Exchange Online (Office365) and RBAC?

  • Article

Oh yes Glimlach It is perfectly possible to create and assign custom roles within Exchange Online. In this example I will create a custom role which, one assigned to a user, will enable that user to change all its user settings, except for its own street address.

Step1. Sign-In as our demo user and check the default permissions

By default, every user has permission to change quite a few of its own settings, like the street address

SNAG-0439

 

SNAG-0440

Step 2. Create a new custom role

First, we need to find out which roles include the ability of changing the value of StreetAddress. This is easy to do using the Exchange Management Shell Glimlach

Get-ManagementRole | Where {$_.RoleEntries –ilike “*streetaddress*”}

or

Get-ManagementRoleEntry “x\set-user” | where { {$_.parameters –ilike “*streetaddress*"} | fl role,name,parameters

SNAG-0441

Running the below enables me to find out that the reason DemoUs kan change its streetaddress, is the fact that he has been assigned the Default Role Assignment Policy

Get-ManagementRoleAssignment | where {$_.roleassigneename –ilike “Default Role Assignment*”} | ft roleassignee,role

SNAG-0442

First I’ll create a new role “No Street Employees”:

New-ManagementRole “No Street Employees” –Parent MyContactInformation

Followed by the creation of a new RoleAssignmentPolicy “No Street Employees” running:

New-RoleAssignmentPolicy “No Street Employees”

SNAG-0443

To which I’ll add all roles, using the cmdlet New-ManagementRoleAssignment –Role <role> –Policy “No Street Employees” ,

including the roles myvoicemail,no street employees,mytextmessaging,mydistributiongroupmembership, and my baseoptions.

SNAG-0444

Then it is time to remove the parameter StreetAddress from the role No Street Employees, and this is done by running the following single line:

Set-ManagementRoleEntry “No Street Employees\Set-User” –Parameters StreetAddress –RemoveParameter

SNAG-0446

Then it’s time to assign the policy to the user DemoUs, using the shell…

Get-Mailbox demous | Set-Mailbox –RoleAssignmentPolicy “No Street Employees”

SNAG-0447

Step 3. Time to test

Once DemoUs logs in, the user is not able anymore to change the value of its StreetAddress, as planned Glimlach

SNAG-0448

RBAC = The Best Way To Control Your Exchange Environment, On Prem &/or Online!!!

 

Ilse