Administrator Role Groups in Exchange Online

Applies to: Office 365 for enterprises, Live@edu

Role groups make assigning administrative permissions easy. To assign a user the permissions to perform specific administrative tasks, you add the user as a member of the role group for those administrative tasks. For example, if you hire a new employee for your helpdesk staff, you simply add the new employee to the Help Desk role group and they're ready to go.

Let's look at how role groups work and what role groups are available by default:

  • Anatomy of a role group
  • Built-in role groups

Anatomy of a role group

An administrator role group is a universal security group with administrative rights assigned to it. These administrative rights are specified by built-in management roles, which are part of the role-based access control (RBAC) permissions model. A management role, also called an RBAC role or simply a role, defines what someone has access to and what tasks they can perform.

What makes up a role group?

Administrator Role Groups

Role group members   Like distribution groups or public groups, administrator role groups have members. The roles assigned to the role group apply to each member who is added to the role group, so every member receives all the permissions granted by the roles assigned to that role group.

To view the members of a role group:

  • In the Exchange Control Panel

    1. Select Manage My Organization > Roles & Auditing > Administrator Roles.
    2. Select a role group, and you'll see its membership in the details pane.
  • In Windows PowerShell, run the following command:

    Get-RoleGroupMember "<name of role group>"
    

Role group   Roles are assigned to the role group. The combination of all roles assigned to the role group defines everything that role group members can manage in their organization.

To view the role groups for your organization:

  • In the Exchange Control Panel
    Select Manage My Organization > Roles & Auditing > Administrator Roles.

  • In Windows PowerShell, run the following command:

    Get-RoleGroup
    

Role assignments   A role assignment associates a management role with a role group. Assigning a role to a role group grants members of the role group permission to use the Windows PowerShell cmdlets and parameters defined in the role. Role assignments also use management scopes to control where the assignment can be used.

Because a role can be assigned to different role groups, each role assignment has its own name, and that name is unique within your organization. For example, the User Options role is assigned to both the Organization Management and Help Desk role groups, but the assignment name is different for each and uniquely identifies it: User Options-Help Desk and User Options-Organization Management.

To view the roles assigned to a specific role group:

  • In the Exchange Control Panel

    1. Select Manage My Organization > Roles & Auditing > Administrator Roles.
    2. Select a role group, and you'll see the roles assigned to the role group in the details pane.
      Note   Not all roles assigned to a role group are applicable or available to all cloud-based organizations.
  • In Windows PowerShell, run the following command:

    Get-ManagementRoleAssignment -RoleAssignee "<name of role group>"
    

    To view all role assignments in your organization, run the following command:

    Get-ManagementRoleAssignment
    

Role write scopes   The write scope defines the administrative boundary of the roles assigned to the role group. In other words, the write scope defines where members of the role group can make changes. For built-in administrator roles that allow users to modify objects, the default write scope is the entire organization.

You can also create custom write scopes based on recipient filters, for example "all users where Department equals 'finance'". If you create a new role group and assign the User Options role using that custom write scope, members of the role group can view and change account settings on the mailbox's Options page only for mailboxes where Department equals 'finance'. You create custom write scopes using the New-ManagementScope cmdlet.
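The scenario described above, carried through end to end, as an added example that is not part of the original page: create the finance recipient scope, create a role group whose User Options assignment is bound to it, and then verify the result. The scope name ("Finance Users"), the role group name ("Finance Help Desk") and the member alias ("kim") are illustrative assumptions; the cmdlets and parameters are the real Exchange ones.

```powershell
# Added example, not from the original page. Names below are assumptions.

# 1. Define the boundary. -RecipientRestrictionFilter takes an OPATH filter
#    string (not a PowerShell scriptblock), evaluated against recipient objects.
New-ManagementScope -Name "Finance Users" `
    -RecipientRestrictionFilter "Department -eq 'finance'"

# 2. Create the role group with the role assigned INSIDE that write scope.
#    Every role listed in -Roles inherits -CustomRecipientWriteScope, so the
#    members get no write access to mailboxes outside the filter.
New-RoleGroup -Name "Finance Help Desk" `
    -Description "Help desk staff for the finance department only" `
    -Roles "User Options" `
    -CustomRecipientWriteScope "Finance Users" `
    -Members "kim"

# 3. Verify the assignment: RecipientWriteScope should read CustomRecipientScope
#    and CustomRecipientWriteScope should name the scope you created. If it
#    reads Organization, the scope was not applied and the group is tenant-wide.
Get-ManagementRoleAssignment -RoleAssignee "Finance Help Desk" |
    Format-List Name, Role, RecipientWriteScope, CustomRecipientWriteScope

# 4. Verify the scope itself before handing the group out: a typo in the
#    attribute name or value silently yields a scope that matches nobody,
#    or (worse) the wrong population.
Get-ManagementScope -Identity "Finance Users" | Format-List Name, RecipientFilter
```

Step 3 is the check worth keeping in your change procedure: a role group's effective boundary is determined by its assignments, not by its name or description, so always read the assignment back rather than trusting the command that created it.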

To view the write scopes for each role assigned to a specific role group:

  • In the Exchange Control Panel

    1. Select Manage My Organization > Roles & Auditing > Administrator Roles.
    2. Select a role group and click Details to view the write scope for all assigned roles.
      Note   If any of the following conditions is true, you can't view the write scope in the Exchange Control Panel:
      •  An end-user role is assigned to the role group.
      •  A role is assigned to the role group using a different write scope than the other roles.
      •  Roles are assigned to the role group using exclusive write scopes. An exclusive write scope isolates specific mailboxes so they can be managed by designated administrators only. For more information, see Create Exclusive Write Scopes.
  • In Windows PowerShell, run the following command:

    Get-ManagementRoleAssignment -RoleAssignee "<name of role group>" | Format-List Role,RecipientWriteScope
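The commands in the preceding sections (Get-RoleGroup, Get-RoleGroupMember and Get-ManagementRoleAssignment) answer one question at a time. A practitioner reviewing who can do what across the whole organization wants them combined, so the following added example (not from the original page) walks every role group and produces one row per assignment with the group's members, the role, and the write scope, flagging the rows that deserve a second look: Organization Management membership, and any assignment whose scope is a custom or exclusive recipient scope rather than the organization-wide default. The output file name is an assumption.

```powershell
# Added example, not from the original page. Output path is an assumption.

# Scope types that mean "someone narrowed or isolated this on purpose"; the
# built-in admin roles default to Organization. Confirm each is intentional.
$nonDefaultScopes = @("CustomRecipientScope", "ExclusiveRecipientScope")

$report = foreach ($group in Get-RoleGroup) {
    $members     = Get-RoleGroupMember -Identity $group.Identity
    $memberNames = ($members | ForEach-Object { $_.Name }) -join "; "

    foreach ($a in Get-ManagementRoleAssignment -RoleAssignee $group.Identity) {
        [PSCustomObject]@{
            RoleGroup   = $group.Name
            MemberCount = @($members).Count
            Members     = $memberNames
            Role        = $a.Role
            WriteScope  = $a.RecipientWriteScope
            CustomScope = $a.CustomRecipientWriteScope
            # Review flag: tenant-wide admins, or a deliberately narrowed scope.
            Review      = ($group.Name -eq "Organization Management") -or
                          ($nonDefaultScopes -contains "$($a.RecipientWriteScope)")
        }
    }
}

# 1. Organization Management membership is the first thing to check: every
#    name here can change anything in the organization.
$report | Where-Object { $_.RoleGroup -eq "Organization Management" } |
    Select-Object -First 1 -ExpandProperty Members

# 2. Custom and exclusive scopes, one line per assignment.
$report | Where-Object { $nonDefaultScopes -contains "$($_.WriteScope)" } |
    Format-Table RoleGroup, Role, WriteScope, CustomScope -AutoSize

# 3. Role groups that exist but have no members (candidates for cleanup, or a
#    sign someone removed themselves from a group that should not be empty).
$report | Where-Object { $_.MemberCount -eq 0 } |
    Select-Object -Unique RoleGroup

# 4. Full report for the audit file or change ticket.
$report | Export-Csv -Path ".\RoleGroupAudit.csv" -NoTypeInformation
```

The scope column is the part the Exchange Control Panel cannot always show (see the note above about mixed and exclusive scopes); in PowerShell every assignment is visible individually, which is why an audit should be run from here rather than from the details pane.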
    

Roles   An RBAC role is a container for a grouping of management role entries. Roles define the specific tasks that can be performed by the members of a role group that the role is assigned to.

To view the administrator roles in your organization:

  • In the Exchange Control Panel

    1. Select Manage My Organization > Roles & Auditing > Administrator Roles.
    2. Click New or select an existing role group and click Details.
    3. In the Role Group page, in the Roles section, click Add. Note that we aren't going to modify the roles assigned to the role group. Instead, we just want to look at the list of administrator roles.
    4. In the Select a Role page, you can view the names and descriptions of the roles.
    5. When you are finished, click Cancel in the Select a Role page, and again in the Role Group page.
  • In Windows PowerShell, run the following command:

    Get-ManagementRole | Where {$_.IsEndUserRole -eq $false}
    

Role entries   Role entries are the individual entries on a management role. Role entries provide access to cmdlets, scripts, and other special permissions that let users perform a specific task. A role entry is often a single cmdlet and the parameters that members of a role group can run when the role is assigned to the role group.

To view the cmdlets and the parameters associated with a role without truncating the results:

  • In Windows PowerShell, run the following command:

    Get-ManagementRoleEntry "<name of the role>\*" | ConvertTo-Html > "<file name>.html"
    

    Open the resulting HTML file in a Web browser. The information is in the Name and Parameters columns.
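Reading a role's entries tells you what that role can run. The question a security reviewer usually has is the reverse: given one sensitive cmdlet parameter, which roles expose it, which role groups hold those roles, and therefore which people can run it. The following added example (not from the original page) answers that by walking role entries to roles, roles to assignments, and assignments to role group members. Set-Mailbox -ForwardingSmtpAddress is used as the example parameter because mailbox forwarding is a common way to keep access to a compromised account; the cmdlet and parameter exist, but the choice is illustrative and you can substitute any cmdlet and parameter.

```powershell
# Added example, not from the original page. The cmdlet/parameter pair is
# illustrative; substitute whatever you need to trace.
$cmdlet    = "Set-Mailbox"
$parameter = "ForwardingSmtpAddress"

# 1. Role entries -> roles. The wildcard role name matches every role that
#    contains the cmdlet; filter to entries that also expose the parameter,
#    because a role can grant a cmdlet with only a subset of its parameters.
$roles = Get-ManagementRoleEntry -Identity "*\$cmdlet" |
    Where-Object { $_.Parameters -contains $parameter } |
    ForEach-Object { $_.Role } |
    Sort-Object -Unique

# 2. Roles -> assignments. Keep only enabled, Regular assignments: a
#    Delegating assignment lets the assignee hand the role out but grants no
#    right to run the cmdlet itself.
$whoCan = foreach ($role in $roles) {
    Get-ManagementRoleAssignment -Role $role -Enabled $true |
        Where-Object { "$($_.RoleAssignmentDelegationType)" -eq "Regular" } |
        ForEach-Object {
            [PSCustomObject]@{
                Role        = $role
                Assignee    = $_.RoleAssigneeName
                Type        = $_.RoleAssigneeType
                WriteScope  = $_.RecipientWriteScope
                CustomScope = $_.CustomRecipientWriteScope
            }
        }
}
$whoCan | Format-Table -AutoSize

# 3. Assignments -> people. Expand role groups to their members; assignments
#    made directly to a user or policy show up in step 2 with Type <> RoleGroup.
$whoCan | Where-Object { "$($_.Type)" -eq "RoleGroup" } |
    ForEach-Object { Get-RoleGroupMember -Identity $_.Assignee } |
    Sort-Object Name -Unique |
    Format-Table Name, RecipientType -AutoSize
```

The write scope column matters here as much as the name list: a Help Desk member with a custom scope can only set forwarding on the mailboxes the scope covers, while an Organization Management member can set it on any mailbox. Get-ManagementRoleAssignment also accepts -GetEffectiveUsers, which expands role group membership for you; the explicit steps above are kept so each hop (entry, role, assignment, member) can be inspected on its own.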


Built-in role groups

The following built-in role groups are available by default. Remember that not all roles assigned to a role group are applicable or available to a cloud-based organization.

Role group   Administrative tasks members can perform

Discovery Management

Use Multi-Mailbox Search to search mailboxes across the organization for e-mail and other message types that contain specific keywords.

Help Desk

Reset passwords for users and manage settings on the Options page for users' cloud-based accounts. To help troubleshoot user issues, members can also view, but not modify, all mailboxes, distribution groups, and external contacts in the organization.

Note   In Office 365 for enterprises, you can't reset passwords in the Exchange Control Panel or Windows PowerShell. To allow a user to reset passwords in the Microsoft Office 365 portal, you must assign the Office 365 password administrator role to the user in the Microsoft Office 365 portal.

Organization Management

Manage all aspects of the cloud-based organization. By default, the account that you specified during the initial enrollment in the cloud-based e-mail service is a member of this role group.

Important   This is a very powerful role group. Only users who perform organization-level administrative tasks that may affect your entire organization should be members of this role group.

Recipient Management

Create and manage mailboxes, distribution groups, and external contacts. Members can also import new users, track messages sent and received by users, and manage Exchange ActiveSync settings for the organization.

Records Management

Create and manage organization-wide rules, also known as transport rules. Members can also track messages sent and received by users.

UM Management

Manage Unified Messaging (UM) server configurations, UM properties on mailboxes, UM prompts, and UM auto attendant configuration.

Note   This role group isn't available in Live@edu organizations.

View-Only Organization Management

View, but not modify, all mailboxes, distribution groups, and external contacts in the organization. Members can also view settings for role assignment policies, transport rules, and organization-wide settings.
