SOLVED

Global Reader and Get-RecipientPermission (and Get-EXORecipientPermission)

Steel Contributor

I found something interesting today, two things:

  1. Global Reader seems to not have access to the Get-RecipientPermission cmdlet.
  2. Get-EXORecipientPermission doesn't think about this and will just hang (seemingly) indefinitely.

While I've only just noticed this now, it could be something specific to me and my setup, so I am wondering if anyone else has noticed, or would be willing to test and see.

Many thanks in advance.  I may also send this to the EXO V2 preview email address, but since it's not entirely an issue with the module (only #2 is), I'm holding off for now.  I'd like for the Exchange Team to notice this and fix Global Reader too, which isn't something the V2 module support group will be able to help with.

5 Replies

I haven't bothered to test this against a "vanilla" tenant, so it might be something I've done, but I can see that Global readers are assigned the View-Only Organization Management role group, and as such have access to the Get-RecipientPermission via the Recipient Permissions role. 

I do get the timeouts for the V2 cmdlets though, even for Get-EXORecipient. Report it, I'll do the same.

@Vasil Michev I just checked the tenant I was working in when I first noticed this, and then my current lab tenant.  Turns out View-Only Recipients, a nested role in View-Only Organization Management, doesn't have Get-RecipientPermission included.

>Get-ManagementRoleEntry "View-Only Recipients\Get*Permission" | select Name

Name
----
Get-MailboxPermission
Get-SenderPermission
Get-PublicFolderClientPermission
Get-MailboxFolderPermission

Interesting side note - I never realized the existence of "Get-SenderPermission" before.  Back to the point though, I bet when Get-RecipientPermission was invented in EXO, adding it to the View-Only Recipients management role was missed.

I will go and report to the EXO v2 email that the new cmdlets should only be exposed if the old cmdlet is also available to the current user.  Thanks for nudging me in the right direction.

That's right, but the "Recipient Permissions" does have it:

[17:36:36][Login script]# Get-ManagementRoleEntry "Recipient Permissions\Get*Permission*"
Name                           Role                      Parameters
----                           ----                      ----------
Get-SenderPermission           Recipient Permissions     {Recipients, Sender}
Get-RecipientPermission        Recipient Permissions     {AccessRights, ErrorAction, ErrorVariable...

Again, might be something I've added and forgot about since, and a quick check in another tenant doesn't even reveal the Global readers role/group at all. Here's what I see in my personal tenant though:

[17:40:43][Login script]# Get-ManagementRoleAssignment -RoleAssignee GlobalReaders_1611162644

Name                           Role                              RoleAssigneeName                  RoleAssigneeType                  AssignmentMethod                  EffectiveUserName
----                           ----                              ----------------                  ----------------                  ----------------                  -----------------
View-Only Configuration-Vie... View-Only Configuration           View-Only Organization Management RoleGroup                         RoleGroup                         All Group Members
View-Only Recipients-View-O... View-Only Recipients              View-Only Organization Management RoleGroup                         RoleGroup                         All Group Members
Recipient Permissions-View-... Recipient Permissions             View-Only Organization Management RoleGroup                         RoleGroup                         All Group Members
Recipient Permissions-View-... Recipient Permissions             View-Only Organization Management RoleGroup                         RoleGroup                         All Group Members
Recipient Permissions-View-... Recipient Permissions             View-Only Organization Management RoleGroup                         RoleGroup                         All Group Members
Solution

@Vasil Michev Thanks again.  I think it must be something in your tenant as you alluded to, as I've found this article which shows the default nested management roles inside View-Only Organization Management, which Global Reader is a member of:

https://docs.microsoft.com/en-us/exchange/view-only-organization-management-exchange-2013-help#manag... 

I have, though, figured out exactly where the issue is, based on my finding above, and comparing to a vanilla Exchange 2010 and 2016 on-premises environment.  Get-ADPermission is a role entry in "View-Only Configuration", which is nested in View-Only Org. Management.  In EXO, View-Only Configuration does not contain Get-RecipientPermission (nor Get-ADPermission, obviously, but just to be thorough).

I realize I'm spending way too much time on this low, low priority issue :).  But to summarize in closing, Global Reader doesn't have access to Get-RecipientPermission, because Get-RecipientPermission has not been added to the EXO role "View-Only Configuration".  The EXO v2 PS module still exposes the new cmdlets, even if the corresponding legacy cmdlet isn't available to the current user.  I've reported the latter, and will just let this thread inform them of the former, in case they want to fix it (not gonna bother with a UserVoice or support ticket though).
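The two checks this thread walks through (which roles carry a cmdlet, and whether a given assignee gets any of them) can be scripted, and the V2 wrapper can be guarded so it is only called when the legacy cmdlet is actually in the session. This is an added example, not code from the thread or from the EXO module; it assumes an active Connect-ExchangeOnline session, and the role assignee name and mailbox address are placeholders.

```powershell
# Added example (not from the thread). Assumes Connect-ExchangeOnline has
# already been run; 'GlobalReaders_<placeholder>' stands in for the Global
# Readers role group name seen in your own tenant.

function Get-CmdletGrantingRoles {
    # Lists every management role whose entries include $Cmdlet, then which of
    # those roles are assigned (directly or through nested role groups) to
    # $RoleAssignee. An empty Granted list means the cmdlet will not be exposed
    # to that assignee's remote PowerShell session.
    param(
        [Parameter(Mandatory)][string]$Cmdlet,
        [Parameter(Mandatory)][string]$RoleAssignee
    )
    # "*\<cmdlet>" matches the entry in any role; Role is the containing role name.
    $rolesWithEntry = Get-ManagementRoleEntry -Identity "*\$Cmdlet" -ErrorAction SilentlyContinue |
        ForEach-Object { [string]$_.Role } | Sort-Object -Unique
    # Same listing the thread used to inspect the Global Readers assignments.
    $assignedRoles = Get-ManagementRoleAssignment -RoleAssignee $RoleAssignee |
        ForEach-Object { [string]$_.Role } | Sort-Object -Unique
    [pscustomobject]@{
        Cmdlet         = $Cmdlet
        RolesWithEntry = @($rolesWithEntry)
        Granted        = @($rolesWithEntry | Where-Object { $assignedRoles -contains $_ })
    }
}

function Get-RecipientPermissionGuarded {
    # The check the thread asked the EXO V2 module to do itself: RBAC only
    # imports permitted cmdlets into the session, so if the legacy cmdlet is
    # absent, skip the V2 wrapper instead of letting it hang.
    param([Parameter(Mandatory)][string]$Identity)
    if (-not (Get-Command -Name Get-RecipientPermission -ErrorAction SilentlyContinue)) {
        Write-Warning "Get-RecipientPermission is not available in this session; skipping Get-EXORecipientPermission."
        return
    }
    Get-EXORecipientPermission -Identity $Identity
}

# Usage (placeholders): which roles carry the cmdlet, and does Global Readers get any of them?
Get-CmdletGrantingRoles -Cmdlet 'Get-RecipientPermission' -RoleAssignee 'GlobalReaders_<placeholder>'
Get-RecipientPermissionGuarded -Identity 'shared.mailbox@contoso.example'
```

Run the first function as an admin, since reading role entries and assignments needs more than a Global Reader session; the second function is safe to run as the Global Reader account itself.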
