In designing a support operational model, several custom role groups have been created with specific permissions. Testing in a development tenant was successful, but in the production environment, some users are missing access to certain cmdlets (e.g., Get-MessageTrace, Add-RecipientPermission) despite being assigned to the correct role group.
New-RoleGroup -Name "Exchange Operator" -Description "Handles simple user-related tasks and basic issue resolution. Members can manage mailbox permissions, track messages, and view quarantined emails." -DisplayName "Exchange Operator" -ManagedBy "******@pepe.com","******@pepe.com" -Roles "Mail Recipients","Message Tracking","View-Only Recipients","User Options"
New-RoleGroup -Name "Exchange Engineer" -Description "Handles more complex tasks and advanced troubleshooting. Includes all Operator permissions, plus management of distribution groups, transport rules, and quarantined emails." -DisplayName "Exchange Engineer" -ManagedBy "******@pepe.com","******@pepe.com" -Roles "Mail Recipients","Message Tracking","View-Only Recipients","User Options","Distribution Groups","Mail Tips","Migration","Transport Rules","Mailbox Search","Audit Logs","Mail Recipient Creation","Security Reader"
Access is granted through PIM roles in Azure, which has been functioning properly until now. What could be causing the discrepancies in cmdlet access in the production environment?
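A diagnostic a practitioner can run against the setup above to see at which link the chain breaks: whether the role group even carries a role containing the cmdlet, and whether Exchange RBAC resolves the user as a member of that group. This is an added example, not code from the original post; it assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline), and the UPN and display name are placeholders.

```powershell
# Added diagnostic for the thread above; not code from the original post.
# Assumes an Exchange Online PowerShell session is already open.
$roleGroup      = "Exchange Operator"         # role group from the question
$userUpn        = "operator@contoso.example"  # placeholder UPN of an affected user
$userDisplay    = "Operator One"              # placeholder display name (EffectiveUserName is a display name)
$missingCmdlets = "Get-MessageTrace", "Add-RecipientPermission"

# 1. Which management roles contain each missing cmdlet? A role group can only
#    expose a cmdlet if at least one of its assigned roles has a role entry for it.
$grantingRoles = @{}
foreach ($cmdlet in $missingCmdlets) {
    $grantingRoles[$cmdlet] = @(Get-ManagementRoleEntry "*\$cmdlet" |
                                Select-Object -ExpandProperty Role)
    "{0} is contained in roles: {1}" -f $cmdlet, ($grantingRoles[$cmdlet] -join ", ")
}

# 2. Roles actually assigned to the role group, compared with the granting roles.
$groupRoles = @(Get-ManagementRoleAssignment -RoleAssignee $roleGroup |
                Select-Object -ExpandProperty Role)
foreach ($cmdlet in $missingCmdlets) {
    $overlap = $grantingRoles[$cmdlet] | Where-Object { $groupRoles -contains $_ }
    if ($overlap) { "$roleGroup grants $cmdlet via: $($overlap -join ', ')" }
    else          { "$roleGroup has NO assigned role that contains $cmdlet" }
}

# 3. Does Exchange RBAC resolve the user as a member of the role group?
#    Directly added members appear here; a membership path RBAC cannot
#    resolve (the PIM-granted one in this thread) will not.
$isMember = [bool](Get-RoleGroupMember $roleGroup |
                   Where-Object { $_.PrimarySmtpAddress -eq $userUpn })
"$userUpn resolved as member of ${roleGroup}: $isMember"

# 4. Effective role assignments for the user, expanded through group membership.
#    An empty result for a user who "has" the PIM role is the symptom described.
Get-ManagementRoleAssignment -GetEffectiveUsers |
    Where-Object { $_.EffectiveUserName -eq $userDisplay } |
    Select-Object Role, RoleAssigneeName, AssignmentMethod |
    Format-Table -AutoSize
```

If step 2 shows the role group does carry a granting role but steps 3 and 4 come back empty for the user, the membership path is what is failing, not the role group definition.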
That's not supported if you are using PIM groups for custom roles:
https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-roles
Hi, @Manu
Thanks for posting your question in the Microsoft Q&A forum.
Based on your description, you assigned permissions to the user, but the user still doesn't seem to be able to use some of the commands.
What is the error reported when the user is unable to use these commands?
Has there been any attempt to set up role groups in EAC and does the same problem occur?
No "error" shown.
The issue is that certain options don’t even appear in the GUI for these users. For example, members of the Operator group cannot run a message trace — the option simply isn’t visible. Similarly, members of the Engineering group are unable to add recipient permissions to a mailbox, as that option is also missing (grant access and send on behalf are present).
This behavior is consistent both in the Exchange Admin Center (GUI) and when using PowerShell — the relevant cmdlets aren’t available either.
Regarding the second part of your question: yes, we’ve also tried assigning the roles directly in the Exchange Admin Center (instead of using PIM in Azure), but the result is exactly the same.
To add more info, if I assign users directly to the role created on the EAC, permissions work fine! It only seems to fail when using a PIM role.