How To Prevent Users From Creating Distribution Groups (aka Public Groups) Or From Having Access to the Groups Page Entirely

Following on from a previous post on restricting users from modifying their Outlook Live properties, another one of our escalation engineers, Kevyn Pietsch, has weighed in with more great content!  Over to Kevyn!

Please note: The following information is specific to R3, and may change during future updates of the product.

In Outlook Live, one of the features that helps promote collaboration between students is the capability users have been given to create and manage their own Distribution Groups (DGs; aka Public Groups), as well as manage their membership in other DGs, via the Exchange Control Panel (ECP). Tenant administrators (TAs) have asked for guidance on how to control what users can do in this area. One example we’ve heard TAs ask about is how to prevent students from creating their own DGs. This blog discusses how to use Role Based Access Control (RBAC) to prevent users from being able to create DGs, as well as how to completely remove their ability to access the Groups page in the ECP.

By default, users are given access to manage DGs they belong to, and DGs they own, via two default RBAC roles/role assignments. The roles define what a student can view/modify for their own account. In order to determine the names of the two default DG roles/role assignments, you can run the following RPS command:

Get-ManagementRoleAssignment -User DefaultMailboxPlan | where {$_.name -like "MyDistributionGroup*"} | fl Name,Role

In a default RBAC setup, the output will be as follows:

Name : MyDistributionGroups-MailboxPlan-DefaultMailboxPlan<tenant specific alphanumeric sequence>

Role : <domain name>\MyDistributionGroups_DefaultMailboxPlan

Name : MyDistributionGroupMembership-MailboxPlan-DefaultMailboxPlan<tenant specific numeric sequence>

Role : <domain name>\MyDistributionGroupMembership_DefaultMailboxPlan

The roles listed above consist of the cmdlets (aka tasks) listed in the following tables. The parameters of each cmdlet are not listed in the tables, but can be determined, per cmdlet, by running the following command:

$(Get-ManagementRoleEntry <role name>\<cmdlet name>).parameters

Role: <domain name>\MyDistributionGroups_DefaultMailboxPlan

Cmdlet Name:
Update-DistributionGroupMember
Set-Group
Set-DynamicDistributionGroup
Set-DistributionGroup
Remove-DistributionGroupMember
Remove-DistributionGroup
New-DistributionGroup
Get-User
Get-Recipient
Get-MessageLatencyReport
Get-Mailbox
Get-MailUser
Get-MailContact
Get-Group
Get-DistributionGroupMember
Get-DistributionGroup
Get-Contact
Add-DistributionGroupMember

Role: <domain name>\MyDistributionGroupMembership_DefaultMailboxPlan

Cmdlet Name:
Remove-DistributionGroupMember
Get-User
Get-Recipient
Get-MessageLatencyReport
Get-Mailbox
Get-MailUser
Get-MailContact
Get-Group
Get-DistributionGroupMember
Get-DistributionGroup
Get-Contact
Add-DistributionGroupMember


Removing users’ ability to create DGs

Please note that the following information assumes a default RBAC setup for the DG roles/role assignments.

In order to prevent users from being able to create DGs, the New-DistributionGroup cmdlet must be removed from the list of cmdlets they have access to. Since default roles (aka parent roles), such as the DG roles listed earlier, cannot be modified, a customized copy of the <domain name>\MyDistributionGroups_DefaultMailboxPlan parent role must be created, modified, and assigned to the users via a new role assignment. Also, the role assignment that assigns the <domain name>\MyDistributionGroups_DefaultMailboxPlan parent role to users, via the DefaultMailboxPlan security context, must be removed. This is because the cmdlets/parameters in the roles that are assigned to users are cumulative: as long as the parent role remains assigned, users keep New-DistributionGroup regardless of what the customized copy contains. The steps to do this are as follows:

1. Make a customized copy of the <domain name>\MyDistributionGroups_DefaultMailboxPlan parent role by running the following RPS command:

New-ManagementRole -Name Limited_MyDGs_DefaultMailboxPlan -Parent MyDistributionGroups_DefaultMailboxPlan

Note: When using a parent role name in an RPS command, including the <domain name> part of the role name is optional. For this example, when specifying the parent role name in the -Parent parameter, I have left out the <domain name> part of the parent role name. Also, for this example, I used the customized role name of Limited_MyDGs_DefaultMailboxPlan. It is recommended that a memorable naming convention be used for the new role/role assignment names.

2. Remove the New-DistributionGroup cmdlet from the Limited_MyDGs_DefaultMailboxPlan role by running the following RPS command:

Remove-ManagementRoleEntry -Identity Limited_MyDGs_DefaultMailboxPlan\New-DistributionGroup

3. Create the new role assignment to assign the Limited_MyDGs_DefaultMailboxPlan role to users, via the DefaultMailboxPlan security context, via the following RPS command:

New-ManagementRoleAssignment -Name Limited_MyDGs_DefaultMailboxPlan_RoleAssignment -Role Limited_MyDGs_DefaultMailboxPlan -User DefaultMailboxPlan

Note: For this example, I used Limited_MyDGs_DefaultMailboxPlan_RoleAssignment as the name of the new role assignment that assigns the Limited_MyDGs_DefaultMailboxPlan customized role to the users, via the DefaultMailboxPlan security context.

4. Determine the name of the default role assignment that assigns the <domain name>\MyDistributionGroups_DefaultMailboxPlan parent role to the users via the following RPS command:

Get-ManagementRoleAssignment -User DefaultMailboxPlan | where {$_.name -like "MyDistributionGroups*"} | fl Name,Role

5. Remove the default role assignment from the users by running the following RPS command:

Remove-ManagementRoleAssignment -Identity <default role assignment name from step 4>
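The five steps above, carried out as one idempotent script, as an added example that is not part of the original post. It assumes an RPS session to the tenant is already open and the default role/assignment names shown earlier are present; it re-uses the role and assignment names chosen in the post, and finishes with a verification pass that accounts for the cumulative nature of role assignments by checking every role still assigned via DefaultMailboxPlan, not just the one that was removed.

```powershell
# Added example, not the post's own script. Assumes an open RPS session and the
# default DG roles/role assignments described above. Names are the post's choices.
$Parent     = 'MyDistributionGroups_DefaultMailboxPlan'
$CustomRole = 'Limited_MyDGs_DefaultMailboxPlan'
$Assignment = 'Limited_MyDGs_DefaultMailboxPlan_RoleAssignment'
$Scope      = 'DefaultMailboxPlan'   # security context the users inherit from

# Step 1: create the customized copy of the parent role, only if it is not there yet
if (-not (Get-ManagementRole -Identity $CustomRole -ErrorAction SilentlyContinue)) {
    New-ManagementRole -Name $CustomRole -Parent $Parent | Out-Null
}

# Step 2: strip the creation cmdlet from the copy (no-op when already removed)
$entryId = "$CustomRole\New-DistributionGroup"
if (Get-ManagementRoleEntry -Identity $entryId -ErrorAction SilentlyContinue) {
    Remove-ManagementRoleEntry -Identity $entryId -Confirm:$false
}

# Step 3: assign the customized role through the DefaultMailboxPlan security context
if (-not (Get-ManagementRoleAssignment -Identity $Assignment -ErrorAction SilentlyContinue)) {
    New-ManagementRoleAssignment -Name $Assignment -Role $CustomRole -User $Scope | Out-Null
}

# Steps 4 and 5: remove the default assignment of the parent role. Match on the Role
# property rather than a Name prefix so the MyDistributionGroupMembership-* assignment
# (which users still need to manage their own memberships) is left untouched.
Get-ManagementRoleAssignment -User $Scope |
    Where-Object { "$($_.Role)" -eq $Parent -or "$($_.Role)" -like "*\$Parent" } |
    ForEach-Object { Remove-ManagementRoleAssignment -Identity $_.Name -Confirm:$false }

# Verification: role entries are cumulative across all assignments, so New-DistributionGroup
# must be absent from every role that is still assigned via the DefaultMailboxPlan context.
$leaks = Get-ManagementRoleAssignment -User $Scope | ForEach-Object {
    Get-ManagementRoleEntry -Identity "$($_.Role)\New-DistributionGroup" -ErrorAction SilentlyContinue
}
if ($leaks) {
    Write-Warning "New-DistributionGroup is still reachable via: $(($leaks | ForEach-Object { $_.Identity }) -join ', ')"
} else {
    Write-Output "OK: no role assigned through $Scope exposes New-DistributionGroup"
}
```

Run the script a second time after a future update to confirm the parent-role assignment has not been re-created; every step is a no-op when the tenant is already in the desired state.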

Removing access to the Groups page

In order to remove access to the Groups page, you simply remove both of the default DG role assignments by going through the following steps:

1. Determine the names of the two DG role assignments that assign the roles to the users via the DefaultMailboxPlan security context, by running the following RPS command:

Get-ManagementRoleAssignment -User DefaultMailboxPlan | where {$_.name -like "MyDistributionGroup*"} | fl Name

2. Remove the two default DG role assignments by running the following RPS command once for each of the role assignment names from step 1:

Remove-ManagementRoleAssignment -Identity <role assignment name>
