I suggest you ...

← Public

More granular admin RBAC

Right now there are four Teams admin roles available.
It would be great if there was an option to create customized admin roles via PowerShell with a specific user scope. This would allow a customized admin group/role.

E.g. for a medium to large orgs sometimes certain user settings should be manageable at a branch site by a branch site admin or a certain manager. However, the customized branch site admin must not manage and not see other users which are out of his/her admin scope.

It would be very nice and helpful to have a cmdlet to create customized admin role with a scope based on users within a specific AD/AAD user group (e.g. a security group in Azure AD or dynamic Azure AD group). In enterprises with subsidaries (different legal entities) this can be handy to avoid a multi-tenant for that enterprise's subsidaries, at least for Teams/O365 groups.

115 votes

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close

We’ll send you updates on this idea

erik365.blog shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

15 comments

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Ali Dodd commented  ·   ·  Flag as inappropriate

    The current roles are very much slanted towards teams teams voice capabilities. For an organisation who needs people to support teams channels, groups and members they are either too narrow or they give way too much rights. I was looking at custom roles in PIM and this doesn't help at all as this seems to be very limited to application controls. I'm nagged every five minutes to use PIM but it does do what we need.

  • Daniel commented  ·   ·  Flag as inappropriate

    As long as Teams is not doing this automatically, our help desk must be able to enable users for Teams Direct Routing and they must be able to assign phone numbers. The current roles grant too many permissions that are potentially harmful in the wrong hands. We can't risk breaking telephony for >1000 employees because a help desk user changed a Teams-DR setting or a Teams policy. We need the flexibility and granularity that come with Exchange-RBAC: Being able to very granularily grant users access to specific functions / PowerShell cmdlets in Teams.

  • Anonymous commented  ·   ·  Flag as inappropriate

    We have some specific requirements also that mean we need certain individuals in the company to be able to view only the teams voice settings since we use direct routing, at present we cannot do this without giving admin access which is not what we want, we also want to give granular access only to the voice section of teams admin RBAC would be ideal here.

  • Osman Sharif commented  ·   ·  Flag as inappropriate

    Teams RBAC roles are highly needed for enterprise companies also the inclusion of more granular roles or maybe the ability to create custom roles via "Roles and Administrators" in Azure Active Directory etc

  • Anonymous commented  ·   ·  Flag as inappropriate

    Currently in order to create Teams in Teams Admin Center we need to grant access to user as Teams Service Administrator. We require a new role where Teams Group Admin can create Teams without access to org-wide settings.

  • Lawrence Frias commented  ·   ·  Flag as inappropriate

    +1 Vote from me. Looking to create a Teams Channel Administrator role (or something like that) to grant support personnel the ability to manage Team and channel membership.

  • Ben commented  ·   ·  Flag as inappropriate

    there should be a role that can edit a users policy assignments without being able to edit the policies!

  • Anonymous commented  ·   ·  Flag as inappropriate

    This is becoming more important with the use of Teams Rooms and devices.

    For example it is important to allow on site support to update and change device settings without granting them full access over all devices and users.

  • James Hooper commented  ·   ·  Flag as inappropriate

    Integration of Teams RBAC roles within Admin units would be ideal but also the inclusion of more granular roles or maybe the ability to create custom roles via "Roles and Administrators" in Azure Active Directory

  • Paul Marskell commented  ·   ·  Flag as inappropriate

    Agree the current RBAC for Teams Admin is too broad and needs to be cut down, to allow more granular allocation in large organisations. Is this being considered at all?

  • Rich Wells commented  ·   ·  Flag as inappropriate

    This is a desperate need. Currently it's mostly all or nothing and quite insecure. Helpdesk users are particularly singled out. More granular permissions please.

  • Raul Villegas commented  ·   ·  Flag as inappropriate

    Currently in order to get access to Devices in admin center we need to grant access to user as Teams Service Administrator. We require a new role were Device admin can only have access Devices only.

  • Donia Lava commented  ·   ·  Flag as inappropriate

    We need a Read-Only Admin for Teams, and we are fine with creating the role, but the underlying mechanism to create RBAC roles in Teams should be made available first, much in the same way like Exchange Online.

    For example the following command gives a blank/null output:

    Get-ManagementRole -Cmdlet Get-Team

    At present, it appears that custom roles cannot be created using RBAC principles in Teams.
    Please provide that option.

Forum Home

Reference Information for Teams

Public: IT Pro

Categories

Feedback and Knowledge Base

(thinking…)

More Teams Information