This blog post on creating child RBAC roles with commands removed runs counter to the information I was told by Exchange Online support back in December of 2023. At that time, I was trying to create a custom RBAC role to just allow all methods of running and downloading message trace reports for our helpdesk support staff without granting access to more cmdlets than needed. No matter what we tried, our support staff could run extended message traces but received an HTTP 403 error when downloading them via any method. In contacting MSFT support I was told the following:
- Ideally, Historical Search and Message tracking Role should allow users to download the reports, but there is a product limitation: roles assigned via a group are not correctly propagated to all EXO parts, the message trace report being one of them.
- This is not a bug - this is a work item for a potential future feature which Microsoft currently have significant technical barriers to implementing. There is no ETA provided for the implication.
- We do not suggest you divide the role group "View-Only Recipients" as it will not work as expected to download the reports.
- For on-premises servers we have more flexibility to create custom role groups to fulfill our requirements.
Does this blog post mean that removing commands from Child Management roles is now working as expected?