A role group is a special type of universal security group (USG) used in the Exchange Online role-based access control (RBAC) permissions model. Management role groups simplify assigning and managing permissions for users in Exchange Online. All role group members are assigned the same set of roles, and you add or remove permissions for users by adding them to or removing them from the role group. For more information about role groups in Exchange Online, see Permissions in Exchange Online.
What do you need to know before starting?
Estimated time for each operation: 5 to 10 minutes
For information about how to open the Exchange admin center (EAC), see Exchange admin center in Exchange Online. For information about how to open Exchange Online PowerShell, see Connect to Exchange Online PowerShell.
The procedures in this topic require the Role Management role in Exchange Online. By default, you get this permission through membership in the Organization Management role group (the Microsoft 365 or Office 365 global admin role).
For information about keyboard shortcuts that can be applied to the procedures in this topic, see Exchange admin center keyboard shortcuts.
Tip: Having problems? Ask for help on the Exchange forums. Visit the forums at: Exchange Online, or Exchange Online Protection.
View role groups
Use the new EAC to display role groups
In the new EAC, go to Roles > Admin roles. All of your organization's role groups are listed here.
Select a role group. The details pane shows the Name, Description, Managed by, Write scope, Assigned, and Permissions of the role group.
Use the classic EAC to display role groups
In the classic EAC, go to Permissions > Admin roles. All of your organization's role groups are listed here.
Select a role group. The details pane shows the Name, Description, Assigned roles, Members, Managed by, and Write scope of the role group. You can also view this information by clicking Edit.
Use Exchange Online PowerShell to view role groups
To display a role group, use the following syntax:
Get-RoleGroup [-Identity "<Role Group Name>"] [-Filter <Filter>]
This example returns a summary list of all role groups.
Get-RoleGroup
This example returns detailed information for the role group named Recipient Administrators.
Get-RoleGroup -Identity "Recipient Administrators" | Format-List
This example returns all role groups that the user Julia belongs to. You must use the DistinguishedName (DN) value for Julia, which you can find by running the following command: Get-User -Identity Julia | Format-List DistinguishedName.
Get-RoleGroup -Filter "Members -eq 'CN=Julia,OU=contoso.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=NAMPR001,DC=PROD,DC=OUTLOOK,DC=COM'"
For detailed syntax and parameter information, see Get-RoleGroup.
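The cmdlets above answer one question at a time. For a permissions review you usually want the whole picture: every role group, who is in it, who can manage it, and how wide the write scope of each assigned role is. The following script is an added example (not part of the original article) that joins Get-RoleGroup, Get-RoleGroupMember and Get-ManagementRoleAssignment into one report; it assumes an open Exchange Online PowerShell session, and the function name is an assumption.

```powershell
# Added example (not from the original article): audit every role group in the
# tenant and report its members, delegates, and the write scope of each role
# assignment. Assumes an existing Exchange Online PowerShell session.
function Get-RoleGroupAudit {
    [CmdletBinding()]
    param(
        # Optional: audit one role group; by default all role groups are audited.
        [string]$Identity
    )

    $groups = if ($Identity) { Get-RoleGroup -Identity $Identity } else { Get-RoleGroup }

    foreach ($group in $groups) {
        $members     = @(Get-RoleGroupMember -Identity $group.Identity | ForEach-Object { "$($_.Name)" })
        $delegates   = @($group.ManagedBy | ForEach-Object { "$_" })
        $assignments = @(Get-ManagementRoleAssignment -RoleAssignee $group.Identity)

        foreach ($assignment in $assignments) {
            # A custom or exclusive scope narrows what members can change; when
            # neither is set, the role's implicit write scope (often the whole
            # organization) applies to the assignment.
            $effectiveScope = if ($assignment.CustomRecipientWriteScope) {
                "Custom: $($assignment.CustomRecipientWriteScope)"
            } elseif ($assignment.ExclusiveRecipientWriteScope) {
                "Exclusive: $($assignment.ExclusiveRecipientWriteScope)"
            } else {
                "Implicit: $($assignment.RecipientWriteScope)"
            }

            [pscustomobject]@{
                RoleGroup   = $group.Name
                MemberCount = $members.Count
                Members     = ($members -join '; ')
                Delegates   = ($delegates -join '; ')
                Role        = "$($assignment.Role)"
                # Delegating assignments let members hand the role to others but
                # grant no permission to use it themselves.
                Delegating  = ($assignment.RoleAssignmentDelegationType -eq 'Delegating')
                WriteScope  = $effectiveScope
            }
        }
    }
}

# Surface the assignments that let members write to the whole organization;
# these are the ones to justify or narrow first in a least-privilege review.
Get-RoleGroupAudit |
    Where-Object { $_.WriteScope -like 'Implicit: Organization*' -and -not $_.Delegating } |
    Sort-Object RoleGroup, Role |
    Format-Table RoleGroup, Role, MemberCount, Members, WriteScope -AutoSize
```

Pipe the unfiltered output to Export-Csv to keep a dated snapshot; diffing two snapshots shows who gained or lost permissions between reviews.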
Create role groups
If you create a new role group, you must configure all of its settings yourself (either during creation or afterwards). To start from the settings of an existing role group and modify them, see Copy existing role groups.
Use the new EAC to create role groups
In the new EAC, go to Roles > Admin roles, and then click Add role group.
In the Add role group window that opens, under Set up the basics, configure the following settings and then click Next:
Name: Enter a unique name for the role group.
Description: Enter an optional description for the role group.
Write scope: The default value is Default, but you can also select a custom recipient write scope from the drop-down list.
In the Add permissions section, select the roles and then click Next. Roles define the scope of tasks that members assigned to this role group can manage.
In the Assign admins section, select the users you want to assign to this role group and then click Next. They receive permissions to manage the roles you've assigned to the group.
In the Review role group and finish section, verify all the details and then click Add role group.
Click Done.
Use classic EAC to create role groups
In the classic EAC, go to Permissions > Admin roles, and then click Add.
In the new role group window that appears, configure the following settings:
Name: Enter a unique name for the role group.
Description: Enter an optional description for the role group.
Write scope: The default value is Default, but you can also select a custom recipient write scope that you've already created.
Roles: Click Add to select the roles you want to assign to the role group in the new window that appears.
Members: Click Add to select the members you want to add to the role group in the new window that appears. You can select users, mail-enabled universal security groups (USGs), or other role groups (security principals).
When you're finished, click Save to create the role group.
Use Exchange Online PowerShell to create a role group
To create a new role group, use the following syntax:
New-RoleGroup -Name "<Unique Name>" -Description "<Descriptive Text>" -Roles <"Role1","Role2"...> -ManagedBy <Managers> -Members <Members> -CustomRecipientWriteScope "<Existing Write Scope Name>"
- The Roles parameter specifies the management roles to assign to the role group using the syntax "Role1","Role2",..."RoleN". You can see the available roles by using the Get-ManagementRole cmdlet.
- The Members parameter specifies the role group members using the syntax "Member1","Member2",..."MemberN". You can specify users, mail-enabled universal security groups (USGs), or other role groups (security principals).
- The ManagedBy parameter specifies the delegates who can modify and delete the role group using the syntax "Delegate1","Delegate2",..."DelegateN". Note that this setting isn't available in the EAC.
- The CustomRecipientWriteScope parameter specifies the existing custom recipient write scope to apply to the role group. You can see the available custom recipient write scopes by using the Get-ManagementScope cmdlet.
This example creates a new role group named "Limited Recipient Management" with the following settings:
- The role group is given the Mail Recipients and Mail-Enabled Public Folders roles.
- Users Kim and Martin are added as members. Since no custom write scope was specified for recipients, Kim and Martin can manage any recipient in the organization.
New-RoleGroup -Name "Limited Recipient Management" -Roles "Mail Recipients","Mail-Enabled Public Folders" -Members "Kim","Martin"
This is the same example with a custom recipient write scope, which means that Kim and Martin can only manage the recipients included in the Seattle Recipients scope (recipients whose City property has the value Seattle).
New-RoleGroup -Name "Limited Recipient Management" -Roles "Mail Recipients","Mail-Enabled Public Folders" -Members "Kim","Martin" -CustomRecipientWriteScope "Seattle Recipients"
For detailed syntax and parameter information, see New-RoleGroup.
Copy existing role groups
If an existing role group is similar in terms of the permissions and settings you want to assign to users, you can copy the existing role group and customize the copy to suit your needs.
Use the new EAC to copy a role group
Note: You can't use the new EAC to copy a role group if you've used Exchange Online PowerShell to configure multiple scopes or exclusive scopes for the role group. To copy role groups with these settings, you must use Exchange Online PowerShell.
In the new EAC, go to Roles > Admin roles.
Select the role group you want to copy and then click Copy role group.
In the Copy role group window that opens, under Set up the basics, configure the following settings and then click Next:
- Name: The default value is "Copy of <role group name>", but you can enter a unique name for the role group.
- Description: The existing description is present, but you can change it.
- Write scope: The existing write scope is selected, but you can select Default or a custom recipient write scope from the drop-down list.
In the Edit permissions section, change the roles and then click Next. Roles define the scope of tasks that members assigned to this role group can manage.
In the Assign admins section, change the role group membership and then click Next. Members receive permissions to manage the roles you've assigned to the group.
In the Review role group and finish section, verify all the details and then click Copy role group.
Click Done.
Use classic EAC to copy a role group
Note: You can't use the classic EAC to copy a role group if you've used Exchange Online PowerShell to configure multiple scopes or exclusive scopes for the role group. To copy role groups with these settings, you must use Exchange Online PowerShell.
In the classic EAC, go to Permissions > Admin roles.
Select the role group you want to copy and then click Copy.
In the new role group window that appears, configure the following settings:
Name: The default value is "Copy of <role group name>", but you can enter a unique name for the role group.
Description: The existing description is present, but you can change it.
Write scope: The existing write scope is selected, but you can select Default or any other custom recipient write scope that you've already created.
Roles: Click Add or Remove to change the roles assigned to the role group.
Members: Click Add or Remove to change the role group membership.
When you're finished, click Save to create the role group.
Use Exchange Online PowerShell to copy a role group
Store the role group you want to copy in a variable using the following syntax:
$RoleGroup = Get-RoleGroup "<Name of existing role group>"
Create the new role group with the following syntax:
New-RoleGroup -Name "<Unique Name>" -Roles $RoleGroup.Roles [-Members <Members>] [-ManagedBy <Managers>] [-CustomRecipientWriteScope "<Existing custom recipient write scope name>"]
- The Members parameter specifies the role group members using the syntax "Member1","Member2",..."MemberN". You can specify users, mail-enabled universal security groups (USGs), or other role groups (security principals).
- The ManagedBy parameter specifies the delegates who can modify and delete the role group using the syntax "Delegate1","Delegate2",..."DelegateN". Note that this setting isn't available in the EAC.
- The CustomRecipientWriteScope parameter specifies the existing custom recipient write scope to apply to the role group. You can see the available custom recipient write scopes by using the Get-ManagementScope cmdlet.
In this example, the Organization Management role group is copied to the new role group named Limited Organization Management. The role group members are Isabelle, Carter, and Lukas, and the role group delegates are Jenny and Katie.
$RoleGroup = Get-RoleGroup "Organization Management"
New-RoleGroup "Limited Organization Management" -Roles $RoleGroup.Roles -Members "Isabelle","Carter","Lukas" -ManagedBy "Jenny","Katie"
This example copies the Organization Management role group to the new role group named Vancouver Organization Management with the custom recipient write scope Vancouver Users.
$RoleGroup = Get-RoleGroup "Organization Management"
New-RoleGroup "Vancouver Organization Management" -Roles $RoleGroup.Roles -CustomRecipientWriteScope "Vancouver Users"
For detailed syntax and parameter information, see New-RoleGroup.
Change role groups
Use the new EAC to change role groups
In the new EAC, go to Roles > Admin roles, select the role group you want to change, and then edit the following in the details pane:
- In the General section, click Edit basics to change the name and description.
- In the Assigned section, add users to or remove users from this role group.
- In the Permissions section, add or remove the roles assigned to the role group.
When you're finished, click Save.
Use classic EAC to change role groups
- In the classic EAC, go to Permissions > Admin roles, select the role group you want to change, and then click Edit.
Modifying a role group offers the same options described in Use the classic EAC to create role groups. You can:
- Change the name and description.
- Change the write scope (if you've created custom recipient write scopes).
- Add and remove management roles (create or delete role assignments).
- Add and remove members.
Notes:
- You can't use the classic EAC to change a role group's write scope, roles, or membership if you've used Exchange Online PowerShell to configure multiple scopes or exclusive scopes for the role group. To change the settings of these role groups, you must use Exchange Online PowerShell.
- Some role groups (such as the Organization Management role group) restrict which roles you can remove from the group.
- You can't add or remove delegates of a role group in the classic EAC. You can only use Exchange Online PowerShell.
Use Exchange Online PowerShell to add roles to role groups (create role assignments)
To add roles to role groups in Exchange Online PowerShell, create management role assignments using the following syntax:
New-ManagementRoleAssignment [-Name "<Unique Name>"] -SecurityGroup "<Role Group Name>" -Role "<Role Name>" [-RecipientRelativeWriteScope <MyGAL | MyDistributionGroups | Organization | Self>] [-CustomRecipientWriteScope "<Scope Name>"]
- The role assignment name is automatically created if you don't specify one.
- If you don't use the RecipientRelativeWriteScope or CustomRecipientWriteScope parameters, the role's implicit read scope and implicit write scope are applied to the role assignment.
- If a predefined scope meets your business needs, you can use the RecipientRelativeWriteScope parameter to apply that scope to the role assignment.
- To apply a custom recipient write scope, use the CustomRecipientWriteScope parameter.
This example assigns the Transport Rules role to the Seattle Compliance role group.
New-ManagementRoleAssignment -SecurityGroup "Seattle Compliance" -Role "Transport Rules"
This example assigns the Message Tracking role to the Enterprise Support role group and applies the predefined Organization scope.
New-ManagementRoleAssignment -SecurityGroup "Enterprise Support" -Role "Message Tracking" -RecipientRelativeWriteScope Organization
This example assigns the Message Tracking role to the Seattle Recipient Admins role group and applies the Seattle Recipients scope.
New-ManagementRoleAssignment -SecurityGroup "Seattle Recipient Admins" -Role "Message Tracking" -CustomRecipientWriteScope "Seattle Recipients"
For detailed syntax and parameter information, see New-ManagementRoleAssignment.
Use Exchange Online PowerShell to remove roles from role groups (remove role assignments)
To remove roles from role groups in Exchange Online PowerShell, remove management role assignments using the following syntax:
Get-ManagementRoleAssignment -RoleAssignee "<Role Group Name>" -Role "<Role Name>" -Delegating <$true | $false> | Remove-ManagementRoleAssignment
- To remove regular role assignments, which grant permissions to users, use the value $false for the Delegating parameter.
- To remove delegating role assignments, which allow the role to be assigned to others, use the value $true for the Delegating parameter.
This example removes the Distribution Groups role from the Seattle Recipient Admins role group.
Get-ManagementRoleAssignment -RoleAssignee "Seattle Recipient Admins" -Role "Distribution Groups" -Delegating $false | Remove-ManagementRoleAssignment
For detailed syntax and parameter information, see Remove-ManagementRoleAssignment.
Use Exchange Online PowerShell to change the scope of role assignments in role groups
The write scope of a role assignment in a role group defines the objects that members of the role group can modify (for example, all users, or only users whose City property has the value Vancouver). You can change the write scope of the roles assigned to a role group in the following ways:
- The implicit scope of the roles themselves. This means that when you created the role group you didn't specify custom scopes, or that you set the scope value of all role assignments in an existing role group to $null.
- The same custom scope for all role assignments.
- Different custom scopes for each individual role assignment.
To change the scope of all role assignments in a role group at the same time, use the following syntax:
Get-ManagementRoleAssignment -RoleAssignee "<Role Group Name>" | Set-ManagementRoleAssignment [-CustomRecipientWriteScope "<Recipient Write Scope Name>"] [-RecipientRelativeWriteScope <MyDistributionGroups | Organization | Self>] [-ExclusiveRecipientWriteScope "<Exclusive recipient write scope name>"]
This example changes the recipient write scope to Direct Sales Employees for all role assignments in the Sales Recipient Management role group.
Get-ManagementRoleAssignment -RoleAssignee "Sales Recipient Management" | Set-ManagementRoleAssignment -CustomRecipientWriteScope "Direct Sales Employees"
To change the scope of a single role assignment between a role group and a management role, do the following steps:
Replace <Role Group Name> with the name of the role group and run the following command to find the names of all role assignments in the role group:
Get-ManagementRoleAssignment -RoleAssignee "<Role Group Name>" | Format-List Name
Find the name of the role assignment you want to change. Use that role assignment name in the next step.
Use the following syntax to change the scope of an individual role assignment:
Set-ManagementRoleAssignment -Identity "<Role Assignment Name>" [-CustomRecipientWriteScope "<Recipient Write Scope Name>"] [-RecipientRelativeWriteScope <MyDistributionGroups | Organization | Self>] [-ExclusiveRecipientWriteScope "<Exclusive recipient write scope name>"]
This example changes the recipient scope of the Mail Recipients_Sales Recipient Management role assignment to All Sales Employees.
Set-ManagementRoleAssignment "Mail Recipients_Sales Recipient Management" -CustomRecipientWriteScope "All Sales Employees"
For detailed syntax and parameter information, see Set-ManagementRoleAssignment.
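Rescoping every assignment of a role group in one pipeline, as shown above, is silent about two things a practitioner wants to know: whether the named scope actually exists (and is not an exclusive scope, which needs a different parameter) and whether every assignment really ended up with the new scope. The following function is an added example (not part of the original article) that wraps the same Set-ManagementRoleAssignment procedure with those checks and supports -WhatIf for a dry run; it assumes an open Exchange Online PowerShell session, and the function name, role group name and scope name are constructed for the example.

```powershell
# Added example (not from the original article): apply one custom recipient write
# scope to every role assignment of a role group, after checking that the scope
# exists, and read the assignments back to confirm the change took effect.
# Assumes an existing Exchange Online PowerShell session.
function Set-RoleGroupWriteScope {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string]$RoleGroup,
        [Parameter(Mandatory)] [string]$ScopeName
    )

    # Fail early if the scope does not exist; Set-ManagementRoleAssignment would
    # otherwise fail once per assignment with a less helpful error.
    $scope = Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue
    if (-not $scope) {
        throw "Custom recipient write scope '$ScopeName' was not found. Create it with New-ManagementScope first."
    }
    if ($scope.Exclusive) {
        throw "'$ScopeName' is an exclusive scope; apply it with -ExclusiveRecipientWriteScope instead."
    }

    $assignments = @(Get-ManagementRoleAssignment -RoleAssignee $RoleGroup)
    if ($assignments.Count -eq 0) {
        throw "No role assignments found for role group '$RoleGroup'."
    }

    foreach ($assignment in $assignments) {
        # ShouldProcess honours -WhatIf and -Confirm on this function.
        if ($PSCmdlet.ShouldProcess($assignment.Name, "Set CustomRecipientWriteScope to '$ScopeName'")) {
            Set-ManagementRoleAssignment -Identity $assignment.Name -CustomRecipientWriteScope $ScopeName
        }
    }

    # Nothing was changed during a dry run, so there is nothing to verify.
    if ($WhatIfPreference) { return }

    # Verify by reading back: return any assignment that still lacks the scope.
    # The scope object is compared by its name (its string form).
    Get-ManagementRoleAssignment -RoleAssignee $RoleGroup |
        Where-Object { "$($_.CustomRecipientWriteScope)" -ne $ScopeName } |
        Select-Object Name, Role, RecipientWriteScope, CustomRecipientWriteScope
}

# Dry run first, then apply; an empty result from the second call means every
# assignment now carries the Direct Sales Employees scope.
Set-RoleGroupWriteScope -RoleGroup 'Sales Recipient Management' -ScopeName 'Direct Sales Employees' -WhatIf
$unchanged = Set-RoleGroupWriteScope -RoleGroup 'Sales Recipient Management' -ScopeName 'Direct Sales Employees'
if ($unchanged) {
    Write-Warning 'Some assignments were not rescoped:'
    $unchanged | Format-Table -AutoSize
}
```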
Use Exchange Online PowerShell to change the list of delegates in role groups
Role group delegates define who can modify and delete the role group. You cannot manage role group delegates in the EAC.
Use the following syntax to change the list of delegates in a role group:
Set-RoleGroup -Identity "<Role Group Name>" -ManagedBy <Delegates>
- To replace the existing list of delegates with the values you specify, use the syntax "Delegate1","Delegate2",..."DelegateN".
- To selectively modify the existing list of delegates, use the syntax @{Add="Delegate1","Delegate2"...; Remove="Delegate3","Delegate4"...}.
In this example, all current delegates of the Help Desk role group are replaced by the specified users.
Set-RoleGroup -Identity "Help Desk" -ManagedBy "Gabriela Laureano","Hyun-Ae Rim","Jacob Berger"
This example adds Daigoro Akai to and removes Valeria Barrios from the list of delegates in the Help Desk role group.
Set-RoleGroup -Identity "Help Desk" -ManagedBy @{Add="Daigoro Akai"; Remove="Valeria Barrios"}
For detailed syntax and parameter information, see Set-RoleGroup.
Use Exchange Online PowerShell to change the list of members in role groups
The Add-RoleGroupMember and Remove-RoleGroupMember cmdlets add or remove individual members one at a time. The Update-RoleGroupMember cmdlet can replace or modify the existing member list.
Members of a role group can be users, mail-enabled universal security groups (USGs), or other role groups (security principals).
Use the following syntax to change the members of a role group:
Update-RoleGroupMember -Identity "<Role Group Name>" -Members <Members> [-BypassSecurityGroupManagerCheck]
- To replace the existing list of members with the values you specify, use the syntax "Member1","Member2",..."MemberN".
- To selectively modify the existing list of members, use the syntax @{Add="Member1","Member2"...; Remove="Member3","Member4"...}.
This example replaces all current members of the Helpdesk role group with the specified users.
Update-RoleGroupMember -Identity "Help Desk" -Members "Gabriela Laureano","Hyun-Ae Rim","Jacob Berger"
This example adds Daigoro Akai to and removes Valeria Barrios from the list of members in the Help Desk role group.
Update-RoleGroupMember -Identity "Help Desk" -Members @{Add="Daigoro Akai"; Remove="Valeria Barrios"}
For detailed syntax and parameter information, see Update-RoleGroupMember.
Delete role groups
You can't remove built-in role groups, but you can remove custom role groups you've created.
Notes:
- Deleting a role group deletes the management role assignments between the role group and the management roles. The management roles assigned to the role group aren't deleted.
- If a user relies on the role group to access a role, the user will no longer have access to the role after the role group is deleted.
Use the new EAC to remove a role group
- In the new EAC, go to Roles > Admin roles.
- Select the role group and then click Delete.
- Click Confirm in the confirmation window.
Use the classic EAC to remove a role group
- In the classic EAC, go to Permissions > Admin roles.
- Select the role group you want to delete and then click Delete.
- Click Yes in the confirmation window that appears.
Use Exchange Online PowerShell to delete a role group
To remove a custom role group, use the following syntax:
Remove-RoleGroup -Identity "<Role Group Name>" [-BypassSecurityGroupManagerCheck]
This example removes the Training Administrators role group.
Remove-RoleGroup -Identity "Training Administrators"
This example removes the Vancouver Recipient Administrators role group. Because the user running the command isn't listed in the ManagedBy property of the role group, the BypassSecurityGroupManagerCheck switch is required for the command to run. The user running the command is assigned the Role Management role, which allows the security group manager check to be bypassed.
Remove-RoleGroup -Identity "Vancouver Recipient Administrators" -BypassSecurityGroupManagerCheck
For detailed syntax and parameter information, see Remove-RoleGroup.