Remove Multiple Management Role Entries In Office 365


Exchange Online in Office 365 has a very similar RBAC implementation to on-premises installations of Exchange.  After previously bumping into an issue with Exchange Online (EXO), and then hitting it twice again in the last fortnight, this bubbled to the top of the publishing pile.

In this environment, a custom Management Role was created called Level1-HelpDesk.  This is a copy of the Mail Recipients built-in role, so it starts with every role entry that Mail Recipients has and can then be trimmed down.

New-ManagementRole -Name Level1-HelpDesk -Parent "Mail Recipients"

Creating Custom ManagementRole From Mail Recipients

As you can see above, the new Management Role was created.  Since this is for the Level 1 helpdesk we want to tune the role and restrict which cmdlets are available to it.  If we look for role entries matching the phrase "Set-Mail*", we can see there are several, one of which is Set-Mailbox.

Get-ManagementRoleEntry "Level1-HelpDesk\set-mail*"

Verifying Cmdlets Present In Management Role

Let’s then remove all of these cmdlets by piping the above results to Remove-ManagementRoleEntry.

Get-ManagementRoleEntry "Level1-HelpDesk\set-mail*" | Remove-ManagementRoleEntry

Remove-ManagementRoleEntry - Errors When Piping To Remove-ManagementRoleEntry

Well, that was less than stellar…

This is the charming error text:

Cannot process argument transformation on parameter 'Identity'. Cannot convert value "Level1-HelpDesk" to type "Microsoft.Exchange.Configuration.Tasks.RoleEntryIdParameter". Error: "The format of the value you specified in the Microsoft.Exchange.Configuration.Tasks.RoleEntryIdParameter parameter isn't valid. Check the value, and then try again.
Parameter name: identity"
    + CategoryInfo          : InvalidData: (Level1-HelpDesk:PSObject) [Remove-ManagementRoleEntry], ParameterBindin…mationException
    + FullyQualifiedErrorId : ParameterArgumentTransformationError,Remove-ManagementRoleEntry
    + PSComputerName        : pod51042psh.outlook.com

 

Troubleshooting Time

Was this due to multiple Management Role Entries being piped over?  Let's try with just one, Set-Mailbox, piping that single entry from Get-ManagementRoleEntry into Remove-ManagementRoleEntry.  We already confirmed that this cmdlet is present in the Management Role.

Remove-ManagementRoleEntry - Piping A Single Management Role Entry Still Fails

Nope – same issue. 

PowerShell has the -Verbose and -Debug switches that can provide additional detail.  Unfortunately in this case, they did not.

Remove-ManagementRoleEntry - No Extra Love From Verbose Or Debug

At this point we can safely say that we cannot pipe a Management Role Entry over to the Remove-ManagementRoleEntry cmdlet in EXO.  The error text does tell us why it fails: the value that ended up bound to -Identity was "Level1-HelpDesk", the bare role name, rather than the Role\Cmdlet string (Level1-HelpDesk\Set-Mailbox) that the RoleEntryIdParameter type expects, so the cmdlet never received the name of the entry to remove.  So let's try this without the pipe, and pass the full Role\Cmdlet identity directly to the Remove-ManagementRoleEntry cmdlet.

Remove-ManagementRoleEntry Level1-HelpDesk\Set-Mailbox -Confirm:$False

Remove-ManagementRoleEntry - Success!

The -Confirm:$False was added to prevent a load of distracting confirmation text.  Once the entry is removed, re-run Get-ManagementRoleEntry "Level1-HelpDesk\Set-Mailbox" to verify it is gone before handing the role out.

This works!  Yay, but do I really want to do this manually for every Management Role Entry to be removed?

 

PowerShell Automation

I wrote a quick script to automate this process.  You can edit the script and specify what you want to remove from one of your custom Management Roles.  The above example is present in the script, and it needs to be modified to suit your organisation.
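The following is an added example written for this page; it is not the gallery script linked below and not Exchange's own code.  It shows the workaround from the troubleshooting section as a reusable function: build the Role\Cmdlet identity string by hand for each entry and call Remove-ManagementRoleEntry directly, rather than piping the entry objects into it.  It assumes an already-connected Exchange Online remote PowerShell session, an existing custom role (Level1-HelpDesk, as in this post), and the ManagementRoleEntry Name property and ManagementRole IsRootRole property; the function name, the -Keep parameter and the Set-MailboxRegionalConfiguration exclusion are illustrative choices for this example.

```powershell
# Added example (not the author's gallery script, not Exchange's own code).
# Assumes an established Exchange Online remote PowerShell session.
function Remove-RoleEntriesByPattern {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string]   $RoleName,   # custom role to trim, e.g. Level1-HelpDesk
        [Parameter(Mandatory)] [string[]] $Pattern,    # wildcard cmdlet patterns, e.g. 'Set-Mail*'
        [string[]] $Keep = @()                         # exact cmdlet names that must survive the trim
    )

    # Built-in (root) roles cannot be edited; fail early instead of erroring on every entry.
    $role = Get-ManagementRole -Identity $RoleName -ErrorAction Stop
    if ($role.IsRootRole) {
        throw "$RoleName is a built-in role; create a child role with New-ManagementRole first."
    }

    foreach ($p in $Pattern) {
        # Get-ManagementRoleEntry accepts wildcards in the Role\Cmdlet identity.
        $entries = Get-ManagementRoleEntry -Identity "$RoleName\$p" -ErrorAction SilentlyContinue
        foreach ($entry in $entries) {
            if ($Keep -contains $entry.Name) { continue }

            # Build Role\Cmdlet ourselves. Piping the entry object into
            # Remove-ManagementRoleEntry fails in EXO because only the role name
            # reaches -Identity, which RoleEntryIdParameter cannot parse (see the
            # error text earlier in the post).
            $id = "$RoleName\$($entry.Name)"
            if ($PSCmdlet.ShouldProcess($id, 'Remove-ManagementRoleEntry')) {
                Remove-ManagementRoleEntry -Identity $id -Confirm:$false
            }
        }
    }

    # Verify the result: anything still matching a pattern and not on the keep list
    # means the trim did not fully apply, which matters before the role is assigned.
    $left = foreach ($p in $Pattern) {
        Get-ManagementRoleEntry -Identity "$RoleName\$p" -ErrorAction SilentlyContinue |
            Where-Object { $Keep -notcontains $_.Name }
    }
    if ($left) {
        Write-Warning ("Entries still present in {0}: {1}" -f $RoleName, ($left.Name -join ', '))
    } else {
        Write-Verbose "No entries matching $($Pattern -join ', ') remain in $RoleName"
    }
}

# Dry run first (-WhatIf lists each Role\Cmdlet that would be removed), then apply.
Remove-RoleEntriesByPattern -RoleName 'Level1-HelpDesk' -Pattern 'Set-Mail*' `
    -Keep 'Set-MailboxRegionalConfiguration' -WhatIf
Remove-RoleEntriesByPattern -RoleName 'Level1-HelpDesk' -Pattern 'Set-Mail*' `
    -Keep 'Set-MailboxRegionalConfiguration' -Verbose
```

Running with -WhatIf first is worth the extra step: role entry removals take effect for everyone assigned the role, and a wildcard such as Set-Mail* catches more cmdlets than the one you have in mind.  The verification pass at the end is the check to keep; a role that still carries Set-Mailbox is not the restricted helpdesk role you think you handed out.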

Download Remove Management Role Entries Script

Please download the script from the TechNet scripting gallery and provide feedback either on the gallery or in a comment on this blog posting.

 

Cheers,

Rhoderick

Comments (4)

  1. Andrew says:

    Thanks for this. I did something similar with a for-each loop (though not exactly the same) but may help others

    Get-ManagementRoleEntry "ActiveSync Approval\*" | Where {$_.Name -NotLike "Set-CASMailbox*"} | foreach {
    # Build the Role\Cmdlet identity by hand; the backslash between role and cmdlet is required
    $rolename = "ActiveSync Approval\" + $_.Name
    Remove-ManagementRoleEntry "$rolename" -Confirm:$false}

  2. Geoff says:

    Thank you for sharing this!

    Can you pass along a suggestion that Example 2 from the technet article
    https://technet.microsoft.com/en-us/library/dd351187%28v=exchg.160%29.aspx get replaced with a link to your script? Example 2 shows them piping from the Get-ManagementRoleEntry cmdlet to the Remove-ManagementRoleEntry cmdlet.

  3. Jeremy Bradshaw says:

    What a pain. I figured by now all of Microsoft’s cmdlets would start from some great masterful template. Instead it’s like every single one is created on the fly by whoever was working that day on the development floor and their work isn’t being checked. There’s a very similar problem with Get-MailboxImportRequestStatistics in Exchange Online. I’ve found that it requires the RequestGuid attribute from the MailboxImportRequest to be used as its Identity parameter.

    It’s like the Exchange product is being created on the fly similar to how my own personal scripts library gets put together day by day on an as needed basis, with style differences here and there (because I’m not selling my scripts to anyone).
