Forum Discussion
Global Reader and Get-RecipientPermission (and Get-EXORecipientPermission)
VasilMichev Thanks again. I think it must be something in your tenant as you alluded, as I've found this article which shows the default nested management roles inside View-Only Organization Management which Global Reader is a member of:
I have though, figured out exactly where the issue is, based on my finding above, and comparing to a vanilla Exchange 2010 and 2016 on-premises environment. Get-ADPermission is a role entry in "View-Only Configuration", which is nested in View-Only Org. Management. In EXO, View-Only Configuration does not contain Get-RecipientPermission (nor Get-ADPermission, obviously but just to be thorough).
I realize I'm spending way too much time on this low low priority issue:). But to summarize in closing, Global Reader doesn't have access to Get-RecipientPermission, because Get-RecipientPermission has not been added to the EXO role "View-Only Configuration". The EXO v2 PS module still exposes the new Cmdlets, even if the corresponding legacy Cmdlet isn't available to the current user. I've reported the latter, will just let this thread inform them of the former, in case they want to fix it (not gonna bother with a UserVoice or support ticket though).
VasilMichev I just checked the tenant where I was working in where I first noticed this, and then in my current lab tenant. Turns out View-Only Recipients, a nested role in View-Only Organization, doesn't have Get-RecipientPermission included.
>Get-ManagementRoleEntry "View-Only Recipients\Get*Permission" | select Name
Name
----
Get-MailboxPermission
Get-SenderPermission
Get-PublicFolderClientPermission
Get-MailboxFolderPermission
Interesting side note - I never realized the existence of "Get-SenderPermission" before. Back to the point though, I bet when Get-RecipientPermission was invented in EXO, it was missed to add it into the View-Only Recipients management role.
I will go and report to the EXO v2 email that the new cmdlets should only be exposed if the old cmdlet is also available to the current user. Thanks for nudging me into the right direction.
That's right, but the "Recipient Permissions" does have it:
---- ---- ----------
Get-SenderPermission Recipient Permissions {Recipients, Sender}
Get-RecipientPermission Recipient Permissions {AccessRights, ErrorAction, ErrorVariable...
[17:40:43][Login script]# Get-ManagementRoleAssignment -RoleAssignee GlobalReaders_1611162644
Name Role RoleAssigneeName RoleAssigneeType AssignmentMethod EffectiveUserName
---- ---- ---------------- ---------------- ---------------- -----------------
View-Only Configuration-Vie... View-Only Configuration View-Only Organization Management RoleGroup RoleGroup All Group Members
View-Only Recipients-View-O... View-Only Recipients View-Only Organization Management RoleGroup RoleGroup All Group Members
Recipient Permissions-View-... Recipient Permissions View-Only Organization Management RoleGroup RoleGroup All Group Members
Recipient Permissions-View-... Recipient Permissions View-Only Organization Management RoleGroup RoleGroup All Group Members
Recipient Permissions-View-... Recipient Permissions View-Only Organization Management RoleGroup RoleGroup All Group MembersVasilMichev Thanks again. I think it must be something in your tenant as you alluded, as I've found this article which shows the default nested management roles inside View-Only Organization Management which Global Reader is a member of:
I have though, figured out exactly where the issue is, based on my finding above, and comparing to a vanilla Exchange 2010 and 2016 on-premises environment. Get-ADPermission is a role entry in "View-Only Configuration", which is nested in View-Only Org. Management. In EXO, View-Only Configuration does not contain Get-RecipientPermission (nor Get-ADPermission, obviously but just to be thorough).
I realize I'm spending way too much time on this low low priority issue:). But to summarize in closing, Global Reader doesn't have access to Get-RecipientPermission, because Get-RecipientPermission has not been added to the EXO role "View-Only Configuration". The EXO v2 PS module still exposes the new Cmdlets, even if the corresponding legacy Cmdlet isn't available to the current user. I've reported the latter, will just let this thread inform them of the former, in case they want to fix it (not gonna bother with a UserVoice or support ticket though).
- Michev wrote an article on this subject, including a fix.
https://www.michev.info/Blog/Post/935/recipient-permissions-send-as-missing-from-the-default-view-only-organization-management-role-group
