Microsoft Teams Users
For this blog post we will review admin Role management for Teams, with PowerShell, as well as the interconnects with Azure AD. In terms of users in Teams, there are a few levels of users that we can deal with and some of what is exposed in Teams is visible in PowerShell for backend configuration. First, let’s look at the different types of roles and then we can work with the PowerShell backend to manage these roles.
Administrator: Overall Teams Administrator
Owners: Able to perform operations either on all teams, some Teams or maybe at a channel level.
Users: Regular users that are granted access to Teams, Channels and other features within Teams.
Guest Users: Users that reside outside of the organization and have been invited into Teams to access one or more Teams.
Administrator Roles
An administrator in Office 365 can assume many roles. With respect to Microsoft Teams, there are two Management Roles that matter and those are Global Admin and Teams Service Admin. These roles can be assigned to a user in the Microsoft 365 Admin console under a user's properties.
As we can see, there are a few roles here. There are also other roles that can be assigned, with reduced permissions compared to those Administrator roles:
Where Can We Add Users in Teams?
In the Microsoft Teams client, if we are an administrator or owner of a Team, there are places where users can be added and granted visibility. For example, we can add a user to an existing Team. This user can be either a guest or a user with a full Azure AD account. We can do this in the web console as shown above, or we can do this by connecting to Azure AD with the Connect-MsolService cmdlet.
For the rest of this article we will concentrate on PowerShell and Teams-specific admin roles.
Like many workloads in Office 365, there are specific admin roles for Microsoft Teams as well. We can see these in the Microsoft 365 Admin Center when editing a user’s Admin Roles.
We can read more about these Teams-centric roles here:
https://docs.microsoft.com/en-us/MicrosoftTeams/using-admin-roles
PowerShell for assigning roles can be found here: (not the most obvious article …)
https://docs.microsoft.com/en-us/office365/enterprise/powershell/assign-roles-to-user-accounts-with-office-365-powershell
List all Roles accessible with PowerShell:
Get-MsolRole | Sort Name | Select Name,Description
Scripting Role Addition
If we want, we can add a user to a single role or multiple roles. Single is easier.
Add-MsolRoleMember -RoleMemberEmailAddress Damian@PracticalPowerShell.Com -RoleName 'Teams Communications Administrator'
If we want to populate all the Teams roles, we can use code like this:
$UPN = (get-msoluser -UserPrincipalName damian@practicalpowershell.com).UserPrincipalName
$Roles = (Get-MsolRole | Where {$_.Name -like 'Teams*'} | Sort Name | Select Name)
Foreach ($Role in $Roles) {
    # Add User to Teams Admin group:
    Add-MsolRoleMember -RoleMemberEmailAddress $UPN -RoleName $Role.Name
}
Let’s see if we can validate each step of this code block:
And then run the whole script:
… and no feedback. How do we verify this worked?
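# Get the Teams roles with their ObjectId (Select Name alone would drop it)
$Roles = Get-MsolRole | Where {$_.Name -like 'Teams*'} | Sort Name
Foreach ($Role in $Roles) {
    # Report who is in each Teams role
    $Name = $Role.Name
    Write-Host "$Name" -ForegroundColor Green
    Get-MsolRoleMember -RoleObjectId $Role.ObjectId.Guid | Fw EmailAddress
}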
Notice that the user is now in each Teams Role Group.
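Because Add-MsolRoleMember gives no feedback, the assignment and the verification can be combined into one step that reports a status per role. The following is an added example, not code from the original post: Add-TeamsAdminRole is a hypothetical helper name, and it assumes the MSOnline module is loaded and Connect-MsolService has already been run. It defaults to a single role rather than every Teams role, and supports -WhatIf so the change can be previewed.

```powershell
# Added example. Add-TeamsAdminRole is a hypothetical helper, not an MSOnline cmdlet.
# Assumes: MSOnline module loaded and an active Connect-MsolService session.
function Add-TeamsAdminRole {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        # Roles to grant; defaults to one role instead of every 'Teams*' role.
        [string[]]$RoleName = @('Teams Communications Administrator')
    )

    # Fail early if the account does not exist.
    $User = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop

    foreach ($Name in $RoleName) {
        $Role = Get-MsolRole -RoleName $Name
        if (-not $Role) {
            $Status = 'RoleNotFound'
        }
        else {
            # Check current membership by ObjectId so the call is safe to repeat.
            $Before = @(Get-MsolRoleMember -RoleObjectId $Role.ObjectId)
            if ($Before.ObjectId -contains $User.ObjectId) {
                $Status = 'AlreadyMember'
            }
            elseif ($PSCmdlet.ShouldProcess($UserPrincipalName, "Add to role '$Name'")) {
                Add-MsolRoleMember -RoleObjectId $Role.ObjectId `
                    -RoleMemberObjectId $User.ObjectId -ErrorAction Stop
                # Re-read the role to confirm the change instead of trusting silence.
                $After = @(Get-MsolRoleMember -RoleObjectId $Role.ObjectId)
                $Status = if ($After.ObjectId -contains $User.ObjectId) { 'Added' }
                          else { 'NotConfirmed' }
            }
            else {
                $Status = 'Skipped'   # -WhatIf was used or the prompt was declined
            }
        }
        [pscustomobject]@{
            User   = $User.UserPrincipalName
            Role   = $Name
            Status = $Status
        }
    }
}

# Preview against every Teams role without changing anything:
$TeamsRoles = (Get-MsolRole | Where {$_.Name -like 'Teams*'} | Sort Name).Name
Add-TeamsAdminRole -UserPrincipalName damian@practicalpowershell.com `
    -RoleName $TeamsRoles -WhatIf | Format-Table -AutoSize
```

Dropping -WhatIf applies the change; the Status column then shows Added or AlreadyMember for each role.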
Removing a User from the Roles
Removing a user from one of the Teams roles requires the use of the Remove-MsolRoleMember cmdlet. We simply need to provide a group name and email address of the user to remove:
Remove-MsolRoleMember -RoleName 'Teams Communications Administrator' -RoleMemberEmailAddress $UPN
No feedback is provided unless there is an issue with the removal.