If you have configured Exchange 2013 in hybrid mode, you have probably noticed the appearance of this link: the Office 365 Mailbox creation link.
However, if you have implemented RBAC, this link may not show when you'd expect it to.
I ran into this recently when upgrading an Exchange 2010 hybrid environment to 2013. The client had previously implemented RBAC by adding members of the helpdesk team to the Recipient Management role group. In 2010 this allowed the helpdesk team to create and manage mail recipients, both on-premises and in the cloud. However, when this group used the 2013 management tools, the Office 365 Mailbox link was absent.
After some digging, plus some trial and error, we quickly found an oddity. The short answer: it all comes down to one missing role entry. To see that link you need access to the Get-RemoteDomain cmdlet, and members of Recipient Management do not have it.
It seems odd, though. Why wouldn't Recipient Management have this cmdlet? It's only a Get verb, after all; there is not much damage you can do with that.
Let's dig into RBAC and see which roles are assigned the Get-RemoteDomain cmdlet.
C:\> Get-ManagementRoleEntry *\Get-RemoteDomain | select name, role | ft -autosize

Name             Role
----             ----
Get-RemoteDomain Remote and Accepted Domains
Get-RemoteDomain View-Only Configuration
Just two roles have this entry, and neither of them is assigned to the Recipient Management role group. Let's see what else these roles grant.
C:\> Get-ManagementRoleEntry "Remote and Accepted Domains\*" | select name,role | ft -autosize

Name                           Role
----                           ----
Set-AcceptedDomain             Remote and Accepted Domains
Set-RemoteDomain               Remote and Accepted Domains
Set-OrganizationConfig         Remote and Accepted Domains
Write-AdminAuditLog            Remote and Accepted Domains
Set-X400AuthoritativeDomain    Remote and Accepted Domains
Remove-X400AuthoritativeDomain Remote and Accepted Domains
Remove-RemoteDomain            Remote and Accepted Domains
Remove-AcceptedDomain          Remote and Accepted Domains
New-X400AuthoritativeDomain    Remote and Accepted Domains
New-RemoteDomain               Remote and Accepted Domains
New-AcceptedDomain             Remote and Accepted Domains
Get-X400AuthoritativeDomain    Remote and Accepted Domains
Get-RemoteDomain               Remote and Accepted Domains
Get-DomainController           Remote and Accepted Domains
Get-AcceptedDomain             Remote and Accepted Domains
Hmm, that's a lot of permissions. I really don't want the helpdesk team adding or removing domains in the Exchange organization. Let's check the other role.
C:\> Get-ManagementRoleEntry "View-Only Configuration\*" | select name, role | ft -autosize

Name                                        Role
------------------------------------------  -----------------------
Get-MapiVirtualDirectory                    View-Only Configuration
Get-GlobalMonitoringOverride                View-Only Configuration
Get-AuditLogSearch                          View-Only Configuration
Get-SiteMailbox                             View-Only Configuration
Get-HealthReport                            View-Only Configuration
Get-MalwareFilterRule                       View-Only Configuration
Get-SmimeConfig                             View-Only Configuration
Get-PushNotificationSubscription            View-Only Configuration
Set-SearchDocumentFormat                    View-Only Configuration
Get-TransportRule                           View-Only Configuration
Get-ThrottlingPolicyAssociation             View-Only Configuration
Get-DatabaseAvailabilityGroupConfiguration  View-Only Configuration
Get-SettingOverride                         View-Only Configuration
New-SearchDocumentFormat                    View-Only Configuration
Remove-GlobalMonitoringOverride             View-Only Configuration
Remove-SearchDocumentFormat                 View-Only Configuration
Get-IntraOrganizationConfiguration          View-Only Configuration
Get-StoreUsageStatistics                    View-Only Configuration
Retry-Queue                                 View-Only Configuration
Set-ServerMonitor                           View-Only Configuration
Set-SmimeConfig                             View-Only Configuration
Get-HostedContentFilterRule                 View-Only Configuration
Get-ServerHealth                            View-Only Configuration
Get-SearchDocumentFormat                    View-Only Configuration
Get-ExchangeDiagnosticInfo                  View-Only Configuration
Get-IntraOrganizationConnector              View-Only Configuration
Get-FailedContentIndexDocuments             View-Only Configuration
Add-GlobalMonitoringOverride                View-Only Configuration
Get-ServerComponentState                    View-Only Configuration
Get-ServerMonitoringOverride                View-Only Configuration
Get-PublicFolderDatabase                    View-Only Configuration
Get-OabVirtualDirectory                     View-Only Configuration
Get-Notification                            View-Only Configuration
Get-SiteMailboxDiagnostics                  View-Only Configuration
Get-SiteMailboxProvisioningPolicy           View-Only Configuration
Get-OrganizationalUnit                      View-Only Configuration
Get-PublicFolder                            View-Only Configuration
Get-PolicyTipConfig                         View-Only Configuration
Get-FrontendTransportService                View-Only Configuration
Get-MonitoringItemIdentity                  View-Only Configuration
Get-MonitoringItemHelp                      View-Only Configuration
Get-MailboxDatabaseCopyStatus               View-Only Configuration
Get-MobileDeviceMailboxPolicy               View-Only Configuration
Get-ThrottlingPolicy                        View-Only Configuration
Get-MigrationUserStatistics                 View-Only Configuration
Get-ExchangeServerAccessLicenseUser         View-Only Configuration
Get-ExchangeServerAccessLicense             View-Only Configuration
Get-MigrationUser                           View-Only Configuration
Get-ExchangeCertificate                     View-Only Configuration
Get-MigrationStatistics                     View-Only Configuration
Get-MigrationEndpoint                       View-Only Configuration
Get-MigrationConfig                         View-Only Configuration
Get-MigrationBatch                          View-Only Configuration
Get-EcpVirtualDirectory                     View-Only Configuration
Get-ResourcePolicy                          View-Only Configuration
Get-DlpPolicyTemplate                       View-Only Configuration
Get-DlpPolicy                               View-Only Configuration
Get-TransportService                        View-Only Configuration
Get-ResubmitRequest                         View-Only Configuration
Get-DataClassification                      View-Only Configuration
Get-PublicFolderItemStatistics              View-Only Configuration
Get-PendingFederatedDomain                  View-Only Configuration
Get-UMCallRouterSettings                    View-Only Configuration
Get-PublicFolderClientPermission            View-Only Configuration
Get-PartnerApplication                      View-Only Configuration
Get-OwaVirtualDirectory                     View-Only Configuration
Get-PublicFolderStatistics                  View-Only Configuration
Get-ClassificationRuleCollection            View-Only Configuration
Get-Queue                                   View-Only Configuration
Get-QueueDigest                             View-Only Configuration
Get-AutodiscoverVirtualDirectory            View-Only Configuration
Get-AuthServer                              View-Only Configuration
Get-MailboxDatabase                         View-Only Configuration
Get-AuthConfig                              View-Only Configuration
Get-App                                     View-Only Configuration
Get-AgentLog                                View-Only Configuration
Get-MalwareFilterRecoveryItem               View-Only Configuration
Remove-ServerMonitoringOverride             View-Only Configuration
Send-MapiSubmitSystemProbe                  View-Only Configuration
Get-UMService                               View-Only Configuration
Get-AddressList                             View-Only Configuration
Get-PowerShellVirtualDirectory              View-Only Configuration
Get-ActiveSyncVirtualDirectory              View-Only Configuration
Get-WebServicesVirtualDirectory             View-Only Configuration
Get-WorkloadManagementPolicy                View-Only Configuration
Get-WorkloadPolicy                          View-Only Configuration
Get-ActiveSyncDeviceAutoblockThreshold      View-Only Configuration
Get-MalwareFilterPolicy                     View-Only Configuration
Invoke-MonitoringProbe                      View-Only Configuration
Set-OrganizationConfig                      View-Only Configuration
Get-MalwareFilteringServer                  View-Only Configuration
Export-DlpPolicyCollection                  View-Only Configuration
Get-MailboxTransportService                 View-Only Configuration
Get-OutlookAnywhere                         View-Only Configuration
Enable-ExchangeCertificate                  View-Only Configuration
Add-ServerMonitoringOverride                View-Only Configuration
Get-AddressBookPolicy                       View-Only Configuration
Get-HybridConfiguration                     View-Only Configuration
Get-AuthRedirect                            View-Only Configuration
Get-FederationInformation                   View-Only Configuration
Test-OrganizationRelationship               View-Only Configuration
Test-FederationTrustCertificate             View-Only Configuration
Get-X400AuthoritativeDomain                 View-Only Configuration
Get-UserPrincipalNamesSuffix                View-Only Configuration
Get-UmServer                                View-Only Configuration
Get-UMMailboxPolicy                         View-Only Configuration
Get-UMIPGateway                             View-Only Configuration
Get-UMHuntGroup                             View-Only Configuration
Get-UMDialPlan                              View-Only Configuration
Get-UMCallSummaryReport                     View-Only Configuration
Get-UMAutoAttendant                         View-Only Configuration
Get-UMActiveCalls                           View-Only Configuration
Get-Trust                                   View-Only Configuration
Get-TransportServer                         View-Only Configuration
Get-TransportRulePredicate                  View-Only Configuration
Get-TransportRuleAction                     View-Only Configuration
Get-TransportPipeline                       View-Only Configuration
Get-TransportConfig                         View-Only Configuration
Get-TransportAgent                          View-Only Configuration
Get-TextMessagingAccount                    View-Only Configuration
Get-SystemMessage                           View-Only Configuration
Get-SyncConfig                              View-Only Configuration
Get-SharingPolicy                           View-Only Configuration
Get-ServiceStatus                           View-Only Configuration
Get-ServiceAvailabilityReport               View-Only Configuration
Get-SenderReputationConfig                  View-Only Configuration
Get-SenderIdConfig                          View-Only Configuration
Get-SenderFilterConfig                      View-Only Configuration
Get-SendConnector                           View-Only Configuration
Get-RpcClientAccess                         View-Only Configuration
Get-RoutingGroupConnector                   View-Only Configuration
Get-RoleGroupMember                         View-Only Configuration
Get-RoleGroup                               View-Only Configuration
Get-RoleAssignmentPolicy                    View-Only Configuration
Get-RetentionPolicyTag                      View-Only Configuration
Get-RetentionPolicy                         View-Only Configuration
Get-ResourceConfig                          View-Only Configuration
Get-RemoteDomain                            View-Only Configuration
Get-RecipientFilterConfig                   View-Only Configuration
Get-ReceiveConnector                        View-Only Configuration
Get-RMSTemplate                             View-Only Configuration
Get-PublicFolderAdministrativePermission    View-Only Configuration
Get-PopSettings                             View-Only Configuration
Get-PhysicalAvailabilityReport              View-Only Configuration
Get-OwaMailboxPolicy                        View-Only Configuration
Get-OutlookProvider                         View-Only Configuration
Get-OutlookProtectionRule                   View-Only Configuration
Get-OrganizationRelationship                View-Only Configuration
Get-OrganizationConfig                      View-Only Configuration
Get-OfflineAddressBook                      View-Only Configuration
Get-NetworkConnectionInfo                   View-Only Configuration
Get-MessageClassification                   View-Only Configuration
Get-MessageCategory                         View-Only Configuration
Get-Message                                 View-Only Configuration
Get-ManagementScope                         View-Only Configuration
Get-ManagementRoleEntry                     View-Only Configuration
Get-ManagementRoleAssignment                View-Only Configuration
Get-ManagementRole                          View-Only Configuration
Get-ManagedFolderMailboxPolicy              View-Only Configuration
Get-ManagedFolder                           View-Only Configuration
Get-ManagedContentSettings                  View-Only Configuration
Get-MailboxServer                           View-Only Configuration
Get-MailboxAuditBypassAssociation           View-Only Configuration
Get-JournalRule                             View-Only Configuration
Get-ImapSettings                            View-Only Configuration
Get-IRMConfiguration                        View-Only Configuration
Get-IPBlockListProvidersConfig              View-Only Configuration
Get-IPBlockListProvider                     View-Only Configuration
Get-IPBlockListEntry                        View-Only Configuration
Get-IPBlockListConfig                       View-Only Configuration
Get-IPAllowListProvidersConfig              View-Only Configuration
Get-IPAllowListProvider                     View-Only Configuration
Get-IPAllowListEntry                        View-Only Configuration
Get-IPAllowListConfig                       View-Only Configuration
Get-GlobalAddressList                       View-Only Configuration
Get-ForeignConnector                        View-Only Configuration
Get-FederationTrust                         View-Only Configuration
Get-FederatedOrganizationIdentifier         View-Only Configuration
Get-FederatedDomainProof                    View-Only Configuration
Get-ExchangeServer                          View-Only Configuration
Get-ExchangeAssistanceConfig                View-Only Configuration
Get-EventLogLevel                           View-Only Configuration
Get-EmailAddressPolicy                      View-Only Configuration
Get-EdgeSyncServiceConfig                   View-Only Configuration
Get-EdgeSubscription                        View-Only Configuration
Get-DomainController                        View-Only Configuration
Get-DetailsTemplate                         View-Only Configuration
Get-DeliveryAgentConnector                  View-Only Configuration
Get-DatabaseAvailabilityGroupNetwork        View-Only Configuration
Get-DatabaseAvailabilityGroup               View-Only Configuration
Get-ContentFilterPhrase                     View-Only Configuration
Get-ContentFilterConfig                     View-Only Configuration
Get-CmdletExtensionAgent                    View-Only Configuration
Get-ClientAccessServer                      View-Only Configuration
Get-ClientAccessArray                       View-Only Configuration
Get-AvailabilityConfig                      View-Only Configuration
Get-AvailabilityAddressSpace                View-Only Configuration
Get-AdminAuditLogConfig                     View-Only Configuration
Get-AdSiteLink                              View-Only Configuration
Get-ActiveSyncOrganizationSettings          View-Only Configuration
Get-ActiveSyncMailboxPolicy                 View-Only Configuration
Get-ActiveSyncDeviceClass                   View-Only Configuration
Get-ActiveSyncDeviceAccessRule              View-Only Configuration
Get-AcceptedDomain                          View-Only Configuration
Get-ADSite                                  View-Only Configuration
Get-ADServerSettings                        View-Only Configuration
Get-ADPermission                            View-Only Configuration
Export-UMCallDataRecord                     View-Only Configuration
Export-TransportRuleCollection              View-Only Configuration
Export-JournalRuleCollection                View-Only Configuration
Export-AutoDiscoverConfig                   View-Only Configuration
Export-ActiveSyncLog                        View-Only Configuration
That's a ton of cmdlets, over two hundred. While the vast majority are harmless Get verbs, it is far more than I want the helpdesk team to see, and a handful of them (Set-OrganizationConfig, Enable-ExchangeCertificate, the Add-, New- and Remove- entries) are not even read-only. The View-Only Configuration role is effectively a read-only administrator for the entire Exchange environment.
I am trying to implement least privilege, so these two roles don't work for me. We will need to create a new role, using View-Only Configuration as the parent.
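To confirm, rather than assume, whether a role group receives a given cmdlet, here is a small PowerShell function, added here and not part of the original post, that lists the roles carrying the cmdlet and checks them against the role group's management role assignments. It assumes an Exchange Management Shell session with permission to read RBAC configuration; the function name is mine.

```powershell
# Added example (not from the original post). Given a cmdlet and a role group, list the
# roles whose entries include that cmdlet and report whether the group receives any of
# them through a management role assignment.
function Test-RoleGroupCmdletAccess {
    param(
        [Parameter(Mandatory)] [string] $Cmdlet,      # e.g. Get-RemoteDomain
        [Parameter(Mandatory)] [string] $RoleGroup    # e.g. "Recipient Management"
    )

    # Same query as the post: wildcard the role half of the "Role\Cmdlet" identity.
    $rolesWithCmdlet = @(Get-ManagementRoleEntry "*\$Cmdlet" |
        ForEach-Object { "$($_.Role)" } | Sort-Object -Unique)

    # Roles assigned to the group itself (direct assignments to the role group).
    $groupRoles = @(Get-ManagementRoleAssignment -RoleAssignee $RoleGroup |
        ForEach-Object { "$($_.Role)" } | Sort-Object -Unique)

    # Intersection: roles that both carry the cmdlet and are assigned to the group.
    $grantedVia = @($rolesWithCmdlet | Where-Object { $groupRoles -contains $_ })

    [pscustomobject]@{
        Cmdlet          = $Cmdlet
        RoleGroup       = $RoleGroup
        RolesWithCmdlet = $rolesWithCmdlet -join ', '
        GrantedVia      = $grantedVia -join ', '
        HasAccess       = ($grantedVia.Count -gt 0)
    }
}

# For the case in the post this lists the two roles and reports HasAccess = False.
Test-RoleGroupCmdletAccess -Cmdlet Get-RemoteDomain -RoleGroup "Recipient Management" | Format-List
```

The same call with a different cmdlet name is a quick way to find out which role is hiding any other missing ECP link.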
C:\> New-ManagementRole -Parent "View-Only Configuration" -Name "Office 365 Provisioning Link"

Name                         RoleType
----                         --------
Office 365 Provisioning Link ViewOnlyConfiguration
By default, this new role inherits every entry from its parent. We don't need those, but we must make sure we don't remove the Get-RemoteDomain entry. To remove every entry except Get-RemoteDomain, issue the following command and press "A" to confirm the removal of all entries.
C:\> Get-ManagementRoleEntry "Office 365 Provisioning Link\*" | Where { $_.Name -NotLike "Get-RemoteDomain" } | Remove-ManagementRoleEntry

Confirm
Are you sure you want to perform this action?
Removing the "(Microsoft.Exchange.Management.PowerShell.E2010) Export-ActiveSyncLog -Confirm -Debug -EndDate -ErrorAction -ErrorVariable -Filename -Force -OutBuffer -OutputPath -OutputPrefix -OutVariable -StartDate -UseGMT -Verbose -WarningAction -WarningVariable -WhatIf" management role entry on the "Office 365 Provisioning Link" management role.
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): a
Let’s check our work.
C:\> Get-ManagementRoleEntry "Office 365 Provisioning Link\*" | select name,role | ft

Name             Role
----             ----
Get-RemoteDomain Office 365 Provisioning Link
Okay, now we have a management role that contains only the Get-RemoteDomain cmdlet. Let's assign it to the Recipient Management role group.
C:\> New-ManagementRoleAssignment -Role "Office 365 Provisioning Link" -SecurityGroup "Recipient Management"

Name                           Role              RoleAssigneeName  RoleAssigneeType AssignmentMethod EffectiveUserName
----                           ----              ----------------  ---------------- ---------------- -----------------
Office 365 Provisioning Lin... Office 365 Pro... Recipient Mana... RoleGroup        Direct
Let’s check our work in the GUI.
We are all set. Members of Recipient Management can now provision Office 365 remote mailboxes through the New Office 365 Mailbox link.
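The steps above as one idempotent script, an added example rather than the post's own commands: it creates the role only if it is missing, strips every entry except Get-RemoteDomain by building the explicit Role\Cmdlet identity instead of piping the whole role-entry object (which sidesteps the RoleEntryIdParameter binding error reported in the comments), verifies the result, and assigns the role once. Names are those used in the post; it assumes an Exchange Management Shell session with rights to manage RBAC.

```powershell
# Added example (not the post's own commands): the whole procedure as one script that is
# safe to re-run. Adjust the four values below for your environment.
$RoleName   = "Office 365 Provisioning Link"
$ParentRole = "View-Only Configuration"
$KeepCmdlet = "Get-RemoteDomain"
$RoleGroup  = "Recipient Management"

# 1. Create the custom role only if it does not already exist.
if (-not (Get-ManagementRole -Identity $RoleName -ErrorAction SilentlyContinue)) {
    New-ManagementRole -Parent $ParentRole -Name $RoleName | Out-Null
}

# 2. Remove every inherited entry except the one cmdlet the link needs.
#    The identity is built explicitly as "Role\Cmdlet", so the call does not depend on
#    pipeline binding of the role-entry object. -Confirm:$false suppresses the prompt.
Get-ManagementRoleEntry "$RoleName\*" |
    Where-Object { $_.Name -ne $KeepCmdlet } |
    ForEach-Object {
        Remove-ManagementRoleEntry -Identity "$RoleName\$($_.Name)" -Confirm:$false
    }

# 3. Verify: the role must now contain exactly one entry, and it must be $KeepCmdlet.
$remaining = @(Get-ManagementRoleEntry "$RoleName\*")
if ($remaining.Count -ne 1 -or $remaining[0].Name -ne $KeepCmdlet) {
    $found = ($remaining | ForEach-Object { $_.Name }) -join ', '
    throw "Role '$RoleName' should contain only $KeepCmdlet but contains: $found"
}

# 4. Assign the role to the role group, skipping if the assignment already exists.
$assigned = Get-ManagementRoleAssignment -Role $RoleName -RoleAssignee $RoleGroup -ErrorAction SilentlyContinue
if (-not $assigned) {
    New-ManagementRoleAssignment -Role $RoleName -SecurityGroup $RoleGroup | Out-Null
}

# 5. Show what the role group now receives through the new role.
Get-ManagementRoleAssignment -Role $RoleName |
    Format-Table Name, Role, RoleAssigneeName, RoleAssigneeType, AssignmentMethod -AutoSize
```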
What do you guys think? Drop a comment below.
Getting the exact same problem as Dimitri, is there a fix for this?
Cannot process argument transformation on parameter ‘Identity’. Cannot convert value “Office 365 Provisioning Link” to
type “Microsoft.Exchange.Configuration.Tasks.RoleEntryIdParameter”. Error: “The format of the value you specified in
the Microsoft.Exchange.Configuration.Tasks.RoleEntryIdParameter parameter isn’t valid. Check the value, and then try
again.
Parameter name: identity”
+ CategoryInfo : InvalidData: (Office 365 Provisioning Link:PSObject) [Remove-ManagementRoleEntry], Param
eterBindin…mationException
+ FullyQualifiedErrorId : ParameterArgumentTransformationError,Remove-ManagementRoleEntry
+ PSComputerName
I had the same issue on our Exchange 2013 server in Hybrid mode. This article was the first I could find that so clearly explained the issue and the solution. The PowerShell error listed here is solved with the following:
Get-ManagementRoleEntry "Office 365 Provisioning Link\*" | where { $_.Name -NotLike 'Get-RemoteDomain' } | %{
Remove-ManagementRoleEntry -Identity "$($_.id)\$($_.name)" }
I parsed the last part from this page from Microsoft: https://docs.microsoft.com/en-us/powershell/module/exchange/remove-managementroleentry?view=exchange-ps
Many thanks Jase! Sounds like my code is no longer valid. I will have to test and update.
Thanks for this article, but I have the following error:
Cannot process argument transformation on parameter ‘Identity’. Cannot convert value “Office 365 Provisioning Link” to
type “Microsoft.Exchange.Configuration.Tasks.RoleEntryIdParameter”. Error: “The format of the value you specified in
the Microsoft.Exchange.Configuration.Tasks.RoleEntryIdParameter parameter isn’t valid. Check the value, and then try
again.
Parameter name: identity”
+ CategoryInfo : InvalidData: (Office 365 Provisioning Link:PSObject) [Remove-ManagementRoleEntry], Param
eterBindin…mationException
+ FullyQualifiedErrorId : ParameterArgumentTransformationError,Remove-ManagementRoleEntry
+ PSComputerName : vtsuexch01.cts.valtronic.ch
Can you help me?
Did you get an answer to this? I am experiencing the same problem
Fantastic guide, exactly what I needed. Works on Exchange 2016 too 🙂
This post saved my life, thanks 🙂
Exactly what I needed. I love you.
Thank you, Gareth. You read my mind, and the commands I just copy & paste into the EMS 🙂
Ran into this today – thanks for posting your findings!
Great read!
Really extensive and in-depth.
Thanks
Thank you so much, great document, this is exactly what I am looking for.
Brilliant piece of work, really useful.
No one else has documented this process that I could find
Thank you Thank you Thank you!
Many Thanks Gareth. Works on Exchange 2016 and works like a charm.
Great article, thanks! Any idea how to make the “Reset Password” function appear as well? (To change the On-Premise AD password)
Thanks so much for this. I was in the same scenario; trying to allow my service desk staff access to create Office 365 mailboxes, but "Recipient Management" didn't have the option in the new mailbox drop-down, despite the documentation telling me that that role should give remote recipient management. You may be interested to know that a Microsoft support rep linked me to this page; I suppose they haven't documented it themselves anywhere. 😛
Glad I was able to help John. Hopefully the default gets changed in a future update.
Great article! I had the same problem and I wonder how you found that Get-RemoteDomain was the missing cmdlet? It can help me understand why some icons are hidden with RBAC.
I knew which management roles the link appeared on. So that was my starting point. Then I examined what cmdlets they had that Recipient Management did not. Then it was a bit of trial and error by adding/removing cmdlets until the link appeared.
Do we have the same option under Exchange 2016?
I just tried this on Exchange 2016 and the same applies!
That’s good to know. I haven’t retested this in 2016. Thanks EXGuru.