Franky's Web

Exchange 2016: Delegate the management of telephone numbers (RBAC)

Anyone who wants to delegate the management of telephone numbers to specific people or groups can use the Exchange feature "Role Based Access Control (RBAC)". RBAC can be used to grant users or groups access to the Exchange Admin Center, where those users are only permitted to perform actions that have been defined in advance.

Using the following example, a user can be allowed to manage only the telephone numbers of other users.

Copy existing RBAC role

There are already some predefined RBAC roles for various administrative purposes. The existing roles can be used as a template so that only certain actions can be carried out in the EAC. The "Mail Recipients" role can be used so that a user can manage telephone numbers for other users. The role can be used as a template for the "Manage Telephone Numbers" role:

New-ManagementRole -Name "Manage Telephone Numbers" -Parent "Mail Recipients"

This means that there is now a new RBAC role called "Manage Telephone Numbers", which has all the settings of the "Mail Recipients" role.

Customize new RBAC role

The original "Mail Recipients" role, and therefore also the new "Manage Telephone Numbers" role, has far too many permissions if the only task is managing telephone numbers, so the rights are now restricted accordingly. To restrict the "Manage Telephone Numbers" role, all role entries (cmdlets) that are not needed are removed.

The following commands remove all role entries that are not required for managing telephone numbers. The first line removes every cmdlet whose name does not contain "Get-", i.e. all write access; the remaining lines remove Get-* cmdlets that the user does not need to see data for other users:

Get-ManagementRoleEntry "Manage Telephone Numbers\*" | Where-Object {$_.Name -notmatch "Get-"} | Remove-ManagementRoleEntry -confirm:$false
Get-ManagementRoleEntry "Manage Telephone Numbers\*" | Where-Object {$_.Name -match "Get-AcceptedDomain"} | Remove-ManagementRoleEntry -confirm:$false
Get-ManagementRoleEntry "Manage Telephone Numbers\*" | Where-Object {$_.Name -match "Get-ActiveSync"} | Remove-ManagementRoleEntry -confirm:$false
Get-ManagementRoleEntry "Manage Telephone Numbers\*" | Where-Object {$_.Name -match "Get-AddressBookPolicy"} | Remove-ManagementRoleEntry -confirm:$false
Get-ManagementRoleEntry "Manage Telephone Numbers\*" | Where-Object {$_.Name -match "Get-DomainController"} | Remove-ManagementRoleEntry -confirm:$false
Get-ManagementRoleEntry "Manage Telephone Numbers\*" | Where-Object {$_.Name -match "Get-HybridConfiguration"} | Remove-ManagementRoleEntry -confirm:$false
Get-ManagementRoleEntry "Manage Telephone Numbers\*" | Where-Object {$_.Name -match "Get-ManagementRoleAssignment"} | Remove-ManagementRoleEntry -confirm:$false
Get-ManagementRoleEntry "Manage Telephone Numbers\*" | Where-Object {$_.Name -match "Get-ResourceConfig"} | Remove-ManagementRoleEntry -confirm:$false
Get-ManagementRoleEntry "Manage Telephone Numbers\*" | Where-Object {$_.Name -match "Get-RoleAssignmentPolicy"} | Remove-ManagementRoleEntry -confirm:$false
Get-ManagementRoleEntry "Manage Telephone Numbers\*" | Where-Object {$_.Name -match "Get-SecurityPrincipal"} | Remove-ManagementRoleEntry -confirm:$false
Get-ManagementRoleEntry "Manage Telephone Numbers\*" | Where-Object {$_.Name -match "Get-ServiceAvailabilityReport"} | Remove-ManagementRoleEntry -confirm:$false
Get-ManagementRoleEntry "Manage Telephone Numbers\*" | Where-Object {$_.Name -match "Get-ServiceStatus"} | Remove-ManagementRoleEntry -confirm:$false
Get-ManagementRoleEntry "Manage Telephone Numbers\*" | Where-Object {$_.Name -match "Get-SiteMailbox"} | Remove-ManagementRoleEntry -confirm:$false
Get-ManagementRoleEntry "Manage Telephone Numbers\*" | Where-Object {$_.Name -match "Get-SiteMailboxProvisioningPolicy"} | Remove-ManagementRoleEntry -confirm:$false
Get-ManagementRoleEntry "Manage Telephone Numbers\*" | Where-Object {$_.Name -match "Get-TextMessagingAccount"} | Remove-ManagementRoleEntry -confirm:$false
Get-ManagementRoleEntry "Manage Telephone Numbers\*" | Where-Object {$_.Name -match "Get-Trust"} | Remove-ManagementRoleEntry -confirm:$false
Get-ManagementRoleEntry "Manage Telephone Numbers\*" | Where-Object {$_.Name -match "Get-UnifiedAuditSetting"} | Remove-ManagementRoleEntry -confirm:$false
Get-ManagementRoleEntry "Manage Telephone Numbers\*" | Where-Object {$_.Name -match "Get-LogonStatistics"} | Remove-ManagementRoleEntry -confirm:$false
Get-ManagementRoleEntry "Manage Telephone Numbers\*" | Where-Object {$_.Name -match "Get-OwaMailboxPolicy"} | Remove-ManagementRoleEntry -confirm:$false
Get-ManagementRoleEntry "Manage Telephone Numbers\*" | Where-Object {$_.Name -match "Get-PhysicalAvailabilityReport"} | Remove-ManagementRoleEntry -confirm:$false
Get-ManagementRoleEntry "Manage Telephone Numbers\*" | Where-Object {$_.Name -match "Get-RbacDiagnosticInfo"} | Remove-ManagementRoleEntry -confirm:$false
Get-ManagementRoleEntry "Manage Telephone Numbers\*" | Where-Object {$_.Name -match "Get-Mobile"} | Remove-ManagementRoleEntry -confirm:$false

The "Manage Telephone Numbers" role now only contains cmdlets that are required to display data. For telephone numbers to be changed or entered as well, the corresponding write rights must be added back.

The following command adds the Set-User cmdlet back to the role with a restricted parameter set, so that only the telephone and fax fields can be written:

Add-ManagementRoleEntry "Manage Telephone Numbers\Set-User" -Parameters MobilePhone,Phone,Fax,OtherFax,HomePhone,Identity

The role has now been customized so that only telephone numbers (and fax) can be edited.

Assign RBAC role

Finally, the new role must be assigned to users so that they receive the corresponding rights:

New-ManagementRoleAssignment -Role "Manage Telephone Numbers" -User lucky

In this case, the user with the name "Lucky" is the lucky one who can maintain and adjust all of the organization's telephone numbers.
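Once the three steps above have been run, the following script checks that the customized role really is read-only apart from the restricted Set-User entry and lists who has been assigned it. This is an added example, not code from the original post; it assumes the role name and the Set-User parameter list used in this post and is run in the Exchange Management Shell.

```powershell
# Added example (not from the original post): verify the least-privilege
# state of the "Manage Telephone Numbers" role and review its assignments.
# Assumptions: Exchange Management Shell session; role name and parameter
# allow-list taken from the Add-ManagementRoleEntry call in the post.

$RoleName = "Manage Telephone Numbers"
$AllowedSetUserParams = @("MobilePhone", "Phone", "Fax", "OtherFax", "HomePhone", "Identity")

# 1. Every entry in the role. Anything that is neither a Get-* cmdlet nor
#    Set-User is unexpected write access and is reported.
$entries = Get-ManagementRoleEntry "$RoleName\*"
$unexpected = $entries | Where-Object { $_.Name -notlike "Get-*" -and $_.Name -ne "Set-User" }
if ($unexpected) {
    Write-Warning "Unexpected write cmdlets in role '$RoleName':"
    $unexpected | Select-Object Name, Parameters | Format-Table -AutoSize
} else {
    Write-Host "OK: only Get-* cmdlets and Set-User are present."
}

# 2. Set-User must exist and must not expose parameters outside the allow-list
#    (for example Manager, DisplayName or UserPrincipalName must not be present).
$setUser = $entries | Where-Object { $_.Name -eq "Set-User" }
if (-not $setUser) {
    Write-Warning "Set-User is missing from the role; the user cannot change phone numbers."
} else {
    $extra = $setUser.Parameters | Where-Object { $AllowedSetUserParams -notcontains $_ }
    if ($extra) {
        Write-Warning ("Set-User exposes parameters beyond the allow-list: " + ($extra -join ", "))
    } else {
        Write-Host "OK: Set-User is limited to: $($setUser.Parameters -join ', ')"
    }
}

# 3. Who holds the role, and with which write scope? Review this list regularly
#    and remove stale assignments with Remove-ManagementRoleAssignment.
Get-ManagementRoleAssignment -Role $RoleName |
    Select-Object Name, RoleAssigneeName, RoleAssigneeType, RecipientWriteScope
```

The third step is worth a look even when the first two pass: the assignment created with New-ManagementRoleAssignment above has the default recipient write scope, so "Lucky" can edit the telephone numbers of every user in the organization. If the delegate should only maintain one department, create the assignment with the -RecipientOrganizationalUnitScope parameter of New-ManagementRoleAssignment pointing at that OU instead.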

The user view

The user "Lucky" now has restricted access to the Exchange Admin Center in which he only sees the settings that apply to the "Manage Telephone Numbers" role:

The user can now still see the mailbox settings, but cannot change them:

Telephone numbers, on the other hand, may be changed by the user:

RBAC roles can therefore be used to delegate administrative tasks with little effort. The example shown here can also be adapted for other tasks, for example the administration of e-mail addresses or the creation of mailboxes. The procedure is always the same:
