Category Archives: RBAC

Azure PIM - Create custom RBAC roles for search & delete emails

It has been a long time since I wrote a blog article about RBAC roles, especially in relation to Exchange. Because working in the Exchange area was my first job, I had the opportunity to take a sneak peek at this topic when a colleague suggested that we consider providing a scaled-down permission level for the EXO operations of searching for and removing suspicious emails.

It is always advisable to grant the least privilege needed for daily operational tasks, such as handling a suspicious spam email that an end user has reported to the security team or the helpdesk. In practice Global Admin is sometimes granted for this task, because by default there is no Azure AD built-in role that maps directly to the Search & Purge role found in the compliance center.

Though there is no direct way to assign the permission via Azure AD roles, we have the option to connect to Office 365 Security & Compliance and add the group to the Search & Purge role. This post looks at how to provide such access.

We will use PIM to grant just-in-time access to Defender for Office 365 related tasks.

In this demo we run the example with a user called Selvam who has nothing beyond regular user privileges. Selvam will be a SOC admin responsible for searching for and deleting suspicious emails when an incident is reported.

The first task is to customize the role settings and add the permission entries Selvam needs.

Navigate to the Security Reader role under Roles and administrators.

Go to Role settings; here we need to tweak the activation maximum duration (hours) setting.

In the next pane we can choose the role settings, for example an activation duration of 24 hours.
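As an added example (not code from the original post), the same two steps driven from PowerShell instead of the portal: the PIM activation maximum for the Security Reader role set to 24 hours with Microsoft Graph PowerShell, and a Security & Compliance role group that carries only the Search And Purge role. The Graph cmdlets and the rule id Expiration_EndUser_Assignment come from the Microsoft.Graph.Identity.Governance module; the role group name SOC-SearchAndPurge and the user principal name are constructed placeholders.

```powershell
# Added example, not from the original post. Part 1 sets the PIM activation maximum
# duration for Security Reader to 24 hours; Part 2 builds a compliance role group that
# holds nothing but the "Search And Purge" role. Names marked below are placeholders.

# --- Part 1: PIM role setting (module: Microsoft.Graph.Identity.Governance) ---
Connect-MgGraph -Scopes "RoleManagementPolicy.ReadWrite.Directory","RoleManagement.Read.Directory"

# Resolve the built-in role by display name instead of hard-coding its template GUID.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Security Reader'"

# Every directory role has one PIM policy at tenant scope ('/'); look up its assignment.
$assignment = Get-MgPolicyRoleManagementPolicyAssignment `
    -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$($role.Id)'"

# The Expiration_EndUser_Assignment rule is the "activation maximum duration" setting
# shown in the portal pane the post walks through.
$ruleId = "Expiration_EndUser_Assignment"
$rule = @{
    "@odata.type"        = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
    id                   = $ruleId
    isExpirationRequired = $true
    maximumDuration      = "PT24H"      # ISO 8601 duration: the 24 hours chosen in the post
    target               = @{
        caller              = "EndUser"
        operations          = @("All")
        level               = "Assignment"
        inheritableSettings = @()
        enforcedSettings    = @()
    }
}
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $assignment.PolicyId `
    -UnifiedRoleManagementPolicyRuleId $ruleId -BodyParameter $rule

# Read the rule back so the change is verified rather than assumed.
Get-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $assignment.PolicyId `
    -UnifiedRoleManagementPolicyRuleId $ruleId | Format-List

# --- Part 2: compliance role group carrying only Search And Purge ---
Connect-IPPSSession

# "SOC-SearchAndPurge" and the UPN are constructed placeholders for this example.
New-RoleGroup -Name "SOC-SearchAndPurge" -Roles "Search And Purge" `
    -Members "selvam@contoso.example" `
    -Description "SOC: search for and purge reported emails, nothing else"

# Confirm no other role slipped into the group before handing it to the SOC.
Get-RoleGroup "SOC-SearchAndPurge" | Select-Object -ExpandProperty Roles
```

The Graph part changes a tenant-wide policy for the role, so it needs an account that already holds a privileged role management permission; the compliance part needs the ExchangeOnlineManagement module and a role-management right in Security & Compliance. The final `Get-RoleGroup` line is the check worth keeping in any runbook: the group should list exactly one role.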


Microsoft Azure – Leverage Manage Engine AD Manager and delegate MFA reset action to the Helpdesk Team

Currently there is no option, as per this UserVoice item, to delegate the MFA reset action to the helpdesk team via an admin role. As of now only the Global Admin has the required privileges to perform this action from the Azure portal. In an earlier article we looked at how to reset this option by creating an Automation account and integrating it with Microsoft Flow. Though that is a good option, there is another way: this action can be delegated via ManageEngine AD Manager Plus.

Most organizations have AD Manager Plus and its features integrated with their on-premises tenant. It can be used to execute Office 365 and Azure AD operations in a hybrid environment. In this article we will look at the steps to integrate AD Manager Plus with Azure AD and delegate this action to the helpdesk team.

Below are the prerequisites:

  1. An AD Manager Plus server must be present in the hybrid domain. A hybrid domain is not strictly required; it works well for cloud-only accounts as well.
  2. Connectivity to the Azure IPs and URLs is required for the Azure module (Connect-MsolService) to connect.
  3. The Azure AD modules must be downloaded on the AD Manager Plus server.
  4. AD delegation must already be assigned to the helpdesk team through an AD management role.
  5. A Global Admin account is required, stored as encrypted credentials with a key on the AD Manager Plus server. This Global Admin account is used only by the ManageEngine AD Manager server in the backend and is not exposed to the helpdesk team.

RBAC role to Manage end user contacts through (Exchange Control Panel)

There might be a requirement to delegate the management of contacts for all staff, especially to the HR team, since changes to position title, phone number, city, extension and address happen at random for all staff.

It is better to delegate this task alone to an HR team member so that helpdesk calls for changing this information are reduced, and nobody has to wait for the helpdesk team to make these changes.

Basically we can create a custom RBAC role and assign it to an HR staff member, who will then be able to manage this task through ECP.

Create a new management role:

New-ManagementRole -Parent "Mail Recipients" -Name "Contact Management"


Now we need to create a new role group that carries this role.

Create a new role group:

New-RoleGroup -Name "Contact Editor" -Roles "Contact Management"


Remove all of the unwanted cmdlets from our newly created role, since we need to give the bare minimum permission of modifying only the contact details. Every role entry except Set-User goes:

Get-ManagementRoleEntry "Contact Management\*" | where { $_.Name -ne "Set-User" } | Remove-ManagementRoleEntry


Add only the required parameters to the remaining Set-User entry. Identity must stay so the cmdlet can still target a user; the rest are the contact fields HR edits (the original list repeated Phone and used "street address", which is not a Set-User parameter; the parameter is StreetAddress):

Set-ManagementRoleEntry "Contact Management\Set-User" -Parameters Identity,Phone,City,Fax,MobilePhone,Department,Title,StreetAddress



Assign the role to the HR admin account:

New-ManagementRoleAssignment -Role "Contact Management" -User TestITHRAdmin


Run the below command to check and ensure that only the Set-User editor rights are assigned:

Get-ManagementRoleEntry "Contact Management\*"

When the person holding this RBAC role logs in through ECP, they will be able to manage only the AD contact details.


Sathish Veerapandian

MVP – Exchange Server

RBAC error – Disable-Mailbox isn’t within your current write scopes can’t perform save operation

I recently ran into this problem and thought of sharing it, as it might be helpful to others in similar situations.

I had just created an RBAC role group and a write scope for a group of admins to create and manage mailboxes in a few mailbox databases.

The role group was created successfully and the role entries seemed to be working fine without any issues, except for Disable-Mailbox and Enable-Mailbox.

The assigned role admins were able to create, modify and remove mailboxes, mail universal distribution groups, mail contacts, mail universal security groups and dynamic distribution groups, but they were not able to enable or disable any of these objects on their own.

When they tried to enable or disable a mailbox they got the error quoted in the title of this post.
I ran the command Get-ManagementScope "ScopeName" | Format-List to see the recipient filter types.

I was able to see the recipient types user mailbox, mail-enabled contacts, mail contacts, mail universal security groups and dynamic distribution groups.

But still it was not working.

Later I identified the problem. Enable-Mailbox and Disable-Mailbox only touch the Exchange attributes of the user account: Disable-Mailbox strips them and leaves the user account in place, with the mailbox kept in retention.

For this to work, the RBAC write scope must also grant permission on the user object (the AD user) itself, not only on the mailbox.

So we need to add the recipient filter (RecipientType -eq 'User'), which brings plain user objects into the write scope of the custom RBAC group and gives those RBAC admins the permission they lacked.

Note that Set-ManagementScope replaces the whole filter: running it with only the 'User' clause would remove the other recipient types. So I have added below the full list of entries that a helpdesk team would need.

For the helpdesk to manage normal daily operations the entries below, with (RecipientType -eq 'User') included, are sufficient.

Set-ManagementScope "ENTER THE SCOPE NAME" -RecipientRestrictionFilter {(RecipientType -eq 'UserMailbox') -or (RecipientType -eq 'User') -or (RecipientType -eq 'MailUser') -or (RecipientType -eq 'MailContact') -or (RecipientType -eq 'MailUniversalDistributionGroup') -or (RecipientType -eq 'MailUniversalSecurityGroup')}



Once the above was applied, I was able to get past the error 🙂
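An added example, not from the original post, that turns this fix into a repeatable check: one function builds the helpdesk write-scope filter from an explicit list of recipient types, and another reads a scope back and reports which expected types are missing, warning specifically when 'User' is absent, since that is exactly the gap that produced the write-scope error above. The scope name HelpdeskWriteScope and the function names are this example's own; the recipient type list is the one from the post.

```powershell
# Added example, not the post's code. Builds the helpdesk scope filter from a list and
# verifies a stored scope against that list. "HelpdeskWriteScope" is a placeholder name.

# Recipient types the post found sufficient for daily helpdesk operations.
$HelpdeskRecipientTypes = @(
    'UserMailbox','User','MailUser','MailContact',
    'MailUniversalDistributionGroup','MailUniversalSecurityGroup'
)

function New-RecipientTypeFilter {
    param([Parameter(Mandatory)][string[]]$RecipientTypes)
    # Build the OPATH string: (RecipientType -eq 'A') -or (RecipientType -eq 'B') ...
    ($RecipientTypes | ForEach-Object { "(RecipientType -eq '$_')" }) -join ' -or '
}

function Get-RecipientTypesFromFilter {
    param([Parameter(Mandatory)][string]$Filter)
    # Extract every quoted value that follows "RecipientType -eq" (case-insensitive).
    [regex]::Matches($Filter, "RecipientType\s+-eq\s+'([^']+)'", 'IgnoreCase') |
        ForEach-Object { $_.Groups[1].Value }
}

function Test-ScopeRecipientTypes {
    param(
        [Parameter(Mandatory)][string]$ScopeName,
        [string[]]$Expected = $HelpdeskRecipientTypes
    )
    # Get-ManagementScope exposes the stored filter as RecipientFilter; diff it against Expected.
    $scope   = Get-ManagementScope $ScopeName
    $present = Get-RecipientTypesFromFilter -Filter $scope.RecipientFilter
    $missing = $Expected | Where-Object { $present -notcontains $_ }
    if ($missing -contains 'User') {
        # This is the exact condition behind "isn't within your current write scopes" on Disable-Mailbox.
        Write-Warning "Scope '$ScopeName' lacks RecipientType 'User': Enable-Mailbox/Disable-Mailbox will fail with a write-scope error."
    }
    [pscustomobject]@{ Scope = $ScopeName; Present = $present; Missing = $missing }
}

# Apply the complete helpdesk filter in one call. Set-ManagementScope replaces the whole
# filter, so passing only the 'User' clause would silently drop the other types.
Set-ManagementScope "HelpdeskWriteScope" -RecipientRestrictionFilter (New-RecipientTypeFilter $HelpdeskRecipientTypes)

# Verify the stored scope before handing the role group to the helpdesk.
Test-ScopeRecipientTypes -ScopeName "HelpdeskWriteScope"
```

Run `Test-ScopeRecipientTypes` against every custom write scope after any change: the `Missing` column should be empty, and a warning means the Enable/Disable-Mailbox failure described in this post is about to recur.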


Sathish Veerapandian

MVP – Exchange Server 



Custom RBAC role for setting "Full Mailbox folder" and "Send as" permission

I tried to create a custom RBAC role for setting the "Full Mailbox" and "Send as" permissions by going through a few blogs and TechNet discussions. I implemented it in my lab and it was successful. I tried hard for Delegates, but there is no option to assign security group members the permission to set Delegates; Delegates can be set only through Outlook.

Below are the steps to create a custom RBAC role for Full Mailbox and Send As; they may be useful to anyone whose environment suits them.

Through an RBAC custom role we can give the members of a security group the permission to set the "Full Mailbox" and "SendAs" access rights on user mailboxes and shared mailboxes.

In order to test this in the lab I first created a distribution group named Exchange Mailbox Folder.


We can use the below command to check the default management role entries:

Get-ManagementRoleEntry "Mail Recipients\*"


Here we have the list of entries in Mail Recipients. We cannot modify the built-in role "Mail Recipients", so we have to create a new custom role.

We can remove all the unwanted cmdlets from the custom role and then assign only the two permissions listed below to the created security group.

1) Add-MailboxPermission

2) Add-MailboxFolderPermission

First we need to create a new management role with the below command:

New-ManagementRole "Custom AddMailbox Permission" -Parent "Mail Recipients"


Now we need to view the list of management role entries the custom role inherited from its parent. We do not need all of them:

Get-ManagementRoleEntry "Custom AddMailbox Permission\*"


Now we can go ahead and remove all of the role entries we do not require and keep only Add-MailboxPermission and Add-MailboxFolderPermission by running the below command (the filter compares the entry name, $_.Name, against the two cmdlets to keep):

Get-ManagementRoleEntry "Custom AddMailbox Permission\*" | where { ($_.Name -ne "Add-MailboxPermission") -and ($_.Name -ne "Add-MailboxFolderPermission") } | Remove-ManagementRoleEntry


We then have to assign the permissions through management role assignments. Each assignment needs its own unique name.

For Full Mailbox and folder permissions run the below command:

New-ManagementRoleAssignment "Add mailbox permissions" -Role "Custom AddMailbox Permission" -SecurityGroup "Exchange MailboxFolder"

For Send As permissions run the below command:

New-ManagementRoleAssignment "Send As permissions" -Role "Active Directory Permissions" -SecurityGroup "Exchange MailboxFolder"


I was successfully able to assign the permissions to the "Exchange MailboxFolder" security group members for setting the "Full Mailbox" and "SendAs" access rights on the user mailboxes.
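Both this post and the earlier Contact Management post follow the same pattern: derive a role from a built-in parent, strip every entry except an allow-list of cmdlets, optionally restrict which parameters one cmdlet may use, then assign the role to a group. As an added example (not code from either post), the pattern generalized into one function with a verification step at the end, then applied to both posts' roles. The function name New-LeastPrivilegeRole and its parameter names are this example's own; the role, parent and group names are the ones the two posts use.

```powershell
# Added example, not from either post. One function that builds a least-privilege custom
# role the way both posts do by hand, and returns the surviving entries for review.
# New-LeastPrivilegeRole and its parameters are invented here; role/group names are the posts'.

function New-LeastPrivilegeRole {
    param(
        [Parameter(Mandatory)][string]$Name,          # custom role to create
        [Parameter(Mandatory)][string]$Parent,        # built-in role to derive from
        [Parameter(Mandatory)][string[]]$KeepCmdlets, # role entries (cmdlets) that survive
        [hashtable]$ParameterAllowList = @{},         # cmdlet name -> parameters to keep
        [string]$SecurityGroup                        # role group or mail-enabled USG to assign
    )
    # 1. Derive the custom role from the parent; built-in roles themselves cannot be edited.
    if (-not (Get-ManagementRole $Name -ErrorAction SilentlyContinue)) {
        New-ManagementRole -Name $Name -Parent $Parent | Out-Null
    }
    # 2. Remove every inherited entry not on the allow-list (entry name == cmdlet name).
    Get-ManagementRoleEntry "$Name\*" |
        Where-Object { $KeepCmdlets -notcontains $_.Name } |
        Remove-ManagementRoleEntry -Confirm:$false
    # 3. Restrict parameters where requested. Identity always stays so the cmdlet can target an object.
    foreach ($cmdlet in $ParameterAllowList.Keys) {
        $params = @('Identity') + $ParameterAllowList[$cmdlet] | Select-Object -Unique
        Set-ManagementRoleEntry "$Name\$cmdlet" -Parameters $params
    }
    # 4. Assign to the group if one was given; assignment names must be unique per tenant/org.
    if ($SecurityGroup) {
        New-ManagementRoleAssignment -Name "$Name - $SecurityGroup" -Role $Name -SecurityGroup $SecurityGroup | Out-Null
    }
    # 5. Return what is actually left so the result is reviewed, not assumed.
    Get-ManagementRoleEntry "$Name\*" | Select-Object Name, Parameters
}

# Contact Management post: only Set-User, only directory-contact fields, given to a role group.
New-LeastPrivilegeRole -Name "Contact Management" -Parent "Mail Recipients" `
    -KeepCmdlets @('Set-User') `
    -ParameterAllowList @{ 'Set-User' = @('Phone','City','Fax','MobilePhone','Department','Title','StreetAddress') }
New-RoleGroup -Name "Contact Editor" -Roles "Contact Management"

# This post: Full Access and folder permissions on mailboxes, assigned to the security group.
New-LeastPrivilegeRole -Name "Custom AddMailbox Permission" -Parent "Mail Recipients" `
    -KeepCmdlets @('Add-MailboxPermission','Add-MailboxFolderPermission') `
    -SecurityGroup "Exchange MailboxFolder"

# Send As, as the post does it: the whole built-in "Active Directory Permissions" role.
New-ManagementRoleAssignment -Name "Send As - Exchange MailboxFolder" `
    -Role "Active Directory Permissions" -SecurityGroup "Exchange MailboxFolder"
```

The returned entry list is the review artefact: for the HR role it should show exactly one line, Set-User with the eight parameters; for the mailbox role exactly two lines. Note that the last assignment grants every cmdlet in the built-in Active Directory Permissions role, not just Add-ADPermission; the same function can derive a trimmed copy of that role too (`-Parent "Active Directory Permissions" -KeepCmdlets @('Add-ADPermission')`) if Send As is all the group should be able to grant.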


Sathish Veerapandian – MVP
