Custom RBAC role for setting “Full Mailbox folder” and “Send as” permission

I tried to create a custom RBAC role for setting the “Full Mailbox” and “Send as” permissions by going through a few blogs and TechNet discussions. I implemented it in my lab and it was successful. I tried hard for Delegate, and there is no option to assign the permission to any of the security group members for setting the Delegates. Delegate is an option which can be set only through Outlook.

Below are the steps to create a custom RBAC role for Full Mailbox and Send As; they might be useful to others if they suit their environment.

Through a custom RBAC role we can give the members of a security group the permission to set the “Full Mailbox” and “SendAs” access rights on user mailboxes and shared mailboxes.

In order to test this in the lab, I first created a distribution group named Exchange Mailbox Folder.

We can use the command below to list the entries of the default management role:

Get-ManagementRoleEntry "Mail Recipients\*"

This lists the entries of the Mail Recipients role. We cannot modify the default role “Mail Recipients”, so we have to create a new custom role.

We can remove all the unwanted cmdlets from the custom role and then assign only the permissions listed below to the security group we created.

1) Add-MailboxPermission

2) Add-MailboxFolderPermission

First we need to create a new management role with the command below:

New-ManagementRole "Custom AddMailbox Permission" -Parent "Mail Recipients"

Now we need to view the list of management role entries assigned to the custom role. The new role inherits every entry of its parent role, and we do not need all of them.

Get-ManagementRoleEntry "Custom AddMailbox Permission\*"

Now we can go ahead and remove all of the role entries which we do not require, keeping only the two cmdlets listed above, by running the command below:

Get-ManagementRoleEntry "Custom AddMailbox Permission\*" | Where-Object {($_.Name -ne "Add-MailboxPermission") -and ($_.Name -ne "Add-MailboxFolderPermission")} | Remove-ManagementRoleEntry

We then have to assign the roles to the security group with New-ManagementRoleAssignment. Each role assignment needs its own unique name.

For Full Mailbox Folder, run the command below:

New-ManagementRoleAssignment "add mailbox permissions" -Role "Custom AddMailbox Permission" -SecurityGroup "Exchange MailboxFolder"

For SendAs permissions, run the command below:

New-ManagementRoleAssignment "add sendas permissions" -Role "Active Directory Permissions" -SecurityGroup "Exchange MailboxFolder"

I was successfully able to assign the permission to the “Exchange MailboxFolder” security group members for setting the “Full Mailbox” and “SendAs” access rights on the user mailboxes.

Thanks

Sathish Veerapandian – MVP
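
A way to verify the result of the steps above, as an added example that is not part of the original post: it compares the entries left in the custom role against the two intended cmdlets and lists the group's role assignments with their write scope. The function name Compare-RoleEntryToAllowList and the sample entries in the fallback branch are constructed for illustration; the role and group names are the ones used in the post.

```powershell
# Added example, not from the original post. Written in PowerShell 2.0 compatible syntax.
$RoleName  = 'Custom AddMailbox Permission'   # custom role created in the post
$GroupName = 'Exchange MailboxFolder'         # security group used in the post
$Allowed   = 'Add-MailboxPermission', 'Add-MailboxFolderPermission'

# Hypothetical helper: reports entries that should not be in the role and
# intended entries that are missing from it.
function Compare-RoleEntryToAllowList {
    param(
        [Parameter(Mandatory = $true)] [AllowEmptyCollection()] [object[]] $RoleEntry,
        [Parameter(Mandatory = $true)] [string[]] $Allowed
    )
    $names      = @($RoleEntry | ForEach-Object { $_.Name } | Sort-Object -Unique)
    $unexpected = @($names   | Where-Object { $Allowed -notcontains $_ })
    $missing    = @($Allowed | Where-Object { $names -notcontains $_ })
    New-Object PSObject -Property @{
        Unexpected = $unexpected
        Missing    = $missing
        Compliant  = ($unexpected.Count -eq 0 -and $missing.Count -eq 0)
    }
}

if (Get-Command Get-ManagementRoleEntry -ErrorAction SilentlyContinue) {
    # Exchange Management Shell: read the live role and the group's assignments.
    $entries = @(Get-ManagementRoleEntry "$RoleName\*")
    Get-ManagementRoleAssignment -RoleAssignee $GroupName |
        Select-Object Name, Role, RecipientWriteScope, CustomRecipientWriteScope
} else {
    # Constructed sample for running outside Exchange: one leftover parent entry.
    $entries = @('Add-MailboxPermission', 'Add-MailboxFolderPermission', 'Set-Mailbox') |
        ForEach-Object { New-Object PSObject -Property @{ Name = $_ } }
}

# Compliant is False and Unexpected lists Set-Mailbox for the constructed sample.
Compare-RoleEntryToAllowList -RoleEntry $entries -Allowed $Allowed
```

The RecipientWriteScope column shows which mailboxes the group members may change; the assignments in the post set no custom scope.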

4 thoughts on “Custom RBAC role for setting “Full Mailbox folder” and “Send as” permission”

  1. Ravi October 24, 2013 at 9:46 pm Reply

    Excellent post. Also include the Get cmdlets for AD and Mailbox permission so that the group members can also view who has permissions when required and also verify permissions after assignment.

  2. Malli October 29, 2014 at 8:52 am Reply

    This shouldn’t work for SENDAS as it would require Remove-ADPermission, Get-ADPermission and Add-ADPermission

    • sathishveerapandian October 29, 2014 at 11:51 am Reply

      Hi Malli,
      Thanks for identifying. I have updated the post with the command

      New-ManagementRoleAssignment "add sendas permissions" -Role "Active Directory Permissions" -SecurityGroup "Exchange MailboxFolder"
