--- Sjoerd Hooft's InFormation Technology ---


Manage Global Admins in Office 365

One of the biggest mistakes in Office 365 management is assigning the Global Admin permission to user accounts. Even though you manage Office 365 from your browser, which automatically signs you in with your user account, you should always perform administration with your admin account. So change it, and fast.

List and Export Global Admins in Office 365

First step is to know

PS C:\Users\sjoerd\Desktop> Connect-MsolService
PS C:\Users\sjoerd\Desktop> Get-MsolUser
WARNING: More results are available. Please specify one of the All or MaxResults parameters.
PS C:\Users\sjoerd\Desktop> Get-MsolRole -RoleName "Company Administrator"
ObjectId                               Name                             Description
--------                               ----                             -----------
62e90394-69f5-4237-9190-012177145e10   Company Administrator            Company Administrator role has full access t...
PS C:\Users\sjoerd\Desktop> $role = Get-MsolRole -RoleName "Company Administrator"
PS C:\Users\sjoerd\Desktop> Get-MsolRoleMember -RoleObjectId $role.ObjectId
RoleMemberType EmailAddress                       DisplayName                  isLicensed
-------------- ------------                       -----------                  ----------
User              Sjoerd Hooft                 False
User         Sjoerd Hooft (Admin)         True
PS C:\Users\sjoerd\Desktop>

- Do you need to be licensed - export data

Get All Admins

foreach ($role in (Get-MsolRole)) { $role.Name; Get-MsolRoleMember -RoleObjectId $role.ObjectId | Format-Table }

Export All Admins to CSV File

This script exports all admin roles and additional info about the admin accounts to a csv file:

$startdir = "D:\admin"
$csvfile = "$startdir\roles.csv"
# Define csv table
$arrPermissions = @()
# Define a start number for easy counting
$i = 1
$roles = Get-MsolRole
foreach ($role in $roles) {
    $members = Get-MsolRoleMember -RoleObjectId $role.ObjectId.Guid
    #if (!$members) { continue }
    foreach ($member in $members) {
        $objPermissions = New-Object PSObject
        Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "Number" -Value $i
        Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "Role" -Value $role.Name
        Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "UPN" -Value $member.EmailAddress
        Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "Display Name" -Value $member.DisplayName
        Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "Type" -Value $member.RoleMemberType
        Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "isLicensed" -Value $member.isLicensed
        if ($member.RoleMemberType -ne "ServicePrincipal") {
            Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "isSynced" -Value (&{If((Get-MsolUser -UserPrincipalName $member.EmailAddress).LastDirsyncTime) {"True"} Else {"False"}})
            Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "PasswordNeverExpires" -Value (&{If((Get-MsolUser -UserPrincipalName $member.EmailAddress).PasswordNeverExpires) {"True"} Else {"False"}})
            # Because we enable MFA using a location based access rule the MFA setting is not set, so the line below does not work as expected
            # Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "MFA Enabled" -Value (&{If((Get-MsolUser -UserPrincipalName $member.EmailAddress).StrongAuthenticationRequirements.State) {"True"} Else {"False"}})
            # So instead we check if the StrongAuthenticationMethods is empty, as this one is filled after configuring MFA by the user
            Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "MFA Enabled" -Value (&{If((Get-MsolUser -UserPrincipalName $member.EmailAddress).StrongAuthenticationMethods) {"True"} Else {"False"}})
        }
        else {
            # Export-Csv takes its columns from the first object, so service principals get the same columns with empty values
            Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "isSynced" -Value ""
            Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "PasswordNeverExpires" -Value ""
            Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "MFA Enabled" -Value ""
        }
        # Add the row to the table and move the counter on
        $arrPermissions += $objPermissions
        $i++
    }
}
$arrPermissions | Export-Csv -NoTypeInformation $csvfile
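
Once the export exists, it can be reviewed for the problem this page describes. The block below is an added example, not part of the original page: the function name `Get-AdminRoleFinding`, the sample rows and the three checks are assumptions for illustration (the "(Admin)" naming convention is taken from the sample output above, and preferring cloud-only admin accounts is an assumed policy).

```powershell
# Constructed sample rows in the column layout of roles.csv.
# Against a real export use: $rows = Import-Csv "D:\admin\roles.csv"
$rows = @'
"Number","Role","UPN","Display Name","Type","isLicensed","isSynced","PasswordNeverExpires","MFA Enabled"
"1","Company Administrator","alice@example.com","Alice Example","User","True","True","False","True"
"2","Company Administrator","adm-alice@example.onmicrosoft.com","Alice Example (Admin)","User","False","False","False","True"
"3","Company Administrator","adm-bob@example.onmicrosoft.com","Bob Example (Admin)","User","False","False","False","False"
"4","Helpdesk Administrator","carol@example.com","Carol Example","User","True","True","False","True"
"5","Directory Readers","","Sample App","ServicePrincipal","False","","",""
'@ | ConvertFrom-Csv

function Get-AdminRoleFinding {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,
        # "Company Administrator" is the role name Get-MsolRole returns for Global Admin
        [string] $GlobalAdminRole = "Company Administrator",
        # Assumed naming convention for dedicated admin accounts
        [string] $AdminNamePattern = "*(Admin)"
    )
    foreach ($row in $Rows) {
        # Service principals have no user properties to review
        if ($row.Type -ne "User") { continue }
        $findings = @()
        $isGlobalAdmin = $row.Role -eq $GlobalAdminRole
        if ($isGlobalAdmin -and $row.'Display Name' -notlike $AdminNamePattern) {
            $findings += "Global Admin on a regular user account"
        }
        if ($isGlobalAdmin -and $row.isSynced -eq "True") {
            $findings += "Global Admin synced from on-premises"
        }
        if ($row.'MFA Enabled' -ne "True") {
            $findings += "no MFA method registered"
        }
        if ($findings.Count -gt 0) {
            [PSCustomObject]@{
                UPN      = $row.UPN
                Role     = $row.Role
                Findings = $findings -join "; "
            }
        }
    }
}

# With the sample rows this reports alice@example.com (two findings) and adm-bob (no MFA method)
Get-AdminRoleFinding -Rows $rows | Format-Table -AutoSize -Wrap
```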


o365globaladmins.txt · Last modified: 2018/07/06 13:21 by sjoerd