This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 84%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ET%3C/text%3E%3C/svg%3E)
We are a club with a handful of committee members and many club members.
We load our club members up as type "Contacts" and have a dynamic DL to allow our Editor by example to send the monthly magazine to all club members.
I'm looking for a way to allow our club secretary to add/remove Contacts, but not fiddle with the rest of Exchange users/groups.
Managed to get it to work by creating a scope, but the more elegant way would be to not have the other resource types even visible.
I've found this old post that would be perfect but does not seem to work on Exchange Online: https://community.spiceworks.com/topic/2152103-o365-allow-users-to-add-edit-delete-contacts
Any thoughts on getting this to work in the current Microsoft 365?
@TLCCWA
I am writing here to confirm with you any update about this thread now.
If the suggestion below helps, please feel free to accept it as an answer to help more people.
You could follow steps below to create permission group for managing mail user and mail contact. For more detailed information, you could have a look at this article:
New-ManagementRole -Name "Contact1" -Parent "Mail Recipient Creation"
New-ManagementRole -Name "Contact2" -Parent "Mail Recipients"
Get-ManagementRoleEntry -Identity "Contact1\*" | where{$_.Name -notlike "*MailContact*" -and $_.Name -notlike "*mailUser*"} | foreach {Remove-ManagementRoleEntry -Identity "$($_.id)\$($_.name)" -Confirm:$false}
Get-ManagementRoleEntry -Identity "Contact2\*" | where{$_.Name -notlike "*MailContact*" -and $_.Name -notlike "*mailUser*"} | foreach {Remove-ManagementRoleEntry -Identity "$($_.id)\$($_.name)" -Confirm:$false}
New-RoleGroup "MailboxManagement" -Roles "Contact1","Contact2" -Members Onlineuser1@domain.onmicrosoft.com
After that those users need to manage Contact from PowerShell, there may exist some issue in GUI due to the migration from old one to new one.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
What exactly doesn't work? The only thing that has changed since is the introduction of the modern EAC, but the underlying RBAC controls still apply.
Thanks @Vasil Michev and @KyleXu-MSFT
Got it to work, but oddly enough it does not remove Mailboxes or Resources, Mail Flow etc. from the Exchange Admin Centre menu like I had hoped.
So the effect is much the same as using Scope, as in they can only add/remove/modify contacts but the menu and list of other stuff remains visible (can't open or do anything with them though).
What was throwing me in the query is some of the starting directions such as:
Get-ManagementRole -Cmdlet New-MailContact
or
Get-ManagementRoleEntry –Identity “Mail Recipient Creation*”
were not working, and I didn't want to start going down to the level of the New creations if I was such on the Get's already haha. The latter was missing a / as I now realised.
Again, appreciate the help, sorted :)
Cheers
Yes, this user could see some other configuration from EAC but cannot manage it. It is the same for both Exchange on-premises and Exchange online RBAC.