Many Office 365 deployments struggle with delegating permissions to specific actions or areas of administration inside the tenant.
Many simple administrative activities such as reading licensing and service plan information at the tenant and user level, require administrative access to the tenant. What Office 365 Administrator Role should be used for specific delegation scenarios?
This depends on #1) what resource is being accessed (e.g. a user, group, tenant configuration), and #2) the type of access is required (i.e. read vs write). The role used for many simple administrative tasks such as access to license information is the Service Administrator role (“Service Support Administrator” in Azure AD PowerShell). Note, the Microsoft documentation for the Office 365 Admin Roles is here: https://support.office.com/en-ie/article/about-office-365-admin-roles-da585eea-f576-4f55-a1e0-87090b6aaa9d.
So what exactly can a user with this Administrator Role do?
In a nutshell, a user holding the Service Administrator role can login to the Office 365 and can view (read access only) to most areas, however they cannot create and new objects (i.e. resources) except for opening support tickets. It’s worth pointing out that a user with this role cannot access to reports in the Office 365 Admin Portal.
Important: a user holding this role can also connect with the Office 365 PowerShell Module (Azure AD V1), and run most of the “Get” cmdlet’s which allow them to view a wide range of tenant configuration and user level details, even though some of it is restricted in the Admin Portal. They will not have access to the “Set” cmdlet’s to write any settings.
This means a Service Administrator can see a listing of resources such as Users and Groups and even the configuration details of users and groups.
However, a Service Administrator is restricted in the ability to see any Service Settings as shown here:
This Admin role does not have access to the default Reporting as shown here:
A Service Administrator can connect with the MSOnline PowerShell module and run most Get cmdlet’s, but they will get an error if they attempt to use a Set cmdlet as shown here:
If you are interested in what the “Password Administrator” / “Helpdesk Administrator” role can do, see the next blog entry:
‘What can the Office 365 “Password Administrator” / “Helpdesk Administrator” role do?‘.