Forum Discussion

Bill Nollol's avatar
Bill Nollol
Copper Contributor
Dec 27, 2017
Solved

Assign Permissions To Certain CMDlets for powershell?

I am wondering is it possible to be able to assign users the ability to use certain CMDlets through powershell. For example the New-AzureADDirectorySetting cmdlet is generally only allowed to be us...
admin
office 365
  • BenStegink's avatar
    BenStegink
    Dec 27, 2017

    I've never seen a way to do this and I honestly can't imagine the complexity of implementing something like this.  Like you said, the actions of the various cmdlets are controlled by the users permission to Office 365.

     

    Limiting what cmdlets people could use would be the equivalent of limiting permissions in the Office 365 admin center on a link by link basis.  Not something that would really even be feasible to do (or easy to manage).

     

    The only way I've come close to something like this is by building my own "front end" for the actions.  At a hight level:

    - Create a SharePoint list that a user has access to (let's say a list for adding people to that need a specific O365 license)

    - Trigger a flow when a list item is added

    - Launch Azure Automation as part of that flow

    - Run the specific cmdlet(s) to assign license within an Azure Automation runbook using credentials stored in Azure Automation and parameters past from the list to Azure Automation via Flow

     

    this would allow you to grant people access to the list to assign licenses without having to give them any rights in Office 365 Admin Center.

     

BenStegink's avatar
BenStegink
Iron Contributor
Dec 27, 2017

I've never seen a way to do this and I honestly can't imagine the complexity of implementing something like this.  Like you said, the actions of the various cmdlets are controlled by the users permission to Office 365.

 

Limiting what cmdlets people could use would be the equivalent of limiting permissions in the Office 365 admin center on a link by link basis.  Not something that would really even be feasible to do (or easy to manage).

 

The only way I've come close to something like this is by building my own "front end" for the actions.  At a hight level:

- Create a SharePoint list that a user has access to (let's say a list for adding people to that need a specific O365 license)

- Trigger a flow when a list item is added

- Launch Azure Automation as part of that flow

- Run the specific cmdlet(s) to assign license within an Azure Automation runbook using credentials stored in Azure Automation and parameters past from the list to Azure Automation via Flow

 

this would allow you to grant people access to the list to assign licenses without having to give them any rights in Office 365 Admin Center.

 

jcgonzalezmartin's avatar
jcgonzalezmartin
MVP
Dec 27, 2017
Totally agree with Ben, this is something not possible Today and don't think we will have in the short-medium term

Resources