Partilhar via


Exchange Online: Restricting cmdlets with RBAC

Background:

We do not get many cases like this in CSS for some reason. I believe this is because most enterprises seem to leverage their Tenant Admin for support and provisioning the service. As this service grows, there will be more and more support personnel supporting this service in the enterprise. Occasionally, we will get asked how to restrict specific functionality from users though. One thing you should consider is that anything changed/executed in EAC is ultimately just triggering a cmdlet to be run. All of the pages will be visible, but their ability to read/write values depends on the cmdlets you allow them to run via RBAC.

Solution:

Since this can potentially impact production support users, I highly recommend copying a Management Role that you intend on trimming up, just so that you're not changing anything that anyone is using presently. To do that, you just need to specify a parent role to when running New-ManagementRole in remote powershell (this cannot be done via EAC)

Example:

New-ManagementRole –Name “Transport Rules Limited” –Parent “Transport Rules"
New-ManagementRole –Name “Transport Hygiene Limited” –Parent “Transport Hygiene”

From there, you can run something like this:

Get-ManagementRoleEntry "Transport Hygiene Limited\*"

OR

Get-ManagementRoleEntry "Transport Rules Limited\*"

Which should output something like this (notice that the parameters aren't fully enumerated):

Disable-HostedContentFilter... Transport Hygiene Limited {Confirm, ErrorAction, ErrorVariable, Identity...}
Disable-MalwareFilterRule      Transport Hygiene Limited {Confirm, ErrorAction, ErrorVariable, Identity...}
Enable-HostedContentFilterRule Transport Hygiene Limited {Confirm, ErrorAction, ErrorVariable, Identity...}
Enable-MalwareFilterRule       Transport Hygiene Limited {Confirm, ErrorAction, ErrorVariable, Identity...}
Get-HostedConnectionFilterP... Transport Hygiene Limited {ErrorAction, ErrorVariable, Identity, OutBuffer...}
Get-HostedContentFilterPolicy  Transport Hygiene Limited {ErrorAction, ErrorVariable, Identity, OutBuffer...}
Get-HostedContentFilterRule    Transport Hygiene Limited {ErrorAction, ErrorVariable, Identity, OutBuffer...}
Get-HostedOutboundSpamFilte... Transport Hygiene Limited {ErrorAction, ErrorVariable, OutBuffer, OutVariable...}
Get-MalwareFilterPolicy        Transport Hygiene Limited {ErrorAction, ErrorVariable, Identity, OutBuffer...}
Get-MalwareFilterRule          Transport Hygiene Limited {ErrorAction, ErrorVariable, Identity, OutBuffer...}
New-HostedConnectionFilterP... Transport Hygiene Limited {AdminDisplayName, Confirm, EnableSafeList, ErrorAction...}
New-HostedContentFilterPolicy  Transport Hygiene Limited {AddXHeaderValue, AdminDisplayName, Confirm, DownloadLink...}
New-HostedContentFilterRule    Transport Hygiene Limited {Comments, Confirm, Enabled, ErrorAction...}
New-MalwareFilterPolicy        Transport Hygiene Limited {Action, AdminDisplayName, Confirm, CustomAlertText...}
New-MalwareFilterRule          Transport Hygiene Limited {Comments, Confirm, Enabled, ErrorAction...}
Release-QuarantineMessage      Transport Hygiene Limited {Confirm, ErrorAction, ErrorVariable, Identity...}
Remove-HostedConnectionFilt... Transport Hygiene Limited {Confirm, ErrorAction, ErrorVariable, Identity...}
Remove-HostedContentFilterP... Transport Hygiene Limited {Confirm, ErrorAction, ErrorVariable, Identity...}
Remove-HostedContentFilterRule Transport Hygiene Limited {Confirm, ErrorAction, ErrorVariable, Identity...}
Remove-MalwareFilterPolicy     Transport Hygiene Limited {Confirm, ErrorAction, ErrorVariable, Identity...}
Remove-MalwareFilterRule       Transport Hygiene Limited {Confirm, ErrorAction, ErrorVariable, Identity...}
Set-HostedConnectionFilterP... Transport Hygiene Limited {AdminDisplayName, Confirm, EnableSafeList, ErrorAction...}
Set-HostedContentFilterPolicy  Transport Hygiene Limited {AddXHeaderValue, AdminDisplayName, Confirm, DownloadLink...}
Set-HostedContentFilterRule    Transport Hygiene Limited {Comments, Confirm, ErrorAction, ErrorVariable...}
Set-HostedOutboundSpamFilte... Transport Hygiene Limited {AdminDisplayName, BccSuspiciousOutboundAdditionalRecipient...
Set-MalwareFilterPolicy        Transport Hygiene Limited {Action, AdminDisplayName, Confirm, CustomAlertText...}
Set-MalwareFilterRule          Transport Hygiene Limited {Comments, Confirm, ErrorAction, ErrorVariable...}
Get-QuarantineMessage          Transport Hygiene Limited {Confirm, Direction, Domain, EndExpiresDate...}
Get-QuarantineMessageHeader    Transport Hygiene Limited {ErrorAction, ErrorVariable, Identity, OutBuffer...}

Run the following and it will force it to enumerate those fields:

$FormatEnumerationLimit =-1

Then you can run and it will display the cmdlets and switches the user belonging to that role can run. If it's not listed, they can't run it.

Get-ManagementRoleEntry "Transport Hygiene Limited\*" | fl name,parameters

Name : Set-HostedContentFilterPolicy
Parameters : {AddXHeaderValue, AdminDisplayName, BulkThreshold, Confirm, DownloadLink, EnableEndUserSpamNotifications,
EnableLanguageBlockList, EnableRegionBlockList, EndUserSpamNotificationCustomFromAddress,
EndUserSpamNotificationCustomFromName, EndUserSpamNotificationCustomSubject,
EndUserSpamNotificationFrequency, EndUserSpamNotificationLanguage, EndUserSpamNotificationLimit,
ErrorAction, ErrorVariable, HighConfidenceSpamAction, Identity, IncreaseScoreWithBizOrInfoUrls,
IncreaseScoreWithImageLinks, IncreaseScoreWithNumericIps, IncreaseScoreWithRedirectToOtherPort,
LanguageBlockList, MakeDefault, MarkAsSpamBulkMail, MarkAsSpamEmbedTagsInHtml, MarkAsSpamEmptyMessages,
MarkAsSpamFormTagsInHtml, MarkAsSpamFramesInHtml, MarkAsSpamFromAddressAuthFail,
MarkAsSpamJavaScriptInHtml, MarkAsSpamNdrBackscatter, MarkAsSpamObjectTagsInHtml,
MarkAsSpamSensitiveWordList, MarkAsSpamSpfRecordHardFail, MarkAsSpamWebBugsInHtml, ModifySubjectValue,
OutBuffer, OutVariable, QuarantineRetentionPeriod, RedirectToRecipients, RegionBlockList, SpamAction,
TestModeAction, TestModeBccToRecipients, WarningAction, WarningVariable, WhatIf}

Name : New-HostedContentFilterPolicy
Parameters : {AddXHeaderValue, AdminDisplayName, BulkThreshold, Confirm, DownloadLink, EnableEndUserSpamNotifications,
EnableLanguageBlockList, EnableRegionBlockList, EndUserSpamNotificationCustomFromAddress,
EndUserSpamNotificationCustomFromName, EndUserSpamNotificationCustomSubject,
EndUserSpamNotificationFrequency, EndUserSpamNotificationLanguage, EndUserSpamNotificationLimit,
ErrorAction, ErrorVariable, HighConfidenceSpamAction, IncreaseScoreWithBizOrInfoUrls,
IncreaseScoreWithImageLinks, IncreaseScoreWithNumericIps, IncreaseScoreWithRedirectToOtherPort,
LanguageBlockList, MarkAsSpamBulkMail, MarkAsSpamEmbedTagsInHtml, MarkAsSpamEmptyMessages,
MarkAsSpamFormTagsInHtml, MarkAsSpamFramesInHtml, MarkAsSpamFromAddressAuthFail,
MarkAsSpamJavaScriptInHtml, MarkAsSpamNdrBackscatter, MarkAsSpamObjectTagsInHtml,
MarkAsSpamSensitiveWordList, MarkAsSpamSpfRecordHardFail, MarkAsSpamWebBugsInHtml, ModifySubjectValue,
Name, OutBuffer, OutVariable, QuarantineRetentionPeriod, RedirectToRecipients, RegionBlockList,
SpamAction, TestModeAction, TestModeBccToRecipients, WarningAction, WarningVariable, WhatIf}

Name : Disable-HostedContentFilterRule
Parameters : {Confirm, ErrorAction, ErrorVariable, Identity, OutBuffer, OutVariable, WarningAction, WarningVariable,
WhatIf}

Name : Disable-MalwareFilterRule
Parameters : {Confirm, ErrorAction, ErrorVariable, Identity, OutBuffer, OutVariable, WarningAction, WarningVariable,
WhatIf}

Name : Enable-HostedContentFilterRule
Parameters : {Confirm, ErrorAction, ErrorVariable, Identity, OutBuffer, OutVariable, WarningAction, WarningVariable,
WhatIf}

Name : Enable-MalwareFilterRule
Parameters : {Confirm, ErrorAction, ErrorVariable, Identity, OutBuffer, OutVariable, WarningAction, WarningVariable,
WhatIf}

Name : Get-HostedConnectionFilterPolicy
Parameters : {ErrorAction, ErrorVariable, Identity, OutBuffer, OutVariable, WarningAction, WarningVariable}

Name : Get-HostedContentFilterPolicy
Parameters : {ErrorAction, ErrorVariable, Identity, OutBuffer, OutVariable, WarningAction, WarningVariable}

Name : Get-HostedContentFilterRule
Parameters : {ErrorAction, ErrorVariable, Identity, OutBuffer, OutVariable, State, WarningAction, WarningVariable}

Name : Get-HostedOutboundSpamFilterPolicy
Parameters : {ErrorAction, ErrorVariable, OutBuffer, OutVariable, WarningAction, WarningVariable}

Name : Get-MalwareFilterPolicy
Parameters : {ErrorAction, ErrorVariable, Identity, OutBuffer, OutVariable, WarningAction, WarningVariable}

Name : Get-MalwareFilterRule
Parameters : {ErrorAction, ErrorVariable, Identity, OutBuffer, OutVariable, State, WarningAction, WarningVariable}

Name : New-HostedContentFilterRule
Parameters : {Comments, Confirm, Enabled, ErrorAction, ErrorVariable, ExceptIfRecipientDomainIs, ExceptIfSentTo,
ExceptIfSentToMemberOf, HostedContentFilterPolicy, Name, OutBuffer, OutVariable, Priority,
RecipientDomainIs, SentTo, SentToMemberOf, WarningAction, WarningVariable, WhatIf}

Name : New-MalwareFilterPolicy
Parameters : {Action, AdminDisplayName, Confirm, CustomAlertText, CustomExternalBody, CustomExternalSubject,
CustomFromAddress, CustomFromName, CustomInternalBody, CustomInternalSubject, CustomNotifications,
EnableExternalSenderAdminNotifications, EnableExternalSenderNotifications,
EnableInternalSenderAdminNotifications, EnableInternalSenderNotifications, ErrorAction, ErrorVariable,
ExternalSenderAdminAddress, InternalSenderAdminAddress, Name, OutBuffer, OutVariable, WarningAction,
WarningVariable, WhatIf}

Name : New-MalwareFilterRule
Parameters : {Comments, Confirm, Enabled, ErrorAction, ErrorVariable, ExceptIfRecipientDomainIs, ExceptIfSentTo,
ExceptIfSentToMemberOf, MalwareFilterPolicy, Name, OutBuffer, OutVariable, Priority, RecipientDomainIs,
SentTo, SentToMemberOf, WarningAction, WarningVariable, WhatIf}

Name : Release-QuarantineMessage
Parameters : {Confirm, ErrorAction, ErrorVariable, Identity, OutBuffer, OutVariable, ReleaseToAll,
ReportFalsePositive, User, WarningAction, WarningVariable, WhatIf}

Name : Remove-HostedContentFilterPolicy
Parameters : {Confirm, ErrorAction, ErrorVariable, Identity, OutBuffer, OutVariable, WarningAction, WarningVariable,
WhatIf}

Name : Remove-HostedContentFilterRule
Parameters : {Confirm, ErrorAction, ErrorVariable, Identity, OutBuffer, OutVariable, WarningAction, WarningVariable,
WhatIf}

Name : Remove-MalwareFilterPolicy
Parameters : {Confirm, ErrorAction, ErrorVariable, Identity, OutBuffer, OutVariable, WarningAction, WarningVariable,
WhatIf}

Name : Remove-MalwareFilterRule
Parameters : {Confirm, ErrorAction, ErrorVariable, Identity, OutBuffer, OutVariable, WarningAction, WarningVariable,
WhatIf}

Name : Set-HostedContentFilterRule
Parameters : {Comments, Confirm, ErrorAction, ErrorVariable, ExceptIfRecipientDomainIs, ExceptIfSentTo,
ExceptIfSentToMemberOf, HostedContentFilterPolicy, Identity, Name, OutBuffer, OutVariable, Priority,
RecipientDomainIs, SentTo, SentToMemberOf, WarningAction, WarningVariable, WhatIf}

Name : Set-HostedOutboundSpamFilterPolicy
Parameters : {AdminDisplayName, BccSuspiciousOutboundAdditionalRecipients, BccSuspiciousOutboundMail,
BlockUnlistedDomains, Confirm, ErrorAction, ErrorVariable, Identity, NotifyOutboundSpam,
NotifyOutboundSpamRecipients, OutBuffer, OutVariable, WarningAction, WarningVariable, WhatIf}

Name : Set-MalwareFilterPolicy
Parameters : {Action, AdminDisplayName, Confirm, CustomAlertText, CustomExternalBody, CustomExternalSubject,
CustomFromAddress, CustomFromName, CustomInternalBody, CustomInternalSubject, CustomNotifications,
EnableExternalSenderAdminNotifications, EnableExternalSenderNotifications,
EnableInternalSenderAdminNotifications, EnableInternalSenderNotifications, ErrorAction, ErrorVariable,
ExternalSenderAdminAddress, Identity, InternalSenderAdminAddress, MakeDefault, OutBuffer, OutVariable,
WarningAction, WarningVariable, WhatIf}

Name : Set-MalwareFilterRule
Parameters : {Comments, Confirm, ErrorAction, ErrorVariable, ExceptIfRecipientDomainIs, ExceptIfSentTo,
ExceptIfSentToMemberOf, Identity, MalwareFilterPolicy, Name, OutBuffer, OutVariable, Priority,
RecipientDomainIs, SentTo, SentToMemberOf, WarningAction, WarningVariable, WhatIf}

Name : Get-QuarantineMessage
Parameters : {Confirm, Direction, Domain, EndExpiresDate, EndReceivedDate, ErrorAction, ErrorVariable, Identity,
MessageId, OutBuffer, OutVariable, Page, PageSize, RecipientAddress, Reported, SenderAddress,
StartExpiresDate, StartReceivedDate, Subject, Type, WarningAction, WarningVariable, WhatIf}

Name : Get-QuarantineMessageHeader
Parameters : {ErrorAction, ErrorVariable, Identity, OutBuffer, OutVariable, WarningAction}

OK COOL, HOW DO I REMOVE/SCOPE THIS FURTHER???

Simple! If you see a cmdlet that you don't want your support staff to run, let's say you don't want them to be able to do anything regarding the connection filters (IP Allow/Block etc), run the following:

Remove-ManagementRoleEntry “Transport Hygiene Limited\New-HostedConnectionFilterPolicy”
Remove-ManagementRoleEntry “Transport Hygiene Limited\Remove-HostedConnectionFilterPolicy”
Remove-ManagementRoleEntry “Transport Hygiene Limited\Set-HostedConnectionFilterPolicy”

This makes it so they can only read the settings but cannot execute changes if they're a member of this role.

Bonus:

Want an easy way to see which role allows a specific cmdlet? Easy! Obviously, you can narrow it down to the cmdlet/Role if you wish, but I just dump it to an easily searchable text file.

Get-ManagementRoleEntry *\* | fl name, parameters, role | out-file C:\temp\cmdlets.txt

As always, I hope this helps!

Mitchel

Comments

  • Anonymous
    January 01, 2003
    My pleasure! Thanks for the feedback!
  • Anonymous
    January 13, 2015
    Thanks alot