Admin roles are the keys to your kingdom
Office 365 allows organizations to granularly delegate administrative privileges.
Office 365 contains a lot of built-in administrative roles. Among them we find Global Administrator, Exchange administrator, User Account Administrator, Billing Administrator, Global reader, etc.
Those privileges must be audited regularly.
When you have only a few IT guys, it is pretty straightforward to identify the admin roles. But when you have a big tenant and/or a lot of admins, it becomes hard to track the changes. Indeed, neither the Office 365 portal nor the Azure AD portal provides any admin role report.
This post provides two scripts:
- one script to track the admin role changes during the last 90 days
- one script to get a report about Microsoft 365 admin roles and their members
Track Office 365 admin role changes
The following PowerShell script generates a report about all the changes to the admin roles (members added or removed). You can find the latest version of this script on my GitHub:
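An added example, not the author's script from GitHub: one way to flatten role membership audit records into report rows. The function name, the sample records and the assumed AuditData layout (`ModifiedProperties` with a `Role.DisplayName` entry) are illustrative assumptions; check them against records from your own tenant.

```powershell
# Added example (not the author's script). Turns unified audit log records for
# role membership changes into flat report rows.
# Assumption: AuditData carries ModifiedProperties with a 'Role.DisplayName' entry.
function ConvertTo-RoleChangeRow {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$AuditData   # JSON string taken from the AuditData property
    )
    process {
        $r = $AuditData | ConvertFrom-Json
        $roleProp = $r.ModifiedProperties | Where-Object Name -eq 'Role.DisplayName'
        # Adds carry the role name in NewValue, removals in OldValue.
        $role = @($roleProp.NewValue, $roleProp.OldValue) |
            Where-Object { $_ } | Select-Object -First 1
        [pscustomobject]@{
            TimeUtc = [datetime]$r.CreationTime
            Action  = if ($r.Operation -like 'Add*') { 'Added' } else { 'Removed' }
            Role    = "$role".Trim('"')   # tolerate values stored with JSON quotes
            Member  = $r.ObjectId         # account whose membership changed
            Actor   = $r.UserId           # account that made the change
        }
    }
}

# Constructed sample records (not real tenant data) so the example runs offline.
$sample = @(
    '{"CreationTime":"2024-03-01T09:15:22","Operation":"Add member to role.","UserId":"admin1@contoso.example","ObjectId":"alice@contoso.example","ModifiedProperties":[{"Name":"Role.DisplayName","NewValue":"Exchange Administrator","OldValue":""}]}'
    '{"CreationTime":"2024-03-04T17:40:03","Operation":"Remove member from role.","UserId":"admin2@contoso.example","ObjectId":"bob@contoso.example","ModifiedProperties":[{"Name":"Role.DisplayName","NewValue":"","OldValue":"Billing Administrator"}]}'
)
$sample | ConvertTo-RoleChangeRow | Sort-Object TimeUtc | Format-Table -AutoSize

# Against a live tenant (Exchange Online PowerShell session, audit logging enabled):
# Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) `
#   -Operations 'Add member to role.','Remove member from role.' -ResultSize 5000 |
#   Select-Object -ExpandProperty AuditData | ConvertTo-RoleChangeRow
```

Rows where `Actor` is not an expected admin account, or where `Role` is a highly privileged role, are the ones to review first.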
Get a report about Microsoft 365 role group members
The following PowerShell script generates a report about all the Microsoft 365 admin roles and their members, including Privileged Identity Management assignments.
Get the latest version on my GitHub: