Tagged: RBAC

Office 365 – Manage Roles

Office 365 administrator roles

Billing Administrator – manages subscriptions, purchases, support tickets and service health.

Global Administrator – There can only be one, by default it is the person who signs up for Office 365. This administrator can assign other administrative roles.

Password Administrator – manages password resets, service requests and monitors service health. NOTE: This role cannot reset passwords for other administrative roles.

Service Administrator – manages service requests and monitor service health.

User Management Administrator – manage password resets, monitor service health, manage user accounts and groups and manage service requests. NOTE: This role cannot create administrative users nor can it reset the passwords of users with administrative role assignments.

Delegated Administration

Delegated administrators can create users, reset passwords and manage domains.

To enable delegated administration you need to send your customer a link in an email which will enable delegated administration; this is done via the partner page within the Office 365 portal.


Once the customer accepts you as a delegated administrator you’ll be listed within their delegated administrators. The global administrator of the partner Office 365 account can then decide how much administrative access you have over the partners.



To access a customers resources using your delegated credentials go to service settings from within your customers portal.


Within SharePoint you can grant your organisation as a support partner access to your customers SharePoint site collections.


Exchange role-based access control (RBAC) roles

Exchange role-based access control (RBAC) is used to grant administrative users specific privileges within Exchange and allow users to make changes to their personal settings e.g. mobile number.

RBAC can be assigned in 3 ways.

  1. Management role groups; these are used to assign a group of users administrative privileges within the organisation or for objects with a specific attribute.
  2. Management role assignment policies; these are used to assign users more or less privileges over their own mailbox. Only one management role assignment policy can be assign to any one mailbox at a time.
  3. Direct user role assignment; this is where a user account or universal security group would be granted access to a particular role without using a role group or role assignment policy.

The diagrams below show how RBAC components link together.

e.g the Discovery Management role group has management role assignments of Mailbox Search-Discovery Management and Legal Hold-Discovery Management. The assignments link the role group to the management roles Mailbox Search and Legal Hold, if you query those management role using PowerShell you’ll see which cmdlets are available e.g. Get-ManagementRoleEntry  “Mailbox Search\*”

The scope of the management role assignment can be the organisation or a specific attribute e.g. the office attribute equal to “some location” e.g. New-ManagementScope -Name “Ossy Branch” -RecipientRestrictionFilter {Office -eq “Ossy”} If you wanted to protect who could manage mail recipients in the Office location of Ossy, you could make the scope exclusive.

Once the scope is created you would also create New-DistributionGroup as a universal security group (USG) and a New-RoleGroup which defines the Branch e.g.

New-DistributionGroup -Name “Ossy Admins” -Alias OssyAdmins -Type Security

New-RoleGroup “Oswaldtwistle Recipient Admins”

Finally to link together your role group and management role you would create a role assignment defining the scope created earlier e.g.

New-ManagementRoleAssignment -Name “Oswaldtwistle Recipient Admins-Mail Recipients” -Role “Mail Recipients” -SecurityGroup “Oswaldtwistle Recipient Admins” -CustomRecipientWriteScope “Ossy Branch”

Users are now made a member of the USG OssyAdmins would be able to manage recipients who have the Office attribute equal to Ossy.

A custom management role must have a builtin parent role, and cannot have more rights than its parent role i.e. access to more cmdlets. Every role with a Remove- or Set- cmdlet must have a respective Get- cmdlet.

Management Role Assignment

The management role assignment policies are assigned to end users and allow them to manage their own mailboxes and distribution groups; you can introduce new functionality or remove functionality by creating new management role assignment policies, modifying the role assignments and assigning that new policy to a mailbox.

A mailbox can only have one role assignment policy and can only contain roles which are scoped to the end user i.e. start with My…

To view the role assignment assigned use PowerShell to query the management role assignment that are part of the default role assignment policy e.g.

Get-ManagementRoleAssignment | ? {$_.RoleAssigneeName -eq “Default Role Assignment Policy”} | Select-Object Name, RoleAssigneeName

Management Role Assignment Policy