cb_LSN
Jul 26, 2023
Solved

How to create a new administrator role which can only read / write contacts in EAC.

Hi,

A colleague with few Exchange skills has to maintain our email contact list. So I need a new administrator role in EAC which can only read/write contacts.
Under Roles > Admin roles I created a new role "MaintainOrganizationContacts" which has only the permission "Application Contacts.ReadWrite".
This role is associated with my colleague's user account. After logging in to https://admin.exchange.microsoft.com/ we are able to configure accepted domains and e-mail flow.
Is there any way to create a user which can only read/write email contacts?

Thanks

3 Replies

    • cb_LSN

      VasilMichev 

      Thanks - this article helps a lot.
      But I still have the "issue" that my user can configure accepted domains and e-mail flow. The user account is without administrator roles.

      After

      Get-ManagementRoleEntry -Identity AD-Contact-Editors\* | where {$_.Name -like 'New-*'} | foreach {Remove-ManagementRoleEntry -Identity "$($_.id)\$($_.name)"}

      I still have the following permissions:

      Name                          Role               Parameters
      ----                          ----               ----------
      New-MailContact               AD-Contact-Editors {Alias, Confirm, DisplayName, ErrorAction…}
      Add-MailboxLocation           AD-Contact-Editors {WhatIf}
      Get-ActiveSyncMailboxPolicy   AD-Contact-Editors {ErrorAction, ErrorVariable, Identity, OutBuffer…}
      Get-AddressBookPolicy         AD-Contact-Editors {ErrorAction, ErrorVariable, Identity, OutBuffer…}
      Get-DataEncryptionPolicy      AD-Contact-Editors {Debug, DomainController, ErrorAction, ErrorVariable…}
      Get-LinkedUser                AD-Contact-Editors {Anr, ErrorAction, ErrorVariable, Filter…}
      Get-MailContact               AD-Contact-Editors {Anr, ErrorAction, ErrorVariable, Filter…}
      Get-MailboxPlan               AD-Contact-Editors {AllMailboxPlanReleases, Credential, ErrorAction, ErrorVariab…
      Get-MailboxPreferredLocation  AD-Contact-Editors {Identity}
      Get-ManagementRoleAssignment  AD-Contact-Editors {AssignmentMethod, ConfigWriteScope, CustomRecipientWriteScop…
      Get-MobileDeviceMailboxPolicy AD-Contact-Editors {ErrorAction, ErrorVariable, Identity, OutBuffer…}
      Get-Notification              AD-Contact-Editors {ErrorAction, ErrorVariable, Identity, OutBuffer…}
      Get-OrganizationalUnit        AD-Contact-Editors {ErrorAction, ErrorVariable, Identity, IncludeContainers…}
      Get-RbacDiagnosticInfo        AD-Contact-Editors {ErrorAction, ErrorVariable, OutBuffer, OutVariable…}
      Get-Recipient                 AD-Contact-Editors {Anr, AuthenticationType, BookmarkDisplayName, ErrorAction…}
      Get-RoleAssignmentPolicy      AD-Contact-Editors {ErrorAction, ErrorVariable, Identity, OutBuffer…}
      Get-SharingPolicy             AD-Contact-Editors {ErrorAction, ErrorVariable, Identity, OutBuffer…}
      Get-ToolInformation           AD-Contact-Editors {ErrorAction, ErrorVariable, Identity, OutBuffer…}
      Get-UnifiedAuditSetting       AD-Contact-Editors {ErrorAction, ErrorVariable, Identity, OutBuffer…}
      Get-User                      AD-Contact-Editors {Anr, ErrorAction, ErrorVariable, Filter…}
      Remove-CalendarEvents         AD-Contact-Editors {CancelOrganizedMeetings, Confirm, Identity, PreviewOnly…}
      Remove-MailContact            AD-Contact-Editors {Confirm, ErrorAction, ErrorVariable, Identity…}
      Set-MailboxFolderPermission   AD-Contact-Editors {AccessRights, Confirm, ErrorAction, ErrorVariable…}
      Set-Notification              AD-Contact-Editors {Confirm, ErrorAction, ErrorVariable, Identity…}
      Set-UnifiedAuditSetting       AD-Contact-Editors {ErrorAction, ErrorVariable, Identity, OutBuffer…}
      Start-AuditAssistant          AD-Contact-Editors {Identity}
      Test-DataEncryptionPolicy     AD-Contact-Editors {Debug, DomainController, ErrorAction, ErrorVariable…}
      Undo-SoftDeletedMailbox       AD-Contact-Editors {Confirm, DisplayName, ErrorAction, ErrorVariable…}
      Undo-SoftDeletedUnifiedGroup  AD-Contact-Editors {Confirm, SoftDeletedObject, WhatIf}
      Write-AdminAuditLog           AD-Contact-Editors {Comment, Confirm, ErrorAction, ErrorVariable…}
      Set-DataEncryptionPolicy      AD-Contact-Editors {AvailabilityKeyAzureKeyID, AvailabilityKeyBlob, Confirm, Deb…
      Test-DatabaseEvent            AD-Contact-Editors {AssistantName, Counter, DomainController, Process}
      Invoke-BirthdayCalendarSync   AD-Contact-Editors {Identity, Verbose, Whatif}
      Get-MailUser                  AD-Contact-Editors {Anr, ErrorAction, ErrorVariable, Filter…}
      Get-ScopeEntities             AD-Contact-Editors {Filter, Identity, OrganizationalUnit, Properties…}
      Get-ScopeAdmins               AD-Contact-Editors {Filter, Identity, OrganizationalUnit, Properties…}
      Test-MailboxAssistant         AD-Contact-Editors {AssistantName, DomainController, Process, SoftDeletedMailbox}
      Get-Place                     AD-Contact-Editors {ErrorAction, ErrorVariable, Identity, ResultSize…}
      Set-Place                     AD-Contact-Editors {AudioDeviceName, Building, Capacity, City…}
      Get-Mailbox                   AD-Contact-Editors {Anr, Archive, ErrorAction, ErrorVariable…}
      Get-BookingMailbox            AD-Contact-Editors {MailboxName, RecipientTypeDetails}

       

      • They probably have another role assigned, Recipient management does not include anything related to accepted domains. Do a

        Get-ManagementRoleAssignment -RoleAssignee email address removed for privacy reasons
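
Added example, not written by either poster: one way to reduce the "AD-Contact-Editors" role from the thread to an explicit allowlist and then list every other role that reaches the account, which is the check suggested in the last reply. It assumes an already connected Exchange Online PowerShell session; the allowlist contents and the `colleague@example.com` account are placeholders chosen for illustration.

```powershell
# Assumes Connect-ExchangeOnline has already been run by an administrator.
$Role     = 'AD-Contact-Editors'        # custom role name taken from the thread
$Assignee = 'colleague@example.com'     # placeholder account (assumption)

# Assumption: the only cmdlets a contact editor needs. Every name here
# appears in the role listing posted in the thread.
$Keep = @(
    'Get-MailContact', 'New-MailContact', 'Remove-MailContact',
    'Get-Recipient', 'Get-OrganizationalUnit'
)

# 1. Remove every role entry that is not on the allowlist, instead of
#    filtering by verb prefix.
Get-ManagementRoleEntry -Identity "$Role\*" |
    Where-Object { $_.Name -notin $Keep } |
    ForEach-Object {
        Remove-ManagementRoleEntry -Identity "$Role\$($_.Name)" -Confirm:$false
    }

# 2. Verify: anything still present that is not allowlisted is a finding.
$remaining  = Get-ManagementRoleEntry -Identity "$Role\*" |
    Select-Object -ExpandProperty Name
$unexpected = $remaining | Where-Object { $_ -notin $Keep }
if ($unexpected) {
    Write-Warning "Entries still present in ${Role}: $($unexpected -join ', ')"
}

# 3. List every other role that reaches the account. -RoleAssignee returns
#    direct assignments and those inherited through role groups, so a role
#    group membership that grants extra rights shows up here. End-user roles
#    from the role assignment policy (My*) are listed as well.
Get-ManagementRoleAssignment -RoleAssignee $Assignee |
    Where-Object { $_.Role -ne $Role } |
    Sort-Object Role |
    Select-Object Role, RoleAssigneeName, RoleAssigneeType, AssignmentMethod
```

Any row from step 3 whose `RoleAssigneeName` is a role group is the place to look for the extra access; removing the account from that group takes the role away without touching the custom role.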