How do I create a group and role in RBAC?

Андрей Михалевский 2,846 Reputation points
2024-07-12T15:09:55.95+00:00

Hi. Exchange 2016 on-premise.

I need to create a group and include a user who can manage mobile devices.

Can you please give me a PowerShell algorithm: how can I create a group and a role with the necessary commands?

An employee must connect remotely to the server.

I found the necessary roles:

Get-ManagementRole | Get-ManagementRoleEntry | Where {$_.name -match "mobile"}

What are my next steps? Do I have to create the role itself with the View-Only Configuration role? This will give the ability to connect via PowerShell.

Like this? New-RoleGroup -Name "MobileDevice Management" -Roles "View-Only Configuration" -Members svc_MobileAdmin

What is the correct way to create a role, include the required cmdlets in it and add it to my group?


Accepted answer
    Xintao Qiao-MSFT 1,405 Reputation points, Microsoft Vendor
    2024-07-15T09:46:00.4766667+00:00

    Hi, @Андрей Михалевский

    Based on your description, I understand that you want to create a role group to manage devices, and that users need to connect remotely.

    Creating a role group, assigning roles to it and adding users can be broken down into the following steps:

    1. Create a Custom Management Role

    You can use this cmdlet to create the custom role:

    New-ManagementRole -Name "Custom-MobileDeviceManagement" -Parent "View-Only Configuration"
    

    You do not need to create the role with the View-Only Configuration role. The View-Only Configuration role allows administrators to view Exchange configuration settings for all non-recipients in the organization. This does not serve the purpose of a remote connection.

    2. Create the Role Group

    Then use this cmdlet to create a new role group and assign the custom administrative role to it:

    New-RoleGroup -Name "MobileDevice Management" -Roles "Custom-MobileDeviceManagement"
    

    3. Add a Member to the Role Group

    Finally, add the user to the role group with this cmdlet:

    Add-RoleGroupMember -Identity "MobileDevice Management" -Member svc_MobileAdmin
    

    In addition, if you need to use PowerShell to connect to the server remotely, you can refer to the following article: Connect to Exchange servers using remote PowerShell | Microsoft Learn

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
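The three steps above, carried through as one least-privilege procedure. This is an added example, not code from the answer or from Microsoft: it derives the role from a parent, prunes it to an explicit allow-list, narrows Set-CASMailbox to its ActiveSync parameters, and attaches a recipient write scope so the account can only change the mailboxes it is meant to manage. It is meant to be run in the Exchange Management Shell by an Organization Management member. The role, group and scope names, the CustomAttribute1 filter and the cmdlet allow-list are assumptions; the allow-list is checked against the parent role before anything is created, because a custom role can only contain entries its parent already has.

```powershell
# Added example (not from the thread): least-privilege mobile-device role group
# for Exchange 2016. Names, scope filter and cmdlet list are assumptions.
$RoleName   = "Custom-MobileDeviceManagement"
$GroupName  = "MobileDevice Management"
$ScopeName  = "MobileManaged-Mailboxes"          # assumed scope name
$Member     = "svc_MobileAdmin"                  # account from the question
$ParentRole = "Mail Recipients"                  # parent that holds the cmdlets
$Cmdlets    = @("Get-CASMailbox", "Set-CASMailbox", "Get-MobileDevice",
                "Get-MobileDeviceStatistics", "Remove-MobileDevice",
                "Clear-MobileDevice")            # assumed allow-list: verify

# 1. A child role can only hold entries its parent has, so check first.
$available = (Get-ManagementRoleEntry "$ParentRole\*").Name
$missing   = $Cmdlets | Where-Object { $available -notcontains $_ }
if ($missing) { throw "Parent role '$ParentRole' lacks: $($missing -join ', ')" }

New-ManagementRole -Name $RoleName -Parent $ParentRole | Out-Null
Get-ManagementRoleEntry "$RoleName\*" |
    Where-Object { $Cmdlets -notcontains $_.Name } |
    Remove-ManagementRoleEntry -Confirm:$false

# 2. Narrow Set-CASMailbox to its ActiveSync* parameters plus the ones every
#    call needs. Without -AddParameter/-RemoveParameter, -Parameters replaces
#    the entry's whole parameter list, so Identity must be kept explicitly.
$keepAlways = @("Identity", "Confirm", "WhatIf", "ErrorAction", "ErrorVariable",
                "WarningAction", "WarningVariable", "Verbose", "Debug",
                "OutBuffer", "OutVariable", "DomainController")
$entry = Get-ManagementRoleEntry "$RoleName\Set-CASMailbox"
$keep  = $entry.Parameters | Where-Object { $_ -like "ActiveSync*" -or $keepAlways -contains $_ }
Set-ManagementRoleEntry -Identity "$RoleName\Set-CASMailbox" -Parameters $keep

# 3. Limit writes to the mailboxes this team owns. The OPATH filter is an
#    assumption; any recipient filter (OU, group membership, ...) works.
New-ManagementScope -Name $ScopeName `
    -RecipientRestrictionFilter "CustomAttribute1 -eq 'MobileManaged'" | Out-Null

# 4. Create the group with the write scope attached and add the member.
#    The role assignment itself is what lets the account open a remote
#    PowerShell session; no separate "connect" role is needed, but the
#    account's RemotePowerShellEnabled flag must stay $true.
New-RoleGroup -Name $GroupName -Roles $RoleName `
    -CustomRecipientWriteScope $ScopeName -Members $Member | Out-Null
Get-User -Identity $Member | Select-Object Name, RemotePowerShellEnabled

# 5. Verify what the account actually ends up with.
Get-ManagementRoleAssignment -RoleAssignee $Member |
    Format-Table Role, AssignmentMethod, CustomRecipientWriteScope -AutoSize
Get-ManagementRoleEntry "$RoleName\*" | Format-Table Name, Parameters -AutoSize
```

Two caveats worth knowing before relying on this. The custom write scope only constrains the Set-/Remove-/Clear- cmdlets; the Get- cmdlets are governed by the role's implicit read scope, so the account will still be able to read mobile-device data for the whole organization. And the parameter list you pass to Set-ManagementRoleEntry is the entire list: if a parameter you need is not in it (or not in the parent role), the cmdlet will refuse it at run time, which is the expected failure mode, not a sign the assignment is broken.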


1 additional answer

    Андрей Михалевский 2,846 Reputation points
    2024-07-15T12:00:43.3433333+00:00

    I think I got it:

    $CustomGroupName = "MobileDevice Administrators"
    $CustomRoleName  = "MobileDevice Management"
    $ParentRoleName  = "Mail Recipients"
    $userAccount     = "svc_MobileAdmin"

    # Only these cmdlets are kept in the custom role.
    $AllowedCmdlets  = @(
        "Set-CASMailbox",
        "Get-MobileDeviceStatistics",
        "Remove-MobileDevice"
    )

    # Derive the role from the parent, remove every entry not on the allow-list,
    # then create the role group with the role and the member in one step.
    New-ManagementRole -Name $CustomRoleName -Parent $ParentRoleName
    Get-ManagementRoleEntry "$CustomRoleName\*" | Where-Object { $AllowedCmdlets -notcontains $_.Name } | Remove-ManagementRoleEntry -Confirm:$false
    New-RoleGroup -Name $CustomGroupName -Roles $CustomRoleName -Members $userAccount
    PS C:\scripts> Get-ManagementRole $customRoleName | Get-ManagementRoleEntry

    Name                           Role                      Parameters
    ----                           ----                      ----------
    Get-MobileDeviceStatistics     MobileDevice Management   {ActiveSync, Debug, DomainController, ErrorAction...}
    Remove-MobileDevice            MobileDevice Management   {Confirm, Debug, DomainController, ErrorAction...}
    Set-CASMailbox                 MobileDevice Management   {ActiveSyncDebugLogging, ActiveSyncEnabled, ActiveSyncMailboxPolicy, ActiveSyncSuppressReadReceipt...}
    

    Why did I get access to Get-Mailbox?

    [Two screenshots (Снимок2, Снимок) were attached; not reproduced here.]

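A way to answer the question the post above ends with ("why did I get access to Get-Mailbox?") without guessing: an account's effective cmdlets are the union of every role assignment that reaches it, and those arrive not only through role groups but also through the mailbox's role assignment policy (MyBaseOptions in the Default Role Assignment Policy carries a Get-Mailbox entry). The script below is an added example, not part of the thread; it lists every assignment that reaches the account, finds which of those roles contain Get-Mailbox and with which parameters, and then shows what the assignment policy contributes. Only the account name is taken from the thread; it assumes the account is mailbox-enabled, and reports if it is not.

```powershell
# Added example (not from the thread): trace where an account's access to a
# cmdlet comes from. $userAccount is the account from the question; the
# cmdlet being traced is an assumption (Get-Mailbox, as asked above).
$userAccount = "svc_MobileAdmin"
$cmdlet      = "Get-Mailbox"

# 1. Every assignment that reaches the account: direct, via role group or
#    USG, and via the mailbox's role assignment policy.
$assignments = Get-ManagementRoleAssignment -RoleAssignee $userAccount
$assignments |
    Format-Table Role, AssignmentMethod, RoleAssigneeName, RecipientWriteScope -AutoSize

# 2. Roles anywhere in the organization that contain an entry for the cmdlet.
$rolesWithCmdlet = Get-ManagementRole -Cmdlet $cmdlet |
    Select-Object -ExpandProperty Name

# 3. Intersect the two: each hit is one path that grants the cmdlet, shown
#    with the parameters that path allows (the union of these is what the
#    account can actually pass).
$hits = $assignments | Where-Object { $rolesWithCmdlet -contains "$($_.Role)" }
if (-not $hits) {
    "No assignment reaching $userAccount contains $cmdlet."
}
foreach ($a in $hits) {
    $entry = Get-ManagementRoleEntry "$($a.Role)\$cmdlet"
    "{0,-30} via {1,-22} parameters: {2}" -f $a.Role, $a.AssignmentMethod,
        ($entry.Parameters -join ", ")
}

# 4. The end-user side. Assignment policies apply only to mailbox users, so
#    a mailbox-less service account would not get MyBaseOptions at all.
$mbx = Get-Mailbox -Identity $userAccount -ErrorAction SilentlyContinue
if ($mbx) {
    "Role assignment policy on the mailbox: $($mbx.RoleAssignmentPolicy)"
    Get-ManagementRoleAssignment -RoleAssignee $mbx.RoleAssignmentPolicy |
        Format-Table Role, RoleAssigneeType -AutoSize
} else {
    "$userAccount has no mailbox: no role assignment policy applies."
}
```

If the only hit is MyBaseOptions by way of the assignment policy, the custom role group is behaving as intended; the Get-Mailbox the account sees is the self-service entry every mailbox user has, restricted to the parameters that entry lists. Removing it would mean changing the assignment policy for the mailbox (New-RoleAssignmentPolicy with fewer roles, then Set-Mailbox -RoleAssignmentPolicy), not editing the custom role.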