Category Archives: RBAC

Microsoft Azure – Leverage Manage Engine AD Manager and delegate MFA reset action to the Helpdesk Team

Currently there is no option, as per this UserVoice request, to delegate the MFA reset action to the help desk team through an admin role. Only Global Admins hold the privileges required to perform this action from the Azure portal. In an earlier article we looked at how to reset this option by creating an automation account and integrating it with Microsoft Flow. Though that is a good option, there is another way the action can be delegated: via ManageEngine ADManager Plus.

Many organizations already have ADManager Plus and its features integrated with their on-premises tenant, and it can also execute Office 365 and Azure AD operations in a hybrid environment. In this article we will look at the steps to integrate ADManager Plus with Azure AD and delegate the MFA reset action to the help desk team.

Below are the prerequisites:

  1. The ADManager Plus server must be present in the hybrid domain. A hybrid domain is not strictly required; this works well for cloud-only accounts too.
  2. Connectivity to the Azure IPs and URLs is required so that the Azure module can run Connect-MsolService.
  3. The Azure AD (MSOnline) module must be installed on the ADManager Plus server.
  4. AD delegation must already be assigned to the help desk team with an AD management role.
  5. A Global Admin account is required; its credentials are stored encrypted with a key file on the ADManager Plus server. This Global Admin account is only used by the ADManager Plus server in the back end and is never exposed to the help desk team.

Implementation Steps:

First we need to create the encrypted credential and key file; the commands below can be used. Note that executing the reset script with a plain-text password will not work: in our case the session is invoked from ADManager Plus, so it only works with a key file.

A very important note: if a password policy applies to the Global Admin account, regenerate the key and credential file by re-running this script each time the Global Admin password is changed.

# Both files live in the ADManager Plus bin folder, where mfa.ps1 will later read them
$KeyFile  = "C:\ManageEngine\ADManager Plus\bin\AES256.key"
$CredFile = "C:\ManageEngine\ADManager Plus\bin\credential.cred"
# New-Object Byte[] 32 on its own is an all-zero array; fill it with random bytes so the AES key is real
$Key = New-Object Byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($Key)
$Key | Out-File $KeyFile
$credential = Get-Credential   # prompts for the Global Admin account
$credential.Password | ConvertFrom-SecureString -Key $Key | Out-File $CredFile

Then place the script below in the ADManager Plus bin folder as mfa.ps1 (the file name the template in the next section calls).

param([string]$userPrincipalName)   # passed positionally by the template: PowerShell -File mfa.ps1 %userprincipalname%
$MFAlog = "C:\ManageEngine\ADManager Plus\bin\MFAActions.log"
$Key = Get-Content "C:\ManageEngine\ADManager Plus\bin\AES256.key"
$cred = New-Object System.Management.Automation.PSCredential("globaladmin@example.onmicrosoft.com", (Get-Content "C:\ManageEngine\ADManager Plus\bin\credential.cred" | ConvertTo-SecureString -Key $Key))   # placeholder: the Global Admin UPN whose password was encrypted above
Connect-MsolService -Credential $cred
"`nConnected to MSOL" | Out-File $MFAlog -Append
Set-MsolUser -UserPrincipalName $userPrincipalName -StrongAuthenticationMethods @()
"`nUpdated User $userPrincipalName" | Out-File $MFAlog -Append

The above script also appends to an MFAActions.log file in the bin folder, which lets us track the MFA actions performed through ADManager Plus by the help desk admins. This script, too, must be placed in the bin folder on the ADManager Plus server.

Having completed the Azure AD part, we need to open the ManageEngine ADManager Plus admin portal and perform the following actions:

  1. Go to AD Mgmt – User Modification Templates – click Create New Template.
  2. Leave all the fields on all the tabs at their defaults – navigate to Custom Attributes – select Run Custom Script on successful user modification – in Script command, enter the following to call our script via ADManager Plus:
     PowerShell -File mfa.ps1 %userprincipalname%
  3. Once done, click Save Template.
  4. Assign this template to the help desk team.

Once the above is completed, the help desk can perform the reset as follows:

AD mgmt – Modify Single user – Search for affected user – Modify user – Change template – Choose MFA reset template – then click on update user.

Now the MFA value will be cleared for the requested user.

We can also check the status from an Azure AD connected PowerShell session:

(Get-MsolUser -UserPrincipalName user@domain.com).StrongAuthenticationMethods

The value should return null for a user where the MFA reset is successful.
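As an added example (not part of the original article), the following reconciles the MFAActions.log that mfa.ps1 writes against each user's live StrongAuthenticationMethods value, so resets that did not take effect stand out; it assumes the MSOnline module is loaded and Connect-MsolService has already been run in the session.

```powershell
# Added example, not from the original article: reconcile the MFAActions.log that mfa.ps1
# writes in the ADManager Plus bin folder against each user's live StrongAuthenticationMethods.
# Assumes Connect-MsolService has already been run in this session.
$LogPath = "C:\ManageEngine\ADManager Plus\bin\MFAActions.log"   # path from the article

function Get-ResetUpnFromLog {
    param([Parameter(Mandatory)][string]$Path)
    # mfa.ps1 appends one "Updated User <upn>" line per reset; pull the UPN out of each
    Get-Content -Path $Path | ForEach-Object {
        if ($_ -match '^Updated User (\S+@\S+)\s*$') { $Matches[1] }
    } | Sort-Object -Unique
}

function Test-MfaCleared {
    param([Parameter(Mandatory)][string]$Upn)
    $user = Get-MsolUser -UserPrincipalName $Upn -ErrorAction Stop
    # An empty StrongAuthenticationMethods collection is what a successful reset looks like
    $methods = @($user.StrongAuthenticationMethods)
    [pscustomobject]@{
        UserPrincipalName = $Upn
        MethodsRemaining  = $methods.Count
        Cleared           = ($methods.Count -eq 0)
        Methods           = ($methods | ForEach-Object { $_.MethodType }) -join ','
    }
}

# List every user the help desk reset through the template; Cleared = $false needs a second look
Get-ResetUpnFromLog -Path $LogPath |
    ForEach-Object { Test-MfaCleared -Upn $_ } |
    Sort-Object Cleared |
    Format-Table -AutoSize
```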

This achieves delegation of the MFA reset through ManageEngine: help desk admins can perform the MFA reset from the delegated ADManager Plus help desk portal by selecting the assigned template.

Thanks & Regards
Sathish Veerapandian

RBAC role to Manage end user contacts through (Exchange Control Panel)

There may be a requirement to delegate the management of contact details for all staff, especially to the HR team, since position titles, phone numbers, city, extensions and addresses change at random times for all staff.

It is better to delegate this task alone to an HR team member so that help desk calls for changing this information are reduced. There is also no need to wait for the help desk team to make these changes.

Basically, we can create a custom RBAC role and assign it to an HR staff member, who will then be able to manage this task through ECP.

Create a new management role :

New-ManagementRole -Parent "Mail Recipients" -Name "Contact Management"

Now we need to create a new role group:

New-RoleGroup -Name "Contact Editor" -Roles "Contact Management"

Remove all of the unwanted cmdlets from our newly created role, since we want the bare minimum permission of modifying only the contact attributes:

Get-ManagementRoleEntry "Contact Management\*" | Where-Object { $_.Name -ne "Set-User" } | Remove-ManagementRoleEntry

Now restrict the remaining Set-User entry to only the parameters the HR team needs (the parameter names must match Set-User's own, so "street address" is StreetAddress):

Set-ManagementRoleEntry "Contact Management\Set-User" -Parameters Phone,City,Fax,MobilePhone,Department,Title,StreetAddress

Finally, assign the role to the HR admin account:

New-ManagementRoleAssignment -Role "Contact Management" -User TestITHRAdmin

Run the below command to check and ensure that only the Set-User editor rights are assigned:

Get-ManagementRoleEntry "Contact Management\*"

When this person logs in through ECP with the RBAC role, they are able to manage only the AD contact attributes.

Thanks 

Sathish Veerapandian

MVP – Exchange Server

RBAC error – Disable-Mailbox isn't within your current write scopes, can't perform save operation

I just recently ran into this problem and thought of sharing this which might be helpful to others in similar situations.

I had just created an RBAC role group and a write scope for a group of admins to create and manage mailboxes in a few mailbox databases.

The role group was created successfully and the role entries seemed to work fine without any issues, except for Disable-Mailbox and Enable-Mailbox.

The assigned role admins were able to create, modify and remove mailboxes, mail universal distribution groups, mail contacts, mail universal security groups and dynamic distribution groups, but they weren't able to enable or disable any of the objects on their own.

When they tried to enable or disable any mailbox, they got the error below:

[Screenshot: RBAC_no_Enable-Mailbox_error]

I ran the command Get-ManagementScope Scopename | Fl to see the recipient filter types.

I was able to see the recipient types user mailbox, mail-enabled contacts, mail contacts, mail universal security groups and dynamic distribution groups.

But it still was not working.

Later I identified the problem. Enable-Mailbox and Disable-Mailbox will remove only the Exchange attributes from the user account and leave the user account and the mailbox in retention.

For this functionality to work, the RBAC scope must also grant the admins permission on the AD user object itself.

So we need to add the recipient filter (RecipientType -eq 'User'), which brings the AD user objects into the custom RBAC group's write scope and thereby grants the permission those RBAC admins were missing.

Since setting the scope with only that filter would remove the other permissions, I have added below the list of entries that should be helpful for the help desk team.

For the help desk to manage normal daily operations, the entries below are sufficient, with (RecipientType -eq 'User') added:

Set-ManagementScope "ENTER THE SCOPE NAME" -RecipientRestrictionFilter {
    (RecipientType -eq 'UserMailbox') -or
    (RecipientType -eq 'User') -or
    (RecipientType -eq 'MailUser') -or
    (RecipientType -eq 'MailContact') -or
    (RecipientType -eq 'MailUniversalDistributionGroup') -or
    (RecipientType -eq 'MailUniversalSecurityGroup')
}

After the above change I was able to get past the error 🙂

Thanks 

Sathish Veerapandian

MVP – Exchange Server 


Custom RBAC role for setting "Full Mailbox folder" and "Send as" permission

I tried to create a custom RBAC role for setting the "Full Mailbox" and "Send as" permission by going through a few blogs and TechNet discussions. I tried to implement it in my lab and it was successful. I tried hard for Delegate and there is no option to assign the permission to any of the security group members for setting the Delegates. Delegate is an option which can be set only through Outlook.

Below are the steps to create a custom RBAC role for Full Mailbox and Send As; they may be useful if they suit your environment.

Through a custom RBAC role we can allow the members of one security group to set the "Full Mailbox" and "SendAs" access rights on user mailboxes and shared mailboxes.

In order to test this in lab I first created a distribution group named Exchange Mailbox Folder.

We can use the below command to check the default management role entries:

Get-ManagementRoleEntry "Mail Recipients\*"

Here we have the list of Mail Recipients entries. We cannot modify the default role "Mail Recipients", so we have to create a new custom role.

We can remove all the unwanted cmdlets from the custom role and then assign only the two entries listed below to the created security group:

  1. Add-MailboxPermission
  2. Add-MailboxFolderPermission

First we need to create a new management role with the below command

New-ManagementRole "Custom AddMailbox Permission" -Parent "Mail Recipients"

Now we need to view the list of management role entries the custom role inherited from its parent. We do not need all of the entries that come with the default role.

Get-ManagementRoleEntry "Custom AddMailbox Permission\*"

Now we can go ahead and remove all of the role entries we do not require, keeping only Add-MailboxPermission and Add-MailboxFolderPermission (Send As is handled by the separate assignment further below), by running the below command:

Get-ManagementRoleEntry "Custom AddMailbox Permission\*" | Where-Object { ($_.Name -ne "Add-MailboxPermission") -and ($_.Name -ne "Add-MailboxFolderPermission") } | Remove-ManagementRoleEntry
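As an added example (not code from either post), the function below checks that a custom role ends up with only the intended cmdlets and, where restricted, only the intended parameters after the Remove-ManagementRoleEntry step; it covers both the Contact Management role from the earlier post and the Custom AddMailbox Permission role here, and assumes an Exchange Management Shell session with the role names the posts use.

```powershell
# Added example, not from the original posts: compare a custom role's entries with an allowlist
# so nothing inherited from "Mail Recipients" survives the clean-up. Run in Exchange Management Shell.
function Test-RoleAllowlist {
    param(
        [Parameter(Mandatory)][string]$Role,
        # cmdlet name -> expected parameter names; $null means any parameter set is acceptable
        [Parameter(Mandatory)][hashtable]$Allowed
    )
    # Identity and the common parameters are always present on an entry, so they are not "extra"
    $ignore = 'Identity','Confirm','WhatIf','Verbose','Debug','ErrorAction','WarningAction',
              'ErrorVariable','WarningVariable','OutVariable','OutBuffer'
    $entries  = @(Get-ManagementRoleEntry "$Role\*")
    $findings = @()
    foreach ($e in $entries) {
        if (-not $Allowed.ContainsKey($e.Name)) {
            $findings += "Unexpected cmdlet left in role: $($e.Name)"
            continue
        }
        $expected = $Allowed[$e.Name]
        if ($null -ne $expected) {
            $extra = @($e.Parameters | Where-Object { $ignore -notcontains $_ -and $expected -notcontains $_ })
            if ($extra.Count) { $findings += "$($e.Name) still exposes: $($extra -join ', ')" }
        }
    }
    foreach ($name in $Allowed.Keys) {
        if ($entries.Name -notcontains $name) { $findings += "Expected cmdlet missing: $name" }
    }
    if ($findings.Count -eq 0) { "OK: $Role matches its allowlist" } else { $findings }
}

# Contact Management (earlier post): Set-User limited to the HR-editable attributes
Test-RoleAllowlist -Role 'Contact Management' -Allowed @{
    'Set-User' = 'Phone','City','Fax','MobilePhone','Department','Title','StreetAddress'
}
# Custom AddMailbox Permission (this post): exactly these two cmdlets, parameters unrestricted
Test-RoleAllowlist -Role 'Custom AddMailbox Permission' -Allowed @{
    'Add-MailboxPermission'       = $null
    'Add-MailboxFolderPermission' = $null
}
```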

We then have to assign the permissions through a management role assignment.

For Full Mailbox and folder permissions run the below command:

New-ManagementRoleAssignment "add mailbox permissions" -Role "Custom AddMailbox Permission" -SecurityGroup "Exchange MailboxFolder"

For Send As permissions run the below command. The assignment name has to differ from the one above, since role assignment names are unique, and note that the built-in Active Directory Permissions role carries Add-ADPermission and Remove-ADPermission for recipients in general, which is broader than Send As alone:

New-ManagementRoleAssignment "send as permissions" -Role "Active Directory Permissions" -SecurityGroup "Exchange MailboxFolder"

I was successfully able to give the "Exchange MailboxFolder" security group members the permission to set the "Full Mailbox" and "SendAs" access rights on user mailboxes.

Thanks

Sathish Veerapandian – MVP
