Skip to content

Automatic Office 365 Role membership management

Automatic Office 365 Role membership management
Automatic Office 365 Role membership management

NOTE: Azure AD now support group based administration roles assignment (see

Office 365 Role membership management is one of the few workload you can not manage using groups.

To automate the membership of these roles I have created a script.

The script is comparing Active Directory group membership with the corresponding Office 365 Role, excluding online account added to the Office 365 role. If there is any difference, the script will automatically grant or revoke role membership based on the AD group.

To take advantage of this script you need the following requirements:

Azure Active Directory PowerShell module v1
Have your Active Directory synchronized
Create one Active Directory group for each Office 365 role; the name must match the Office 365 name; you can get the Office 365 role name here; for example the Skype for Business Service Administrator role is called Lync Service Administrator
NOTE the script will only work with existing AD group matching the Office 365 role

Active Directory user accounts used to manage the role permission are synchronized
All accounts have a routable UPN – i.e. not using @domain.local. If not you will got the error “Access Denied. You do not have permissions to call this cmdlet.” when updating Office 365 role
Use an account with Office 365 Global Administrator; it will be needed to update Office 365 role membership.If you plan to use the script with a scheduled task you need to use a service account with the password set to never expire
A service mailbox you can authenticate with to send email notifications after completion
Script Variables
There are few variables you have to update to match your environment

$ScriptFolder defines the folder location where the script is saved; set by default to C:\Scripts. It is optional to update. All encrypted credentials files and log files will be saved in this directory
$GroupOU defines the organizational unit where the AD groups used for Office 365 Role management are located; this OU does not need to be synchronized with Office 365. For example, $GroupOU = “Office 365 Roles Management”
$MFAEnabled defines if you want to enable Azure MFA or not; a pop up will ask for your choice. If you do not answer withing 20 seconds it will apply the default setting set to enable MFA; this helps the script to detect if it is running interactively or with a scheduled task
$SMTPServer to define the SMTP server to use for sending email notification. For example, $SMTPServer = “”
$SMTPPort to define the communication port to use to connect to the SMTP server – usually 25 or 587
$From defines the FROM field of the email notification; it does not need to be an existing email address
$To defines the recipient for the notification. If you want to define multiple recipients, separate each recipient with a coma. For example, $To = “”,””
More details available in my blog

Published: May 1, 2017