AzureAD

Global Admin vs Company Administrator – Naming Standardization Required

Recently, I was trying to list the Global Administrators on my test tenant. The quick option I had was to query the group membership as we do in an on-premises Active Directory environment. But then I realized that tenant admins don't have access to these role groups the way we access normal groups.

Office 365 provides many role groups by default. Role groups rely on Azure AD groups, but tenant admins are restricted from accessing them directly. So we cannot reach them the way we reach ordinary groups, through the Azure AD portal or the cmdlet Get-AzureADGroup. However, Microsoft provides multiple options for accessing the role groups and their membership.

Here is the first option, using the MSOL cmdlet Get-MsolRoleMember:

Get-MsolRoleMember -RoleObjectId "62e90394-69f5-4237-9190-012177145e10"

We have to give the role object ID to list the role group members. The catch here is in the names. If we look for Global Administrators in the output of Get-MsolRole, we cannot see one. In the GUI we have Global Administrators, but in PowerShell it is called Company Administrators. 🙂

The next option is to query the role through the AzureAD module. For that, we use the cmdlet Get-AzureADDirectoryRoleMember and pass the object ID of the respective role group as the parameter.

Get-AzureADDirectoryRoleMember -ObjectId 2e6d232a-5bbd-4643-9ad2-bfd899258406

The twist here is in the group name. The object ID should be grabbed from Get-AzureADDirectoryRole, and here we should look for the role group "Global Administrators", not Company Administrators :D.
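Because the display name differs between the two modules, an audit script can match the role on its ID instead. The following is an added example, not code from the original post: the function name Get-GlobalAdminMember is hypothetical, and it assumes sessions already opened with Connect-MsolService and Connect-AzureAD.

```powershell
# Added example (not from the original post): list Global Administrator members
# from either module without depending on the role's display name.
# Assumes Connect-MsolService and Connect-AzureAD have already been run.

# The ID passed to Get-MsolRoleMember in the post; it is the same in every tenant.
$TemplateId = '62e90394-69f5-4237-9190-012177145e10'

function Get-GlobalAdminMember {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('MSOnline', 'AzureAD')]
        [string]$Module
    )

    if ($Module -eq 'MSOnline') {
        # MSOnline: the role's ObjectId is the fixed ID itself.
        $role     = Get-MsolRole | Where-Object { $_.ObjectId -eq $TemplateId }
        $roleName = $role.Name
        $signIn   = 'EmailAddress'
    }
    else {
        # AzureAD: ObjectId is tenant-specific; RoleTemplateId carries the fixed ID.
        $role     = Get-AzureADDirectoryRole | Where-Object { $_.RoleTemplateId -eq $TemplateId }
        $roleName = $role.DisplayName
        $signIn   = 'UserPrincipalName'
    }
    if (-not $role) { throw "Role $TemplateId was not returned by the $Module module." }

    $members = if ($Module -eq 'MSOnline') {
        Get-MsolRoleMember -RoleObjectId $role.ObjectId
    } else {
        Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
    }

    # Normalise both modules' output so the two lists can be compared side by side.
    foreach ($m in $members) {
        [pscustomobject]@{
            Module   = $Module
            RoleName = $roleName            # name exactly as this module reports it
            Member   = $m.DisplayName
            SignIn   = $m.$signIn
            ObjectId = [string]$m.ObjectId  # Guid in MSOnline, string in AzureAD
        }
    }
}

# Both views of the same role; RoleName shows which name each module uses.
@(Get-GlobalAdminMember -Module MSOnline) + @(Get-GlobalAdminMember -Module AzureAD) |
    Sort-Object ObjectId, Module | Format-Table -AutoSize
```

Each member should appear once per module; an ObjectId listed by only one module is worth a closer look.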

I hope Microsoft will eventually standardize the name to Global Administrators everywhere.

Posted by Shabarinath in AzureAd