
How to Export Admin Roles Report in Microsoft 365

Microsoft 365 admin role users are crucial for handling sensitive tasks, such as assigning licenses, managing user accounts, and troubleshooting user issues. However, tracking their activities is as vital as assigning necessary roles to users. Thus, we are here to help you explore methods to understand various admin roles, monitor Entra ID role assignments, and track administrative activities within Office 365.

Native Solution

Microsoft 365 Permission Required

High

Global Admin, Global Reader or a Privileged Role Administrator.

Option 1 Using Microsoft 365 Admin Center

  • Sign-in to the Microsoft 365 admin center.
  • Navigate to Roles»Role assignments.
  • Click on 'Export admin list' at the top of the page to export all the users assigned with admin roles.

Option 2 Using Microsoft Entra Admin Center

  • Login to the Microsoft Entra admin center.
  • Navigate to Identity»Roles & admins. Now, select Roles & admins to list all admin roles.
  • Select 'Download assignments' to download a CSV file detailing role assignment for users.

Option 3 Using Windows PowerShell

  • Run the below cmdlets to list all the administrative roles assigned to a Microsoft 365 user.
    Connect-MgGraph
    Get-MgUserMemberOf -UserId <UserPrincipalName> | Select-Object -ExpandProperty AdditionalProperties | Where-Object { $_.'@odata.type' -eq '#microsoft.graph.directoryRole' }
  • Replace <UserPrincipalName> with the UPN of the Microsoft 365 user.

Option 4 Using PowerShell Script

  • Since it is difficult to retrieve all users with admin roles using individual cmdlets, we have prepared a PS script to retrieve the list of all users with admin roles along with their details, such as display name, user principal name, and admin license status.
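
For a tenant-wide view built only from Graph PowerShell, the following added example (not AdminDroid's script and not taken from the original page) exports every active role assignment, including assignments held by groups and service principals that a per-user check would miss. The output file name is a hypothetical choice, and the read-only scopes shown are assumed to be consentable in your tenant.

```powershell
# Added example (not AdminDroid's script): export active Entra ID role assignments.
# Requires the Microsoft.Graph PowerShell SDK; the scopes below are read-only.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All'

# Build a lookup of role definition ID -> display name.
$roleNames = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All | ForEach-Object {
    $roleNames[$_.Id] = $_.DisplayName
}

# One row per assignment; the expanded principal can be a user, group or service principal.
$report = @(
    Get-MgRoleManagementDirectoryRoleAssignment -All -ExpandProperty principal |
        ForEach-Object {
            $p = $_.Principal.AdditionalProperties
            [pscustomobject]@{
                Role              = $roleNames[$_.RoleDefinitionId]
                PrincipalType     = $p.'@odata.type' -replace '^#microsoft\.graph\.', ''
                DisplayName       = $p.displayName
                UserPrincipalName = $p.userPrincipalName
                AccountEnabled    = $p.accountEnabled
                PrincipalId       = $_.PrincipalId
                Scope             = $_.DirectoryScopeId   # '/' means tenant-wide
            }
        }
)

# Review aids: who holds Global Administrator, and which holders are not users.
$globalAdmins = @($report | Where-Object Role -eq 'Global Administrator')
$nonUsers     = @($report | Where-Object PrincipalType -ne 'user')
Write-Host ("Assignments: {0}  Global Admins: {1}  Non-user principals: {2}" -f `
    $report.Count, $globalAdmins.Count, $nonUsers.Count)

# AdminRoleAssignments.csv is a hypothetical output file name.
$report | Sort-Object Role, DisplayName |
    Export-Csv -Path .\AdminRoleAssignments.csv -NoTypeInformation -Encoding UTF8
```

This lists active assignments only; roles that are merely eligible through Privileged Identity Management are stored separately and do not appear in this export.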
AdminDroid Solution
More than 150 reports are under the free edition.

AdminDroid Permission Required

Any user with report access delegated by the Super Admin.

Steps Using AdminDroid

  • Login to the AdminDroid Office 365 portal.
  • Navigate to the Admin Roles by Users report located under Reports»Security»Admin Reports.

Review a list of all users with their admin roles, including properties, such as department, job title, and usage location for effective user management in Microsoft 365.

  • Use the built-in charts to check the count of Microsoft 365 users with admin roles, providing comprehensive visibility into the Entra ID role assignments.

Monitor Microsoft 365 Users with Admin Roles Effectively!

Say goodbye to the conventional way of tracking Microsoft 365 admin roles! Effortlessly track and generate comprehensive reports to elevate your admin role capabilities with AdminDroid.


How to assign admin roles in Entra ID?

Assigning admin roles to users in Microsoft 365 is crucial for managing and securing organizational data. It allows them to perform tasks such as user management, security enforcement, service configuration, and monitoring compliance.

Follow the below steps to assign admin roles in Microsoft Entra admin center:

  • Log in to the Microsoft Entra admin center using admin credentials.
  • Navigate to the Roles & admins page located under Identity»Roles & admins.
  • Select the specific admin role from the list. Now, click + Add assignment to start assigning a role to a user.
  • Configure the Scope type and select the user or groups to assign admin roles.
  • Provide the Assignment type on the Settings page. Also, you can delegate roles to the user for only a certain period.
  • Click Assign to set a role for users or groups. You’ll receive a confirmation message, indicating the role has been assigned.

When assigning admin roles, it is important to consider the level of access that you want to give the user. Implementing least privilege access ensures that users only have the necessary permissions designated for their tasks, minimizing potential security risks.

You can also create a custom role in Microsoft 365 and set custom permissions to the role by using the ‘New custom role’ option in the ‘Roles & admins’ page. The custom role provides flexibility in aligning roles with unique organizational requirements to ensure a fine-tuned and secure environment.

Assign admin roles to a user using Graph PowerShell:

  • Connect Microsoft Graph before running the below cmdlets.
  • Assign a role to a user with the help of the below cmdlet.
    New-MgRoleManagementDirectoryRoleAssignment -DirectoryScopeId '/' -RoleDefinitionId <role ID> -PrincipalId <user ID>
    Replace the <role ID> and <user ID> with the role template ID and user object ID respectively. Role Id can be retrieved by running the below cmdlet.
  • Get all admin roles with role ID by executing the following cmdlet.
    Get-MgRoleManagementDirectoryRoleDefinition 

Simplify the oversight of Microsoft 365 admin roles assigned in your environment!

With AdminDroid, you can seamlessly audit users added to admin roles from the dedicated section ‘User Added as Admins’. To view the users added with administrative roles,

  • Navigate to Audit» Security» User Added as Admins.
  • Under the 'User Added as Admins' section, you’ll find Microsoft 365 users assigned various admin roles, along with details such as added time, added by, and result status.

You can export user lists with diverse admin roles, to facilitate effective Microsoft 365 users monitoring with the help of AdminDroid.

What are the security risks associated with Microsoft 365 admin roles?

Users with administrative roles have the highest level of access to an organization's systems and data, which makes them a prime target for cyberattacks. Some of the security risks associated with Microsoft 365 admin roles include:

  • Password Security Concerns: If admins reuse passwords, it creates an opportunity for attackers to compromise their accounts, particularly in the event of a password breach.
  • Phishing Vulnerabilities: Microsoft admins are often targeted by phishing emails that look legitimate. Admins may click malicious links or open harmful attachments, which can lead to their account compromise.

    Quick Tip: Admins can create safe attachments policies in Microsoft 365 Defender and stay away from these attacks.

  • Malware Exposure: Admins face malware risks from phishing, infected websites, or other sources, leading to unauthorized access and posing a serious security threat to their computers and sensitive files.
  • Insider threats: Insider threats can be intentional or unintentional. Employees may illicitly access data for personal gain or inadvertently click malicious links, exposing the Microsoft 365 organization to cybersecurity risks.

Microsoft 365 organizations should take steps to mitigate the security risks with protected actions. This includes implementing strong password policies, educating employees on phishing and malware, and using Conditional Access in Privileged Identity Management (PIM).

Securing the Microsoft 365 environment is not just an option; it's an absolute necessity!

Keeping valuable data secure in the Microsoft 365 environment is essential for safeguarding against potential threats. Some of the key points are listed below.

  • Leverage Entra ID's protected actions feature to tighten Microsoft 365 security. This functionality ensures a fortified defense against unauthorized access and potential threats, offering a robust solution to safeguard sensitive Microsoft 365 activities.
  • Exchange Online mailbox security is critical for admins since it serves as a crucial defense in protecting sensitive data. So, it's essential for Microsoft 365 admins to learn and implement email security practices for a more robust Microsoft 365 security.

What are the security guidelines for admin roles in Microsoft 365?

Here is the list of best practices for Microsoft 365 admin roles that every organization should use to mitigate security risks.

  • Use strong passwords and multi-factor authentication: Admins should use strong passwords for their accounts and enable multi-factor authentication. This will make it more difficult for attackers to gain access to their accounts.

    Note: By default, Microsoft sets up Conditional Access policies for admins, requiring them to activate multi-factor authentication (MFA).

  • Use a Privileged Access Management (PAM) solution: A PAM solution can help to manage and control access to privileged accounts, which can help to reduce the risk of unauthorized access.
  • Educate employees on security risks: Organizations should educate all employees and delegated admins, on security risks & best practices. This will raise awareness and help employees protect themselves as well as the organization's assets.

By following these best practices, organizations can help to protect their users with admin roles and enhance overall Microsoft 365 management.

Elevation of Microsoft Entra ID admin role is a critical security event that must be monitored!

With the help of AdminDroid’s default alert policy template – Elevation of Administrative privilege, you will be on track with your users when they have been elevated to admin role.

  • You can find the Alert policies under Alerts»Policy Templates.
  • Search Elevation of administrative privilege and select Preview and Deploy.
  • Set the alert frequency and add recipient address to receive the alert mail.
  • Utilize the Alert preview option to view the recently triggered events for your alert.

How to manage admin roles in Microsoft 365?

Managing admin roles in Microsoft 365 involves assigning, reviewing, and removing them to ensure proper access control and security. You can use the below PowerShell approach to manage Entra ID admin roles, which is a powerful and efficient method.

  • Execute the below command to check the admin roles in Microsoft 365.
    Get-MgBetaDirectoryRole
    #Before running the cmdlet, make sure to install Microsoft Graph PowerShell
  • Run the below cmdlet to assign a user with admin role.
    New-MgRoleManagementDirectoryRoleAssignment -DirectoryScopeId '/' -RoleDefinitionId <roleId> -PrincipalId <userId>
    #Replace the <roleId> and <userId> with role definition ID and user object ID respectively.
  • To remove a user from admin role using Graph PowerShell, execute the following cmdlet.
    Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId <roleId> -DirectoryObjectId <userId>
    #Replace <roleId> with the directory role object ID (the Id returned by Get-MgBetaDirectoryRole) and <userId> with the user object ID.
  • Execute the below command to check whether the user has been assigned with admin roles.
    Get-MgDirectoryRoleMemberAsUser -DirectoryRoleId <roleId>
    #Replace the <roleId> with the admin role you want to report.

However, managing users with admin roles involves regular review to establish a strong and secure Microsoft 365 organization.

Stay in control and monitor the Azure AD role removals from a user!

Utilize AdminDroid's default alert policy template to receive alerts on Users Removed from Admin Roles, simplifying the task for Microsoft 365 admins to monitor users removed from administrative roles.


AdminDroid Entra ID Admins Reporting

Efficiently manage the admin role permissions with just a few clicks!

AdminDroid Microsoft 365 admin management tool offers a comprehensive solution to view admin roles assigned to users within your organization. You can also generate reports on various admin activities, including admin-forced password resets, admin login failures, recently created admins, and even failed MFA challenges.

Empower Microsoft 365 admins with seamless insights for efficient user admin roles management

The Admin Roles by Users report under Reports »Security»Admin Reports provides a detailed breakdown of admin roles assigned to users. This includes user properties such as sign-in status, department, usage location, and Microsoft 365 licenses assigned to the respective user.

A Quick Summary

Gain Centralized Visibility into Admins

Monitor and manage the Microsoft 365 users with admin access and set up a quick schedule that keeps you informed about the admin users.

Check the Management Role Assignment Type

Analyze users with management roles to obtain a detailed overview of their role assignments in your Microsoft 365 organization.

Get Alerts on the Role Scope Changes

Receive real-time Microsoft 365 alerts and promptly detect any admin role scope changes through AdminDroid's advanced alerting.

Comprehensive Administrative Units

Monitor all activities of Azure AD administrative units and report on their operations performed by the Microsoft 365 users in your organization.

In-depth Admin Operation Analysis

Monitor and streamline your admin role operations in Azure AD, accessing consolidated Microsoft 365 information for an organized and efficient approach.

Streamline Admin Role Modifications

Efficiently track with real-time admin role changes monitoring, ensuring streamlined governance and accountability within your organization.

AdminDroid simplifies the Microsoft 365 admin auditing, providing seamless access to details like admin roles, admin sign-in attempts, and risky activities. Thus, you can gain complete control of your organization's admins and effortlessly manage admin role assignments.

Kickstart Your Journey with AdminDroid

Your Microsoft 365 Companion with Enormous Reporting Capabilities!

Common Errors and Resolution Steps while Managing Admin Role Operations Performed in your Organization

The following are possible errors and troubleshooting hints while dealing with Microsoft 365 admin roles management.

Error: Access Denied. You do not have permission to call this cmdlet.

This error may occur in PowerShell when trying to execute the New-MgRoleManagementDirectoryRoleAssignment cmdlet without having the necessary permissions.

Troubleshooting hint: To resolve this error, set the required permissions to run the cmdlet, usually requiring Global Admin or Privileged Role Administrator access.

Error: Microsoft Graph Beta module is unavailable. It is mandatory to have this module installed in the system to run the script successfully.

This error message occurs when you try to run the PowerShell script without the Microsoft Graph Beta module.

Troubleshooting hint: To resolve this error, you must install the Microsoft Graph Beta module of PowerShell.

Install-Module Microsoft.Graph.Beta -Scope CurrentUser -AllowClobber

Error: New-MgRoleManagementDirectoryRoleAssignment : Must specify valid property scope of entity RoleAssignment.

This error message occurs when you try to run the PowerShell cmdlet with a deprecated role ID.

Troubleshooting hint: To resolve this error, you must enter a valid role ID. To list all admin roles with their description, use the below cmdlet.

Get-MgRoleManagementDirectoryRoleDefinition

Error: .\AdminReport.ps1 cannot be loaded because running scripts is disabled on this system.

This error occurs when trying to run the script. The execution policy is set to "Restricted" by default to prevent scripts from running.

Troubleshooting hint: To resolve this error, you can set the execution policy to run the script.

Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass

Error: New-MgRoleManagementDirectoryRoleAssignment : Must specify valid property scope of entity RoleAssignment.

This error message occurs when you try to run the PowerShell cmdlet without giving the directory scope.

Troubleshooting hint: To resolve this error, you must specify the directory role scope in the cmdlet.

New-MgRoleManagementDirectoryRoleAssignment -DirectoryScopeId '/' -RoleDefinitionId <role Id> -PrincipalId <user Id>