Limit litigation hold permissions to specific users

%3CLINGO-SUB%20id%3D%22lingo-sub-771283%22%20slang%3D%22en-US%22%3ELimit%20litigation%20hold%20permissions%20to%20specific%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-771283%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20All%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eive%20been%20asked%20to%20find%20out%20how%20we%20can%20remove%20litigation%20hold%20permissions%20from%20most%20of%20the%20users%20in%20the%20%22Organization%20Management%22%20role.%20This%20role%20has%20wide%20ranging%20powers%20that%20are%20used%20operationally%2C%20but%20we%20would%20like%20to%20limit%20the%20members%20in%20that%20role%20to%20only%20a%20few%20that%20can%20administer%20litigation%20holds.%20Can%20you%20remove%20an%20assigned%20%22sub%22%20role%20from%20an%20admin%20role%20and%20assign%20it%20to%20another%20role%3F%20any%20ideas%20would%20be%20great...%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-771283%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-771333%22%20slang%3D%22en-US%22%3ERe%3A%20Limit%20litigation%20hold%20permissions%20to%20specific%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-771333%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F381345%22%20target%3D%22_blank%22%3E%40rdoleman%3C%2FA%3E%26nbsp%3BYou%20cannot%20edit%20the%20default%20organization%20management%20role%20group.%20Why%20not%20just%20create%20a%20custom%20group%20with%20all%20the%20permissions%20you%20need%3F%20You%20could%20simply%20mimic%20the%20organization%20management%20role%20group%20and%20leave%20out%20the%20%22hold%22%20role%20from%20it.%20Remove%20users%20from%20Org%20management%20and%20add%20to%20custom%20group%20if%20you%20don't%20want%20them%20to%20perform%20holds.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ETip%3A%20If%20you%20click%20on%20the%20Org%20management%20role%20group%2C%20you%20can%20even%20copy%20it%20and%20just%20remove%20the%20%22hold%22%20feature%20to%20create%20your%20custom%20role.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-773094%22%20slang%3D%22en-US%22%3ERe%3A%20Limit%20litigation%20hold%20permissions%20to%20specific%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-773094%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F381345%22%20target%3D%22_blank%22%3E%40rdoleman%3C%2FA%3E%26nbsp%3BYou%20cannot%20edit%20or%20change%20permissions%20subsets%20for%20a%20builtin%20Role%20in%20Exchange%20like%20Organization%20Management.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBetter%20is%20to%20create%20a%20Custom%20Role%20Group%20with%20defined%20permissions%2C%20example%20for%20Service%20Desk%20you%20wont%20want%20to%20give%20all%20Recipient%20Management%20permissions%20and%20similary%20for%20Exchange%20admin%20(%20there%20would%20be%20different%20Skill%20set%20or%20levels%20like%20L1%2FL2%2FL3%20).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERead%20about%20what%20the%20Role%20Groups%20subset%20functions%20and%20what%20purpose%20they%20fulfill%20and%20then%20based%20on%20that%20create%20your%20Custom%20Role%20Groups%20for%20different%20IT%20Teams%20in%20your%20organization.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMust%20Read%20-%26nbsp%3B%20Get-RoleGroup%20%26amp%3B%20Get-RoleassignmentPolicy%20for%20exchange%20specific%20.%20also%20note%20RoleGroup%20is%20different%20from%20MSOLRoles%20(Get-msolrole%20)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECheers%20!%3C%2FP%3E%3CP%3EAnkit%20Shukla%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Occasional Visitor

Hi All,

 

ive been asked to find out how we can remove litigation hold permissions from most of the users in the "Organization Management" role. This role has wide ranging powers that are used operationally, but we would like to limit the members in that role to only a few that can administer litigation holds. Can you remove an assigned "sub" role from an admin role and assign it to another role? any ideas would be great...

2 Replies
Highlighted

@rdoleman You cannot edit the default organization management role group. Why not just create a custom group with all the permissions you need? You could simply mimic the organization management role group and leave out the "hold" role from it. Remove users from Org management and add to custom group if you don't want them to perform holds.

 

Tip: If you click on the Org management role group, you can even copy it and just remove the "hold" feature to create your custom role.

Highlighted

@rdoleman You cannot edit or change permissions subsets for a builtin Role in Exchange like Organization Management.

 

Better is to create a Custom Role Group with defined permissions, example for Service Desk you wont want to give all Recipient Management permissions and similary for Exchange admin ( there would be different Skill set or levels like L1/L2/L3 ).

 

Read about what the Role Groups subset functions and what purpose they fulfill and then based on that create your Custom Role Groups for different IT Teams in your organization.

 

Must Read -  Get-RoleGroup & Get-RoleassignmentPolicy for exchange specific . also note RoleGroup is different from MSOLRoles (Get-msolrole )

 

Cheers !

Ankit Shukla