Create custom Role Group in Exchange

TDx2 81 Reputation points
2022-01-19T17:50:21.477+00:00

I am trying to set up a custom role group for our help desk based on the default role group help desk. I need to prevent changing of mailbox sizes by this new group. I copied the help desk role group without issue. I then went and created a copy of the mail recipients role group. After that I went into my new help desk role and removed the original mail recipients and replaced it with the new one I created. Now finally I went into the set-mailbox cmdlet and removed the parameters for IssueWarningQuota, ProhibitSendQuota and ProhibitSendReceiveQuota under the recently created role group. At this point I am thinking I am good, now this new role should have all the rights that are under the normal help desk role but not be able to resize or change mailbox sizes. When I go in as an account under this new role I can still resize mailboxes and change from "use the default quota settings from the mailbox database".

Troubleshooting the issue, I am wondering if I need to find the "get-mailbox" cmdlet that is actually showing the options in ECP. But when I check the parameters on get-mailbox, the above listed parameters are not listed under get-mailbox. I am guessing there is another cmdlet that I should be looking for but not sure which one it is. When I enable show command logging in ECP and then change from "Use the default quota settings from the mailbox database" to "Customize the quota settings for this mailbox and then change issue a warning at(GB)" then hit save, in the logging window it shows as a set-mailbox command.

Can someone please tell me what I am missing?

Thanks-

Exchange Server Management

Accepted answer
  1. Aaron Xue-MSFT 2,576 Reputation points Microsoft Vendor
    2022-01-21T01:55:53.437+00:00

    Hi @TDx2 ,

    Glad to hear that your issue has been solved. Thanks for sharing on this issue.

    According to the latest policy, I'm sorry that you can't mark your answer as the best answer.
    https://learn.microsoft.com/en-us/answers/support/accepted-answers

    Issue: How to create a custom RBAC role that cannot modify the quota of mailboxes

    Solution:
    1 Create a custom Mail Recipients role in EMS.
    New-ManagementRole -Name "Custom Mail Recipients" -Parent "Mail Recipients"

    2 Remove the listed parameters from the custom Mail Recipients role.

       IssueWarningQuota
       Set-ManagementRoleEntry "Custom mail recipients\set-mailbox" -Parameters IssueWarningQuota -RemoveParameter

       ProhibitSendReceiveQuota
       Set-ManagementRoleEntry "Custom mail recipients\set-mailbox" -Parameters ProhibitSendReceiveQuota -RemoveParameter

       ProhibitSendQuota
       Set-ManagementRoleEntry "Custom mail recipients\set-mailbox" -Parameters ProhibitSendQuota -RemoveParameter

       UseDatabaseQuotaDefaults
       Set-ManagementRoleEntry "Custom mail recipients\set-mailbox" -Parameters UseDatabaseQuotaDefaults -RemoveParameter

    3 Assign this role to a mailbox and log on to EAC with the mailbox.

3 additional answers

  1. Vasil Michev 66,956 Reputation points MVP
    2022-01-19T20:03:08.043+00:00

    I believe only the Mail Recipients role has this by default, but just in case, check via:

    Get-ManagementRole -Cmdlet Set-Mailbox -CmdletParameters ProhibitSendQuota
    

    This cmdlet will list any and all roles that have said cmdlet and said parameter enabled. Similarly, you can do this:

    Get-ManagementRoleEntry "*\Set-Mailbox" -Parameters ProhibitSendQuota
    

    Lastly, remember it can take some time for changes to be reflected, and remember to always logoff/login anew.


  2. Aaron Xue-MSFT 2,576 Reputation points Microsoft Vendor
    2022-01-20T08:49:07.25+00:00

    Hi @TDx2 ,

    According to the command you have posted:
    New-ManagementRole -Name "ZZ Mail Recipients" -Parent "Mail Recipients"

    Set-ManagementRoleEntry "ZZ mail recipients\set-mailbox" -Parameters IssueWarningQuota -RemoveParameter  
    Set-ManagementRoleEntry "ZZ mail recipients\set-mailbox" -Parameters ProhibitSendReceiveQuota -RemoveParameter  
    Set-ManagementRoleEntry "ZZ mail recipients\set-mailbox" -Parameters ProhibitSendQuota -RemoveParameter  
    

    I have tested in my lab, and it worked for me.

    Although it shows that you can modify the quota, the fact is that when you modify it, the quota's attribute would not be saved.

    Please check if the mailbox is still assigned the default Mail Recipients permission.

    Or you could try to create a new user and assign the "ZZ" to it.




  3. TDx2 81 Reputation points
    2022-01-20T17:49:54.917+00:00

    I found the issue. Along with the above listed parameters I also had to remove UseDatabaseQuotaDefaults. Once I did that the section under Mailbox usage\More options becomes grayed out.

    Thanks for brainstorming with me.
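
A check that combines the suggestions in this thread, added here as an example and not taken from any of the posts: it uses the `Get-ManagementRole -Cmdlet ... -CmdletParameters ...` query shown above to find every role that still exposes one of the four quota parameters on Set-Mailbox, then reports which of those roles are assigned to the role group under test. The role group name `Custom Help Desk` is a hypothetical placeholder; run it in the Exchange Management Shell.

```powershell
# Added example: find roles assigned to a role group that still allow
# quota changes through Set-Mailbox.
# Assumption: 'Custom Help Desk' is a placeholder for your copied role group.
$RoleGroup   = 'Custom Help Desk'
$QuotaParams = 'IssueWarningQuota',
               'ProhibitSendQuota',
               'ProhibitSendReceiveQuota',
               'UseDatabaseQuotaDefaults'

$findings = foreach ($p in $QuotaParams) {
    # Every role whose Set-Mailbox entry still carries this parameter.
    $roles = Get-ManagementRole -Cmdlet Set-Mailbox -CmdletParameters $p

    foreach ($role in $roles) {
        # Is that role assigned to the role group being audited?
        $hits = Get-ManagementRoleAssignment -Role $role.Name `
                    -RoleAssignee $RoleGroup -ErrorAction SilentlyContinue

        foreach ($h in $hits) {
            [pscustomobject]@{
                Parameter  = $p
                Role       = $role.Name
                Assignment = $h.Name
            }
        }
    }
}

if ($findings) {
    # Any row here means the group can still change that quota setting.
    $findings | Sort-Object Role, Parameter | Format-Table -AutoSize
} else {
    "No role assigned to '$RoleGroup' exposes a quota parameter on Set-Mailbox."
}
```

Setting `$RoleGroup` to a test user's identity instead shows whether that user still receives a quota-capable role through another assignment, such as the default Mail Recipients role.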