Forum Discussion

Kristin_L_365
Copper Contributor
Oct 31, 2024

New role recommendation: Read Only Exchange Admin

To fully leverage PIM, we are transitioning to Entra roles wherever possible. We wish we could get off of customized Exchange RBAC roles, but the Exchange Recipient Admin role lacks access to information like mail flow rules, which is essential for troubleshooting mail delivery issues. We would appreciate the introduction of a read-only role that allows viewing all information in Exchange without the ability to make changes.

  • Global reader should cover this:

    [18:12:02][O365]# Get-ManagementRoleAssignment -RoleAssignee GlobalReaders_1611162644 | sort Role -Unique

    Name Role RoleAssigneeName RoleAssigneeType
    ---- ---- ---------------- ----------------
    Recipient Permissions-View-... Recipient Permissions View-Only Organization Management RoleGroup
    View-Only Configuration-Vie... View-Only Configuration View-Only Organization Management RoleGroup
    View-Only Recipients-View-O... View-Only Recipients View-Only Organization Management RoleGroup

    where the View-Only Configuration role gives you access to Mail flow rules and so on.
      Kristin_L_365
      Copper Contributor

      VasilMichev Thanks for the quick reply. Global Reader is a bit broad for this use case and we'd like to limit the viewer access just to the Exchange service. From my research I don't see a way to customize an Entra role to hook into specific Exchange roles. Is that correct? The other solution might be to use PIM group access to time-box access to EXO RBAC roles, but that's not ideal.

        VasilMichev
        MVP
        Security Reader should also work. You cannot go more granular than that with Entra roles.
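As an added example (not code from either participant), the role-assignment query above can be extended into a check that an Exchange role assignee is genuinely read-only: it walks every role assigned to the group, collects the cmdlets those roles grant, flags any whose verb is not in a read-only allowlist, and confirms that Get-TransportRule (mail flow rules) is included. It assumes an existing Exchange Online PowerShell session and uses the Global Readers role group name from the thread, whose numeric suffix is tenant-specific.

```powershell
# Added example: audit whether an Exchange role assignee (role group) is truly read-only.
# Assumes Connect-ExchangeOnline has already been run in this session.

function Test-ReadOnlyRoleAssignee {
    param(
        [Parameter(Mandatory)][string]$RoleAssignee,
        # Verbs treated as non-modifying; anything else is flagged for review.
        [string[]]$ReadOnlyVerbs = @('Get', 'Search', 'Test', 'Export', 'Validate'),
        # Cmdlets the assignee must be able to run (mail flow rules, per the thread).
        [string[]]$RequiredCmdlets = @('Get-TransportRule')
    )

    # Distinct roles assigned to the group (a role may be assigned via several scopes).
    $roles = Get-ManagementRoleAssignment -RoleAssignee $RoleAssignee |
        ForEach-Object { "$($_.Role)" } |
        Sort-Object -Unique

    # Every role entry (cmdlet) each of those roles grants.
    $entries = foreach ($role in $roles) {
        Get-ManagementRoleEntry -Identity "$role\*"
    }
    $cmdlets = $entries | Select-Object -ExpandProperty Name -Unique | Sort-Object

    # Anything whose verb is outside the allowlist could modify configuration.
    $writeCapable = $cmdlets | Where-Object {
        $verb = ($_ -split '-', 2)[0]
        $ReadOnlyVerbs -notcontains $verb
    }
    # Required read cmdlets that none of the assigned roles provide.
    $missing = $RequiredCmdlets | Where-Object { $cmdlets -notcontains $_ }

    [pscustomobject]@{
        RoleAssignee    = $RoleAssignee
        Roles           = $roles
        CmdletCount     = $cmdlets.Count
        WriteCapable    = $writeCapable   # expected to be empty for a read-only assignee
        MissingRequired = $missing        # expected to be empty if mail flow rules are visible
        IsReadOnly      = ($writeCapable.Count -eq 0)
    }
}

# Role group name as shown in the thread; the numeric suffix differs per tenant.
Test-ReadOnlyRoleAssignee -RoleAssignee 'GlobalReaders_1611162644' | Format-List
```

The same function can be pointed at a custom role group to confirm that a PIM-managed EXO RBAC assignment, the alternative discussed above, grants no write-capable cmdlets.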
