Managing Microsoft Teams with role-based admin groups

Earlier this year, Microsoft released new admin roles for Microsoft Teams. This feature allows Office 365 tenant administrators to limit the scope of actions available to other administrators in the modern Teams and Skype for Business admin center. This post will go over how to assign these new roles and show what administrative controls are currently available.

As Microsoft Teams continues to evolve in Office 365, it is gaining feature parity with its counterpart Skype for Business Online. In addition to feature parity, Microsoft Teams is also gaining new features never deployed in Skype for Business Online. One feature released this year is role-based access control (RBAC) administrator groups. These groups allow for different levels of access for managing Microsoft Teams, from an all-access admin group to tier 1 or 2 helpdesk-type groups. This post will cover how to assign these groups and what admin features are currently available to them.

First, let's cover the four groups:

Teams Service AdministratorCan manage the Microsoft Teams service and all of its features as well as Office 365 groups
Teams Communications AdministratorCan manage calling and meetings features and policies
Teams Communications Support EngineerCan access a user's profile page with call history (with full details of participants) and advanced quality of experience data
Teams Communications Support SpecialistCan access a user's profile page with anonymized participant data and quality information

The primary difference between the Support Engineer and the Support Specialist is the Engineer can view full details inside Call Analytics for the users or the participants in their meetings. The Support Specialist can only view the specific user's data inside Call Analytics. This prevents first-tier support from seeing information they may not need to know about for troubleshooting a poor call, such as the participants in an executive meeting. We'll highlight what this difference looks like later in this post.

Next, let's look at how to assign admins to these groups. You'll need to be a global administrator in the tenant to assign admin roles. There are two different places to add an admin to these roles. The first is the Office 365 admin center (https://admin.microsoft.com). Select Users on the left-side navigation, search for the user to modify, and then select the user's name. On the user's information page, next to Roles, select Edit (if Edit is missing, you are not a global admin). Choose Customized administrator, and the Teams admin roles are near the bottom. Select one or more desired roles, and then click Save.

Assigning admin roles in the Office 365 admin center

Assigning admin roles in the Office 365 admin center

The second place to assign an admin role is in the Microsoft Azure Portal (https://portal.azure.com). On the left side, select Azure Active Directory and then Roles and administrators under Manage. From here, you can view the Teams admin roles on the right. Select the desired role, click the plus sign labeled Add member, search for the user to add, and then click Select. You can add multiple users at once to a single group.

Navigating to Roles and administrators in Azure Portal

Navigating to Roles and administrators in Azure Portal

Adding a member to an administrator role in Azure Portal

Adding a member to an administrator role in Azure Portal

Now let's see what's available in the Microsoft Teams and Skype for Business admin center (https://admin.teams.microsoft.com). Starting with the Teams Communications Support Specialist, this role will have the fewest options available. The dashboard will allow the support specialist to search for users or view all users to troubleshoot the quality of their calls. However, it will obfuscate the other people the user has called or participated in meetings with, displaying them as INTERNAL or EXTERNAL.

Support specialist limited details

Support specialist limited details

Then there is the Teams Communications Support Engineer. The admin center will initially look the same with only the option to search for users. However, this time the support engineer will be able to view the full call detail record including advanced quality of experience data.

Support engineer full details

Support engineer full details

Support engineer advanced quality data

Support engineer advanced quality data

Next, the Teams Communications Administrator has a few additional menu options. In addition to the call detail and quality data, this admin will be able to manage IP address and location mapping information as well as settings related to meetings. These include the management of conference bridges, meeting policies and settings, and live events policies. Missing right now are settings related to managing voice, such as assigning phone numbers to users, managing calling policies, and emergency locations options. You still need to manage these in the legacy Skype for Business admin center, but check back on a regular basis because they will be available in the future.

Teams communications administrator dashboard menu

Teams communications administrator dashboard menu

Finally, there is the Teams Service Administrator. This administrator role can manage and modify all aspects of Microsoft Teams. These include creating and configuring teams, Office 365 groups, devices, meetings and messaging policies, and organization-wide settings, such as external and guest access and upgrade options. As with the communications administrator, currently missing are voice-related settings; more settings will likely come in the future.

Teams service administrator dashboard menu

Teams service administrator dashboard menu

One final interesting note—these Teams-specific admin roles do not grant permissions to other Skype for Business portals, such as the legacy Skype for Business admin center or the Call Quality Dashboard. When logging into the new modern admin center as both a Teams Service Administrator and a Skype for Business administrator, these additional menu options are available. While Teams and Skype may be similar, giving access to one doesn't necessarily translate in access to the other. If you are a current Skype for Business administrator in your tenant, be sure to request an additional Teams admin role.

While these are the options available now, they will change in the future. The modern Teams and Skype admin center is still missing some core voice management features, such as the ability to provision new phone numbers, create dial plans, and manage emergency locations. As new options become available, it's a good idea to review what access each role has to determine whether to modify group memberships.

Want to write for 4sysops? We are looking for new authors.

Read 4sysops without ads and for free by becoming a member!

0
Share
0 Comments

Leave a reply

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2020

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account