Custom RBAC role to allow access to only the Action Center


If a user account has been compromised and used to send massive amounts of spam, Exchange Online will block the account from sending (if enabled, a notification email can be sent to administrators to alert them when this happens). Once the account password has been reset, the block can be lifted by an administrator from the Action Center, located in the Protection section of the Exchange Online portal.

action-centre

We often see organizations that would like to give help desk individuals rights to the Action Center so that they can unblock a banned sender. The stipulation being that the help desk individuals won’t have rights to change anything else in the portal, and only have rights to unblock a banned sender. Out of the box this is not possible, as the built-in admin roles that grant access to unblocking users also grant access to other parts of the Exchange Online portal.

Have no fear, we can create a custom RBAC (Role Based Access Control) role which will ONLY grant access to the Action Center. To do this, we are going to create a custom RBAC role through PowerShell which will only grant access to the cmdlets Remove-BlockedSenderAddress & Get-BlockedSenderAddress, which will, in turn, allow delisting through the portal as these are the cmdlets that are run in the background.

Typically the process for creating a custom RBAC role begins with copying an existing one. From there, we will remove cmdlets (or add) until we have the rights that we are looking for. With that in mind, let’s first see which built in roles grant access to the Remove-BlockedSenderAddress cmdlet.

PS > Get-ManagementRoleEntry *\remove-blockedsenderaddress

Running this returns the following.

get-managementroleentry

We have two built-in roles that we can start with. For absolutely no reason in particular, I’m going to start with the “Transport Hygiene” role. First, create a copy of the “Transport Hygiene” management role. I’m going to call my copy “Blocked Sender.”

New-ManagementRole -Parent "Transport Hygiene" -Name "Blocked Sender"

This new management role will contain all the cmdlets that the Transport Hygiene management role contains. Let’s take a look.

Get-ManagementRoleEntry "Blocked Sender\*"

get-managementroleentry-2

If a user has been assigned this new role, they will be able to run all of these cmdlets. This includes being able to run them from PowerShell, but also gives rights to anything in the portal that runs these cmdlets in the background. We want to remove all the cmdlets except the two the deal with unblocking banned senders. To do this, I’m going to run the following.

$(Get-ManagementRoleEntry "Blocked Sender\*") | where {$_.name -notlike "*blockedsender*"} | foreach {$id =$_.identity + "\" + $_.name;Remove-ManagementRoleEntry $id -confirm:$false}

Once this completes, I’ll re-run the following to see which cmdlets are left in my new management role.

Get-ManagementRoleEntry "Blocked Sender\*"

get-managementroleentry-3

Excellent, we now have two cmdlets left in our new management role, both of which are required to unblock a banned sender. We can now assign this new Management Role to an admin role through the Portal.

blocked-sender-border

 

 

Help desk personal with this role will now be able to unblock banned senders from the Action Center in the Exchange Online portal, and will not have access to any change anything else. If you followed along with me, give yourself a pat on the back!

achievement

Comments (1)

  1. turbomcp says:

    thanks

Skip to main content