RBAC allows applying granular permissions based on someone's job role, such as user management, e-discovery, or read-only access. You can customize RBAC with the PowerShell commands explained in this article.
For the examples in this post, I will be using Exchange Online in Office 365; however, these commands should apply to on-premises Exchange Server, but your mileage may vary. In the Exchange admin center, under Permissions and Admin Roles, there are several pre-built groups with assigned roles.
For instance, the Help Desk group has the Reset Password, User Options, and View-Only Recipients roles assigned to it. These roles allow the administrators in the Help Desk group to run certain Exchange PowerShell commands. To see the commands and parameters attached to a role, run Get-ManagementRoleEntry with the name of the role and an asterisk for all commands associated with the role:
Get-ManagementRoleEntry "Reset Password\*"
The Set-User command combined with the ResetPasswordOnNextLogon parameter allows administrators to reset user passwords. Let's say a certain role meets your needs but has some commands in it you don't want administrators to have the ability to run. You can create a custom role based off an existing role and remove PowerShell commands or parameters to limit those permissions.
Let's say I want to create a group that allows administrators to create mailboxes but not remove mailboxes. I need to find an existing role that contains the New-Mailbox command. We'll use the Get-ManagementRole command with -Cmdlet to filter for New-Mailbox:
Get-ManagementRole -Cmdlet New-Mailbox
The Mail Recipient Creation role looks perfect for our needs. Let's create a copy of it and give it a unique name using the New-ManagementRole command, specifying Mail Recipient Creation as our parent role:
New-ManagementRole -Name "My Custom Mailbox Recipient Creation" -Description "Allows creating mailbox but not deletion." -Parent "Mail Recipient Creation"
After creating the role, I want to delete the Remove commands available in it. In this case, these are Remove-MailContact, Remove-MailUser, Remove-Mailbox, and Remove-CalendarEvents (note the backslash between the role name and the cmdlet pattern):
Get-ManagementRoleEntry "My Custom Mailbox Recipient Creation\Remove-*"
Unfortunately, Remove-ManagementRoleEntry does not accept objects sent to it from the pipeline, so the remove command must be run once for each entry.
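The per-entry removal as an added example; this is not code from the original article. It assumes the custom role name used above and a PowerShell session already connected to Exchange Online or the Exchange Management Shell:

```powershell
# Added example: strip every Remove-* entry from the custom role, one call per entry.
# Assumes the role name from the article and a connected Exchange PowerShell session.
$Role = "My Custom Mailbox Recipient Creation"

# Enumerate the destructive entries still present on the custom role.
$RemoveEntries = Get-ManagementRoleEntry "$Role\Remove-*"

foreach ($Entry in $RemoveEntries) {
    # Remove-ManagementRoleEntry expects a "Role\Cmdlet" identity string,
    # not a pipeline object, so build the identity from the entry's Name.
    $Identity = "$Role\$($Entry.Name)"
    Write-Host "Removing role entry $Identity"
    Remove-ManagementRoleEntry -Identity $Identity -Confirm:$false
}

# Verify: once the loop has finished this should return nothing.
Get-ManagementRoleEntry "$Role\Remove-*"
```

Run the loop once with `-WhatIf` appended to Remove-ManagementRoleEntry to see exactly which entries would be dropped before making the change; the final Get-ManagementRoleEntry call is the check that no destructive cmdlet remains on the role.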
Next, let's remove the Room and Equipment parameters from the New-Mailbox command so the role only allows creating user and shared mailboxes. We can accomplish this by changing the properties of the current entry using the Set-ManagementRoleEntry command and specifying the parameters to remove along with the -RemoveParameter option:
Set-ManagementRoleEntry -Identity "My Custom Mailbox Recipient Creation\New-Mailbox" -Parameters Room,Equipment -RemoveParameter
Let's say I also want to add a new command to the group, such as the ability to create databases. I can do this by using the Add-ManagementRoleEntry command:
Add-ManagementRoleEntry -Identity "My Custom Mailbox Recipient Creation\New-MailboxDatabase"
The error states it didn't find the New-MailboxDatabase management role entry on the Mail Recipient Creation management role. Unfortunately, you can only add role entries that exist in the parent role. Since we created our custom role from the Mail Recipient Creation role, we cannot add any command that is not part of that role. We would need to find an existing management role that contains New-MailboxDatabase to work with.
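A check that avoids this error, as an added example rather than code from the original article: before calling Add-ManagementRoleEntry, look up the custom role's parent and confirm the cmdlet exists there; if it does not, list the built-in roles that do carry it so a suitable parent can be chosen. It assumes the custom role name from the article and that the Parent property is returned by name in your session.

```powershell
# Added example: confirm a cmdlet is available on the parent role before adding it
# to a custom role. Assumes the custom role name used in the article.
$Role   = "My Custom Mailbox Recipient Creation"
$Cmdlet = "New-MailboxDatabase"

# A custom role can only receive entries that exist on its parent role.
# Assumption: Parent is displayed by name in this session (adjust if you get a DN).
$Parent = (Get-ManagementRole -Identity $Role).Parent
$ParentEntry = Get-ManagementRoleEntry "$Parent\$Cmdlet" -ErrorAction SilentlyContinue

if ($ParentEntry) {
    # Safe to add: the parent role carries the cmdlet.
    Add-ManagementRoleEntry -Identity "$Role\$Cmdlet"
} else {
    Write-Warning "$Cmdlet is not in parent role '$Parent'; it cannot be added to '$Role'."
    # Show which existing roles contain the cmdlet, to pick a different parent from.
    Get-ManagementRole -Cmdlet $Cmdlet | Select-Object Name, IsRootRole, Parent
}
```

The IsRootRole column separates built-in roles from custom ones, which matters because a new custom role should normally be derived from a built-in role rather than from another custom role with an already-trimmed entry list.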
If we go back to the Exchange admin center, we can modify an existing group or create a new group to add the new management role:
Management roles are not restricted to Exchange administrators. You can also create roles you can apply to users to prevent them from changing some of their own options, such as creating inbox rules, changing their photos, or altering voice mail settings.
In addition to custom roles, custom scopes can also apply to the management groups. This allows restricting the types of objects we can manage. For example, we can create a management scope that applies only to shared mailboxes by using the New-ManagementScope command:
New-ManagementScope -Name "Shared Mailbox Management" -RecipientRestrictionFilter {RecipientTypeDetails -eq "SharedMailbox"}
When assigned to a role group, the members of the group can run the commands from the assigned roles only against mailboxes whose RecipientTypeDetails is SharedMailbox. We can expand this idea to databases, servers, organizational units, and sites.
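The scope and the custom role tied together in one role group, as an added example that is not part of the original article. It assumes the custom role and scope names used above and a constructed member account (helpdesk.user@contoso.example); the final command is the audit a practitioner would run to confirm what the group can actually do.

```powershell
# Added example: a role group whose members can only create mailboxes (the custom role)
# and can only act on shared mailboxes (the custom write scope).
# Assumes the role and scope names from the article; the member address is constructed.
$RoleName  = "My Custom Mailbox Recipient Creation"
$ScopeName = "Shared Mailbox Management"
$GroupName = "Shared Mailbox Creators"

# Create the scope only if it does not exist yet, so the script can be re-run safely.
if (-not (Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $ScopeName `
        -RecipientRestrictionFilter { RecipientTypeDetails -eq "SharedMailbox" }
}

# The custom recipient write scope on the role group limits every assigned role
# to the recipients matched by the scope filter.
New-RoleGroup -Name $GroupName `
    -Roles $RoleName `
    -CustomRecipientWriteScope $ScopeName `
    -Members "helpdesk.user@contoso.example"

# Audit: which roles the group holds and which write scope applies to each.
Get-ManagementRoleAssignment -RoleAssignee $GroupName |
    Select-Object Role, RecipientWriteScope, CustomRecipientWriteScope
```

If the audit shows a RecipientWriteScope of Organization on any assignment, the scope did not take effect for that role and the group's members can write to every recipient in the tenant; the CustomRecipientWriteScope column should name the scope for each role you intended to restrict.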
Great article and explanation of custom roles. If I want an admin to grant mailbox permissions only (Send As, Full Access, etc.), is there a customisation for this?
Hi Cam, absolutely! You would need to create a new custom role based on an existing scope that includes the Add-MailboxPermission cmdlet, then remove all other commands from the scope.
Hello Team,
I have a query about setting up a password administrator for my organisation, but he should be able to reset passwords only for a particular group of users and not everyone in the tenant. I know that a password admin cannot reset passwords for other admins, but I want to go beyond this and restrict password resetting to only a group of users.
I have created a customized management role & scope in O365 where I have added a filter CustomAttribute1 = MSP-Password and assigned it to a user, but he is still able to reset passwords of any users in the tenant.
Get-ManagementRoleEntry "My Custom Mailbox Recipient Creation/Remove-*"
This command is not working.
Hi Manish, what error do you get when trying the command?
Thank you for the nice article. Googled around to find a solution to limit the helpdesk to only creating new shared mailboxes, preventing them from deleting users or creating new users. This article pointed me in the right direction.
I too got the error from the line:
Get-ManagementRoleEntry "My Custom Mailbox Recipient Creation/Remove-*"
Figured out the slash (/) needed to be a backslash (\). At least on an on-premises server using the Exchange Management Shell.
Thanks for the article. Can you please help to create a custom role where the user needs view-only access to Exchange Online transport rules?
Thanks
Hello Jeff,
Hope you are doing Well.
Can you please guide me in creating a custom role that would allow users to only be able to create mail-disabled groups in Office 365.
Regards
Rahul Vaid
Hi Rahul,
What exactly do you mean by mail-disabled groups? That sounds to me like a security group, to be used to grant access to a resource.
Thanks for clarifying.
Leos
Hello Leos
The primary ask is to not allow Office 365 users to create mail-enabled groups. We have this official article, Manage who can create Office 365 Groups, but it doesn't fulfill my requirements.
Please help me and let me know if this is possible.
Regards
Rahul Vaid
Oh, then that's a very difficult question. I am not really sure if that's possible.
So, in other words, you would like to allow users to create a group, for example in Teams or SharePoint, but on the other hand, those groups should not be usable as a distribution list?
Omg, this is exactly what I needed. The only thing that drove me nuts for an hour or two was a typo in one of your sections. It has the wrong slash. Other than that, perfect write-up. Thanks.
Get-ManagementRoleEntry "My Custom Mailbox Recipient Creation/Remove-*"
Hi Jeff,
Hope you are doing good.
Can you please help to create a custom role to prevent owners/users from editing distribution groups?
I want to create a role group with only the PowerShell “Mail Recipient:” permissions
Hi, great tutorial. Is there also the option to limit the scope of the custom admin role to specific domains?
Hi
I need to create the necessary RBAC role/customize a role within Azure to allow only the user quarantine permission to specific admins. In the past, we have allowed the full Exchange Online admin role to work around this; however, I am not willing to do that anymore. Would you be able to assist me in finding the necessary role/permissions to complete the exact activity that you need to do (allow release of mobile devices from quarantine within EXO)?