Thursday, June 27, 2013

How to Configure Granular Permissions to End Users for Distribution Group Management

Exchange Online in Office 365, Exchange 2013, and Exchange 2010 offer end users the ability to create, edit, and delete Exchange distribution groups in the Global Address List.  This feature is a role assignment called MyDistributionGroups in the Default Role Assignment Policy under User Roles, and by default it is not enabled.

User's Default Role Assignment Policy
If you enable this role by selecting the checkbox and saving the policy, all users can create, edit, and delete distribution groups that they own (the user is listed in the Owners multivalued property of the group).

But what if you only want users to be able to edit their own distribution groups? Or maybe you want them to only be able to edit and delete their own groups? Or maybe only add and edit their own groups?  The cmdlets below will configure these options for the Default Role Assignment Policy.

Run the following cmdlets in an Exchange Management Shell session:

# Derive a role from MyDistributionGroups that can only edit existing groups:
# remove the entries that allow creating and deleting groups.
New-ManagementRole -Name CanEditDistributionGroups -Parent MyDistributionGroups
Remove-ManagementRoleEntry CanEditDistributionGroups\New-DistributionGroup -Confirm:$false
Remove-ManagementRoleEntry CanEditDistributionGroups\Remove-DistributionGroup -Confirm:$false

# Derive a role that can create and edit groups but not delete them.
New-ManagementRole -Name CanCreateDistributionGroups -Parent MyDistributionGroups
Remove-ManagementRoleEntry CanCreateDistributionGroups\Remove-DistributionGroup -Confirm:$false

# Derive a role that can edit and delete groups but not create them.
New-ManagementRole -Name CanRemoveDistributionGroups -Parent MyDistributionGroups
Remove-ManagementRoleEntry CanRemoveDistributionGroups\New-DistributionGroup -Confirm:$false

# Assign all three derived roles to the policy that end users receive by default;
# the EAC is then used to enable only the ones you actually want to grant.
New-ManagementRoleAssignment -Role CanEditDistributionGroups -Policy "Default Role Assignment Policy"
New-ManagementRoleAssignment -Role CanCreateDistributionGroups -Policy "Default Role Assignment Policy"
New-ManagementRoleAssignment -Role CanRemoveDistributionGroups -Policy "Default Role Assignment Policy"

Once the script completes, you will want to configure the Default Role Assignment Policy in Permissions/User Roles as shown below.  Log into the EAC with Organization Management rights and click Permissions > User Roles and edit the Default Role Assignment Policy.

By default, all three sub-items will be checked.  Leave the checkbox selected for the roles you want to assign, clear the ones you don't want to give, then click Save. The example above allows all users to edit and remove distribution groups where they are the Owner.  Users are unable to modify or delete groups they do not own.
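To confirm that each derived role really lost the cmdlets you removed and is still assigned to the policy, here is a verification script (an added example, not part of the original post). It assumes the three roles above already exist and that it runs in an Exchange Management Shell session with Organization Management rights; the table of excluded cmdlets and the Set-DistributionGroup check mirror the role definitions above.

```powershell
# Added verification script; assumes the three custom roles from the post exist.
# For each derived role, list the cmdlets that must have been removed from it.
$excluded = @{
    'CanEditDistributionGroups'   = @('New-DistributionGroup', 'Remove-DistributionGroup')
    'CanCreateDistributionGroups' = @('Remove-DistributionGroup')
    'CanRemoveDistributionGroups' = @('New-DistributionGroup')
}
$policy   = 'Default Role Assignment Policy'
$problems = @()

foreach ($role in $excluded.Keys) {
    # Every role entry still present in the derived role; Name is the cmdlet name.
    $entries = Get-ManagementRoleEntry -Identity "$role\*" |
        Select-Object -ExpandProperty Name

    # Any excluded cmdlet that survived means the role grants more than intended.
    foreach ($cmdlet in $excluded[$role]) {
        if ($entries -contains $cmdlet) {
            $problems += "$role still contains $cmdlet"
        }
    }

    # Set-DistributionGroup is what lets an owner edit a group; all three roles keep it.
    if ($entries -notcontains 'Set-DistributionGroup') {
        $problems += "$role is missing Set-DistributionGroup"
    }

    # A correctly scoped role that is not assigned to the policy grants nothing to users.
    $assigned = Get-ManagementRoleAssignment -Role $role -RoleAssignee $policy `
        -ErrorAction SilentlyContinue
    if (-not $assigned) {
        $problems += "$role is not assigned to $policy"
    }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "All three custom roles are scoped and assigned as intended."
}
```

Run it again after any change to the Default Role Assignment Policy, since unchecking a role in the EAC removes its assignment rather than the role itself.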

The checkbox for MyDistributionGroupMembership allows users to add or remove themselves from distribution groups that allow it.

Users can manage distribution groups from the Global Address List in Outlook or from Options > Groups in Outlook Web App.

Special Note for Office 365 Tenants in Hybrid Mode:
When an on-premises distribution group is synced to a Microsoft Office 365 organization through Active Directory synchronization, migrated users who are owners of the distribution group can't manage it in Microsoft Exchange Online. For example, a user may receive an error message that resembles the following:
The action 'Update-DistributionGroupMember', 'Identity.Members', can't be performed on the object '<name>' because the object is being synchronized from your on-premises organization. This action should be performed on the object in your on-premises organization.
According to the TechNet article "Owners of an on-premises distribution group that's synced to Office 365 can't manage the distribution group in Exchange Online", the only way to work around this is to manage group membership in the on-premises Active Directory.  :(  That's not a good option and prevents end users from managing the groups they own from Outlook or OWA.

You could recreate all the groups in the Exchange Administrative Console (EAC), but then you'll have a split level directory.  You would need to create and manage groups from the EAC while everything else is managed in your on-prem AD.  I sure hope Microsoft fixes this soon!

4:02 PM