A reader of this page asked whether certain users can be allowed to create and manage contacts for the organization. A dedicated RBAC (Role Based Access Control) role can be set up for this with little effort: a role that can only create and edit contacts within a specific organizational unit. Members of that role can then manage contacts via the Exchange Admin Center.
To delegate the creation and management of contacts, two new management roles must first be created. The new management roles are derived from existing roles (in this case "Mail Recipients" and "Mail Recipient Creation"):
New-ManagementRole -Parent "Mail Recipients" -Name Contacts
New-ManagementRole -Parent "Mail Recipient Creation" -Name ContactCreation
All commands that are not required for creating contacts are now removed from the newly created management roles; this is done with the following two commands:
Get-ManagementRoleEntry -Identity "Contacts\*" | where {$_.Name -notlike "*MailContact"} | Remove-ManagementRoleEntry -confirm:$false
Get-ManagementRoleEntry -Identity "ContactCreation\*" | where {$_.Name -notlike "*MailContact"} | Remove-ManagementRoleEntry -confirm:$false
The two commands above have removed all commands that do not have "MailContact" in their name from the new management roles. However, a few more commands are needed to create and manage contacts, so these must be added back:
Add-ManagementRoleEntry -Identity "Contacts\Get-User"
Add-ManagementRoleEntry -Identity "Contacts\Get-Recipient"
Add-ManagementRoleEntry -Identity "Contacts\Set-Contact"
Add-ManagementRoleEntry -Identity "Contacts\Get-Contact"
Add-ManagementRoleEntry -Identity "ContactCreation\Get-OrganizationalUnit"
Add-ManagementRoleEntry -Identity "ContactCreation\Get-User"
Add-ManagementRoleEntry -Identity "ContactCreation\Get-Recipient"
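A review step I add here, not part of the original post: after the remove and add-back commands above, this script lists what each custom role still allows and flags any entry that is neither a *MailContact cmdlet nor one of the cmdlets the post deliberately adds back, so an unintended leftover is caught before the role is assigned. The parent role names and the add-back lists are taken from the commands above.

```powershell
# Added review script (not from the original post). It checks the two trimmed
# roles against the intended set: "*MailContact" cmdlets plus the explicit add-backs.
$roles = @{
    'Contacts' = @{
        Parent    = 'Mail Recipients'
        AddedBack = @('Get-User', 'Get-Recipient', 'Set-Contact', 'Get-Contact')
    }
    'ContactCreation' = @{
        Parent    = 'Mail Recipient Creation'
        AddedBack = @('Get-OrganizationalUnit', 'Get-User', 'Get-Recipient')
    }
}

foreach ($role in $roles.Keys) {
    $cfg     = $roles[$role]
    $entries = @(Get-ManagementRoleEntry -Identity "$role\*")
    Write-Host "`nRole '$role': $($entries.Count) entries"

    foreach ($entry in $entries) {
        $intended = (($entry.Name -like '*MailContact') -or ($cfg.AddedBack -contains $entry.Name))
        $tag = if ($intended) { 'ok' } else { 'UNEXPECTED' }
        # Parameters shows which parameters of the cmdlet this role entry exposes
        '{0,-10} {1,-26} {2}' -f $tag, $entry.Name, ($entry.Parameters -join ', ')
    }

    # How much narrower is the custom role than the role it was derived from?
    $parentCount = @(Get-ManagementRoleEntry -Identity "$($cfg.Parent)\*").Count
    Write-Host "Parent role '$($cfg.Parent)' has $parentCount entries; $($parentCount - $entries.Count) were dropped."

    $stray = $entries | Where-Object {
        $_.Name -notlike '*MailContact' -and $cfg.AddedBack -notcontains $_.Name
    }
    if ($stray) {
        Write-Warning "Role '$role' still contains entries outside the intended set: $($stray.Name -join ', ')"
    }
}
```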
The two management roles are now ready. A new organizational unit for the contacts can now be created in the Active Directory; the users will later only be given permission to create contacts within this organizational unit:
A new administrator role is now created in the Exchange Admin Center:
The new administrator role is given the name "Contact Management"; the write scope is entered only after the role has been saved (otherwise an error message appears). The previously created management roles are then added and the members of the administrator role are defined:
Once the administrator role has been saved, the write scope can be adjusted. The canonical name of the organizational unit is entered here:
Specifying the organizational unit prevents contacts from being created in other organizational units:
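The same role group can also be built from the Exchange Management Shell, which sets the OU write scope in the same step instead of after saving. This is an added example, not the post's own steps (the post uses the Exchange Admin Center); the OU canonical name and the member accounts are assumed values.

```powershell
# Added example (not from the original post): create the "Contact Management"
# role group with both custom roles and a recipient write scope limited to the
# contacts OU, then verify that every resulting assignment carries that scope.
$groupName = 'Contact Management'
$contactOu = 'contoso.local/Contacts'   # canonical name of the contacts OU (assumed)
$members   = 'alice', 'bob'             # accounts to delegate to (assumed)

New-RoleGroup -Name $groupName `
    -Roles 'Contacts', 'ContactCreation' `
    -RecipientOrganizationalUnitScope $contactOu `
    -Members $members

# Verify: an assignment without the OU scope would let members write contacts
# anywhere the parent role's default scope allows, so compare all assignments
# of the group with those filtered to the OU scope.
$all    = @(Get-ManagementRoleAssignment -RoleAssignee $groupName)
$scoped = @(Get-ManagementRoleAssignment -RoleAssignee $groupName -RecipientOrganizationalUnitScope $contactOu)

$all | Format-Table Name, Role, RecipientWriteScope -AutoSize

if ($all.Count -eq 0) {
    Write-Warning "No role assignments found for '$groupName'."
} elseif ($scoped.Count -ne $all.Count) {
    $missing = $all | Where-Object { $scoped.Name -notcontains $_.Name }
    Write-Warning "Assignments not limited to '$contactOu': $($missing.Name -join ', ')"
} else {
    Write-Host "All $($all.Count) assignments of '$groupName' are limited to '$contactOu'."
}
```

A member can then confirm the restriction from their own session: New-MailContact with -OrganizationalUnit pointing outside the scoped OU is rejected, which is the error message the post describes.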
Members of the "Contact Management" administrator role can now log in to the Exchange Admin Center and only have the authorization to create and edit contacts:
Only a few details are required to create a new contact, and with a little training this should not be a problem. However, members of the role must always select the alias and the organizational unit. If the organizational unit is left blank or an OU outside the write scope is selected, an error message is displayed:
If desired, a new address list containing the new contacts can be created:
Hello,
I tried this with Exchange Online and get the following error with
Get-ManagementRoleEntry -Identity "Contacts\*" | where {$_.Name -notlike "*MailContact"} | Remove-ManagementRoleEntry -confirm:$false
Write-ErrorMessage : Cannot process argument transformation on parameter ‚Identity‘. Cannot convert value „Contacts“ to type
„Microsoft.Exchange.Configuration.Tasks.RoleEntryIdParameter“. Error: „Das Format des in den Parameter
Microsoft.Exchange.Configuration.Tasks.RoleEntryIdParameter eingegebenen Werts ist ungültig. Prüfen Sie den Wert, und versuchen Sie
es erneut.
Parameter name: identity“
In C:\Users\RRo\AppData\Local\Temp\tmpEXO_01qgvmyh.5dr\tmpEXO_01qgvmyh.5dr.psm1:1190 Zeichen:13
+ Write-ErrorMessage $ErrorObject
We have a hybrid environment, i.e. Exchange Online is also involved, so the command had to be rewritten:
Get-ManagementRoleEntry "Contacts\*" | where {$_.Name -notlike '*MailContact'} | foreach {Remove-ManagementRoleEntry -Identity "$($_.id)\$($_.name)" -confirm:$false}
See also "Example 2" here:
https://learn.microsoft.com/de-de/powershell/module/exchange/remove-managementroleentry?view=exchange-ps#beispiel-2
Hello Frank,
Thank you very much for this helpful guide. Now I would like the restricted users to also be able to create the address lists and add the contacts and Exchange users to the address lists. Which ManagementRoleEntry do I still need to assign to the 2 groups for that?
Best regards
Michael
Hi,
Is there also a way to give the role the permission to create/edit groups?
Regards, Oli
Basically yes, but there simply aren't any OUs there. ;)
Hello Frank,
Cool solution. Does this also work with Exchange Online?
Best regards