I recently was presented with a question from a customer about why so many of their users received an email from the Microsoft Office 365 Team notifying them of the availability of Visio Pro for Office 365. I had a hunch it was a bulk email sent to the Global Admins of the tenant but did not want to assume anything until I validated my thoughts.
I first accessed the user list through the Office 365 admin portal and filtered on “Global Admins” only to find that there were more than a page of users represented. Really?! That many for such a small subset of people?! The list of those that received the email notification was the same list of users assigned as global admins in the tenant. Well, if that is what is needed, who am I to recommend otherwise.
To validate the list shown in the portal of who has been assigned as an Office 365 Global Admin, connect to your Office 365 account via PowerShell from your admin workstation, not an Exchange server.
After connecting to Office 365, run the following two commands to be able to access the proper set of cmdlets that will render the correct information regarding what we are looking for. The second of these commands will require you to enter your Office 365 credentials.
This next command will provide a list of Office 365 tenant roles–groups if you will.
The results of the above command displays the objectID, name and description of each role. You will notice from the display of roles that “Global Admins” is not present. However, “Global Admins” is represented by “Company Administrator” via PowerShell.
We will use the ObjectID associated with the “Company Administrator” role to find out what Office 365 users have been assigned as global admins.
NOTE: The ObjectID for “Company Administrator” is unique to every Office 365 tenant.
Enter the following command with your ObjectID to get a list of users assigned as global admins.
Get-MsolRoleMember -RoleObjectId "ObjectID"
The results will provide a comprehensive list of those that have access to make changes to and administer your Office 365 tenant, and this list of users will also receive email notifications from the Microsoft Office 365 Team. Check often and make modifications or corrections as needed to maintain the security of your tenant.
Additionally, the previous command above can be simplified if you choose not to search based on ObjectID but by role name instead by entering the following two commands to search for global admins in your tenant.
$O365ROLE = Get-MsolRole -RoleName “Company Administrator” Get-MsolRoleMember -RoleObjectId $O365ROLE.ObjectId
Good luck and have fun!