Forum Discussion

Ajay_Joshi's avatar
Ajay_Joshi
Brass Contributor
Jan 15, 2024

Admins are not able to create DLs even with custom "Exchange RBAC" Distribution Groups permission

Admins are not able to create DLs even with custom "Exchange RBAC" Distribution Groups permission
exchange online
office 365
VasilMichev's avatar
VasilMichev
MVP
Jan 15, 2024
You have to be a bit more specific here, what is the current configuration and what are aiming to achieve? To troubleshoot issues with RBAC roles, the usual place to start would be the Get-ManagementRole cmdlet, which you can use to filter out all the relevant roles containing a given cmdlet. For example:

Get-ManagementRole -Cmdlet New-DistributionGroup

will give you a list of all roles that have sufficient permissions to create a new DG. Make sure that at least one of the returned roles is assigned to the user(s) in question.
  • Ajay_Joshi's avatar
    Ajay_Joshi
    Brass Contributor
    Feb 09, 2024

    VasilMichev Hi, thanks for the reply, I'm a big fan of yours.

     

    In our setup, there are 30+ countries each having their L2 teams and have been given Exchange permissions through country scoped RBAC roles. They have DL permission enabled but not for SG mostly, for some country RBACs both are disabled. When we enabled the latter, they could manage the SGs but not create them. However, they were able to create DLs and ofcourse manage them.


    However, we have have a Global L3 team(includes me) who have Exchange Admin roles so they have full rights. But, we do have Default scoped RBACs meant for Country L2 Admins only that has DL permissions and not SG. We identified this issue that this RBAC allows them to create DLs actually. We have another for Mail Recipients but SG permissions aren't enabled in either of them. 

    That was a reason and having so many custom RBACs took us some time to identify the cause. Thanks again for responding to this query. 

Resources