Jun 10 2020 12:42 PM
I found something interesting today, two things:
While I've only just noticed this now, it could be something specific to me and my setup, so I am wondering if anyone else has noticed, or would be willing to test and see.
Many thanks in advance. I may also send this to the EXO V2 preview email address, but since it's not entirely an issue with the module (only #2 is), I'm holding off for now. I'd like for the Exchange Team to notice this and fix Global Reader too, which isn't something the V2 module support group will be able to help with.
Jun 10 2020 11:36 PM
I haven't bothered to test this against a "vanilla" tenant, so it might be something I've done, but I can see that Global readers are assigned the View-Only Organization Management role group, and as such have access to the Get-RecipientPermission via the Recipient Permissions role.
I do get the timeouts for the V2 cmdlets though, even for Get-EXORecipient. Report it, I'll do the same.
Jun 11 2020 05:12 AM - edited Jun 11 2020 05:13 AM
@Vasil Michev I just checked the tenant I was working in where I first noticed this, and then my current lab tenant. Turns out View-Only Recipients, a nested role in View-Only Organization, doesn't have Get-RecipientPermission included.

>Get-ManagementRoleEntry "View-Only Recipients\Get*Permission" | select Name

Name
----
Get-MailboxPermission
Get-SenderPermission
Get-PublicFolderClientPermission
Get-MailboxFolderPermission

Interesting side note - I never realized the existence of "Get-SenderPermission" before. Back to the point though, I bet that when Get-RecipientPermission was invented in EXO, adding it to the View-Only Recipients management role was missed.
I will go and report to the EXO v2 email that the new cmdlets should only be exposed if the old cmdlet is also available to the current user. Thanks for nudging me into the right direction.
Jun 11 2020 07:41 AM
That's right, but the "Recipient Permissions" does have it:
[17:40:43][Login script]# Get-ManagementRoleAssignment -RoleAssignee GlobalReaders_1611162644

Name                           Role                    RoleAssigneeName                  RoleAssigneeType AssignmentMethod EffectiveUserName
----                           ----                    ----------------                  ---------------- ---------------- -----------------
View-Only Configuration-Vie... View-Only Configuration View-Only Organization Management RoleGroup        RoleGroup        All Group Members
View-Only Recipients-View-O... View-Only Recipients    View-Only Organization Management RoleGroup        RoleGroup        All Group Members
Recipient Permissions-View-... Recipient Permissions   View-Only Organization Management RoleGroup        RoleGroup        All Group Members
Recipient Permissions-View-... Recipient Permissions   View-Only Organization Management RoleGroup        RoleGroup        All Group Members
Recipient Permissions-View-... Recipient Permissions   View-Only Organization Management RoleGroup        RoleGroup        All Group Members

Jun 11 2020 09:17 AM Solution
@Vasil Michev Thanks again. I think it must be something in your tenant as you alluded, as I've found this article which shows the default nested management roles inside View-Only Organization Management which Global Reader is a member of:
I have, though, figured out exactly where the issue is, based on my finding above, and comparing to a vanilla Exchange 2010 and 2016 on-premises environment. Get-ADPermission is a role entry in "View-Only Configuration", which is nested in View-Only Org. Management. In EXO, View-Only Configuration does not contain Get-RecipientPermission (nor Get-ADPermission, obviously, but just to be thorough).
I realize I'm spending way too much time on this low, low priority issue :). But to summarize in closing, Global Reader doesn't have access to Get-RecipientPermission, because Get-RecipientPermission has not been added to the EXO role "View-Only Configuration". The EXO v2 PS module still exposes the new Cmdlets, even if the corresponding legacy Cmdlet isn't available to the current user. I've reported the latter, will just let this thread inform them of the former, in case they want to fix it (not gonna bother with a UserVoice or support ticket though).
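
The check the thread does by hand, as an added example (not code from any poster or from the EXO V2 module): given a role group's assignments, report which assigned role, if any, carries a given cmdlet. The function name Find-CmdletGrant and the sample data are hypothetical; the sample reuses the role and cmdlet names quoted in the thread.

```powershell
# Added example. Find-CmdletGrant is a hypothetical helper, not an Exchange cmdlet.
function Find-CmdletGrant {
    param(
        [Parameter(Mandatory)] [object[]]    $Assignments, # objects with a .Role property
        [Parameter(Mandatory)] [scriptblock] $GetEntries,  # role name -> role entries (.Name)
        [Parameter(Mandatory)] [string]      $Cmdlet
    )
    # De-duplicate roles: the same role can be assigned more than once.
    foreach ($role in ($Assignments.Role | Sort-Object -Unique)) {
        $names = @(& $GetEntries $role | ForEach-Object Name)
        [pscustomobject]@{
            Role       = $role
            EntryCount = $names.Count
            Grants     = ($names -contains $Cmdlet)
        }
    }
}

# Constructed sample data modelled on the outputs quoted in the thread
# (not a tenant export; entry lists are abbreviated).
$sampleEntries = @{
    'View-Only Configuration' = @('Get-ConstructedPlaceholder')  # placeholder entry
    'View-Only Recipients'    = @('Get-MailboxPermission', 'Get-SenderPermission',
                                  'Get-PublicFolderClientPermission', 'Get-MailboxFolderPermission')
    'Recipient Permissions'   = @('Get-RecipientPermission')
}
$lookup = { param($r) $sampleEntries[$r] | ForEach-Object { [pscustomobject]@{ Name = $_ } } }

# Tenant A: role group as in the Get-ManagementRoleAssignment output quoted above.
$tenantA = 'View-Only Configuration', 'View-Only Recipients', 'Recipient Permissions',
           'Recipient Permissions' | ForEach-Object { [pscustomobject]@{ Role = $_ } }
# Tenant B: the same role group without the Recipient Permissions role.
$tenantB = $tenantA | Where-Object Role -ne 'Recipient Permissions'

foreach ($t in @{ A = $tenantA; B = $tenantB }.GetEnumerator() | Sort-Object Key) {
    $hits = @(Find-CmdletGrant -Assignments $t.Value -GetEntries $lookup `
                -Cmdlet 'Get-RecipientPermission' | Where-Object Grants)
    $via  = if ($hits) { $hits.Role -join ', ' } else { 'no assigned role' }
    "Tenant $($t.Key): Get-RecipientPermission granted via $via"
}

# Live use in a connected Exchange Online session (role group name may differ per tenant):
# $a = Get-ManagementRoleAssignment -RoleAssignee 'View-Only Organization Management'
# Find-CmdletGrant -Assignments $a -Cmdlet 'Get-RecipientPermission' `
#     -GetEntries { param($r) Get-ManagementRoleEntry "$r\*" }
```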