Exchange 2010/2013/2016 and Exchange Online – List which RBAC role groups / roles the currently logged-on user has
Hi all!
Another quick post. I post mostly so I can refer back to it when I need it, which I suspect will be quite often in the near future, and of course to let you guys know as well. This post is about listing which RBAC roles the user currently logged on in PowerShell has.
There are 2 parts here:
- one with the command line to get the roles assigned to the current user that is local to the computer, and how it’s been assigned to him (whether it’s been assigned to the connected user using a Role Group aka Role Group assignment type, or using a RBAC Policy, or using direct role assignment, etc…)
- one with the cmdlet to get the roles assigned to the current user that opened a remote PowerShell session, like a remote session on Exchange Online (see here about how to connect to your O365 tenant)
Part I – Getting the list of role assignments and the type of each of these role assignments for the current computer local user
NOTE: you must be in an Exchange Management Shell to be able to run the below command, or at least in a local PowerShell session into which you imported a PowerShell session from an Exchange server…
Get-ManagementRoleAssignment -RoleAssignee $env:username | Group -Property RoleAssigneeName, RoleAssigneeType | Sort Name | ft Name -a
This is what you get for example:
Name
----
Default Role Assignment Policy, RoleAssignmentPolicy
Discovery Management, RoleGroup
Organization Management, RoleGroup
The above means that $env:username, which is the locally logged on user (or the user who launched the PowerShell session using “Run as another user…”), has roles assigned by the “Default Role Assignment Policy” that is applied to him, which is a "Role Assignment Policy", as well as two "Role Groups" assigned to him: the Discovery Management role group and the Organization Management role group.
Then you can see which Management Roles are in each of the above, for example by running the following:
Get-RoleGroup "Organization Management" | Select-Object -ExpandProperty Roles
This is what you’ll get for example for Organization Management:
Active Directory Permissions
Address Lists
ApplicationImpersonation
Audit Logs
Cmdlet Extension Agents
Database Availability Groups
Database Copies
Databases
Disaster Recovery
etc…
(note: the “etc…” is not a management role …)
Part II – Getting the list of role assignments and the type of each of these for a user connected on Exchange Online
NOTE: you must be connected to an Exchange Online tenant before you can run the below commands - see here about how to connect to your O365 tenant
First get the current user name (see my friend Rhoderick’s post for more information about it – you may specify a specific PSSession if you have more than one session within your currently opened PowerShell console):
$CurrentExOUser=(Get-PSSession).Runspace.OriginalConnectionInfo.Credential.UserName
Then call the same command as Part I except that you now specify the $CurrentExOUser variable we provisioned above for the “-RoleAssignee” parameter:
Get-ManagementRoleAssignment -RoleAssignee $CurrentExOUser | Group -Property RoleAssigneeName, RoleAssigneeType | Sort Name | ft Name -a
This is what you get for example:
Name
----
Organization Management, RoleGroup
And the above means that the user who has opened the local session has the “Organization Management” assignment, which is a Role Group.
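Parts I and II combined, as an added example that is not from the original post: instead of grouping by assignee, it lists every management role the user holds next to the role group or policy that grants it, which is the view you want for a least-privilege review. The function name Get-CurrentUserRbacRole and the $ReviewRoles watch list are assumptions made for this example; the watch list uses built-in role names and should be replaced with your own policy.

```powershell
# Added example, not the author's code. Run it in an Exchange Management Shell
# or in a session connected to Exchange Online, as in Parts I and II.
function Get-CurrentUserRbacRole {
    param(
        # Part I default: the locally logged-on user.
        # For Part II, pass the user name taken from the remote session.
        [string]$RoleAssignee = $env:USERNAME,

        # Constructed watch list (assumption): roles you want to look at twice.
        [string[]]$ReviewRoles = @(
            'ApplicationImpersonation',
            'Role Management',
            'Mailbox Search',
            'Mailbox Import Export'
        )
    )

    # One row per (role, assignee). Calculated properties keep this usable
    # on the older PowerShell versions that ship with Exchange 2010.
    Get-ManagementRoleAssignment -RoleAssignee $RoleAssignee |
        Select-Object `
            @{ Name = 'Role';          Expression = { "$($_.Role)" } },
            @{ Name = 'GrantedBy';     Expression = { "$($_.RoleAssigneeName)" } },
            @{ Name = 'GrantedByType'; Expression = { "$($_.RoleAssigneeType)" } },
            @{ Name = 'Delegation';    Expression = { "$($_.RoleAssignmentDelegationType)" } },
            @{ Name = 'Enabled';       Expression = { $_.Enabled } },
            @{ Name = 'Review';        Expression = { $ReviewRoles -contains "$($_.Role)" } } |
        Sort-Object GrantedByType, GrantedBy, Role
}

# Part I: local user
Get-CurrentUserRbacRole | Format-Table -AutoSize

# Part II: user of the first open remote session (pick another session if you have several)
$session = Get-PSSession | Where-Object { $_.State -eq 'Opened' } | Select-Object -First 1
if ($session) {
    $CurrentExOUser = $session.Runspace.OriginalConnectionInfo.Credential.UserName
    Get-CurrentUserRbacRole -RoleAssignee $CurrentExOUser |
        Where-Object { $_.Review } |
        Format-Table Role, GrantedBy, GrantedByType, Delegation -AutoSize
}
```

A Delegation value other than Regular means the assignment lets the user assign that role to others rather than use its cmdlets.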
References
RBAC examples and tips and how to retrieve cmdlets and where they sit, etc… again from my friend Rhod:
https://blogs.technet.microsoft.com/rmilne/2014/02/18/exchange-rbac-tips-n-tricks-powershell/
Here’s Rhod’s post about the Get-PSSession to get the remotely logged on user name
https://blogs.technet.microsoft.com/rmilne/2016/09/19/remote-powershell-pssession-whoami/
And here’s my post about the basics of RBAC if you need it
RBAC Manager tool – a more graphic tool to help manage RBAC roles