More granular admin RBAC
Right now there are four Teams admin roles available.
It would be great if there was an option to create customized admin roles via PowerShell with a specific user scope. This would allow a customized admin group/role.
E.g. for medium to large orgs, sometimes certain user settings should be manageable at a branch site by a branch site admin or a certain manager. However, the customized branch site admin must not manage or see other users who are outside his/her admin scope.
It would be very nice and helpful to have a cmdlet to create a customized admin role with a scope based on users within a specific AD/AAD user group (e.g. a security group in Azure AD or dynamic Azure AD group). In enterprises with subsidiaries (different legal entities) this can be handy to avoid a multi-tenant for that enterprise's subsidiaries, at least for Teams/O365 groups.
Ali Dodd commented
The current roles are very much slanted towards Teams voice capabilities. For an organisation that needs people to support Teams channels, groups and members, they are either too narrow or they give way too many rights. I was looking at custom roles in PIM and this doesn't help at all as this seems to be very limited to application controls. I'm nagged every five minutes to use PIM but it does do what we need.
As long as Teams is not doing this automatically, our help desk must be able to enable users for Teams Direct Routing and they must be able to assign phone numbers. The current roles grant too many permissions that are potentially harmful in the wrong hands. We can't risk breaking telephony for >1000 employees because a help desk user changed a Teams-DR setting or a Teams policy. We need the flexibility and granularity that come with Exchange-RBAC: being able to very granularly grant users access to specific functions / PowerShell cmdlets in Teams.
We also have some specific requirements that mean we need certain individuals in the company to be able to view only the Teams voice settings, since we use direct routing. At present we cannot do this without giving admin access, which is not what we want. We also want to give granular access only to the voice section of Teams admin; RBAC would be ideal here.
Osman Sharif commented
Teams RBAC roles are highly needed for enterprise companies, as is the inclusion of more granular roles or maybe the ability to create custom roles via "Roles and Administrators" in Azure Active Directory, etc.
Currently, in order to create Teams in Teams Admin Center, we need to grant access to the user as Teams Service Administrator. We require a new role where a Teams Group Admin can create Teams without access to org-wide settings.
Lawrence Frias commented
+1 Vote from me. Looking to create a Teams Channel Administrator role (or something like that) to grant support personnel the ability to manage Team and channel membership.
There should be a role that can edit a user's policy assignments without being able to edit the policies!
This is becoming more important with the use of Teams Rooms and devices.
For example, it is important to allow on-site support to update and change device settings without granting them full access over all devices and users.
James Hooper commented
Integration of Teams RBAC roles within Admin units would be ideal, but also the inclusion of more granular roles or maybe the ability to create custom roles via "Roles and Administrators" in Azure Active Directory.
Paul Marskell commented
Agree, the current RBAC for Teams Admin is too broad and needs to be cut down to allow more granular allocation in large organisations. Is this being considered at all?
Implement with Azure AD Administrative Units
Rich Wells commented
This is a desperate need. Currently it's mostly all or nothing and quite insecure. Helpdesk users are particularly singled out. More granular permissions please.
Raul Villegas commented
Currently, in order to get access to Devices in admin center, we need to grant access to the user as Teams Service Administrator. We require a new role where a Device admin can have access to Devices only.
Integration with Azure AD Administrative Units would be ideal.
Donia Lava commented
We need a Read-Only Admin for Teams, and we are fine with creating the role, but the underlying mechanism to create RBAC roles in Teams should be made available first, much in the same way as Exchange Online.
For example, the following command gives a blank/null output:
Get-ManagementRole -Cmdlet Get-Team
At present, it appears that custom roles cannot be created using RBAC principles in Teams.
Please provide that option.