Exchange Online in Office 365 has a very similar RBAC implementation to the on-premises installations of Exchange. After previously bumping to an issue with Exchange Online (EXO), and then twice again in the last fortnight this bubbled to the top of the publishing pile.
In this environment, a custom Management Role was created called Level1-HelpDesk. This is a copy from the Mail Recipients built-In role.
New-ManagementRole –Name Level1-HelpDesk –Parent "Mail Recipients"
As you can see above the new Management Role was created. Since this is for Level 1 helpdesk we want to tune the role and restrict what cmdlets are available. If we then look to see what cmdlets match the phrase "Set-Mail*", we can see there are several and one is Set-Mailbox.
Let's then remove all of these cmdlets by piping the above results to Remove-ManagementRoleEntry.
Get-ManagementRoleEntry "Level1-HelpDeskset-mail*" | Remove-ManagementRoleEntry
Well that was less than stellar….
This is the charming error text:
Cannot process argument transformation on parameter 'Identity'. Cannot convert value "Level1-HelpDesk" to type"Microsoft.Exchange.Configuration.Tasks.RoleEntryIdParameter". Error: "The format of the value you specified in theMicrosoft.Exchange.Configuration.Tasks.RoleEntryIdParameter parameter isn't valid. Check the value, and then try again.
Parameter name: identity"
+ CategoryInfo : InvalidData: (Level1-HelpDesk:PSObject) [Remove-ManagementRoleEntry], ParameterBindin…mationException
+ FullyQualifiedErrorId : ParameterArgumentTransformationError,Remove-ManagementRoleEntry
+ PSComputerName : pod51042psh.outlook.com
Was this due to multiple Management Role Entries being piped over? Let's try with just one, Set-Mailbox. We already confirmed that this cmdlet is present in the Management Role.
Nope – same issue.
PowerShell has the –Verbose and –Debug switches that can provide additional detail. Unfortunately in this case, they did not.
At this point we can safely say that we cannot pipe a Management Role Entry over to the Remove-ManagementRoleEntry cmdlet. So let's try this without the pipe, and do it directly from the Remove-ManagementRoleEntry cmdlet.
Remove-ManagementRoleEntry Level1-HelpDeskSet-Mailbox -Confirm:$False
The Confirm:$False was added to prevent a load of distracting confirmation text.
This works! Yay, but do I really want to manually do this for every Management Role Entry to be removed.
I wrote a quick script to automate this process. You can edit the script and specify what you want remove from one of your custom Management Roles. In the script the above example is present, and this needs to be modified to suit your organisation.
Please download the script from GitHub.