Connector - Role exchange

  • Question

  • Hi there, 

    I am trying to give permission to an admin, but for security reasons I do not want them to be able to modify rules and connectors from the Exchange Admin. After deleting some of them and putting them back, I cannot figure out which ones should not be here...

    Before the change: 

    Audit Logs
    Data Loss Prevention
    Distribution Groups
    Federated Sharing
    Information Rights Management
    Journaling
    Legal Hold
    Mail Enabled Public Folders
    Mail Recipient Creation
    Mail Recipients
    Mail Tips
    Message Tracking
    Migration
    Move Mailboxes
    Org Custom Apps
    Org Marketplace Apps
    Organization Client Access
    Organization Configuration
    Organization Transport Settings
    Public Folders
    Recipient Policies
    Remote and Accepted Domains
    Reset Password
    Retention Management
    Role Management
    Security Group Creation and Membership
    Team Mailboxes
    Transport Hygiene
    Transport Rules
    UM Mailboxes
    UM Prompts
    Unified Messaging
    User Options
    View-Only Audit Logs
    View-Only Configuration
    View-Only Recipients

    After the change: 

    Audit Logs
    Distribution Groups
    Federated Sharing
    Information Rights Management
    Journaling
    Legal Hold
    Mail Enabled Public Folders
    Mail Recipient Creation
    Mail Recipients
    Mail Tips
    Message Tracking
    Migration
    Move Mailboxes
    Org Custom Apps
    Org Marketplace Apps
    Organization Client Access
    Public Folders
    Recipient Policies
    Remote and Accepted Domains
    Reset Password
    Retention Management
    Role Management
    Security Group Creation and Membership
    Team Mailboxes
    UM Mailboxes
    UM Prompts
    Unified Messaging
    User Options
    View-Only Audit Logs
    View-Only Configuration
    View-Only Recipients

    Am I missing something? Why can I still see and modify connectors knowing I do not have admin permission...

    Thank you

    Friday, November 8, 2019 3:35 PM

All replies

  • Hi,

    You can use the following command to check what role is needed to create and modify connectors:

    Get-ManagementRole -Cmdlet <cmdlet>

    The Remote and Accepted Domains role contributes to this; you can remove this role from the role group. Additionally, you'd better create a new role group, then add roles and specific users to this group. It's not recommended to modify the default role groups.

    From the following image, we can see that Information Rights Management also can give rights to modify transport rules. You should remove this role for the specific member account.

    Since each role can provide other permissions, if needed, we can create new roles to exclude the commands used to modify connectors and transport rules. You can check this blog for more details: How To Add Or Remove Cmdlet Parameter From RBAC Management Role

    Regards,

    Lydia Zhou


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Monday, November 11, 2019 8:05 AM
    Moderator
  • Is there any update on this thread?

    Does removing Remote and Accepted Domains role and Information Rights Management work for you?

    Please let us know if you would like further assistance. 

    Regards,

    Lydia Zhou



    Tuesday, November 19, 2019 2:48 PM
    Moderator
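
The check and the custom-role approach described in the first reply, as an added example that is not part of the original thread: it lists which roles assigned to a given role group or user still grant connector and transport-rule cmdlets, then builds a child role with those cmdlets removed. The names `Restricted Admins` and `Remote and Accepted Domains - No Connectors` are hypothetical, the cmdlet list assumes Exchange Online connector cmdlet names, and a connected Exchange PowerShell session is assumed.

```powershell
# Added example. Assumes an already connected Exchange Management Shell /
# Exchange Online PowerShell session with rights to read and create roles.
$Assignee = 'Restricted Admins'   # hypothetical role group (or user) to audit
$Cmdlets  = @(
    'New-InboundConnector',  'Set-InboundConnector',  'Remove-InboundConnector',
    'New-OutboundConnector', 'Set-OutboundConnector', 'Remove-OutboundConnector',
    'New-TransportRule',     'Set-TransportRule',     'Remove-TransportRule'
)

# --- 1. Audit: which assigned roles still grant these cmdlets? ---
$findings = foreach ($cmdlet in $Cmdlets) {
    # Every management role that contains an entry for this cmdlet
    foreach ($role in Get-ManagementRole -Cmdlet $cmdlet -ErrorAction SilentlyContinue) {
        # Keep the role only if it is assigned to the assignee
        # (for a user this includes assignments inherited through role groups)
        $assignment = Get-ManagementRoleAssignment -Role $role.Name `
            -RoleAssignee $Assignee -Delegating $false -ErrorAction SilentlyContinue
        if ($assignment) {
            [pscustomobject]@{
                Role       = $role.Name
                Cmdlet     = $cmdlet
                Assignment = ($assignment.Name -join ', ')
            }
        }
    }
}
$findings | Sort-Object Role, Cmdlet | Format-Table -AutoSize

# --- 2. Remediation for a role that is still needed for its other cmdlets ---
# Create a child role of the built-in role, then strip the unwanted entries.
$Parent = 'Remote and Accepted Domains'
$Child  = 'Remote and Accepted Domains - No Connectors'   # hypothetical name
New-ManagementRole -Name $Child -Parent $Parent

Get-ManagementRoleEntry "$Child\*" |
    Where-Object { $Cmdlets -contains $_.Name } |
    ForEach-Object {
        Remove-ManagementRoleEntry -Identity "$Child\$($_.Name)" -Confirm:$false
    }

# Review what the trimmed role still allows before assigning it
Get-ManagementRoleEntry "$Child\*" | Select-Object Name | Sort-Object Name
```

An empty result from step 1 means none of the listed cmdlets is reachable through the assignee's roles; assign the trimmed child role in a new custom role group in place of the built-in role rather than editing a default role group.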