Ensuring user account permissions

Let's check whether the account has the necessary permissions using the following PowerShell cmdlet:

Get-MsolUserRole

This cmdlet gets all the administrator roles that the specified user belongs to. It will also return the roles that the user is a member of through security group membership.

The cmdlet accepts the following three parameters. ObjectId and UserPrincipalName are the required parameters, and we need to pass/provide at least one of them:

• [-ObjectId <Guid>]: Specifies the unique ID of the user to retrieve roles for.
• [-TenantId <Guid>]: Specifies the unique ID of the tenant on which the operation is to be performed. The default value is the tenant of the current user. This parameter applies only to partner users.
• [-UserPrincipalName <String>]: Specifies the UserPrincipalName of the user to retrieve roles for.

The following cmdlet will display the administrative role for a user:

Get-MsolUserRole -UserPrincipalName "pgbhoyar@pgbhoyar.onmicrosoft.com"

The following screenshot shows the output for the preceding command:

Here, the Company Administrator is the same as global administrator.

To grant additional accounts admin roles, we can use the following PowerShell cmdlet:

Add-MsolRoleMember

To get the available administrative roles, we can use the following PowerShell cmdlet:

Get-MsolRole

The following screenshot shows the output for the preceding command:

If we need to grant the user global administrator/company administrator role, we can use the following PowerShell cmdlet:

Add-MsolRoleMember -RoleName "Company Administrator"
 -RoleMemberEmailAddress "prashant-admin@pgbhoyar.onmicrosoft.com"

To verify that the user has the admin role now, we can use the PowerShell Get-MsolUserRole cmdlet mentioned earlier.