If you want to delegate the management of telephone numbers to certain persons or groups, you can use the Exchange feature "Role Based Access Control (RBAC)". RBAC grants users or groups access to the Exchange Admin Center (EAC), where they can only perform the actions defined in their role.
In the following example, a user is allowed to manage only the telephone numbers of other users.
Copy existing RBAC role
There are already a number of predefined RBAC roles for various administrative purposes. An existing role can be used as a template so that only certain actions can be carried out in the EAC. The "Mail Recipients" role already contains the cmdlets needed to read and modify user attributes, so it serves as the template (parent) for the new "Manage Telephone Numbers" role:
New-ManagementRole -Name "Manage Telephone Numbers" -Parent "Mail Recipients"
A new RBAC role called "Manage Telephone Numbers" now exists; it is a copy of the "Mail Recipients" role with all of its role entries.
Customize new RBAC role
The original "Mail Recipients" role, and therefore also the new "Manage Telephone Numbers" role, has far more permissions than managing telephone numbers requires, so the rights are now restricted accordingly: all unneeded cmdlets are removed from the "Manage Telephone Numbers" role.
The following commands remove all role entries that are not required for managing telephone numbers. The first command removes every cmdlet that is not a Get- cmdlet; the remaining commands remove Get- cmdlets that are not needed either. Note that -match is a regular-expression (substring) match, so a pattern such as "Get-ActiveSync" removes every cmdlet whose name contains that text:
Get-ManagementRoleEntry "Manage Telephone Numbers\*" | Where-Object {$_.Name -notmatch "Get-"} | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry "Manage Telephone Numbers\*" | Where-Object {$_.Name -match "Get-AcceptedDomain"} | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry "Manage Telephone Numbers\*" | Where-Object {$_.Name -match "Get-ActiveSync"} | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry "Manage Telephone Numbers\*" | Where-Object {$_.Name -match "Get-AddressBookPolicy"} | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry "Manage Telephone Numbers\*" | Where-Object {$_.Name -match "Get-DomainController"} | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry "Manage Telephone Numbers\*" | Where-Object {$_.Name -match "Get-HybridConfiguration"} | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry "Manage Telephone Numbers\*" | Where-Object {$_.Name -match "Get-ManagementRoleAssignment"} | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry "Manage Telephone Numbers\*" | Where-Object {$_.Name -match "Get-ResourceConfig"} | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry "Manage Telephone Numbers\*" | Where-Object {$_.Name -match "Get-RoleAssignmentPolicy"} | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry "Manage Telephone Numbers\*" | Where-Object {$_.Name -match "Get-SecurityPrincipal"} | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry "Manage Telephone Numbers\*" | Where-Object {$_.Name -match "Get-ServiceAvailabilityReport"} | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry "Manage Telephone Numbers\*" | Where-Object {$_.Name -match "Get-ServiceStatus"} | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry "Manage Telephone Numbers\*" | Where-Object {$_.Name -match "Get-SiteMailbox"} | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry "Manage Telephone Numbers\*" | Where-Object {$_.Name -match "Get-SiteMailboxProvisioningPolicy"} | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry "Manage Telephone Numbers\*" | Where-Object {$_.Name -match "Get-TextMessagingAccount"} | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry "Manage Telephone Numbers\*" | Where-Object {$_.Name -match "Get-Trust"} | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry "Manage Telephone Numbers\*" | Where-Object {$_.Name -match "Get-UnifiedAuditSetting"} | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry "Manage Telephone Numbers\*" | Where-Object {$_.Name -match "Get-LogonStatistics"} | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry "Manage Telephone Numbers\*" | Where-Object {$_.Name -match "Get-OwaMailboxPolicy"} | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry "Manage Telephone Numbers\*" | Where-Object {$_.Name -match "Get-PhysicalAvailabilityReport"} | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry "Manage Telephone Numbers\*" | Where-Object {$_.Name -match "Get-RbacDiagnosticInfo"} | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry "Manage Telephone Numbers\*" | Where-Object {$_.Name -match "Get-Mobile"} | Remove-ManagementRoleEntry -Confirm:$false
The "Manage Telephone Numbers" role now only contains the Get- cmdlets required to display recipient data. For telephone numbers to be changed or entered, the corresponding write cmdlet must be added back, but only with the parameters that are actually needed.
The following command adds Set-User back to the role with a restricted parameter set. Add-ManagementRoleEntry can only add cmdlets and parameters that exist in the parent role ("Mail Recipients"), so a child role can never grant more than its parent:
Add-ManagementRoleEntry "Manage Telephone Numbers\Set-User" -Parameters MobilePhone,Phone,Fax,OtherFax,HomePhone,Identity
The role has now been customized so that only telephone numbers (and fax) can be edited.
Assign RBAC role
Finally, the new role must be assigned to users so that they receive the corresponding rights:
New-ManagementRoleAssignment -Role "Manage Telephone Numbers" -User lucky
In this case, the user "lucky" is the lucky one who can maintain and adjust the telephone numbers of all recipients in the organization. Without an explicit scope, the assignment inherits the role's implicit, organization-wide write scope; if the delegate should only edit a subset of recipients (for example, not administrator or service accounts), pass -RecipientOrganizationalUnitScope or -CustomRecipientWriteScope to New-ManagementRoleAssignment.
The user view
The user "lucky" now has restricted access to the Exchange Admin Center and only sees the settings covered by the "Manage Telephone Numbers" role. The mailbox settings are still visible, but cannot be changed. Telephone numbers, on the other hand, can be edited by the user.
RBAC roles can therefore be used to delegate administrative tasks with little effort. The example shown here can be adapted for other tasks, such as managing e-mail addresses or creating mailboxes. The procedure is always the same:
- Use the role that fits best as a template
- Adapt new role according to needs
- Testing
- Adapt the role according to requirements
- Testing
- Assign role
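As an added example (not code from the original post), the procedure above written as a reusable function for the Exchange Management Shell. It goes beyond the post in two ways: it uses an allow-list of cmdlets and parameters instead of a remove-list, and it assigns the role with an OU write scope and then checks what was granted. The function name, the OU path contoso.com/Staff, the user lucky, and the three Get- cmdlets kept for the EAC are assumptions; which Get- cmdlets the EAC really needs to render the recipient pages must be verified by testing, as the procedure says.

```powershell
# Added example, not code from the original post. Requires the Exchange Management
# Shell and membership in Organization Management. Names marked "assumption" are
# placeholders for this example.

function New-RestrictedManagementRole {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Name,        # new role, e.g. 'Manage Telephone Numbers'
        [Parameter(Mandatory)] [string] $Parent,      # template role, e.g. 'Mail Recipients'
        # Key = cmdlet to keep; value = array of allowed parameters, or $null to keep all
        [Parameter(Mandatory)] [hashtable] $AllowedEntries
    )

    # Create the child role only once; a child can never hold more than its parent.
    if (-not (Get-ManagementRole -Identity $Name -ErrorAction SilentlyContinue)) {
        New-ManagementRole -Name $Name -Parent $Parent | Out-Null
    }

    # Step 1: allow-list instead of remove-list. Every entry inherited from the parent
    # that is not named in $AllowedEntries is dropped (hashtable keys are case-insensitive).
    Get-ManagementRoleEntry "$Name\*" |
        Where-Object { -not $AllowedEntries.ContainsKey($_.Name) } |
        Remove-ManagementRoleEntry -Confirm:$false

    # Step 2: shrink the parameter set of the entries that stay. Without -AddParameter or
    # -RemoveParameter, Set-ManagementRoleEntry -Parameters replaces the entry's parameter
    # list with exactly the parameters given, so anything not listed (e.g. Set-User -Manager)
    # is no longer available to holders of the role.
    foreach ($cmdlet in $AllowedEntries.Keys) {
        $allowed = $AllowedEntries[$cmdlet]
        if ($null -ne $allowed) {
            Set-ManagementRoleEntry -Identity "$Name\$cmdlet" -Parameters $allowed
        }
    }

    # Return what the role now contains so it can be reviewed before anyone is assigned.
    Get-ManagementRoleEntry "$Name\*" | Select-Object Name, Parameters
}

# --- Usage: the telephone-number role from the post ---------------------------------

$entries = New-RestrictedManagementRole -Name 'Manage Telephone Numbers' -Parent 'Mail Recipients' -AllowedEntries @{
    # Read cmdlets the EAC needs to list and open recipients (assumption; verify by testing)
    'Get-User'      = $null
    'Get-Recipient' = $null
    'Get-Mailbox'   = $null
    # The only write cmdlet, limited to the phone and fax attributes
    'Set-User'      = @('Identity', 'Phone', 'MobilePhone', 'HomePhone', 'Fax', 'OtherFax')
}
$entries | Format-Table Name, Parameters -AutoSize

# Assign with an OU write scope (OU path is an assumption). Without a scope the
# assignment inherits the role's implicit, organization-wide write scope, which would
# let the delegate edit administrator and service accounts as well.
New-ManagementRoleAssignment -Role 'Manage Telephone Numbers' -User 'lucky' `
    -RecipientOrganizationalUnitScope 'contoso.com/Staff'

# Verification: what was actually granted to the delegate ...
Get-ManagementRoleAssignment -RoleAssignee 'lucky' |
    Format-List Role, RoleAssigneeType, RecipientWriteScope, CustomRecipientWriteScope
# ... and which of the delegate's assignments permit writing to a given account.
# With the OU scope in place, an account outside contoso.com/Staff is not covered.
Get-ManagementRoleAssignment -RoleAssignee 'lucky' -WritableRecipient 'Administrator'
```

The allow-list form is easier to audit than the post's remove-list because the hashtable is the complete statement of what the role may do; anything Microsoft adds to the parent role in a future cumulative update is dropped automatically when the function is re-run. The -WritableRecipient check is the quickest way to confirm a scope before handing the role to the delegate.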
Hello Frank,
as always, my research on Exchange has landed me on your site. Many thanks for your work.
I also want to give our support team the "Send As" right. So I created a new role as described.
New-ManagementRole -Name "KKLE-MailboxAdmin" -Parent "Mail Recipients"
I did not remove any permissions, but only tried to add Add-AdPermission.
Add-ManagementRoleEntry "KKLE-MailboxAdmin\Add-AdPermission" -Parameters Identity, User, ExtendedRights
It responds with
"The management role entry "Add-AdPermission" wasn't found for the management role "Mail Recipients". Make sure you typed it correctly, and try again."
The cmdlet does exist, though. So far only Organization Admins have access to it, if my research is right.
Why does the error message refer to the management role "Mail Recipients"? I understood that a copy with the settings of the parent role is created and that there is no link between them.
Best regards
Michael
Hi,
great guide, I'll give it a try.
Could this be extended so that these users could also create contacts?
Best regards
Hi Sebastian,
yes, creating contacts can also be allowed.
Regards, Frank
Nice practical example of RBAC! Many thanks!