Customize Role-Based Access Control in Office 365


Office 365 includes several default RBAC roles which allow end-users to access ECP and manage their own account properties or advanced mailbox features.  A summary of the built-in roles can be found at http://help.outlook.com/en-us/140/Dd207272.aspx.  An O365 administrator can also enable and disable certain roles to control what properties and/or features a user can manage.  There are several roles, however, that may not provide the desired functionality in Office 365.  For example, allowing a federated user to modify their own contact information results in an error since that information is synchronized from on-premise.  Similarly, a customer may not want users managing their own distribution groups, or may have policies which forbid connected mailboxes.  In these cases, the default user role assignment policy can be customized to remove many of the RBAC roles.

  1. Logon to O365 and administrator
  2. On the Admin Overview page, click Manage under Exchange Online
  3. From ECP, select Roles & Auditing
  4. Select Default Role Assignment Policy and click Details
  5. From the list of RBAC roles, uncheck the options/features that are not required and click Save.

In my customer’s case, we unchecked all options except MyBaseOptions.  This allowed a user to view their contact information, but not make any changes.  In addition, it removed most of the other advanced settings and self-service features.  However, we discovered it does not remove the user’s ability to forward incoming email to alternate address.  My customer had a strict policy related to automatic email forwarding, so this feature also had to be removed and controlled as a separate management role. We accomplished this by customizing the RBAC roles in O365 using a remote PowerShell session.

  1. Export MyBaseOptions management role entries for reference:
    Get-ManagementRoleEntry MyBaseOptions\* | ConvertTo-Html > C:\MyBaseOptions.htm
  2. Copy the existing MyBaseOptions management role as new MyMailForwarding Role:
    New-ManagementRole –Parent MyBaseOptions –Name MyMailForwarding
  3. Copy the existing MyBaseOptions management role as a new MyMailbox role:
    New-ManagementRole –Parent MyBaseOptions –Name MyMailbox
  4. Remove all Set-Mailbox parameters (which include mail forwarding permissions) from the new MyMailbox role:
    Remove-ManagementRoleEntry MyMailbox\Set-Mailbox
  5. Add Set-Mailbox parameters back to MyMailbox role except those associated with mail forwarding:
    Add-ManagementRoleEntry MyMailbox\Set-Mailbox –Parameters AcceptMessagesOnlyFrom, AcceptMessagesOnlyFromDLMembers, AcceptMessagesOnlyFromSendersOrMembers, ErrorAction, ErrorVariable, ExternalOofOptions, GrantSendOnBehalfTo, Identity, Languages, MailTip, MailTipTranslations, OutBuffer, OutVariable, Password, RejectMessagesFrom, RejectMessagesFromDLMembers, RejectMessagesFromSendersOrMembers, RequireSenderAuthenticationEnabled, UserCertificate, UserSMimeCertificate, WarningAction, WarningVariable

Now we modify the Default Role Assignment Policy so that includes only the new MyMailbox role which we’ve customized.  It includes all the same settings as MyBaseOption, minus the mail forwarding feature.

  1. Logon to ECP as administrator account
  2. Click Roles & Auditing along the left
  3. Click User Roles along the top
  4. Select “Default Role Assignment Policy” and click Details
  5. Uncheck all management roles except MyMailbox and click Save

Capture_thumb_1_57A3C484

With the customizations complete and the new policy defined, all O365 users now have only the bare minimum of features approved by the customer.  However, we all agreed that there may be exceptions where mail forwarding must be enabled for select accounts.  Therefore, we created an new role assignment policy which could selectively be applied to specific mailboxes.

  1. Logon to ECP as administrator account
  2. Click Roles & Auditing along the left
  3. Click User Roles along the top
  4. Under Role Assignment Policies, click New
  5. Name the new policy Enable Mail Forwarding and provide a description
  6. Select only MyBaseOptions role which now contains both MyMailbox and MyMailForwarding
  7. Click Save

Capture2_thumb_57A3C484

To allow mail forwarding for specific users, the new Enable Mail Forwarding policy can be applied to their mailbox.

  1. Logon to ECP as administrator account
  2. Click Users & Groups along the left
  3. Click Mailboxes along the top
  4. Locate and select a specific user and click Details
  5. Expand Mailbox Settings
  6. Change the role assignment policy to Enable Mail Forwarding
  7. Click Save

These instructions reflect a real-world scenario in which RBAC roles in O365 had to be customized.  They outline the steps to explicitly manage email forwarding, but can be applied to any situation where individual features must be enabled or disabled.  RjZ

Comments (1)

  1. Roman Zarka says:

    Since federated users cannot change their password in O365, I was recently asked if customizing the RBAC roles could also remove the Change Password icon from ECP.  (For federated users, it generates an error.)  I've tested this scenario and the answer is yes.  Set-Mailbox contains a Password parameter that can be removed from the Management Role Assisgnment of MyBaseOptions.  However, if these changes are made to the Default Role Assignment Policy, then un-federated users will not be able to change their passwords either.  If you must support both federated and un-federated user accounts, it is important to create a new policy which you can apply to users selectively.  RjZ

Skip to main content