Forum Discussion
Kristin_L_365
Oct 31, 2024 (Copper Contributor)
New role recommendation: Read Only Exchange Admin
To fully leverage PIM, we are transitioning to Entra roles wherever possible. We wish we could get off of customized Exchange RBAC roles, but the Exchange Recipient Admin role lacks access to infor...
VasilMichev
Oct 31, 2024 (MVP)
Global reader should cover this:
[18:12:02][O365]# Get-ManagementRoleAssignment -RoleAssignee GlobalReaders_1611162644 | sort Role -Unique

Name                           Role                    RoleAssigneeName                   RoleAssigneeType
----                           ----                    ----------------                   ----------------
Recipient Permissions-View-... Recipient Permissions   View-Only Organization Management  RoleGroup
View-Only Configuration-Vie... View-Only Configuration View-Only Organization Management  RoleGroup
View-Only Recipients-View-O... View-Only Recipients    View-Only Organization Management  RoleGroup

where the View-Only Configuration role gives you access to Mail flow rules and so on.
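
An added audit example, not part of the original reply: it lists every cmdlet behind the roles that reach the role group shown above and flags any whose verb is not on a read-only list, so you can confirm what a "reader" assignment actually permits in Exchange Online. It assumes an active Connect-ExchangeOnline session; the `Get`/`Test` allowlist and the report column names are assumptions of this sketch, and the assignee name is the one from the output above and will differ per tenant.

```powershell
# Added example; requires an existing Connect-ExchangeOnline session.
# Assignee taken from the output above; substitute your tenant's own group name.
$assignee      = 'GlobalReaders_1611162644'
# Assumption: cmdlet verbs treated as read-only for this review.
$readOnlyVerbs = @('Get', 'Test')

# Unique roles that reach the assignee. As the output above shows, these
# include roles inherited through another role group.
$roles = Get-ManagementRoleAssignment -RoleAssignee $assignee |
    Select-Object -ExpandProperty Role -Unique

$report = foreach ($role in $roles) {
    # Every cmdlet (role entry) the role grants.
    $entries = @(Get-ManagementRoleEntry "$role\*")

    # Entries whose verb (the part before the first '-') is not on the allowlist.
    $flagged = @($entries | Where-Object {
        ($_.Name -split '-', 2)[0] -notin $readOnlyVerbs
    })

    [pscustomobject]@{
        Role           = $role
        TotalCmdlets   = $entries.Count
        NonReadOnly    = $flagged.Count
        FlaggedCmdlets = ($flagged.Name | Sort-Object) -join ', '
    }
}

# One row per role; review FlaggedCmdlets before treating the assignment as view-only.
$report | Sort-Object Role | Format-Table -AutoSize -Wrap
```

Running the same check against a custom role group gives a like-for-like comparison with what the Entra role grants.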
Kristin_L_365
Oct 31, 2024 (Copper Contributor)
VasilMichev Thanks for the quick reply. Global Reader is a bit broad for this use case and we'd like to limit the viewer access just to the Exchange service. From my research I don't see a way to customize an Entra role to hook into specific Exchange roles. Is that correct? The other solution might be to use PIM group access to time box access to EXO RBAC roles, but that's not ideal.
VasilMichev
Nov 01, 2024 (MVP)
Security Reader should also work. You cannot go more granular than that with Entra roles.