
Module 6

Exchange Online Permissions

Conditions and Terms of Use


Microsoft Confidential

This training package is proprietary and confidential, and is intended only for uses described in the training materials. Content and software is provided
to you under a Non-Disclosure Agreement and cannot be distributed. Copying or disclosing all or any portion of the content and/or software included in
such packages is strictly prohibited.
The contents of this package are for informational and training purposes only and are provided "as is" without warranty of any kind, whether express or
implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement.
Training package content, including URLs and other Internet Web site references, is subject to change without notice. Because Microsoft must respond
to changing market conditions, the content should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the
accuracy of any information presented after the date of publication. Unless otherwise noted, the companies, organizations, products, domain names, email addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product,
domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

Copyright and Trademarks


© 2014 Microsoft Corporation. All rights reserved.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject
matter in this document. Except as expressly provided in written license agreement from Microsoft, the furnishing of this
document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of
this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means
(electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
For more information, see Use of Microsoft Copyrighted Content at
http://www.microsoft.com/about/legal/permissions/
Microsoft, Internet Explorer, Outlook, SkyDrive, Windows Vista, Zune, Xbox 360, DirectX, Windows Server and
Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
Other Microsoft products mentioned herein may be either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries. All other trademarks are property of their respective owners.

Overview:

This module covers the permission model of Exchange Online:

- Overview of Role Based Access Control (RBAC)
- Management Roles, Groups and Scopes
- Role Assignment Policies
- Outlook Web App Policies

Objectives

After completing this module, you will be able to:

- Understand the permission structure of Exchange Online
- Administer Exchange Online RBAC

Overview of Exchange Online Access Control

Role Based Access Control (RBAC)

Provides a more granular way for Administrators to determine the exact level of Administrative access that is available to other users in the tenant
Administrators can use pre-configured or custom built RBAC roles
Role Groups
Administrator Role (also known as Role Groups)
- Determines which Exchange objects an Administrator can view and manage in the Organization view of the EAC and PowerShell
User Role (also known as a Role Assignment Policy)
- Determines what options an End-User sees in their view of the ECP

RBAC and Active Directory Domain Services

RBAC controls who can perform what and where.
Once RBAC has agreed to the request, the action is performed by the Exchange server.
The Exchange servers, through the Exchange Trusted Subsystem group, have extended rights in Active Directory.

RBAC Roles Control

- Who is being given the ability to control objects
- What kinds of objects can be controlled
- Where are the controlled objects located

RBAC Who?

[Diagram: Office 365 Administrators; Users]

RBAC can be used to assign permissions to both Administrators and Users in Exchange Online

RBAC Who? Administrator

[Diagram: Office 365 Administrators; Users; Role Group]

Office 365 Administrators can be added to Role Groups.
Role Groups allow specific access to be assigned to a group of Administrators.
These role groups can be customized with specific permissions depending on the desires of the organization.

RBAC Where? Administrator

[Diagram: Office 365 Administrators; Users; Role Group; Organization]

Administrators are typically given control over Exchange objects across the entire organization (tenant).
This access can be limited to part of the organization, but in most cases, access is granted to the entire organization.

RBAC What? Administrator

[Diagram: Office 365 Administrators; Users; Role Group; Organization; Mailboxes; Public Folders; Contacts; PowerShell]

Administrator role groups control Exchange objects like User Mailboxes, Mail Contacts, and Public folders etc.

RBAC Who? End User

[Diagram: Office 365 Administrators; Users; Role Assignment Policy]

End Users in Exchange Online can be assigned a User Role, also known as a Role Assignment Policy, to gain access to specific settings

RBAC Where? End User

[Diagram: Office 365 Administrators; Users; Role Assignment Policy; Outlook Web App]

Specifically, User Roles allow Exchange Online users to gain access to specific settings presented in the Options in Outlook Web App

RBAC What? End User

[Diagram: Office 365 Administrators; Users; Role Assignment Policy; Outlook Web App; Distribution Group; Mobile Devices; LinkedIn; Facebook]

User Roles can control the ability to:

- Create and manage distribution groups
- Manage mobile devices
- Integrate Facebook and LinkedIn inside of OWA

O365 Admin Roles vs. EXO Admin Roles vs. EXO User Roles

Roles can be assigned by using:
- Office 365 Admin Center
- Exchange Admin Center
- PowerShell
Office 365 Administrator roles allow you to control Azure Active Directory objects and functionality only, which limits you to administration via
- Office 365 Admin Center
- Azure Active Directory Module for Windows PowerShell
Exchange Admin roles limit you to administering Exchange Online only via
- Exchange Admin Center
- Remote PowerShell
Exchange User roles limit what the user can see and do from the OWA options page

Exchange Admin Center Permissions Page

Default Role Groups

On the Admin Roles tab in EAC, administrators are given a list of default role groups which cover most delegated administration needs
Administrators can create new role groups from scratch, or make a copy of a default role group and customize its functionality by adding or removing roles from within the group

Default Exchange Admin Roles

Exchange Admin Center View

When you add a user to an existing or new role group, they will then have the ability to view the Exchange Admin Center with the view restricted based on the functionality of the role group.

To access the Exchange Admin Center, the administrator would navigate to https://outlook.office365.com/ecp/

[Screenshots: EAC view for a member of Organization Management; EAC view for a member of Recipient Management]

Role Groups and PowerShell

To get a list of role groups:
Get-RoleGroup

To see who is a member of a role group:
Get-RoleGroupMember -Identity "Recipient Management"

To add a user to a role group:
Add-RoleGroupMember "Recipient Management" -Member John

To remove a member of a role group:
Remove-RoleGroupMember "Recipient Management" -Member John
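
The cmdlets above can be combined into a periodic membership review. The following is an added example, not part of the course material: it lists every role group member and marks those missing from an approved baseline. The `$Approved` table and the function name `Get-RoleGroupDrift` are constructed for illustration, and an Exchange Online remote PowerShell session is assumed to be open.

```powershell
# Added example: compare role group membership with an approved baseline.
# $Approved is constructed sample data; "John" is the sample user from the slide.
$Approved = @{
    'Organization Management' = @()        # list your approved tenant-wide admins here
    'Recipient Management'    = @('John')
}

function Get-RoleGroupDrift {
    param([hashtable]$Baseline)

    foreach ($group in Get-RoleGroup) {
        # @() forces an array even when a group has zero or one member
        $members = @(Get-RoleGroupMember -Identity $group.Name)
        foreach ($member in $members) {
            # A member is expected only if the group is in the baseline
            # and the member is named there
            $expected = $Baseline.ContainsKey($group.Name) -and
                        ($Baseline[$group.Name] -contains $member.Name)
            [pscustomobject]@{
                RoleGroup  = $group.Name
                Member     = $member.Name
                MemberType = $member.RecipientType
                Roles      = ($group.Roles -join '; ')
                Expected   = $expected
            }
        }
    }
}

$report = Get-RoleGroupDrift -Baseline $Approved

# $false sorts before $true, so unexpected members appear at the top
$report | Sort-Object Expected, RoleGroup |
    Format-Table RoleGroup, Member, MemberType, Expected -AutoSize

# Keep a dated copy so that later runs can be compared
$report | Export-Csv -Path ".\rolegroup-audit-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Any row with `Expected` set to False is either a gap in the baseline or a membership that should be removed with Remove-RoleGroupMember.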


User Roles

User roles are defined by a role assignment policy.
This policy grants end users permissions to set their Outlook Web App options and perform other self-administration tasks.
A default role assignment policy exists in Exchange Online that has all OWA options enabled by default.
You can create customized role assignment policies in EAC or via PowerShell and restrict what options are available to users.
Role assignment policies are assigned to the mailbox.
To create a role assignment policy via PowerShell:
New-RoleAssignmentPolicy -Name "Limited" -Roles "MyPersonalInformation", "MyDistributionGroupMembership"
To assign the new policy to all mailboxes via PowerShell:
Get-Mailbox | Set-Mailbox -RoleAssignmentPolicy Limited
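
Before assigning a restricted policy to every mailbox, it helps to confirm what the policy grants and to pilot it on one mailbox. The following is an added example, not part of the course material: it uses the "Limited" policy and the two roles from the slide, treats "John" as a pilot mailbox (an assumption), and expects an open Exchange Online remote PowerShell session.

```powershell
# Added example: create, inspect, pilot and verify a restricted role assignment policy.

# 1. Record which policy is currently the tenant default
$default = Get-RoleAssignmentPolicy | Where-Object { $_.IsDefault }

# 2. Create the restricted policy only if it does not exist yet
if (-not (Get-RoleAssignmentPolicy | Where-Object { $_.Name -eq 'Limited' })) {
    New-RoleAssignmentPolicy -Name 'Limited' `
        -Roles 'MyPersonalInformation', 'MyDistributionGroupMembership'
}

# 3. List exactly which end-user roles the policy grants
Get-ManagementRoleAssignment -RoleAssignee 'Limited' |
    Select-Object Role, RoleAssigneeName, Enabled

# 4. Pilot on a single mailbox: preview with -WhatIf, then apply
Set-Mailbox -Identity 'John' -RoleAssignmentPolicy 'Limited' -WhatIf
Set-Mailbox -Identity 'John' -RoleAssignmentPolicy 'Limited'

# 5. Count mailboxes per policy to see how far the restricted policy has rolled out
Get-Mailbox -ResultSize Unlimited |
    Group-Object RoleAssignmentPolicy |
    Select-Object Name, Count

# 6. List mailboxes that still carry the default (all options enabled) policy
Get-Mailbox -ResultSize Unlimited |
    Where-Object { "$($_.RoleAssignmentPolicy)" -eq $default.Name } |
    Select-Object DisplayName, PrimarySmtpAddress, RoleAssignmentPolicy
```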


Outlook Web Access Policies

Configuring OWA Mailbox Policies

OWA Mailbox Policies control the features available to users in Outlook Web App. For example, Administrators can block opening all attachments in OWA.
Notable configurable options:
- Blocked/Allowed Attachment types
- Access to Calendar Configuration
- Social Network Configuration
- Users may select themes for OWA

Applying OWA Mailbox Policy to Users

Rules for Applying OWA Mailbox Policies:

- Only one Outlook Web App mailbox policy can be applied to a mailbox
- The Set-CASMailbox cmdlet may be used to apply a policy
- Or use EAC to single-select or bulk-select mailboxes
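
The two OWA policy slides above describe a create, configure, apply sequence. The following is an added example, not part of the course material: it builds a policy that blocks opening attachments in OWA and disables theme selection, applies it to one mailbox with Set-CASMailbox, and verifies the result. The policy name "Restricted OWA" and the mailbox "John" are assumptions, and an Exchange Online remote PowerShell session is assumed to be open.

```powershell
# Added example: restricted OWA mailbox policy, applied and verified.
$policyName = 'Restricted OWA'   # hypothetical name chosen for this example

# Create the policy only if it does not exist yet
if (-not (Get-OwaMailboxPolicy | Where-Object { $_.Name -eq $policyName })) {
    New-OwaMailboxPolicy -Name $policyName
}

# Block opening attachments directly in OWA on public and private computers,
# and stop users from changing the OWA theme
Set-OwaMailboxPolicy -Identity $policyName `
    -DirectFileAccessOnPublicComputersEnabled $false `
    -DirectFileAccessOnPrivateComputersEnabled $false `
    -ThemeSelectionEnabled $false

# A mailbox holds exactly one OWA mailbox policy; this replaces any previous one
Set-CASMailbox -Identity 'John' -OwaMailboxPolicy $policyName

# Verify the policy settings that were just changed
Get-OwaMailboxPolicy -Identity $policyName |
    Format-List Name, DirectFileAccessOnPublicComputersEnabled,
                DirectFileAccessOnPrivateComputersEnabled, ThemeSelectionEnabled

# Verify the assignment on the pilot mailbox
Get-CASMailbox -Identity 'John' | Select-Object Name, OwaMailboxPolicy

# Count mailboxes per policy; an empty name means no policy was set explicitly
Get-CASMailbox -ResultSize Unlimited |
    Group-Object OwaMailboxPolicy |
    Select-Object Name, Count
```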


End user experience: Default Policy vs Restricted Policy

[Screenshots: User with Default OWA Mailbox Policy; User with limited OWA Mailbox Policy]

Lab: Managing Permissions (RBAC)

Module Review

1. What is the difference between an Exchange Online Admin role and User role?
2. What enables Exchange Server to create and manage Active Directory objects?
3. If you wanted to give the user the ability to manage the whole Exchange Online tenant, what role group would you add them to?

Module Summary

In this module, you learned:

- About RBAC
- How to configure and administer role groups
- The differences between admin and user roles

2013
2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks
in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of
this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and
Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR
STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION
