administrator role now appears in the list of activated roles. When you ran the Get-MgDirectoryRole command in the prior example, only the Global Administrator role appeared. After activating the Helpdesk Administrator role from its template, this role should now appear along with the Global Administrator role.
Get-MgDirectoryRole | Format-List
DeletedDateTime :
Description : Can reset passwords for non-administrators and Helpdesk Administrators.
DisplayName : Helpdesk Administrator
Id : 227ec638-37b9-4eb7-a661-2773dcce2b36
Members :
RoleTemplateId : 95e79109-95c0-4d8e-aee3-d01accf2d47b
ScopedMembers :
AdditionalProperties : {}
DeletedDateTime :
Description : Can manage all aspects of Microsoft Entra ID and Microsoft services that use Microsoft Entra identities.
DisplayName : Global Administrator
Id : a2d10e79-df32-47fc-86ef-64d199860810
Members :
RoleTemplateId : 1f12db9c-dbb3-410d-a893-4c0bc322bf85
ScopedMembers :
AdditionalProperties : {}
After you verify in Step 3 that the Helpdesk Administrator role is activated, run the following commands to assign Adele Vance to the role.
- The first command sets the value of the variable $UserObjectId to a reference to Adele Vance's object ID.
- The second command uses the New-MgDirectoryRoleMemberByRef cmdlet to add that reference as a member of the Helpdesk Administrator role, which is the directory role identified by the DirectoryRoleId parameter.
$UserObjectId = @{ "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/dba12422-ac75-486a-a960-cd7cb3f6963f" }
New-MgDirectoryRoleMemberByRef -DirectoryRoleId '227ec638-37b9-4eb7-a661-2773dcce2b36' -BodyParameter $UserObjectId
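As an added example (not code from the page), the following script generalizes the walkthrough above: it resolves the user by UPN and the role by display name, activates the role from its template when Get-MgDirectoryRole doesn't list it yet, and adds the member only when the user doesn't already hold the role. The function name Grant-DirectoryRole is a placeholder of my own; it assumes the Microsoft.Graph module is installed and that the signed-in account can assign directory roles.

```powershell
# Added example, not part of the original page. Assumes the Microsoft.Graph module is
# installed and the signed-in account is permitted to assign directory roles.
Connect-MgGraph -Scopes 'User.Read.All', 'RoleManagement.ReadWrite.Directory'

function Grant-DirectoryRole {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$RoleDisplayName
    )
    # Resolve the user; -UserId accepts either the object ID or the UPN.
    $user = Get-MgUser -UserId $UserPrincipalName -ErrorAction Stop

    # Get-MgDirectoryRole returns only activated roles, so filter them client-side by name.
    $role = Get-MgDirectoryRole | Where-Object { $_.DisplayName -eq $RoleDisplayName }

    # Not activated yet: activate it from its role template, as in Steps 1 and 2 above.
    if (-not $role) {
        $template = Get-MgDirectoryRoleTemplate -All |
            Where-Object { $_.DisplayName -eq $RoleDisplayName }
        if (-not $template) { throw "No directory role template named '$RoleDisplayName'." }
        $role = New-MgDirectoryRole -RoleTemplateId $template.Id
        Write-Host "Activated role '$RoleDisplayName' (role ID $($role.Id))."
    }

    # Skip users who already hold the role; Graph rejects adding a member that already exists.
    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
    if ($members.Id -contains $user.Id) {
        Write-Host "$UserPrincipalName already holds '$RoleDisplayName'; nothing to do."
        return
    }

    # Add the member by reference, using the directoryObjects URL of the user object.
    $ref = @{ '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)" }
    New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -BodyParameter $ref
    Write-Host "Assigned '$RoleDisplayName' to $UserPrincipalName."
}

# Reproduce the page's walkthrough for Adele Vance (sample user from the page).
Grant-DirectoryRole -UserPrincipalName 'AdeleV@contoso.com' -RoleDisplayName 'Helpdesk Administrator'

# Review who holds Global Administrator after the change, since that role includes every service admin role.
$ga = Get-MgDirectoryRole | Where-Object { $_.DisplayName -eq 'Global Administrator' }
Get-MgDirectoryRoleMember -DirectoryRoleId $ga.Id -All |
    ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }
```

Running the same call twice is safe: the second run reports that the user already holds the role instead of failing on the duplicate member reference.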