Managing Exchange / EXO Roles and permissions with RBAC Manager

In this blog, I will explain how to use RBAC Manager utility to manage, create and assign the right permissions and roles within Exchange On-Premises and Exchange Online.

General

Role Based Access Control (RBAC) is the permissions model used since Exchange Server 2013 up to the current versions of Exchange On-Premises and Exchange Online.
RBAC enables you to control, at both broad and granular levels (up to the command level), what administrators and end-users can do.
RBAC also enables you to align the roles more closely you assign users, like allow them to add picture, change their address, distribution groups membership and more.
In addition, RBAC allows to control the different administrative roles other than the Exchange Admins in the organization, like HR, Legal, CISO and others, to manage with the exact permissions they need to do their job.
You can get more information about RBAC at the next link:
Exchange Server permissions, permissions Exchange Server, Exchange Admin roles, Exchange admin permissions, role assignment policy Exchange | Microsoft Docs

RBAC Manager utility was created by a collogue of mine named Can Dedeoglu, who is a Senior Customer Engineer in Microsoft UAE.
This utility is the easiest way to manage, create and set the exact permissions needed to assign distinct roles and positions in Exchange On-Premises and Exchange Online.

Why use RBAC Manager

Well… although RBAC Manager is not the default and built-in way to manage permissions and roles in Exchange On-Premises or Exchange Online, there are two main good reasons why to use it:

  • The first reason to use RBAC Manager, is that managing permissions at the EAC (Exchange Administration Center) or web interface, allows you to add or remove specific roles from the built-in Exchange’s management roles, but not to set granular permissions.
    As you can see at the next screenshot, you can assign only specific role but not specific commands like Get-DLPCompliancePolicy:
  • The second reason to use RBAC Manager, is that managing permissions using PowerShell interface, allows you set roles with the specific commands you would like to permit, but it's an overly complex way.

Using RBAC Manager

After downloading RBAC Manager, the only thing you need to do to run it, is copy the two files from the ZIP file to a folder location based on a Windows machine which only needs to be opened to one of the Exchange servers or to Exchange Online at 443 port.

To run the tool, just double click the RBAC_Manager.exe

Fill in the following fields according to your environment (Exchange server FQDN, Username and Password):

In case you connect Exchange Online, select the Office 365 tab

Creating a and assigning Management Role

After connecting to the Exchange server or Exchange Online you will be able to see all the built-in roles within the system.
You cannot change or delete them, but you can copy each one of them.
After copying the desired roles, you can then change and select the relevant permissions and commands you wish to assign the selected user or group.

It is most recommended to assign a management role to a group and not to a user, since it is much easier to remove or add users from the active directory group, rather than assign a new user to the management role again.

1. Navigate to the role that you would like to replicate (Mail recipient in this example) and right click on the role.

2. Select “New Role From Here” and type the name of the role that you would like to create (Mail-recipient-Help-Desk-Role in this example):

3. Now you will be able to see the new role under the Mail Recipient built-in role:

4. Uncheck the commands that you would like to remove from this role:

5. After you have selected the relevant commands, click on “Save” from the upper right pane:

6. Right click on the new role you have created and select “New Role Assignment”:

  • In this example we will create a new Universal Group named Help-Desk-For-Exchange.
    We will give this group the role assignment we have just created (Mail-recipient-Help-Desk-Role).

7. Verify that the option “Universal Security Group” is selected:

8. Type the name of the group and hit search.
You will be able to see the available groups, choose the group and select OK:

9. Click OK again:

  • To test the role you have just created, login to EAC (Exchange Admin center) with a user which is a member of the group assigned to the new role.
    In this example, test1 is a member of Help-Desk-For-Exchange group:
  • You can see that not all the menus are available because that you have apply a specific role with limited commands.
    In addition, many options are grayed out from the same reason:

Conclusions

Using RBAC to manage roles and permissions is important to eliminate security issues and human mistakes issues caused by too many permissions given to Help Desk, HR, or Compliance role for example.
Managing, creating, and handling roles and permissions within Exchange and Exchange Online can be achieved at the minimum time and with best efficiency using RBAC Manager utility.

During the last 13 years, I'm working as a Senior Customer Succes Engineer (former PFE) at Microsoft. My areas of expertise are Exchange, Powershell & Azure.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store