Wednesday, 8 April 2015

Assigning RBAC to Manage ActiveSync only



Creating an RBAC role group with access to enable/disable ActiveSync and wipe mobile devices

We need to restrict the helpdesk so that it only has permission to enable and disable ActiveSync on a mailbox and to wipe a user's mobile device, and nothing else.

Steps to create the ActiveSync admin role.

Create a new management role "ActiveSync". We use "Organization Client Access" as the parent role, because a custom role can only contain role entries that exist in its parent.

  • New-ManagementRole -Name "ActiveSync" -Parent "Organization Client Access"

The new role inherits every entry of Organization Client Access, which includes managing the Client Access array and other server-side settings the helpdesk must not touch. So we remove every role entry other than Set-CASMailbox from the "ActiveSync" role:

$ActiveSyncRoles = Get-ManagementRoleEntry "ActiveSync\*" | Where-Object { $_.Name -ne "Set-CASMailbox" }
$ActiveSyncRoles.Name | ForEach-Object { Remove-ManagementRoleEntry "ActiveSync\$_" -Confirm:$false }

Now we add back the few role entries this role needs to read and manage ActiveSync device access rules and CAS mailbox settings (not mailbox creation; that is outside the helpdesk's remit):

  • Add-ManagementRoleEntry "ActiveSync\Get-ActiveSyncDeviceAccessRule"
  • Add-ManagementRoleEntry "ActiveSync\Get-ActiveSyncDeviceClass"
  • Add-ManagementRoleEntry "ActiveSync\Get-ActiveSyncOrganizationSettings"
  • Add-ManagementRoleEntry "ActiveSync\Get-CASMailbox"
  • Add-ManagementRoleEntry "ActiveSync\Remove-ActiveSyncDeviceAccessRule"
  • Add-ManagementRoleEntry "ActiveSync\Set-ActiveSyncDeviceAccessRule"
  • Add-ManagementRoleEntry "ActiveSync\Set-CASMailbox"
  • Add-ManagementRoleEntry "ActiveSync\Write-AdminAuditLog"

Now we create a new role group so that the required helpdesk administrators can be added to it:

  • New-RoleGroup "ActiveSync Enable Wipe" -Roles "ActiveSync"

The Set-CASMailbox role entry inherited from Organization Client Access does not carry the ActiveSyncEnabled parameter, so it cannot enable or disable ActiveSync on a mailbox. For that we create a second role, "ActiveSyncMailboxManagement", with "Mail Recipients" as its parent role:

  • New-ManagementRole -Name "ActiveSyncMailboxManagement" -Parent "Mail Recipients"

Now we remove the unwanted role entries from ActiveSyncMailboxManagement, keeping only Set-CASMailbox:

$ActiveSyncMailboxManagementRoles = Get-ManagementRoleEntry "ActiveSyncMailboxManagement\*" | Where-Object { $_.Name -ne "Set-CASMailbox" }
$ActiveSyncMailboxManagementRoles.Name | ForEach-Object { Remove-ManagementRoleEntry "ActiveSyncMailboxManagement\$_" -Confirm:$false }


Now we add the role entries ActiveSyncMailboxManagement needs to look up a user's mailbox and devices, and to wipe or remove a device:

  • Add-ManagementRoleEntry "ActiveSyncMailboxManagement\Get-User"
  • Add-ManagementRoleEntry "ActiveSyncMailboxManagement\Get-Mailbox"
  • Add-ManagementRoleEntry "ActiveSyncMailboxManagement\Get-CASMailbox"
  • Add-ManagementRoleEntry "ActiveSyncMailboxManagement\Get-Recipient"
  • Add-ManagementRoleEntry "ActiveSyncMailboxManagement\Set-Mailbox"
  • Add-ManagementRoleEntry "ActiveSyncMailboxManagement\Get-ActiveSyncDeviceStatistics"
  • Add-ManagementRoleEntry "ActiveSyncMailboxManagement\Clear-ActiveSyncDevice"
  • Add-ManagementRoleEntry "ActiveSyncMailboxManagement\Remove-ActiveSyncDevice"
  • Add-ManagementRoleEntry "ActiveSyncMailboxManagement\Get-MobileDevice"
  • Add-ManagementRoleEntry "ActiveSyncMailboxManagement\Get-MobileDeviceStatistics"

Now we assign the new management role ActiveSyncMailboxManagement to the "ActiveSync Enable Wipe" role group:

New-ManagementRoleAssignment -Role "ActiveSyncMailboxManagement" -SecurityGroup "ActiveSync Enable Wipe"
 
Now add the user or users to "ActiveSync Enable Wipe" in the Office 365 portal. They can then sign in via PowerShell and manage ActiveSync devices. After the ActiveSync user has logged into the portal they have to go to this URL to be able to manage the device in the Control Panel.
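As an added example (my code, not the original post's), here is an audit-and-hardening pass to run after the steps above. It assumes an Exchange Management Shell or remote PowerShell session opened by an Organization Management member, and that the role and group names are the ones used in this post. The parameter list it keeps on Set-CASMailbox (Identity, ActiveSyncEnabled, Confirm, WhatIf) is my choice for the enable/disable task and is not something the post specifies.

```powershell
# Added example, not part of the original post. Audits the two custom roles
# against an allow-list, strips any excess entries, checks that the
# Mail Recipients-derived Set-CASMailbox entry really carries ActiveSyncEnabled,
# and then trims that entry down to the one parameter the helpdesk needs.
# Assumes an Exchange session with Organization Management rights.

# Allow-list: the only cmdlets each custom role should expose (taken from the post).
$allowed = @{
    "ActiveSync" = @(
        "Get-ActiveSyncDeviceAccessRule", "Get-ActiveSyncDeviceClass",
        "Get-ActiveSyncOrganizationSettings", "Get-CASMailbox",
        "Remove-ActiveSyncDeviceAccessRule", "Set-ActiveSyncDeviceAccessRule",
        "Set-CASMailbox", "Write-AdminAuditLog"
    )
    "ActiveSyncMailboxManagement" = @(
        "Get-User", "Get-Mailbox", "Get-CASMailbox", "Get-Recipient", "Set-Mailbox",
        "Get-ActiveSyncDeviceStatistics", "Clear-ActiveSyncDevice",
        "Remove-ActiveSyncDevice", "Get-MobileDevice", "Get-MobileDeviceStatistics",
        "Set-CASMailbox"
    )
}

foreach ($role in $allowed.Keys) {
    $entries = @(Get-ManagementRoleEntry "$role\*")

    # Anything not on the allow-list is excess privilege: report it and strip it.
    $extra = $entries | Where-Object { $allowed[$role] -notcontains $_.Name }
    foreach ($e in $extra) {
        Write-Warning "$role exposes $($e.Name); removing it"
        Remove-ManagementRoleEntry "$role\$($e.Name)" -Confirm:$false
    }

    # Anything on the allow-list that is absent means the helpdesk task will fail.
    $missing = $allowed[$role] | Where-Object { $entries.Name -notcontains $_ }
    if ($missing) { Write-Warning "$role is missing: $($missing -join ', ')" }
}

# The Set-CASMailbox entry inherited from Mail Recipients is the one that must
# carry ActiveSyncEnabled; confirm that before relying on it.
$entry = Get-ManagementRoleEntry "ActiveSyncMailboxManagement\Set-CASMailbox"
if ($entry.Parameters -notcontains "ActiveSyncEnabled") {
    throw "ActiveSyncMailboxManagement\Set-CASMailbox cannot toggle ActiveSync"
}

# That same entry also inherits OWAEnabled, PopEnabled, ImapEnabled and more.
# Least privilege: overwrite the parameter list with only what the task needs.
# (Parameter choice is an assumption for this example, not from the post.)
Set-ManagementRoleEntry "ActiveSyncMailboxManagement\Set-CASMailbox" `
    -Parameters Identity, ActiveSyncEnabled, Confirm, WhatIf

# Show what the role group has been assigned and at what write scope, and
# who ends up holding the permission through group membership.
Get-ManagementRoleAssignment -RoleAssignee "ActiveSync Enable Wipe" |
    Format-Table Name, Role, RoleAssigneeType, RecipientWriteScope -AutoSize
Get-ManagementRoleAssignment -Role "ActiveSyncMailboxManagement" -GetEffectiveUsers |
    Format-Table EffectiveUserName, Role -AutoSize
```

Two caveats the post does not spell out. First, Set-Mailbox inherited from Mail Recipients carries a very large parameter set; if the helpdesk only needs it for lookups, trim it with Set-ManagementRoleEntry -Parameters the same way, or drop the entry. Second, the assignments in the post use the default organization-wide write scope, so every member of "ActiveSync Enable Wipe" can disable ActiveSync or wipe a device for any mailbox, including executives and service accounts. If that is not intended, create a management scope (New-ManagementScope with -RecipientRestrictionFilter) and pass it to New-ManagementRoleAssignment via -CustomRecipientWriteScope.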
