Azure Active directory - role for HR department to modify user contact and job information

Question

Hello,

Our HR department want to maintain user contact and job information via Azure Active directory, however I cannot find a suitable role that doesn't give them access to other administrative functions in Azure. It appears this was possible before users using Exchane online commands and ECP portal , however no longer works - https://community.spiceworks.com/topic/269898-best-way-to-allow-a-hr-user-to-edit-the-global-address-book-in-outlook.

Is there a solution?

Answer 1

You can still use Exchange's RBAC model, if that fits your needs and covers all the attributes you are interested in. Within Azure AD, granular RBAC roles for user objects are not currently available, so you'll have to assign something like the User admin role. You can optionally scope it to cover only some users via administrative units: https://learn.microsoft.com/en-us/azure/active-directory/roles/administrative-units

Answer 2

Hi,

For those who want to perform this exercise, some of the commands in the Spiceworks link https://community.spiceworks.com/topic/269898-best-way-to-allow-a-hr-user-to-edit-the-global-address-book-in-outlook were returning errors, but these appear to execute;

#Create new management role based on existing role
New-ManagementRole -Name "Manage_org_info" -Parent "Mail Recipients"

#Clear management attributes from copied role
Get-ManagementRoleEntry "Manage_org_info*" | Where { $.Name -NotLike "Get*" } | %{Remove-ManagementRoleEntry -Identity "$($.id)\$($_.name)"}

#Attributes required to be edited by HR
Add-ManagementRoleEntry "Manage_org_info\Set-User" -Parameters Identity,Title,Department,Company,Manager,StreetAddress,City,StateOrProvince,PostalCode,CountryOrRegion,Office,Phone,Fax,HomePhone,MobilePhone,Notes,

HR users are then added to new role via the admin console (https://admin.microsoft.com/#/rbac/exchange)

I will ask HR to test again (using https://outlook.office.com/ecp/) and report back