
Set-ManagementRoleAssignment

This cmdlet is available in on-premises Exchange and in the cloud-based service. Some parameters and settings may be exclusive to one environment or the other.

Use the Set-ManagementRoleAssignment cmdlet to modify existing management role assignments.

For information about the parameter sets in the Syntax section below, see Exchange cmdlet syntax.

Description

When you modify a role assignment, you can specify a new predefined or custom management scope or provide an organizational unit (OU) to scope the existing role assignment.

You can create custom management scopes using the New-ManagementScope cmdlet and can view a list of existing scopes using the Get-ManagementScope cmdlet. If you choose not to specify an OU, predefined scope, or custom scope, the implicit write scope of the role applies to the role assignment.

For more information about management role assignments, see Understanding management role assignments.

You need to be assigned permissions before you can run this cmdlet. Although this topic lists all parameters for the cmdlet, you may not have access to some parameters if they're not included in the permissions assigned to you. To find the permissions required to run any cmdlet or parameter in your organization, see Find the permissions required to run any Exchange cmdlet.

Examples

This example disables the Mail Recipients_Denver Help Desk role assignment. When a role assignment is disabled, the users assigned the role can no longer run cmdlets granted by the role.

This example changes the recipient scope for the MyGAL_KimA role assignment to MyGAL. When the recipient scope is changed to a predefined value, any previously defined OUs or custom scopes are overwritten.

This example restricts the Mail Recipients_Marketing Admins role assignment to the contoso.com/North America/Marketing/Users OU. Users who are members of the Marketing Admins role group assigned the role assignment can create, modify, and remove objects only in the specified OU. When the RecipientOrganizationalUnitScope parameter is used, any predefined or custom scopes on the role assignment are overwritten.

This example restricts the Distribution Groups_Cairns Admins role assignment using the Cairns Recipients custom recipient management scope. Users that are members of the Cairns Admins role group assigned the role assignment can create, modify, and remove only the distribution group objects that match the Cairns Recipients custom recipient management scope.
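The following is an added example and not one of the documentation page's own examples. It wraps Set-ManagementRoleAssignment so that exactly one recipient scope parameter is passed (the parameter descriptions below note that these parameters cannot be combined and overwrite each other), previews the change with -WhatIf unless -Apply is given, and reads the assignment back so the narrowed scope can be confirmed. The function name, the -Apply switch and the placeholder names are assumptions; an existing Exchange Management Shell or Exchange Online PowerShell session is assumed.

```powershell
# Added example (not from the Microsoft documentation page). Assumes an existing
# Exchange Management Shell or Exchange Online PowerShell session.
# Set-ScopedRoleAssignment is an assumed helper name; the -Apply switch is ours.
function Set-ScopedRoleAssignment {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Identity,   # name of the role assignment to modify
        [string] $OrganizationalUnit,      # -> RecipientOrganizationalUnitScope, 'domain/ou' form
        [string] $CustomRecipientScope,    # -> CustomRecipientWriteScope, an existing Get-ManagementScope entry
        [ValidateSet('None', 'Organization', 'MyGAL', 'Self', 'MyDistributionGroups')]
        [string] $RelativeWriteScope,      # -> RecipientRelativeWriteScope, only the values usable on the command line
        [switch] $Apply                    # without this switch only a -WhatIf preview is performed
    )

    # The cmdlet documentation states these parameters are mutually exclusive and that each
    # overwrites any scope set by the others. Fail before touching the assignment if they are mixed.
    $chosen = @($OrganizationalUnit, $CustomRecipientScope, $RelativeWriteScope) | Where-Object { $_ }
    if (@($chosen).Count -ne 1) {
        throw 'Specify exactly one of -OrganizationalUnit, -CustomRecipientScope or -RelativeWriteScope.'
    }

    # Snapshot the current scope so the change can be compared afterwards.
    $before = Get-ManagementRoleAssignment -Identity $Identity -ErrorAction Stop

    # Build the parameter set for Set-ManagementRoleAssignment by splatting.
    $params = @{ Identity = $Identity }
    if ($OrganizationalUnit)   { $params.RecipientOrganizationalUnitScope = $OrganizationalUnit }
    if ($CustomRecipientScope) { $params.CustomRecipientWriteScope       = $CustomRecipientScope }
    if ($RelativeWriteScope)   { $params.RecipientRelativeWriteScope     = $RelativeWriteScope }

    if (-not $Apply) {
        # Preview only: -WhatIf reports what would change without applying it.
        Set-ManagementRoleAssignment @params -WhatIf
        return $before
    }

    Set-ManagementRoleAssignment @params
    $after = Get-ManagementRoleAssignment -Identity $Identity -ErrorAction Stop

    # Report the scope fields before and after, so an accidental widening
    # (for example back to Organization) is as visible as the intended narrowing.
    [pscustomobject]@{
        Assignment                 = $Identity
        RoleAssignee               = $after.RoleAssigneeName
        RecipientWriteScope_Before = $before.RecipientWriteScope
        RecipientWriteScope_After  = $after.RecipientWriteScope
        CustomScope_Before         = $before.CustomRecipientWriteScope
        CustomScope_After          = $after.CustomRecipientWriteScope
        Enabled                    = $after.Enabled
    }
}

# Usage with the names from the examples above (preview first, then apply and verify):
# Set-ScopedRoleAssignment -Identity 'Mail Recipients_Marketing Admins' `
#     -OrganizationalUnit 'contoso.com/North America/Marketing/Users'
# Set-ScopedRoleAssignment -Identity 'Mail Recipients_Marketing Admins' `
#     -OrganizationalUnit 'contoso.com/North America/Marketing/Users' -Apply
```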

Parameters

-Confirm

The Confirm switch specifies whether to show or hide the confirmation prompt. How this switch affects the cmdlet depends on if the cmdlet requires confirmation before proceeding.

  • Destructive cmdlets (for example, Remove-* cmdlets) have a built-in pause that forces you to acknowledge the command before proceeding. For these cmdlets, you can skip the confirmation prompt by using this exact syntax: -Confirm:$false .
  • Most other cmdlets (for example, New-* and Set-* cmdlets) don't have a built-in pause. For these cmdlets, specifying the Confirm switch without a value introduces a pause that forces you to acknowledge the command before proceeding.

-CustomConfigWriteScope

This parameter is available only in on-premises Exchange.

The CustomConfigWriteScope parameter specifies the existing configuration management scope to associate with this management role assignment. If the management scope name contains spaces, enclose it in quotation marks (").

If you use the CustomConfigWriteScope parameter, you can't use the ExclusiveConfigWriteScope parameter.

To remove a scope, specify a value of $null.

-CustomRecipientWriteScope

The CustomRecipientWriteScope parameter specifies the existing recipient-based management scope to associate with this management role assignment. If the management scope name contains spaces, enclose it in quotation marks (").

If you use the CustomRecipientWriteScope parameter, you can't use the RecipientOrganizationalUnitScope, RecipientRelativeWriteScope, or ExclusiveRecipientWriteScope parameters, and any configured OU or predefined scope on the role assignment is overwritten.

-CustomResourceScope

This parameter is available only in the cloud-based service.

The CustomResourceScope parameter specifies the custom management scope to associate with this management role assignment. You can use any value that uniquely identifies the management scope. For example:

  • Distinguished name (DN)

If the value contains spaces, enclose the value in quotation marks (").

You use this parameter with the App parameter to assign permissions to service principals. For more information about service principals, see Application and service principal objects in Microsoft Entra ID.

-DomainController

The DomainController parameter specifies the domain controller that's used by this cmdlet to read data from or write data to Active Directory. You identify the domain controller by its fully qualified domain name (FQDN). For example, dc01.contoso.com.

-Enabled

The Enabled parameter specifies whether the management role assignment is enabled or disabled. The valid values are $true and $false.

-ExclusiveConfigWriteScope

The ExclusiveConfigWriteScope parameter specifies the existing configuration exclusive management scope to associate with this management role assignment. If the management scope name contains spaces, enclose it in quotation marks (").

If you use the ExclusiveConfigWriteScope parameter, you can't use the CustomConfigWriteScope parameter.

-ExclusiveRecipientWriteScope

The ExclusiveRecipientWriteScope parameter specifies the existing recipient-based exclusive management scope to associate with this management role assignment. If the management scope name contains spaces, enclose it in quotation marks (").

If you use the ExclusiveRecipientWriteScope parameter, you can't use the CustomRecipientWriteScope, RecipientOrganizationalUnitScope, or RecipientRelativeWriteScope parameters and any configured OU or predefined scope on the role assignment is overwritten.

-Force

The Force switch hides warning or confirmation messages. You don't need to specify a value with this switch.

You can use this switch to run tasks programmatically where prompting for administrative input is inappropriate.

-Identity

The Identity parameter specifies the name of the management role assignment to modify. If the name of the management role assignment contains spaces, enclose it in quotation marks (").

-RecipientAdministrativeUnitScope

This parameter is functional only in the cloud-based service.

The RecipientAdministrativeUnitScope parameter specifies the administrative unit to scope the role assignment to.

Administrative units are Microsoft Entra containers of resources. You can view the available administrative units by using the Get-AdministrativeUnit cmdlet.

You can't use this parameter with any of the other scope parameters.

-RecipientGroupScope

The RecipientGroupScope parameter specifies a group to consider for scoping the role assignment. Individual members of the specified group (not nested groups) are considered as in scope for the assignment. You can use any value that uniquely identifies the group: Name, DistinguishedName, GUID, or DisplayName.

-RecipientOrganizationalUnitScope

The RecipientOrganizationalUnitScope parameter specifies the OU to scope the new role assignment to. If the OU name contains spaces, enclose the domain and OU in quotation marks (").

If you use the RecipientOrganizationalUnitScope parameter, you can't use the CustomRecipientWriteScope, ExclusiveRecipientWriteScope, or RecipientRelativeWriteScope parameters and any predefined scopes or custom scopes on the role assignment are overwritten.

To specify an OU, use the syntax: domain/ou. To remove an OU, specify a value of $null.

-RecipientRelativeWriteScope

The RecipientRelativeWriteScope parameter specifies the type of restriction to apply to a recipient scope.

If you use the RecipientRelativeWriteScope parameter, you can't use the CustomRecipientWriteScope, ExclusiveRecipientWriteScope, or RecipientOrganizationalUnitScope parameters.

The available types are: None, Organization, MyGAL, Self and MyDistributionGroups. If you specify a predefined scope, any custom scope or configured OU on the role assignment is overwritten.

Even though the NotApplicable, OU, MyDirectReports, CustomRecipientScope, MyExecutive, MailboxICanDelegate, and ExclusiveRecipientScope values appear in the syntax block for this parameter, they can't be used directly on the command line. They're used internally by the cmdlet.

-WhatIf

The WhatIf switch simulates the actions of the command. You can use this switch to view the changes that would occur without actually applying those changes. You don't need to specify a value with this switch.

Input types

To see the input types that this cmdlet accepts, see Cmdlet Input and Output Types. If the Input Type field for a cmdlet is blank, the cmdlet doesn't accept input data.

Output types

To see the return types, which are also known as output types, that this cmdlet accepts, see Cmdlet Input and Output Types. If the Output Type field is blank, the cmdlet doesn't return data.


MSExchangeGuru.com

How to setup Exchange 2016 Admin Roles

Admin roles are needed in the organization to grant administrators permission to manage a specific area, such as users or databases.

There are two ways to use administrative roles:

  • Use the default administrative roles.
  • Create custom administrative roles.

Before you start to manage admin roles, you should answer three questions:

  • Who will be assigned to this admin role?
  • What exact tasks do the administrators need to be able to do?
  • What is the scope that the administrators will have access to manage?

To use the default administrative roles, follow the steps below:


To know the exact target of each default role group you can check the description and the roles assigned on it.

Create custom administrative roles
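As an added example that is not part of the original post, the following PowerShell function creates a custom role group that answers the three questions above in one call: who (members), what tasks (roles) and which scope (an OU), and then reads the group, its members and the generated role assignments back for review. The function name and sample values are placeholders; an Exchange 2016 Management Shell session is assumed.

```powershell
# Added example (not from the MSExchangeGuru post). Assumes an Exchange 2016
# Management Shell session. Function name and sample values are placeholders.
function New-ScopedAdminRoleGroup {
    param(
        [Parameter(Mandatory)] [string]   $Name,                # e.g. 'Denver Help Desk'
        [Parameter(Mandatory)] [string[]] $Members,             # who: users or security groups
        [Parameter(Mandatory)] [string[]] $Roles,               # what: e.g. 'Mail Recipients', 'Distribution Groups'
        [Parameter(Mandatory)] [string]   $OrganizationalUnit,  # scope: 'domain/ou' form, e.g. 'contoso.com/Denver/Users'
        [string] $Description = 'Scoped admin role group'
    )

    # Verify every requested role exists before anything is created.
    foreach ($role in $Roles) {
        if (-not (Get-ManagementRole -Identity $role -ErrorAction SilentlyContinue)) {
            throw "Management role '$role' does not exist."
        }
    }
    # Refuse to silently reuse an existing group, whose membership and scope may differ.
    if (Get-RoleGroup -Identity $Name -ErrorAction SilentlyContinue) {
        throw "Role group '$Name' already exists."
    }

    # One call creates the group, its membership and one role assignment per role,
    # each assignment carrying the OU as its recipient write scope.
    $null = New-RoleGroup -Name $Name -Roles $Roles -Members $Members `
        -RecipientOrganizationalUnitScope $OrganizationalUnit -Description $Description

    # Read everything back so the result can be reviewed before handing it over.
    [pscustomobject]@{
        RoleGroup   = $Name
        Members     = @(Get-RoleGroupMember -Identity $Name | Select-Object -ExpandProperty Name)
        Assignments = @(Get-ManagementRoleAssignment -RoleAssignee $Name |
                        Select-Object Name, Role, RecipientWriteScope, Enabled)
    }
}

# Usage (placeholder values):
# New-ScopedAdminRoleGroup -Name 'Denver Help Desk' -Members 'helpdesk1', 'helpdesk2' `
#     -Roles 'Mail Recipients' -OrganizationalUnit 'contoso.com/Denver/Users'
```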


Ratish Nair

Microsoft MVP | Office Servers and Services

Team @MSExchangeGuru


Posted August 8th, 2017 under Exchange 2016.


how do I resolve "user isn't assigned to any management roles" error in Exchange 2010 EMC?

Newly installed Exchange 2010 box (technically, a partially installed box, as this error is preventing me from completing the install).

When I launch EMC or the Management Powershell, I get this error:

The logged in administrator account (confirmed using 'whoami') is a member of the following groups:

Any ideas? how can I get past this?

Asked by TheoJones

4 Answers

@Richard, chances are a different user account was used for the schema preparations during the pre-install tasks as to those that were used to install Exchange.

Ensure your account is a member of the Organization Management group, and see if the error is resolved for you.

David Mathis

  • The Organization Management group can be found in Active Directory Users and Computers under the "Microsoft Exchange Security Groups" folder in the domain. –  Wolfgang Aug 11, 2017 at 23:19
  • This worked for me. I was a domain admin and still not working. Adding to the Organization management group worked instantly :-) Thanks –  jcrawfor74 Jul 26, 2018 at 11:16
  • Thanks! I added Domain Admins to this group –  Xebozone Jul 21, 2020 at 1:37

I found the solution, courtesy of David Strome at Microsoft.

http://gaionlinekb.blogspot.com/2009/11/emc-rbac-authorization-returns-access.html

When our Exchange 2010 server was installed we used a particular domain account.

For administration we use different User accounts.

Each user that will be administering the exchange server must be a member of "Organization Management" this is all you should need to ensure the user is a member of.

I wanted to clarify this as the simplest fix, also posted by David George.

Andre Pageot

I was also facing the same issue, but now it's working by logging in with an administrator-privileged account. Simply right-click on the Exchange Management Console and run as a different user. My server operating system is 2012. Use your administrator account for the Exchange login.

Fardeen


How to report on Exchange RBAC assignments


Exchange Server and its cloud sibling are well-known for their robust administrative controls, powered by the RBAC model. Designed with great attention to detail, the RBAC model allows you to granularly control what each admin or user can do, down to the individual cmdlet or even parameter level. While this is extremely useful, because of the flexibility of the model, sometimes it can be a bit hard to keep track of just what permissions have been granted in the organization.

To address this issue, you can use PowerShell to prepare detailed reports of the roles assigned. One such example script is provided by Paul here at Practical 365, and many admins have already made a habit of running it periodically against their environments. The script, however, relies on the AD PowerShell cmdlets and as such cannot be run against Exchange Online, so in this article, we will introduce an updated/alternative approach. We will also discuss some potential improvement areas, and of course, provide you with the actual solution.

A quick refresher on Exchange RBAC

As the name suggests, Exchange’s Role-based Access Control (RBAC) permission model has management roles as its building blocks. A role represents a set of tasks or cmdlets, granted to a role assignee. The role assignee can be a user, a security group or a role group (or a role assignment policy, which we don’t cover here). The link between the role and its assignees is called a management role assignment. Role assignments, in turn, can be regular or delegating. The former is used when you grant someone access to the management tools and features. On the other hand, delegating role assignments don’t grant access to the management tools, but are used to grant someone the ability to assign a given role to others. Lastly, we have the concept of management scopes, which can be used to limit the effect of the role to a subset of the objects in your organization.

While this all might sound very confusing at first, once you understand the basic principles behind the RBAC model, you will certainly appreciate its robustness and customizability. Even more so if you come to compare it with other workloads such as SharePoint or Skype for Business. In Exchange Online, the RBAC model is a bit more limited compared to on-premises versions, but it’s still well ahead of what we get in other parts of the service, including Azure AD.

How to find out who has permissions

Just because some admin functionality exists, it doesn’t mean it’s in use. The same goes for any Exchange management roles. Role assignments effectively represent the “link” between a role and the security principals who have been granted permissions to access the cmdlets, scripts or tools available as part of the role. If no role assignment exists for a given role, then no one in the organization has access to the management tasks it enables. Generally speaking, you can omit such roles from your report. But if you want to be thorough, or are just curious, here’s how to list any (admin) roles that have no corresponding role assignments:

In the above, we are listing all roles, then for each role checking whether any role assignments exist. We are also excluding any “end user” roles, such as the ones that govern different OWA features. The resulting list will return just the “unassigned” roles if any. Again, as no one is currently assigned to said roles, they are not “in use” and you can simply ignore them. The bottom line here is that if you want to get an overview of what permissions are granted in the company at present, the Get-ManagementRoleAssignment cmdlet is your natural starting point.

We now know how to list assignments for a given role. However, this doesn’t completely answer the question of who has been granted access, as roles can be delegated to security groups, or bundled in role groups and role assignment policies. If we want to list the individual users, we have to further “expand” the corresponding object, which is effectively what Paul’s script does for Role Groups. We are trying to address a broader scenario, however, so we need to also account for assignments of type User, SecurityGroup and PartnerLinkedRoleGroup. In turn, where needed we should aim to expand group membership and list individual users.

In the on-premises world, group expansion is easily performed via the AD tools. In Office 365, however, things aren’t that straightforward, and in general, we have to use solutions such as the one described in this article. Luckily, in the case of role assignments, the good folks at Microsoft have given us an easier method, namely the -GetEffectiveUsers switch parameter. What the switch does is to recursively process each nested group and return a list of the individual user entries. Here’s an example:

The first cmdlet lists just the direct assignees to the Journaling role. Three of those entries, namely the “Compliance management” and “Organization management” role groups and the “MESGtop” security group, have additional members and even some nested groups. The full list of members is returned when we rerun the cmdlet with the -GetEffectiveUsers switch, one entry per user, which is practically all we need to generate the report.

Another approach would be to use the Get-ManagementRoleAssignment cmdlet against a specific security principal. The cmdlet is intelligent enough to not only list direct assignments, but also any assignments corresponding to security or role groups that have the given security principal as a member, including nested groups. However, since the number of such objects in most companies is larger than the number of role assignments, this method might be slower. Just in case, here’s an example:
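The three lookups described above (roles with no assignment, the effective users of a role, and the reverse lookup for one principal) as an added example; this is not the script from the article. The function names are ours; an Exchange Online or Exchange Management Shell session is assumed, and the property names used (IsEndUserRole, EffectiveUserName, RoleAssignmentDelegationType) are those of the Get-ManagementRole and Get-ManagementRoleAssignment output objects.

```powershell
# Added example (not the Practical 365 script). Assumes an existing Exchange Online
# or Exchange Management Shell session. Function names are ours.

# Admin roles that have no role assignment at all. End-user roles (the ones governing
# OWA features) are excluded, as in the article. Such roles grant nothing to anyone today.
function Get-UnassignedAdminRoles {
    Get-ManagementRole | Where-Object { -not $_.IsEndUserRole } | Where-Object {
        $roleName = $_.Name
        -not (Get-ManagementRoleAssignment -Role $roleName -ErrorAction SilentlyContinue)
    } | Select-Object -ExpandProperty Name
}

# Everyone who effectively holds a role: direct user assignees plus the members of assigned
# security groups and role groups, with nested groups expanded by -GetEffectiveUsers.
# Delegating assignments grant no cmdlet access (only the right to assign the role),
# so they are left out unless explicitly requested.
function Get-EffectiveRoleUsers {
    param(
        [Parameter(Mandatory)] [string] $Role,
        [switch] $IncludeDelegating
    )
    Get-ManagementRoleAssignment -Role $Role -GetEffectiveUsers -ErrorAction Stop |
        Where-Object { $IncludeDelegating -or $_.RoleAssignmentDelegationType -eq 'Regular' } |
        Select-Object Role, RoleAssigneeName, RoleAssigneeType, EffectiveUserName,
                      RoleAssignmentDelegationType, RecipientWriteScope, CustomRecipientWriteScope
}

# The reverse lookup: every role a given principal holds, directly or through security
# group / role group membership (the cmdlet follows nested groups itself). Slower at scale.
function Get-PrincipalRoles {
    param([Parameter(Mandatory)] [string] $RoleAssignee)
    Get-ManagementRoleAssignment -RoleAssignee $RoleAssignee -ErrorAction Stop |
        Select-Object Role, RoleAssigneeName, RoleAssigneeType, RoleAssignmentDelegationType
}

# Usage:
# Get-UnassignedAdminRoles
# Get-EffectiveRoleUsers -Role 'Journaling' | Format-Table -AutoSize
# Get-PrincipalRoles -RoleAssignee 'someuser@contoso.com'   # placeholder principal
```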

Preparing the output

Now that we know how to list each individual user and each role they have been assigned, all we need to do is prepare the output. One approach is to just dump all this information into a CSV file, then use Excel to filter/sort it as needed. However, as you can see from the above screenshot, some of the data presented is quite ambiguous as objects are listed by their display name. We can improve the quality of the output by finding the corresponding object and returning a unique identifier. Unfortunately, this might not always be possible, but for most scenarios, we should be able to identify the correct object.

The getUPN and getGroup helper functions will try to “convert” a given DisplayName to the corresponding object and return a unique identifier for it. Since there can be multiple entries matching a given display name, the functions will call Get-ManagementRoleAssignment and use the -Role and -RoleAssignee parameters to find out which entry corresponds to the actual role assignment. If they cannot find a match, or multiple matches remain even after these additional checks, the display name will be returned as is.

Apart from providing additional information about each assignee, we can also use the native PowerShell capabilities to group the output by user. This might or might not be more convenient, but as mentioned above you can also use tools such as Excel to perform any grouping, sorting and filtering operations. The output returned from the script is sampled below:

For each user, group, or role group object, the object type, and unique identifier are returned (UPN or PrimarySMTPAddress where available, GUID otherwise). Then, a list of the individual Roles assigned to the given security principal is listed, and an indicator of the type of assignment. For objects with multiple roles assigned, we can have multiple values for the assignment type. Because we are grouping results, only unique role entries will be returned, if that’s not what you expect, edit the code on line 161.

Additional parameters

The script features a few additional parameters that govern the output. The first parameter is -IncludeDelegatingAssignments, which signals the script to also return details on any non-default Delegating Role Assignments. By non-default we mean delegating role assignments outside of those assigned to the “Organization Management” role group. If you don’t agree with the logic used here, feel free to adjust the filter on line 79.

The -IncludeRoleGroups parameter will force the script to return entries for “parent” role group assignments in the output. Since we are using the -GetEffectiveUsers parameter, any individual user that’s a direct member of the role group or member of any nested group within it is returned, so you might not want to see the “parent” entry as well. This is the default behavior, but if you do want to see such entries, you can specify the -IncludeRoleGroups parameter when invoking the script. No entries will be returned in the output for any nested groups, just the user objects within them! This is a limitation of using the -GetEffectiveUsers switch, but we plan to present an alternative solution in a future article.

Lastly, the -IncludeUnassignedRoleGroups switch governs whether to return entries for role groups that don’t have any role assignments. As discussed above, any cmdlets included in such role groups are effectively in “no use”, but you might want to include the role groups for completeness. This parameter can only be used when -IncludeRoleGroups is set to $true.

Here’s how the console output looks when all these parameters are used. In the highlighted entries, you can see an object with a duplicate display name, but thanks to the additional checks performed by the script, a unique identifier is returned. You can also see users and groups with direct role assignments, including delegating ones; role groups with no assignments; and “parent” groups.

The output will also be stored in the global variable $varRoleAssignments so it can be easily reused. Don’t forget that the script will also save the “raw” output to a CSV file!

Download the script from the TechNet Gallery or GitHub, and don’t forget to send us your comments.

About the Author

Vasil Michev

Hi, Could you please test it in your environment and let me know if it works for you ? Regards

Forget this, I have achieved it using parameters, but my next question is: the output of the Assignee is an ID instead of a username. How can I get this with the username?


what kind of ID? A GUID? Can you do Get-Recipient -Id $Value to see what $Value (the identifier) resolves to?

Hi, this code doesn’t return any output. What could be the reason? Thanks in advance. Regards

No idea. Have you debugged it? The code is PowerShell after all, so you can step through it to discover where problems might lie.

One basic problem I see is that the script in GitHub attempts to connect to Exchange Online via basic auth. Have you tried changing the script so that it uses a simple Connect-ExchangeOnline instead of running the Check-Connectivity function?


Stefanos Cloud

How to manage Microsoft 365 user role assignments and administrative units


This article provides guidance on how to manage Microsoft 365 user role assignments and administrative units. The article is also available on my podcast and Youtube channel.


You need to manage existing user roles, create new custom user roles and assign users and groups to existing roles in Microsoft 365 . You need to also manage Microsoft 365 administrative units.

In this how-to article, we will show you how to manage Microsoft 365 user role assignments and administrative units.

Role assignments

From within the Microsoft 365 Admin Center portal, you can assign Azure AD built-in roles to users who need access to other admin centers and resources in Azure Active Directory, such as users, groups, and apps which use the Microsoft Graph API. The following groups of user role assignments can be made from the Admin Center portal.

  • Azure AD role assignments
  • Exchange Online role assignments
  • Intune role assignments


In the next steps, we show you how to assign the Global Administrator Azure AD role to a user and a group. Follow the steps below to assign the Global Administrator role to a user or group.

  • Navigate to https://admin.microsoft.com and authenticate as a global admin user.
  • On the left pane, expand the "Roles" section and click on "Role assignments". In the main section, click on the "Global Administrator" role. On the popup form on the right, you can review the general properties of the role. On the "Permissions" tab, the system lists the permissions assigned to the role.
  • On the "Assigned" tab, you can assign users or groups to the role. Click on "Add Users" or "Add Groups" to add a user or a group, respectively, to the role.
  • To view the Azure portal as a specific Azure AD user role, tick the checkbox next to the role and click "Run As". This shows you the Azure portal as a user holding that role would see it.
  • To compare the permissions of user roles, tick two or more roles and then click on "Compare Roles". On the next screen, you see a tabular comparison of the permissions assigned to each of the compared roles. You can also click on "Export comparison" to export the comparison matrix of the selected roles.

In the next steps, we show you how to assign the Organization Management Exchange Online role to a user and a group, as well as how to create a new custom Exchange Online role. Follow the steps below.

  • Navigate to the "Exchange" tab under the "Role Assignments" section.
  • Click on the "Organization Management" role. On the popup form on the right, you can review the general settings of the role under the "general" tab. Under the "Permissions" tab, you can review in detail the available permissions of the role in question.
  • Under the "Assigned" tab, you can assign a user or group to the role in question. Click "Add" and choose the user or group to assign to the role.
  • You can also create a custom Exchange Online role by ticking the checkbox next to the role that will be used as the template for the new role. Then click on "Copy role group". This takes you to a wizard to create your new custom role. On the "Set up the basics" page, fill in the name, description and write scope of the new role and click Next.
  • Select the roles to add to the new custom role group. Roles define the scope of the tasks that the members assigned to this role group have permission to manage.
  • Select the users to assign to this role group. They'll have permissions to manage the roles that you assigned in the previous step.
  • Review your selections and click Finish.

In the next steps, we show you how to assign Intune roles. Assign Intune roles to specialists who need to view or manage Intune data, devices, or services. These roles can only be assigned to users who have a license that includes Intune. Follow the steps below.

  • Under the "Role assignments" section, navigate to the "Intune" tab. If you need to export existing assignments, click on the "Export assignments" button.
  • Click on the Intune role whose assignments you wish to edit. On the "General" tab you can review the general settings of the role. On the "Permissions" tab you can see all permissions of the role in detail.
  • To assign users to the Intune role, under the "Assigned" tab click on "Add". This takes you to the "Set up the basics" wizard. Fill in a name and description and click Next.
  • Select the security groups that contain the users you want to become admins for the role. Click Next.
  • Select a built-in security group such as "All users", or search for and select the security groups that contain the users and devices the Intune role can manage.
  • You can optionally add tabs which limit the specific Intune policies, apps and devices that the admins can see. Click "Next".
  • Review all your assignment settings and click "Finish".

Administrative Units #

Now we move on to show you how to create and manage Microsoft 365 Administrative Units. Administrative units let you sub-divide your organization into any unit that you want, and then assign specific administrators who can only manage that unit. For example, you can assign the Helpdesk Administrator role to a regional support specialist so that they can manage users only in that region.

Carry out the following steps:

  • Under the "Roles" section, click on "Administrative Units". Click on "Add Unit" to add a new administrative unit.
  • Provide a name and description for the new administrative unit and click "Next". Administrative units let you limit admins to managing users for a specific department, region, or any segment that your organization defines. Start by giving the administrative unit a name and description that will let other admins know its purpose.
  • Choose "Add up to 20 users and groups", or "Upload users" if you need to bulk upload a large number of users to be linked to the new administrative unit. If you choose "Add up to 20 users and groups", click on "Add Users" or "Add Groups" to add the desired users to the administrative unit and click Next. The administrators assigned to this unit will manage the settings for these users and groups. Adding groups does not add the groups' users to the unit; it lets the assigned admins manage the group settings. You can only add up to 20 members individually, or you can bulk upload up to 200 users. If you need to add more, you can edit the unit later to add them.
  • Assign admins to scoped roles. Only the following roles support administrative units: Authentication Administrator, Cloud Device Administrator, Groups Administrator, Helpdesk Administrator, License Administrator, Password Administrator, SharePoint Administrator, Teams Administrator, Teams Device Administrator, User Administrator.

Select a role and then assign admins to it. The admins that you assign to roles in this step will manage the members of this administrative unit.

  • Review your selections and click "Finish". The new administrative unit has been created. You can always edit its properties by clicking on the Administrative Unit name. From that page you can edit the administrative unit's members and role assignments.
  • You can also edit the name and description of an administrative unit by ticking the checkbox next to the administrative unit name and clicking on "Edit name and description".
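The same administrative-unit setup done from Microsoft Graph PowerShell rather than the admin center, as an added example that is not part of the original article. It assumes the Microsoft.Graph module is installed and that the unit name, user UPNs and the "Helpdesk Administrator" role are placeholders for your own values.

```powershell
# Added example, not the article's own code. Placeholder names and UPNs throughout.
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All", "RoleManagement.ReadWrite.Directory", "User.Read.All"

# 1. Create the unit (the "Add Unit" step in the admin center)
$Au = New-MgDirectoryAdministrativeUnit -DisplayName "EMEA Support" `
        -Description "Users supported by the EMEA regional helpdesk"

# 2. Add members (the "Add Users" step); each member is referenced by its Graph URL
$Members = "alice@contoso.example", "bob@contoso.example"   # constructed sample UPNs
foreach ($Upn in $Members) {
    $UserId = (Get-MgUser -UserId $Upn).Id
    New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $Au.Id `
        -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/users/$UserId" }
}

# 3. Assign a role scoped to the unit (the "Assign admins to scoped roles" step).
#    DirectoryScopeId is what limits the role to this unit; a tenant-wide
#    assignment would use "/" instead, which is the over-broad grant we avoid here.
$RoleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "DisplayName eq 'Helpdesk Administrator'"
$Admin   = Get-MgUser -UserId "emea-helpdesk@contoso.example"   # constructed sample UPN
New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId $RoleDef.Id `
    -PrincipalId $Admin.Id -DirectoryScopeId "/administrativeUnits/$($Au.Id)"

# 4. Review: list every assignment whose scope is the new unit
Get-MgRoleManagementDirectoryRoleAssignment -Filter "directoryScopeId eq '/administrativeUnits/$($Au.Id)'" |
    Format-Table PrincipalId, RoleDefinitionId, DirectoryScopeId
```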


It is always a problem to find out which roles the current user is assigned to; you are not sure what he actually has access to.

You can use the PowerShell command below to find which role assignments the user is part of in Exchange role-based access groups.

Replace "Username" with the alias of the mailbox.

[Image: the PowerShell command]
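An added example that is not the post's own command: it reports the roles that apply to one user, including those inherited through role groups, and then the cmdlets those roles expose. "Username" is a placeholder for the mailbox alias or UPN.

```powershell
# Added example, not the post's own command. Run from Exchange Management Shell or
# an Exchange Online PowerShell session.
$User = "Username"   # placeholder: alias or UPN of the account to inspect

# -GetEffectiveUsers resolves role-group membership, so assignments the user holds
# only via a role group are included; -Delegating $false drops delegating assignments,
# which grant the right to hand out a role but not to run its cmdlets.
$Assignments = Get-ManagementRoleAssignment -RoleAssignee $User -GetEffectiveUsers -Delegating $false

# One row per assignment, with the scope that bounds it
$Assignments | Format-Table Role, RoleAssigneeName, RoleAssigneeType, RecipientWriteScope -AutoSize

# The cmdlets reachable through those roles (duplicates collapsed)
$Assignments | ForEach-Object { Get-ManagementRoleEntry "$($_.Role)\*" } |
    Select-Object Name -Unique | Sort-Object Name
```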


That’s a nice post.

I tried it, it works, and it's helpful. Keep posting helpful articles.

You're most welcome, Sendi.

Hi Satheshwaran,

Can we know which commands a particular user (admin) can execute, depending on the permissions given to him?

Regards, Hemant

Check what all roles assigned to the user. = Check what all the commands the role contains. or login as him — run — Get-command

It didn’t appear to make a difference.

What does it mean if nothing is returned?

Not a member of anything

Your articles are really informative and good , Thanks for sharing the commands , Keep up your good work .

Hi, I am trying to get a user name with a specific role assigned, e.g. Get-User | Get-ManagementRoleAssignment -Role 'audit logs'

How can I get this working? Please help.


Six years later and this is the most helpful article I've found. Nothing helpful (cmdlet- or article-wise) from Microsoft.

Many thanks for this simple yet evidently necessary post!

Thank you Nick

The command only works for the first 1000 entries. We have over 10K entries, where it is not pulling all the roles assigned to an admin. I tried to explore, but it appears there is no parameter called ResultSize or -All.


Update 1-6-2015: Link to an Exchange 2013 specific version of this post was added.

How can we solve the challenge of allowing users to manage Distribution Groups that they own, while also preventing them from removing or adding new ones? Well, it's a similar story to the previous blog: we will create a custom RBAC Role!

One thing that is a little different is that the RBAC configuration for the items related to configuring your own mailbox is stored within a Role Assignment Policy. The same terminology applies, but we need to be clear that end-user RBAC is contained within a Role Assignment Policy and administrator RBAC lives in Management Roles.

This scenario calls for having multiple Role Assignment Policies, as each will have a different configuration. For example, you may envision the following:

  • Default Role Assignment Policy – can edit zero Distribution Groups
  • DG-Management Role Assignment Policy – can edit Distribution Groups owned by user, cannot create new ones.
  • DG-Full-Management Role Assignment Policy – can edit Distribution groups owned by user, and can create new ones.

We will create option #2 in this blog. Option 1 is the initial setup with the Default Role Assignment Policy, and Option 3 can be done by following the steps in the previous blog to simply enable the MyDistributionGroups Role in the relevant Role Assignment Policy.

Let's get jiggy with it, and create a new Role Assignment Policy! **

Create New Role Assignment Policy

Let's create a new Role Assignment Policy called DG-Management. We want to mirror the existing Default Role Assignment Policy, as a mailbox can only be assigned a single Role Assignment Policy and we need to ensure that the user can perform all required activities on their mailbox. This can be customised to suit your requirements; in this example we copy from the Default Role Assignment Policy, but this is not required.

We can write down the roles assigned to the Default Role Assignment Policy and manually add them, or alternatively we can save the Default Role Assignment Policy roles to a variable. We can then provide this variable as the list of roles when the new Role Assignment Policy is created. Let's save the assigned Roles to the variable $Roles.

$Roles = (Get-RoleAssignmentPolicy -Identity "Default Role Assignment Policy").AssignedRoles

$Roles will then contain the following Roles:

MyBaseOptions MyContactInformation MyVoiceMail MyTextMessaging MyDistributionGroupMembership

Save RBAC Roles To Variable

When creating the new Role Assignment Policy called DG-Management, we provide the $Roles variable which contains the saved roles.

New-RoleAssignmentPolicy -Name DG-Management -Roles $Roles

Creating New Role Assignment Policy - Roles Are Provided In Variable $Roles

Create Custom Management Role

All the Management Roles that can be assigned to a Role Assignment Policy are prefixed with "My" to indicate that they are for user RBAC. This is a list of the Exchange 2010 roles starting with the prefix "My":

Exchange 2010 End User RBAC Roles

The Management Role Entries for MyDistributionGroups are shown below, along with the properties showing that this is a built-in role intended for end-user purposes.

MyDistributionGroups Role Contents And Properties

In order to stop users with this Management Role from creating and deleting Distribution Groups, we need to remove the "New-DistributionGroup" and "Remove-DistributionGroup" cmdlets. As before, the built-in RBAC roles are read-only, so we need to make a writable copy.

New-ManagementRole -Name "Edit-Existing-DG-Only" -Parent MyDistributionGroups

Create New Management Role Based From MyDistributionGroups

Then remove the new and remove distribution group cmdlets. A Management Role Entry is addressed as "<Role>\<Cmdlet>", so the backslash between the role name and the cmdlet name is required:

Remove-ManagementRoleEntry "Edit-Existing-DG-Only\New-DistributionGroup"

Remove-ManagementRoleEntry "Edit-Existing-DG-Only\Remove-DistributionGroup"

Checking the current Management Role Entries, note that the New and Remove cmdlets are gone:

Contents Of Custom Management Role - With No Remove & New Distribution Group Cmdlets

Once happy, we assign this custom Role to our new Role Assignment Policy.

New-ManagementRoleAssignment -Policy "DG-Management" -Role Edit-Existing-DG-Only

New Management Role Assignment To Assign Custom Role
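The whole procedure as one script, added here as an example that is not the post's own code: it builds the policy and the restricted role, and then verifies that the two cmdlets are really gone and shows exactly how the copy differs from its parent before the role is assigned. Role and policy names are the post's; the checks are the addition.

```powershell
# Added example, not the post's own code. Exchange Management Shell session assumed.
$RoleName   = "Edit-Existing-DG-Only"
$PolicyName = "DG-Management"
$Blocked    = "New-DistributionGroup", "Remove-DistributionGroup"

# Mirror the default policy's roles so the new policy loses no mailbox self-service
$Roles = (Get-RoleAssignmentPolicy -Identity "Default Role Assignment Policy").AssignedRoles
New-RoleAssignmentPolicy -Name $PolicyName -Roles $Roles

# Built-in roles are read-only; work on a writable child copy
New-ManagementRole -Name $RoleName -Parent MyDistributionGroups

# Role entries are addressed as "<Role>\<Cmdlet>"
foreach ($Cmdlet in $Blocked) {
    Remove-ManagementRoleEntry -Identity "$RoleName\$Cmdlet" -Confirm:$false
}

# Verify before assigning: the child must hold no entry for either cmdlet
$Remaining = Get-ManagementRoleEntry "$RoleName\*" | Where-Object { $Blocked -contains $_.Name }
if ($Remaining) {
    throw "Entries still present in ${RoleName}: $($Remaining.Name -join ', ')"
}

# Show the exact difference between parent and child (expect the two removed cmdlets,
# marked "<=" because they exist only on the parent side)
$ParentEntries = (Get-ManagementRoleEntry "MyDistributionGroups\*").Name
$ChildEntries  = (Get-ManagementRoleEntry "$RoleName\*").Name
Compare-Object -ReferenceObject $ParentEntries -DifferenceObject $ChildEntries |
    Select-Object InputObject, SideIndicator

# Only now hand the role to the policy
New-ManagementRoleAssignment -Policy $PolicyName -Role $RoleName
```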

Note that we can do most RBAC work in ECP after Exchange 2010 SP1, though I still prefer PowerShell, as that was what I had to learn initially. Old dog, new tricks, etc.

Custom RBAC Role Visible in Exchange Control Panel

Testing & Validation

In order to test the work we have done, the Role Assignment Policy must be assigned to a mailbox. As mentioned above, a mailbox can only have a single Role Assignment Policy at any given time. You can have multiple Role Assignment Policies, and assign one to a given mailbox. You do not have to explicitly assign a Role Assignment Policy, and this is the default behaviour for a mailbox. If you do not explicitly state which one should be used when creating or moving a mailbox to Exchange 2010, Exchange will use the one marked as default. Note that it is not necessarily the one called "Default Role Assignment Policy"; that one is created by default, is the only one by default and is initially marked as default. This can be changed to suit your needs. Let's say you create a Role Assignment Policy that you want 95% of the users to have as your base standard; you can then mark it as the default.

Set-RoleAssignmentPolicy -Identity "Contoso Standard" -IsDefault:$true

Marking Role Assignment Policy As Default

Viewing all of the Role Assignment Policies shows that Contoso Standard is the default. Mailboxes created from now on will use the Contoso Standard Role Assignment Policy unless explicitly stated otherwise. Mailboxes created prior to this point will continue to use their existing Role Assignment Policy and will not automagically change to this new default policy.

Showing Which Role Assignment Policy Is Default

Let's set our test mailbox (user-20) to explicitly use the DG-Management Role Assignment Policy:

Set-Mailbox -Identity user-20 -RoleAssignmentPolicy DG-Management

When user-20 then opens up ECP, they have the following capabilities; note that there is no New or Delete button under "Public Groups That I Own".

Exchange 2010 ECP With Restricted Group Management Capabilities

For a Distribution Group to show up, it must have the ManagedBy attribute set. In this test org there are several DGs, but only the ones on which user-20 is listed in ManagedBy appear.

Listing Of Distribution Groups Showing ManagedBy Attribute

We can see that the basic steps to tune and customise RBAC are very similar to the previous blog on delegating Mail Enabled Contact creation. There are some differences, as we are creating a custom Management Role to be used as part of a Role Assignment Policy, though all the concepts still apply.

** – Forget the music and stuff Will Smith, where is Independence Day 2 anyway ?!?!?


Rhoderick Milne [MSFT]

One comment.

I had to update the syntax for Remove-ManagementRoleEntry to "Remove-ManagementRoleEntry Edit-Existing-DG-Only\New-Distributiongroup"


Inactive profile

Can't add permission to a role.

I signed in to the Exchange admin center with a username that is assigned the Exchange Administrator and Global Administrator roles. Under Roles / Admin Roles, I select the Organization Management role and in the Permissions tab I select "Mailbox Import Export" and click Save. The message "We couldn't save your changes. Please try again." appears. I have tried multiple times over two days. How can I get past this?


Replies (3) 

Ankita Vaidya MSFT (Microsoft Agent)

Hello Gary Timm1,

Good day! Thank you for posting to Microsoft Community. We are happy to help you.

According to your description, it seems you are trying to add roles from the Admin center, and based on that we have checked from our side and found the same result as yours. However, we have checked from the Classic Exchange Admin center and were able to add the "Mailbox Import Export" role to the "Organization Management" role. So we suggest you kindly check with it by following the steps below to see if you are able to add it. Also, if any other user in your organization has admin permission, check with that other admin whether he/she can add the role from his/her side.

Login to Microsoft 365 Admin center > click on "Show all" > select Exchange from Admin centers > select Classic Exchange Admin center > Permissions > Admin roles > select Organization Management and click Edit > select (+) under Roles, select Mailbox Import Export and add it > save the changes.

Screenshot for reference :

Image

You can also check with a PowerShell cmdlet to see if you can add the role. For this, you first need to connect through Exchange Online PowerShell by following this article, and then use PowerShell to assign the admin role by following Manage role groups in Exchange Online | Microsoft Docs.

If the issue persists, it is recommended that you create a service request, since it needs to be resolved via the backend. To open a ticket, kindly check Contact Microsoft Office Support.

Thank you so much for your precious time and kind cooperation. Stay safe and healthy.

Ankita Vaidya | Microsoft Community Moderator

***Note: In the event that you're unable to reply to this thread, please ensure that your Email address is verified in the Community Website by clicking on Your Account Name > "My Profile" > "Edit Profile" > Add your Email Address > tick "Receive email notifications" checkbox > click on "Save".***
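The PowerShell route the reply points to, written out as an added example that is not part of the thread: it adds the Mailbox Import Export role to the Organization Management role group only if it is not already assigned, then reads the assignment back. It assumes the Exchange Online PowerShell module is installed.

```powershell
# Added example, not from the thread. Exchange Online PowerShell module assumed.
Connect-ExchangeOnline

$RoleGroup = "Organization Management"
$Role      = "Mailbox Import Export"

# Check first: a second New-ManagementRoleAssignment for the same pair would error out
$Existing = Get-ManagementRoleAssignment -RoleAssignee $RoleGroup -Role $Role -ErrorAction SilentlyContinue

if (-not $Existing) {
    # -SecurityGroup is the parameter used for role groups as well as security groups
    New-ManagementRoleAssignment -SecurityGroup $RoleGroup -Role $Role
}

# Read the assignment back; this is the same state the EAC "Permissions" tab shows
Get-ManagementRoleAssignment -RoleAssignee $RoleGroup -Role $Role |
    Format-Table Name, Role, RoleAssigneeName, RoleAssigneeType -AutoSize

# Mailbox Import Export is a high-impact role (it can export any mailbox), so also
# review who is in the group that just gained it
Get-RoleGroupMember -Identity $RoleGroup | Format-Table Name, RecipientType -AutoSize
```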


Inactive profile

Thank you Ankita. I was able to make the change using Classic Exchange Admin. Currently I am the only administrator. Perhaps sometime in the future I can find another administrator to try it.

Many thanks for the update, and glad to hear that our suggestion to use the Classic Exchange admin center helped you add the required role to the Organization Management role group.

Thank you so much for your precious time. Stay safe and healthy.

    Login to Microsoft365 Admin center > click on "Show all"> select Exchange from Admin center > Select Classis Exchnage Admin center > Permissions > Admin roles > Select Organization Management and click Edit > select (+) from Roles, select Mailbox Import Export and add it > save the changes. You can also check with PowerShell command let to ...