Manage role groups in Exchange Online

A role group is a special kind of universal security group (USG) that's used in the Role Based Access Control (RBAC) permissions model in Exchange Online. Management role groups simplify the assignment and maintenance of permissions to users in Exchange Online. The members of the role group are assigned the same set of roles, and you add and remove permissions from users by adding them to or removing them from the role group. For more information about role groups in Exchange Online, see Permissions in Exchange Online.

What do you need to know before you begin?

  • Estimated time to complete each procedure: 5 to 10 minutes

  • To open the Exchange admin center (EAC), see Exchange admin center in Exchange Online. To open Exchange Online PowerShell, see Connect to Exchange Online PowerShell.

  • The procedures in this topic require the Role Management RBAC role in Exchange Online. Typically, you get this permission via membership in the Organization Management role group (the Microsoft 365 or Office 365 Global administrator role).

  • For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts for the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Online, or Exchange Online Protection.

View role groups

Use the new EAC to view role groups

  1. In the new EAC, go to Roles > Admin roles. All of the role groups in your organization are listed here.

  2. Select a role group. The details pane shows the Name, Description, Managed by, Write scope, Assigned, and Permissions of the role group.

Use the Classic EAC to view role groups

  1. In the Classic EAC, go to Permissions > Admin Roles. All of the role groups in your organization are listed here.

  2. Select a role group. The details pane shows the Name, Description, Assigned roles, Members, Managed by, and Write scope of the role group. You can also see this information by clicking Edit.

Use Exchange Online PowerShell to view role groups

To view a role group, use the following syntax:

Get-RoleGroup [-Identity "<Role Group Name>"] [-Filter <Filter>]

This example returns a summary list of all role groups.

Get-RoleGroup

This example returns detailed information for the role group named Recipient Administrators.

Get-RoleGroup -Identity "Recipient Administrators" | Format-List

This example returns all role groups where the user Julia is a member. You need to use the DistinguishedName (DN) value for Julia, which you can find by running the command: Get-User -Identity Julia | Format-List DistinguishedName.

Get-RoleGroup -Filter "Members -eq 'CN=Julia,OU=contoso.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=NAMPR001,DC=PROD,DC=OUTLOOK,DC=COM'"

For detailed syntax and parameter information, see Get-RoleGroup.

Create role groups

When you create a new role group, you need to configure all of the settings yourself (during the creation of the group or after). To start with the configuration of an existing role group and modify it, see Copy existing role groups.

Use the new EAC to create role groups

  1. In the new EAC, go to Roles > Admin roles and then click Add role group.

  2. In the Add role group window, under the Set up the basics section, configure the following settings and click Next:

    • Name: Enter a unique name for the role group.

    • Description: Enter an optional description for the role group.

    • Write scope: The default value is Default, but you can also select a custom recipient write scope from the drop-down list.

  3. In the Add permissions section, select the roles and click Next. Roles define the scope of the tasks that the members assigned to this role group have permission to manage.

  4. In the Assign admins section, select the users to assign to this role group and click Next. They'll have permissions to manage the roles that you assigned.

  5. In the Review role group and finish section, verify all the details, and then click Add role group.

  6. Click Done.

Use the Classic EAC to create role groups

  1. In the Classic EAC, go to Permissions > Admin Roles and then click Add.

  2. In the New role group window that appears, configure the following settings:

    • Name: Enter a unique name for the role group.

    • Description: Enter an optional description for the role group.

    • Write scope: The default value is Default, but you can also select a custom recipient write scope that you've already created.

    • Roles: Click Add to select the roles that you want to be assigned to the role group in the new window that appears.

    • Members: Click Add to select the members that you want to add to the role group in the new window that appears. You can select users, mail-enabled universal security groups (USGs), or other role groups (security principals).

    When you're finished, click Save to create the role group.

Use Exchange Online PowerShell to create a role group

To create a new role group, use the following syntax:

New-RoleGroup -Name "Unique Name" -Description "Descriptive text" -Roles <"Role1","Role2"...> -ManagedBy <Managers> -Members <Members> -CustomRecipientWriteScope "<Existing Write Scope Name>"

  • The Roles parameter specifies the management roles to assign to the role group by using the following syntax: "Role1","Role2",..."RoleN". You can see the available roles by using the Get-ManagementRole cmdlet.

  • The Members parameter specifies the members of the role group by using the following syntax: "Member1","Member2",..."MemberN". You can specify users, mail-enabled universal security groups (USGs), or other role groups (security principals).

  • The ManagedBy parameter specifies the delegates who can modify and remove the role group by using the following syntax: "Delegate1","Delegate2",..."DelegateN". Note that this setting isn't available in the EAC.

  • The CustomRecipientWriteScope parameter specifies the existing custom recipient write scope to apply to the role group. You can see the available custom recipient write scopes by using the Get-ManagementScope cmdlet.

This example creates a new role group named "Limited Recipient Management" with the following settings:

  • The Mail Recipients and Mail Enabled Public Folders roles are assigned to the role group.

  • The users Kim and Martin are added as members. Because no custom recipient write scope was specified, Kim and Martin can manage any recipient in the organization.

New-RoleGroup -Name "Limited Recipient Management" -Roles "Mail Recipients","Mail Enabled Public Folders" -Members "Kim","Martin"

This is the same example with a custom recipient write scope, which means Kim and Martin can only manage recipients that are included in the Seattle Recipients scope (recipients who have their City property set to the value Seattle).

New-RoleGroup -Name "Limited Recipient Management" -Roles "Mail Recipients","Mail Enabled Public Folders" -Members "Kim","Martin" -CustomRecipientWriteScope "Seattle Recipients"

For detailed syntax and parameter information, see New-RoleGroup.

Copy existing role groups

If an existing role group is close in terms of the permissions and settings that you want to assign to users, you can copy the existing role group and modify the copy to suit your needs.

Use the new EAC to copy a role group

Note: You can't use the new EAC to copy a role group if you've used Exchange Online PowerShell to configure multiple scopes or exclusive scopes on the role group. To copy role groups that have these settings, you need to use Exchange Online PowerShell.

  1. In the new EAC, go to Roles > Admin roles.

  2. Select the role group that you want to copy and then click Copy role group.

  3. In the Copy role group window, under the Set up the basics section, configure the following settings and click Next:

    • Name: The default value is "Copy of <Role Group Name>", but you can enter a unique name for the role group.

    • Description: The existing description is present, but you can change it.

    • Write scope: The existing write scope is selected, but you can select Default or a custom recipient write scope from the drop-down list.

  4. In the Edit permissions section, modify the roles and click Next. Roles define the scope of the tasks that the members assigned to this role group have permission to manage.

  5. In the Assign admins section, modify the role group membership and click Next. They'll have permissions to manage the roles that you assigned.

  6. In the Review role group and finish section, verify all the details, and then click Copy role group.

  7. Click Done.

Use the Classic EAC to copy a role group

Note: You can't use the Classic EAC to copy a role group if you've used Exchange Online PowerShell to configure multiple scopes or exclusive scopes on the role group. To copy role groups that have these settings, you need to use Exchange Online PowerShell.

  1. In the Classic EAC, go to Permissions > Admin Roles.

  2. Select the role group that you want to copy and then click Copy.

  3. In the New role group window that appears, configure the following settings:

    • Name: The default value is "Copy of <Role Group Name>", but you can enter a unique name for the role group.

    • Description: The existing description is present, but you can change it.

    • Write scope: The existing write scope is selected, but you can select Default or another custom recipient write scope that you've already created.

    • Roles: Click Add or Remove to modify the roles that are assigned to the role group.

    • Members: Click Add or Remove to modify the role group membership.

    When you're finished, click Save to create the role group.

Use Exchange Online PowerShell to copy a role group

  1. Store the role group that you want to copy in a variable using the following syntax:

    $RoleGroup = Get-RoleGroup "<Existing Role Group Name>"
    
  2. Create the new role group using the following syntax:

    New-RoleGroup -Name "<Unique Name>" -Roles $RoleGroup.Roles [-Members <Members>] [-ManagedBy <Managers>] [-CustomRecipientWriteScope "<Existing Custom Recipient Write Scope Name>"]
    
    • The Members parameter specifies the members of the role group by using the following syntax: "Member1","Member2",..."MemberN". You can specify users, mail-enabled universal security groups (USGs), or other role groups (security principals).

    • The ManagedBy parameter specifies the delegates who can modify and remove the role group by using the following syntax: "Delegate1","Delegate2",..."DelegateN". Note that this setting isn't available in the EAC.

    • The CustomRecipientWriteScope parameter specifies the existing custom recipient write scope to apply to the role group. You can see the available custom recipient write scopes by using the Get-ManagementScope cmdlet.

This example copies the Organization Management role group to the new role group named "Limited Organization Management". The role group members are Isabelle, Carter, and Lukas and the role group delegates are Jenny and Katie.

$RoleGroup = Get-RoleGroup "Organization Management"
New-RoleGroup "Limited Organization Management" -Roles $RoleGroup.Roles -Members "Isabelle","Carter","Lukas" -ManagedBy "Jenny","Katie"

This example copies the Organization Management role group to the new role group called Vancouver Organization Management with the Vancouver Users custom recipient write scope.

$RoleGroup = Get-RoleGroup "Organization Management"
New-RoleGroup "Vancouver Organization Management" -Roles $RoleGroup.Roles -CustomRecipientWriteScope "Vancouver Users"

For detailed syntax and parameter information, see New-RoleGroup.

Modify role groups

Use the new EAC to modify role groups

  1. In the new EAC, go to Roles > Admin roles, select the role group you want to modify, and then edit the following in the details pane:

    • In the General section, click Edit basics to change the name and description.

    • In the Assigned section, add or delete users from this role group.

    • In the Permissions section, add or remove roles assigned to the role group.

  2. When you're finished, click Save.

Use the Classic EAC to modify role groups

  1. In the Classic EAC, go to Permissions > Admin Roles, select the role group you want to modify, and then click Edit.

The same options are available when you modify role groups as when you create them (see Use the Classic EAC to create role groups). You can:

  • Change the name and description.

  • Change the write scope (if you've created custom recipient write scopes).

  • Add and remove management roles (create or remove role assignments).

  • Add and remove members.

Notes:

  • You can't use the Classic EAC to modify the write scope, roles, and members of a role group if you've used Exchange Online PowerShell to configure multiple scopes or exclusive scopes on the role group. To modify the settings of these role groups, you need to use Exchange Online PowerShell.

  • Some role groups (for example, the Organization Management role group) restrict the roles that you can remove from the group.

  • You can't add or remove delegates to a role group in the Classic EAC. You can only use Exchange Online PowerShell.

Use Exchange Online PowerShell to add roles to role groups (create role assignments)

To add roles to role groups in Exchange Online PowerShell, you create management role assignments by using the following syntax:

New-ManagementRoleAssignment [-Name "<Unique Name>"] -SecurityGroup "<Role Group Name>" -Role "<Role Name>" [-RecipientRelativeWriteScope <MyGAL | MyDistributionGroups | Organization | Self>] [-CustomRecipientWriteScope "<Role Scope Name>"]

  • The role assignment name is created automatically if you don't specify one.

  • If you don't use the RecipientRelativeWriteScope parameter, the implicit read scope and implicit write scope of the role is applied to the role assignment.

  • If a predefined scope meets your business requirements, you can use the RecipientRelativeWriteScope parameter to apply the scope to the role assignment.

  • To apply a custom recipient write scope, use the CustomRecipientWriteScope parameter.

This example assigns the Transport Rules management role to the Seattle Compliance role group.

New-ManagementRoleAssignment -SecurityGroup "Seattle Compliance" -Role "Transport Rules"

This example assigns the Message Tracking role to the Enterprise Support role group and applies the Organization predefined scope.

New-ManagementRoleAssignment -SecurityGroup "Enterprise Support" -Role "Message Tracking" -RecipientRelativeWriteScope Organization

This example assigns the Message Tracking role to the Seattle Recipient Admins role group and applies the Seattle Recipients scope.

New-ManagementRoleAssignment -SecurityGroup "Seattle Recipient Admins" -Role "Message Tracking" -CustomRecipientWriteScope "Seattle Recipients"

For detailed syntax and parameter information, see New-ManagementRoleAssignment.

Use Exchange Online PowerShell to remove roles from role groups (remove role assignments)

To remove roles from role groups in Exchange Online PowerShell, you remove management role assignments by using the following syntax:

Get-ManagementRoleAssignment -RoleAssignee "<Role Group Name>" -Role "<Role Name>" -Delegating <$true | $false> | Remove-ManagementRoleAssignment

  • To remove regular role assignments that grant permissions to users, use the value $false for the Delegating parameter.

  • To remove delegating role assignments that allow the role to be assigned to others, use the value $true for the Delegating parameter.

This example removes the Distribution Groups role from the Seattle Recipient Administrators role group.

Get-ManagementRoleAssignment -RoleAssignee "Seattle Recipient Administrators" -Role "Distribution Groups" -Delegating $false | Remove-ManagementRoleAssignment

For detailed syntax and parameter information, see Remove-ManagementRoleAssignment.

Use Exchange Online PowerShell to modify the scope of role assignments in role groups

The write scope of a role assignment in a role group defines the objects that the members of the role group can operate on (for example, all users, or only the users whose City property has the value Vancouver). You can modify the write scope of the roles assigned to a role group to:

  • The implicit scope from the roles themselves. This means you didn't specify any custom scopes when you created the role group, or you set the value of all role assignments in an existing role group to the value $null.

  • The same custom scope for all role assignments.

  • Different custom scopes for each individual role assignment.

To set the scope on all of the role assignments on a role group at the same time, use the following syntax:

Get-ManagementRoleAssignment -RoleAssignee "<Role Group Name>" | Set-ManagementRoleAssignment [-CustomRecipientWriteScope "<Recipient Write Scope Name>"] [-RecipientRelativeWriteScope <MyDistributionGroups | Organization | Self>] [-ExclusiveRecipientWriteScope "<Exclusive Recipient Write Scope name>"]

This example changes the recipient scope for all role assignments on the Sales Recipient Management role group to Direct Sales Employees.

Get-ManagementRoleAssignment -RoleAssignee "Sales Recipient Management" | Set-ManagementRoleAssignment -CustomRecipientWriteScope "Direct Sales Employees"

To change the scope on an individual role assignment between a role group and a management role, do the following steps:

  1. Replace <Role Group Name> with the name of the role group and run the following command to find the names of all the role assignments on the role group:

    Get-ManagementRoleAssignment -RoleAssignee "<Role Group Name>" | Format-List Name
    
  2. Find the name of the role assignment you want to change. Use the name of the role assignment in the next step.

  3. To set the scope on the individual role assignment, use the following syntax:

    Set-ManagementRoleAssignment -Identity "<Role Assignment Name>" [-CustomRecipientWriteScope "<Recipient Write Scope Name>"] [-RecipientRelativeWriteScope <MyDistributionGroups | Organization | Self>] [-ExclusiveRecipientWriteScope "<Exclusive Recipient Write Scope name>"]
    

    This example changes the recipient scope for the role assignment named Mail Recipients_Sales Recipient Management to All Sales Employees.

    Set-ManagementRoleAssignment "Mail Recipients_Sales Recipient Management" -CustomRecipientWriteScope "All Sales Employees"
    

For detailed syntax and parameter information, see Set-ManagementRoleAssignment.
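To review which role groups run with implicit, multiple, or exclusive write scopes (role groups with multiple or exclusive scopes can't be copied or modified in the EAC), the following added example summarizes role assignments per role group. It is not part of the original documentation; the sample objects are constructed, the "Protected Recipient Admins" group is hypothetical, and the function reads only the properties shown, as expected on Get-ManagementRoleAssignment output.

```powershell
# Added example: summarize the write scopes of role assignments per role group.
function Get-RoleGroupScopeSummary {
    [CmdletBinding()]
    param(
        # Objects shaped like Get-ManagementRoleAssignment output.
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject[]]$Assignment
    )
    begin   { $all = [System.Collections.Generic.List[psobject]]::new() }
    process { foreach ($a in $Assignment) { $all.Add($a) } }
    end {
        $all |
            Where-Object { $_.RoleAssigneeType -eq 'RoleGroup' } |
            Group-Object -Property RoleAssigneeName |
            ForEach-Object {
                $g = $_              # one Group-Object bucket per role group
                $items = $g.Group
                # One label per assignment: the custom scope name, or the implicit scope.
                $labels = @($items | ForEach-Object {
                    if ($_.CustomRecipientWriteScope) { [string]$_.CustomRecipientWriteScope }
                    else { "implicit:$($_.RecipientWriteScope)" }
                } | Sort-Object -Unique)
                # Assignments that use an exclusive recipient write scope.
                $exclusive = @($items | Where-Object {
                    [string]$_.RecipientWriteScope -eq 'ExclusiveRecipientScope' })
                # Roles that fall back to the role's own implicit write scope.
                $implicit = @($items |
                    Where-Object { -not $_.CustomRecipientWriteScope } |
                    ForEach-Object { [string]$_.Role } | Sort-Object -Unique)

                [pscustomobject]@{
                    RoleGroup          = $g.Name
                    WriteScopes        = $labels -join '; '
                    MultipleScopes     = $labels.Count -gt 1
                    ExclusiveScope     = $exclusive.Count -gt 0
                    ImplicitScopeRoles = $implicit -join '; '
                }
            }
    }
}

# Constructed sample data (not real tenant output); only the properties used above.
function New-SampleAssignment($Group, $Role, $Custom, $Scope) {
    [pscustomobject]@{
        Name                      = "${Role}_$Group"
        Role                      = $Role
        RoleAssigneeName          = $Group
        RoleAssigneeType          = 'RoleGroup'
        CustomRecipientWriteScope = $Custom
        RecipientWriteScope       = $Scope
    }
}
$sample = @(
    New-SampleAssignment 'Limited Recipient Management' 'Mail Recipients' $null 'Organization'
    New-SampleAssignment 'Limited Recipient Management' 'Mail Enabled Public Folders' $null 'Organization'
    New-SampleAssignment 'Sales Recipient Management' 'Mail Recipients' 'All Sales Employees' 'CustomRecipientScope'
    New-SampleAssignment 'Sales Recipient Management' 'Distribution Groups' 'Direct Sales Employees' 'CustomRecipientScope'
    New-SampleAssignment 'Seattle Recipient Admins' 'Message Tracking' 'Seattle Recipients' 'CustomRecipientScope'
    # Hypothetical group and scope names, used to exercise the exclusive-scope flag.
    New-SampleAssignment 'Protected Recipient Admins' 'Mail Recipients' 'Protected Recipients' 'ExclusiveRecipientScope'
)
$sample | Get-RoleGroupScopeSummary | Format-Table -AutoSize -Wrap

# Against a live session (after Connect-ExchangeOnline):
#   Get-ManagementRoleAssignment | Get-RoleGroupScopeSummary
```

In the sample, Limited Recipient Management is reported with both roles on the implicit scope, Sales Recipient Management with MultipleScopes set, and Protected Recipient Admins with ExclusiveScope set.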

Use Exchange Online PowerShell to modify the list of delegates in role groups

Role group delegates define who is allowed to modify and delete the role group. You can't manage role group delegates in the EAC.

To modify the list of delegates in a role group, use the following syntax:

Set-RoleGroup -Identity "<Role Group Name>" -ManagedBy <Delegates>

  • To replace the existing list of delegates with the values you specify, use the following syntax: "Delegate1","Delegate2",..."DelegateN".

  • To selectively modify the existing list of delegates, use the following syntax: @{Add="Delegate1","Delegate2"...; Remove="Delegate3","Delegate4"...}.

This example replaces all current delegates of the Help Desk role group with the specified users.

Set-RoleGroup -Identity "Help Desk" -ManagedBy "Gabriela Laureano","Hyun-Ae Rim","Jacob Berger"

This example adds Daigoro Akai and removes Valeria Barrios from the list of delegates on the Help Desk role group.

Set-RoleGroup -Identity "Help Desk" -ManagedBy @{Add="Daigoro Akai"; Remove="Valeria Barrios"}

For detailed syntax and parameter information, see Set-RoleGroup.

Use Exchange Online PowerShell to modify the list of members in role groups

  • The Add-RoleGroupMember and Remove-RoleGroupMember cmdlets add or remove individual members one at a time. The Update-RoleGroupMember cmdlet can replace or modify the existing list of members.

  • The members of a role group can be users, mail-enabled universal security groups (USGs), or other role groups (security principals).

To modify the members of a role group, use the following syntax:

Update-RoleGroupMember -Identity "<Role Group Name>" -Members <Members> [-BypassSecurityGroupManagerCheck]

  • To replace the existing list of members with the values you specify, use the following syntax: "Member1","Member2",..."MemberN".

  • To selectively modify the existing list of members, use the following syntax: @{Add="Member1","Member2"...; Remove="Member3","Member4"...}.

This example replaces all current members of the Help Desk role group with the specified users.

Update-RoleGroupMember -Identity "Help Desk" -Members "Gabriela Laureano","Hyun-Ae Rim","Jacob Berger"

This example adds Daigoro Akai and removes Valeria Barrios from the list of members on the Help Desk role group.

Update-RoleGroupMember -Identity "Help Desk" -Members @{Add="Daigoro Akai"; Remove="Valeria Barrios"}

For detailed syntax and parameter information, see Update-RoleGroupMember.

Remove role groups

You can't remove built-in role groups, but you can remove custom role groups that you've created.

Notes:

  • When you remove a role group, the management role assignments between the role group and the management roles are deleted. Any management roles that are assigned to the role group aren't deleted.

  • If a user depends on the role group for access to a feature, the user will no longer have access to the feature after you delete the role group.
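Before removing a role group, it helps to know which members would lose roles that no other role group grants them. The following added example (not part of the original documentation) computes that from objects shaped like Get-RoleGroup output, using the Name, Roles and Members properties; the sample role groups are constructed, and nested group membership and roles assigned directly to users are not resolved.

```powershell
# Added example: per-member impact of removing one role group.
function Get-RoleGroupRemovalImpact {
    [CmdletBinding()]
    param(
        # All role groups, shaped like Get-RoleGroup output (Name, Roles, Members).
        [Parameter(Mandatory)][psobject[]]$RoleGroup,
        # Name of the role group that is about to be removed.
        [Parameter(Mandatory)][string]$Name
    )
    $match = @($RoleGroup | Where-Object { $_.Name -eq $Name })
    if ($match.Count -ne 1) {
        throw "Expected exactly one role group named '$Name', found $($match.Count)."
    }
    $target      = $match[0]
    $targetRoles = @($target.Roles | ForEach-Object { [string]$_ })
    $others      = @($RoleGroup | Where-Object { $_.Name -ne $Name })

    foreach ($member in $target.Members) {
        $m = [string]$member
        # Roles this member still holds through direct membership in other role groups.
        $viaOthers = @($others |
            Where-Object { @($_.Members | ForEach-Object { [string]$_ }) -contains $m } |
            ForEach-Object { $_.Roles | ForEach-Object { [string]$_ } } |
            Sort-Object -Unique)
        $lost = @($targetRoles | Where-Object { $viaOthers -notcontains $_ })
        $kept = @($targetRoles | Where-Object { $viaOthers -contains $_ })

        [pscustomobject]@{
            Member      = $m
            RolesLost   = $lost -join '; '
            RolesKept   = $kept -join '; '
            LosesAccess = $lost.Count -gt 0
        }
    }
}

# Constructed sample data (not real tenant output).
$groups = @(
    [pscustomobject]@{
        Name    = 'Training Administrators'
        Roles   = @('Mail Recipients', 'Distribution Groups')
        Members = @('Kim', 'Martin')
    }
    [pscustomobject]@{
        Name    = 'Limited Recipient Management'
        Roles   = @('Mail Recipients', 'Mail Enabled Public Folders')
        Members = @('Kim')
    }
)
Get-RoleGroupRemovalImpact -RoleGroup $groups -Name 'Training Administrators' |
    Format-Table -AutoSize

# Against a live session (after Connect-ExchangeOnline):
#   Get-RoleGroupRemovalImpact -RoleGroup (Get-RoleGroup) -Name 'Training Administrators'
```

In the sample, Kim keeps Mail Recipients through Limited Recipient Management and loses only Distribution Groups, while Martin loses both roles.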

Use the new EAC to remove a role group

  1. In the new EAC, go to Roles > Admin roles.

  2. Select the role group and click Delete.

  3. Click Confirm in the confirmation window.

Use the EAC to remove a role group

  1. In the EAC, go to Permissions > Admin Roles.

  2. Select the role group you want to remove and then click Delete.

  3. Click Yes in the confirmation window that appears.

Use Exchange Online PowerShell to remove a role group

To remove a custom role group, use the following syntax:

Remove-RoleGroup -Identity "<Role Group Name>" [-BypassSecurityGroupManagerCheck]

This example removes the Training Administrators role group.

Remove-RoleGroup -Identity "Training Administrators"

This example removes the Vancouver Recipient Administrators role group. Because the user running the command isn't defined in the ManagedBy property of the role group, the BypassSecurityGroupManagerCheck switch is required in the command. The user that's running the command is assigned the Role Management role, which enables the user to bypass the security group manager check.

Remove-RoleGroup -Identity "Vancouver Recipient Administrators" -BypassSecurityGroupManagerCheck

For detailed syntax and parameter information, see Remove-RoleGroup.