Summit 7 Team Blogs

Delegate SharePoint Online Administration Without Tenant Admin!

As I'm sure you know, Office 365 is a pretty incredible product. Honestly, Microsoft has knocked it out of the park with the platform. It really is impressive what they have accomplished, and it's pretty wild to think that we're still pretty early in the product's lifecycle. Every business really should be seriously considering how they can be taking advantage of Office 365's rich offerings.

As we've been working with our Office 365 customers, we've struggled with a limitation in the administrative platform: the lack of delegated administration for SharePoint Online. Many companies, both large and small, have a different set of owners/administrators for SharePoint Online than for the tenant as a whole. These SharePoint people, be it your internal team or partners like Summit 7, need to access the SharePoint Online equivalent of Central Administration: the SharePoint Admin Center. However, they would have to be a Tenant Administrator in order to access it or interact with SharePoint Online via PowerShell. This can cause a lot of heartburn to organizations with a distributed Office 365 administration model.

But not anymore.

Thankfully, Microsoft has heard our cries for mercy and has made it possible for users to have SharePoint Online administrative privileges without being full tenant admins. We can now grant users access to the SharePoint Admin Center without giving them the keys to the kingdom. This is really great news. Thank you, Microsoft!

In this article, I will show you how to delegate admin rights to SharePoint Online. As of when this article is being written, there is currently no user interface to grant these rights. There actually was one in the Office 365 admin portal for a very brief window, but it was removed. Microsoft giveth and Microsoft taketh away. Despite the lack of user interface ("GUI? We don't need no stink' GUI!"), it is still possible to grant the rights via our favorite tool: PowerShell. If you know me, there's no way I can write anything without injecting some PowerShell somewhere.

The first step is to configure your client. Please see https://msdn.microsoft.com/en-us/library/azure/jj151815.aspx for instructions on how to install the Azure AD PowerShell module. You will first need to install the "Microsoft Online Services Sign-In Assistant for IT Professionals" (Microsoft does love long names). Then, you install the "Azure Active Directory Module for Windows PowerShell." You might as well go ahead and install the "SharePoint Online Management Shell" while you're at it (see https://technet.microsoft.com/en-us/library/fp161372.aspx for more). Once these are installed, you should be good to go. You will, however, need to run the commands using tenant administrator credentials.

Open a PowerShell command prompt with elevated privileges (run as administrator). We'll be doing everything at this prompt.

First, run Connect-MsolService and enter tenant administrator credentials. You need to use a tenant admin account in order to delegate the permissions. Enter the login/password as you would if you are signing into Office 365 (enter an email address). Now comes the good stuff.

First, let's take a look at the roles available for delegation. To do so, run

Get-MsolRole | ft -AutoSize

You will see the following:

The role we're going to be using is "SharePoint Service Administrator," but notice the others listed (Lync Service Administrator, Exchange Service Administrator, etc.). Although I have not tested delegating these privileges, I'm pretty confident that they should work the same as with SharePoint Online.

Next, let's see who currently has been given SharePoint Online admin rights. To do so, run

Get-MsolRoleMember -RoleObjectId (Get-MsolRole -RoleName "SharePoint Service Administrator").ObjectId | ft -AutoSize

You should see something like the following:

You can see here that the excellent Michael Pigott (read his blogs here) has been delegated SharePoint Online admin rights.

In our little demo, I want to add another Summit 7 employee, Neal Hicks. First off, if he were to try and load the SharePoint Admin Center (https://[YourTenant]-admin.sharepoint.com), he would see this:

Additionally, he would not have the "Admin" app in his App Launcher while logged in to Office 365.

To grant Neal SharePoint Online admin rights, all I need to do is run the following to add him to the SharePoint Service Administrator role:

Add-MsolRoleMember -RoleName "SharePoint Service Administrator" -RoleMemberEmailAddress "neal.hicks@summit7systems.com"

Just change the RoleMemberEmailAddress parameter to the email address of the person you want to add as an administrator.

After this has been run, we can run our previous Get-MsolRoleMember command (just hit the up arrow a couple of times) to verify Neal has been added. As you can see, he is now listed as a SharePoint Service Administrator.

Once Neal logs out and then back on again, he will see the Admin app in his App Launcher. If he clicks it, he should be taken to the SharePoint Admin Center. As you can see here (because he doesn't have a picture set, he clicked on his name to prove that it's really him), Neal now has access:

To remove a user's SharePoint Online admin access, we simply run the Remove-MsolRoleMember command like so (just change the Add- to Remove-):

Remove-MsolRoleMember -RoleName "SharePoint Service Administrator" -RoleMemberEmailAddress "neal.hicks@summit7systems.com"
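The whole procedure above (connect, review the role, add a member, verify) wrapped into one script, as an added example that is not from the original post. It assumes the Azure AD (MSOnline) module is installed and that you run it with tenant administrator credentials; the e-mail address and the function names are placeholders I made up for the example.

```powershell
# Added example (not from the original post): delegate the SharePoint Service
# Administrator role idempotently and report who holds each *Service Administrator
# role before and after. Assumes the MSOnline module and tenant admin credentials.
# The e-mail address below is a constructed placeholder.
param(
    [string]$UserEmail = "sharepoint.admin@example.com",
    [string]$RoleName  = "SharePoint Service Administrator"
)

Connect-MsolService   # prompts for tenant administrator credentials

function Get-ServiceAdminReport {
    # One row per (role, member) for every "... Service Administrator" role,
    # which is the review a tenant admin wants to keep for audit purposes.
    Get-MsolRole | Where-Object { $_.Name -like "*Service Administrator" } | ForEach-Object {
        $role = $_
        Get-MsolRoleMember -RoleObjectId $role.ObjectId | ForEach-Object {
            [pscustomobject]@{ Role = $role.Name; Member = $_.EmailAddress; Type = $_.RoleMemberType }
        }
    }
}

function Grant-DelegatedAdmin {
    param([string]$Email, [string]$Role)
    $roleObj = Get-MsolRole -RoleName $Role
    $already = Get-MsolRoleMember -RoleObjectId $roleObj.ObjectId |
               Where-Object { $_.EmailAddress -eq $Email }
    if ($already) { Write-Host "$Email already holds $Role"; return }

    Add-MsolRoleMember -RoleObjectId $roleObj.ObjectId -RoleMemberEmailAddress $Email

    # Re-read the membership instead of trusting the cmdlet's silence.
    $now = Get-MsolRoleMember -RoleObjectId $roleObj.ObjectId |
           Where-Object { $_.EmailAddress -eq $Email }
    if (-not $now) { throw "Failed to add $Email to $Role" }
    Write-Host "Added $Email to $Role (user must sign out and back in)"
}

"Before:"; Get-ServiceAdminReport | Format-Table -AutoSize
Grant-DelegatedAdmin -Email $UserEmail -Role $RoleName
"After:";  Get-ServiceAdminReport | Format-Table -AutoSize
```

Swap Add-MsolRoleMember for Remove-MsolRoleMember (and invert the membership check) to get the matching revocation script.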

That's all there is to it! Nice and easy, right? With that, you can now grant users admin access to SharePoint Online without making them tenant admins. No pretty user interface required. Awesome.

Two quick points before we go:

  • When adding or removing a user from a role, they must log out and log back in for that change to take effect (this includes removal of access).
  • Granting SharePoint Service Administrator privileges only provides access to the SharePoint Admin Center. It provides no access at all to the tenant admin portal (https://[YourTenant]-admin.sharepoint.com). Tenant administrators can feel confident that SharePoint Online admins only have admin rights to SharePoint Online.

I don't know about you, but I've been pretty jazzed about this capability. It will make our jobs as consultants easier and enable us to be more efficient and agile (cheaper) when working on behalf of a customer. I and others in the community have been asking for this for a while. Again, thank you, Microsoft!

Hopefully this has been helpful. Thanks for reading!