Monday 22 August 2016

RBAC for Exchange Online

This post describes how to use RBAC (Role Based Access Control) in Exchange Online.

The scenario: an admin wants to create custom Exchange admin roles based on region.
For example, a multinational company (MNC) is spread across many cities and the global admin wants a help desk role per city, so that a given admin can change settings only for users based in his own city. The building block for this in Exchange Online's RBAC model is the management scope, which limits a role group's write access to a filtered set of recipients.

1. Open PowerShell with administrator privileges (Run as administrator).
2. To allow Windows PowerShell to run signed scripts, run the following command in that elevated window:
  • Set-ExecutionPolicy RemoteSigned
3. Enter the credentials of an Exchange Online admin (Organization Management member):
  • $UserCredential = Get-Credential    # enter the admin credentials
4. Create the remote session to Exchange Online and import its cmdlets:
  • $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
  • Import-PSSession $Session

Note that this connection uses Basic authentication against the remote PowerShell endpoint, which cannot enforce MFA. Microsoft has since retired Basic authentication for Exchange Online remote PowerShell; current tenants should connect with the ExchangeOnlineManagement module (Connect-ExchangeOnline), which uses modern authentication. The RBAC cmdlets below are the same either way.


5. After this, your PowerShell session is connected to Exchange Online and you can run any Exchange Online cmdlet. Useful ones for inspecting the current RBAC configuration and testing the filter you are about to scope on:

  • Get-RoleGroup
  • Get-ManagementScope
  • Get-Recipient -Filter {City -eq "Riyadh"}



6. Create a management scope covering the recipients whose City attribute is "Riyadh":

  • New-ManagementScope "HelpDesk for riyadh" -RecipientRestrictionFilter {City -eq "riyadh"}
7. This command creates the management scope "HelpDesk for riyadh". The scope is a filter, not a static list: it is evaluated whenever a scoped admin runs a cmdlet, so any recipient whose City is Riyadh (including users created later) falls within it, and whoever can edit the City attribute effectively controls who is in scope. Check the filter with Get-Recipient (step 5) before relying on it.
  • New-RoleGroup -Name "HelpDesk for IT RIYADH" -Roles "Mail Recipients", "Reset Password", "Distribution Groups", "Mail Recipient Creation" -Members "HelpDeskUser" -CustomRecipientWriteScope "HelpDesk for riyadh" -ManagedBy "Organization Management"

8. This command creates the role group "HelpDesk for IT RIYADH" containing the roles "Mail Recipients", "Reset Password", "Distribution Groups" and "Mail Recipient Creation", with "HelpDeskUser" as a member. The member can modify the properties covered by those roles only for recipients in the "HelpDesk for riyadh" management scope. Note that -CustomRecipientWriteScope restricts writes only: the member keeps the default organization-wide read scope and can still view recipients in other cities. The role group itself is managed by the members of the Organization Management role group, so only they can add or remove help desk members.
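The whole procedure above, generalized to several cities, as an added example that is not part of the original post. It connects with Connect-ExchangeOnline from the ExchangeOnlineManagement module instead of the Basic-auth New-PSSession shown earlier, checks that the City filter actually matches recipients before scoping on it, creates the scope and role group only if they do not already exist, and then verifies with Get-ManagementRoleAssignment that every role assignment of the new group carries the custom write scope. The admin UPN, city names and help desk member UPNs are placeholders.

```powershell
# Added example (not from the original post): per-city scoped help desk role groups.
# Assumes the ExchangeOnlineManagement module is installed and the UPNs/cities below
# are replaced with real values.
#Requires -Modules ExchangeOnlineManagement

param(
    [string]$AdminUpn = 'admin@contoso.onmicrosoft.com',          # assumption: placeholder admin
    [hashtable]$HelpDeskByCity = @{                                # assumption: city -> help desk members
        'Riyadh' = @('helpdesk.riyadh@contoso.onmicrosoft.com')
        'Jeddah' = @('helpdesk.jeddah@contoso.onmicrosoft.com')
    }
)

# The roles used in the post. Their write access is limited by the custom scope below.
$HelpDeskRoles = 'Mail Recipients', 'Reset Password', 'Distribution Groups', 'Mail Recipient Creation'

Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

foreach ($city in $HelpDeskByCity.Keys) {
    $scopeName = "HelpDesk for $city"
    $groupName = "HelpDesk for IT $city"
    $filter    = "City -eq '$city'"

    # Sanity check first: a scope on an attribute nobody populates is an empty scope.
    $inScope = @(Get-Recipient -Filter $filter -ResultSize Unlimited)
    if ($inScope.Count -eq 0) {
        Write-Warning "No recipients have City='$city'; fix the City attribute before relying on this scope."
    }

    # Filter-based scope: evaluated on every operation, so new users with City=$city
    # are covered automatically, and whoever can edit City controls scope membership.
    if (-not (Get-ManagementScope -Identity $scopeName -ErrorAction SilentlyContinue)) {
        New-ManagementScope -Name $scopeName -RecipientRestrictionFilter $filter | Out-Null
    }

    # Role group whose roles can only write to recipients inside the scope.
    # Read scope stays organization-wide; only Organization Management can change membership.
    if (-not (Get-RoleGroup -Identity $groupName -ErrorAction SilentlyContinue)) {
        New-RoleGroup -Name $groupName -Roles $HelpDeskRoles -Members $HelpDeskByCity[$city] `
            -CustomRecipientWriteScope $scopeName -ManagedBy 'Organization Management' | Out-Null
    }

    # Verify: every role assignment created for the group must carry the custom write scope.
    # An assignment without it would give the help desk organization-wide write access for that role.
    $unscoped = @(Get-ManagementRoleAssignment -RoleAssignee $groupName |
        Where-Object { $_.CustomRecipientWriteScope -ne $scopeName })
    if ($unscoped.Count -gt 0) {
        Write-Warning "$groupName has assignments without write scope '$scopeName': $($unscoped.Role -join ', ')"
    } else {
        Write-Host "$groupName : $($HelpDeskRoles.Count) roles scoped to '$scopeName' ($($inScope.Count) recipients in scope)"
    }
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it as a member of Organization Management. The verification step is the part worth keeping even if you create the groups by hand: New-RoleGroup creates one role assignment per role, and it is the assignment, not the group, that holds the write scope, so that is where a missing restriction shows up.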