Saturday, October 18, 2025
Export Users with Admin Role in Microsoft 365 — LazyAdmin


Keeping track of users with admin roles in Microsoft 365 is important to make sure that no user has more permissions than needed. What I often see when a user needs access to the Microsoft 365 Admin Center is that the Global Admin permission is given way too easily.

When it comes to permissions, it's always important to follow the principle of least privilege. This is where you grant a user the minimum amount of permissions needed to do their work.

In this article, I'll show you three methods to view and export all users with an admin role in Microsoft 365.

Method 1 – Using the Admin Center

We can view the role assignments in the Microsoft 365 Admin Center under Roles > Role assignments. The only problem is that you will need to open each individual role to view which users have the role assigned.

However, we can export a list of users with the roles assigned to them from the admin center. This is by far the easiest way to quickly view all the assignments. Follow the steps below to open the Role Assignment page in the admin center or use this direct link.

  1. Open the M365 Admin Center
  2. Expand Roles and open Role assignments
  3. Click on Export Admin Lists

Method 2 – Using Microsoft Entra

We can also view and manage the roles and admins in Microsoft Entra, of course. Just like in the admin center, we can download a list of all assignments:

  1. Open Microsoft Entra
  2. Under Identity expand Roles and Admins
  3. Open Roles & Admins
  4. Click on Download assignments

Method 3 – Using PowerShell

Another option to view all users with an admin role in your tenant is by using PowerShell. The advantage of PowerShell is that you can modify the results to your needs, for example if you want to list the department or manager of the users in the results as well.

The script below is a simple version that you can extend further to your needs. We will be using Microsoft Graph with the RoleManagement.Read.Directory and User.Read.All scopes.

We will first get all available roles and then look up which users have the role assigned. The results are sorted by user so that you can easily see when a user has multiple roles.

param (
    [Parameter(
        Mandatory = $false,
        HelpMessage = "Get only users with an admin role"
      )]
    [switch]$usersOnly = $true,

    [Parameter(
        Mandatory = $false,
        HelpMessage = "Enter path to save the CSV file"
      )]
      [string]$path = ".\Users-with-admin-role-$((Get-Date -format "MMM-dd-yyyy").ToString()).csv"
)

# Check if the MS Graph module is installed
if (Get-InstalledModule Microsoft.Graph) {
    # Connect to MS Graph with read-only scopes for roles and users
    Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "User.Read.All" -NoWelcome
}else{
    Write-Host "Microsoft Graph module not found - please install it" -ForegroundColor Black -BackgroundColor Yellow
    exit
}

# Initialize an array to store the results
$results = @()

# Get all directory roles and loop through each role
Get-MgDirectoryRole | ForEach-Object {

    # Get members of the current role
    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $_.Id
    
    # Process each member
    foreach ($member in $members) {

        # Only process user objects (skip groups or service principals)
        if ($usersOnly -and ($member.AdditionalProperties.'@odata.type' -ne '#microsoft.graph.user')) {
            continue
        }
        # Get the user's details
        $user = Get-MgUser -UserId $member.Id -Property "Id,UserPrincipalName,DisplayName,AccountEnabled"
    
        # Create a new entry for each user-role combination
        $results += [PSCustomObject]@{
            DisplayName = $user.DisplayName
            Role = $_.DisplayName
            AccountEnabled = $user.AccountEnabled
            UserPrincipalName = $user.UserPrincipalName
        }
    }
}

# Show the results sorted by user; replace Out-GridView with the commented Export-Csv to write the CSV file
$results | Sort-Object UserPrincipalName, Role | Out-GridView # Export-Csv -Path $path -NoTypeInformation -Encoding Utf8

You can get the complete script here from my GitHub repository.

Wrapping Up

It's important to keep track of which roles users have. When assigning roles to a user, make sure that you assign a role with the least privileges needed.

If you have any questions, just drop a comment below.
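To turn the export into a least-privilege review, the following added example (not part of the original script or the author's repository) groups the rows per user and flags Global Administrator holders, users with more roles than a chosen threshold, and disabled accounts that still hold a role. The function name Get-AdminRoleReview, the $MaxRoles threshold and the sample rows are assumptions made for illustration; the column names match the script's output.

```powershell
# Constructed sample rows in the same shape as the script's output.
# For a real review use: $rows = Import-Csv -Path <path to your export>
$rows = @(
    [PSCustomObject]@{ DisplayName = 'Alice Example'; Role = 'Global Administrator';   AccountEnabled = $true;  UserPrincipalName = 'alice@contoso.example' }
    [PSCustomObject]@{ DisplayName = 'Alice Example'; Role = 'Exchange Administrator'; AccountEnabled = $true;  UserPrincipalName = 'alice@contoso.example' }
    [PSCustomObject]@{ DisplayName = 'Alice Example'; Role = 'User Administrator';     AccountEnabled = $true;  UserPrincipalName = 'alice@contoso.example' }
    [PSCustomObject]@{ DisplayName = 'Bob Example';   Role = 'Helpdesk Administrator'; AccountEnabled = $true;  UserPrincipalName = 'bob@contoso.example' }
    [PSCustomObject]@{ DisplayName = 'Carol Example'; Role = 'Security Reader';        AccountEnabled = $false; UserPrincipalName = 'carol@contoso.example' }
)

function Get-AdminRoleReview {
    param(
        [Parameter(Mandatory)] [object[]]$Rows,
        [int]$MaxRoles = 2   # assumption: more roles than this gets flagged for review
    )

    $Rows | Group-Object UserPrincipalName | ForEach-Object {
        # Unique role names held by this user
        $roles = @($_.Group.Role | Sort-Object -Unique)

        # AccountEnabled is a bool from the script but a string after Import-Csv
        $disabled = "$($_.Group[0].AccountEnabled)" -eq 'False'

        $findings = @()
        if ($roles -contains 'Global Administrator') { $findings += 'Holds Global Administrator' }
        if ($roles.Count -gt $MaxRoles)              { $findings += "Holds $($roles.Count) roles" }
        if ($disabled)                               { $findings += 'Disabled account still has a role' }

        [PSCustomObject]@{
            UserPrincipalName = $_.Name
            RoleCount         = $roles.Count
            Roles             = $roles -join '; '
            AccountEnabled    = -not $disabled
            Findings          = $findings -join '; '
        }
    }
}

# Show only the users that need a second look, most roles first
Get-AdminRoleReview -Rows $rows |
    Where-Object Findings |
    Sort-Object RoleCount -Descending |
    Format-Table UserPrincipalName, RoleCount, AccountEnabled, Findings -AutoSize
```

With the sample rows, alice and carol are listed and bob is not, because a single non-global role on an enabled account raises no finding.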
