Permissions Needed to Run Get Commands Against Exchange

Understanding Exchange Online's Role-Based Access Control model

The Role-Based Access Control model manages and evaluates permissions in Exchange Online. Admins can explore the model, create new permissions and customize roles.

Managing permissions in an Exchange Server environment can be complex, and Exchange Online is no different.

Administrators who manage this messaging platform should understand the Role-Based Access Control model when setting up permissions for end users.

To enable the management of a Role-Based Access Control (RBAC) model in Exchange, we need to import the PowerShell cmdlets on the administrator's computer.

To do this, connect to Exchange Online and import the session with the following script:

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential (Get-Credential) -Authentication Basic -AllowRedirection

Import-PSSession -Session $Session

This script will request a password before connecting to Exchange; it then will import the necessary cmdlets.

The Exchange Online Role-Based Access Control model consists of several different components: Roles, Role Groups, Role Entries and Role Assignments. To begin exploring, run the Get-ManagementRole cmdlet to see what management roles exist in the environment.

Get-ManagementRole cmdlet
The Get-ManagementRole cmdlet lists the management roles in the organization.

The listing can get lengthy, which may lead you to believe there are a lot of roles to manage. However, there are also the default Role Groups, as shown below.

Role Groups
The Get-RoleGroup cmdlet returns the list of management role groups in the organization.

That default set of Role Groups comes with every subscription and is a way to aggregate a large, complex set of granular permissions into a more digestible set of descriptively named groups. Role Groups spare the administrator from having to look at detail-level permissions.

Adding people to roles

Assume an employee has moved to the Help Desk department. There is a Role Group called Help Desk, so the administrator needs to add that end user to the Help Desk role. You can check what role memberships the end user has. Because you don't want to see individual roles, but the role groups, run the following script:

Get-ManagementRoleAssignment -RoleAssignee "jnewhire" | Select-Object -Unique RoleAssigneeName

This query returns no results; the blank output means that this user has no roles assigned to it. The following command fixes this:

Add-RoleGroupMember -Identity "Help Desk" -Member "jnewhire"

Next, run the previous command again to find the role membership, which now is called Help Desk.

Adding users to roles one at a time can be tedious. An easier way is to build a filter for the Get-User cmdlet that finds users and adds them, as such:

Get-User -Filter {StateOrProvince -eq "CA" -And Department -eq "Support"} | ForEach-Object {Add-RoleGroupMember -Identity "Help Desk" -Member $_.Identity}

The role membership allows you to run a script to see which PowerShell cmdlets and parameters users in the Help Desk role can run. Results show which Management Roles are grouped into the Help Desk Management Role Group.

Help Desk Role Group
This PowerShell command shows what management roles are in the Help Desk Role Group.

The Name column is the name of a Role Assignment Entry. To the left of the dash is the Role Name, and the part to the right is the name of the Role Group -- where the role is assigned. Running the following command shows which commands each Role Assignment Entry will allow the user to access:

Get-ManagementRoleEntry -Identity "View-Only Recipients\*"

Role Entries
The Get-ManagementRoleEntry cmdlet shows the role entries configured on a specific role.

This list can be extensive. To see what roles give access to a specific command, invoke Get-ManagementRoleEntry, as shown below.

Get-ManagementRoleEntry -Identity "*\Get-Mailbox"

Get-ManagementRoleEntry cmdlet
The Get-ManagementRoleEntry cmdlet can also show what roles give access to a given command.

Custom role assignment

Default Role Groups and Role Assignments inside the Role-Based Access Control model work well for a lot of Exchange Online users, but they're not right for every end user. If the business needs something custom, PowerShell is the best bet.

To customize a role using PowerShell, enable customization by running the Enable-OrganizationCustomization cmdlet. To customize the role, run the cmdlet to instruct Exchange Online that you want your own copy.

For example, customization can help if you want to give Help Desk users the ability to see more of the configuration within the Exchange environment. This should help them track down issues faster before they need to escalate tickets to more privileged admins. We can add the View-Only Configuration role to the Help Desk Role Group, and let them see -- but not change -- more settings.

New-ManagementRoleAssignment -SecurityGroup "Help Desk" -Role "View-Only Configuration"

This command lets Help Desk users view the Exchange environment configuration.
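
The two lookups above (which roles expose a cmdlet, and which Role Group holds each role) can be joined into one answer when reviewing who can read or change what. The following is an added example, not code from the original article: the function name Get-CmdletAccess is hypothetical, the sample rows are constructed, and it assumes objects carrying the Name, Role and RoleAssigneeName properties that Get-ManagementRoleEntry and Get-ManagementRoleAssignment return.

```powershell
# Added example: join role entries (cmdlet -> role) with role assignments
# (role -> role group) to answer "who can run this cmdlet?".
function Get-CmdletAccess {              # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$Cmdlet,
        [Parameter(Mandatory)][object[]]$RoleEntry,      # like Get-ManagementRoleEntry output
        [Parameter(Mandatory)][object[]]$RoleAssignment  # like Get-ManagementRoleAssignment output
    )
    # Roles that contain an entry for the cmdlet
    $roles = $RoleEntry | Where-Object { $_.Name -eq $Cmdlet } |
        Select-Object -ExpandProperty Role -Unique

    foreach ($role in $roles) {
        $holders = @($RoleAssignment | Where-Object { $_.Role -eq $role })
        if ($holders.Count -eq 0) {
            # The role exposes the cmdlet, but no group holds the role
            [pscustomobject]@{ Cmdlet = $Cmdlet; Role = $role; RoleGroup = '(unassigned)' }
            continue
        }
        foreach ($h in $holders) {
            [pscustomobject]@{ Cmdlet = $Cmdlet; Role = $role; RoleGroup = $h.RoleAssigneeName }
        }
    }
}

# Constructed sample rows, not output from a real tenant
$entries = @(
    [pscustomobject]@{ Name = 'Get-Mailbox';       Role = 'View-Only Recipients' }
    [pscustomobject]@{ Name = 'Get-Mailbox';       Role = 'Mail Recipients' }
    [pscustomobject]@{ Name = 'Set-Mailbox';       Role = 'Mail Recipients' }
    [pscustomobject]@{ Name = 'Get-TransportRule'; Role = 'View-Only Configuration' }
)
$assignments = @(
    [pscustomobject]@{ Role = 'View-Only Recipients'; RoleAssigneeName = 'Help Desk' }
    [pscustomobject]@{ Role = 'Mail Recipients';      RoleAssigneeName = 'Recipient Management' }
)

# Before the custom assignment: Help Desk reads mailboxes but cannot change them,
# and nobody in the sample holds View-Only Configuration
'Get-Mailbox', 'Set-Mailbox', 'Get-TransportRule' | ForEach-Object {
    Get-CmdletAccess -Cmdlet $_ -RoleEntry $entries -RoleAssignment $assignments
}

# After New-ManagementRoleAssignment adds View-Only Configuration to Help Desk
$assignments += [pscustomobject]@{ Role = 'View-Only Configuration'; RoleAssigneeName = 'Help Desk' }
Get-CmdletAccess -Cmdlet 'Get-TransportRule' -RoleEntry $entries -RoleAssignment $assignments
```

With a connected session, the output of Get-ManagementRoleEntry -Identity "*\Get-Mailbox" can be passed as -RoleEntry and the output of Get-ManagementRoleAssignment as -RoleAssignment; this assumes the Role values on both sides compare as the same string.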


Source: https://www.techtarget.com/searchwindowsserver/tip/Understanding-Exchange-Onlines-Role-Based-Access-Control-model
