Message Trace - Permission Needed

%3CLINGO-SUB%20id%3D%22lingo-sub-263658%22%20slang%3D%22en-US%22%3EMessage%20Trace%20-%20Permission%20Needed%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-263658%22%20slang%3D%22en-US%22%3E%3CP%3EI'd%20like%20to%20grant%20specific%20users%20access%20to%20Mail%20Flow%20in%20the%20Security%20%26amp%3B%20Compliance%20Center%2C%20giving%20them%20ability%20to%20view%20dashboards%20and%20run%20Message%20Traces.%26nbsp%3B%20What's%20the%20least%20privileged%20role%20I%20could%20grant%20to%20give%20them%20such%20access%3F%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F54789iC54FF566DB8DE5BE%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22MessageTrace.PNG%22%20title%3D%22MessageTrace.PNG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-264415%22%20slang%3D%22en-US%22%3ERe%3A%20Message%20Trace%20-%20Permission%20Needed%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-264415%22%20slang%3D%22en-US%22%3E%3CP%3EThe%20Security%20Reader%20role%20should%20be%20the%20%22best%22%20one%2C%20if%20you%20prefer%20to%20use%20the%20SCC.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20you%20absolutely%20must%20limit%20the%20number%20of%20additional%20permissions%20they%20will%20get%2C%20best%20use%20the%20EAC%20message%20trace%20functionality%20instead%2C%20or%20even%20create%20a%20custom%20role%20(or%20role%20assignment)%20for%20just%20the%20Get-MessageTrace%2FGet-MessageTraceDetail%20cmdlets.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Regular Contributor

I'd like to grant specific users access to Mail Flow in the Security & Compliance Center, giving them ability to view dashboards and run Message Traces.  What's the least privileged role I could grant to give them such access?

MessageTrace.PNG

1 Reply

The Security Reader role should be the "best" one, if you prefer to use the SCC.

 

If you absolutely must limit the number of additional permissions they will get, best use the EAC message trace functionality instead, or even create a custom role (or role assignment) for just the Get-MessageTrace/Get-MessageTraceDetail cmdlets.