Forum Discussion
Global Reader and Get-RecipientPermission (and Get-EXORecipientPermission)
VasilMichev Thanks again. I think it must be something in your tenant as you alluded, as I've found this article which shows the default nested management roles inside View-Only Organization Management which Global Reader is a member of:
I have though, figured out exactly where the issue is, based on my finding above, and comparing to a vanilla Exchange 2010 and 2016 on-premises environment. Get-ADPermission is a role entry in "View-Only Configuration", which is nested in View-Only Org. Management. In EXO, View-Only Configuration does not contain Get-RecipientPermission (nor Get-ADPermission, obviously but just to be thorough).
I realize I'm spending way too much time on this low low priority issue:). But to summarize in closing, Global Reader doesn't have access to Get-RecipientPermission, because Get-RecipientPermission has not been added to the EXO role "View-Only Configuration". The EXO v2 PS module still exposes the new Cmdlets, even if the corresponding legacy Cmdlet isn't available to the current user. I've reported the latter, will just let this thread inform them of the former, in case they want to fix it (not gonna bother with a UserVoice or support ticket though).
That's right, but the "Recipient Permissions" does have it:
---- ---- ----------
Get-SenderPermission Recipient Permissions {Recipients, Sender}
Get-RecipientPermission Recipient Permissions {AccessRights, ErrorAction, ErrorVariable...
[17:40:43][Login script]# Get-ManagementRoleAssignment -RoleAssignee GlobalReaders_1611162644
Name Role RoleAssigneeName RoleAssigneeType AssignmentMethod EffectiveUserName
---- ---- ---------------- ---------------- ---------------- -----------------
View-Only Configuration-Vie... View-Only Configuration View-Only Organization Management RoleGroup RoleGroup All Group Members
View-Only Recipients-View-O... View-Only Recipients View-Only Organization Management RoleGroup RoleGroup All Group Members
Recipient Permissions-View-... Recipient Permissions View-Only Organization Management RoleGroup RoleGroup All Group Members
Recipient Permissions-View-... Recipient Permissions View-Only Organization Management RoleGroup RoleGroup All Group Members
Recipient Permissions-View-... Recipient Permissions View-Only Organization Management RoleGroup RoleGroup All Group MembersVasilMichev Thanks again. I think it must be something in your tenant as you alluded, as I've found this article which shows the default nested management roles inside View-Only Organization Management which Global Reader is a member of:
I have though, figured out exactly where the issue is, based on my finding above, and comparing to a vanilla Exchange 2010 and 2016 on-premises environment. Get-ADPermission is a role entry in "View-Only Configuration", which is nested in View-Only Org. Management. In EXO, View-Only Configuration does not contain Get-RecipientPermission (nor Get-ADPermission, obviously but just to be thorough).
I realize I'm spending way too much time on this low low priority issue:). But to summarize in closing, Global Reader doesn't have access to Get-RecipientPermission, because Get-RecipientPermission has not been added to the EXO role "View-Only Configuration". The EXO v2 PS module still exposes the new Cmdlets, even if the corresponding legacy Cmdlet isn't available to the current user. I've reported the latter, will just let this thread inform them of the former, in case they want to fix it (not gonna bother with a UserVoice or support ticket though).
- Michev wrote an article on this subject, including a fix.
https://www.michev.info/Blog/Post/935/recipient-permissions-send-as-missing-from-the-default-view-only-organization-management-role-group
