In February 2024, Microsoft will be updating the scope of the existing Built-In Global Reader role in Microsoft Entra to make it more accessible to those who need read-only access to Teams devices from within the Teams admin center.
Message Center message MC711015 in the Microsoft 365 admin portal explains:
Admins can now use the existing Global reader role for read-only access to the Teams devices section in the Teams admin center!
The Global reader role is a built-in role in Microsoft Entra ID that allows admins to view all administrative features and settings without the ability to edit or modify them. This role is useful for auditing, reporting, and troubleshooting purposes.
This change is due to start rolling out in mid-February, with completion due at the end of February.
Previously, the only option to give someone access to the Teams Devices menu was to grant them the Teams Administrator role. This, as you can imagine, has likely led to some over-privileged access within Teams, whether managed through PIM or not.
Although this is a relatively low-impact change, you should still plan to ensure you are proactively improving any existing role assignments in your organisation.
Review assignments to the Teams Administrator role in Microsoft Entra
2. Expand Identity > Roles & admins, then select Roles & admins.
3. Select the Teams Administrator role and note any Active assignments.
4. Take some time to contact each user assigned to this role. If their assignment was a result of not being able to access the Teams Devices menu, then inform them of the change and remove their assignment to that role.
Review Teams Administrators using Microsoft Graph PowerShell
As an admin, you can also quickly generate a report of Teams Administrators using this small Microsoft Graph PowerShell script:
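(This script uses the Microsoft.Graph.Beta modules. For installation instructions, see: How To Install the Microsoft Graph PowerShell Module.)
# Sign in with read-only scopes for directory roles and users.
Connect-MgGraph -Scopes RoleManagement.Read.Directory, User.Read.All
# -DirectoryRoleId is the object ID of the Teams Administrator role in your tenant.
# Confirm it with: Get-MgBetaDirectoryRole | Where-Object DisplayName -eq 'Teams Administrator'
$TeamsAdmins = Get-MgBetaDirectoryRoleMember -DirectoryRoleId 68680e1a-8ab1-4e7a-9a37-3259350c3fdd
# Resolve each member to a display name and UPN.
$Report = foreach ($admin in $TeamsAdmins) {
    Get-MgBetaUser -UserId $admin.Id | Select-Object DisplayName, UserPrincipalName
}
$Report | Export-Csv C:\Temp\TeamsAdminsReport.CSV -NoTypeInformation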
A small CSV file will be generated in C:\temp\ containing a list of active Teams Administrators.
If you want to export a result of all active and eligible PIM assignments from Microsoft Entra, check out the script I wrote at: How to Export All Entra PIM Roles with Microsoft Graph PowerShell.
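The review described above can also cover role members that are groups or service principals, and PIM-eligible assignments, in a single report. The following is an added example, not the author's script. It assumes the Microsoft.Graph.Beta.Identity.Governance module is installed and the tenant is licensed for PIM; the output file name and the ConvertTo-ReportRow helper are hypothetical.

```powershell
# Added example (not from the original post). Read-only scopes only.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All'

# Look the role up by name instead of hard-coding an ID.
$role = Get-MgBetaRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Teams Administrator'"
if (-not $role) { throw 'Teams Administrator role definition not found.' }
$filter = "roleDefinitionId eq '$($role.Id)'"

# Hypothetical helper: flatten one assignment into a report row.
# -ExpandProperty Principal returns a generic directory object, so the
# principal's fields are read from AdditionalProperties.
function ConvertTo-ReportRow {
    param($Assignment, [string]$State)
    $p = $Assignment.Principal.AdditionalProperties
    [pscustomobject]@{
        State             = $State
        PrincipalType     = $p['@odata.type'] -replace '^#microsoft\.graph\.', ''
        DisplayName       = $p['displayName']
        UserPrincipalName = $p['userPrincipalName']   # empty for groups and service principals
        Scope             = $Assignment.DirectoryScopeId
        PrincipalId       = $Assignment.PrincipalId
    }
}

$rows = @()

# Active assignments to the role.
$rows += Get-MgBetaRoleManagementDirectoryRoleAssignment -Filter $filter -ExpandProperty Principal -All |
    ForEach-Object { ConvertTo-ReportRow -Assignment $_ -State 'Active' }

# PIM-eligible assignments; skipped with a warning if the call is not available in the tenant.
try {
    $rows += Get-MgBetaRoleManagementDirectoryRoleEligibilityScheduleInstance -Filter $filter -ExpandProperty Principal -All -ErrorAction Stop |
        ForEach-Object { ConvertTo-ReportRow -Assignment $_ -State 'Eligible' }
}
catch {
    Write-Warning "Eligible assignments not retrieved: $($_.Exception.Message)"
}

# One row per assignment, ready for the per-user follow-up in step 4.
$rows | Sort-Object State, PrincipalType, DisplayName |
    Export-Csv C:\Temp\TeamsAdminsReview.csv -NoTypeInformation
```

Rows with a PrincipalType of group need their membership reviewed separately, since every member of that group holds the role.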