Forum Discussion

Stephen Bell
Iron Contributor
Dec 20, 2024

Delegating permission to approve Quarantined Mobile Devices in Exchange Online

Hi all,

I would appreciate some guidance.  Today, we are configured to quarantine any mobile device that attempts to add their mailbox to their device.  We have three administrators that can approve these devices.  I'd like to delegate this responsibility to the person on our team who stages and deploys mobile devices without giving them full administrator access.

Additionally, I am looking to grant access within the GUI, not the ability to run a PowerShell cmdlet.  

From this post on Reddit, I first attempted this process, but it did not seem to work.  In the GUI, a user in the group I created cannot access the Mobile Devices page in the Exchange Admin Center.  I then attempted this link to Microsoft documentation, but it doesn't seem to fit exactly.  Granted, I don't have much experience with Exchange permissions.

Any help, guidance, or direction you could point me in would be greatly appreciated.

Thanks

Steve

  • The method outlined above should work (might need small adjustments for ExO), but it's only needed if you want to go very granular. The issue with this approach is that you need to ensure you have granted access to all the relevant cmdlets/operations, including the Get- ones. An easier way to go about this is to assign the user to the "Organization Client Access" role, which is intended for such tasks:

    New-ManagementRoleAssignment -Role "Organization Client Access" -User email address removed for privacy reasons

    The role does allow the user to also configure mobile device rules, and if you are too worried about that, you need to follow the full setup in the article above (i.e. creating a new role based on the "Organization Client Access" one and remove every cmdlet you don't want the user to have access to).

    Don't forget to have the user re-login after any permissions change.

    • Stephen Bell
      Iron Contributor

      VasilMichev, Thank you for the response. I went ahead and added the mail-enabled security group to the Organization Client Access management role. However, when I log in as someone in that group, I'm not able to list any quarantined devices under Mobile --> Mobile device access. I see "error executing cmdlet."

      If I try to go via Recipients --> Mailboxes, I see the list of mailboxes, but I can't click on any of them to get the settings I see in my administrative account.  

      If I run a 

      Get-ManagementRoleAssignment -Role 'Organization Client Access' | Select * | ogv

      I see this:

      I attempted to add 

      Get-Mailbox

      To the role by running: 

      Add-ManagementRoleEntry 'Organization Client Access\Get-Mailbox'

      But it looks like I can't modify OOB Management roles.

      What is it that I am missing?

      Thanks

      Steve

      • VasilMichev
        MVP

        You can simply assign another role that includes the cmdlets you need. For example, the "View-Only Recipients" one.

        And Microsoft should improve their handling of this scenario in the EAC I suppose, I pinged some folks on it.
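The "go granular" route described in the first reply (derive a custom role from "Organization Client Access", strip the cmdlets the delegate should not have) combined with the "View-Only Recipients" suggestion above, as an added PowerShell example that is not from any poster in this thread. It assumes the ExchangeOnlineManagement module, an account holding the Role Management role, and placeholder names for the custom role, role group and delegate; which ActiveSync rule cmdlets the parent role actually contains is checked at run time rather than assumed.

```powershell
# Added example, not code from the thread. Assumes the ExchangeOnlineManagement
# module is installed and the signed-in admin holds the Role Management role.
# "Mobile Device Approvers" and deployer@contoso.example are placeholders.
Connect-ExchangeOnline

$RoleName  = 'Mobile Device Approvers'     # placeholder: custom role name
$GroupName = 'Mobile Device Approvers'     # placeholder: role group name
$Delegate  = 'deployer@contoso.example'    # placeholder: UPN of the staging technician

# 1. Derive a custom role from the built-in one. Built-in (OOB) roles cannot be
#    edited with Add-/Remove-ManagementRoleEntry, as the thread shows.
if (-not (Get-ManagementRole -Identity $RoleName -ErrorAction SilentlyContinue)) {
    New-ManagementRole -Name $RoleName -Parent 'Organization Client Access' | Out-Null
}

# 2. Remove the entries that let the delegate change tenant-wide mobile device
#    access rules. Approving a quarantined device does not need them. Each entry is
#    checked first because the parent role's exact contents are an assumption here.
$Unwanted = 'New-ActiveSyncDeviceAccessRule', 'Set-ActiveSyncDeviceAccessRule',
            'Remove-ActiveSyncDeviceAccessRule', 'Set-ActiveSyncOrganizationSettings'
foreach ($Cmdlet in $Unwanted) {
    $Entry = "$RoleName\$Cmdlet"
    if (Get-ManagementRoleEntry -Identity $Entry -ErrorAction SilentlyContinue) {
        Remove-ManagementRoleEntry -Identity $Entry -Confirm:$false
    }
}

# 3. Review what is left. The Get-* entries must survive, otherwise the EAC pages
#    fail with "error executing cmdlet" exactly as reported in the thread.
Get-ManagementRoleEntry -Identity "$RoleName\*" |
    Sort-Object Name | Format-Table Name, Parameters -AutoSize

# 4. Bundle the trimmed role with View-Only Recipients (so the mailbox pages render)
#    into one role group and add the delegate. Re-running the script only adds members.
if (-not (Get-RoleGroup -Identity $GroupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $GroupName -Roles $RoleName, 'View-Only Recipients' `
        -Members $Delegate | Out-Null
} else {
    Add-RoleGroupMember -Identity $GroupName -Member $Delegate
}

# The delegate must sign out and back in before the new assignment takes effect.
```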

  • damnsa
    Copper Contributor

    To delegate mobile device management responsibilities in the Exchange Admin Center (EAC) without giving full administrator access, you need to create a custom role group with the appropriate permissions. 
