Celebrating four years as a Microsoft MVP in Microsoft 365 apps and services

This is the fourth consecutive year I’ve been awarded as a Microsoft MVP in the Microsoft 365 Apps & Services category. 🤩

What does that mean?

Microsoft presents the MVP award annually to individuals who have regularly made high-quality contributions to the tech community. Sometimes this is forum participation, conference and user group presentations, books, blogs, videos, code and solutions, social media, or any number of other ways a person has evangelized and helped drive adoption and understanding of Microsoft 365.

I focus my contributions on Microsoft 365 productivity and collaboration apps like OneDrive, SharePoint, Teams, Power Automate, Power BI, and more. Specifically:

And all of that’s in addition to my regular, full-time day job.

To become an MVP, start tracking your contributions and reach out to an existing MVP or Microsoft employee that you’ve established a relationship with to secure a nomination. If we’ve crossed paths or worked together, I would be honored to nominate you.

It has been a true pleasure and privilege to be a part of this amazing community for four years now. Here’s to the next year of content, experiences, and connections. 🥳🥂

Power Automate solution: OneNote action errors involving invalid or inaccessible Notebook Keys and sections

When using OneNote (Business) in a Power Automate flow, you may be attempting actions such as Create section in a notebook, Get sections in notebook, or Create page in a section but getting errors when trying to select the relevant notebook and section.

And depending on what you’re using as the Notebook Key and/or Notebook section value(s) you may get any of the following specific errors:

  • Error; the requested notebook or section may have been deleted or is otherwise inaccessible.
  • Invalid notebook key
  • The specified resource ID does not exist.
  • The section id is invalid. If a custom value was entered, please try selecting from the supplied values.

I’ll show you how you may be able to solve this issue in this blog post by using a custom value for Notebook Key. To insert a custom value for Notebook Key, use the dropdown arrow in the Notebook Key field and select Enter custom value.

Enter custom value option for Notebook Key

Now you can type text freely. You’ll need to format your notebook key one of two ways, depending on whether it’s a personal (OneDrive for Business) notebook or a shared (SharePoint/Teams) notebook. Both solutions are below.

Solution #1: OneNote Notebook key API format for your own notebooks (stored in OneDrive for Business)

For OneDrive notebooks, such as the default one you get (for example, Nate @ Contoso), format your notebook key as seen below, replacing the notebook name, organization URL, and email address (with underscores instead of the usual symbols) with your own.

Nate @ Contoso|$|https://contoso-my.sharepoint.com/personal/nchamberlain_contoso_com/Documents/Nate @ Contoso

Still not working? Your organization may have a .com added (even if you don’t see it in your notebook name). Try adding .com to your notebook name in both locations (beginning and end):

Nate @ Contoso.com|$|https://contoso-my.sharepoint.com/personal/nchamberlain_contoso_com/Documents/Nate @ Contoso.com

Solution #2: OneNote Notebook key API format for shared notebooks (stored in SharePoint and used there or in Microsoft Teams)

For shared notebooks, such as the default one you get with every Microsoft Teams team or SharePoint team site, format the notebook key as follows. Be sure to replace bold components of the key with your own notebook name, organization URL, and notebook location:

Notebook Name|$|https://COMPANY.sharepoint.com/sites/SITENAME/NOTEBOOK LOCATION/NOTEBOOK NAME

For example, all default notebooks are stored in a SharePoint site’s Site Assets folder so a complete Notebook key for a notebook like that may resemble the following (yes, you can leave the spaces in notebook names):

Mark 8 Project Team Notebook|$|https://contoso.sharepoint.com/sites/Mark8ProjectTeam/SiteAssets/Mark 8 Project Team Notebook

Or if it’s not the default notebook, and it was created in a document library a couple folders deep, it might resemble the following. Just replace Shared Documents with the name of the library, and replace the folder structure as appropriate:

Policies and Procedures|$|https://contoso.sharepoint.com/sites/Compliance/Shared Documents/Folder 1/Folder 2/Policies and Procedures 

As long as you enter the key correctly using either solution, your flow will connect to the notebook properly and, when relevant, the Notebook section dropdown will refresh and allow you to simply select the section you want rather than entering an API URL.

Notebook section dropdown functioning properly with a correct Notebook Key
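The two key formats above can be built and checked before pasting them into the flow. The following Python sketch is an added example, not part of the original post or of any Microsoft tooling; the function names are hypothetical and the checks cover only the two formats shown on this page.

```python
SEP = "|$|"  # separator between the notebook name and its URL, as shown above


def personal_key(notebook_name, tenant, email):
    """Key for a notebook stored in the owner's OneDrive for Business."""
    # The personal-site segment is the e-mail address with '@' and '.' as '_'.
    user_segment = email.strip().lower().replace("@", "_").replace(".", "_")
    url = (f"https://{tenant}-my.sharepoint.com/personal/"
           f"{user_segment}/Documents/{notebook_name}")
    return f"{notebook_name}{SEP}{url}"


def shared_key(notebook_name, tenant, site, location="SiteAssets"):
    """Key for a notebook in a SharePoint site (default location: Site Assets)."""
    url = (f"https://{tenant}.sharepoint.com/sites/{site}/"
           f"{location.strip('/')}/{notebook_name}")
    return f"{notebook_name}{SEP}{url}"


def check_key(key):
    """Return a list of problems; an empty list means the key fits one of the two formats."""
    problems = []
    if key != key.strip():
        problems.append("leading or trailing whitespace")
        key = key.strip()
    if key.count(SEP) != 1:
        return problems + ["expected exactly one '|$|' separator"]
    name, url = key.split(SEP)
    if not url.startswith("https://"):
        return problems + ["URL part must start with https://"]
    host, _, path = url[len("https://"):].partition("/")
    segments = path.split("/")
    if not host.lower().endswith(".sharepoint.com"):
        problems.append("host is not a sharepoint.com address")
    elif host.lower().endswith("-my.sharepoint.com"):
        # Solution #1: /personal/<user>/Documents/<name>
        if len(segments) < 4 or segments[0] != "personal" or segments[2] != "Documents":
            problems.append("personal key should use /personal/<user>/Documents/<name>")
        elif "@" in segments[1] or "." in segments[1]:
            problems.append("use underscores instead of '@' and '.' in the user segment")
    else:
        # Solution #2: /sites/<site>/<location>/<name>
        if len(segments) < 4 or segments[0] != "sites":
            problems.append("shared key should use /sites/<site>/<location>/<name>")
    # The notebook name appears twice and both copies must match exactly.
    if segments[-1] != name:
        problems.append("notebook name differs between the start and the end of the key")
    return problems


if __name__ == "__main__":
    key = personal_key("Nate @ Contoso", "contoso", "nchamberlain@contoso.com")
    print(key, check_key(key))
```

The name-mismatch check catches the case described under Solution #1, where .com is added at one end of the key but not the other.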

Additional troubleshooting when sections are still not appearing

If you are certain you followed the instructions above correctly, made no typos, and you used the correct type of key format based on the notebook’s location (OneDrive or SharePoint), and you’re still seeing “Could not retrieve values…” for Notebook section, it might be a simple fix.

Just cut (Ctrl+X) and paste (Ctrl+V) the Notebook Key you entered into the field again and it may refresh and fix the second dropdown.

References

OneNote (Business) – Connectors | Microsoft Docs

Hands-On Microsoft Teams by João Ferreira (Review)

Microsoft MVP João Ferreira released the second edition of a new Microsoft Teams guide in late December 2021, making his one of the most up-to-date Teams books currently available. Other books available, such as my MS-700 exam guide, are geared exclusively towards certification and administrator responsibilities. João’s book reaches a broader audience, sharing important information every Teams user should know.

What I feel really adds value in this book is João provides more than just how-to. You’ll find scenarios and examples throughout the book in which João describes how particular features and tools are used in realistic business scenarios. You’ll also find more than theoretical information because of João’s step-by-step guidance through specific tasks, such as how to create a new team from a template.

And while it’s important to know how to create a team and channels, João takes it a further step to make sure readers not only understand the steps involved, but also the implications in the background. For example, when readers create a team they’ll discover the other Microsoft 365 group resources that are built to support that team simultaneously.

Contents of Hands-On Microsoft Teams

João uses the first chapter to walk readers through various versions of Teams (including desktop apps for Windows, Linux, and macOS, mobile apps, and web apps) and introduce basic concepts (what is a team, what is a channel, etc.). Readers are also shown how different plans affect limits and abilities within your organization.

After the first chapter, readers of all skill levels and interests are led more in depth into topics of interest including:

  • Core topics like how chats, meetings, search, and data storage work
  • Chats and conversation abilities and nuances
  • Using meetings, webinars, and live events (including newer features like registration and attendance reports)
  • Channel types (including the newer Shared channel type) and team governance
  • Teams templates (including administrator setup)
  • Microsoft Viva (all four current modules including Connections, Insights, Topics, and Learning)
  • Microsoft Teams use cases including frontline and personal use (arguably one of the most valuable chapters)
  • Extending Microsoft Teams using apps and understanding personal apps
  • Enabling and implementing custom apps, including using Power Automate and Power Apps with Teams

And the final few chapters (11-13) cover more advanced topics to take Teams usage and administration to the next level including:

  • Building apps and bots using the developer portal, QnA maker, and Power Virtual Agents
  • And lastly, using PowerShell to help administer Teams

Conclusion

João has put together a clear and concise reference guide packed with realistic scenarios and ideas you could refer to regularly. This guide will also be a great gift for co-workers, new hires, and even seasoned administrators since there is truly content for all levels in this book. Personally, I really appreciated that João made sure this new release also included newer features, such as Shared channels, ensuring it’s the most up-to-date Teams reference possible.

And be sure to connect with author João Ferreira on Twitter and LinkedIn to stay up-to-date on his community contributions and any future projects.

Disclaimer: I was provided a digital copy of this book in exchange for consideration of providing a review. Also, as an Amazon affiliate, I earn advertising fees by advertising and linking to Amazon.com.

How to get Planner task Completed By dynamic content in Power Automate

You can use a template in Power Automate to send an email when a Planner task is completed. However, this template returns the Completed by field as a user ID, and not as a display name. And the dynamic content available for a completed task does not include Completed by. We can, however, get this data using an expression. Here’s how to do it (video at bottom of post):

  1. After your trigger (When a task is completed), insert the Get user profile (V2) step.
  2. Click inside the User (UPN) field, then select Expression from the dynamic content panel.
  3. Paste the following expression in the box and click OK:
     triggerOutputs()?['body/completedBy/user/id']
  4. Now, in your next step (email, Teams post, etc. – however you’re sharing the completion message), use the dynamic content from the Get user profile (V2) step to insert Display Name.
  5. Save and test your flow.

How to share files and folders in OneDrive for Business (Video)

Your OneDrive is your place to store and manage files you use regularly. Occasionally, you may wish to share files and folders with others, however. Learn how to share with different levels of access (i.e. view vs edit) in this lesson.

This video is part of my FREE 30+ lesson self-paced online training course called Collaboration in Microsoft 365 (OneDrive, SharePoint, and Teams). Enroll today at https://www.NateTheTrainer.com for the full learning experience including lesson discussions, quizzes, exams, and a completion certificate.

You can also watch the entire course as a YouTube playlist (just without the course discussions, quizzes, exam, and certificate). Be sure to subscribe to support my channel and for easy access to future content.

Notes

Sharing files

When you share a file, you have four link types to choose from. The image below color codes the options you get with each. Anyone with the link gets the most configurable settings. People in your company and Specific people get everything except expiration date and password. People with existing access doesn’t modify permissions at all so it has no unique settings.

You’ll only see Open in review mode only as an option if the file is a Word doc and you’re allowing editing.

You can only Block download (includes print) if disallowing (unchecking) editing.

After you click Apply, you don’t have to enter a name or message. In most cases, it’s fine to click Copy link and share that with whomever you’re granting access. And sometimes you may use that copied link on a SharePoint page, org-wide email, etc. rather than sharing with just a few people.

Specific people is the only link type that requires a signed in user to be someone you’ve specified. It is the most secure option (other than People with existing access which doesn’t change permissions at all).

Co-authoring with people you’ve shared edit rights with

Co-authoring allows anyone with edit permissions to a file to be in the file simultaneously making edits. This works for Word, Excel, PowerPoint, and OneNote. If you’re wanting to use the desktop apps for co-authoring, be sure you’re using the most current (Office 365) version of Office and not a year-specific version like Office 2016.

Sharing folders

You can share folders in the same way you share files, but the benefit to sharing folders is that each file inside the folder inherits the shared folder’s permissions (so it saves you time sharing each individual file). You might use this for processes where you drop files in a particular folder regularly that someone else can access (or even help contribute to).

You can add additional access to a particular file inside a shared folder by sharing the file itself (but it’ll still be shared with those granted rights at the folder level).

Managing access

Manage access by clicking Share > More options () > Manage access -or- by selecting the file > open the details pane (i) > Manage access.

You can click Stop sharing to remove all links and direct access other than yourself (in OneDrive) or all owners (in SharePoint).

You can remove links shared previously individually by using the ellipsis (three dots) next to a link shown in the Manage access panel.

You can also make changes to the settings of a shared link if the link was Anyone with the link or Specific people type.

Shared with you and Shared by you

Click Shared from the left navigation to easily find files shared with you and shared by you. You can also share files again or manage access from this page.

Additional resources

Restore your entire OneDrive for Business library to an earlier time (Video)

Learn how you can undo any changes made in your OneDrive for Business library by using the Restore feature. You’ll be able to restore your entire library in one action to a point in time you specify.

This video is part of my FREE 30+ lesson self-paced online training course called Collaboration in Microsoft 365 (OneDrive, SharePoint, and Teams). Enroll today at https://www.NateTheTrainer.com for the full learning experience including lesson discussions, quizzes, exams, and a completion certificate.

You can also watch the entire course as a YouTube playlist (just without the course discussions, quizzes, exam, and certificate). Be sure to subscribe to support my channel and for easy access to future content.

Notes

If you’ve been working in OneDrive and something has gone wrong, you can restore your entire OneDrive (undo all changes across all your files and folders at once) by using the Restore your OneDrive feature. You can restore to a specific time such as yesterday, a week ago, or a custom date/time. Every edit, deletion, etc. that’s reversible will be reversed.

While the restore is in progress, your OneDrive will be in read-only mode (for existing content) but you can continue to access the content, create or upload new content, and access your Shared content as well.

MS-500 Microsoft 365 Security Administration Exam Study Guide

This summer, Microsoft announced changes to the MS-500 exam objectives. Below you’ll find the updated listing for June 2020 and beyond with links to relevant documentation. The best way to use this study guide is to find the topics you’re least familiar with and focus on those. In any remaining time, you can always review those you’re familiar with to make sure nothing has changed significantly.

As stated on the MS-500 exam page, potential candidates for the MS-500 exam implement, manage and monitor security and compliance solutions for Microsoft 365 and hybrid environments. Professionals familiar with the content of the exam are well-positioned to secure their Microsoft 365 environments by responding to threats, performing investigations, enforcing data governance, and collaborating with other enterprise professionals on security and compliance topics.

Register for the MS-500 exam

Skills measured

  • Implement and manage identity and access (30-35%)
  • Implement and manage threat protection (20-25%)
  • Implement and manage information protection (15-20%)
  • Manage governance and compliance features in Microsoft 365 (20-25%)

MS-500 Study Guides

Objectives with online documentation for study

Implement and manage identity and access (30-35%)

Secure Microsoft 365 hybrid environments

Secure Identities

Implement authentication methods

Implement conditional access

Implement role-based access control (RBAC)

Implement Azure AD Privileged Identity Management (PIM)

Implement Azure AD Identity Protection

Implement and manage threat protection (20-25%)

Implement an enterprise hybrid threat protection solution

Implement device threat protection

Implement and manage device and application protection

Implement and manage Office 365 ATP

Implement Azure Sentinel for Microsoft 365

Implement and manage information protection (15-20%)

Secure data access within Office 365

Manage Azure Information Protection (AIP)

Manage Data Loss Prevention (DLP)

Implement and manage Microsoft Cloud App Security

Manage governance and compliance features in Microsoft 365 (25-30%)

Configure and analyze security reporting

Manage and analyze audit logs and reports

Manage data governance and retention

Manage search and investigation

Manage data privacy regulation compliance

Get cooking with Microsoft 365: Two M365 “cookbooks” from Packt to add to your shelf

I recently had the privilege to write a Microsoft 365 administration cookbook for Packt intended for M365 administrators. “Cookbooks” take a large topic, like M365 administration, and divide it into major subject areas each with their own set of “recipes” or step-by-step guides to complete popular tasks.

My friends Gaurav Mahajan and Sudeep Ghatak also wrote an M365 cookbook for Packt that is written for the end-user audience. I was honored to be able to write a foreword for their book, and am impressed with the amount of knowledge they’ve captured and shared in their nearly 800-page cookbook.

  • M365 and SharePoint Online Cookbook – Buy Here
  • O365 Administration Cookbook – Buy Here

More information on each can be found below:

Microsoft 365 and SharePoint Online Cookbook

Embrace modern solutions to enhance collaboration, teamwork, robotic process automation, and business intelligence in your organization using powerful Microsoft 365 services (formerly Office 365)

Key Features

  • Gain a complete overview of popular Microsoft 365 services using practical recipes and expert insights
  • Collaborate with your team and external users effectively using SharePoint and Teams
  • Create no-code and low-code solutions, such as bots, forms, dashboards, and workflows, using the Power platform

Book Description

Microsoft 365 is an integrated suite that provides intelligent tools for managing everyday organizational tasks like content management, communication, creating reports, and automating business processes. With this book, you’ll get to grips with popular apps from Microsoft, with a focus on enabling workspace collaboration and productivity using Microsoft SharePoint Online, Teams, and the Power Platform to name a few.

In addition to guiding you through the implementation of Microsoft 365 apps, this practical guide helps you to learn from a Microsoft consultant’s extensive experience of working with the Microsoft business suite. Starting with a quick overview of the M365 ecosystem, the book covers recipes for implementing SharePoint Online for various content management tasks. You’ll learn how to create sites for your organization and enhance collaboration across the business and then see how you can boost productivity with apps such as Microsoft Teams, Power Platform, Planner, Delve, and M365 Groups. Using a step-by-step approach, you’ll also find out how to use the Power Platform efficiently, making the most of Microsoft PowerApps, Power Automate, PowerBI, and Power Virtual Agents. Finally, the book focuses on the SharePoint framework, which helps you to build custom Teams and SharePoint solutions.

By the end of the book, you’ll be equipped with the skills required to set up Microsoft 365 and SharePoint Online and be ready to enhance business productivity using a variety of tools.

What you will learn

  • Get to grips with a wide range of apps and cloud services in Microsoft 365
  • Discover ways to use SharePoint Online to create and manage content
  • Store and share documents using SharePoint Online
  • Improve your search experience with Microsoft Search
  • Leverage the Power Platform to build business solutions with Power Automate, Power Apps, Power BI, and Power Virtual Agents
  • Enhance native capabilities in SharePoint and Teams using the SPFx framework
  • Use Microsoft Teams to meet, chat, and collaborate with colleagues or external users

Who this book is for

This book is for business professionals, IT administrators, enterprise developers and architects, and anyone who wants to get to grips with using M365 for effective implementation of Microsoft apps. Prior experience with Office 365 and SharePoint will assist with understanding the recipes effortlessly.

Table of Contents

  1. Overview of Microsoft 365
  2. Introduction to SharePoint Online
  3. Working with Modern Sites in SharePoint Online
  4. Working with Lists and Libraries in SharePoint Online
  5. Document Management in SharePoint
  6. Term Store and Content Types in SharePoint Online
  7. OneDrive for Business
  8. Search in Microsoft 365
  9. Office Delve
  10. Microsoft 365 Groups
  11. Microsoft Teams
  12. Yammer – The Enterprise Social Network
  13. Power Automate (Microsoft Flow)
  14. PowerApps
  15. Power BI
  16. Power Virtual Agents
  17. Planner
  18. Custom Development – SharePoint Framework
  19. Microsoft 365 on Mobile
  20. Appendix

Microsoft Office 365 Administration Cookbook

Make the most out of your investment in Office 365 apps and services with this Microsoft Office cookbook

Key Features

  • Learn how to manage and secure the entire Office 365 stack in addition to specific services
  • Delve into newer and frequently shifting areas such as Power Platform, Microsoft Teams, and Microsoft Search administration
  • Discover carefully selected techniques that cover a range of administrative tasks of varying difficulty levels

Book Description

Organizations across the world have switched to Office 365 to boost workplace productivity. However, to maximize investment in Office 365, you need to know how to efficiently administer Office 365 solutions.

Microsoft Office 365 Administration Cookbook is packed with recipes to guide you through common and not so common administrative tasks throughout Office 365. Whether you’re administering a single app such as SharePoint or organization-wide Security & Compliance across Office 365, this cookbook offers a variety of recipes that you’ll want to have to hand. The book begins by covering essential setup and administration tasks. You’ll learn how to manage permissions for users and user groups along with automating routine admin tasks using PowerShell. You’ll then progress through to managing core Office 365 services such as Exchange Online, OneDrive, SharePoint Online, and Azure Active Directory (AD). This book also features recipes that’ll help you to manage newer services such as Microsoft Search, Power Platform, and Microsoft Teams. In the final chapters, you’ll delve into monitoring, reporting, and securing your Office 365 services.

By the end of this book, you’ll have learned to manage individual Office 365 services along with monitoring, securing, and optimizing your entire Office 365 deployment efficiently.

What you will learn

  • Get to grips with basic Office 365 setup and routine administration tasks
  • Manage Office 365 identities and groups efficiently and securely
  • Harness the capabilities of PowerShell to automate common administrative tasks
  • Configure and manage core Office 365 services such as Exchange Online, SharePoint, and OneDrive
  • Configure and administer fast-evolving services such as Microsoft Search, Power Platform, Microsoft Teams, and Azure AD
  • Get up and running with advanced threat protection features provided by the Microsoft 365 Security & Compliance Center
  • Protect your organization’s sensitive data with Office 365 Data Loss Prevention (DLP)
  • Monitor activities and behaviors across all Office 365 services

Who This Book Is For

This book is for newer Office 365 administrators and IT pros alike, and comes with recipes of varying difficulty levels along with step-by-step guidance. Whether you are new to Office 365 administration or just seeking new ideas, this cookbook contains recipes to enhance your organization’s app and service management and productivity.

Creating iCal (.ics) calendar item links with a workflow (Power Automate or SharePoint Designer)

When working with calendars, a big request I hear is to make it more like Outlook or to make it easy to add an event to your calendar, at least. In SharePoint online, this is easy! The Events web part on modern pages includes an Add to my calendar button on events by default.

However, when working with classic pages or SharePoint Server/on-prem, it’s not so easy. There are two ways we might utilize Power Automate or SharePoint Designer to help us out:

  • We could create a hyperlink column if we want something on-page/in-item, then populate it using a workflow.
    • Usage idea: A landing page for upcoming training opportunities displayed in list (not calendar) format with a column designated for “Add to my calendar” links
  • If it doesn’t need to be clickable on the item or page within SharePoint, we could just build the URL within the workflow and include it in an email message.
    • Usage idea: A Flow that runs weekly to “Get items” coming up that week and sends a list out with clickable links for adding items of interest to recipients’ calendars

URL structure

No matter the tool, Power Automate or SharePoint Designer, the most important part to know is how to build the URL. That won’t change from one tool to the other.

1. Go to the list settings for the calendar hosting the events

2. Copy the list GUID from the URL in the browser. This includes everything in the address bar after “List=”. This should begin with %7B and end with %7D. This is your calendar’s GUID in hyperlink-friendly formatting.

3. Update the following URL template with your site’s path, and paste in the list/calendar GUID you copied from step 2 where GUID is. Leave the [ID] as it is for now.

https://Site or Subsite path/_vti_bin/owssvr.dll?CS=109&Cmd=Display&List=GUID&CacheControl=1&ID=[ID]&Using=event.ics 

Your almost-finished result should resemble this:

https://natechamberlain.sharepoint.com/_vti_bin/owssvr.dll?CS=109&Cmd=Display&List=%7B1EC8795A-3B1D-43D7-A49E-B1CCD4BFF950%7D&CacheControl=1&ID=[ID]&Using=event.ics 

Now we have everything we need to finish the process by using whichever workflow platform you prefer or have access to.

Create iCal (.ics) links using Power Automate

No matter where you’re using the URL in your flow, we’ll create it as an expression so we can use the concat() function.

If you just want to update a field, or create a variable, with the URL, it’s as simple as:

1. Paste the URL part you have from the previous section of this post

2. Delete [ID]

3. With your cursor still where [ID] was, use the dynamic content panel to search for and insert ID in its place.

If you want to populate an actual hyperlink format column with a label/description that’s prettier than the full URL, however, you’ll need to do a bit more work so that you can have both URL and description. Follow the steps in this post on updating hyperlink or picture format columns using Power Automate.

If not updating a field or creating a variable that pieces the URL together, you can create expressions (via Dynamic content panel) to concatenate the different parts of the URL. For example, if I’m creating an HTML table, for Value I’d use the dynamic content panel > Expression and enter a formula like:

concat('<a href="https://natechamberlain.sharepoint.com/_vti_bin/owssvr.dll?CS=109&Cmd=Display&List=%7B1EA8795A%2D3B0D%2D43D7%2DA48E%2DB3CCD4BFE950%7D&CacheControl=1&ID=',item()?['ID'],'&Using=event.ics">Add to my calendar</a>')

In this specific example, I’m creating the table after a “Get items” step. The formula above is what I’m using for the value of the “Save” (Add to Calendar) column.

Check out this post for full instructions on sending weekly emails of upcoming events with easy “Add to calendar” links using Flow.
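The URL structure and the HTML link built with concat() above can be reproduced outside the flow to check a link before it goes into an email. This Python sketch is an added example, not code from the original post; the function names and the sample list settings URL are constructed for illustration. It accepts the list GUID in any of the forms that appear on this page (with braces, percent-encoded, or with hyphens written as %2D) and rejects anything that is not a GUID or a numeric item ID.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

GUID_RE = re.compile(r"[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}")

# Constructed example of a list settings address; only the List= value matters.
SAMPLE_SETTINGS_URL = ("https://contoso.sharepoint.com/sites/Training/_layouts/15/"
                       "listedit.aspx?List=%7B1EC8795A-3B1D-43D7-A49E-B1CCD4BFF950%7D")


def normalize_list_guid(raw):
    """Return the GUID as %7B...%7D, whatever encoding it arrived in."""
    guid = unquote(raw).strip().strip("{}")
    if not GUID_RE.fullmatch(guid):
        raise ValueError(f"not a list GUID: {raw!r}")
    return "%7B" + guid.upper() + "%7D"


def guid_from_settings_url(settings_url):
    """Step 2 of the procedure: take the value after List= in the settings URL."""
    values = parse_qs(urlsplit(settings_url).query).get("List")
    if not values:
        raise ValueError("no List= parameter in URL")
    return normalize_list_guid(values[0])


def ics_link(site_url, list_guid, item_id):
    """Step 3: fill the owssvr.dll template with site path, GUID and item ID."""
    item_id = int(item_id)  # raises ValueError for non-numeric input
    if item_id < 1:
        raise ValueError("item ID must be a positive integer")
    return (f"{site_url.rstrip('/')}/_vti_bin/owssvr.dll?CS=109&Cmd=Display"
            f"&List={normalize_list_guid(list_guid)}&CacheControl=1"
            f"&ID={item_id}&Using=event.ics")


def ics_anchor(site_url, list_guid, item_id, label="Add to my calendar"):
    """HTML link for an email or HTML table, with attribute and text escaped."""
    href = html.escape(ics_link(site_url, list_guid, item_id), quote=True)
    return f'<a href="{href}">{html.escape(label)}</a>'


if __name__ == "__main__":
    guid = guid_from_settings_url(SAMPLE_SETTINGS_URL)
    print(ics_anchor("https://natechamberlain.sharepoint.com", guid, 7))
```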

Create iCal (.ics) links using SharePoint Designer

In SharePoint Designer, we can set a hyperlink field to our iCal link to make it easy to add an event to your calendar. This could be placed as a main column in a list view, or just on item display forms like this:

Let’s set the hyperlink field via workflow:

1. Create a variable (set workflow variable) and use the string builder

2. Paste your almost-finished URL from earlier in this post. Replace [ID] with a lookup to the current item’s ID

3. If setting a field (skip if just using the link elsewhere) add , Add to Calendar (or whatever link text you want) to the end of the string. It just has to be a comma, a space, and the text.

4. Set the hyperlink field (iCal in my example above) to your new variable.

If you’re not setting a field in your list, maybe you’re emailing new events to people and want an easy link in the email body itself. In that case, just skip step three above and your variable will just be the URL, ready to be used in email actions.

Why can’t we just use calculated columns?

Once upon a time, I blogged about creating Automatic iCal hyperlinks using a calculated column. This almost works. It creates the hyperlinks for all existing items at the time of the calculated column’s creation. But then if you add a new item or modify an existing item, the [ID] field drops out of the hyperlink which, of course, breaks the link.

The appeal of calculated columns is that it won’t create another version of an item when the link is generated and it doesn’t require Power Automate or SharePoint Designer to work. Unfortunately, if the link doesn’t work after item edit or creation, then the point is lost anyway. So let’s pretend that method doesn’t exist except for one-time uses or lists that will never change again.

Demystifying Microsoft 365 admin roles in Azure AD and the M365 admin center

As a rule of thumb (not to mention for improving your Secure Score), you should limit the number of people who have the “global admin” role in your organization. Microsoft recommends fewer than 5 global admins. That makes it important to get to know the other roles available and assign the least permissive role (a phrase you’ll see frequently if seeking certifications) rather than blanket roles that often include more permissions than what are necessary (or secure).

Global admins can assign other admin roles, purchase additional products and subscriptions, reset all (including each others’) passwords, and manage absolutely everything in your tenant. So of course you can see why we’d want to restrict how many are working with these capabilities simultaneously.

You may end up assigning five different, non-global admin roles to a user instead of the single global admin role, but your security will be improved significantly.
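One way to check a tenant against this guidance is to review an export of role assignments. The Python sketch below is an added example, not from the original post or from Microsoft; the assignment list is constructed sample data, and the function name and the (user, role) input shape are assumptions. It counts global admins against the "fewer than 5" recommendation and lists other roles that are redundant on accounts that already hold the global admin role.

```python
from collections import defaultdict

GLOBAL_ADMIN = "Global Administrator"  # display name used in the constructed export
MAX_GLOBAL_ADMINS = 4                  # "fewer than 5", per the guidance above

# Constructed sample data: one (user, role) pair per assignment.
SAMPLE_ASSIGNMENTS = [
    ("alex@contoso.com", "Global Administrator"),
    ("alex@contoso.com", "Exchange Administrator"),
    ("Alex@contoso.com", "Global Administrator"),   # same user, different case
    ("blair@contoso.com", "Global Administrator"),
    ("casey@contoso.com", "Global Administrator"),
    ("devon@contoso.com", "Global Administrator"),
    ("emery@contoso.com", "Global Administrator"),
    ("finley@contoso.com", "Teams Administrator"),
    ("finley@contoso.com", "Billing Administrator"),
]


def audit_roles(assignments, limit=MAX_GLOBAL_ADMINS):
    """Summarise who holds the global admin role and where it overlaps other roles."""
    roles_by_user = defaultdict(set)
    for user, role in assignments:
        # User names are compared case-insensitively so duplicates collapse.
        roles_by_user[user.strip().lower()].add(role)

    global_admins = sorted(u for u, roles in roles_by_user.items()
                           if GLOBAL_ADMIN in roles)
    # Any other role on a global admin account adds nothing and hides intent.
    redundant = {u: sorted(roles_by_user[u] - {GLOBAL_ADMIN})
                 for u in global_admins if len(roles_by_user[u]) > 1}
    # Accounts that follow the least-permissive approach: scoped roles only.
    scoped_only = sorted(u for u in roles_by_user if u not in global_admins)

    return {
        "global_admins": global_admins,
        "over_limit": len(global_admins) > limit,
        "redundant_roles": redundant,
        "scoped_only": scoped_only,
    }


if __name__ == "__main__":
    for key, value in audit_roles(SAMPLE_ASSIGNMENTS).items():
        print(f"{key}: {value}")
```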

There are a couple places to assign admin roles: the Azure AD portal, and the M365 admin center. My goal with this post is to consolidate and simplify information on the roles, including which are only available in Azure. I’ve combined information from:

Those marked with * are only available to assign from Azure AD. All others are in both the M365 admin center AND the Azure portal.

Note: Most role descriptions are copied directly from the resources listed above as of the date of publication and are subject to change. Always check Microsoft documentation prior to making significant decisions.

Available roles

Full access to enterprise applications, application registrations, and application proxy settings.

> Read more about this role on docs.microsoft.com

Create application registrations and consent to app access on their own behalf.

> Read more about this role on docs.microsoft.com

Can require users to re-register authentication for non-password credentials, like MFA.

> Read more about this role on docs.microsoft.com

Can manage Azure DevOps organization policy and settings.

> Read more about this role on docs.microsoft.com

Manages labels for the Azure Information Protection policy, manages protection templates, and activates protection.

> Read more about this role on docs.microsoft.com

Can create and manage all aspects of user flows.

> Read more about this role on docs.microsoft.com

Can create and manage the attribute schema available to all user flows.

> Read more about this role on docs.microsoft.com

Can manage secrets for federation and encryption in the Identity Experience Framework.

> Read more about this role on docs.microsoft.com

Can create and manage trust framework policies in the Identity Experience Framework.

> Read more about this role on docs.microsoft.com

Makes purchases, manages subscriptions, manages service requests, and monitors service health.

> Read more about this role on docs.microsoft.com

Full access to enterprise applications and application registrations. No application proxy.

> Read more about this role on docs.microsoft.com

Manages regulatory requirements and eDiscovery cases, maintains data governance for locations, identities, and apps.

> Read more about this role on docs.microsoft.com

Manages Azure Active Directory conditional access settings, but not Exchange ActiveSync conditional access policy.

> Read more about this role on docs.microsoft.com

Manages Customer Lockbox requests, can turn Customer Lockbox on or off.

> Read more about this role on docs.microsoft.com

Can access and manage Desktop management tools and services.

> Read more about this role on docs.microsoft.com

Can read basic directory information. Commonly used to grant directory read access to applications and guests.

> Read more about this role on docs.microsoft.com

Do not use. This role is automatically assigned to the Azure AD Connect service, and is not intended or supported for any other use.

> Read more about this role on docs.microsoft.com

This is a legacy role that is to be assigned to applications that do not support the Consent Framework. It should not be assigned to any users.

> Read more about this role on docs.microsoft.com

Full access to Microsoft Dynamics 365 Online, manages service requests, monitors service health.

> Read more about this role on docs.microsoft.com

Full access to Exchange Online, creates and manages groups, manages service requests, and monitors service health.

> Read more about this role on docs.microsoft.com

Configure identity providers for use in direct federation.

> Read more about this role on docs.microsoft.com

Has unlimited access to all management features and most data in all admin centers.

> Read more about this role on docs.microsoft.com

Has read-only access to all management features and most data in all admin centers.

> Read more about this role on docs.microsoft.com

Creates groups and manages all groups settings across admin centers.

> Read more about this role on docs.microsoft.com

Manages Azure Active Directory B2B guest user invitations.

> Read more about this role on docs.microsoft.com

Resets passwords and re-authenticates for all non-admins and some admin roles, manages service requests, and monitors service health.

> Read more about this role on docs.microsoft.com

Full access to Intune, manages users and devices to associate policies, creates and manages groups.

> Read more about this role on docs.microsoft.com

Full access to all Kaizala management features and data, manages service requests.

> Read more about this role on docs.microsoft.com

Assigns and removes licenses from users and edits their usage location.

> Read more about this role on docs.microsoft.com

Access to data privacy messages in Message center, gets email notifications.

> Read more about this role on docs.microsoft.com

Reads and shares regular messages in Message center, gets weekly email digests, has read-only access to users, groups, domains, and subscriptions.

> Read more about this role on docs.microsoft.com

Manages cloud-based policies for Office and the What’s New content that users see in their Office apps.

> Read more about this role on docs.microsoft.com

Can reset passwords for non-administrators and Password administrators.

> Read more about this role on docs.microsoft.com

Full access to Power BI management tasks, manages service requests, and monitors service health.

> Read more about this role on docs.microsoft.com

Full access to Microsoft Dynamics 365, PowerApps, data loss prevention policies, and Microsoft Flow.

> Read more about this role on docs.microsoft.com

Allowed to view, set and reset authentication method information for any user (admin or non-admin).

> Read more about this role on docs.microsoft.com

Manages role assignments and all access control features of Privileged Identity Management.

> Read more about this role on docs.microsoft.com

Reads usage reporting data from the reports dashboard, PowerBI adoption content pack, sign-in reports, and Microsoft Graph reporting API.

> Read more about this role on docs.microsoft.com

Full access to Microsoft Search, assigns the Search admin and Search editor roles, manages editorial content, monitors service health, and creates service requests.

> Read more about this role on docs.microsoft.com

Can only create, edit, and delete content for Microsoft Search, like bookmarks, Q&A, and locations.

> Read more about this role on docs.microsoft.com

Can read security information and reports, and manage configuration in Azure AD and Office 365.

> Read more about this role on docs.microsoft.com

Can read security information and reports in Azure AD and Office 365.

> Read more about this role on docs.microsoft.com

Creates service requests for Azure, Microsoft 365, and Office 365 services, and monitors service health.

> Read more about this role on docs.microsoft.com

Full access to SharePoint Online, manages Office 365 groups, manages service requests, and monitors service health.

> Read more about this role on docs.microsoft.com

Full access to all Teams and Skype features, Skype user attributes, manages service requests, and monitors service health.

> Read more about this role on docs.microsoft.com

Full access to Teams & Skype admin center, manages Office 365 groups and service requests, and monitors service health.

> Read more about this role on docs.microsoft.com

Can manage calling and meetings features within the Microsoft Teams service. Assigns telephone numbers, creates and manages voice and meeting policies, and reads call analytics.

> Read more about this role on docs.microsoft.com

Reads call record details for all call participants to troubleshoot communication issues.

> Read more about this role on docs.microsoft.com

Reads user call details only for a specific user to troubleshoot communication issues.

> Read more about this role on docs.microsoft.com

The default role assigned to all users. No admin center access.

Resets user passwords, creates and manages users and groups, including filters, manages service requests, and monitors service health.

> Read more about this role on docs.microsoft.com

Not finding a perfect fit? You can create CUSTOM admin roles in Azure AD if you have Azure AD Premium Plan 1.

Assign admin roles (single or bulk) in M365 admin center

To assign admin roles to a user or multiple users via the M365 admin center:

  1. Go to the M365 admin center
  2. Select Active users from under Users
  3. Select the user(s) to whom you’re assigning an admin role and select “Manage roles” from the menu
  4. Select the role(s) to assign to the selected user(s) and click Save

Assign admin roles in bulk in Azure AD

To assign the same role(s) to multiple users:

  1. Sign in to Azure AD
  2. Select Roles and administrators from the left
  3. Select the role you want to assign
  4. Click Add assignments. Search for or find those you want to add and select each. When finished, click Add.

View/edit assigned roles in Azure AD for an individual

To review a single user’s current roles, or assign more, follow these steps:

  1. Sign in to Azure AD
  2. Find and select the user for whom you want to review admin role(s)
  3. Select “Assigned roles”
  4. Here you’ll see current assignments and can Add or remove assignments
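
The per-user review above can also be run across the whole tenant to check it against this post's guidance (fewer than 5 global admins, least permissive role). The script below is an added example, not part of the original post; it assumes the Microsoft Graph PowerShell module with read-only scopes, and the variable names and the output file name are illustrative.

```powershell
# Added example: inventory admin role assignments and flag global admin sprawl.
# Requires the Microsoft.Graph module; uses read-only scopes (an assumption).
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'User.Read.All'

$maxGlobalAdmins = 4   # the post's guidance: fewer than 5 global admins
# Well-known template ID of the Global Administrator role (same in every tenant).
$globalAdminTemplateId = '62e90394-69f5-4237-9190-012177145e10'

# Get-MgDirectoryRole lists only roles that have been activated in the tenant.
# Eligible (not yet activated) PIM assignments are not returned by these calls.
$assignments = foreach ($role in Get-MgDirectoryRole) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        $props = $member.AdditionalProperties
        $name  = $props['userPrincipalName']
        if (-not $name) { $name = $props['displayName'] }   # groups, service principals
        [pscustomobject]@{
            Role           = $role.DisplayName
            RoleTemplateId = $role.RoleTemplateId
            PrincipalType  = ($props['@odata.type'] -replace '^#microsoft\.graph\.', '')
            Principal      = $name
            PrincipalId    = $member.Id
        }
    }
}

# Check 1: number of global admins against the limit.
$globalAdmins = @($assignments | Where-Object RoleTemplateId -eq $globalAdminTemplateId)
if ($globalAdmins.Count -gt $maxGlobalAdmins) {
    Write-Warning "$($globalAdmins.Count) global admins; target is $maxGlobalAdmins or fewer."
}
$globalAdmins | Sort-Object Principal | Format-Table Principal, PrincipalType -AutoSize

# Check 2: global admins who also hold narrower roles. Those roles are redundant
# while global admin is assigned, and they hint at what the account really needs.
$gaIds = $globalAdmins.PrincipalId
$assignments |
    Where-Object { $_.PrincipalId -in $gaIds -and $_.RoleTemplateId -ne $globalAdminTemplateId } |
    Group-Object Principal |
    Select-Object Name, @{ n = 'OtherRoles'; e = { $_.Group.Role -join ', ' } } |
    Format-Table -AutoSize

# Check 3: full inventory for periodic review, one row per assignment.
# The file name is a placeholder chosen for this example.
$assignments | Sort-Object Role, Principal |
    Export-Csv .\admin-role-assignments.csv -NoTypeInformation
```

A row whose PrincipalType is `group` means every member of that group holds the role, so review the group's membership as well.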