Create a Custom Management Role for Granular Permissions in Exchange Online

  • Article

Creating custom management roles can be very powerful, and they not nearly as complicated as one might think. Most clicks in Office 365 actually cause a PowerShell cmdlet to run in the background. With a custom management role, you can specify right down to which cmdlets you would like a user to have access to. Technically, you can go right down to which parameters on a cmdlet that a user has access too, but I won’t be going that deep in this article.

Real world problem

I recently worked with an organization that wanted the following user role permissions for their end users.

  • End users cannot create new distribution groups
  • End users can add or remove users from distribution groups that they own

The above permission set is very reasonable; however, it is not possible to assign these permissions with the built-in management roles in Exchange Online.

Let’s look at the Default Role Assignment Policy which can be found in the Exchange Online portal under Permissions --> User Roles.

User roll view

We have a management role that we can grant called MyDistributionGroups.

MyDistributionGroups

MyDistributionGroups grants permissions for distribution group creation, along with permissions allowing modifying distribution groups that users may own. With this default permission, it’s either all or nothing. Either end users can manage distribution groups they own and can create new distribution groups, or they cannot manage distribution groups that they own and they cannot create new distribution groups.

From this screen, we are unable to remove the ability of creating a new distribution group, while at the same time keeping the permission which allows distribution group owners to modify their groups.

Luckily, we have PowerShell and can create a new custom management role which will grant the permissions that we would like.

Background

Before we create the custom management role, let’s first talk about what we are going to accomplish from a high level.

For most mouse clicks that happen in Office 365, a PowerShell cmdlet is run in the background. Through the magic of a custom management role, we can limit which cmdlets can be run by users. If you want to get even more granular, you can restrict what parameters can be used with a cmdlet. Awesome right?

What we are going to do here is create a new management role which will initially be identical to the MyDistributionGroups role. We are then going to revoke access to the New-DistributionGroup cmdlet from this new management role. Once completed, we will then assign this new management role to our end users. This will allow end users to manage distribution groups that they own, but they will not be able to create new distribution groups because we have revoked their access to the New-DistriubtionGroup cmdlet.

Now let’s see how we accomplish this.

Steps

Let’s first see what cmdlets are granted when we assign the MyDistributionGroups management role by running the following.

 (Get-ManagementRole MyDistributionGroups).roleentries

ps output

One of the cmdlets granted by the MyDistributionGroups role (and which we can see in the above list) is New-DistributionGroup. This is the cmdlet that we want to remove access to for end users.

Next we are going to create a new management role that we can edit. This new role will initially be a copy of the existing MyDistributionGroups role. The -Parent parameter in the command below is used to specify which existing management role we want to copy into our new management role. I’m calling the new management role No create DG.

 New-ManagementRole -Name "No create DG" -Parent MyDistributionGroups

new-managementrole

If we run (Get-ManagementRole “No create DG”).roleentries we will see that our new management role does indeed contain all of the role entries that the MyDistributionGroups management role contains.

Next, I’m going to search this new management role for the cmdlet that I want to remove. In this case the cmdlet we want to remove is New-DistributionGroup. I’m running this to verify that the New-DistributionGroup cmdlet is present in our new management role.

 Get-ManagementRoleEntry "No create DG\*" | Where { $_.Name -Like "New-DistributionGroup" }

get-managementroleentry

The output above confirms that New-DistributionGroup exists in our new management role.

Before we remove it, I like to run the remove command with the -WhatIf switch. This will allow me to verify that the command will indeed remove only the cmdlet that I want removed, while not actually taking any action.

 Remove-ManagementRoleEntry "No create DG\New-DistributionGroup" -WhatIf

whatif

This output is exactly what I wanted to see. The New-DistributionGroup cmdlet will be removed from this group using this command. Next I re-run the same command, but this time without -WhatIf

 Remove-ManagementRoleEntry "No create DG\New-DistributionGroup"

Remove management role entry

Click "yes" when prompted by PowerShell to confirm. We don’t see any errors here and so we assume the command successfully removed the New-DistributionGroup cmdlet from our new management role. Let’s double check though by searching our new management role, No create DG, for New-DistributionGroup.

success

We get no results, which confirms that the New-DistributionGroup cmdlet was successfully removed from our new management role, No create DG.

Applying our new Management Role

Before applying our new management role, let’s first look at what our end user sees in their Office 365 portal when they manage their distribution groups.

before

Here we can see this user is the owner of one distribution group. They also have a plus icon which will allow them to create a new distribution group.

Now let’s apply our new management role to this user. To do so, I’m going to change the permissions on the Default Role Assignment Policy user role. For testing, you instead may want to create a new user role with the new management role, and then assign this user role to a test user.

For my testing, I’m going to modify the Default Role Assignment Policy. In modifying this user role, notice how I now see my new management role listed under the MyDistributionGroups management role. I’m going to uncheck MyDistributionGroups, and then check off the management role I created and modified, No create DG.

new entry

This will impact my test user as they are currently assigned the Default Role Assignment Policy. After saving my update to the Default Role Assignment Policy and waiting about ten minutes, I refresh the view of my end user and this is what they now see.

after

The plus sign in their portal view has now been removed. It’s like magic! They can no longer create new distribution groups. However, they can still modify distribution groups that they are the owner of by clicking the pencil icon which is still present.

The organization I worked with went a step further and also removed the Remove-DistributionGroup cmdlet from their custom management role. This caused the trash can icon seen above to also disappear from the end users view, meaning they could also not delete distribution groups.

Summary

Custom management roles in Exchange and Exchange Online are very powerful and allow for the creation of very granular permissions. Fire up that PowerShell and try them out!

Resources