Again, this is not brain surgery. You just need to calm your mind and enjoy understanding it.
Yes, I know there are default settings or features that don't meet the customer's requirements, so they always request customization.
So basically I expect that you know what the default roles in Exchange hybrid are and which permissions they contain. You have to be an administrator to be able to view the roles. You can find them at your Exchange hybrid console > Permission > Admin roles.
*Note:
- I prefer to use PowerShell to create a customized permission role because it provides more detail about which functions run in each role type.
- You can dig deeper by removing or adding specific functions of a role type that you do or do not want in your customization.
- Try not to change the default roles provided.
- Always create a new role.
Using the interface to create an Admin Roles Group
However, the interface doesn't actually allow you to create customized roles.
To create a new customized permission role, go to Exchange Hybrid console > Permission > Admin roles > “+”.
Example below:
Select the roles you want for your customized permission:
Using PowerShell to create the customization
What I do is copy a default role and its permissions, choosing the one closest to my client's request, into my new role. Then I eliminate permissions with a comparison filter such as “if the permission is not one of these, remove it”. This definitely saves a lot of time.
If you aren't sure which default role to copy, extract the detailed list of each role's permissions. Simply type the following command:

```powershell
Get-ManagementRole * | Get-ManagementRoleEntry
```
- Go to your Exchange Hybrid Server > Open the Exchange PowerShell console (Run as Administrator)
- Run these commands below
```powershell
# Get a list of role types
Get-ManagementRole

# Get the function details of each role type
Get-ManagementRole "RoleTypeName" | Get-ManagementRoleEntry

# Create a new customized role by copying a default role type
New-ManagementRole -Parent "RoleTypeName" -Name "NewCustomizePermissionRoleName"
```
*RoleTypeName is one of the names in the picture below, circled in red.
Get-ManagementRoleEntry basically gets the list of permissions inside the role.
*Each role has its own list of permissions.
- If you wish to limit or remove a role type's function/permission, you can run these commands
```powershell
# Find the customization that you created.
# Remove every function whose name is not "Get-RemoteDomain" or "New-RemoteDomain".
Get-ManagementRoleEntry "NewCustomizePermissionRoleName\*" |
    Where { $_.Name -NotLike "Get-RemoteDomain" -and $_.Name -NotLike "New-RemoteDomain" } |
    Remove-ManagementRoleEntry

# Query your modified customization to check that the modification is correct.
Get-ManagementRoleEntry "NewCustomizePermissionRoleName\*" | select name,role | ft

# If you wish to undo a removal, run this command.
# It gets the function "Get-Mailbox" from the role type and adds it back into your customization.
Get-ManagementRoleEntry "RoleTypeName\Get-Mailbox" |
    Add-ManagementRoleEntry -Role "NewCustomizePermissionRoleName"
```
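The copy, trim and check steps above can be combined into one function that refuses to proceed on a mistyped allow-list and verifies the result before the role is assigned to anyone. This is an added example, not code from the original post; the function name `New-TrimmedManagementRole`, its parameters and the `-Preview` switch are hypothetical, and the role names in the usage comment are the post's placeholders.

```powershell
# Added example; function and parameter names are hypothetical.
# Run in the Exchange PowerShell console as an administrator.
function New-TrimmedManagementRole {
    param(
        [Parameter(Mandatory)] [string]   $ParentRole,      # default role to copy
        [Parameter(Mandatory)] [string]   $Name,            # new custom role
        [Parameter(Mandatory)] [string[]] $AllowedCmdlets,  # entries to keep
        [switch] $Preview                                   # list removals only
    )

    # Never overwrite or re-trim a role that already exists.
    if (Get-ManagementRole -Identity $Name -ErrorAction SilentlyContinue) {
        throw "Role '$Name' already exists."
    }

    # A typo in the allow-list would otherwise yield a role missing that cmdlet.
    $parentNames = @((Get-ManagementRoleEntry "$ParentRole\*").Name)
    $missing = @($AllowedCmdlets | Where-Object { $_ -notin $parentNames })
    if ($missing.Count) {
        throw "Not in parent role '$ParentRole': $($missing -join ', ')"
    }

    # Everything in the parent that is not explicitly allowed gets removed.
    $toRemove = @($parentNames | Where-Object { $_ -notin $AllowedCmdlets })
    if ($Preview) { return $toRemove }

    New-ManagementRole -Parent $ParentRole -Name $Name | Out-Null
    foreach ($cmdlet in $toRemove) {
        Remove-ManagementRoleEntry -Identity "$Name\$cmdlet" -Confirm:$false
    }

    # Verify: what is left must match the allow-list exactly.
    $remaining = @((Get-ManagementRoleEntry "$Name\*").Name)
    $diff = Compare-Object -ReferenceObject $AllowedCmdlets -DifferenceObject $remaining
    if ($diff) {
        Write-Warning ($diff | Format-Table InputObject, SideIndicator | Out-String)
        throw "Role '$Name' does not match the allow-list; review before assigning it."
    }
    Get-ManagementRoleEntry "$Name\*" | Select-Object Name, Role
}

# Usage with the post's placeholders (drop -Preview to create the role):
# New-TrimmedManagementRole -ParentRole "RoleTypeName" `
#     -Name "NewCustomizePermissionRoleName" `
#     -AllowedCmdlets "Get-RemoteDomain", "New-RemoteDomain" -Preview
```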