Forum Discussion
Assign Permissions To Certain CMDlets for powershell?
- Dec 27, 2017
I've never seen a way to do this and I honestly can't imagine the complexity of implementing something like this. Like you said, the actions of the various cmdlets are controlled by the user's permission to Office 365.
Limiting what cmdlets people could use would be the equivalent of limiting permissions in the Office 365 admin center on a link by link basis. Not something that would really even be feasible to do (or easy to manage).
The only way I've come close to something like this is by building my own "front end" for the actions. At a high level:
- Create a SharePoint list that a user has access to (let's say a list for adding people to that need a specific O365 license)
- Trigger a flow when a list item is added
- Launch Azure Automation as part of that flow
- Run the specific cmdlet(s) to assign the license within an Azure Automation runbook using credentials stored in Azure Automation and parameters passed from the list to Azure Automation via Flow
This would allow you to grant people access to the list to assign licenses without having to give them any rights in Office 365 Admin Center.
https://cloudblogs.microsoft.com/enterprisemobility/2015/12/10/custom-roles-in-azure-rbac-is-now-ga/
Could creating a custom role give access to certain cmdlets?
Bill,
The link you posted below refers to Azure RBAC, not Office 365. This also isn't something that you can apply to just anything when building custom roles. It's also not limiting cmdlets, but rather what people may (or may not be) allowed to do with them.
Right now RBAC is only Azure functionality, there isn't anything with RBAC in Office 365.
I also don't believe there is any way to do RBAC or define custom roles even if you wanted to focus just on Azure AD (a small subset of Office 365).
So... while the link below might allow you to sort of do it with certain Azure resources and Azure cmdlets (by limiting permissions, not necessarily cmdlets), it doesn't apply to Office 365 and limiting Office 365 cmdlets.
- TonyRedmond, Dec 27, 2017, MVP
Actually, RBAC works for Exchange Online inside Office 365. You can customize the roles assigned to users so that they can only use specific cmdlets and specific parameters for those cmdlets. This capability has existed since Exchange 2010 and is a well-understood feature.
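The kind of Exchange Online role customization described in the reply above, sketched as an added example that is not part of the original thread or any poster's code. The custom role name, role group name, member address, and the choice of cmdlets and parameters are hypothetical; it assumes an already connected Exchange Online PowerShell session run by an admin who can manage roles.

```powershell
# Added example. Assumes an existing Exchange Online PowerShell session.
# All names and the cmdlet/parameter selection below are hypothetical.
$ErrorActionPreference = 'Stop'

$parentRole = 'Mail Recipients'                 # built-in role used as template
$customRole = 'Helpdesk Mailbox Quota'          # hypothetical custom role
$roleGroup  = 'Helpdesk Quota Operators'        # hypothetical role group
$members    = 'helpdesk.user@contoso.example'   # placeholder account

# Cmdlets to keep. $null keeps every parameter inherited from the parent;
# a list narrows the entry to exactly those parameters.
$allowed = @{
    'Get-Mailbox' = $null
    'Set-Mailbox' = 'Identity', 'IssueWarningQuota', 'ProhibitSendQuota'
}

# A child role starts as a copy of its parent and can only be narrowed.
New-ManagementRole -Name $customRole -Parent $parentRole | Out-Null

$seen = @()
foreach ($entry in Get-ManagementRoleEntry "$customRole\*") {
    $id = "$customRole\$($entry.Name)"
    if (-not $allowed.ContainsKey($entry.Name)) {
        # Drop every cmdlet that is not on the allow list.
        Remove-ManagementRoleEntry -Identity $id -Confirm:$false
        continue
    }
    $seen += $entry.Name
    $keep = $allowed[$entry.Name]
    if ($keep) {
        # Fail closed if a requested parameter is not in the parent entry.
        $missing = $keep | Where-Object { $entry.Parameters -notcontains $_ }
        if ($missing) {
            throw "Not available on $($entry.Name): $($missing -join ', ')"
        }
        # Without -AddParameter/-RemoveParameter, only the listed ones remain.
        Set-ManagementRoleEntry -Identity $id -Parameters $keep
    }
}

# Catch allow-list cmdlets the parent role never contained.
$absent = $allowed.Keys | Where-Object { $seen -notcontains $_ }
if ($absent) { throw "Parent role lacks: $($absent -join ', ')" }

# Assign the narrowed role through a role group, then review the result.
New-RoleGroup -Name $roleGroup -Roles $customRole -Members $members | Out-Null
Get-ManagementRoleEntry "$customRole\*" | Format-List Name, Parameters
```

Reviewing the final `Get-ManagementRoleEntry` output before adding real members confirms that only the intended cmdlets and parameters survived the trimming.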
- Bill Nollol, Dec 28, 2017, Copper Contributor
Hi, can you point me in a direction where this is documented?
So do you think this is possible then? There are cmdlets to manage O365 groups but a lot of them require global permissions, so using RBAC with Exchange can we assign the ability to manage O365 groups as a permission?
Thanks
- BenStegink, Dec 28, 2017, Iron Contributor
Bill,
I actually did some looking into this a little bit after reading Tony's comment. TonyRedmond, thanks for calling this out! I missed it... you learn something every day and would love to get more of your input on this as well :)
I found this documentation - https://technet.microsoft.com/en-us/library/jj200692(v=exchg.150).aspx. Tony, not sure if you have some other.
However, in looking through it, I didn't see anything specific to a role for just Unified Groups/Office 365 Groups. Office 365 Groups in general are a little different b/c they often involve more than just Exchange Online, even though that's where the cmdlets are.
It might help if you could explain a little more what exactly you are trying to allow users to manage/not manage within the Office 365 groups.