Microsoft Teams Admin Roles (RBAC)

Microsoft has finally put some structure around the administration of Teams and this arrives in the form of 4 brand new admin roles.

While the Global Admin role still asserts its dominance over the Office 365 tenant, this was difficult for companies with a delegation model to work with as the Global Admin role is too powerful for most support circumstances. The addition of these roles are likely to help organisations where greater control of rights and permissions is required…

New roles in Azure AD portal…
New roles in PowerShell…

Here’s a lowdown of the new roles:

Teams Service Administrator

This is the most powerful of the new roles. It enables you to manage the whole of your Microsoft Teams environment from org-wide settings plus all configuration and policies. It also allows you to manage the creation and management of the underlying Office 365 Groups in the tenant (this feature is due in October 2018). As well as everything in Microsoft Teams, it also allows the management of associated policies and settings within Skype for Business Online. Admins with this role will see all the available tools and features within the Teams & Skype Admin Center.

An interesting note, is that accounts assigned this role will be able to exceed the 250 team creation limit specified here.

Teams Communications Administrator

This is the second most powerful of the new roles. It allows the administrator to manage all calling and meetings features within Microsoft Teams. This includes the configuration of all calling and meeting policies in Skype for Business Online too. As for tools, you get access to Call Analytics as well as access to anything that involves calling. This includes things like the assigning of phone numbers or configuration of the new Direct Routing feature. In this role you do not get access to non-calling features such as messaging or guest access controls etc.

Teams Communications Support Engineer

This role gets you full access to the Call Analytics features in the Teams and Skype Admin Center in order to troubleshoot and diagnose issues. From what I can see so far, the Engineer role has the benefit of seeing all personally identifiable information (PII) in calls. So, names, phone numbers etc. It can also see ‘advanced’ and ‘debug’ level statistics. The specialist role cannot.

Teams Communications Support Specialist

This is the least powerful of the new roles. Like the engineer role above, it gets you access to the Call Analytics features in the Teams & Skype Admin Center but gives you less information. You get no PII data or advanced statistics. Whether this is enough to troubleshoot issues is up for debate — time will tell if this role is actually used that much.

Engineer vs Specialist

Not sure if this is just me but in my opinion, ‘specialist’ implies a higher level of expertise than ‘engineer’ does. This doesn’t seem the right way round for me? Anyway, it’s no big deal.

As an example, below is what you’ll see as an ‘Engineer’ versus a ‘Specialist’ when viewing the details of a call.

Engineer (left) vs Specialist (right)

I’m not sure when the ability to assign these roles will hit the Office 365 Admin Portal and actually, whether it will or not. It might only be available via Azure AD and PowerShell. We’ll see.

The official Microsoft documentation can be found here: https://docs.microsoft.com/en-us/MicrosoftTeams/using-admin-roles