Recipient permissions (Send As) missing from the default View-Only Organization Management Role group

Here’s a fun fact – the Get-RecipientPermission cmdlet is not available to members of the “View-Only Organization Management” role group. In effect, those users will not be able to see Send As permissions on any object within their scope, either via the GUI or via PowerShell. It looks like the devs simply forgot to include this cmdlet, so here’s how you can use the RBAC model to bring it back.

First, we need to find out which of the pre-built Roles contain this cmdlet, as we cannot add cmdlets that are not present in the parent role. Thus, we need to make a copy of one of those roles, and get rid of all the other cmdlets. To identify those roles, we can use the following cmdlet:

PS C:\> Get-ManagementRoleEntry "*\Get-RecipientPermission"

Name                           Role                      Parameters
----                           ----                      ----------
Get-RecipientPermission        Mail Recipients           {AccessRights, ErrorAction, ErrorVariable, Identity...}
Get-RecipientPermission        newMailRecipients         {AccessRights, ErrorAction, ErrorVariable, Identity...}

If you have not played with the default roles previously, you will only see the “Mail Recipients” Role. So we will use it as the parent role:

PS C:\> New-ManagementRole -Name "Recipient Permissions" -Parent "Mail Recipients"

Name                                                                                      RoleType
----                                                                                      --------
Recipient Permissions                                                                     MailRecipients

In a real-world deployment, you should give the new Role a proper name and a detailed description that explains its purpose, but for our purposes this will do. The next step is to remove all the unneeded cmdlets, and there are lots of these, 124 in total. As the plan is to add this new role to the “View-Only Organization Management” Role Group, we certainly don’t want to give access to any of the Set- cmdlets. Plus, we already have all the other Get- cmdlets as part of the two other roles present in “View-Only Organization Management”. So, we can use this cmdlet to remove everything apart from the Get-RecipientPermission cmdlet:

PS C:\> Get-ManagementRoleEntry "Recipient Permissions\*"  | ? {$_.Name -notlike "Get-RecipientPermission"} | % { Remove-ManagementRoleEntry $("Recipient Permissions" + "\" + $_.Name) -Confirm:$false }

This is what we should be left with now:

PS C:\> Get-ManagementRoleEntry "Recipient Permissions\*"

Name                           Role                      Parameters
----                           ----                      ----------
Get-RecipientPermission        Recipient Permissions     {AccessRights, ErrorAction, ErrorVariable, Identity...}

Our last step is to create a management role assignment between the new role and the “View-Only Organization Management” role group:

PS C:\> New-ManagementRoleAssignment -Role 'Recipient Permissions' -SecurityGroup 'View-Only Organization Management'

And voila, the users added to the “View-Only Organization Management” role group will now be able to use the Get-RecipientPermission cmdlet as well.
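The whole procedure as one re-runnable script, with a check that the new role holds nothing except Get-RecipientPermission before it is assigned to the view-only group. This is an added example, not part of the original post; it assumes an already connected Exchange Online PowerShell session, reuses the role name from the post, and the description text is made up for illustration.

```powershell
# Added example (not from the original post). Assumes a connected Exchange Online session.
$RoleName   = 'Recipient Permissions'              # role name used in the post
$ParentRole = 'Mail Recipients'                    # built-in role that contains the cmdlet
$RoleGroup  = 'View-Only Organization Management'
$Keep       = 'Get-RecipientPermission'            # the only entry the new role may contain

# 1. Create the child role only if it does not exist yet (safe to re-run).
if (-not (Get-ManagementRole | Where-Object { $_.Name -eq $RoleName })) {
    # Description text is illustrative; write one that fits your organization.
    New-ManagementRole -Name $RoleName -Parent $ParentRole `
        -Description 'Read-only: lets view-only admins list Send As permissions.' | Out-Null
}

# 2. Remove every inherited entry except the one we want to keep.
Get-ManagementRoleEntry "$($RoleName)\*" |
    Where-Object { $_.Name -ne $Keep } |
    ForEach-Object {
        Remove-ManagementRoleEntry -Identity "$($RoleName)\$($_.Name)" -Confirm:$false
    }

# 3. Least-privilege guard: stop if anything other than $Keep is still in the role.
$entries    = @(Get-ManagementRoleEntry "$($RoleName)\*")
$unexpected = @($entries | Where-Object { $_.Name -ne $Keep })
if ($entries.Count -ne 1 -or $unexpected.Count -gt 0) {
    $names = ($unexpected | ForEach-Object { $_.Name }) -join ', '
    throw "Role '$RoleName' is not minimal (unexpected entries: $names). Not assigning it."
}

# 4. Assign the role to the role group unless the assignment already exists.
$existing = @(Get-ManagementRoleAssignment -Role $RoleName -RoleAssignee $RoleGroup)
if ($existing.Count -eq 0) {
    New-ManagementRoleAssignment -Role $RoleName -SecurityGroup $RoleGroup | Out-Null
}

# 5. Show every role now assigned to the group, for review.
Get-ManagementRoleAssignment -RoleAssignee $RoleGroup |
    Select-Object Name, Role, RoleAssigneeName |
    Format-Table -AutoSize
```

Role changes can take a while to reach existing sessions, so members of the role group may need to reconnect before the cmdlet shows up.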

In case none of the above makes sense, review the RBAC documentation on TechNet:    
