
How to Export Admin Roles Report in Microsoft 365

Microsoft 365 admin role users are crucial for handling sensitive tasks, such as assigning licenses, managing user accounts, and troubleshooting user issues. However, tracking their activities is as vital as assigning necessary roles to users. Thus, we are here to help you explore methods to understand various admin roles, monitor Entra ID role assignments, and track administrative activities within Office 365.

Using Microsoft 365 Admin Center

Microsoft 365 Permission Required
Global Admin, Global Reader or a Privileged Role Administrator.
  • Sign in to the Microsoft 365 admin center.
  • Navigate to Roles»Role assignments.
  • Click on 'Export admin list' at the top of the page to export all the users assigned with admin roles.

Using Microsoft Entra Admin Center

Microsoft 365 Permission Required
Global Admin, Global Reader or a Privileged Role Administrator.
  • Log in to the Microsoft Entra admin center.
  • Navigate to Identity»Roles & admins. Now, select Roles & admins to list all admin roles.
  • Select 'Download assignments' to download a CSV file detailing role assignment for users.

Using Windows PowerShell

Microsoft 365 Permission Required
Global Admin, Global Reader or a Privileged Role Administrator.
  • Run the below cmdlets to list all the administrative roles assigned to a Microsoft 365 user.
    Connect-MgGraph
    Get-MgUserMemberOf -UserId <UserPrincipalName> | Select-Object -ExpandProperty AdditionalProperties | Where-Object { $_.'@odata.type' -eq '#microsoft.graph.directoryRole' }
  • Replace <UserPrincipalName> with the UPN of the Microsoft 365 user.

Using PowerShell Script

Microsoft 365 Permission Required
Global Admin, Global Reader or a Privileged Role Administrator.
  • Since it is difficult to retrieve all users with admin roles using cmdlets alone, we have prepared a PowerShell script that retrieves the list of all users with admin roles along with their details, such as display name, user principal name, and admin license status.
AdminReport.ps1
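
A tenant-wide listing of this kind can be produced with Microsoft Graph PowerShell as shown below. This is an added example; it is not the AdminReport.ps1 script and not AdminDroid's code. The CSV file name is a placeholder, and the two read-only scopes are assumed to be consentable for the signed-in account.

```powershell
# Added example (not AdminReport.ps1): inventory every active Entra ID role assignment.
# Requires the Microsoft Graph PowerShell SDK; both scopes are read-only.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All'

# Map role definition IDs to display names once, instead of one lookup per assignment.
$roleNames = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All | ForEach-Object {
    $roleNames[$_.Id] = $_.DisplayName
}

# Fetch all assignments with the assigned principal expanded inline.
$assignments = Get-MgRoleManagementDirectoryRoleAssignment -All -ExpandProperty Principal

$report = foreach ($a in $assignments) {
    # A deleted principal can leave an assignment with nothing to expand.
    $p = $a.Principal.AdditionalProperties
    if ($null -eq $p) { $p = @{} }

    [pscustomobject]@{
        RoleName          = $roleNames[$a.RoleDefinitionId]
        # user, group (role-assignable group) or servicePrincipal
        PrincipalType     = "$($p['@odata.type'])" -replace '^#microsoft\.graph\.', ''
        DisplayName       = $p['displayName']
        UserPrincipalName = $p['userPrincipalName']
        PrincipalId       = $a.PrincipalId
        # '/' is tenant-wide; any other value is an administrative unit or object scope
        TenantWide        = ($a.DirectoryScopeId -eq '/')
        DirectoryScopeId  = $a.DirectoryScopeId
    }
}

# Review aid: number of principals per role, largest first.
$report | Group-Object RoleName | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Output path is a placeholder chosen for this example.
$report | Sort-Object RoleName, DisplayName |
    Export-Csv -Path .\EntraRoleAssignments.csv -NoTypeInformation -Encoding UTF8
```

A group principal appears as a single row, so its members, who also hold the role, have to be resolved separately. Assignments that are only PIM-eligible are not part of this listing.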

Efficiently manage the admin role permissions with just a few clicks!

AdminDroid Microsoft 365 admin management tool offers a comprehensive solution to view admin roles assigned to users within your organization. You can also generate reports on various admin activities, including admin-forced password resets, admin login failures, recently created admins, and even failed MFA challenges.

Gain Centralized Visibility into Admins

Monitor and manage the Microsoft 365 users with admin access and set up a quick schedule that keeps you informed about the admin users.

Check the Management Role Assignment Type

Analyze users with management roles to obtain a detailed overview of their role assignments in your Microsoft 365 organization.

Get Alerts on the Role Scope Changes

Receive real-time Microsoft 365 alerts and promptly detect any admin role scope changes through AdminDroid's advanced alerting.

Comprehensive Administrative Units

Monitor all activities of Azure AD administrative units and report on the operations performed on them by the Microsoft 365 users in your organization.

In-depth Admin Operation Analysis

Monitor and streamline your admin role operations in Azure AD, accessing consolidated Microsoft 365 information for an organized and efficient approach.

Streamline Admin Role Modifications

Track admin role changes efficiently with real-time monitoring, ensuring streamlined governance and accountability within your organization.

AdminDroid simplifies the Microsoft 365 admin auditing, providing seamless access to details like admin roles, admin sign-in attempts, and risky activities. Thus, you can gain complete control of your organization's admins and effortlessly manage admin role assignments.


Important Tips

Implement RBAC to streamline your Microsoft Entra ID admin role assignments and service administration to avoid unnecessary admin portal accesses.

Set up multi-factor authentication through Conditional Access to strengthen your admin accounts and secure your Microsoft 365 environment.

Monitor Microsoft 365 admin login failures to identify malicious sign-ins from unfamiliar locations to strengthen your organization's security.

Common Errors and Resolution Steps

The following are possible errors and troubleshooting hints while dealing with Microsoft 365 admin roles management.

Error: Access Denied. You do not have permission to call this cmdlet.

This error may occur in PowerShell when trying to execute the New-MgRoleManagementDirectoryRoleAssignment cmdlet without having the necessary permissions.

Fix: To resolve this error, run the cmdlet with the required permissions, which usually means Global Admin or Privileged Role Administrator access.

Error: Microsoft Graph Beta module is unavailable. It is mandatory to have this module installed in the system to run the script successfully.

This error message occurs when you try to run the PowerShell script without the Microsoft Graph Beta module.

Fix: To resolve this error, you must install the Microsoft Graph Beta module of PowerShell.
    Install-Module Microsoft.Graph.Beta -Scope CurrentUser -AllowClobber

Error: New-MgRoleManagementDirectoryRoleAssignment : Must specify valid property scope of entity RoleAssignment.

This error message occurs when you try to run the PowerShell cmdlet with a deprecated role ID.

Fix: To resolve this error, you must enter a valid role ID. To list all admin roles with their description, use the below cmdlet.
    Get-MgRoleManagementDirectoryRoleDefinition

Error: .\AdminReport.ps1 cannot be loaded because running scripts is disabled on this system.

This error occurs when trying to run the script. The execution policy is set to "strict" by default to prevent scripts from running.

Fix: To resolve this error, you can set the execution policy to run the script.
    Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass

Error: New-MgRoleManagementDirectoryRoleAssignment : Must specify valid property scope of entity RoleAssignment.

This error message occurs when you try to run the PowerShell cmdlet without giving the directory scope.

Fix: To resolve this error, you must specify the directory role scope in the cmdlet.
    New-MgRoleManagementDirectoryRoleAssignment -DirectoryScopeId '/' -RoleDefinitionId <role Id> -PrincipalId <user Id>

Frequently Asked Questions

Find Out All Users with Admin Roles in Microsoft 365

How to assign admin roles in Entra ID?


Assigning admin roles to users in Microsoft 365 is crucial for managing and securing organizational data. It allows them to perform tasks such as user management, security enforcement, service configuration, and monitoring compliance.

Follow the below steps to assign admin roles in Microsoft Entra admin center:

  • Log in to the Microsoft Entra admin center using admin credentials.
  • Navigate to Roles & admins page residing under Identity»Roles & admins.
  • Select the specific admin role from the list. Now, click + Add assignment to start assigning a role to a user.
  • Configure the Scope type and select the user or groups to assign admin roles.
  • Provide the Assignment type on the Settings page. Also, you can delegate roles to the user for only a certain period.
  • Click Assign to set a role for users or groups. You’ll receive a confirmation message, indicating the role has been assigned.

When assigning admin roles, it is important to consider the level of access that you want to give the user. Implementing least privilege access ensures that users only have the necessary permissions designated for their tasks, minimizing potential security risks.

You can also create a custom role in Microsoft 365 and set custom permissions to the role by using the ‘New custom role’ option in the ‘Roles & admins’ page. The custom role provides flexibility in aligning roles with unique organizational requirements to ensure a fine-tuned and secure environment.

Assign admin roles to a user using Graph PowerShell:

  • Connect Microsoft Graph before running the below cmdlets.
  • Assign a role to a user with the help of the below cmdlet.
    New-MgRoleManagementDirectoryRoleAssignment -DirectoryScopeId '/' -RoleDefinitionId <role ID> -PrincipalId <user ID>
    Replace the <role ID> and <user ID> with the role template ID and user object ID respectively. Role Id can be retrieved by running the below cmdlet.
  • Get all admin roles with role ID by executing the following cmdlet.
    Get-MgRoleManagementDirectoryRoleDefinition 

Simplify the oversight of Microsoft 365 admin roles assigned in your environment!

With AdminDroid, you can seamlessly audit users added to admin roles from the dedicated section ‘User Added as Admins’. To view the users added with administrative roles,

  • Navigate to Audit» Security» User Added as Admins.
  • Under the 'User Added as admin' section, you’ll find the Microsoft 365 users assigned with various admin roles, along with activity details such as added time, added by, and result status.

You can export user lists with diverse admin roles, to facilitate effective Microsoft 365 users monitoring with the help of AdminDroid.

What are the security risks associated with Microsoft 365 admin roles?


Users with administrative roles have the highest level of access to an organization's systems and data, which makes them a prime target for cyberattacks. Some of the security risks associated with Microsoft 365 admin roles include:

  • Password Security Concerns: If admins reuse passwords, it creates an opportunity for attackers to compromise their accounts, particularly in the event of a password breach.
  • Phishing Vulnerabilities: Microsoft admins are often targeted by phishing emails that look legitimate. Admins may click malicious links or open harmful attachments, which can lead to their account compromise.

    Quick Tip: Admins can create safe attachments policies in Microsoft 365 Defender and stay away from these attacks.

  • Malware Exposure: Admins face malware risks from phishing, infected websites, or other sources, leading to unauthorized access and posing a serious security threat to their computers and sensitive files.
  • Insider threats: Insider threats can be intentional or unintentional. Employees may illicitly access data for personal gain or inadvertently click malicious links, exposing the Microsoft 365 organization to cybersecurity risks.

Microsoft 365 organizations should take steps to mitigate the security risks with protected actions. This includes implementing strong password policies, educating employees on phishing and malware, and using Conditional Access in Privileged Identity Management (PIM).

Securing the Microsoft 365 environment is not just an option; it's an absolute necessity!

Keeping valuable data secure in the Microsoft 365 environment is essential for safeguarding against potential threats. Some of the key points are listed below.

  • Leverage Entra ID's protected actions feature to tighten Microsoft 365 security. This functionality ensures a fortified defense against unauthorized access and potential threats, offering a robust solution to safeguard sensitive Microsoft 365 activities.
  • Exchange Online mailbox security is critical for admins since it serves as a crucial defense in protecting sensitive data. So, it's essential for Microsoft 365 admins to learn and implement email security practices for a more robust Microsoft 365 security.

What are the security guidelines for admin roles in Microsoft 365?


Here is the list of best practices for Microsoft 365 admin roles that every organization should use to mitigate security risks.

  • Use strong passwords and multi-factor authentication: Admins should use strong passwords for their accounts and enable multi-factor authentication. This will make it more difficult for attackers to gain access to their accounts.

    Note: By default, Microsoft sets up Conditional Access policies for admins, requiring them to activate multi-factor authentication (MFA).

  • Use a Privileged Access Management (PAM) solution: A PAM solution can help to manage and control access to privileged accounts, which can help to reduce the risk of unauthorized access.
  • Educate employees on security risks: Organizations should educate all employees and delegated admins on security risks and best practices. This will raise awareness and help employees protect themselves as well as the organization's assets.

By following these best practices, organizations can help to protect their users with admin roles and enhance overall Microsoft 365 management.

Elevation of Microsoft Entra ID admin role is a critical security event that must be monitored!

With the help of AdminDroid’s default alert policy template – Elevation of Administrative privilege, you will be on track with your users when they have been elevated to admin role.

  • You can find the Alert policies under Alerts»Policy Templates.
  • Search Elevation of administrative privilege and select Preview and Deploy.
  • Set the alert frequency and add recipient address to receive the alert mail.
  • Utilize the Alert preview option to view the recently triggered events for your alert.
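
The same role changes can also be read directly from the Entra ID audit log with Microsoft Graph PowerShell. The following is an added example, not AdminDroid's alert policy and not code from this page; the 7-day look-back window is an assumption chosen for illustration.

```powershell
# Added example: list recent role membership changes from the Entra ID audit log.
# Requires the Microsoft Graph PowerShell SDK and the read-only AuditLog.Read.All scope.
Connect-MgGraph -Scopes 'AuditLog.Read.All'

$days  = 7   # look-back window, assumed for this example
$since = (Get-Date).ToUniversalTime().AddDays(-$days).ToString('yyyy-MM-ddTHH:mm:ssZ')
$activities = 'Add member to role', 'Remove member from role'

$changes = foreach ($activity in $activities) {
    $filter = "activityDisplayName eq '$activity' and activityDateTime ge $since"
    foreach ($e in Get-MgAuditLogDirectoryAudit -Filter $filter -All) {
        # The role name is recorded as a modified property on the target resource:
        # NewValue on an add, OldValue on a removal, both wrapped in double quotes.
        $roleProp = $e.TargetResources.ModifiedProperties |
            Where-Object { $_.DisplayName -eq 'Role.DisplayName' } |
            Select-Object -First 1
        $roleName = @($roleProp.NewValue, $roleProp.OldValue) |
            ForEach-Object { "$_".Trim('"') } |
            Where-Object { $_ } | Select-Object -First 1

        # TargetResources holds the role itself (Type 'Role') and the principal
        # that was added or removed; keep the principal.
        $target = $e.TargetResources | Where-Object { $_.Type -ne 'Role' } |
            Select-Object -First 1
        $targetName = $target.UserPrincipalName
        if (-not $targetName) { $targetName = $target.DisplayName }

        # A change is initiated either by a user or by an application.
        $actor = $e.InitiatedBy.User.UserPrincipalName
        if (-not $actor) { $actor = $e.InitiatedBy.App.DisplayName }

        [pscustomobject]@{
            TimeUtc  = $e.ActivityDateTime
            Activity = $e.ActivityDisplayName
            Role     = $roleName
            Target   = $targetName
            Actor    = $actor
            Result   = $e.Result
        }
    }
}

$changes | Sort-Object TimeUtc -Descending | Format-Table -AutoSize
```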

How to manage admin roles in Microsoft 365?


Managing admin roles in Microsoft 365 involves assigning, reviewing, and removing them to ensure proper access control and security. You can use the below PowerShell approach to manage Entra ID admin roles, which proves to be a powerful and efficient method.

  • Execute the below command to check the admin roles in Microsoft 365.
    #Before running the cmdlet, make sure to install Microsoft Graph PowerShell.
    Get-MgBetaDirectoryRole
  • Run the below cmdlet to assign a user with admin role.
    #Replace the <roleId> and <userId> with role definition ID and user object ID respectively.
    New-MgRoleManagementDirectoryRoleAssignment -DirectoryScopeId '/' -RoleDefinitionId <roleId> -PrincipalId <userId>
  • To remove a user from admin role using Graph PowerShell, execute the following cmdlet.
    #Replace <roleId> with the directory role object ID (the Id value returned by Get-MgBetaDirectoryRole) and <userId> with the user object ID.
    Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId <roleId> -DirectoryObjectId <userId>
  • Execute the below command to check whether the user has been assigned with admin roles.
    #Replace the <roleId> with the admin role you want to report.
    Get-MgDirectoryRoleMemberAsUser -DirectoryRoleId <roleId>

However, managing users with admin roles involves regular review to establish a strong and secure Microsoft 365 organization.

Stay in control and monitor the Azure AD role removals from a user!

Utilize AdminDroid's default alert policy template to receive alerts on Users Removed from Admin Roles, simplifying the task for Microsoft 365 admins to monitor users removed from administrative roles.
