© 2020 B41N5 Solutions Ltd - All Rights Reserved | Co Number: 9806325 | Tel: 0115 8576885 | Email: info@b-fortyone.com

  • Hardeep Bains

Role Based Access Control to Office 365 ActiveSync


Recently, I created a new mobile device policy for a client where every new connection to Office 365 ActiveSync resulted in the device being quarantined. An administrator then has to go in and either Allow Access, Deny Access, or leave the device in quarantine. The reason for this was to have more control over who was accessing company email and on which device: we did not want users connecting to corporate email on their personal devices.

The question that arose once this was successfully implemented was how to manage it going forward. We wanted the Service Desk staff to manage Office 365 ActiveSync, but we did not want to give them full Exchange Online admin rights.

Fear not: it is possible to give these users limited rights in the Exchange admin center (EAC) so they can perform their duties without holding a broad admin role. Exchange RBAC lets you derive a custom management role from a built-in one and cut it down to the individual cmdlets (role entries) it needs. A custom role can only ever contain a subset of its parent role's entries, so the whole exercise below is about removing entries, never about granting anything the parent does not already have.

Instructions on how this is achieved are below, but first connect to Exchange Online with PowerShell; every cmdlet used here is an Exchange Online cmdlet, so you need a remote PowerShell session to your Office 365 tenant.

Step One:

The first thing we need to do is create a new management role called ActiveSync with Organization Client Access as its parent.

New-ManagementRole -Name "ActiveSync" -Parent "Organization Client Access"

Step Two:

The new ActiveSync role inherits every role entry (cmdlet) that Organization Client Access has, which is not what we want. The two commands below remove all role entries except Set-CASMailbox, the cmdlet behind the Allow/Deny decision on a quarantined device (its ActiveSyncAllowedDeviceIDs and ActiveSyncBlockedDeviceIDs parameters).

$ActiveSyncroles = Get-ManagementRoleEntry "ActiveSync\*" | where {$_.Name -ne "Set-CASMailbox"}

$ActiveSyncroles.Name | foreach {Remove-ManagementRoleEntry "ActiveSync\$_" -Confirm:$false}

Step Three:

Now we add back only the role entries the Service Desk will need to view the organisation's ActiveSync settings and manage device access rules through the EAC. Note that New-ActiveSyncDeviceAccessRule is not in this list, so the group will be able to change or delete existing access rules but not create new ones; add it here if that is required.

Add-ManagementRoleEntry "ActiveSync\Get-ActiveSyncDeviceAccessRule"

Add-ManagementRoleEntry "ActiveSync\Get-ActiveSyncDeviceClass"

Add-ManagementRoleEntry "ActiveSync\Get-ActiveSyncOrganizationSettings"

Add-ManagementRoleEntry "ActiveSync\Get-CASMailbox"

Add-ManagementRoleEntry "ActiveSync\Remove-ActiveSyncDeviceAccessRule"

Add-ManagementRoleEntry "ActiveSync\Set-ActiveSyncDeviceAccessRule"

Add-ManagementRoleEntry "ActiveSync\Write-AdminAuditLog"

Step Four:

OK, let's create a new role group into which we can add the Service Desk staff:

New-RoleGroup "B-FortyOne ActiveSync Management" -Roles "ActiveSync"

You can call this Role Group whatever you want - although you can call it B-FortyOne if you like :)

Step Five:

Something we have not granted so far is the ability to enable and disable ActiveSync on a mailbox. Role entries carry their own parameter list, and the Set-CASMailbox entry in Organization Client Access does not include the ActiveSyncEnabled parameter (you can confirm this by looking at the Parameters property of that role entry with Get-ManagementRoleEntry). The Set-CASMailbox entry in Mail Recipients does, so let's create a second role called ActiveSyncMailboxManagement with Mail Recipients as its parent.

New-ManagementRole -Name "ActiveSyncMailboxManagement" -Parent "Mail Recipients"

Step Six:

Now let's remove the unwanted role entries from the ActiveSyncMailboxManagement role, exactly as in Step Two:

$ActiveSyncMailboxManagementroles = Get-ManagementRoleEntry "ActiveSyncMailboxManagement\*" | where {$_.Name -ne "Set-CASMailbox"}

$ActiveSyncMailboxManagementroles.Name | foreach {Remove-ManagementRoleEntry "ActiveSyncMailboxManagement\$_" -Confirm:$false}

Step Seven:

Now it's a case of adding the required role entries back in. One caveat: Set-Mailbox is a broad cmdlet (it can change forwarding, addresses and much more), so if the Service Desk only needs a handful of its settings, restrict the entry to those with the -Parameters option of Add-ManagementRoleEntry rather than granting the whole cmdlet.

Add-ManagementRoleEntry "ActiveSyncMailboxManagement\Get-User"

Add-ManagementRoleEntry "ActiveSyncMailboxManagement\Get-Mailbox"

Add-ManagementRoleEntry "ActiveSyncMailboxManagement\Get-CASMailbox"

Add-ManagementRoleEntry "ActiveSyncMailboxManagement\Get-Recipient"

Add-ManagementRoleEntry "ActiveSyncMailboxManagement\Set-Mailbox"

Add-ManagementRoleEntry "ActiveSyncMailboxManagement\Get-ActiveSyncDeviceStatistics"

Add-ManagementRoleEntry "ActiveSyncMailboxManagement\Clear-ActiveSyncDevice"

Add-ManagementRoleEntry "ActiveSyncMailboxManagement\Remove-ActiveSyncDevice"

Add-ManagementRoleEntry "ActiveSyncMailboxManagement\Get-MobileDevice"

Add-ManagementRoleEntry "ActiveSyncMailboxManagement\Get-MobileDeviceStatistics"

Step Eight:

The last thing to do is assign the ActiveSyncMailboxManagement role to the B-FortyOne ActiveSync Management role group we created earlier:

New-ManagementRoleAssignment -Role "ActiveSyncMailboxManagement" -SecurityGroup "B-FortyOne ActiveSync Management"

Now all you need to do is add your Service Desk users to the new role group, either under Permissions in the Exchange admin center or with Add-RoleGroupMember. Before handing it over, check the result: list each role's entries with Get-ManagementRoleEntry and the group's assignments with Get-ManagementRoleAssignment, and confirm that nothing wider than the entries above is left behind.

And that is it!
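For anyone who wants to run the whole procedure in one go, here is the eight steps above as a single idempotent PowerShell script. This is an added example, not code from the original post. It does the trimming in one pass (remove every inherited entry that is not on the wanted list) instead of the remove-then-add sequence above; the two are equivalent because a child role starts with all of its parent's entries and can never gain one the parent lacks. Assumed, and not from the post: the ExchangeOnlineManagement module and its Connect-ExchangeOnline cmdlet for the session, the helper name New-RestrictedRole, and the placeholder member address.

```powershell
# Added example, not part of the original post. Assumes the ExchangeOnlineManagement
# module is installed; the role-group name and member UPN below are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in to the Office 365 tenant

$RoleGroupName    = 'B-FortyOne ActiveSync Management'   # call it whatever you like
$ServiceDeskUsers = @('servicedesk1@contoso.com')         # placeholder UPN(s)

# Create (or reuse) a child role of $Parent and strip it down to the cmdlets in $Keep.
# A custom role can only hold a subset of its parent's entries, so anything in $Keep
# that is still missing afterwards is simply not available from that parent.
function New-RestrictedRole {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Parent,
        [Parameter(Mandatory)][string[]]$Keep
    )
    if (-not (Get-ManagementRole -Identity $Name -ErrorAction SilentlyContinue)) {
        New-ManagementRole -Name $Name -Parent $Parent | Out-Null
    }
    # Remove every inherited entry that is not on the wanted list (Steps Two / Six).
    Get-ManagementRoleEntry "$Name\*" |
        Where-Object { $Keep -notcontains $_.Name } |
        ForEach-Object { Remove-ManagementRoleEntry "$Name\$($_.Name)" -Confirm:$false }

    # Report what the role ended up with, and warn about wanted entries the parent lacks.
    $have    = @((Get-ManagementRoleEntry "$Name\*").Name)
    $missing = $Keep | Where-Object { $have -notcontains $_ }
    if ($missing) {
        Write-Warning "$Name could not get these entries (not in parent '$Parent'): $($missing -join ', ')"
    }
    Write-Host "$Name now contains: $($have -join ', ')"
}

# Steps One to Three: organisation-wide ActiveSync settings and device access rules.
New-RestrictedRole -Name 'ActiveSync' -Parent 'Organization Client Access' -Keep @(
    'Set-CASMailbox', 'Get-CASMailbox',
    'Get-ActiveSyncDeviceAccessRule', 'Set-ActiveSyncDeviceAccessRule', 'Remove-ActiveSyncDeviceAccessRule',
    'Get-ActiveSyncDeviceClass', 'Get-ActiveSyncOrganizationSettings',
    'Write-AdminAuditLog'
)

# Steps Five to Seven: per-mailbox enable/disable plus device wipe and removal.
New-RestrictedRole -Name 'ActiveSyncMailboxManagement' -Parent 'Mail Recipients' -Keep @(
    'Set-CASMailbox', 'Get-CASMailbox', 'Get-User', 'Get-Mailbox', 'Get-Recipient', 'Set-Mailbox',
    'Get-ActiveSyncDeviceStatistics', 'Clear-ActiveSyncDevice', 'Remove-ActiveSyncDevice',
    'Get-MobileDevice', 'Get-MobileDeviceStatistics'
)

# Steps Four and Eight: one role group that carries both roles.
if (-not (Get-RoleGroup -Identity $RoleGroupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $RoleGroupName -Roles 'ActiveSync' | Out-Null
}
if (-not (Get-ManagementRoleAssignment -Role 'ActiveSyncMailboxManagement' `
            -RoleAssignee $RoleGroupName -ErrorAction SilentlyContinue)) {
    New-ManagementRoleAssignment -Role 'ActiveSyncMailboxManagement' -SecurityGroup $RoleGroupName | Out-Null
}

# Membership: the PowerShell equivalent of the Permissions page in the EAC.
foreach ($user in $ServiceDeskUsers) {
    Add-RoleGroupMember -Identity $RoleGroupName -Member $user -ErrorAction SilentlyContinue
}

# Final check: the group should hold exactly these two roles and nothing wider.
Get-ManagementRoleAssignment -RoleAssignee $RoleGroupName |
    Select-Object Role, RoleAssigneeName, AssignmentMethod |
    Format-Table -AutoSize
```

Run it once from an account that holds the Role Management role; rerunning it is safe because each create step is guarded by a lookup. The printed "now contains" lines are the thing to read carefully before adding members, since any cmdlet left in either role is exactly what the Service Desk will be able to run.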

#ActiveSync #Office365 #MDM