SuperTekBoy

Practical Help for Exchange & Office 365

RBAC hides the Office 365 Mailbox creation link

By 23 Comments

Share
Tweet
Share
Reddit
Print

If you have configured Exchange 2013 in hybrid mode then you have probably noticed the appearance of this link. It’s the Office 365 Mailbox creation link.

New Office 365 Mailbox link

However, if you have implemented RBAC this link may not show when you’d expect it to.

I ran into this recently when upgrading an Exchange 2010 hybrid environment to 2013. Previously the client had implemented RBAC where members of the helpdesk team were added to the Recipient Management group. In 2010 this allowed the helpdesk team to create and manage mail recipients; both on-premise and in the cloud. However, when this group attempted to use the 2013 management tools the Office 365 Mailbox link was absent.

After some digging–plus some trial and error–we quickly found an oddity. The short answer–it’s all based around one missing role entry. To see that link you need access to the Get-RemoteDomain command. Members of Recipient Management do not have this.

It seems odd though. Why wouldn’t Recipient Management have this cmdlet? It’s only a Get verb after all. Not much damage you can do with that.

If we dig into RBAC lets see which roles are assigned the Get-RemoteDomain command.

 C:\> Get-ManagementRoleEntry *\Get-RemoteDomain | select name, role | ft -autosize

Name                Role
----                ----
Get-RemoteDomain    Remote and Accepted Domains
Get-RemoteDomain    View-Only Configuration

Just two roles have access to this command. Neither of these roles is assigned to the Recipient Management group. Let’s see what these roles do.

 C:\> Get-ManagementRoleEntry "Remote and Accepted Domains\*" | select name,role | ft -autosize

Name                           Role
----                           ----
Set-AcceptedDomain             Remote and Accepted Domains
Set-RemoteDomain               Remote and Accepted Domains
Set-OrganizationConfig         Remote and Accepted Domains
Write-AdminAuditLog            Remote and Accepted Domains
Set-X400AuthoritativeDomain    Remote and Accepted Domains
Remove-X400AuthoritativeDomain Remote and Accepted Domains
Remove-RemoteDomain            Remote and Accepted Domains
Remove-AcceptedDomain          Remote and Accepted Domains
New-X400AuthoritativeDomain    Remote and Accepted Domains
New-RemoteDomain               Remote and Accepted Domains
New-AcceptedDomain             Remote and Accepted Domains
Get-X400AuthoritativeDomain    Remote and Accepted Domains
Get-RemoteDomain               Remote and Accepted Domains
Get-DomainController           Remote and Accepted Domains
Get-AcceptedDomain             Remote and Accepted Domains

Hmm, that’s a lot of permissions. I really don’t want the helpdesk team adding or removing domains in the Exchange Organization. Let’s check the other role.

 C:\> Get-ManagementRoleEntry "View-Only Configuration\*" | select name, role | ft -autosize

Name                                       Role
----                                       ----
Get-MapiVirtualDirectory                   View-Only Configuration
Get-GlobalMonitoringOverride               View-Only Configuration
Get-AuditLogSearch                         View-Only Configuration
Get-SiteMailbox                            View-Only Configuration
Get-HealthReport                           View-Only Configuration
Get-MalwareFilterRule                      View-Only Configuration
Get-SmimeConfig                            View-Only Configuration
Get-PushNotificationSubscription           View-Only Configuration
Set-SearchDocumentFormat                   View-Only Configuration
Get-TransportRule                          View-Only Configuration
Get-ThrottlingPolicyAssociation            View-Only Configuration
Get-DatabaseAvailabilityGroupConfiguration View-Only Configuration
Get-SettingOverride                        View-Only Configuration
New-SearchDocumentFormat                   View-Only Configuration
Remove-GlobalMonitoringOverride            View-Only Configuration
Remove-SearchDocumentFormat                View-Only Configuration
Get-IntraOrganizationConfiguration         View-Only Configuration
Get-StoreUsageStatistics                   View-Only Configuration
Retry-Queue                                View-Only Configuration
Set-ServerMonitor                          View-Only Configuration
Set-SmimeConfig                            View-Only Configuration
Get-HostedContentFilterRule                View-Only Configuration
Get-ServerHealth                           View-Only Configuration
Get-SearchDocumentFormat                   View-Only Configuration
Get-ExchangeDiagnosticInfo                 View-Only Configuration
Get-IntraOrganizationConnector             View-Only Configuration
Get-FailedContentIndexDocuments            View-Only Configuration
Add-GlobalMonitoringOverride               View-Only Configuration
Get-ServerComponentState                   View-Only Configuration
Get-ServerMonitoringOverride               View-Only Configuration
Get-PublicFolderDatabase                   View-Only Configuration
Get-OabVirtualDirectory                    View-Only Configuration
Get-Notification                           View-Only Configuration
Get-SiteMailboxDiagnostics                 View-Only Configuration
Get-SiteMailboxProvisioningPolicy          View-Only Configuration
Get-OrganizationalUnit                     View-Only Configuration
Get-PublicFolder                           View-Only Configuration
Get-PolicyTipConfig                        View-Only Configuration
Get-FrontendTransportService               View-Only Configuration
Get-MonitoringItemIdentity                 View-Only Configuration
Get-MonitoringItemHelp                     View-Only Configuration
Get-MailboxDatabaseCopyStatus              View-Only Configuration
Get-MobileDeviceMailboxPolicy              View-Only Configuration
Get-ThrottlingPolicy                       View-Only Configuration
Get-MigrationUserStatistics                View-Only Configuration
Get-ExchangeServerAccessLicenseUser        View-Only Configuration
Get-ExchangeServerAccessLicense            View-Only Configuration
Get-MigrationUser                          View-Only Configuration
Get-ExchangeCertificate                    View-Only Configuration
Get-MigrationStatistics                    View-Only Configuration
Get-MigrationEndpoint                      View-Only Configuration
Get-MigrationConfig                        View-Only Configuration
Get-MigrationBatch                         View-Only Configuration
Get-EcpVirtualDirectory                    View-Only Configuration
Get-ResourcePolicy                         View-Only Configuration
Get-DlpPolicyTemplate                      View-Only Configuration
Get-DlpPolicy                              View-Only Configuration
Get-TransportService                       View-Only Configuration
Get-ResubmitRequest                        View-Only Configuration
Get-DataClassification                     View-Only Configuration
Get-PublicFolderItemStatistics             View-Only Configuration
Get-PendingFederatedDomain                 View-Only Configuration
Get-UMCallRouterSettings                   View-Only Configuration
Get-PublicFolderClientPermission           View-Only Configuration
Get-PartnerApplication                     View-Only Configuration
Get-OwaVirtualDirectory                    View-Only Configuration
Get-PublicFolderStatistics                 View-Only Configuration
Get-ClassificationRuleCollection           View-Only Configuration
Get-Queue                                  View-Only Configuration
Get-QueueDigest                            View-Only Configuration
Get-AutodiscoverVirtualDirectory           View-Only Configuration
Get-AuthServer                             View-Only Configuration
Get-MailboxDatabase                        View-Only Configuration
Get-AuthConfig                             View-Only Configuration
Get-App                                    View-Only Configuration
Get-AgentLog                               View-Only Configuration
Get-MalwareFilterRecoveryItem              View-Only Configuration
Remove-ServerMonitoringOverride            View-Only Configuration
Send-MapiSubmitSystemProbe                 View-Only Configuration
Get-UMService                              View-Only Configuration
Get-AddressList                            View-Only Configuration
Get-PowerShellVirtualDirectory             View-Only Configuration
Get-ActiveSyncVirtualDirectory             View-Only Configuration
Get-WebServicesVirtualDirectory            View-Only Configuration
Get-WorkloadManagementPolicy               View-Only Configuration
Get-WorkloadPolicy                         View-Only Configuration
Get-ActiveSyncDeviceAutoblockThreshold     View-Only Configuration
Get-MalwareFilterPolicy                    View-Only Configuration
Invoke-MonitoringProbe                     View-Only Configuration
Set-OrganizationConfig                     View-Only Configuration
Get-MalwareFilteringServer                 View-Only Configuration
Export-DlpPolicyCollection                 View-Only Configuration
Get-MailboxTransportService                View-Only Configuration
Get-OutlookAnywhere                        View-Only Configuration
Enable-ExchangeCertificate                 View-Only Configuration
Add-ServerMonitoringOverride               View-Only Configuration
Get-AddressBookPolicy                      View-Only Configuration
Get-HybridConfiguration                    View-Only Configuration
Get-AuthRedirect                           View-Only Configuration
Get-FederationInformation                  View-Only Configuration
Test-OrganizationRelationship              View-Only Configuration
Test-FederationTrustCertificate            View-Only Configuration
Get-X400AuthoritativeDomain                View-Only Configuration
Get-UserPrincipalNamesSuffix               View-Only Configuration
Get-UmServer                               View-Only Configuration
Get-UMMailboxPolicy                        View-Only Configuration
Get-UMIPGateway                            View-Only Configuration
Get-UMHuntGroup                            View-Only Configuration
Get-UMDialPlan                             View-Only Configuration
Get-UMCallSummaryReport                    View-Only Configuration
Get-UMAutoAttendant                        View-Only Configuration
Get-UMActiveCalls                          View-Only Configuration
Get-Trust                                  View-Only Configuration
Get-TransportServer                        View-Only Configuration
Get-TransportRulePredicate                 View-Only Configuration
Get-TransportRuleAction                    View-Only Configuration
Get-TransportPipeline                      View-Only Configuration
Get-TransportConfig                        View-Only Configuration
Get-TransportAgent                         View-Only Configuration
Get-TextMessagingAccount                   View-Only Configuration
Get-SystemMessage                          View-Only Configuration
Get-SyncConfig                             View-Only Configuration
Get-SharingPolicy                          View-Only Configuration
Get-ServiceStatus                          View-Only Configuration
Get-ServiceAvailabilityReport              View-Only Configuration
Get-SenderReputationConfig                 View-Only Configuration
Get-SenderIdConfig                         View-Only Configuration
Get-SenderFilterConfig                     View-Only Configuration
Get-SendConnector                          View-Only Configuration
Get-RpcClientAccess                        View-Only Configuration
Get-RoutingGroupConnector                  View-Only Configuration
Get-RoleGroupMember                        View-Only Configuration
Get-RoleGroup                              View-Only Configuration
Get-RoleAssignmentPolicy                   View-Only Configuration
Get-RetentionPolicyTag                     View-Only Configuration
Get-RetentionPolicy                        View-Only Configuration
Get-ResourceConfig                         View-Only Configuration
Get-RemoteDomain                           View-Only Configuration
Get-RecipientFilterConfig                  View-Only Configuration
Get-ReceiveConnector                       View-Only Configuration
Get-RMSTemplate                            View-Only Configuration
Get-PublicFolderAdministrativePermission   View-Only Configuration
Get-PopSettings                            View-Only Configuration
Get-PhysicalAvailabilityReport             View-Only Configuration
Get-OwaMailboxPolicy                       View-Only Configuration
Get-OutlookProvider                        View-Only Configuration
Get-OutlookProtectionRule                  View-Only Configuration
Get-OrganizationRelationship               View-Only Configuration
Get-OrganizationConfig                     View-Only Configuration
Get-OfflineAddressBook                     View-Only Configuration
Get-NetworkConnectionInfo                  View-Only Configuration
Get-MessageClassification                  View-Only Configuration
Get-MessageCategory                        View-Only Configuration
Get-Message                                View-Only Configuration
Get-ManagementScope                        View-Only Configuration
Get-ManagementRoleEntry                    View-Only Configuration
Get-ManagementRoleAssignment               View-Only Configuration
Get-ManagementRole                         View-Only Configuration
Get-ManagedFolderMailboxPolicy             View-Only Configuration
Get-ManagedFolder                          View-Only Configuration
Get-ManagedContentSettings                 View-Only Configuration
Get-MailboxServer                          View-Only Configuration
Get-MailboxAuditBypassAssociation          View-Only Configuration
Get-JournalRule                            View-Only Configuration
Get-ImapSettings                           View-Only Configuration
Get-IRMConfiguration                       View-Only Configuration
Get-IPBlockListProvidersConfig             View-Only Configuration
Get-IPBlockListProvider                    View-Only Configuration
Get-IPBlockListEntry                       View-Only Configuration
Get-IPBlockListConfig                      View-Only Configuration
Get-IPAllowListProvidersConfig             View-Only Configuration
Get-IPAllowListProvider                    View-Only Configuration
Get-IPAllowListEntry                       View-Only Configuration
Get-IPAllowListConfig                      View-Only Configuration
Get-GlobalAddressList                      View-Only Configuration
Get-ForeignConnector                       View-Only Configuration
Get-FederationTrust                        View-Only Configuration
Get-FederatedOrganizationIdentifier        View-Only Configuration
Get-FederatedDomainProof                   View-Only Configuration
Get-ExchangeServer                         View-Only Configuration
Get-ExchangeAssistanceConfig               View-Only Configuration
Get-EventLogLevel                          View-Only Configuration
Get-EmailAddressPolicy                     View-Only Configuration
Get-EdgeSyncServiceConfig                  View-Only Configuration
Get-EdgeSubscription                       View-Only Configuration
Get-DomainController                       View-Only Configuration
Get-DetailsTemplate                        View-Only Configuration
Get-DeliveryAgentConnector                 View-Only Configuration
Get-DatabaseAvailabilityGroupNetwork       View-Only Configuration
Get-DatabaseAvailabilityGroup              View-Only Configuration
Get-ContentFilterPhrase                    View-Only Configuration
Get-ContentFilterConfig                    View-Only Configuration
Get-CmdletExtensionAgent                   View-Only Configuration
Get-ClientAccessServer                     View-Only Configuration
Get-ClientAccessArray                      View-Only Configuration
Get-AvailabilityConfig                     View-Only Configuration
Get-AvailabilityAddressSpace               View-Only Configuration
Get-AdminAuditLogConfig                    View-Only Configuration
Get-AdSiteLink                             View-Only Configuration
Get-ActiveSyncOrganizationSettings         View-Only Configuration
Get-ActiveSyncMailboxPolicy                View-Only Configuration
Get-ActiveSyncDeviceClass                  View-Only Configuration
Get-ActiveSyncDeviceAccessRule             View-Only Configuration
Get-AcceptedDomain                         View-Only Configuration
Get-ADSite                                 View-Only Configuration
Get-ADServerSettings                       View-Only Configuration
Get-ADPermission                           View-Only Configuration
Export-UMCallDataRecord                    View-Only Configuration
Export-TransportRuleCollection             View-Only Configuration
Export-JournalRuleCollection               View-Only Configuration
Export-AutoDiscoverConfig                  View-Only Configuration
Export-ActiveSyncLog                       View-Only Configuration

That’s a ton of cmdlets! Over two-hundred. While the vast majority of these are harmless Get verbs, it’s way more than I want the helpdesk team to see. The View-Only Configuration role is effectively a read-only admin for the entire Exchange environment.

I am trying to implement the least privilege so, these two roles don’t work for me. We will need to create a new role. Let’s use the View-Only Configuration as the parent.

 C:\> New-ManagementRole -Parent "View-Only Configuration" -Name "Office 365 Provisioning Link"

Name                                      RoleType
----                                      --------
Office 365 Provisioning Link              ViewOnlyConfiguration

By default, this new role inherits all entries from its parent. We don’t need these. However, we want to make sure we don’t remove the Get-RemoteDomain cmdlet. To remove every entry except Get-RemoteDomain, issue the following command. Press “A” to confirm the removal of all entries.

 C:\> Get-ManagementRoleEntry "Office 365 Provisioning Link\*" | Where { $_.Name -NotLike "Get-RemoteDomain" } | Remove-ManagementRoleEntry

Confirm
Are you sure you want to perform this action?
Removing the "(Microsoft.Exchange.Management.PowerShell.E2010) Export-ActiveSyncLog -Confirm -Debug -EndDate -ErrorAction -ErrorVariable -Filename -Force -OutBuffer -OutputPath -OutputPrefix -OutVariable -StartDate -UseGMT -Verbose -WarningAction -WarningVariable -WhatIf" management role entry on the "Office 365 Provisioning Link" management role.
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): a

Let’s check our work.

 C:\> Get-ManagementRoleEntry "Office 365 Provisioning Link\*" | select name,role | ft

Name                  Role
----                  ----
Get-RemoteDomain      Office 365 Provisioning Link

Okay, now we have a management role that only contains the Get-RemoteDomain command. Let’s assign it to the Recipients Management group.

 C:\> New-ManagementRoleAssignment -Role "Office 365 Provisioning Link" 
-SecurityGroup "Recipient Management"

Name                           Role              RoleAssigneeName  RoleAssigneeType  AssignmentMethod  EffectiveUserName
----                           ----              ----------------  ----------------  ----------------  -----------------
Office 365 Provisioning Lin... Office 365 Pro... Recipient Mana... RoleGroup         Direct

Let’s check our work in the GUI.

New Office 365 Mailbox link Management Role

We are all set. Our Recipient Management members can now provision Office 365 remote mailboxes through the New Office 365 Mailbox link.

What do you guys think? Drop a comment below.

Print Friendly, PDF & Email

About Gareth Gudger

Gareth is an Microsoft MVP specializing in Exchange and Office 365. Gareth also contributes to the Office 365 for IT Pros book, which is updated monthly with new content. Find Gareth on LinkedIn, Twitter, or, Facebook.

Reader Interactions

End of Article Form

Want to stay up to date?

Join thousands of IT professionals and get the latest Exchange & Office 365 tips and tutorials direct to your inbox

Comments

  1. Janine says

    Getting the exact same problem as Dimitri, is there a fix for this?
    Cannot process argument transformation on parameter ‘Identity’. Cannot convert value “Office 365 Provisioning Link” to
    type “Microsoft.Exchange.Configuration.Tasks.RoleEntryIdParameter”. Error: “The format of the value you specified in
    the Microsoft.Exchange.Configuration.Tasks.RoleEntryIdParameter parameter isn’t valid. Check the value, and then try
    again.
    Parameter name: identity”
    + CategoryInfo : InvalidData: (Office 365 Provisioning Link:PSObject) [Remove-ManagementRoleEntry], Param
    eterBindin…mationException
    + FullyQualifiedErrorId : ParameterArgumentTransformationError,Remove-ManagementRoleEntry
    + PSComputerName

    Reply

  2. Dimitri says

    Thanks for this article but I have the following error :

    Cannot process argument transformation on parameter ‘Identity’. Cannot convert value “Office 365 Provisioning Link” to
    type “Microsoft.Exchange.Configuration.Tasks.RoleEntryIdParameter”. Error: “The format of the value you specified in
    the Microsoft.Exchange.Configuration.Tasks.RoleEntryIdParameter parameter isn’t valid. Check the value, and then try
    again.
    Parameter name: identity”
    + CategoryInfo : InvalidData: (Office 365 Provisioning Link:PSObject) [Remove-ManagementRoleEntry], Param
    eterBindin…mationException
    + FullyQualifiedErrorId : ParameterArgumentTransformationError,Remove-ManagementRoleEntry
    + PSComputerName : vtsuexch01.cts.valtronic.ch

    Can you help me ?

    Reply

  13. Martin M. says

    Great article, thanks! Any idea how to make the “Reset Password” function appear as well? (To change the On-Premise AD password)

    Reply

  14. John says

    Thanks so much for this. I was in the same scenario; trying to allow my service desk staff access to create Office 365 mailboxes, but “Recipient Management” didn’t have the option in the new mailbox drop-down, despite the documentation telling me that that role should give remote recipient management. You may interested to know that a Microsoft support rep linked me to this page; I suppose they haven’t documented it themselves anywhere. 😛

    Reply

  15. fanch says

    Great article ! I had the same problem and I wonder how did you find that get-remotedomain was the missing cmdlet? It can help me understand why some icons are hidden with RBAC

    Reply

    • Gareth Gudger says

      I knew which management roles the link appeared on. So that was my starting point. Then I examined what cmdlets they had that Recipient Management did not. Then it was a bit of trial and error by adding/removing cmdlets until the link appeared.

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

Toggle Dark Mode
Toggle Font Size
Share
Tweet
Share
Reddit
Print