This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(272, 81%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ET%3C/text%3E%3C/svg%3E)
I am trying to setup a custom role group for our help desk based on the default role group help desk. I need to prevent changing of mailbox sizes by this new group. I copied the help desk role group without issue. I then went and created a copy of the mail recipients role group. After that I went into my new help desk role and removed the original mail recipients and replaced it with the new one I created. Now finally I went into the set-mailbox cmdlet and removed the parameters for IssueWarningQuota, ProhibitSendQuota and ProhibitSendReceiveQuota under the recently created role group. At this point I am thinking I am good, now this new role should have all the rights that are under the normal help desk role but not be able to resize or change mailbox sizes. When I go in as an account under this new role I can still resize mailboxes and change from "use the default quota settings from the mailbox database".
Troubleshooting the issue, I am wondering if I need to find the "get-mailbox" cmdlet that is actually showing the options in ECP. But when I check the parameters on get-mailbox the above listed parameters are not listed under get-mailbox. I am guessing there is another cmdlet that I should be looking for but not sure which one it is. when I enable show command logging in ECP and then change from "Use the default quota settings from the mailbox database" to "Customize the quota settings for this mailbox and then change issue a warning at(GB)" then hit save, in the logging window it shows as a set-mailbox command.
Can someone please tell me what I am missing?
Thanks-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(300.8, 20%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAX%3C/text%3E%3C/svg%3E)
Hi @TDx2 ,
Glad to hear that your issue has been solved. Thanks for your sharing in this issue.
According to the latest policy, I'm sorry that you can't mark your answer as the best answer.
https://learn.microsoft.com/en-us/answers/support/accepted-answers
Issue: How to create a custom rbac that cannot modify the quota of mailboxes
Solution:
1 Create a custom Mai Recipients in EMS.
New-ManagementRole -Name "Custom Mail Recipients" -Parent "Mail Recipients"
2 Remove the listed parterner of the custom mail recipients.
IssueWarningQuota
Set-ManagementRoleEntry "Custom mail recipients\set-mailbox" -Parameters IssueWarningQuota –RemoveParameter
ProhibitSendReceiveQuota
Set-ManagementRoleEntry "Custom mail recipients\set-mailbox" -Parameters ProhibitSendReceiveQuota –RemoveParameter
ProhibitSendQuota
Set-ManagementRoleEntry "Custom mail recipients\set-mailbox" -Parameters ProhibitSendQuota –RemoveParameter
UseDatabaseQuotaDefaults
Set-ManagementRoleEntry "Custom mail recipients\set-mailbox" -Parameters UseDatabaseQuotaDefaults –RemoveParameter
3 Assign this role to a mailbox and log on EAC with the mailbox.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
I believe only the Mail Recipients role has this by default, but just in case, check via:
Get-ManagementRole -Cmdlet Set-Mailbox -CmdletParameters ProhibitSendQuota
This cmdlet will list any and all roles that have said cmdlet and said parameter enabled. Similarly, you can do this:
Get-ManagementRoleEntry "*\Set-Mailbox" -Parameters ProhibitSendQuota
Lastly, remember it can take some time for changes to be reflected, and remember to always logoff/login anew.
yes you are correct Mail Recipients is the only one that contains the settings I need to change. I have removed IssueWarningQuota, ProhibitSendQuota and ProhibitSendReceiveQuota from the newly created helpdesk role\set-mailbox. But I still have the ability to change mailbox size.
Here is a breakdown of what I did.
In ECP, I copied the Help Desk Management Role group and named the new group ZZ_HelpDesk.
Copied Mail Recipients so that I can make changes to the role
New-ManagementRole -Name "ZZ Mail Recipients" -Parent "Mail Recipients"
Removing parameters (what I think will keep new helpdesk group from resizing mailboxes)
Set-ManagementRoleEntry "ZZ mail recipients\set-mailbox" -Parameters IssueWarningQuota -RemoveParameter
Set-ManagementRoleEntry "ZZ mail recipients\set-mailbox" -Parameters ProhibitSendReceiveQuota -RemoveParameter
Set-ManagementRoleEntry "ZZ mail recipients\set-mailbox" -Parameters ProhibitSendQuota -RemoveParameter
Once all that was done I went into the ZZ_HelpDesk Role group and removed Mail Recipients role and added the ZZ mail recipients role. Next, from an account that is assigned to this role group, I logged into ECP and tested. For some reason I am still able to change the size of a mailbox.
I am starting to think that I need to limit this by somehow not allowing it from get-mailbox. But I don't have an option for any of the parameters under that cmdlet.
The Get-Mailbox entries should not matter. Can you login via PowerShell with the user in question, see if he can still run the Set-Mailbox cmdlet with said parameters?
HI @TDx2 ,
According to the command you have posted
New-ManagementRole -Name "ZZ Mail Recipients" -Parent "Mail Recipients"
Set-ManagementRoleEntry "ZZ mail recipients\set-mailbox" -Parameters IssueWarningQuota -RemoveParameter
Set-ManagementRoleEntry "ZZ mail recipients\set-mailbox" -Parameters ProhibitSendReceiveQuota -RemoveParameter
Set-ManagementRoleEntry "ZZ mail recipients\set-mailbox" -Parameters ProhibitSendQuota -RemoveParameter
I have tested in my lab, and it worked for me.
Although it shows that you can modify the quota.
But the fact that when you modify it, the quota's attribute would not be saved.
Please check if the mailbox is still assigned the default mailrecipient permission.
Or you could try to create a new user and assign the "ZZ" to it.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Let me clarify
I am not able to enter a value, let's say 15, under Issue a warning at (GB). But, I am able to select unlimited. That is definitely not desirable. I am looking for an option to NOT allow "Customize the quota settings for this mailbox".
Are you able to select unlimited in your lab once you select customize the quota settings for this mailbox?
I found the issue. Along with the above listed parameters I also had to remove UseDatabaseQuotaDefaults. Once I did that the section under Mailbox usage\More options becomes grayed out.
Thanks for brainstorming with me.