Delegation of RBAC rights

Андрей Михалевский 3,401 Reputation points
2025-01-15T15:29:28.7566667+00:00

Hi.

I need to delegate cmdlet management rights to the helpdesk:

"Set-CASMailbox", "Get-CASMailbox", "Get-MobileDeviceStatistics", "Remove-MobileDevice"

I implemented this with a script.

But now the user cannot access /ECP - Access Denied 403

What's missing? I tried adding a role: New-ManagementRoleAssignment -Role "MyBaseOptions" -SecurityGroup $CustomGroupName

But it didn't help.


$CustomGroupName  = "MobileDevice Administrators"
$CASMailboxRole   = "Custom CAS Mailbox Management"
$MobileDeviceRole = "Custom Mobile Device Management"
$userAccount      = "test_user"

# Custom role derived from "Organization Client Access", trimmed to the two CAS mailbox cmdlets
New-ManagementRole -Name $CASMailboxRole -Parent "Organization Client Access"
Get-ManagementRoleEntry "$CASMailboxRole\*" | Where-Object { $_.Name -notin @("Set-CASMailbox", "Get-CASMailbox") } | Remove-ManagementRoleEntry -Confirm:$false
# Restrict Set-CASMailbox to the ActiveSync device-list parameters. Set-ManagementRoleEntry -Parameters (without
# -AddParameter/-RemoveParameter) replaces the entry's parameter list; a Where-Object over the single entry either
# removed the whole cmdlet or did nothing, so it could not narrow the parameters.
Set-ManagementRoleEntry -Identity "$CASMailboxRole\Set-CASMailbox" -Parameters Identity, ActiveSyncAllowedDeviceIDs, ActiveSyncBlockedDeviceIDs

# Custom role derived from "Mail Recipients", trimmed to the two mobile-device cmdlets
New-ManagementRole -Name $MobileDeviceRole -Parent "Mail Recipients"
Get-ManagementRoleEntry "$MobileDeviceRole\*" | Where-Object { $_.Name -notin @("Get-MobileDeviceStatistics", "Remove-MobileDevice") } | Remove-ManagementRoleEntry -Confirm:$false

# Role group carrying both custom roles; membership is what delivers the role assignments to the user
New-RoleGroup -Name $CustomGroupName -Roles $CASMailboxRole, $MobileDeviceRole -Members $userAccount

1 answer

  1. Alex Zhang-MSFT 3,940 Reputation points Microsoft Vendor
    2025-01-16T02:12:13.27+00:00

    Hello, @Андрей Михалевский,

    Welcome to the Microsoft Q&A platform!

    You have done quite a bit of work to set up custom roles for your helpdesk. To resolve the 403 Access Denied error when accessing the ECP, there are a few more things you can consider.

    1. The "Access Denied 403" issue occurs if a computer object is added to a group that is denied the ms-Exch-EPI-Token-Serialization user right. To resolve this issue, please remove the computer object from the restricted group. For more details, please refer to: Error in EMS, EAC, ECP, OWA, or Outlook on the web in Exchange Server - Exchange | Microsoft Learn.

    2. You may lack the necessary role assignments to grant access to the Exchange Control Panel (ECP). To give access to ECP, the user typically needs more general roles beyond the specific cmdlets you've defined. One common role to add is "MyBaseOptions," but it seems you've already tried that without success. Another role that can be useful is "MyMailboxDelegation."

    New-ManagementRoleAssignment -Role "MyBaseOptions" -SecurityGroup $CustomGroupName
    New-ManagementRoleAssignment -Role "MyMailboxDelegation" -SecurityGroup $CustomGroupName
    

    3. Assign users to security groups and verify the roles assigned to users.

    # Role groups are managed with the *-RoleGroupMember cmdlets, not Add-DistributionGroupMember
    Add-RoleGroupMember -Identity $CustomGroupName -Member $userAccount
    Get-ManagementRoleAssignment -RoleAssignee $userAccount
    

    4. If adding the above roles doesn't help, you can try adding some other roles related to managing personal options through ECP. These might include:

    New-ManagementRoleAssignment -Role "MyProfileInformation" -SecurityGroup $CustomGroupName
    New-ManagementRoleAssignment -Role "MyContactInformation" -SecurityGroup $CustomGroupName
    New-ManagementRoleAssignment -Role "MyRetentionPolicies" -SecurityGroup $CustomGroupName
    

    5. Remember that changes to role assignments sometimes require an IIS reset to take effect.

    IISRESET
    

    After trying the above steps, make sure the user logs out and logs back into the ECP portal. If the problem persists, you may need to double-check role assignments and make sure there are no conflicting permissions.

    Should you need more help on this, you can feel free to post back. 



    Thank you for your support and understanding.

    Best Wishes,

    Alex Zhang
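Before adding broader roles such as MyBaseOptions, it helps to see exactly which cmdlets and parameters the helpdesk user ends up with, and through which assignment and write scope. The script below is an added example and is not code from the question or the answer above. It assumes an Exchange Management Shell session, uses the user name from the question, and assumes that the EffectiveUserName value reported by Get-ManagementRoleAssignment -GetEffectiveUsers matches the user's Name property; the function name Get-EffectiveRbacReport is hypothetical.

```powershell
# Added example, not from the thread: report the effective RBAC surface of a
# helpdesk user (cmdlets, permitted parameters, delivering assignment and its
# write scope) and diff it against the four cmdlets the question asks for.
function Get-EffectiveRbacReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $User,
        [string[]] $ExpectedCmdlets = @('Get-CASMailbox', 'Set-CASMailbox',
                                        'Get-MobileDeviceStatistics', 'Remove-MobileDevice')
    )

    # Resolve the account first: EffectiveUserName is assumed to carry the
    # user's Name, not whatever alias or UPN was passed in.
    $target = Get-User -Identity $User -ErrorAction Stop

    # -GetEffectiveUsers expands role groups, USGs and role assignment policies,
    # so an assignment made to "MobileDevice Administrators" is listed under
    # each member. -RoleAssignee $User alone shows only direct assignments.
    $assignments = Get-ManagementRoleAssignment -GetEffectiveUsers -Enabled $true |
        Where-Object { $_.EffectiveUserName -eq $target.Name }

    if (-not $assignments) {
        Write-Warning "No enabled role assignment reaches '$($target.Name)'."
    }

    # One row per (assignment, cmdlet). A role entry that lacks a parameter, or
    # an assignment whose recipient write scope excludes the target mailbox,
    # both fail at run time even though the cmdlet name is present.
    $rows = foreach ($a in $assignments) {
        $entries = Get-ManagementRoleEntry -Identity "$($a.Role)\*" -Type Cmdlet
        foreach ($e in $entries) {
            [pscustomobject]@{
                Cmdlet      = $e.Name
                Role        = [string]$a.Role
                AssignedVia = "$($a.RoleAssigneeType): $($a.RoleAssigneeName)"
                WriteScope  = "$($a.RecipientWriteScope) $($a.CustomRecipientWriteScope)".Trim()
                Parameters  = ($e.Parameters -join ',')
            }
        }
    }

    $have    = @($rows | Select-Object -ExpandProperty Cmdlet | Sort-Object -Unique)
    $missing = @($ExpectedCmdlets | Where-Object { $_ -notin $have })
    $extra   = @($have | Where-Object { $_ -notin $ExpectedCmdlets })

    [pscustomobject]@{
        User    = $target.Name
        Rows    = @($rows)
        Missing = $missing   # requested cmdlets the user still cannot run
        Extra   = $extra     # everything else the assigned roles bring along
    }
}

# Usage: list the effective surface, then the two diffs that matter.
$report = Get-EffectiveRbacReport -User 'test_user'
$report.Rows | Sort-Object Cmdlet, Role |
    Format-Table Cmdlet, Role, AssignedVia, WriteScope, Parameters -AutoSize
"Missing : $($report.Missing -join ', ')"
"Extra   : $($report.Extra -join ', ')"
```

Run it once after creating the role group and again after each New-ManagementRoleAssignment from the answer: the Extra list shows how far each added end-user role widens the helpdesk's surface beyond the four requested cmdlets, which is the least-privilege cost of getting the ECP page to render.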

