
I need to create a service account and grant only the Get-MessageTrace cmdlet to that account. I created a custom role from Compliance admin with the command below:


New-ManagementRole  -name 'customrole' -Parent 'compliance admin' -EnabledCmdlets 'Get-MessageTrace'


I have verified the same with the command below:


Get-ManagementRoleEntry "customrole\*" | ft -AutoSize

I get the output below:

Get-MessageTrace Customrole {EndDate, ErrorAction, ErrorVariable, Expression...}


I added the respective service account to this role.


When I connect Exchange PowerShell command using the service admin account and password


When the PowerShell connection is established, I see that several commands have been imported.


Can someone tell me how I can make sure the service account can see only one command, which is the Get-MessageTrace command?

2 Replies
best response

There are many cmdlets that are available for all users, even those without any admin permissions. Those include mostly things you can do with your own mailbox or groups you manage, so nothing to worry about.

@Vasil Michev thanks for the clarification.
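
The best response above attributes the extra imported cmdlets to roles that every user receives. As an added example (not part of the original thread), the script below, run by an administrator, lists every cmdlet the service account is granted together with the role and assignee that grant it, so anything beyond Get-MessageTrace can be traced to its source. The account name is a hypothetical placeholder, and the script assumes the ExchangeOnlineManagement module and a live tenant connection.

```powershell
# Added example: audit which cmdlets a service account is granted, and by which role.
# Assumptions: ExchangeOnlineManagement module is installed and you sign in as an admin.
$ServiceAccount  = 'svc-msgtrace@contoso.example'   # hypothetical placeholder account
$ExpectedCmdlets = @('Get-MessageTrace')            # what the account is meant to have

Connect-ExchangeOnline

# Role assignments that apply to the account: direct ones and those inherited
# through role groups or a role assignment policy.
$assignments = Get-ManagementRoleAssignment -RoleAssignee $ServiceAccount

# Expand each assigned role into its role entries (one entry per cmdlet).
$report = foreach ($a in $assignments) {
    foreach ($entry in Get-ManagementRoleEntry "$($a.Role)\*") {
        [pscustomobject]@{
            Cmdlet       = $entry.Name
            Role         = $a.Role
            AssigneeType = $a.RoleAssigneeType
            AssigneeName = $a.RoleAssigneeName
            Expected     = $entry.Name -in $ExpectedCmdlets
        }
    }
}

# Summary: how many cmdlets each role contributes, and how the role reaches the account.
$report |
    Group-Object Role, AssigneeType |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Review list: cmdlets that are not expected and do not come from a role
# assignment policy (the mechanism that hands out end-user self-service roles).
$report |
    Where-Object { -not $_.Expected -and $_.AssigneeType -ne 'RoleAssignmentPolicy' } |
    Sort-Object Role, Cmdlet |
    Format-Table Cmdlet, Role, AssigneeType, AssigneeName -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

An empty review list means the only administrative cmdlet granted is the one in `customrole`; rows in it point to a role group or direct assignment that should be removed from the account.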