Sometimes the built-in role-based access control (RBAC) in Exchange and Office 365 does not meet your requirements. However, with PowerShell you can create custom management roles to suit your needs.

RBAC allows applying granular permissions based on someone's job role, such as user management, e-discovery, or read-only access. You can customize RBAC with the PowerShell commands explained in this article.

For the examples in this post, I will be using Exchange Online in Office 365; however, these commands should apply to on-premises Exchange Server, but your mileage may vary. In the Exchange admin center, under Permissions and Admin Roles, there are several pre-built groups with assigned roles.

Exchange default roles

Exchange default roles

For instance, the Help Desk group has the Reset Password, User Options, and View-Only Recipients roles assigned to it. These roles allow the administrators in the Help Desk group to run certain Exchange PowerShell commands. To see the commands and parameters attached to a role, run Get-ManagementRoleEntry with the name of the role and an asterisk for all commands associated with the role:

Reset password available commands

Reset password available commands

The Set-User command combined with the ResetPasswordOnNextLogon parameter allows administrators to reset user passwords. Let's say a certain role meets your needs but has some commands in it you don't want administrators to have the ability to run. You can create a custom role based off an existing role and remove PowerShell commands or parameters to limit those permissions.

Let's say I want to create a group that allows administrators to create mailboxes but not remove mailboxes. I need to find an existing role that contains the New-Mailbox command. We'll use the Get-ManagementRole command with -Cmdlet to filter for New-Mailbox:

Management roles with New Mailbox

Management roles with New Mailbox

The Mail Recipient Creation role looks perfect for our needs. Let's create a copy of it and give it a unique name using the New-ManagementRoleEntry command and specifying Mail Recipient Creation as our parent role:

Creating a custom management role

Creating a custom management role

After creating the group, I want to delete the Remove commands available in the role. In this case, these are Remove-MailContact, Remove-MailUser, Remove-Mailbox, and Remove-CalendarEvents:

Commands to remove

Commands to remove

Unfortunately, Remove-ManagementRoleEntry does not like sending objects to it from the pipeline, so we must run the remove command each time, like this:

Deleting commands

Deleting commands

Next, let's remove the Room and Equipment parameters from the New-Mailbox command so the role only allows creating user and shared mailboxes. We can accomplish this by changing the properties of the current entry using the Set-ManagementRoleEntry command and specifying the parameters to remove along with the -RemoveParameter option:

Let's say I also want to add a new command to the group, such as the ability to create databases. I can do this by using the Add-ManagementRoleEntry command:

Add management role error

Add management role error

The error states it didn't find the New-MailboxDatabase management role entry on the Mail Recipient Creation management role. Unfortunately, you can only add role entries that are in the parent role. Since we created our custom role from the Mail Recipient Creation role, we cannot add any commands not a part of that role. We would need to find an existing management role that contains New-MailboxDatabase to work with.

If we go back to the Exchange admin center, we can modify an existing group or create a new group to add the new management role:

Adding management role

Adding management role

Management roles are not restricted to Exchange administrators. You can also create roles you can apply to users to prevent them from changing some of their own options, such as creating inbox rules, changing their photos, or altering voice mail settings.

In addition to custom roles, custom scopes can also apply to the management groups. This allows restricting the types of objects we can manage. For example, we can create a management scope that applies only to shared mailboxes by using the New-ManagementScope command:

When applied to a management group, the users in the group and the commands from the assigned roles will only apply to mailboxes whose RecipientTypeDetails is SharedMailbox. We can expand this idea to databases, servers, organizational units, and sites.

Want to write for 4sysops? We are looking for new authors.

Read 4sysops without ads by becoming a member!

0
Share
12 Comments
  1. Cam 2 years ago

    Great article and explanation of custom roles. If I want an admin to grant mailbox permissions only (send as, full etc), is there a customisation for this?

    0

    • Author

      Hi Cam, absolutely! You would need to create a new custom role based on an existing scope that includes the Add-MailboxPermission cmdlet, then remove all other commands from the scope.

      0

  2. Hasan 1 year ago

    Hello Team,

    I have a query about setting up password administrator for my organisation but he should be able to reset passwords only for a particular group of users and not everyone in the tenant. I know that a password admin cannot reset password for other admins, but I want to go beyond this and restrict password resting only to a group of users.

    I have created a customized management role & scope in O365 where I have added a filter customatttribute1 = MSP-Password and assigned it to a user but he is still able to reset passwords of any users in the tenant

    0

  3. Manish 9 months ago

    Get-ManagementRoleEntry "My Custom Mailbox Recipient Creation/Remove-*"

    This command is not working.

    0

  4. Bent 7 months ago

    Thank you for the nice article. Googled around for  finding a solution to limit helpdesk to only create new shared mailboxes, avoiding them to delete users or create new users. This article pointed me in the right direction.

    I too got the error from the line:

    Get-ManagementRoleEntry "My Custom Mailbox Recipient Creation/Remove-*"

    figured out the slash(/) needed to be a back slash (\). At least on a on premise server using Exchange management shell.

    1+

  5. Asharaf 7 months ago

    Thank for the article , can you please help to create a custom role access where user need to view only access to exchange online transport rules ?

     

    Thanks

    0

  6. Rahul Vaid 2 months ago

    Hello Jeff,

    Hope you are doing Well.

    Can you please guide me in creating a custom role that would allow users to only be able to create mail-disabled groups in Office 365.

    Regards

    Rahul Vaid

    0

    • Hi Rahul,

      what exactly do you mean by mail disabled groups? That sound to me like a Security group, to be used to grant access to a resource.

      Thanks for clarifying.

      Leos

      0

  7. Rahul Vaid 2 months ago

    Hello Leos

    The primary ask is to not to allow Office 365 users to create a mail enabled groups. We have this official article Manage who can create Office 365 Groups but it doesn't fulfill my requirements.

    Manage who can create Office 365 Groups

    Please help me and let me know if this is possible.

    Regards

    Rahul Vaid 

    0

    • Oh then. Thats a very difficult question. I am not really sure if thats possible. 

      So, in other words, you would like to allow users to create a group for example in Teams or Sharepoint, but on the other hand, that groups should not be able to be used as distribution list?

      0

  8. rey santiago 6 days ago

    Omg this is exactly what i needed. The only thing that drove me nuts for a n hour or two was a typo in one of your sections. It has the wrong slash. Other than that perfect write up. Thanks. 

    Get-ManagementRoleEntry "My Custom Mailbox Recipient Creation/Remove-*"

    0

Leave a reply

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2020

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account