Get-AzureADDirectoryRole and "Global Administrator" vs. "Company Administrator"

Sayan Ghosh 316 Reputation points Microsoft Employee
2021-01-18T02:56:59.323+00:00

The documentation suggests "In the Microsoft Graph API and Azure AD PowerShell, this role is identified as "Company Administrator". It is "Global Administrator" in the Azure portal."

This used to be the behaviour. However, one of my old scripts started failing and after debugging it seems Get-AzureADDirectoryRole now returns / accepts "Global Administrator" and not "Company Administrator". Can you please confirm this, and if so, update this in the documentation to reflect this correctly please?

Azure Role-based access control
Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.
711 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,368 questions
0 comments
Accepted answer
  1. soumi-MSFT 11,761 Reputation points Microsoft Employee
    2021-01-18T06:59:40.483+00:00

    Hello @Sayan Ghosh , thank you for reaching out. The Azure AD Directory Role has been renamed to Global Administrator even in Powershell and Microsoft Graph API responses.

    You can take a look at the screenshots below:
    57542-ga-pscmdlet.png

    57533-ga-graph.png

    I am working on updating the doc with the newer details. Please do allow us some time to update the docs, and also thanks a lot for bringing this to our notice.

    From your script side, yes, you would have to update your script so that it accepts "Global Administrator" now instead of "Company Administrator"

    I will get the docs updated and share the update with you here for your reference.

    Hope this helps.

    Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as an Answer; if the above response helped in answering your query.

2 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Syed Sohail 1 Reputation point
    2021-01-20T21:42:46.697+00:00

    Was there any official communication shared by MS around this change? this is a breaking change for any applications that were using this Role name as "Company Administrator" so wondering if there was anything communicated in advance so users could get a chance to update and fix their scripts etc.

    0 comments
  2. Abhijeet Kumar Sinha 1 Reputation point Microsoft Employee
    2021-01-21T00:21:59.093+00:00

    Hey Sayan,
    I am from Azure AD RBAC team. Yes, this is expected. The change is rolling out to all tenants as we speak. We had communicated about this upcoming change in message center post in M365 Admin Center way back in July. Today, we did a repost of the same message as a reminder (MC# 235242).

    We strongly discourage the use of display names in your script or code. Instead, you should reference the role template ID. See this list of template IDs for Azure AD built-in roles.

    Regarding docs update - Yes, the docs update is on its way.

    0 comments