Microsoft Teams Admin Roles (RBAC)

Matt Ellis
Sep 20, 2018 · 4 min read

Microsoft has finally put some structure around the administration of Teams, and this arrives in the form of four brand new admin roles.

While the Global Admin role still asserts its dominance over the Office 365 tenant, it is too powerful for most support circumstances, which made it difficult for companies with a delegation model to work with. The addition of these roles is likely to help organisations where greater control of rights and permissions is required…

New roles in Azure AD portal…
New roles in PowerShell…

Here’s a lowdown of the new roles:

Teams Service Administrator

This is the most powerful of the new roles. It enables you to manage the whole of your Microsoft Teams environment, from org-wide settings to all configuration and policies. It also allows you to manage and create the underlying Office 365 Groups in the tenant (this feature is due in October 2018). As well as everything in Microsoft Teams, it allows the management of associated policies and settings within Skype for Business Online. Admins with this role will see all the available tools and features within the Teams & Skype Admin Center.

An interesting note is that accounts assigned this role will be able to exceed the 250 team creation limit specified here.

Teams Communications Administrator

This is the second most powerful of the new roles. It allows the administrator to manage all calling and meetings features within Microsoft Teams. This includes the configuration of all calling and meeting policies in Skype for Business Online too. As for tools, you get access to Call Analytics as well as access to anything that involves calling. This includes things like the assigning of phone numbers or configuration of the new Direct Routing feature. In this role you do not get access to non-calling features such as messaging or guest access controls etc.

Teams Communications Support Engineer

This role gets you full access to the Call Analytics features in the Teams and Skype Admin Center in order to troubleshoot and diagnose issues. From what I can see so far, the Engineer role has the benefit of seeing all personally identifiable information (PII) in calls. So, names, phone numbers etc. It can also see ‘advanced’ and ‘debug’ level statistics. The specialist role cannot.

Teams Communications Support Specialist

This is the least powerful of the new roles. Like the engineer role above, it gets you access to the Call Analytics features in the Teams & Skype Admin Center but gives you less information. You get no PII data or advanced statistics. Whether this is enough to troubleshoot issues is up for debate — time will tell if this role is actually used that much.

Not sure if this is just me but in my opinion, ‘specialist’ implies a higher level of expertise than ‘engineer’ does. This doesn’t seem the right way round for me? Anyway, it’s no big deal.

As an example, below is what you’ll see as an ‘Engineer’ versus a ‘Specialist’ when viewing the details of a call.

Engineer (left) vs Specialist (right)

I’m not sure when the ability to assign these roles will hit the Office 365 Admin Portal and actually, whether it will or not. It might only be available via Azure AD and PowerShell. We’ll see.
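A least-privilege review of who holds these roles, as an added example that is not part of the original post. It treats the article's power ordering as a strict hierarchy (an assumption), uses constructed sample assignments, and the function name `Get-TeamsRoleReview` is hypothetical.

```powershell
# Power ordering taken from the article (4 = most powerful of the new roles).
# Treating it as a strict hierarchy is an assumption made for this review.
$RoleRank = @{
    'Teams Service Administrator'             = 4
    'Teams Communications Administrator'      = 3
    'Teams Communications Support Engineer'   = 2
    'Teams Communications Support Specialist' = 1
}
$GlobalAdmin  = 'Company Administrator'   # MSOnline name of the Global Admin role
$EngineerRole = 'Teams Communications Support Engineer'

function Get-TeamsRoleReview {
    param([Parameter(Mandatory)][object[]]$Assignment)
    foreach ($g in ($Assignment | Group-Object User)) {
        $roles = @($g.Group.Role | Sort-Object -Unique)
        $teams = @($roles | Where-Object { $RoleRank.ContainsKey($_) })
        $top   = $teams | Sort-Object { $RoleRank[$_] } -Descending | Select-Object -First 1
        $notes = @()
        if ($roles -contains $GlobalAdmin) {
            $notes += 'Global Admin: check whether a Teams role would cover the job'
        }
        if ($teams.Count -gt 1) {
            $notes += "Multiple Teams roles; highest is '$top'"
        }
        [pscustomobject]@{
            User        = $g.Name
            Roles       = $roles -join '; '
            # The article only confirms call PII visibility for the Engineer role.
            SeesCallPII = $roles -contains $EngineerRole
            Notes       = $notes -join ' | '
        }
    }
}

# Constructed sample data. For a live tenant, build the same User/Role objects with
# the MSOnline module: Get-MsolRole -RoleName <name>, then
# Get-MsolRoleMember -RoleObjectId <role ObjectId>, reading EmailAddress.
$sample = @(
    [pscustomobject]@{ User = 'alice@contoso.example'; Role = 'Company Administrator' }
    [pscustomobject]@{ User = 'bob@contoso.example';   Role = 'Teams Communications Support Specialist' }
    [pscustomobject]@{ User = 'bob@contoso.example';   Role = 'Teams Communications Support Engineer' }
    [pscustomobject]@{ User = 'carol@contoso.example'; Role = 'Teams Communications Administrator' }
)
Get-TeamsRoleReview -Assignment $sample | Format-Table -AutoSize -Wrap
```

With the sample data, bob is reported with `SeesCallPII` set, because the Engineer assignment overrides the restriction the Specialist role was meant to provide.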

The official Microsoft documentation can be found here:

365 UC

Stories from the world of UC by a bunch of UC professionals…
