Azure Active directory - role for HR department to modify user contact and job information

unslog 26 Reputation points
2022-09-08T18:24:29.867+00:00

Hello,

Our HR department wants to maintain user contact and job information via Azure Active Directory; however, I cannot find a suitable role that doesn't give them access to other administrative functions in Azure. It appears this was possible before, using Exchange Online commands and the ECP portal, but it no longer works - https://community.spiceworks.com/topic/269898-best-way-to-allow-a-hr-user-to-edit-the-global-address-book-in-outlook.

Is there a solution?


Microsoft Security | Microsoft Entra | Microsoft Entra ID

2 answers

  1. Vasil Michev 119.9K Reputation points MVP Volunteer Moderator
    2022-09-09T05:13:16.057+00:00

    You can still use Exchange's RBAC model, if that fits your needs and covers all the attributes you are interested in. Within Azure AD, granular RBAC roles for user objects are not currently available, so you'll have to assign something like the User admin role. You can optionally scope it to cover only some users via administrative units: https://learn.microsoft.com/en-us/azure/active-directory/roles/administrative-units


  2. unslog 26 Reputation points
    2022-09-09T05:43:22.457+00:00

    Hi,

    For those who want to perform this exercise, some of the commands in the Spiceworks link https://community.spiceworks.com/topic/269898-best-way-to-allow-a-hr-user-to-edit-the-global-address-book-in-outlook were returning errors, but these appear to execute:

    # Create a new management role as a copy of the built-in "Mail Recipients" role
    New-ManagementRole -Name "Manage_org_info" -Parent "Mail Recipients"

    # Remove every non-read-only role entry from the copied role (keep only Get-* cmdlets);
    # role entries are addressed as "Role\Cmdlet", and the objects pipe straight into Remove-ManagementRoleEntry
    Get-ManagementRoleEntry "Manage_org_info\*" | Where-Object { $_.Name -NotLike "Get*" } | Remove-ManagementRoleEntry -Confirm:$false

    # Add back Set-User, restricted to the attributes HR is allowed to edit
    Add-ManagementRoleEntry "Manage_org_info\Set-User" -Parameters Identity,Title,Department,Company,Manager,StreetAddress,City,StateOrProvince,PostalCode,CountryOrRegion,Office,Phone,Fax,HomePhone,MobilePhone,Notes

    HR users are then added to the new role via the admin console (https://admin.microsoft.com/#/rbac/exchange)

    I will ask HR to test again (using https://outlook.office.com/ecp/) and report back

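As an added example (not part of this answer or the original post), the script below takes the custom role from the answer one step further in the least-privilege direction: it puts the role in a dedicated role group, restricts that group's write scope to ordinary user mailboxes, and then verifies that the role exposes nothing beyond Get-* cmdlets and the intended Set-User parameters. The role group name, scope name, filter and member address are assumptions for illustration.

```powershell
# Added example, not the poster's code. Requires the ExchangeOnlineManagement module.
Connect-ExchangeOnline

$RoleName  = "Manage_org_info"             # role created in the answer above
$GroupName = "HR Directory Editors"        # assumed name for a dedicated role group
$ScopeName = "HR_UserMailboxes_Only"       # assumed name for a custom write scope
$Member    = "hr.editor@contoso.example"   # placeholder HR account
$AllowedSetUserParams = @("Identity","Title","Department","Company","Manager","StreetAddress",
    "City","StateOrProvince","PostalCode","CountryOrRegion","Office","Phone","Fax",
    "HomePhone","MobilePhone","Notes")

# 1. Write scope: the role may only change user mailboxes, not shared, room or admin objects.
if (-not (Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $ScopeName `
        -RecipientRestrictionFilter "RecipientTypeDetails -eq 'UserMailbox'"
}

# 2. Dedicated role group that carries only this role, with the scope applied to its assignment.
if (-not (Get-RoleGroup -Identity $GroupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $GroupName -Roles $RoleName `
        -CustomRecipientWriteScope $ScopeName -Members $Member
}

# 3. Verify least privilege: fail loudly if the role can do more than intended.
$entries    = Get-ManagementRoleEntry "$RoleName\*"
$unexpected = $entries | Where-Object { $_.Name -notlike "Get-*" -and $_.Name -ne "Set-User" }
if ($unexpected) {
    throw "Role $RoleName exposes unexpected cmdlets: $($unexpected.Name -join ', ')"
}

$setUser = $entries | Where-Object { $_.Name -eq "Set-User" }
$extra   = $setUser.Parameters | Where-Object { $AllowedSetUserParams -notcontains $_ }
if ($extra) {
    throw "Set-User in $RoleName allows extra parameters: $($extra -join ', ')"
}

# 4. Show the effective assignment so the scope and assignee can be reviewed at a glance.
Get-ManagementRoleAssignment -RoleAssignee $GroupName |
    Format-Table Role, CustomRecipientWriteScope, RoleAssigneeType
Write-Host "Role $RoleName is limited to Get-* plus Set-User with $($AllowedSetUserParams.Count) parameters."
```

Re-running the verification block after any later change to the role is a cheap way to catch privilege creep, since Add-ManagementRoleEntry on the role silently widens what the HR group can do.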
