Managing Microsoft Teams with role-based admin groups

• Author
• Recent Posts

Jeff Brown

Jeff is a systems administrator and cloud engineer with over a decade of experience in server and application administration. He has managed a wide range of technologies in his career, including Windows Server, Microsoft 365. and Azure. Jeff has also created video-based training for Cybrary and PluralSight. You can follow Jeff on his blog at jeffbrown.tech, or feel free to contact him on Twitter at @jeffwbrown.

Latest posts by Jeff Brown (see all)

• Manage Azure Policy using Terraform - Tue, Aug 2 2022
• Getting started with Terraform in Azure - Tue, Jul 12 2022
• Azure Bicep: Getting started guide - Fri, Nov 19 2021

As Microsoft Teams continues to evolve in Office 365, it is gaining feature parity with its counterpart Skype for Business Online. In addition to feature parity, Microsoft Teams is also gaining new features never deployed in Skype for Business Online. One feature released this year is role-based access control (RBAC) administrator groups. These groups allow for different levels of access for managing Microsoft Teams, from an all-access admin group to tier 1 or 2 helpdesk-type groups. This post will cover how to assign these groups and what admin features are currently available to them.

First, let's cover the four groups:

The primary difference between the Support Engineer and the Support Specialist is the Engineer can view full details inside Call Analytics for the users or the participants in their meetings. The Support Specialist can only view the specific user's data inside Call Analytics. This prevents first-tier support from seeing information they may not need to know about for troubleshooting a poor call, such as the participants in an executive meeting. We'll highlight what this difference looks like later in this post.

Next, let's look at how to assign admins to these groups. You'll need to be a global administrator in the tenant to assign admin roles. There are two different places to add an admin to these roles. The first is the Office 365 admin center (https://admin.microsoft.com). Select Users on the left-side navigation, search for the user to modify, and then select the user's name. On the user's information page, next to Roles, select Edit (if Edit is missing, you are not a global admin). Choose Customized administrator, and the Teams admin roles are near the bottom. Select one or more desired roles, and then click Save.

Assigning admin roles in the Office 365 admin center

The second place to assign an admin role is in the Microsoft Azure Portal (https://portal.azure.com). On the left side, select Azure Active Directory and then Roles and administrators under Manage. From here, you can view the Teams admin roles on the right. Select the desired role, click the plus sign labeled Add member, search for the user to add, and then click Select. You can add multiple users at once to a single group.

Navigating to Roles and administrators in Azure Portal

Adding a member to an administrator role in Azure Portal

Now let's see what's available in the Microsoft Teams and Skype for Business admin center (https://admin.teams.microsoft.com). Starting with the Teams Communications Support Specialist, this role will have the fewest options available. The dashboard will allow the support specialist to search for users or view all users to troubleshoot the quality of their calls. However, it will obfuscate the other people the user has called or participated in meetings with, displaying them as INTERNAL or EXTERNAL.

Support specialist limited details

Then there is the Teams Communications Support Engineer. The admin center will initially look the same with only the option to search for users. However, this time the support engineer will be able to view the full call detail record including advanced quality of experience data.

Support engineer full details

Support engineer advanced quality data

Next, the Teams Communications Administrator has a few additional menu options. In addition to the call detail and quality data, this admin will be able to manage IP address and location mapping information as well as settings related to meetings. These include the management of conference bridges, meeting policies and settings, and live events policies. Missing right now are settings related to managing voice, such as assigning phone numbers to users, managing calling policies, and emergency locations options. You still need to manage these in the legacy Skype for Business admin center, but check back on a regular basis because they will be available in the future.

Teams communications administrator dashboard menu

Finally, there is the Teams Service Administrator. This administrator role can manage and modify all aspects of Microsoft Teams. These include creating and configuring teams, Office 365 groups, devices, meetings and messaging policies, and organization-wide settings, such as external and guest access and upgrade options. As with the communications administrator, currently missing are voice-related settings; more settings will likely come in the future.

Teams service administrator dashboard menu

One final interesting note—these Teams-specific admin roles do not grant permissions to other Skype for Business portals, such as the legacy Skype for Business admin center or the Call Quality Dashboard. When logging into the new modern admin center as both a Teams Service Administrator and a Skype for Business administrator, these additional menu options are available. While Teams and Skype may be similar, giving access to one doesn't necessarily translate in access to the other. If you are a current Skype for Business administrator in your tenant, be sure to request an additional Teams admin role.

While these are the options available now, they will change in the future. The modern Teams and Skype admin center is still missing some core voice management features, such as the ability to provision new phone numbers, create dial plans, and manage emergency locations. As new options become available, it's a good idea to review what access each role has to determine whether to modify group memberships.