

Creating an RBAC group with access to Grant mailbox access ONLY

In the scenario below, we need to restrict the helpdesk so that its only permission is granting mailbox access to other users.

Steps to be followed:

Create a new management role "Mailbox delegation Permission". We use "Mail Recipients" as the parent role, so the new role starts with a copy of that role's entries.

New-ManagementRole -Name "Mailbox delegation Permission" -Parent "Mail Recipients"

Now we need to remove all the cmdlets from the newly created role and keep only the mailbox permission assignment entry. The command below removes every role entry from the new management role except Add-MailboxPermission.

Get-ManagementRoleEntry "Mailbox delegation Permission\*" | Where {$_.Name -ne "Add-MailboxPermission"} | Remove-ManagementRoleEntry

The Add-MailboxPermission role entry is enough to grant mailbox access through the EMS, but to grant access through the Exchange Management Console we need to add a few more role entries to this role, as follows.

Add-ManagementRoleEntry "Mailbox delegation Permission\Get-MailboxPermission"

Add-ManagementRoleEntry "Mailbox delegation Permission\Get-Mailbox"

Add-ManagementRoleEntry "Mailbox delegation Permission\Get-Recipient"

Add-ManagementRoleEntry "Mailbox delegation Permission\Set-Mailbox"

Add-ManagementRoleEntry "Mailbox delegation Permission\Get-SecurityPrincipal"

Add-ManagementRoleEntry "Mailbox delegation Permission\Remove-MailboxPermission"

Now we need to create a new role group, so that we can add the required helpdesk administrators to it.

New-RoleGroup "Mailbox delegation Permission" -Roles "Mailbox delegation Permission"

In order to let users grant Send As access on a mailbox, we need to assign the additional role "Active Directory Permissions" to this role group.

New-ManagementRoleAssignment -Role "Active Directory Permissions" -SecurityGroup "Mailbox delegation Permission"

Now we add the helpdesk members to the newly created role group, so that they are able to assign mailbox permissions. Use the command below to do so.

Add-RoleGroupMember "Mailbox delegation Permission" -Member HelpdeskUser1

As a final step we can test by asking the helpdesk engineer (test3 in this example, the user added to the role group above) to run the command below and try to assign Full Access on user test2's mailbox to user test1.

Add-MailboxPermission "test2" -User "test1" -AccessRights FullAccess

To view the list of members in the role group, use the cmdlet below.

Get-RoleGroupMember -Identity "Mailbox delegation Permission"
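Once the steps above are done, it is worth checking that the role and role group contain exactly what was intended and nothing more. The script below is an added example, not part of the original post; it assumes the role and group names used in the post and must be run from the Exchange Management Shell by a member of Organization Management.

```powershell
# Added audit script (not from the original post): confirm the custom role and role
# group grant only what the steps above intended. Assumes the names used in the post.
$RoleName  = "Mailbox delegation Permission"
$GroupName = "Mailbox delegation Permission"

# The seven cmdlets the post leaves in the role. Anything else means the
# Remove-ManagementRoleEntry step missed an entry or a later edit widened the role.
$ExpectedEntries = @(
    "Add-MailboxPermission", "Get-MailboxPermission", "Get-Mailbox",
    "Get-Recipient", "Set-Mailbox", "Get-SecurityPrincipal", "Remove-MailboxPermission"
)

$ActualEntries = Get-ManagementRoleEntry "$RoleName\*" | ForEach-Object { $_.Name }

$Extra   = $ActualEntries   | Where-Object { $ExpectedEntries -notcontains $_ }
$Missing = $ExpectedEntries | Where-Object { $ActualEntries   -notcontains $_ }

if ($Extra)   { Write-Warning "Role '$RoleName' grants unexpected cmdlets: $($Extra -join ', ')" }
if ($Missing) { Write-Warning "Role '$RoleName' is missing cmdlets: $($Missing -join ', ')" }
if (-not $Extra -and -not $Missing) { Write-Host "Role entries match the intended set." }

# The role group should carry only the two roles the post assigns to it.
$ExpectedRoles = @($RoleName, "Active Directory Permissions")
Get-ManagementRoleAssignment -RoleAssignee $GroupName | ForEach-Object {
    if ($ExpectedRoles -notcontains $_.Role.Name) {
        Write-Warning "Unexpected role assigned to '$GroupName': $($_.Role.Name)"
    }
}

# Finally, review who actually holds the delegated rights.
Write-Host "Members of '$GroupName':"
Get-RoleGroupMember -Identity $GroupName | Select-Object Name, RecipientType
```

Note that adding Set-Mailbox as a whole entry exposes every parameter of that cmdlet to the helpdesk; the -Parameters switch of Add-ManagementRoleEntry can restrict an entry to the parameters the console actually needs.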

Ratish Nair

Microsoft MVP | Exchange Server


8 Responses to “Creating an RBAC group with access to Grant mailbox access ONLY”

  1. Blog Posts of the Week (8th - 14th September 2013) - The South Asia MVP Blog - Site Home - TechNet Blogs Says:

    […] Creating an RBAC group with access to Grant mailbox access ONLY […]

  2. Durrok Says:

    Hey just wanted to say I have been looking for something like this for awhile. Your post solved a problem with defining access for our helpdesk that I have been trying to solve for week. Thank you very much for taking the time to make this post!

  3. Marcel Says:

    Hello, I have taken the steps you described, the only problem I have is that I can not double click a recipient. It says You don’t have permissions to view this page.

    Do you know the solution for this?

    Thanks in advance. Marcel

  4. Prabhat Nigam Says:

    Are you a member of Organization management group?

  5. New Tool – Out of Office Manager | UC Sorted Says:

    […] Typically the permissions required would be full access to the users mailbox, however – it is possible to create roles that have access to various PowerShell commands see […]

  6. Exchang3r Says:

    One little fault in the script, it must be:
    Add-ManagementRoleEntry “Mailbox delegation Permission\Get-Recipient”
    It's working great!

  7. Hossein Says:

    Would you please explain how I can grant access to the shared mailboxes by universal security group? Because it can be managed centrally and there is no need to change permission via mailbox, this is so important.
    Thanks in advance

  8. Prabhat Nigam Says:

    This is impossible. Keep it simple.
