Summary: How to get all global admin roles assigned to users in Office 365
Date: Around 2015
Refactor: 3 January 2025: Checked links and formatting.
One of the biggest mistakes in Office 365 management is assigning the Global Admin role to everyday user accounts. Even though you manage Office 365 from your browser, which automatically signs you in with your user account, you should always perform administration with a separate admin account. So, change it, and fast.
You can use the PowerShell commands below to list all global admins in Office 365.
PS C:\Users\sjoerd\Desktop> Connect-MsolService
PS C:\Users\sjoerd\Desktop> Get-MsolUser
WARNING: More results are available. Please specify one of the All or MaxResults parameters.
PS C:\Users\sjoerd\Desktop> Get-MsolRole -RoleName "Company Administrator"

ObjectId                             Name                  Description
--------                             ----                  -----------
62e90394-69f5-4237-9190-012177145e10 Company Administrator Company Administrator role has full access t...

PS C:\Users\sjoerd\Desktop> $role = Get-MsolRole -RoleName "Company Administrator"
PS C:\Users\sjoerd\Desktop> Get-MsolRoleMember -RoleObjectId $role.ObjectId

RoleMemberType EmailAddress                DisplayName          isLicensed
-------------- ------------                -----------          ----------
User           sjoerd@getshifting.com      Sjoerd Hooft         False
User           sjoerdadmin@getshifting.com Sjoerd Hooft (Admin) True
This script will list all roles and the members of the roles:
foreach ($role in (Get-MsolRole)){$role.name; Get-MsolRoleMember -RoleObjectId $role.objectid | Format-Table}
This script exports all admin roles and additional info about the admin accounts to a csv file:
$startdir = "D:\admin"
$csvfile = "$startdir\roles.csv"
# Define csv table
$arrPermissions = @()
# Define a start number for easy counting
$i = 0
$roles = Get-MsolRole
foreach ($role in $roles) {
    $members = Get-MsolRoleMember -RoleObjectId $role.ObjectId.Guid
    #if (!$members) { continue }
    foreach ($member in $members) {
        $objPermissions = New-Object PSObject
        $i++
        Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "Number" -Value $i
        Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "Role" -Value $role.Name
        Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "UPN" -Value $member.EmailAddress
        Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "Display Name" -Value $member.DisplayName
        Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "Type" -Value $member.RoleMemberType
        Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "isLicensed" -Value $member.isLicensed
        if ($member.RoleMemberType -ne "ServicePrincipal") {
            # Look the account up once and reuse it for the checks below
            $msolUser = Get-MsolUser -UserPrincipalName $member.EmailAddress
            Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "isSynced" -Value (&{If($msolUser.LastDirSyncTime) {"True"} Else {"False"}})
            Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "PasswordNeverExpires" -Value (&{If($msolUser.PasswordNeverExpires) {"True"} Else {"False"}})
            # Because we enable MFA using a location-based access rule, the MFA requirement state is not set, so the line below does not work as expected
            # Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "MFA Enabled" -Value (&{If($msolUser.StrongAuthenticationRequirements.State) {"True"} Else {"False"}})
            # So instead we check whether StrongAuthenticationMethods is empty, as this is filled after the user has configured MFA
            Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "MFA Enabled" -Value (&{If($msolUser.StrongAuthenticationMethods) {"True"} Else {"False"}})
        }
        $arrPermissions += $objPermissions
    }
}
$arrPermissions | Export-Csv -NoTypeInformation $csvfile
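As an added example (not code from the original post), the function below turns the same role and user lookups into a hygiene check for the Global Admin role: it flags everyday accounts holding the role, members without registered MFA methods, non-expiring passwords, directory-synced admins and an oversized admin group. It assumes an active Connect-MsolService session; the "*admin@*" naming pattern and the threshold of 5 are assumptions to adjust for your tenant.

```powershell
# Added example: audit Global Admin membership for the hygiene points above.
# Assumes Connect-MsolService has already been run in this session.
function Test-GlobalAdminHygiene {
    param(
        [string]$AdminAccountPattern = '*admin@*',   # assumed naming convention for dedicated admin accounts
        [int]$MaxGlobalAdmins = 5                    # assumed threshold; tune to your tenant
    )
    $role     = Get-MsolRole -RoleName "Company Administrator"
    $members  = @(Get-MsolRoleMember -RoleObjectId $role.ObjectId)
    $findings = @()

    foreach ($member in $members) {
        # Only user accounts can be inspected with Get-MsolUser; groups and
        # service principals are reported as-is so they are not overlooked.
        if ($member.RoleMemberType -ne "User") {
            $findings += [pscustomobject]@{
                UPN   = $member.DisplayName
                Issue = "Non-user member of Global Admin role ($($member.RoleMemberType))"
            }
            continue
        }

        $user   = Get-MsolUser -UserPrincipalName $member.EmailAddress
        $issues = @()
        if ($member.EmailAddress -notlike $AdminAccountPattern) { $issues += "Everyday account holds Global Admin" }
        if (-not $user.StrongAuthenticationMethods)             { $issues += "No MFA methods registered" }
        if ($user.PasswordNeverExpires)                          { $issues += "Password never expires" }
        if ($user.LastDirSyncTime)                               { $issues += "Synced from on-premises AD" }

        foreach ($issue in $issues) {
            $findings += [pscustomobject]@{ UPN = $member.EmailAddress; Issue = $issue }
        }
    }

    if ($members.Count -gt $MaxGlobalAdmins) {
        $findings += [pscustomobject]@{
            UPN   = "(tenant)"
            Issue = "$($members.Count) Global Admins exceeds threshold of $MaxGlobalAdmins"
        }
    }
    return $findings
}

# Usage: show findings on screen, or pipe to Export-Csv as in the script above
Test-GlobalAdminHygiene | Format-Table -AutoSize
```

An empty result means every Global Admin is a dedicated admin account with MFA registered, an expiring password and no on-premises sync, and the role holds no more members than the threshold.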