Exchange Server 2010 SP1 Hosting Deployment – RBAC simplified #4 – Tenants

Tenant Administrators and Tenants

By now you probably know that when you create a new tenant organization, there are a few RBAC roles being created and there are also a few role groups created out of the box. You may also see some assignments being created by default.

So, by default, it creates the following:

Role Groups

[PS] C:\> Get-RoleGroup -Organization AlpineSkiHouse | select Name

Discovery Management
Help Desk
Organization Management
Recipient Management
Records Management
View-Only Organization Management

If you supply the administrator password with -AdministratorPassword when creating a new organization (see Exchange Server 2010 SP1 Beta Hosting Deployment - First Look), it automatically creates an administrator account and makes that account a member of every role group listed above except Discovery Management.

Now, it is important to note that each tenant organization can have its own management roles, its own management role assignments and its own role groups. This is possible because in a Hosting Deployment every tenant has its own configuration unit in Active Directory. Also, because each tenant lives in its own segregated organization, the scope of those roles and assignments stays within that organization too.


Here are all the canned management roles created when you create a new organization:

[PS] C:\> Get-ManagementRole -Organization AlpineSkiHouse

Name                                                        RoleType
----                                                        --------
ApplicationImpersonation                                    ApplicationImpersonation
Audit Logs                                                  AuditLogs
Distribution Groups                                         DistributionGroups
Journaling                                                  Journaling
Legal Hold                                                  LegalHold
Mail Recipient Creation                                     MailRecipientCreation
Mail Recipients                                             MailRecipients
Mail Tips                                                   MailTips
Mailbox Import Export                                       MailboxImportExport
Mailbox Search                                              MailboxSearch
Message Tracking                                            MessageTracking
Move Mailboxes                                              MoveMailboxes
MyBaseOptions                                               MyBaseOptions
MyContactInformation                                        MyContactInformation
MyAddressInformation                                        MyContactInformation
MyMobileInformation                                         MyContactInformation
MyPersonalInformation                                       MyContactInformation
MyDistributionGroupMembership                               MyDistributionGroupMembership
MyDistributionGroups                                        MyDistributionGroups
MyProfileInformation                                        MyProfileInformation
MyDisplayName                                               MyProfileInformation
MyName                                                      MyProfileInformation
MyRetentionPolicies                                         MyRetentionPolicies
MyTextMessaging                                             MyTextMessaging
MyVoiceMail                                                 MyVoiceMail
Organization Client Access                                  OrganizationClientAccess
Organization Configuration                                  OrganizationConfiguration
Organization Transport Settings                             OrganizationTransportSettings
Recipient Policies                                          RecipientPolicies
Remote and Accepted Domains                                 RemoteAndAcceptedDomains
Reset Password                                              ResetPassword
Retention Management                                        RetentionManagement
Role Management                                             RoleManagement
Security Group Creation and Membership                      SecurityGroupCreationAndMembership
Transport Rules                                             TransportRules
User Options                                                UserOptions
View-Only Audit Logs                                        ViewOnlyAuditLogs
View-Only Configuration                                     ViewOnlyConfiguration
View-Only Recipients                                        ViewOnlyRecipients


There isn't any big surprise here. Most of them are pretty standard. There are a few roles I would like to highlight, though: all those that start with My*, such as MyBaseOptions, MyContactInformation, MyAddressInformation, MyMobileInformation, MyPersonalInformation, MyDistributionGroupMembership, MyDistributionGroups, MyDisplayName and so on. These roles have a recipient read and write scope of SELF, so a user holding them can only change their own recipient object, and they are primarily used to assign permissions to the mailbox as defined in your Service Plan. I will talk a little more about this in my next post and go into the interdependencies of the service plans, mailbox plans and the Role Assignment Policy.

Management Roles Assignment

There is a list of assignments, depending on how you configure your Service Plans. If you look at your service plan, you will find that in the Organization section you define which roles the tenant administrator will have; the Organization Management role group is then assigned to those roles. As for the permissions set in the mailbox plan, they depend on the Role Assignment Policy, which is applied according to the mailbox plan.

To take a look at the assignments, just execute:

[PS] C:\> Get-ManagementRoleAssignment -Organization AlpineSkiHouse
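The manual path the comments describe (an existing tenant mailbox is added to the same role groups the auto-created administrator gets) together with the assignment and scope checks from this post, as an added example that is not part of the original post. The tenant name, the alias and the way Get-Mailbox and Add-RoleGroupMember are combined are assumptions about an Exchange 2010 SP1 hosting-mode Management Shell.

```powershell
# Added example (not from the original post). Grants an existing tenant mailbox the
# same role-group memberships the post says the auto-created administrator receives
# (every default role group except Discovery Management), then checks the result.
# Assumptions: Exchange 2010 SP1 hosting-mode Management Shell; $Org and $UserAlias
# are placeholders; the mailbox already exists inside the tenant.

$Org       = 'AlpineSkiHouse'   # placeholder tenant organization name
$UserAlias = 'tenantadmin'      # placeholder alias of an existing tenant mailbox

$AdminRoleGroups = @('Organization Management', 'Recipient Management',
                     'Records Management', 'Help Desk',
                     'View-Only Organization Management')

# Resolve the member inside the tenant. A bare name resolves against the caller's
# own organization and fails with "A recipient in one organization can't be a
# member in another organization" (the error seen in comment 6).
$member = Get-Mailbox -Organization $Org -Identity $UserAlias -ErrorAction SilentlyContinue
if (-not $member) { throw "Mailbox '$UserAlias' not found in organization '$Org'" }

foreach ($groupName in $AdminRoleGroups) {
    # -Organization keeps the lookup on the tenant's own copy of the role group.
    $group = Get-RoleGroup -Organization $Org -Identity $groupName

    $isMember = Get-RoleGroupMember -Identity $group.Identity |
                Where-Object { $_.DistinguishedName -eq $member.DistinguishedName }
    if ($isMember) { Write-Host "$UserAlias is already in '$groupName'"; continue }

    # -BypassSecurityGroupManagerCheck lets an account that is not a manager of the
    # role group modify it (the "only be performed by a manager" error in comment 5).
    Add-RoleGroupMember -Identity $group.Identity -Member $member.Identity `
        -BypassSecurityGroupManagerCheck
    Write-Host "Added $UserAlias to '$groupName'"
}

# Check 1: the assignments the user now inherits through those role groups,
# as seen from the cmdlet the post ends with.
Get-ManagementRoleAssignment -Organization $Org |
    Where-Object { $AdminRoleGroups -contains $_.RoleAssigneeName } |
    Sort-Object RoleAssigneeName, Role |
    Format-Table Role, RoleAssigneeName, RecipientWriteScope -AutoSize

# Check 2: the My* roles carry an implicit SELF recipient scope, so even when
# assigned they cannot touch other recipients in the tenant.
Get-ManagementRole -Organization $Org |
    Where-Object { $_.Name -like 'My*' } |
    Format-Table Name, ImplicitRecipientReadScope, ImplicitRecipientWriteScope -AutoSize
```

Run it from a shell session that has rights over the hosting organization; the second check should print SELF in both scope columns for every My* role.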



Read More on this RBAC Series.

Read all other Exchange Server 2010 SP1 Hosting Deployment blog posts.


Comments (7)
  1. Anonymous says:

    Hmm.. where is the user that you are trying to add? Is that user from the same Org? You can't add another user from a different Org.

  2. Anonymous says:

    Well, you can definitely programmatically create the administrator by supplying the password using secure string.

    Or if you want to, you can create the mailbox and then assign the Organization Management role. Try this,

    Get-RoleGroup -Organization AlpineSkiHouse "Organization Management" | Add-RoleGroupMember -member "username"

  3. Anonymous says:

    Hmm.. where is the user that you are trying to add? Is that user from the same Org? You can't add another user from a different Org.

  4. lee says:

    – When I use new-organization using the following syntax "New-Organization -Name "" -DomainName "" -Location "en-us" -ProgramId "Business" -OfferId "2"  " it creates the new tenant client without an administrative user.

    – When I add the "–AdministratorPassword (get-credential).password" it prompts for the username/password.

    My challenge is that we're wanting to programmatically create these organizations so we need to be able to script it. It would also be handy from our tool to be able to add new tenant administrators easily.

    One thought is to create a user and assign the roles (shown above) but I can't find how to do it. TechNet documentation alludes to maybe an easy way to do it with the article "Grant a Tenant User Administrative Permission" which no one has started writing yet.

    What would you recommend as a solution?

  5. lee says:

    Wow that was fast. 🙂

    When I log in and try to run that command it tells me "This operation can only be performed by a manager of the group." I am logged in as a domain admin and have the shell run-as administrator…

    Is there a permission tweak I would need to do?

  6. lee says:

    Ok after some messing around, I got a bit further. I don't know what happened but I created a new organization and a new user, it seems better, but I'm now faced with the error "A recipient in one organization can't be a member in another organization."

    I would assume I need to somehow in the Add-RoleGroupMember tell it what organization to focus on as is done in the Get-RoleGroupMember command. Any ideas?

  7. aw says:

    Hi, I just want to tell you that I am just very new to blogs and seriously loved this website. More than likely I’m planning to bookmark your blog post.
    You amazingly come with really good posts. Thanks a lot for sharing your blog Microsoft.

Comments are closed.
