Learn Exchange the Guru way !!!


RBAC group to create view only permissions for Dynamic Groups

This article explains how to create an RBAC group called DL-ViewPermissionsGroup so a user can look at Dynamic Group membership in Exchange 2016.

We don’t want to add users to View-Only organization to give them this access. If you notice, you can pretty much create an RBAC group for any specific cmdlet running perms.

1. Create a new role group.

2. Add members to this group.

3. The members in this permission group have permissions to only view members in a Dynamic DL group.

The member in this group can only open PowerShell to view the members in a dynamic distribute group “Dynamic DL”.

We can use RBAC function to create a new Role group to grant some special permission to the members in this group. If the admin can only view the membership of a dynamic distribution group, we can follow the steps below to create a custom role group.

  1. Create a new Dynamic distribution group in EAC > Recipients > Groups > Add > Dynamic distribution group>  Name it as Group1 as below:

  1. Our purpose is creating a custom role group to have permissions to view the membership in Group1. We need View-Only Recipients role. Create a new role with the same permissions entries in View-only recipients. The new role is Test1. We can run the command in Exchange Management Shell:  New-ManagementRole -Parent “View-only Recipients” -Name “Test1”.

  1. Then Test1 role has the same permissions entries as View-only Recipients role. We can check all permissions in this role: Get-ManagementRoleEntry “View-only Recipients*”. It has the following permissions entries:

The user with View-only Recipients permissions can view the information in EAC as below:

  1. Because we don’t want users to have some permission on Mail Flow, Mobile, Public Folders Migration options displaying on the screenshot above. Therefore, we need to remove these permissions from Test1 role.

    Remove Public Folder related permission entries: Get-ManagementRoleEntry “Test1Get-PublicFolder*” | Remove-ManagementRoleEntry

    Remove Migration related permission entries: Get-ManagementRoleEntry “Test1Get-Migration*” | Remove-ManagementRoleEntry

    Remove Mobile related permission entries: Get-ManagementRoleEntry “Test1Get-Mobile*” | Remove-ManagementRoleEntry

    Remove Mail Flow related permission entries: Get-ManagementRoleEntry “Test1Search*” | Remove-ManagementRoleEntry

  2. After we have a new role “Test1” and remove other permission entries we don’t need, we add this role into a custom role group. We can create a new role group as below: New-RoleGroup -Name “QBDL” -Roles “Test1”

  • Finally, we have a custom role group “QBDL” and this permission group only have a role “Test1”.
  • We can add members in this role group “QBDL” via EAC > Permissions > Admin roles > QBDL > Edit. Make sure that it only include one role “Test1” and add sky7 into this group as a member.


  1. We can access EAC with this account “sky7” and sky7 can only have permissions to view recipients and members in groups including dynamic distribution group “group1” as below.

We can’t remove the permissions entries “Get-Mailbox*” from Test1. Because if we need to view membership of a group, Ge-Mailbox* permission entries are required. Therefore, we need Mailboxes/ resources / contacts /shared related permission entries. In addition, we can check all groups with this method.  It is not feasible to create a role with permissions to check a special group only. Your understanding is highly appreciated.

Ratish Nair

Microsoft MVP | Office Servers and Services

Team @MSExchangeGuru

Leave a Reply




Do NOT follow this link or you will be banned from the site!