Removing the email subscriptions interface using PowerShell

First of all, it is great to be posting on PowerShell again… it has been too long 🙂

I got a question from a K-12 customer today about the email subscriptions interface in Outlook Web Access.  Email subscriptions is a great service that allows students to pull their mail in from any other accounts they might have into a consolidated inbox.  Some schools, such as Ohio State University, use the service as a mechanism for email migration from legacy student email systems.  In K-12 however, this feature may cause a concern as it allows a student to directly pull content into their Outlook Live inbox that bypasses any filtering or controls that the school may have put in place for inbound email.

Turning the functionality off is a job for custom RBAC roles, and an understanding of how the Outlook Live interface builds the subscriptions in the background.  To turn off email subscriptions for everyone in my personal test domain, I essentially used two resources:

  1. A list of the available PowerShell cmdlets in Outlook Live:
  2. The article on customizing a mailbox plan:

I coupled this with the knowledge that some of the interface elements a user gets to see in OWA Options are based on PowerShell cmdlets that a user has indirect access to through the same interface.  So here is what I did:

Displayed the management roles assigned to the DefaultMailboxPlan for informational purposes:

Get-ManagementRoleAssignment -user DefaultMailboxPlan | format-table Role

Created a custom management role that I, in turn, stripped of the cmdlets I do not want:

New-ManagementRole -Name NoSubscriptions_defaultmailboxplan -Parent\myoptions_defaultmailboxplan

Remove-ManagementRoleEntry NoSubscriptions_defaultmailboxplan\Get-HotmailSubscription
Remove-ManagementRoleEntry NoSubscriptions_defaultmailboxplan\Set-HotmailSubscription
Remove-ManagementRoleEntry NoSubscriptions_defaultmailboxplan\New-HotmailSubscription

Remove-ManagementRoleEntry NoSubscriptions_defaultmailboxplan\Get-PopSubscription
Remove-ManagementRoleEntry NoSubscriptions_defaultmailboxplan\Set-PopSubscription
Remove-ManagementRoleEntry NoSubscriptions_defaultmailboxplan\New-PopSubscription

Remove-ManagementRoleEntry NoSubscriptions_defaultmailboxplan\Get-Subscription
Remove-ManagementRoleEntry NoSubscriptions_defaultmailboxplan\New-Subscription
Remove-ManagementRoleEntry NoSubscriptions_defaultmailboxplan\Remove-Subscription

Add the new custom role to the Default Mailbox Plan:

New-ManagementRoleAssignment -User DefaultMailboxPlan -Role NoSubscriptions_defaultmailboxplan -Name NoSubscription_DefaultMailboxPlan_Custom

Removed the built-in management role from the mailbox plan:

Get-ManagementRoleAssignment -User DefaultMailboxPlan -Role MyOptions_DefaultMailboxPlan | Remove-ManagementRoleAssignment

Verified that the original MyOptions_DefaultMailboxPlan role assignment had been removed, and NoSubscription_DefaultMailboxPlan_Custom had been added:

Get-ManagementRoleAssignment -user DefaultMailboxPlan | format-table Role

…anyway, the Options interface now looks like this… note the missing email subscriptions section.

Happy scripting!



5 Responses to Removing the email subscriptions interface using PowerShell

  1. Julie says:

    I have a different question relating to K12–in this case, for a K-5 school. I\’d like to know if the following is possible:Giving students Live@edu accounts that do not require them to have any email accounts at all, but that allow them to access SkyDrive and OfficeLive services.Locking down their profiles with certain defaults that they cannot change, such as sharing profile information and content within the school domain only.Live@edu\’s TOU covering these uses, and not requiring parental credit cards. It looks to me that the Live@edu TOU allows bypass of the parental consent for email, but not for SkyDrive and OfficeLive–am I misunderstanding?In a K-5 environment, I need to be able to monitor students\’ use of these services. (I need to be able to view their account information and what they\’ve stored online.) What mechanism(s) do I use for monitoring students\’ accounts and what they have stored? Can I make myself as administrator manditorily shared on everything?This could be a very useful service for my 3rd-5th grade students if it can be so controlled.

  2. US LiveAtedu says:

    Hi Julie,It is certainly possible to have the Live@edu service with no email. You can set up either an Outlook Live service, and simply not use the mailboxes, or setup Hotmail and do the same. The Hotmail path is more straightforward as you can use more simplistic tools to manage the accounts. If you use a CNAME verification of the domain, you do not even have to fiddle around with MX records.On your follow on questions…Locking down the LiveID profiles is not something that we offer currently.With the new Organizational Owned model, you are correct in that under 13s do not require credit card verification but usage of the other services does. This is something we are working on addressing in the future, as we recognise the value of these services in the classroom.Outside of Outlook Live, we do not provide monitoring tools for the other Live Services. These services are consumer services that are self-managed. K-12\’s that use these tools in the classroom do so according to whatever acceptable use policy that the school lays down.

  3. Julie says:

    Jonny, I appreciate the answers! I\’m disappointed with them in that we probably won\’t be able to use the service (yet), because it does look useful–but it\’s helpful to know I shouldn\’t keep pursuing this direction, at least for now. I\’ll keep an eye on it for future changes.In case it\’s useful to you as you plan the future, here\’s my perspective as a teacher of 3rd-5th grade students (ages 8-11)–a very different kettle of fish from the 9-12 grades. The younger students could definitely take advantage of and learn from using the collaboration tools, but some adult needs to be able to monitor their use closely–either parents, teachers, or administrators. If parents must take this responsibility, it\’s very reasonable for them to refuse to allow their child to use the tools; if a classroom has some students whose parents prohibit their use, they become much less useful than if teachers can depend on all students having access. On the other hand, if the school takes responsibility, it must be very easy to completely monitor students\’ use–tricky, because the students can access from outside school. (One reason I wanted to prohibit email–I don\’t have time to be the playground monitor outside school time, and I can\’t justify to parents forcing them to be the monitors. Some would be comfortable with this; others prefer not to, and who am I to say they must?) But it would be lovely to have students using the SkyDrive, Spaces, and OfficeLive–if I could easily check up on them. These very young students need different policies than the high-schoolers.

  4. US LiveAtedu says:

    Julie… we hear you load and clear… things will evolve, and I will blog on it here when the time is right 🙂

  5. Julie says:

    I\’ll keep tuned, then!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: