SHIFT

--- Sjoerd Hooft's InFormation Technology ---


Manage Global Admins in Office 365

One of the biggest mistakes in Office 365 management is assigning the Global Admin permission to regular user accounts. Even though you manage Office 365 from your browser, which automatically signs you in with your user account, you should always perform administration with a separate admin account. So change it, and fast.

List and Export Global Admins in Office 365

First step is to know

PS C:\Users\sjoerd\Desktop> Connect-MsolService
PS C:\Users\sjoerd\Desktop> Get-MsolUser
WARNING: More results are available. Please specify one of the All or MaxResults parameters.
PS C:\Users\sjoerd\Desktop> Get-MsolRole -RoleName "Company Administrator"
 
ObjectId                               Name                             Description
--------                               ----                             -----------
62e90394-69f5-4237-9190-012177145e10   Company Administrator            Company Administrator role has full access t...
 
 
PS C:\Users\sjoerd\Desktop> $role = Get-MsolRole -RoleName "Company Administrator"
PS C:\Users\sjoerd\Desktop> Get-MsolRoleMember -RoleObjectId $role.ObjectId
 
RoleMemberType EmailAddress                       DisplayName                  isLicensed
-------------- ------------                       -----------                  ----------
User           sjoerd@getshifting.com             Sjoerd Hooft                 False
User           sjoerdadmin@getshifting.com        Sjoerd Hooft (Admin)         True
 
 
 
PS C:\Users\sjoerd\Desktop>

- Do you need to be licensed? - export data

Get All Admins

foreach ($role in (Get-MsolRole)){$role.name; Get-MsolRoleMember -RoleObjectId $role.objectid | Format-Table}

Export All Admins to CSV File

This script exports all admin roles and additional info about the admin accounts to a csv file:

$startdir = "D:\admin"
$csvfile = "$startdir\roles.csv"
 
# Define csv table
$arrPermissions = @()
# Define a start number for easy counting
$i=0;
 
$roles = Get-MsolRole
 
foreach ($role in $roles) {
    $members = Get-MsolRoleMember -RoleObjectId $role.ObjectId.Guid
    #if (!$members) { continue }
    foreach ($member in $members) {
        $objPermissions = New-Object PSObject
        $i++;
        Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "Number" -Value $i
        Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "Role" -Value $role.Name
        Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "UPN" -Value $member.EmailAddress
        Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "Display Name" -Value $member.DisplayName
        Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "Type" -Value $member.RoleMemberType
        Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "isLicensed" -Value $member.isLicensed
        if ($member.RoleMemberType -ne "ServicePrincipal") {
            Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "isSynced" -Value (&{If((Get-MsolUser -UserPrincipalName $member.EmailAddress).LastDirsyncTime) {"True"} Else {"False"}})
            Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "PasswordNeverExpires" -Value (&{If((Get-MsolUser -UserPrincipalName $member.EmailAddress).PasswordNeverExpires) {"True"} Else {"False"}})
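            # Because we enable MFA using a location-based access rule, the MFA setting is not set, so the line below does not work as expected
            # Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "MFA Enabled" -Value (&{If((Get-MsolUser -UserPrincipalName $member.EmailAddress).StrongAuthenticationRequirements.State) {"True"} Else {"False"}})
            # So instead we check whether StrongAuthenticationMethods is empty, as it is filled once the user has configured MFA
            Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "MFA Enabled" -Value (&{If((Get-MsolUser -UserPrincipalName $member.EmailAddress).StrongAuthenticationMethods) {"True"} Else {"False"}})
        } else {
            # Export-Csv takes its columns from the first object, so service principals get the same (empty) columns
            Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "isSynced" -Value ""
            Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "PasswordNeverExpires" -Value ""
            Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "MFA Enabled" -Value ""
        }
        $arrPermissions += $objPermissions
    }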
}
 
$arrPermissions | Export-Csv -NoTypeInformation $csvfile
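
Reviewing the export, as an added example that is not part of the original page: the function below reads rows in the column layout the script above writes and lists admin accounts that need attention. The function name `Get-AdminFinding`, the sample rows, and the rule that a directory-synced account counts as a day-to-day user account are assumptions made for this example.

```powershell
# Constructed sample rows in the roles.csv layout; for real data use: $rows = Import-Csv "D:\admin\roles.csv"
$rows = @'
"Number","Role","UPN","Display Name","Type","isLicensed","isSynced","PasswordNeverExpires","MFA Enabled"
"1","Company Administrator","alice@example.com","Alice Example","User","True","True","False","True"
"2","Company Administrator","alice.admin@example.com","Alice Example (Admin)","User","False","False","False","True"
"3","Company Administrator","bob.admin@example.com","Bob Example (Admin)","User","False","False","True","False"
"4","Helpdesk Administrator","alice@example.com","Alice Example","User","True","True","False","True"
"5","Directory Readers","","Constructed App","ServicePrincipal","False","","",""
'@ | ConvertFrom-Csv

function Get-AdminFinding {
    param([Parameter(Mandatory)] [object[]] $Rows)

    # One result per account, even when the account holds several roles
    $Rows | Where-Object { $_.Type -eq 'User' } | Group-Object UPN | ForEach-Object {
        $first   = $_.Group[0]
        $roles   = @($_.Group.Role | Sort-Object -Unique)
        $reasons = @()

        # "MFA Enabled" is derived from StrongAuthenticationMethods in the export script
        if ($first.'MFA Enabled' -ne 'True')        { $reasons += 'no MFA method registered' }
        if ($first.PasswordNeverExpires -eq 'True') { $reasons += 'password never expires' }

        # Assumption: an account synced from on-premises AD is a regular user account
        if ($roles -contains 'Company Administrator' -and $first.isSynced -eq 'True') {
            $reasons += 'Global Admin held by a synced user account'
        }

        if ($reasons) {
            [pscustomobject]@{
                UPN     = $_.Name
                Roles   = $roles -join '; '
                Finding = $reasons -join '; '
            }
        }
    }
}

Get-AdminFinding -Rows $rows | Format-Table -AutoSize -Wrap
```

With the constructed rows, alice@example.com and bob.admin@example.com are reported, while alice.admin@example.com and the service principal are not.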

Resources

o365globaladmins.txt · Last modified: 2021/09/24 00:25 (external edit)