Exchange RBAC Tips N Tricks – PowerShell

Most of the time when working with RBAC in Exchange we are not using large scripts to create and manage roles.  Generally we use one-liners to configure RBAC.  So I thought it would be useful to post some of the ones that I find myself frequently using.

As always please add a comment, or hit me up on the contact page and tell me what topics you want to see added here!

Where does this Cmdlet Live

Get-ManagementRole -Cmdlet Set-CASMailbox
Get-ManagementRoleEntry "*Set-CASMailbox"

Where does this Parameter live

Get-ManagementRole -Parameters Name

Note that Exchange Online has different syntax nowadays: it expects CmdletParameters rather than Parameters.

Get-ManagementRole -CmdletParameters Name
Get-ManagementRoleEntry "*\*" -Parameters Name

Note that on newer versions of Exchange you may also need to use CmdletParameters:

Get-ManagementRole -CmdletParameters Name

What Management Role Entries Are In a Management Role

This example works, but also review the next one down:

Get-ManagementRole "Monitoring" | Select Name, RoleEntries | FL


Much better to use:

Get-ManagementRoleEntry "Monitoring*"

This can also be filtered. For example, show all the Get- cmdlets in the Mail Recipients role:

Get-ManagementRoleEntry "Mail Recipients\Get-*"

Show all the Set- cmdlets in the Mail Recipients role:

Get-ManagementRoleEntry "Mail Recipients\Set-*"

Understanding RBAC Assignment Mappings

What RBAC Assignments Are Made Directly To A User

Get-ManagementRoleAssignment -RoleAssigneeType User

What RBAC Assignments Are to Role Assignment Policies

Get-ManagementRoleAssignment -RoleAssigneeType RoleAssignmentPolicy

What RBAC Assignments Are Made to Role Groups

Get-ManagementRoleAssignment -RoleAssigneeType RoleGroup

Who Is A Member Of A Role Group

Get-RoleGroupMember -Identity "Organization Management"


Get-RoleGroup -Identity "Organization Management" | Get-RoleGroupMember

What Management Roles Have Been Assigned To A Role Group

The RoleAssignee parameter specifies the role group, assignment policy, user, or universal security group (USG) for which you want to view role assignments. If the RoleAssignee parameter is used, you can't use the Identity parameter.

By default, the command returns both direct role assignments to the role assignee, and indirect role assignments granted to a role assignee through role groups or assignment policies.

Get-ManagementRoleAssignment -RoleAssignee "Help Desk" | Select-Object Role, AssignmentMethod, EffectiveUserName

What Can Someone Do

Using the GetEffectiveUsers parameter of the Get-ManagementRoleAssignment cmdlet, we can examine the effective permissions one individual has over another object. Role groups and assignment policies make it easy to grant permissions to large numbers of users, but as a result you may not be aware of exactly who is a member of a role group, or who has been assigned an assignment policy. This is where the GetEffectiveUsers switch on the Get-ManagementRoleAssignment cmdlet is useful. It shows you which users are granted the permissions given by a management role through the role groups, assignment policies, and USGs that are assigned to them.

The GetEffectiveUsers switch doesn't list users that are members of a linked foreign role group.

The GetEffectiveUsers switch specifies that the command should show the list of users in the role groups, assignment policies, or USGs associated with a role assignment. The users are effectively assigned the role assignment through their role group, assignment policy, or USG.

List All Effective Users

Show users that are granted permissions provided by the Mail Recipients role:

Get-ManagementRoleAssignment -Role "Mail Recipients" -GetEffectiveUsers
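As an added example (not from the original post), the following function combines the lookups above: it finds every role that contains an entry for a given cmdlet and then expands each role's assignments with GetEffectiveUsers, so "who can run Set-CASMailbox?" becomes one call. The function name is mine, and it assumes an open Exchange Management Shell or Exchange Online PowerShell session.

```powershell
# Added example, not from the original post: given a cmdlet name, report every
# user who can effectively run it, via the roles that contain the cmdlet entry.
# Assumes an Exchange Management Shell / Exchange Online session is already open.
# The function name Get-RbacCmdletEffectiveUsers is hypothetical.
function Get-RbacCmdletEffectiveUsers {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Cmdlet,             # e.g. Set-CASMailbox
        [switch]$IncludeDisabled     # also report disabled role assignments
    )

    # Step 1: which management roles contain an entry for this cmdlet?
    # "*\<cmdlet>" matches the entry in every role, but (unlike "*Set-CASMailbox")
    # cannot match a differently named cmdlet that merely ends the same way.
    $roles = Get-ManagementRoleEntry "*\$Cmdlet" |
        ForEach-Object { "$($_.Role)" } |
        Sort-Object -Unique

    if (-not $roles) {
        Write-Warning "No management role contains the cmdlet '$Cmdlet'"
        return
    }

    # Step 2: for each role, expand role groups / assignment policies / USGs
    # into the individual users who inherit the assignment.
    foreach ($role in $roles) {
        Get-ManagementRoleAssignment -Role $role -GetEffectiveUsers |
            Where-Object { $IncludeDisabled -or $_.Enabled } |
            ForEach-Object {
                [PSCustomObject]@{
                    EffectiveUserName    = $_.EffectiveUserName
                    Role                 = $role
                    RoleAssigneeName     = $_.RoleAssigneeName
                    RoleAssigneeType     = $_.RoleAssigneeType
                    RecipientWriteScope  = $_.RecipientWriteScope
                    CustomRecipientScope = $_.CustomRecipientWriteScope
                    Enabled              = $_.Enabled
                }
            }
    }
}

# Usage: who can run Set-CASMailbox? One row per user / role / assignee path,
# sorted so a user reached through several role groups is easy to spot.
Get-RbacCmdletEffectiveUsers -Cmdlet Set-CASMailbox |
    Sort-Object EffectiveUserName, Role |
    Format-Table -AutoSize
```

The write scope columns are included because a role entry only tells you the cmdlet is available; whether it can touch a particular recipient still depends on the assignment's scope, which is what the WritableRecipient parameter further down evaluates.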

Find A Specific User In A Role

To find a specific user that's been granted permissions by a management role, you must use the Get-ManagementRoleAssignment cmdlet to retrieve a list of all effective users, and then pipe the output of the cmdlet to the Where cmdlet. The Where cmdlet filters the output and returns only the user you specified:

Get-ManagementRoleAssignment -Role Journaling -GetEffectiveUsers | Where { $_.EffectiveUserName -Eq "Matt Goss" }

Find A Specific User In All Roles

To know every role that a user receives permissions from, you must use the Get-ManagementRoleAssignment cmdlet to retrieve all effective users on all management roles and then pipe the output of the cmdlet to the Where cmdlet. The Where cmdlet filters the output and returns only the role assignments that grant the user permissions.

Get-ManagementRoleAssignment -GetEffectiveUsers | Where { $_.EffectiveUserName -Eq "Ross Smith" }

What Can Someone Do – To A Specific Object

In addition to the GetEffectiveUsers option, there is another one which is very useful: WritableRecipient.

The WritableRecipient parameter specifies the recipient object you want to test to determine which role assignments allow it to be modified. The command takes into account the roles and scopes associated with each role assignment.

If this parameter is used with the GetEffectiveUsers switch, all of the users who can modify the recipient object indirectly through role groups and USGs are also returned. Without the GetEffectiveUsers switch, only the role groups, users, and USGs directly assigned the role assignment are returned.

In this example, what can Help-Desk-Admin do to the account User-20?

Get-ManagementRoleAssignment -WritableRecipient User-20 -GetEffectiveUsers | where {$_.EffectiveUserName -eq "Help-Desk-Admin"}

In this example, what can User-1 do to the MailContact object called Contact1 that is stored in AD?

Get-ManagementRoleAssignment -WritableRecipient Contact1 -GetEffectiveUsers | where {$_.EffectiveUserName -eq "user-1"}

Exchange RBAC - What Can Someone Do To This Object

Get-ManagementRoleAssignment provides a lot of filtering capabilities. You can customise this to tune searches to role assignments that are delegating or exclusive, or filter by RoleAssigneeType.


While Exchange does not provide an out-of-the-box mechanism to immediately show all RBAC in a single window (more on that in a future post), it does allow us to use the above PowerShell methods to create scripts and one-liners to discover and document. There are several example scripts out on ze interwebs, one example being here on MSPFE.

Get-ManagementRoleAssignment -GetEffectiveUsers | Where {$_.Enabled -eq $True} | Select-Object Role, RoleAssigneeName, RoleAssigneeType, RoleAssignmentDelegationType, User, CustomRecipientWriteScope, CustomConfigWriteScope, RecipientWriteScope, ConfigWriteScope, Identity | Export-CSV "$PWD\RBAC-Effective.csv" -NoTypeInformation

Note that I changed the original example from MSPFE: the formatting was updated, the .csv file path is no longer hardcoded, and NoTypeInformation was added.
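The CSV above documents roles per user; the next step a reviewer usually wants is the inverse of the earlier "Find A Specific User In All Roles" one-liner, resolved down to cmdlets. As an added example (not from the original post or the MSPFE script), this function takes one effective user, collects every enabled role assignment that reaches them, expands those roles into role entries and merges the parameters per cmdlet. The function name is mine, and it assumes an open Exchange Management Shell or Exchange Online PowerShell session.

```powershell
# Added example, not from the original post or MSPFE: list the cmdlets and
# parameters one user can effectively run, merged across every role they inherit.
# Assumes an Exchange Management Shell / Exchange Online session is already open.
# The function name Get-RbacUserEffectiveCmdlets is hypothetical.
function Get-RbacUserEffectiveCmdlets {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$User,        # EffectiveUserName as shown by -GetEffectiveUsers
        [string]$Verb = '*'   # narrow to Set, Remove, New ... ; '*' = every verb
    )

    # Step 1: every enabled role assignment that reaches this user, whether
    # directly or via a role group / assignment policy / USG.
    $assignments = Get-ManagementRoleAssignment -GetEffectiveUsers |
        Where-Object { $_.Enabled -and $_.EffectiveUserName -eq $User }

    if (-not $assignments) {
        Write-Warning "No enabled role assignment grants anything to '$User'"
        return
    }

    $roles = $assignments | ForEach-Object { "$($_.Role)" } | Sort-Object -Unique

    # Step 2: expand each role into its entries and merge parameters per cmdlet,
    # because two roles may expose the same cmdlet with different parameter sets.
    $roles |
        ForEach-Object { Get-ManagementRoleEntry "$_\$Verb-*" } |
        Group-Object Name |
        ForEach-Object {
            $params = $_.Group | ForEach-Object { $_.Parameters } | Sort-Object -Unique
            $via    = $_.Group | ForEach-Object { "$($_.Role)" } | Sort-Object -Unique
            [PSCustomObject]@{
                Cmdlet     = $_.Name
                Roles      = $via -join ', '
                Parameters = $params -join ', '
            }
        }
}

# Usage: which Set- cmdlets can Ross Smith run, and through which roles?
Get-RbacUserEffectiveCmdlets -User "Ross Smith" -Verb Set |
    Sort-Object Cmdlet |
    Format-Table -AutoSize -Wrap
```

This answers "which cmdlets" but not "against which objects": write scopes are not evaluated here, so for a specific recipient the WritableRecipient query shown earlier remains the authoritative check.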





Rhoderick Milne [MSFT]
