RBAC in Exchange Online - Part 1
A common request I get while doing migrations into Exchange Online is to help customers set up permissions so that they can limit administrators' rights and scope within Exchange Online. The solution to this problem is Role Based Access Control (RBAC), and it can be a little confusing to set up.
In this article I am going to start into the easier, GUI based options for setting up RBAC in Exchange Online. If you're looking for the more advanced RBAC controls, skip ahead to Part 2.
What is Role Based Access Control?
RBAC is not a Microsoft invention. RBAC has been around for a while, but Microsoft's first major implementation of RBAC was in Exchange 2010.
Not all implementations of RBAC are the same. It is to my never-ending frustration that not all implementations of RBAC by Microsoft are the same. Even two closely related products like Exchange 2013 and Lync 2013 have different implementations of RBAC. I highlighted some of those differences in an article I wrote a while ago called RBAC: Exchange vs Lync. What's important for this article is that from here on out, I will be talking about RBAC as it is implemented in Exchange Online running Exchange 2013.
Prior to Exchange 2010, permissions were controlled via Access Control Lists. ACLs are the more traditional permissions model that Windows users have known for decades. An ACL applies permissions to an object (a file, folder, or directory object) by stating which users or groups have access and what that access is. RBAC turns this around: instead of attaching rights to each object, it attaches rights to a task (in Exchange, the cmdlets and parameters an administrator may run) and to a scope (the set of objects that task may be applied to), and then assigns that task to a person or group.
RBAC the easy way
Before we go super deep into the weeds on RBAC, I wanted to start off by giving you a basic way to apply some RBAC controls within your Exchange Online deployment. In this section we’re going to start with the default RBAC settings within Exchange Online and the GUI.
If you log into your Office 365 tenant and go to the Exchange admin center (EAC), you’ll see the permissions selection on the left hand side. This is where our journey begins.
Within permissions, you will see three separate sections: admin roles, user roles, and Outlook Web App policies. The first two are the ones we're going to be working with.
Admin roles contains a list of roles that can be assigned to administrators for the management of parts of your Exchange Online organization.
User roles contains a list of roles that enable users to manage aspects of their own mailboxes and distribution groups.
Let’s start off with the user roles.
User roles – Allowing users to manage themselves
As I said above, the purpose of user roles is to allow users to manage their options in OWA and perform other self-administration tasks. There are five main categories users can manage.
Contact information – allows users to modify address and phone numbers
Profile information – allows users to modify their name
Distribution groups – allows users to create, modify, and view distribution groups, as well as to add and remove members of distribution groups they own.
Distribution group membership – allows users to view and modify their own membership in distribution groups, as long as those distribution groups allow these actions.
Other roles – this section contains settings that do not fit into the other four categories. Each of these role names starts with "My", which I have left off for simplicity's sake.
Custom Apps – allows users to view and modify their custom apps
Marketplace Apps – allows users to view and modify their marketplace apps
BaseOptions – allows users to view and modify the basic configuration of their own mailbox and associated settings. Without this role applied, users cannot modify any of the other settings granted by user role assignments, so it is the one to leave in place if you want any self-service at all.
MailSubscriptions – allows users to view and modify e-mail subscription settings
RetentionPolicies – allows users to view their retention tags, and view and modify their retention tag settings and defaults
TeamMailboxes – allows users to create site mailboxes and connect them to SharePoint sites
TextMessaging – allows users to create, view, and modify their text messaging settings.
Voicemail – allows users to view and modify their voice mail settings
ReadWriteMailbox Apps – allows users to install apps with ReadWriteMailbox permissions.
In the user roles section, you will see a single Default Role Assignment Policy. This policy is assigned to all users in your Office 365 tenant by default, and it grants all the permissions I have listed above. If your organization wants all users to have all these permissions, then you are done with the user roles section. If, however, your organization has a requirement to limit some or all of these permissions for some or all of your users, then let's keep going.
Creating a new user role assignment policy
If your organization does decide to limit the self-management permissions of your users in Exchange Online, you have a couple of options. You can either modify the default role assignment policy, or you can create a new role assignment policy.
Modifying the default role assignment policy is very easy. Navigate to the EAC > Permissions > user roles and edit the Default Role Assignment Policy via the pencil icon at the top.
To edit this policy, just uncheck the permissions you wish to remove from all your users. When you're done, select Save. This policy is already applied to all users, so no further changes are needed. This will affect everyone, including new users created in the future. We'll go over how to create a new role assignment policy and assign it later. Before we do that, let's look at the admin roles.
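The same two options (trimming the default policy, or creating a second, more restrictive policy and assigning it to a subset of mailboxes) can be carried out from Exchange Online PowerShell. The script below is an added example, not code from the original article; it assumes the ExchangeOnlineManagement module is installed, and the account names, policy name and role list are placeholders you would replace with your own.

```powershell
# Added example (not from the original article): managing end-user role
# assignment policies with Exchange Online PowerShell.
# Assumptions: the ExchangeOnlineManagement module is installed, and
# admin@contoso.com / alex@contoso.com are placeholder accounts.

Connect-ExchangeOnline -UserPrincipalName admin@contoso.com   # interactive sign-in

# 1. See which "My*" roles the default policy currently grants to every user.
Get-ManagementRoleAssignment -RoleAssignmentPolicy "Default Role Assignment Policy" |
    Select-Object Role, RoleAssigneeName

# 2. Remove a single end-user role from the default policy. This is the
#    PowerShell equivalent of unchecking the box in the EAC and affects
#    everyone who carries the default policy, including future mailboxes.
Get-ManagementRoleAssignment -RoleAssignmentPolicy "Default Role Assignment Policy" -Role MyDistributionGroups |
    Remove-ManagementRoleAssignment -Confirm:$false

# 3. Create a second, more restrictive policy for a subset of users.
#    MyBaseOptions must stay in the list, or the user cannot change
#    anything else at all.
New-RoleAssignmentPolicy -Name "Restricted Self-Service" `
    -Description "Basic options, contact and profile information only" `
    -Roles MyBaseOptions, MyContactInformation, MyProfileInformation

# 4. Assign the new policy to one mailbox. Pipe a filtered Get-Mailbox
#    result into Set-Mailbox instead to cover a whole group of users.
Set-Mailbox -Identity alex@contoso.com -RoleAssignmentPolicy "Restricted Self-Service"

# 5. Verify the result: how many mailboxes carry each policy?
Get-Mailbox -ResultSize Unlimited |
    Group-Object RoleAssignmentPolicy |
    Select-Object Name, Count
```

Step 5 is the check worth keeping around: a mailbox created later still lands on whichever policy is marked as the default, so if the restrictive policy is meant to be the norm, either make it the default or re-run the assignment after provisioning.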
Admin roles – making users into limited administrators
Clicking on the admin roles selection at the top will show you a screen listing the available administrator roles for your Exchange Online tenant.
The first thing to note is that some of the roles listed here have strange letters and numbers appended to them. In the EAC you'll see role groups such as HelpdeskAdmins_399e1, and the same name format on TenantAdmins_aae12 and RIM-MailboxAdmins… These role groups are used by the Office 365 service itself and are not editable here.
The other roles listed allow you to delegate Exchange Online administrative functions to users.
It is important to note at this point that assigning a user to one of these role groups does not give them Office 365 administrative rights. That means they will not get access to the Office 365 Admin Portal. They will be able to reach the EAC directly via the following link
https://outlook.office365.com/ecp/
but they will not see the admin button in the Office 365 app launcher. From the Office 365 Admin portal, you can also assign limited admin roles, as described in the blog post I wrote called Limited Admin Roles in Office 365 Part 2: The Return. That option lets you designate specific users as administrators for specific services (Exchange, Skype for Business, or SharePoint), but does not give you much control beyond that.
Adding a user to any of these admin role groups gives them the rights of every role assigned to that role group. Exchange Online currently has 49 default roles that can be assigned to these role groups. You can change the roles assigned to the default role groups if you want, but I would recommend leaving the built-in groups alone and creating your own role groups to customize; that way you can always see what a built-in group is supposed to grant.
You will note that the scope of every admin role group is set to the default of organization wide. There is no way to modify this default scope in the GUI.
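The recommendation above, a custom role group carrying only the roles a team needs, is a few lines in Exchange Online PowerShell, and the same session lets you confirm the organization-wide scope that the EAC shows but will not let you change. This is an added example, not code from the original article; it assumes an Exchange Online session is already open and uses placeholder group and member names.

```powershell
# Added example (not from the original article): inspecting built-in admin
# role groups and creating a custom one with Exchange Online PowerShell.
# Assumptions: Connect-ExchangeOnline has already been run, and
# helpdesk1@contoso.com is a placeholder account.

# 1. List the role groups in the tenant. Service-managed groups carry a
#    suffix such as _399e1 and should be left alone.
Get-RoleGroup | Select-Object Name, RoleAssignments

# 2. How many management roles are available to assign? (The article
#    counts 49 at the time of writing.)
(Get-ManagementRole).Count

# 3. What does a built-in group actually grant, and at what scope?
#    RecipientWriteScope of "Organization" is the organization-wide
#    default the EAC displays.
Get-ManagementRoleAssignment -RoleAssignee "Help Desk" |
    Select-Object Role, RecipientWriteScope, CustomRecipientWriteScope

# 4. Rather than editing "Help Desk", create a custom group that carries
#    only the two roles this team needs and add its first member.
New-RoleGroup -Name "Helpdesk Tier 1" `
    -Description "Mailbox recipient and distribution group management only" `
    -Roles "Mail Recipients", "Distribution Groups" `
    -Members helpdesk1@contoso.com

# 5. Verify membership and the effective scope of the new group. Until a
#    custom scope is applied (covered in Part 2), it is organization wide.
Get-RoleGroupMember "Helpdesk Tier 1"
Get-ManagementRoleAssignment -RoleAssignee "Helpdesk Tier 1" |
    Select-Object Role, RecipientWriteScope
```

Step 3 is a useful habit before handing out any built-in group: "Help Desk" and "Recipient Management" sound similar in the EAC, but the role assignments behind them differ, and the output tells you exactly which cmdlets a member is about to receive across the whole tenant.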
Scoping admin roles
So far, all I have covered are very basic configurations you can do via the GUI with RBAC in Exchange Online. In the next part of this series, I'm going to cover how to scope admin roles to a specific set of users.
-Nathan
Continue reading Part 2 of this series