TLCCWA-0299 asked KyleXu-MSFT commented

RBAC in Exchange 365 to manage Contacts only

We are a club with a handful of committee members and many club members.
We load our club members up as type "Contacts" and have a dynamic DL to allow our Editor, for example, to send the monthly magazine to all club members.
I'm looking for a way to allow our club secretary to add/remove Contacts, but not fiddle with the rest of Exchange users/groups.
Managed to get it to work by creating a scope, but the more elegant way would be to not have the other resource types even visible.
I've found this old post that would be perfect but does not seem to work on Exchange Online: https://community.spiceworks.com/topic/2152103-o365-allow-users-to-add-edit-delete-contacts
Any thoughts on getting this to work in the current Microsoft 365?

office-exchange-online-itpro

@TLCCWA-0299
I am writing here to confirm with you any update about this thread now.
If the suggestion below helps, please feel free to accept it as an answer to help more people.

KyleXu-MSFT answered

@TLCCWA-0299

You could follow the steps below to create a permission group for managing mail users and mail contacts. For more detailed information, you could have a look at this article:

 # Create two custom roles as children of the built-in recipient roles
 New-ManagementRole -Name "Contact1" -Parent "Mail Recipient Creation"
 New-ManagementRole -Name "Contact2" -Parent "Mail Recipients"
 # Remove every role entry whose cmdlet name does not contain MailContact or MailUser
 Get-ManagementRoleEntry -Identity "Contact1\*" | where{$_.Name -notlike "*MailContact*" -and $_.Name -notlike "*mailUser*"} | foreach {Remove-ManagementRoleEntry -Identity "$($_.id)\$($_.name)" -Confirm:$false}
 Get-ManagementRoleEntry -Identity "Contact2\*" | where{$_.Name -notlike "*MailContact*" -and $_.Name -notlike "*mailUser*"} | foreach {Remove-ManagementRoleEntry -Identity "$($_.id)\$($_.name)" -Confirm:$false}
 # Create a role group that holds both custom roles and add the delegated user to it
 New-RoleGroup "MailboxManagement" -Roles "Contact1","Contact2" -Members Onlineuser1@domain.onmicrosoft.com

After that, those users need to manage contacts from PowerShell; there may be some issues in the GUI due to the migration from the old one to the new one.


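Added example, not part of KyleXu-MSFT's answer: one way to audit the result of the steps above and confirm the delegation is limited to contact and mail-user cmdlets. It assumes a connected Exchange Online PowerShell session and the role and role group names used in that answer (Contact1, Contact2, MailboxManagement).

```powershell
# Added example: least-privilege audit of the custom roles from the answer above.
# Assumption: run in a connected Exchange Online PowerShell session by an admin
# who is allowed to read RBAC configuration.
$roles     = 'Contact1', 'Contact2'      # names taken from the answer
$roleGroup = 'MailboxManagement'         # name taken from the answer

# 1. Any entry that is not a *MailContact* / *MailUser* cmdlet is a leftover
#    from the parent role and should have been removed.
$unexpected = foreach ($role in $roles) {
    Get-ManagementRoleEntry -Identity "$role\*" |
        Where-Object { $_.Name -notlike '*MailContact*' -and $_.Name -notlike '*MailUser*' }
}
if ($unexpected) {
    Write-Warning 'Role entries outside the contact/mail-user set are still present:'
    $unexpected | Format-Table Role, Name -AutoSize
} else {
    Write-Output 'OK: custom roles expose only MailContact/MailUser cmdlets.'
}

# 2. List what remains, split into read-only and state-changing cmdlets,
#    so the delegated surface can be reviewed at a glance.
foreach ($role in $roles) {
    Get-ManagementRoleEntry -Identity "$role\*" |
        Select-Object Role, Name,
            @{ Name = 'Kind'; Expression = { if ($_.Name -like 'Get-*') { 'read' } else { 'write' } } } |
        Sort-Object Kind, Name |
        Format-Table -AutoSize
}

# 3. Show which roles the role group actually carries and with which write
#    scope. Anything besides Contact1/Contact2 here widens the delegation.
Get-ManagementRoleAssignment -RoleAssignee $roleGroup |
    Format-Table Role, RoleAssigneeName, RecipientWriteScope, CustomRecipientWriteScope -AutoSize

# 4. Confirm who is in the group.
Get-RoleGroupMember -Identity $roleGroup |
    Format-Table Name, RecipientType -AutoSize
```

Re-run the check after any change to the role group, since adding a built-in role to it later silently restores the removed cmdlets.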

michev answered

What exactly doesn't work? The only thing that has changed since is the introduction of the modern EAC, but the underlying RBAC controls still apply.

TLCCWA-0299 answered KyleXu-MSFT commented

Thanks @michev and @KyleXu-MSFT

Got it to work, but oddly enough it does not remove Mailboxes or Resources, Mail Flow etc. from the Exchange Admin Centre menu like I had hoped.
So the effect is much the same as using Scope, as in they can only add/remove/modify contacts but the menu and list of other stuff remains visible (can't open or do anything with them though).

What was throwing me in the query is some of the starting directions such as:
Get-ManagementRole -Cmdlet New-MailContact
or
Get-ManagementRoleEntry –Identity “Mail Recipient Creation*”
were not working, and I didn't want to start going down to the level of the New creations if I was stuck on the Get's already haha. The latter was missing a / as I now realised.

Again, appreciate the help, sorted :)

Cheers


Yes, this user could see some other configuration from EAC but cannot manage it. It is the same for both Exchange on-premises and Exchange online RBAC.
