Global Reader and Get-RecipientPermission (and Get-EXORecipientPermission)
- Jun 11, 2020
I haven't bothered to test this against a "vanilla" tenant, so it might be something I've done, but I can see that Global readers are assigned the View-Only Organization Management role group, and as such have access to the Get-RecipientPermission via the Recipient Permissions role.
I do get the timeouts for the V2 cmdlets though, even for Get-EXORecipient. Report it, I'll do the same.
- JeremyTBradshaw Jun 11, 2020 Iron Contributor
VasilMichev I just checked the tenant I was working in where I first noticed this, and then my current lab tenant. Turns out View-Only Recipients, a nested role in View-Only Organization, doesn't have Get-RecipientPermission included.
>Get-ManagementRoleEntry "View-Only Recipients\Get*Permission" | select Name
Name
----
Get-MailboxPermission
Get-SenderPermission
Get-PublicFolderClientPermission
Get-MailboxFolderPermission
Interesting side note - I never realized the existence of "Get-SenderPermission" before. Back to the point though, I bet when Get-RecipientPermission was invented in EXO, adding it to the View-Only Recipients management role was missed.
I will go and report to the EXO v2 email that the new cmdlets should only be exposed if the old cmdlet is also available to the current user. Thanks for nudging me into the right direction.
- VasilMichev Jun 11, 2020 MVP
That's right, but the "Recipient Permissions" does have it:
[17:36:36][Login script]# Get-ManagementRoleEntry "Recipient Permissions\Get*Permission*"
Name                    Role                  Parameters
----                    ----                  ----------
Get-SenderPermission    Recipient Permissions {Recipients, Sender}
Get-RecipientPermission Recipient Permissions {AccessRights, ErrorAction, ErrorVariable...
Again, might be something I've added and forgot about since, and a quick check in another tenant doesn't even reveal the Global readers role/group at all. Here's what I see in my personal tenant though:
[17:40:43][Login script]# Get-ManagementRoleAssignment -RoleAssignee GlobalReaders_1611162644
Name                           Role                    RoleAssigneeName                  RoleAssigneeType AssignmentMethod EffectiveUserName
----                           ----                    ----------------                  ---------------- ---------------- -----------------
View-Only Configuration-Vie... View-Only Configuration View-Only Organization Management RoleGroup        RoleGroup        All Group Members
View-Only Recipients-View-O... View-Only Recipients    View-Only Organization Management RoleGroup        RoleGroup        All Group Members
Recipient Permissions-View-... Recipient Permissions   View-Only Organization Management RoleGroup        RoleGroup        All Group Members
Recipient Permissions-View-... Recipient Permissions   View-Only Organization Management RoleGroup        RoleGroup        All Group Members
Recipient Permissions-View-... Recipient Permissions   View-Only Organization Management RoleGroup        RoleGroup        All Group Members
- JeremyTBradshaw Jun 11, 2020 Iron Contributor
VasilMichev Thanks again. I think it must be something in your tenant as you alluded, as I've found this article which shows the default nested management roles inside View-Only Organization Management which Global Reader is a member of:
I have, though, figured out exactly where the issue is, based on my finding above, and comparing to a vanilla Exchange 2010 and 2016 on-premises environment. Get-ADPermission is a role entry in "View-Only Configuration", which is nested in View-Only Org. Management. In EXO, View-Only Configuration does not contain Get-RecipientPermission (nor Get-ADPermission, obviously, but just to be thorough).
I realize I'm spending way too much time on this low low priority issue :). But to summarize in closing, Global Reader doesn't have access to Get-RecipientPermission, because Get-RecipientPermission has not been added to the EXO role "View-Only Configuration". The EXO v2 PS module still exposes the new Cmdlets, even if the corresponding legacy Cmdlet isn't available to the current user. I've reported the latter, will just let this thread inform them of the former, in case they want to fix it (not gonna bother with a UserVoice or support ticket though).
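The two checks run by hand in this thread can be combined into one RBAC audit for any tenant. The following is an added example, not code posted by either participant; it assumes an already connected Exchange Online PowerShell session with rights to read RBAC configuration, and the variable names are illustrative.

```powershell
# Added example: report which roles assigned to a role group carry a given cmdlet.
# Assumes an existing Exchange Online session (Connect-ExchangeOnline).
$Cmdlet    = 'Get-RecipientPermission'
$RoleGroup = 'View-Only Organization Management'   # role group discussed in the thread

# Every management role in the tenant whose entries include the cmdlet.
$rolesWithCmdlet = Get-ManagementRole -Cmdlet $Cmdlet |
    Select-Object -ExpandProperty Name

# Roles assigned to the role group (the same call VasilMichev ran per assignee).
$assignedRoles = Get-ManagementRoleAssignment -RoleAssignee $RoleGroup |
    Select-Object -ExpandProperty Role -Unique

# For each assigned role, look for a "Role\Cmdlet" entry, as in the thread.
$report = foreach ($role in $assignedRoles) {
    $entry = Get-ManagementRoleEntry "$role\$Cmdlet" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RoleGroup  = $RoleGroup
        Role       = $role
        HasCmdlet  = [bool]$entry
        Parameters = ($entry.Parameters -join ', ')
    }
}
$report | Format-Table -AutoSize

# Roles that carry the cmdlet but are not assigned to this role group.
$unassigned = $rolesWithCmdlet | Where-Object { $_ -notin $assignedRoles }

if (-not ($report | Where-Object HasCmdlet)) {
    Write-Warning "$RoleGroup has no assigned role containing $Cmdlet."
    Write-Host "Roles in this tenant that do contain it: $($unassigned -join ', ')"
}
```

Running it with a different `$RoleGroup` or `$Cmdlet` shows whether a difference between two tenants comes from the role's entries or from the role group's assignments.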