If you want to quickly get a list of all users in your tenant that hold an administrator role, you can use the following method.
It lists not only Global Admins, but also Exchange Admins, SharePoint Admins, and the members of every other admin role defined in your tenant.
This is useful for spotting users who have access they should not have, or should no longer have. It is therefore recommended to run this script periodically and review the result.
If you do not have the MSOnline PowerShell module installed, follow this instruction first.
Generating the list
- Connect to the MSOL service
Connect-MsolService
- Use the Get-MsolRoleMember cmdlet for every role returned by Get-MsolRole
Get-MsolRole | ForEach-Object { $role = $_.Name; Get-MsolRoleMember -RoleObjectId $_.ObjectId } | Select-Object @{Name="Role"; Expression={$role}}, DisplayName, EmailAddress, UserPrincipalName | Format-Table -AutoSize -Wrap
The Get-MsolRoleMember cmdlet uses the RoleObjectId to tell the roles apart. It is worth knowing that these Ids are the same across all tenants. For example, the Id of the Global Admin role is always 62e90394-69f5-4237-9190-012177145e10. So no matter which tenant you connect to, if you are in a hurry and need to find the Global Admin accounts, you can use this:
Get-MsolRoleMember -RoleObjectId 62e90394-69f5-4237-9190-012177145e10
(Very) high-risk admin ObjectIds
A list of other useful (very high-risk) admin ObjectIds to keep an eye on:
ObjectId | Role
29232cdf-9323-42fd-ade2-1d097af3e4de | Exchange Admin
f2ef992c-3afb-46b9-b7cf-a126ee74c451 | Global Reader
194ae4cb-b126-40b2-bd5b-6091b380977d | Security Admin
f28a1f50-f6e7-4571-818b-6a12f2af6b6c | SharePoint Admin
e8611ab8-c189-46e8-94e1-60213ab1f814 | Privileged Role Admin
b1be1c3e-b65d-4f19-8427-f6fa0d97feb9 | Conditional Access Admin
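Putting the steps above together for the periodic review the post recommends, here is an added example (not code from the original post) that enumerates every role once, flags members of the high-risk roles listed above, exports the result to CSV, and compares it with the previous run. It assumes the MSOnline module is loaded, Connect-MsolService has already been run, and the CSV file names are free to choose.

```powershell
# Added example, not from the original post. Assumes Connect-MsolService was already run.
# The ObjectIds below are the role Ids listed on this page (same in every tenant).
$HighRiskRoles = @{
    '62e90394-69f5-4237-9190-012177145e10' = 'Global Admin'
    '29232cdf-9323-42fd-ade2-1d097af3e4de' = 'Exchange Admin'
    'f2ef992c-3afb-46b9-b7cf-a126ee74c451' = 'Global Reader'
    '194ae4cb-b126-40b2-bd5b-6091b380977d' = 'Security Admin'
    'f28a1f50-f6e7-4571-818b-6a12f2af6b6c' = 'SharePoint Admin'
    'e8611ab8-c189-46e8-94e1-60213ab1f814' = 'Privileged Role Admin'
    'b1be1c3e-b65d-4f19-8427-f6fa0d97feb9' = 'Conditional Access Admin'
}

# One object per (role, member) pair, flagged when the role is in the high-risk set.
$report = foreach ($role in Get-MsolRole) {
    $roleId = $role.ObjectId.ToString()
    foreach ($member in Get-MsolRoleMember -RoleObjectId $role.ObjectId) {
        [pscustomobject]@{
            Role              = $role.Name
            RoleObjectId      = $roleId
            HighRisk          = $HighRiskRoles.ContainsKey($roleId)
            MemberType        = $member.RoleMemberType   # User, Group or ServicePrincipal
            DisplayName       = $member.DisplayName
            UserPrincipalName = $member.UserPrincipalName
            EmailAddress      = $member.EmailAddress
        }
    }
}

# Show high-risk assignments first, then keep the full list for the next comparison.
$report | Sort-Object @{Expression='HighRisk'; Descending=$true}, Role, DisplayName |
    Format-Table Role, HighRisk, MemberType, DisplayName, UserPrincipalName -AutoSize -Wrap

$stamp = Get-Date -Format 'yyyyMMdd'                    # file naming is an assumption
$report | Export-Csv -Path ".\msol-admins-$stamp.csv" -NoTypeInformation

# Diff against the most recent earlier export: '=>' means newly assigned, '<=' means removed.
$previous = Get-ChildItem '.\msol-admins-*.csv' |
    Where-Object Name -ne "msol-admins-$stamp.csv" | Sort-Object Name | Select-Object -Last 1
if ($previous) {
    $old = Import-Csv $previous.FullName
    Compare-Object $old $report -Property Role, UserPrincipalName, DisplayName |
        Select-Object Role, UserPrincipalName, DisplayName,
            @{Name='Change'; Expression={ if ($_.SideIndicator -eq '=>') { 'added' } else { 'removed' } }}
}
```

Any row marked "added" for a high-risk role is the one to follow up on, since that is exactly the access change the periodic check is meant to catch.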