RBAC in Exchange 365 to manage Contacts only

TLCCWA 21 Reputation points
2022-04-24T12:18:54.137+00:00

We are a club with a handful of committee members and many club members.
We load our club members up as type "Contacts" and have a dynamic DL to allow our Editor by example to send the monthly magazine to all club members.
I'm looking for a way to allow our club secretary to add/remove Contacts, but not fiddle with the rest of Exchange users/groups.
Managed to get it to work by creating a scope, but the more elegant way would be to not have the other resource types even visible.
I've found this old post that would be perfect but does not seem to work on Exchange Online: https://community.spiceworks.com/topic/2152103-o365-allow-users-to-add-edit-delete-contacts
Any thoughts on getting this to work in the current Microsoft 365?

Microsoft Exchange Online Management
Microsoft Exchange Online Management
Microsoft Exchange Online: A Microsoft email and calendaring hosted service.Management: The act or process of organizing, handling, directing or controlling something.
4,373 questions
{count} votes

Accepted answer
  1. KyleXu-MSFT 26,241 Reputation points
    2022-04-25T07:49:39.817+00:00

    @TLCCWA

    You could follow steps below to create permission group for managing mail user and mail contact. For more detailed information, you could have a look at this article:

    New-ManagementRole -Name "Contact1" -Parent "Mail Recipient Creation"  
    New-ManagementRole -Name "Contact2" -Parent "Mail Recipients"  
    Get-ManagementRoleEntry -Identity "Contact1\*" | where{$_.Name -notlike "*MailContact*" -and $_.Name -notlike "*mailUser*"} | foreach {Remove-ManagementRoleEntry -Identity "$($_.id)\$($_.name)" -Confirm:$false}  
    Get-ManagementRoleEntry -Identity "Contact2\*" | where{$_.Name -notlike "*MailContact*" -and $_.Name -notlike "*mailUser*"} | foreach {Remove-ManagementRoleEntry -Identity "$($_.id)\$($_.name)" -Confirm:$false}  
     New-RoleGroup "MailboxManagement" -Roles "Contact1","Contact2" -Members Onlineuser1@domain.onmicrosoft.com  
    

    After that those users need to manage Contact from PowerShell, there may exist some issue in GUI due to the migration from old one to new one.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


    0 comments No comments

2 additional answers

Sort by: Most helpful
  1. Vasil Michev 100K Reputation points MVP
    2022-04-25T06:37:06.277+00:00

    What exactly doesn't work? The only thing that has changed since is the introduction of the modern EAC, but the underlying RBAC controls still apply.

    0 comments No comments

  2. TLCCWA 21 Reputation points
    2022-04-25T10:42:23.43+00:00

    Thanks @Vasil Michev and @KyleXu-MSFT

    Got it to work, but oddly enough it does not remove Mailboxes or Resources, Mail Flow etc. from the Exchange Admin Centre menu like I had hoped.
    So the effect is much the same as using Scope, as in they can only add/remove/modify contacts but the menu and list of other stuff remains visible (can't open or do anything with them though).

    What was throwing me in the query is some of the starting directions such as:
    Get-ManagementRole -Cmdlet New-MailContact
    or
    Get-ManagementRoleEntry –Identity “Mail Recipient Creation*”
    were not working, and I didn't want to start going down to the level of the New creations if I was such on the Get's already haha. The latter was missing a / as I now realised.

    Again, appreciate the help, sorted :)

    Cheers