With an Office 365 Skype for Business Online (SfB Online) tenant that has several SfB Administrators, I frequently need to review who has Administrator access – that is – who has the ability to see, and change, SfB settings. This includes everything from SfB service settings, user settings, to permission changes. This blog entry explains the basics for Skype for Business Online administrator permissions and how to easily review them.
SfB Online Administrator permissions leverage the default Office 365 Admin Roles and their associated Permissions in Office 365. Office 365 has predefined administrator roles, and each role has a set of permissions which allow the Office 365 user with that Admin role to do specific actions in SfB Online (i.e. access to specific objects or configuration data).
The question then becomes, which Office 365 Admin Roles grant Skype for Business administrator access?
In the Office 365 Admin Center, these O365 admin roles have SfB admin permissions:
- Global administrator
- User management administrator
- Password administrator
- Skype for Business administrator
You can use either the Office 365 Admin Center or PowerShell (via the Skype for Business Online Connector module) to set these permissions.
- One of the big surprises I learned is that all of the above O365 roles grant full access to Skype for Business Online! In other words, there is no difference in administrative access between those roles; any user that has one of those roles assigned has full administrative access to Skype for Business Online settings.
- Another key point is that the first 3 default O365 admin roles grant access to other parts of the O365 tenant, whereas the Skype for Business administrator role limits the administrator assigned to it to read/write access to SfB Online settings and read-only access to the other Office 365 organization and user information.
- The above pre-defined Office 365 administrator role names in the O365 Admin Center differ slightly from the equivalent role names used when using PowerShell (more information on this later).
Using the Office 365 Admin Center
To view and set SfB Online Administrator permissions in the Office 365 portal, navigate to the “Users | Active Users” node (as of March 2016). This provides the ability to view which O365 users have been assigned predefined O365 Administrator roles. The available views are shown here:
In this view, any O365 user that has been assigned either the “Global admins”, “User management admins”, or “Password admins” roles will have SfB Online Administrator access.
To confuse matters, there is a “Skype for Business administrator” role, but it is not available in this view; however, you can view whether a user has this role, and assign or remove it, by editing the individual O365 user and selecting Roles as shown here:
You can also see this by selecting “EDIT USER ROLES” in the right-hand pane when you have selected a specific user.
As you can see, trying to answer the question “Who has SfB Administrator access” is cumbersome in the O365 Admin Center. PowerShell to the rescue.
To administer SfB Online via PowerShell you use the Skype for Business Online Connector Module and establish a session to your corresponding O365 tenant. This process is described here: Connecting to Skype for Business Online by using Windows PowerShell.
In PowerShell, SfB Online admin access for a user equates to having one of these 4 roles assigned to their O365 user account:
- “Company Administrator” = the role name representing Global Administrators
- “Lync Service Administrator” = the role name representing Skype for Business Administrators
- “User Account Administrator” = the role name representing User Management
- “Helpdesk Administrator” = this corresponds to the O365 Admin center role “Password administrator”
If you frequently need to see who holds any of these Administrator roles, you are best to script it in PowerShell so that it is easily accessible.
Unfortunately there is no single cmdlet which lists all of the O365 admin roles assigned to a particular Office 365 user, so we are going to have to enumerate the membership of the four O365 Admin roles that correspond to SfB administrative permissions.
I wrote a PowerShell script to do that here:
```powershell
function Enumerate_SfBAdminRole {
    param(
        [Parameter(Mandatory = $true)]
        [string]$AdminRole
    )
    # Resolve the role by its PowerShell name, then list the accounts that hold it
    $o365AdminRole = Get-MsolRole -RoleName $AdminRole
    $o365Admins = Get-MsolRoleMember -RoleObjectId $o365AdminRole.ObjectId
    $o365Admins | Select-Object DisplayName, EmailAddress, IsLicensed, RoleMemberType
}

# The *-Msol* cmdlets come from the MSOnline module; sign in to the tenant first
Import-Module MSOnline
$cred = Get-Credential
Connect-MsolService -Credential $cred
Enumerate_SfBAdminRole -AdminRole "Company Administrator"
Enumerate_SfBAdminRole -AdminRole "User Account Administrator"
Enumerate_SfBAdminRole -AdminRole "Lync Service Administrator"
Enumerate_SfBAdminRole -AdminRole "Helpdesk Administrator"
```
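For a recurring access review, the four separate listings can be merged into one row per account. The following is an added example, not the author's script: it assumes an existing Connect-MsolService session, and the function name Get-SfBAdminAccessReport and the SfBScopedOnly column are hypothetical names introduced here. It marks the accounts whose only role is the SfB-scoped one, so the accounts holding one of the three broader roles sort to the top.

```powershell
# Added example (not the blog author's script). Assumes Connect-MsolService has already succeeded.
# PowerShell role name -> O365 Admin Center role name, as listed in this post.
$SfBAdminRoles = [ordered]@{
    'Company Administrator'      = 'Global administrator'
    'User Account Administrator' = 'User management administrator'
    'Helpdesk Administrator'     = 'Password administrator'
    'Lync Service Administrator' = 'Skype for Business administrator'
}

function Get-SfBAdminAccessReport {
    # Collect one record per (role, member) pair across the four roles.
    $assignments = foreach ($roleName in $SfBAdminRoles.Keys) {
        $role = Get-MsolRole -RoleName $roleName
        if (-not $role) { Write-Warning "Role '$roleName' not found in this tenant"; continue }
        Get-MsolRoleMember -RoleObjectId $role.ObjectId -All | ForEach-Object {
            [pscustomobject]@{
                ObjectId       = $_.ObjectId
                DisplayName    = $_.DisplayName
                EmailAddress   = $_.EmailAddress
                IsLicensed     = $_.IsLicensed
                RoleMemberType = $_.RoleMemberType
                Role           = $roleName
            }
        }
    }
    # Pivot to one row per principal, so an account holding several roles appears once.
    $assignments | Group-Object ObjectId | ForEach-Object {
        $first = $_.Group[0]
        $roles = @($_.Group.Role | Sort-Object -Unique)
        [pscustomobject]@{
            DisplayName      = $first.DisplayName
            EmailAddress     = $first.EmailAddress
            RoleMemberType   = $first.RoleMemberType
            IsLicensed       = $first.IsLicensed
            Roles            = $roles -join '; '
            AdminCenterRoles = ($roles | ForEach-Object { $SfBAdminRoles[$_] }) -join '; '
            # True when the only role held is the SfB-scoped one described in this post.
            SfBScopedOnly    = ($roles.Count -eq 1 -and $roles[0] -eq 'Lync Service Administrator')
        }
    } | Sort-Object SfBScopedOnly, DisplayName
}

Get-SfBAdminAccessReport | Format-Table -AutoSize -Wrap
# To compare against the previous review, keep a dated copy:
# Get-SfBAdminAccessReport | Export-Csv ".\SfBAdmins-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Rows with SfBScopedOnly set to False are the ones to check first, since those accounts can also change settings outside Skype for Business Online.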