Setting up Exchange 365 RBAC for Shared Mailboxes to add and remove users

Victor Ramsey 1

Hello,
I have the following question.

Currently the org I work for has an Exchange Hybrid Environment.

The on-premises servers are Exchange 2016.

All shared mailboxes have been migrarted to Exchange 365.

What I am looking to set up, I would like to allow a specific set of users to have access to add and remove Shared Mailbox members.

What is currently set up,
I have created and admin role in Exchange 365 that has a custom Mail Recipient Creation and Mail Recipients Assigned roles.
I have an Exchange 365 user that is a member of the Admin Role.
The admin role is scoped to a specific OU in om-premsies AD that houses the test shared mailbox for this.

The issue, when I log into the Exchange 365 console with the set up account, I do not have the tabs in mailbox delgation for the scoped shared mailbox to add or remove users for full and send as access.

I did add the Exchange Admin role via the azure console to the test Admin account. however it overides the custom admin role with the custom assigned roles in the Exchange 365 control panel.

Thank you, any help at this time is most appreciated.

2 answers

KyleXu-MSFT 26,231 Reputation points

2022-01-07T06:43:09.393+00:00

@Victor Ramsey

I would like to allow a specific set of users to have access to add and remove Shared Mailbox members.

Do you mean manage the Full Access and Send As permission for shared mailbox?

Both are controlled by "Add-MailboxPermission" command, from the information below, we can know this command contained in the "Mail Recipients" admin role:

Here is my testing, you could have a compare with yours:

I created a new admin group which contained this admin role, then added an Exchange online mailbox into it:

This mailbox could manage the delegation permission for this migrated shared mailbox successfully:

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Please sign in to rate this answer.
Victor Ramsey 1 Reputation point

2022-01-07T15:01:24.16+00:00

Hello, and thank you for your reply.

So, I creted an Admin role in Exchange 365 for this job role.

In that job role I created a custom assigned role from the Mail Recipients CMD Let set

In that custom assigned role I do have the Add-MailboxPermission and Add-RecipientPermission as part of the CMDLet set.

However, when I go to the console with the assigned account I see the following.

Andy David - MVP 144.1K Reputation points MVP

2022-01-07T16:30:09.28+00:00

Not clear what the issue is? Can you explain more? What is it you arent seeing or do not want to see?

Victor Ramsey 1 Reputation point

2022-01-07T21:10:57.033+00:00

Sure,

Sorry for not being clear.

I would like for the specified user to be able to grant or remove Full and Send As access for Shared Mailboxes in Exchange 365.

Andy David - MVP 144.1K Reputation points MVP

2022-01-08T13:45:39.747+00:00

and you do not see those options? Sorry, just trying to understand.

KyleXu-MSFT 26,231 Reputation points

2022-01-11T09:07:34.17+00:00

Could you provide more detailed information about the issue when you use the custom permission role? Do you mean that there doesn't exist "edit" for that user?

Ramsey II, Victor 1 Reputation point

2022-01-11T13:06:51.983+00:00

Hi and thank you for your time on this,

Let me walk you through it a bit and see if this helps.

In the Exchange 365 Admin Center I go to recipients > shared

In the shared section I go to the shared mailboxes that the user has permissions to.

With that shared mailboxes view open I go to mailbox delegation

Normally you see a + and - sign inder Full Access and Send As

I do not see those options.

The admin role that I created does have the Mail Recipient Creation and Mail Recipients roles assigned.

Thank you

Victor Ramsey 21 Reputation points

2022-01-11T13:29:15.74+00:00

Hi Andy,
Thanks for your time on this.

That is correct under the mailbox delegation option for a shared mailbox the user does not have the + and - options showing for Full or Send As access changes.

Victor Ramsey 21 Reputation points

2022-01-11T13:47:06.337+00:00

Hi Andy,
Thanks for your time on this.

That is correct under the mailbox delegation option for a shared mailbox the user does not have the + and - options showing for Full or Send As access changes.

KyleXu-MSFT 26,231 Reputation points

2022-01-14T08:23:42.313+00:00

Do you try to run command from PowerShell? Whether this user could manage member from PowerShell?

If you cannot modify from PowerShell, it means the custom permission group isn't correct.

If you could modify from PowerShell, it means the GUI needs some additional permission which has been deleted by you.

KyleXu-MSFT 26,231 Reputation points

2022-01-18T01:36:53.8+00:00

@Victor Ramsey
I am writing here to confirm with you any update about this thread now.
If the above suggestion helps, please feel free to accept it as an answer to help more people.

Victor Ramsey 21 Reputation points

2022-01-18T15:33:55.42+00:00

Hi Kyle, I was not able to use Powershell to make the change. That said, I did re-add the default permissions to the admin role, and still was not able to see the + or - in the console for send as and full access. I am working on testing other scenarios to see what I have missed.
Thank you

KyleXu-MSFT 26,231 Reputation points

2022-01-21T08:54:23.967+00:00

if you cannot add/remove full permission for Shared Mailboxes from PowerShell, it means the customized RBAC that you created isn't correct.

I did re-add the default permissions to the admin role, and still was not able to see the + or -

If it still doesn't work for default permission, you could open a service request to check with Office 365 team. They could help you check whether there exists an issue with your default permission role.
Sign in to comment
Victor Ramsey 21 Reputation points

2022-03-17T18:20:26.157+00:00

I was unable to get this to work as expected. That said, we have moved on from this.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Share via

Setting up Exchange 365 RBAC for Shared Mailboxes to add and remove users

2 answers