Understanding the roles within Office 365 administration

Understanding the roles within Office 365 administration

Are you Office 365 Global Administrator? Do you understand the roles available within Office 365 Administrator for granting access?

The answer is probably no, as in my experience customers or Global Administrators don’t really understand the options that are available without Professor Google.

The below table lists all the available roles that are currently in action within Office 365. So whether you are a Helpdesk Admin or a dedicated Exchange Admin, Office 365 has the correct roles that fits your needs.

Global admin Global administrator

Accesses all administrative features in the Office 365 suite of services in your plan, including Skype for Business. By default the person who signs up to buy Office 365 becomes a global admin.

Global admins are the only admins who can assign other admin roles. You can have more than one global admin in your organization. As a best practice we recommend that only a few people in your company have this role. It reduces the risk to your business.

Tip: Make sure everyone who is a global admin in your organization has a mobile phone number and alternate email address in their contact info. Check out Change your organization’s address, technical contact email, and other information for more details.

Credit card Billing administrator Makes purchases, manages subscriptions, manages support tickets, and monitors service health.
Exchange OnlineExchange administrator Manages mailboxes and anti-spam policies for your business, using the Exchange admin center. Can view all the activity reports in the Office 365 admin center.

Someone with BOTH the Exchange admin role and the user management role can create and manage Office 365 groups in the Office 365 admin center.

To learn more, see About the Exchange Online admin role.

SharePoint adminSharePoint administrator Manages file storage for your organization in SharePoint Online and OneDrive. They do this in the SharePoint admin center. They can also assign other people to be site collection administrators and term store administrators.

Permissions assigned to SharePoint sites are completely separate from the Office 365 global admin role. You can be a global admin without access to a SharePoint site if you weren’t added to it or didn’t create the site.

People in this role can also can view all the activity reports in the Office 365 admin center.

To learn more, see About the SharePoint admin role.

Key, permissions Password administrator Resets passwords, manages support tickets, and monitors service health. Password admins are limited to resetting passwords for users.
Skype for Business OnlineSkype for Business administrator (Also includes Microsoft Teams) Configures Skype for Business/Microsoft Teams for your organization and can view all the activity reports in the Office 365 admin center.

To learn more, see About the Skype for Business admin role.

Headset Service administrator Opens support tickets with Microsoft, and views the service dashboard and message center. They have “view only” permissions except for opening support tickets and reading them.

Tip: People who are assigned to the Exchange Online, SharePoint Online, and Skype for Business admin roles should also be assigned to the Service admin role. This way they can see important information in the Office 365 admin center, such as the health of the service, and change and release notifications.

User User management administrator Resets passwords, monitors service health, adds and deletes user accounts, manages support tickets, adds and removes members from Office 365 groups. The user management admin can’t delete a global admin, create other admin roles, or reset passwords for global, billing, Exchange, SharePoint, Compliance and Skype for Business admins.

Someone with BOTH the Exchange admin role and the user management role can create and manage Office 365 groups in the Office 365 admin center.

Reporting reader admin Reports reader Can view all the activity reports in the Office 365 admin center and any reports exposed through the reporting APIs.
Security and Compliance center roles If you have an Office 365 E3 or E5 business subscription, it includes security and compliance tools. In that case, you have access to these additional roles: Compliance administrator, eDiscovery Manager, Organization management, Reviewer, Security Administrator, Security Reader, Service Assurance User, Supervisory Review.

To learn more about them, see Permissions in the Office 365 Security & Compliance Center.

Icon for Dynamics 365Dynamics 365 (online) When a person is assigned to the Office 365 global administrator role, they are automatically assigned to the System Administrator security role in Dynamics 365 (online).

A person assigned to the System Administrator security role in Dynamics 365 can assign other people to Dynamics 365 security roles. With the System Administrator security role, you can manage all aspects of Dynamics 365. For more information about Dynamics 365 security roles, check out Manage subscriptions, licenses, and user accounts.

Icon for Dynamics 365

Dynamics 365 service administrator

Use this new role to assign users to manage Dynamics 365 at the tenant level without having to assign the more powerful Office 365 global admin privileges. A Dynamics 365 service admin can sign in to the Dynamics 365 admin center to manage instances. A person with this role cannot do functions restricted to the Office 365 global admin such as manage user accounts, manage subscriptions, access settings for Office 365 apps like Exchange or SharePoint.

Check out Use the Dynamics 365 service admin role to manage your tenant to learn more.

Power BI administrator A person assigned to the Power BI admin role will have access to Office 365 Power BI usage metrics. They’ll also be able to control your organization’s usage of Power BI features. For more information about administering Power BI, see Administering Power BI in your organization.
Message Center reader

Monitors changes to the service and can view all posts to the Message center in Office 365 and share Message center posts with others through email. Users assigned this role also have read-only access to some admin center resources, such as users, groups, domains, and subscriptions

The above information has been taken from Microsoft and reposted for public awareness.

Regards,
The Author

Granting permissions to users based on Group Membership with PowerShell

Granting permissions to users based on Group Membership with PowerShell

Hello,

Question: Have you ever had to perform a task for multiple users like granting a permission, policy or something else? and did you do it manually?

I can honestly say I have and it was so time consuming, especially when we have free tools available to use to perform theses actions within seconds/minutes instead of hours/days.

I have generated a script below which I have created to grant a Skype for Business Online policy to a number of users based on their Group Membership. Before you run this script the following assumputions will be made.

  • You have a basic understanding of PowerShell Scripting
  • You have modified all locations shown with ‘#########’ to your requirements

For the below script I have left in ‘IMOnly’ to show exactly what this script is designed to achieve. If a User doesnt have the IMOnly policy they will be granted the policy but if a User already has IMOnly granted. The script will skip the user and generate an output on screen plus to a definited .txt file before moving onto the next user.


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
clear-host
# Define Service Account
$username = '#########'
$password = '#########'
$pass = Convertto-Securestring -String $password -asPlaintext -Force
$credential = New-Object -TypeName System.Management.Automation.PScredential -ArgumentList ($username, $pass)

# Connect to Office 365
Import-Module MSOnline
Connect-MsolService -Credential $credential

# Connect to Skype for Business Online
Import-Module -Name SkypeOnlineConnector
$sfboSession = New-CsOnlineSession -Credential $credential
Import-PSSession -Session $sfboSession -AllowClobber

# Get Group Members
Get-MsolGroupMember -GroupObjectId '#########' | export-csv -Path $env:HOMEDRIVE\INSTALL\#########.csv

# Import Users
$csv = Import-Csv -Path $env:HOMEDRIVE\#########\#########.csv

# Assign CsClientPolicy
Foreach ($row in $csv) {
If(Get-CsOnlineUser -Identity $row.EmailAddress | Where-object {$_.ClientPolicy -notcontains 'IMOnly'})
{
Grant-CsClientPolicy -Identity $row.EmailAddress -PolicyName 'IMOnly'
}
else
{
Write-Host -ForegroundColor Yellow $row.EmailAddress "Skipped User"
get-csonlineuser -id $row.EmailAddress | Where-object {$_.ClientPolicy -contains 'IMOnly'} | select-object DisplayName,ClientPolicy | out-file -FilePath $env:HOMEDRIVE\INSTALL\groupuserenbled.txt
}
}

You can also complete this command for On-Premises users by modifying the script to use Get-ADGroupMember as shown below.


1
2
# Get Group Members
Get-ADGroupMember -Identity '#########' | export-csv -Path $env:HOMEDRIVE\INSTALL\#########.csv

This script can be modified to complete other provisioning based on Group Membership, just copy and paste into PowerShell ISE and make the necessary changes

Regards

The Author

Working with PowerShell Global Variables

Working with PowerShell Global Variables

Hello,

I have been recently working on a number of PowerShell scripts which have several different “Functions” and found that I need to use variables that may have been previous set in a previous Function action. If a variable has been set in a function we are not able to just use the $Variable name in the following function so, as we don’t want to be prompting for the same information over and over again we can get around this issue by using Global Variables.

Example script without a global variable.

The following script shows that $accountname prompt has been specified in both functions increase the manual input require to action this script. This is an acceptable method if you wanted to be prompted but in a scripting scenario PowerShell can do a lot more to reduce the need for manual input.


1
2
3
4
5
6
7
8
9
10
Function Get-Mailbox {
$accountname = Read-Host -Prompt 'Please enter - Account Name'
Get-Mailbox -Name $AccountName
}

Function Set-Mailbox{
$accountname = Read-Host -Prompt 'Please enter - Account Name'
$password = Read-Host -Prompt 'Please enter - Password'
Set-Mailbox -Name $accountname -Password $password
}

Example script a global variable.

The following script is now using $Global:AccounName which sits outside of the Function blocks and looks at the $accountname variable when it has been specified or called into action. So any other functions within the script which require the $accountname variable will now be defined as $Global:AccountName as shown below.


1
2
3
4
5
6
7
8
9
10
11
$Global:AccountName = $accountname

Function Get-Mailbox {
$accountname = Read-Host -Prompt 'Please enter - Account Name'
Get-Mailbox -Name $AccountName
}

Function Set-Mailbox {
$password = Read-Host -Prompt 'Please enter - Password'
Set-Mailbox -Name $Global:AccountName -Password $password
}

This concludes how to use a Global Variable within your PowerShell script.

Remember: PowerShell is one of the most powerful tools available to all IT Professional and the best of it…. It’s FREE. It only requires you to launch the PowerShell Consoles whether that maybe PowerShell or PowerShell ISE. Start your PowerShell journey today and script actions you complete on a day to day basis to reduce the time and effort required.

Regards

The Author – Blogabout.Cloud

Notes from the Field: KB298200 – The update is not applicable to your computer

Notes from the Field: KB298200 – The update is not applicable to your computer

Hello Reader,

In this “Notes from the Field” post we will look at a common Skype for Business error which you may encounter when installing a Skype for Business Front End for the first time.

As you can see from the image below we have encountered an error during the the deployment wizard when installing a Skype for Business Front End for the first time on a newly built Windows 2012 R2 Server.

After downloading KB298200 and attempting to install the required Windows Update the following error occurs;

In order to resolve this issue effectively we need to download the latest Skype for Business Server Cumulative Update. This error was resolved in Skype for Business Server cumulative update Janaury 2018. A good point of reference for all Skype for Business Server CU, head over to https://blogs.technet.microsoft.com/uclobby/2015/06/22/skype-for-business-2015-cumulative-update-list/ 

First of all, you will need to stop all Skype for Business Service and this can be done easily using the following PowerShell cmdlet:

Stop-CSWindowsService

Launch the Skype for Business Update Installer and click ‘Install Updates’

Once the installation has been completed you will be able to complete the deployment wizard process with a successful outcome.

Please Note: You will need to re-run the Skype for Business Update Installer to patch the rest of the Skype for Business services.

Regards

Author – Blogabout.Cloud

Windows 10 Fall Creator Update 1709 – Sysprep was not able to validate your Windows installation

Windows 10 Fall Creator Update 1709 – Sysprep was not able to validate your Windows installation

Hello Reader,

In this post, we will look at a known bug within the Windows 10 Fall Creators Update 1709, where you are unable to perform a sysprep of a Windows 10 workstation running update 1709. This is a little annoying bug which prevents sysprep from running.

The error messages as shown below provides you with a bit of detail and a UNC Folder to check the log file for more information.
Sysprep was not able to validate your Windows installation.
Review the log file at:
%WINDIR%\Systems32\Sysprep\Panther\setupact.log for details. After resolving this issue, use sysprep to valiate your installation again.

This error seems to be caused by Windows 10 Store Apps updating within the background, we can prevent this from happening by adding the following reg key either by using regedit or Powershell. As I am a big avodate of PowerShell I will using show the deployment and removal of this key using PowerShell.

Identifiying the Windows 10 Applications.

Using the path provided within the sysprep error message you will be able to easily identify the problem application, this is case the problem was being caused by the SketchBook application. Once removing SketchBook app the problem persisted as a number of other apps needs to be removed also.

Video demostration.

You can find a video of each application being removed until sysprep was able to successfully execute.

We hope that this post has helped your issue.

Regards
Author