Assigning permissions to a user to manage a distribution group for a group of external e-mails

    Question

  • Hello, 

    I have been asked to create a new DG_VIP distribution group that can be managed by an AdminDG user. To this distribution group external emails will be added / removed on demand. This activity will be performed by the AdminDG user.

    By design to be able to add external emails to a distribution group, I must first create its corresponding contact and then the contact can be added to the Group.

    Therefore I must grant permissions of:
         1.- Creation / elimination / editing of contacts
         2.- Aggregation of members, restriction of sending messages and other configurations only for the Distribution Group DG_VIP.

    I have created a ManagementRole of the type "Mail Recipient Creation", then I have removed and added the necessary ManagementRoleEntry as minimum permissions, with this the ADMINDG user can perform point 1.

    In the case of the point 2, I have done something similar by creating a ManagementRole of the "Distribution Group" type, adding and removing the necessary ManagementRoleEntry; however, the user can manage not only the DG_VIP group, but also all the distribution groups of the organization.

    I have tried to add a ManagementScope to add it as ExclusiveRecipientWriteScope without success.

    All help will be welcome

    regards

    _TNT_

    Friday, February 09, 2018 9:36 PM

Answers

  • Thank you very much for your answers Michael and Niko.

    I managed to solve the requirement by creating an exclusive management scope (CustomAttribute1 -eq "VIP"), and then when assigning the management role assignment I added the ExclusiveRecipientWriteScope parameter associated with the previous management scope and it worked; the user can only modify the DG VIP.

    • Marked as answer by _TNT_ Monday, February 12, 2018 5:25 PM
    Monday, February 12, 2018 5:25 PM
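
    The accepted fix as a command sequence, added here as an example and not posted by anyone in the thread. The scope name and the custom role name are assumptions; DG_VIP, AdminDG and the CustomAttribute1 filter come from the posts above.

```powershell
# Run in the Exchange Management Shell by an administrator who can create scopes and assignments.
$Group     = 'DG_VIP'                # from the thread
$Delegate  = 'AdminDG'               # from the thread
$RoleName  = 'DG-Management-Custom'  # assumed name of the trimmed "Distribution Groups" child role
$ScopeName = 'VIP-Exclusive-Scope'   # assumed name

# 1. Tag the group so the scope filter matches it.
#    Do this before the scope exists: afterwards, only holders of an
#    exclusive-scope assignment can modify recipients that match the filter.
Set-DistributionGroup -Identity $Group -CustomAttribute1 'VIP'

# 2. Create the exclusive scope. Every recipient whose CustomAttribute1 is 'VIP'
#    falls inside it, so keep that value reserved for this purpose.
New-ManagementScope -Name $ScopeName `
    -RecipientRestrictionFilter "CustomAttribute1 -eq 'VIP'" `
    -Exclusive -Force

# 3. Bind the custom role to the delegate through the exclusive scope.
New-ManagementRoleAssignment -Name "$RoleName-$Delegate" `
    -Role $RoleName -User $Delegate `
    -ExclusiveRecipientWriteScope $ScopeName

# 4. Verify: list what the scope covers and who can write to the group.
Get-Recipient -Filter "CustomAttribute1 -eq 'VIP'" |
    Format-Table Name, RecipientTypeDetails

Get-ManagementRoleAssignment -RoleAssignee $Delegate |
    Format-Table Name, Role, RecipientWriteScope, CustomRecipientWriteScope

Get-ManagementRoleAssignment -WritableRecipient $Group -GetEffectiveUsers |
    Format-Table Name, Role, EffectiveUserName
```

    An exclusive scope also blocks administrators who have no exclusive assignment of their own from changing the tagged group, so give the group's intended administrators a matching assignment as well.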

All replies

  • You don't have to create a RBAC group to manage the DG. I would just grant the user managed rights to the DG directly. This will reduce the complexity to your setup.
    Friday, February 09, 2018 11:46 PM
  • ok, but how or from where the user AdminDG manages that DG:

    add / remove members and add users with permissions to send messages to DG

    Saturday, February 10, 2018 1:23 AM
  • Below is the property of the DG in EAC.

    Sunday, February 11, 2018 10:11 PM
  • Hi TNT,

    For the point 1, you can create a custom RBAC group to assign the permission to user "AdminDG", let it be possible to create contacts.

    For the point 2, as far as I know, a RBAC group cannot be applied only to some specific DGs; it can only be applied to all DGs or none. As Michael mentioned, granting the user managed rights to the DG directly would be the simplest way:

    Set-DistributionGroup -Identity "DG_VIP" -Managedby "AdminDG"


    Best Regards,
    Niko Cheng




    Monday, February 12, 2018 9:01 AM
    Moderator
  • Hi Michael,

    Sorry, I did not understand your answer well.

    But with this method I give you permission to administer all the DGs with it, you would have problems before some involuntary error on some other DG

    Monday, February 12, 2018 5:20 PM