Forum Discussion
Delegating permission to approve Quarantined Mobile Devices in Exchange Online
The method outlined above should work (might need small adjustments for ExO), but it's only needed if you want to go very granular. The issue with this approach is that you need to ensure you have granted access to all the relevant cmdlets/operations, including the Get- ones. An easier way to go about this is to assign the user to the "Organization Client Access" role, which is intended for such tasks:
New-ManagementRoleAssignment -Role "Organization Client Access" -User email address removed for privacy reasons
The role does allow the user to also configure mobile device rules, and if you are too worried about that, you need to follow the full setup in the article above (i.e. creating a new role based on the "Organization Client Access" one and removing every cmdlet you don't want the user to have access to).
Don't forget to have the user re-login after any permissions change.
- Stephen Bell, Dec 24, 2024, Iron Contributor
VasilMichev, Thank you for the response. I went ahead and added the mail-enabled security group to the Organization Client Access management role. However, when I log in as someone in that group, I'm not able to list any quarantined devices under Mobile --> Mobile device access. I see "error executing cmdlet."
If I try to go via Recipients --> Mailboxes, I see the list of mailboxes, but I can't click on any of them to get the settings I see in my administrative account.
If I run
Get-ManagementRoleAssignment -Role 'Organization Client Access' | Select * | ogv
I see this:
I attempted to add Get-Mailbox to the role by running:
Add-ManagementRoleEntry 'Organization Client Access\Get-Mailbox'
But it looks like I can't modify OOB Management roles.
What is it that I am missing?
Thanks
Steve
- VasilMichev, Dec 27, 2024, MVP
You can simply assign another role that includes the cmdlets you need. For example, the "View-Only Recipients" one.
And Microsoft should improve their handling of this scenario in the EAC, I suppose; I pinged some folks on it.
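
The granular setup discussed in this thread (a child role of "Organization Client Access" trimmed to an allow-list, plus "View-Only Recipients" for the mailbox reads) could look like the following; this is an added example, not code posted by either participant. The role name, group name and the cmdlet allow-list are assumptions, and the script warns if the parent role does not actually contain an allow-listed cmdlet, since a child role can only hold entries its parent has.

```powershell
# Added example. Assumes an active Connect-ExchangeOnline session held by an
# admin who is allowed to manage RBAC roles and role assignments.
$ParentRole = 'Organization Client Access'
$CustomRole = 'Quarantined Device Approvers'   # hypothetical role name
$Group      = 'MobileDeviceApprovers'          # hypothetical mail-enabled security group

# Assumed allow-list: adjust it to the cmdlets your approval workflow really calls.
# Keep the Get- cmdlets, otherwise the EAC cannot list anything.
$Keep = 'Get-CASMailbox', 'Set-CASMailbox', 'Get-MobileDevice', 'Get-MobileDeviceStatistics'

# Built-in roles are read-only, so create a child role. It starts with every
# entry of the parent and can never contain an entry the parent lacks.
New-ManagementRole -Name $CustomRole -Parent $ParentRole | Out-Null
$entries = Get-ManagementRoleEntry "$CustomRole\*"

# Report allow-listed cmdlets that the parent role does not provide; those
# must come from a second role assignment, not from Add-ManagementRoleEntry.
$missing = $Keep | Where-Object { $_ -notin $entries.Name }
if ($missing) {
    Write-Warning "Not available from '$ParentRole': $($missing -join ', ')"
}

# Strip everything that is not on the allow-list (least privilege).
$entries | Where-Object { $_.Name -notin $Keep } | ForEach-Object {
    Remove-ManagementRoleEntry -Identity "$CustomRole\$($_.Name)" -Confirm:$false
}

# Assign the trimmed role, plus the read-only recipient role suggested in the thread.
New-ManagementRoleAssignment -Role $CustomRole -SecurityGroup $Group
New-ManagementRoleAssignment -Role 'View-Only Recipients' -SecurityGroup $Group

# Review the result: remaining entries and the group's effective assignments.
Get-ManagementRoleEntry "$CustomRole\*" | Select-Object Name, Parameters
Get-ManagementRoleAssignment -RoleAssignee $Group |
    Select-Object Name, Role, RoleAssigneeType
```

Group members need to sign in again before the new assignments take effect, as noted earlier in the thread.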