Restrict user to only create/edit Mail Contacts (user sees Compliance, Retention, Hybride?)


I'm looking for a way to centralize contact management in a small organization (around 8 people). Unfortunately they all use Outlook for Mac, so Outlook had limitations in e.g. Outlook Customer Manager.


My second place would be the Global Address List. But I can only edit it in the ECP. Now I want 1 user to only be able to create and edit Mail Contacts. So, based on an instruction I created a new admin role "Contact Management" and assigned a test user to it.


To this role I then added "_MVDB_ContactMailRecipient" (parent "Contact Mail Recipient") and "_MVDB_ContactManagementMailCreation" (parent "Contact Mail Recipient Creation"). I then stripped all role entries that didn't have anything to do with Mail Contacts and added Set-Contact and Get-Contact, leaving this short list:










Though, when I sign in as this user, I also see "Compliance Management" (retention policy, retention labels), "Mail Flow" (accepted domains) and "Hybride" (Installation).


Why? And what do I need to do to remove those options for this user as well?


I don't think this GAL Management is very user friendly, but it will do I guess. One thing I'm missing is how this user could fill the custom attributes, to create an additional list of vendors, customers, etc.
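One way to build a contact-only role group like the one described in the question, as an added example that is not part of the original post. It assumes an Exchange Online PowerShell session and the built-in parent roles "Mail Recipients" and "Mail Recipient Creation"; the child role names and the user address are placeholders, and the role group is created new here.

```powershell
# Added example. Assumes Connect-ExchangeOnline has been run with an account
# that is allowed to manage RBAC. All names below are placeholders.
$Member = "officemanager@contoso.example"   # hypothetical user
$Roles = @{
    "Contact Mail Recipients"         = "Mail Recipients"          # built-in parent role
    "Contact Mail Recipient Creation" = "Mail Recipient Creation"  # built-in parent role
}
# Only these cmdlets stay in the child roles; everything else is removed
$Keep = "Get-Contact", "Set-Contact", "Get-MailContact", "Set-MailContact",
        "New-MailContact", "Remove-MailContact", "Get-Recipient"

foreach ($Child in $Roles.Keys) {
    # A child role starts out with every entry of its parent
    New-ManagementRole -Name $Child -Parent $Roles[$Child] | Out-Null
    # Remove every entry that is not on the keep list
    Get-ManagementRoleEntry "$Child\*" |
        Where-Object { $Keep -notcontains $_.Name } |
        ForEach-Object { Remove-ManagementRoleEntry -Identity "$Child\$($_.Name)" -Confirm:$false }
}

# Role group that holds only the two trimmed roles
New-RoleGroup -Name "Contact Management" -Roles @($Roles.Keys) -Members $Member

# Review step: list exactly which cmdlets the members of the group can run
foreach ($Child in $Roles.Keys) {
    Get-ManagementRoleEntry "$Child\*" | Format-Table Name, Role
}
```

The final listing is the thing to audit after any change: it shows the effective cmdlet set of the custom roles.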

11 Replies

Because all admin roles come with some "View" permissions, regardless of any roles assigned to them. You cannot remove them.

@Vasil Michev Clear. So just explain to the user to ignore them? :)


There's not much he can do with them anyway :)

@Vasil Michev, in your expert opinion :), would you suggest the GAL as a central storage for company contacts (where an office manager adds info from business cards, which then is used by several people in the organisation) or would you advise some other solution?


(I didn't get much response here:

If you want to manage contacts within the GAL, an Exchange admin must necessarily use EAC or PowerShell because the objects must be created in the tenant to appear in the address book.


Other possible ways are:

- public folder for contacts (everyone can read/write/edit)

- shared mailbox (share contact folder; everyone can read/write/edit)


But these contacts are stored in the mailbox itself and won't appear in any address book.


To be honest, Dynamics 365 or any kind of CRM would be much better for storing customer data. Or maybe you can try and test some other Office 365 applications (e.g. OneNote, Planner). Depending on where you need the data and how to access them.

@Dominik Hoefling I agree about a CRM solution, but most of my clients don't use such software (yet). So I look for solutions that are already included in Office 365. I was hoping Outlook Customer Manager would be an option, but:

- My client uses Apple computers, and from what I see that version of OCM has fewer features.

- I read about a lot of problems in stability of OCM and one of my clients actually experiences problems where his colleagues don't see the same accounts/contacts/deals.


In this specific case I already looked into limiting the EAC to a minimized role for the Office manager, so she only sees the GAL contacts. As she will be managing business contacts, it's no problem to put this in the hands of one person. I could even imagine writing a PowerShell script that imports contacts that she stores in Excel or a SharePoint list.


Oh, I already read about it in this article, written by @Tony Redmond:


Which refers to this e-book, written by @Vasil Michev. But it doesn't seem to be available?


@Michiel van den Broek  I'll ask someone about the eBook.


As to importing contacts, this code reads a set of contacts in from a CSV file and uses them to create mail contacts. The CSV file has three columns - DisplayName, Alias, and Email.


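```powershell
# Path to the CSV file with the columns DisplayName, Alias and Email (placeholder, adjust as needed)
$File = "C:\Temp\Contacts.csv"
# Wrap in @() so that .Count is also correct for a file with a single row
$Accounts = @(Import-Csv $File)
Write-Host "Processing" $Accounts.Count "accounts"
ForEach ($Account in $Accounts) {
    $DisplayName = $Account.DisplayName
    $Email = $Account.Email
    $MCAlias = $Account.Alias
    Write-Host "adding" $DisplayName
    # Create the mail contact in the tenant so that it appears in the GAL
    New-MailContact -Alias $MCAlias -DisplayName $DisplayName -Name $DisplayName -ExternalEmailAddress $Email
    # Short pause between requests
    Start-Sleep -Milliseconds 500
}
```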
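A more defensive variant of the import, as an added example rather than code from the thread: it validates each row, skips contacts that already exist, and fills a custom attribute so that lists of vendors, customers and so on can be built. The Category column and the file path are assumptions, and the restricted role of the user running it must include Get-MailContact, New-MailContact and Set-MailContact.

```powershell
# Added example. Assumes the columns DisplayName, Alias, Email and a
# hypothetical Category column; the file path is a placeholder.
$File = ".\Contacts.csv"
$Rows = @(Import-Csv -Path $File)
foreach ($Row in $Rows) {
    $Name  = "$($Row.DisplayName)".Trim()
    $Alias = "$($Row.Alias)".Trim()
    $Email = "$($Row.Email)".Trim()
    # Reject incomplete rows and anything that is not a single user@domain value
    if (-not $Name -or $Alias -notmatch '^[A-Za-z0-9._-]+$' -or
        $Email -notmatch '^[^@\s,;]+@[^@\s,;]+\.[^@\s,;]+$') {
        Write-Warning "Skipping invalid row: '$Name' <$Email>"
        continue
    }
    # Skip creation when the contact already exists, so the file can be re-run safely
    $Existing = Get-MailContact -Identity $Alias -ErrorAction SilentlyContinue
    if (-not $Existing) {
        Write-Host "adding" $Name
        New-MailContact -Alias $Alias -DisplayName $Name -Name $Name -ExternalEmailAddress $Email | Out-Null
    }
    # Record which list the contact belongs to (vendor, customer, ...) in a custom attribute
    if ($Row.Category) {
        Set-MailContact -Identity $Alias -CustomAttribute1 $Row.Category.Trim()
    }
    # Short pause between requests
    Start-Sleep -Milliseconds 500
}
```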

It really depends on the requirements. For example, if you want the contacts readily available on mobiles, shared mailboxes and PF are a no go. Then again, putting them in the GAL does require admin permissions, however limited they are.

@Vasil Michev I think we need to see this from the user perspective. If we add contacts to the GAL, then we can search for them from all Outlook apps, right? But they are not in our contact list yet, so the user needs to take one extra step when he wants the contact to be present in his contact list.

- Does this work the same on Outlook for Mac as it does in Outlook for Windows?

- When you add a GAL contact to your personal contact list in Outlook, does the contact synchronise itself with the GAL regularly? Or do we need to do this manually? (I noticed a button in the Outlook contact ribbon in Windows)

- Does the iOS app support this? Or does the user need Outlook for iOS?


I can overcome the need for some admin rights to make a user able to add to the GAL.

The Quadrotech team has withdrawn the eBook on public folder migration. They will post it somewhere else in the near future. Sorry for the bad link.

I'm a Windows/Android user, so I'll let someone else answer the Mac/iOS questions :)


There is no sync between personal contacts and the GAL, it's a manual process. You can use some EWS-based solution to update those periodically.