The Enabling Technologies Blog

Our team of Cloud Strategy Advisors, Solution Architects, Engineers and former C-Suite Executives work diligently to provide our vistors with the most pressing information.

Scott Vickland /

Role Based Access for Teams – Use Least Privilege to Strengthen User Support!

Here at Enabling, we’re working every day with customers of all shapes and sizes as they adopt Teams for collaboration and, in many cases, voice as well. With our voice customers, we often advise how they can best organize themselves to support Teams for Voice for their organization. Customers coming from legacy telephony solutions can find support and administration of Teams is quite different from that of their existing systems, particularly if Teams is their first experience with soft-phone solutions. So, it is important that orgs think about their operational support model for Teams.  

Any successful Teams Voice rollout includes robust change management and training. But we also advise that how an organization handles user support issues is an important determinant in how well users adopt the platform.  


A user struggling with a defective headset or poor audio because of an overly saturated Wi-Fi access point isn’t going to think their headset is a problem nor that the Wi-Fi access point needs upgrading. No, they are going to assume Teams Voice is crap. We need to counter that impression by making the support experience as good as possible for the user. The user should have a seamless, easy, stress-free experience when working with your support team. They should only have to log their ticket once, should only have to explain themselves once, and should: 

  • Get a quick response that their issue is being dealt with, and 
  • Get a resolution of their issue as quickly as possible.  

Obviously, all the other pieces that make up Teams should be in place. For example, deployment of Teams-certified devices and use of the Teams Network Planner can help resolve problems before they become user issues, not to mention regular monitoring of the Call Quality Dashboard. But, in addition, we recommend equipping your Help Desk so that technician can make the user’s experience as simple and as straightforward as possible. You can do this by equipping your Tier 1 support with tools they can use to solve simpler user support issues and provide them with enough understanding of the platform that they know when to escalate an issue and whom in the support team to escalate that issue to. 

As any of our customers will tell you, we emphasize two themes when discussing security: zero trust and least privilege. By way of least privilege in the case of Teams, Microsoft has seeded Azure Active Directory with 5 roles designed to give the IT organization the ability to support Teams without relying on the Global IT Admin role. These roles give IT staff the ability to administer, monitor and troubleshoot Teams without being assigned Global IT Admin rights which is what we often see. However, the content provided in the Microsoft knowledge base on Team admin roles is not as clear as it could be.  

Teams Communications Support Specialist 

This role has the least privileges and is suitable for assignment to Tier 1 Help Desk staff. This role gives the user the ability to check on a user’s profile as well as details around a given user’s call. This role can only see activity for the user they searched for. The use case here is Tier 1 can have a quick look at the Call Quality Dashboard to see what if any issues there might be behind the scenes affecting the user’s experience.  

Teams Communications Support Engineer 

This role is next up the spectrum of least privileges and is also suitable for assignment to Tier 1 Help Desk staff. This role gives the user the ability to check on a user’s profile as well as details around a given user’s call for all participants in the call. Similar to the Teams Communications Support Specialist, this role can check the Call Quality Dashboard, but, as said, is able to see the experience for each of the participants in the call in question. 

Teams Communications Administrator 

This role is not, in our view, suitable for Tier 1 Help Desk but is for higher level user support. They can administer all the setting related to Locations, Users, Meetings, and Voice. In addition, this role manages Template Policies, Call Quality Dashboard, Network Planner, Holidays and Resource Accounts.  

Teams Administrator 

This role builds on Teams Communications Administrator, adding all Teams management functions, Devices, Messaging Policies, Teams Apps, Policy Packages, Analytics and Reporting, all Organization-wide Settings, Planning and the Call Quality Dashboard. This is your role with the highest privileges. 

A table showing access rights for each role is included below.  

If you have any questions about Teams access rights or how to configure your organization to best support the platform, reach out to us at

blog pic 1


blog pic 2


Work with our team of Cloud Computing Consultants who have done this so many times they know all of the “minefields” to prevent missteps.