Background

As organizations move more services to Office 365, we recommend they use checklists to perform daily, weekly, quarterly, and yearly tasks. One of the items that should be part of your quarterly checklist is validating administrator permissions. Permission validation is a bit different for each Office 365 service. Each of the sections below provides an independent script to export current permissions for a given Office 365 service.

Perform the following steps before executing the script.

Office 365 Permissions

There are two ways to retrieve the list of accounts that have been granted elevated privileges in Office. The primary method is through the admin page in Office 365. Under Users > Active Users, select the drop-down next to Views. Under Views you will find a list of pre-canned views showing members of specific admin roles.

The other method to find who has admin rights in Office 365 is by using Azure PowerShell. To get a list of users with admin roles, run the command below in PowerShell.

$cred = Get-Credential
Connect-MsolService -Credential $cred

# Get every admin role defined in the tenant
$role = Get-MsolRole | select Name

foreach ($Group in $role)
{
    $Name = $Group.Name
    # Look the role up by name to obtain its ObjectId
    $Admin = Get-MsolRole -RoleName $Name
    #write-host $admin.ObjectId
    $GroupName = Get-MsolRoleMember -RoleObjectId $Admin.ObjectId
    # Output the role name followed by its members
    $Name
    $GroupName
}

SharePoint Permissions

To find the administrators of all SharePoint sites, run the command below in PowerShell.

Note: Update the second line with your tenant name

$cred = Get-Credential
Connect-SPOService -Credential $cred -Url https://domain-admin.sharepoint.com

# Get the URL of every site collection in the tenant
$URL = Get-SPOSite | select URL

foreach ($Site in $URL)
{
    $Name = $Site.Url
    #$Admin = Get-MsolRole -RoleName $name
    #write-host $admin.ObjectId
    #$GroupName = Get-MsolRoleMember -RoleObjectId $admin.ObjectId
    # Print the site URL, then the users on that site
    Write-Host $Name
    Get-SPOUser -Site $Name | FT -AutoSize -Wrap
    #$GroupName
}

Exchange Permissions

To find the administrators that have access to Exchange Online, run the command below in PowerShell.

$UserCredential = Get-Credential

# Open a remote session to Exchange Online and import its cmdlets
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session

# Get every role group
$role = Get-RoleGroup | select Name

foreach ($Group in $role)
{
    $Name = $Group.Name
    # Collect the member names of this role group as text
    $Admin = Get-RoleGroupMember -Identity $Name | select Name | Out-String
    Write-Host "$Name"
    Write-Host "$Admin"
}

Compliance Management Permissions

To find administrators that have access to the Compliance and Security Center, run the command below in PowerShell.

$UserCredential = Get-Credential

# Open a remote session to the Compliance and Security Center and import its cmdlets
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session

# Get every role group
$role = Get-RoleGroup | select Name

foreach ($Group in $role)
{
    $Name = $Group.Name
    # Collect the member names of this role group as text
    $Admin = Get-RoleGroupMember -Identity $Name | select Name | Out-String
    Write-Host "$Name"
    Write-Host "$Admin"
}
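
A quarterly validation is easier to act on when each export is compared with the one from the previous quarter. The following is an added example, not part of the original scripts: it assumes the role membership printed by the scripts above has been flattened to one row per service, role and member, and the function name Compare-AdminAssignment and all sample accounts are constructed for illustration.

```powershell
# Constructed sample data: last quarter's approved assignments (baseline)
# and this quarter's export. Accounts and assignments are made up.
$baseline = @(
    [pscustomobject]@{ Service = 'Office365';  Role = 'Company Administrator';      Member = 'alice@contoso.example' }
    [pscustomobject]@{ Service = 'Office365';  Role = 'User Account Administrator'; Member = 'bob@contoso.example' }
    [pscustomobject]@{ Service = 'Exchange';   Role = 'Organization Management';    Member = 'alice@contoso.example' }
    [pscustomobject]@{ Service = 'Compliance'; Role = 'Reviewer';                   Member = 'carol@contoso.example' }
)
$current = @(
    [pscustomobject]@{ Service = 'Office365';  Role = 'Company Administrator';      Member = 'alice@contoso.example' }
    [pscustomobject]@{ Service = 'Office365';  Role = 'Company Administrator';      Member = 'dave@contoso.example' }
    [pscustomobject]@{ Service = 'Exchange';   Role = 'Organization Management';    Member = 'alice@contoso.example' }
    [pscustomobject]@{ Service = 'Exchange';   Role = 'Organization Management';    Member = 'bob@contoso.example' }
    [pscustomobject]@{ Service = 'Compliance'; Role = 'Reviewer';                   Member = 'carol@contoso.example' }
)

# Hypothetical helper: reports every assignment that was added or removed
# since the baseline. An account that moved between roles shows up twice,
# once as Removed (old role) and once as Added (new role).
function Compare-AdminAssignment {
    param(
        [Parameter(Mandatory)][object[]]$Baseline,
        [Parameter(Mandatory)][object[]]$Current
    )
    # Compare on the full (Service, Role, Member) tuple; string matching
    # is case-insensitive by default, so Bob@... and bob@... are equal.
    Compare-Object -ReferenceObject $Baseline -DifferenceObject $Current `
                   -Property Service, Role, Member |
        ForEach-Object {
            [pscustomobject]@{
                Change  = if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' }
                Service = $_.Service
                Role    = $_.Role
                Member  = $_.Member
            }
        } |
        Sort-Object Change, Service, Role, Member
}

# Each row is a change that needs an approval record or a removal
$drift = Compare-AdminAssignment -Baseline $baseline -Current $current
$drift | Format-Table -AutoSize
```

In practice the rows would be saved with Export-Csv after each review and loaded with Import-Csv as the next quarter's baseline.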