SOLVED

Administrative roles and groups


Are there certain administrator roles in Azure AD or Office 365 that have to be assigned to an individual as opposed to a security group? I've found we can add a security group as a member to a role in Intune, such as Help Desk Administrator, but if I try to assign a security group as a member to the Security Reader role in Azure it doesn't let me.

5 Replies

That's specific to the application. None of the Office 365 roles support group assignment. Some of the workload-specific roles do, however (Intune as you pointed out, Exchange, etc.), as do some of the Azure AD roles. As a general rule of thumb, assume they don't support group assignments...

I need an automated way to review who has elevated access in O365. We have on-prem security groups that are tied into a review process, but it makes it difficult when we can't use groups for some O365 roles. We don't have E5. Any suggestions to do this?

You can easily report on admin role membership via PowerShell. Or you can use Azure AD Privileged Identity Management.

Is there one script though to export a list of all admin roles and memberships?

best response confirmed by Erin Scupham (Regular Contributor)

Solution

This script by Paul is a good starting point: https://practical365.com/security/reporting-office-365-admin-role-group-members/
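As an added example (not part of the thread and not Paul's script), one way to export every active admin role membership to a CSV for an access review, using the Microsoft Graph PowerShell SDK; the module being installed, the scopes and the output path are assumptions:

```powershell
# Added example, not from the thread: export activated Azure AD directory roles and
# their direct members to CSV with the Microsoft Graph PowerShell SDK.
# Assumes the Microsoft.Graph module is installed and the signed-in account can read
# role assignments and directory objects.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All'

$report = foreach ($role in Get-MgDirectoryRole -All) {
    # Get-MgDirectoryRole returns only roles that have been activated in the tenant;
    # a role that has never had an assignment does not appear in the list.
    foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        $p = $m.AdditionalProperties
        [pscustomobject]@{
            Role        = $role.DisplayName
            MemberType  = ($p['@odata.type'] -replace '^#microsoft\.graph\.', '')
            DisplayName = $p['displayName']
            UPN         = $p['userPrincipalName']   # empty for groups and service principals
            ObjectId    = $m.Id
        }
    }
}

$report | Sort-Object Role, MemberType, DisplayName |
    Export-Csv -Path .\AdminRoleMembers.csv -NoTypeInformation

# Roles held through a group: the group's own membership must be reviewed as well,
# since this export lists the group, not the people inside it.
$report | Where-Object MemberType -eq 'group' | Format-Table Role, DisplayName
```

This lists active assignments only; eligible (PIM) assignments are not returned by Get-MgDirectoryRoleMember and need a separate query.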