RBAC does not define permissions on the object; instead, it defines permissions on the PowerShell cmdlets that can modify the object. PowerShell cmdlets are added to a role, and a user or group is assigned to the role. If the cmdlet and parameters you need are part of a role you are assigned, you will be able to run the cmdlet. Recently I came across some known issues in EAC: even though you have the correct permissions to run the commands, a couple of options are still not available to save the task.

 

I followed the steps below to assign permission to user “E15-User1” to create distribution groups from the EMS (Exchange Management Shell) and the EAC (Exchange admin center).

 

I created a new child management role associated with the “Distribution Groups” parent role:

New-ManagementRole "DistributionGroupManagement" -Parent "Distribution Groups"

New-RoleGroup "Manage Distribution Groups" -Role 'DistributionGroupManagement' -Member E15-User1

 

If we log in to EAC with the “E15-User1” credentials and then try to create a new distribution group, the Organizational unit option is grayed out, as can be seen in the print screen here.

 

 

We can see that the Organizational Unit parameter is available in the newly created child role.

 

We are able to create new distribution groups using the Exchange Management Shell, but if we log in to EAC with the “E15-User1” credentials, the Organizational unit option is not available.

 

I thought of using another management role, “Security Group Creation and Membership”, for the same purpose:

 

New-ManagementRole "ManageSecurityGroups" -Parent "Security Group Creation and Membership"

 

Get-ManagementRoleEntry "ManageSecurityGroups\*"

I can see that the New-DistributionGroup command is inherited by ManageSecurityGroups from the parent “Security Group Creation and Membership”.

 

 

The Organizational Unit parameter is available in the newly created ‘ManageSecurityGroups’ child role.

 

Set-RoleGroup "Manage Distribution Groups" -Role 'ManageSecurityGroups'

It still doesn’t work from EAC, but I can create a distribution group using the Exchange Management Shell.

 

Resolution:

To fix the problem, I followed the steps below.

The moment I add both child roles, ‘DistributionGroupManagement’ and ‘ManageSecurityGroups’, to the same role group “Manage Distribution Groups”, the Organizational unit option is available in EAC.

Set-RoleGroup "Manage Distribution Groups" -Role "ManageSecurityGroups", "DistributionGroupManagement"

It seems that we have to duplicate the permissions to make it work from EAC (Exchange admin center).

 

 

I have recently encountered this problem, and it seems to be a known issue in E15 SP1. Until we have an official fix for this issue, we can go with the workaround of duplicating the permissions.
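
Because the workaround assigns a second role to the role group, it is worth reviewing what that role grants beyond distribution group creation. The script below is an added example, not part of the original post; it assumes an Exchange Management Shell session with rights to view RBAC configuration and uses the role and role group names from this post.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
# Role and role group names are the ones created in this post.
$roleGroup = 'Manage Distribution Groups'
$roles     = 'DistributionGroupManagement', 'ManageSecurityGroups'

# 1. Roles currently assigned to the role group, with the write scope of each assignment.
Get-ManagementRoleAssignment -RoleAssignee $roleGroup |
    Select-Object Name, Role, RecipientWriteScope, Enabled |
    Format-Table -AutoSize | Out-String

# 2. Does each role carry New-DistributionGroup with the OrganizationalUnit parameter?
$check = foreach ($role in $roles) {
    $entry = Get-ManagementRoleEntry "$role\New-DistributionGroup" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Role                    = $role
        HasNewDistributionGroup = [bool]$entry
        HasOrganizationalUnit   = [bool]($entry -and ($entry.Parameters -contains 'OrganizationalUnit'))
    }
}
$check | Format-Table -AutoSize | Out-String

# 3. Cmdlets the user gains only through the second role (the extra privilege
#    introduced by the workaround).
$dgCmdlets = @(Get-ManagementRoleEntry 'DistributionGroupManagement\*' | ForEach-Object { $_.Name })
$sgCmdlets = @(Get-ManagementRoleEntry 'ManageSecurityGroups\*'        | ForEach-Object { $_.Name })
$extra     = @($sgCmdlets | Where-Object { $dgCmdlets -notcontains $_ } | Sort-Object)
"Cmdlets granted only through ManageSecurityGroups: $($extra.Count)"
$extra

# 4. Who effectively holds each role (directly or through group membership).
foreach ($role in $roles) {
    Get-ManagementRoleAssignment -Role $role -GetEffectiveUsers |
        Select-Object Role, RoleAssigneeName, EffectiveUserName |
        Format-Table -AutoSize | Out-String
}
```

Entries listed in `$extra` that the user does not need can be removed from the child role with Remove-ManagementRoleEntry. Retest the EAC form afterwards, since the post does not establish which entries the Organizational unit picker depends on.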

 

- Anil