Teams Admin Roles

Teams, like SfB, has a concept of administrative roles. These roles control what you as an administrator can see and do. This helps secure the environment, and also simplifies things for the administrator. If you’re not in charge of Direct Routing, why even see that in the Teams admin center?

I didn’t understand the first docs.microsoft.com post that tried to explain these roles, and while they’ve improved the explanations and role descriptions, I thought a more thorough explanation might help others out. Here’s what my investigate found.

The four roles and a brief outline of what they do are:

  • Teams Service Administrator. This role manages the Teams service, and also allows the creation and management of O365 Groups, which are a core foundation for Teams
  • Teams Communications Administrator. This role can manage call and meeting functionality within Teams.
  • Teams Communications Support Engineer. This role can manage communication issues within Teams by using advanced tools.
  • Teams Communications Support Specialist. This role can manage communication issues within Teams by using basic tools.

If you’re more of a visual learner, here is what the four roles would see in the Teams Admin Center:

Teams Service Admin…

TACServiceAdmin

Teams Communications Administrator

TACCommsAdmin

The Teams Communications Support Specialist and Teams Communications Support Engineer see the same thing in the menu:

TACSpecEng

However they see different things when they drill down into things. Here’s what the Teams Communications Support Specialist sees:

TACSpecWide

and here’s what the Teams Communication Support Engineer sees:

TACEng

Note the highlight part, showing that the Engineer role sees more advanced details suitable for their role.

PowerShell tells us a similar story. Here, the Teams Communications Support Specialist has no access to PSTN or voice commands:

PowerShell Spec

While the Teams Service Admin does:

PowerShellServiceAdmin

While these four roles don’t provide the same degree of flexibility and granularity (and complexity!) that was available in Skype for Business Server, you should ensure that you follow the principal of least privilege when assigning permissions to your support team.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s