Create a custom user role in Exchange Online using RBAC - part 2
Hi guys,
In this second part, I have written a script that creates a new user role using a given list of cmdlets/entries. Unlike the script from the first part, in this one we are just identifying the common parent role of the given commands and creating a new user role that contains them. If you later want to customize even more the cmdlets and remove some switches from within, you can either refer to my first article - Create a custom user role in Exchange Online using RBAC – part 1 or simply manually edit the entries:
#Remove the unwanted switches
Set-ManagementRoleEntry CustomRBAC\Set-Mailbox -Parameters ExternalOofOptions,ForwardingAddress,ForwardingSmtpAddress -RemoveParameter -Confirm:$false
#Remove the cmdlet along with the switches that it contains and add just the parameters that you want
Remove-ManagementRoleEntry CustomRBAC\Set-mailbox -Confirm:$false
Add-ManagementRoleEntry CustomRBAC\Set-Mailbox -Parameters ExternalOofOptions,ForwardingAddress,ForwardingSmtpAddress
What do you need to know before you begin?
- In order to be able to create a custom user role containing a specific list of cmdlets, you need to make sure that these cmdlets have at least one parent management user role in common. The "-parent" switch is mandatory when you create a new management role in Exchange Online.
e.g. Create a custom user role that contains the following cmdlets:
Remove-InboxRule
New-InboxRule
Set-CasMailbox
Clear-MobileDevice
If you run the command below for each cmdlet you're gonna find that MyBaseOptions is the common parent for all of them.
PS C:\WINDOWS\system32> Get-ManagementRole -Cmdlet Remove-InboxRule | ? {$_.IsEndUserRole -match 'True' -and $_.IsRootRole -match 'True'}
Name RoleType
---- --------
MyBaseOptions MyBaseOptions
- When the child/user management role is being created, the parent management role assignment is removed (if there's an existing one) and the child is becoming active.
Type the cmdlets that you want to add to your custom RBAC user role: Remove-InboxRule,New-InboxRule,Set-CasMailbox,Clear-MobileDevice
Type the name for the new custom RBAC user role: CustomRBAC
DISCLAIMER: This application is a sample application. The sample is provided “as is” without warranty of any kind. Microsoft further disclaims all implied warranties including without limitation any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the samples remains with you. in no event shall Microsoft or its suppliers be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss arising out of the use of or inability to use the samples, even if Microsoft has been advised of the possibility of such damages). Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.
$var = @();
$common = @();
$ErrorActionPreference = 'SilentlyContinue'
[array]$list = (Read-Host "Type the cmdlets that you want to add to your custom RBAC user role").split(“,”)
for($j=0;$j -lt $list.Count; $j++){
if(!$j) {
(Get-ManagementRole -Cmdlet $list[$j] | ? {$_.IsEndUserRole -match 'True' -and $_.IsRootRole -match 'True'}).RoleType | % { $var+=$_; }
}
else {
if($j -gt 1) { $var = $common; $common = @(); }
(Get-ManagementRole -Cmdlet $list[$j] | ? {$_.IsEndUserRole -match 'True' -and $_.IsRootRole -match 'True'}).RoleType | % {
for($i=0;$i -lt $var.Count; $i++){
if($_ -eq $var[$i]) { $common+=$_; }
}
}
}
}
$name = Read-Host "Type the name for the new custom RBAC user role"
if($common) {
New-ManagementRole $name -Parent $common[0]
}
else {
Write-Host "The cmdlets that you entered don't have a common root role" -ForegroundColor yellow
}
Get-ManagementRoleEntry $name\* | % {
Remove-ManagementRoleEntry "$name\$($_.Name)" -Confirm:$false
}
$remove = (Get-ManagementRoleEntry $name\*).Name
foreach ($cmd in $list)
{
Add-ManagementRoleEntry "$name\$($cmd)"
}
Remove-ManagementRoleEntry $name\$remove -Confirm:$false
$parent = Get-ManagementRoleAssignment -RoleAssignee "Default Role Assignment Policy" -Role $common[0]
if($parent) { Remove-ManagementRoleAssignment -Confirm:$false }
New-ManagementRoleAssignment -Name "$name-RAP" -Role $name -Policy "Default Role Assignment Policy"