Remove Multiple Management Role Entries In Office 365

Exchange Online in Office 365 has a very similar RBAC implementation to the on-premises installations of Exchange.  After previously bumping into an issue with Exchange Online (EXO), and then twice again in the last fortnight, this bubbled to the top of the publishing pile.

In this environment, a custom Management Role was created called Level1-HelpDesk.  This is a copy of the Mail Recipients built-in role.

New-ManagementRole -Name Level1-HelpDesk -Parent "Mail Recipients"

Creating Custom ManagementRole From Mail Recipients

As you can see above, the new Management Role was created.  Since this is for Level 1 helpdesk we want to tune the role and restrict what cmdlets are available.  Role entries are addressed as "RoleName\CmdletName", so if we look to see what cmdlets in this role match the phrase "Set-Mail*", we can see there are several and one is Set-Mailbox.

Get-ManagementRoleEntry "Level1-HelpDesk\set-mail*"

Verifying Cmdlets Present In Management Role

Let’s then remove all of these cmdlets by piping the above results to Remove-ManagementRoleEntry.

Get-ManagementRoleEntry "Level1-HelpDesk\set-mail*" | Remove-ManagementRoleEntry

Remove-ManagementRoleEntry - Errors When Piping To Remove-ManagementRoleEntry

Well, that was less than stellar.

This is the charming error text:

Cannot process argument transformation on parameter 'Identity'. Cannot convert value "Level1-HelpDesk" to type "Microsoft.Exchange.Configuration.Tasks.RoleEntryIdParameter". Error: "The format of the value you specified in the Microsoft.Exchange.Configuration.Tasks.RoleEntryIdParameter parameter isn't valid. Check the value, and then try again.
Parameter name: identity"
    + CategoryInfo          : InvalidData: (Level1-HelpDesk:PSObject) [Remove-ManagementRoleEntry], ParameterBindin...mationException
    + FullyQualifiedErrorId : ParameterArgumentTransformationError,Remove-ManagementRoleEntry
    + PSComputerName        : pod51042psh.outlook.com

Troubleshooting Time

Was this due to multiple Management Role Entries being piped over?  Let's try with just one, Set-Mailbox.  We already confirmed that this cmdlet is present in the Management Role.

Remove-ManagementRoleEntry - Piping A Single Management Role Entry Still Fails

Nope, same issue.

PowerShell has the -Verbose and -Debug switches that can provide additional detail.  Unfortunately, in this case they did not.

Remove-ManagementRoleEntry - No Extra Love From Verbose Or Debug

At this point we can safely say that we cannot pipe a Management Role Entry object over to the Remove-ManagementRoleEntry cmdlet.  So let's try this without the pipe, and pass the "Role\Cmdlet" identity string directly to the Remove-ManagementRoleEntry cmdlet.

Remove-ManagementRoleEntry Level1-HelpDesk\Set-Mailbox -Confirm:$False

Remove-ManagementRoleEntry - Success!

The -Confirm:$False was added to prevent a load of distracting confirmation text.

This works!  Yay, but do I really want to do this manually for every Management Role Entry that needs to be removed?

PowerShell Automation

I wrote a quick script to automate this process.  You can edit the script and specify what you want to remove from one of your custom Management Roles.  The above example is present in the script, and it needs to be modified to suit your organisation.
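The same approach in a form you can adapt, written here as an added example rather than the script on GitHub: it enumerates the matching entries with Get-ManagementRoleEntry, builds the "Role\Cmdlet" identity string for each one instead of piping the object, removes it, and then re-queries the role to confirm the entries are gone. It assumes an existing Exchange Online PowerShell session and the Level1-HelpDesk role from this post; the role name and cmdlet pattern are parameters.

```powershell
# Added example (not the author's GitHub script). Assumes an Exchange Online
# PowerShell session is already connected and that $RoleName is a custom role;
# entries cannot be removed from the built-in roles.
param(
    [string]$RoleName      = 'Level1-HelpDesk',  # custom role to trim (from this post)
    [string]$CmdletPattern = 'Set-Mail*'         # wildcard on the cmdlet part of the identity
)

# Get-ManagementRoleEntry accepts the "Role\Cmdlet" form, with a wildcard on the cmdlet.
$entries = Get-ManagementRoleEntry -Identity "$RoleName\$CmdletPattern" -ErrorAction Stop

if (-not $entries) {
    Write-Host "No entries matching '$CmdletPattern' found in role '$RoleName'."
    return
}

foreach ($entry in $entries) {
    # Build the identity string explicitly; piping the role entry object is what
    # produces the ParameterArgumentTransformationError shown earlier in the post.
    $identity = "$RoleName\$($entry.Name)"
    Write-Host "Removing $identity"
    Remove-ManagementRoleEntry -Identity $identity -Confirm:$false
}

# Verify the result: the same query should now come back empty. Any survivors
# mean the role still grants cmdlets the Level 1 helpdesk should not have.
$remaining = Get-ManagementRoleEntry -Identity "$RoleName\$CmdletPattern" -ErrorAction SilentlyContinue
if ($remaining) {
    Write-Warning "Entries still present in '$RoleName': $($remaining.Name -join ', ')"
} else {
    Write-Host "All '$CmdletPattern' entries removed from '$RoleName'."
}
```

Run it once with -WhatIf added to the Remove-ManagementRoleEntry call to review the list before anything is actually removed.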

Download Remove Management Role Entries Script

Please download the script from GitHub.

Rhoderick Milne [MSFT]
