Manage role groups in standalone EOP

In standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, you can use the Exchange admin center (EAC) to add users to role groups. Adding a user to a role group gives the user permissions to do specific admin tasks. You can also remove users from role groups.

For more information about roles and role groups, see Permissions in standalone EOP.

What do you need to know before you begin?

Use the EAC to manage role groups

In the EAC at https://admin.exchange.microsoft.com, go to Permissions > Admin roles. Or, to go directly to the Admin roles page, use https://admin.exchange.microsoft.com/#/adminRoles.

Use the EAC to view role groups and role group details

On the Admin roles page in the EAC at https://admin.exchange.microsoft.com/#/adminRoles, the following information is shown for all built-in and custom role groups:

  • Role group: The name of the role group.
  • Description

To sort the list of role groups, click on a column header.

To change the list of entries from normal to compact spacing, select Change view, and then select Compact list.

Use the Search box and a corresponding value to find specific role groups.

To view the details of a role group, select the group from the list by clicking on the name. The details flyout that opens contains the following tabs:

  • General tab: This tab contains the following information about the role group:

    • Name
    • Description: Select Edit basics to change the Name or Description.
    • Managed by
    • Write scope
  • Assigned tab: This tab shows the users who are members of the role group. The tab has the same Change view and Search capabilities as the main role group view.

    To modify group membership, see the Use the EAC to modify role groups section.

Use the EAC to create role groups

  1. On the Admin roles page in the EAC at https://admin.exchange.microsoft.com/#/adminRoles, do one of the following steps:

    • Create a new role group: Verify that no role groups are selected, and then select Add role group.
    • Copy an existing role group: Select the role group that you want to copy by selecting the round check box that appears in the blank area next to the role group name column, and then select the Copy role group action that appears.

    Either one of these steps starts the role creation wizard as described in the remaining steps.

  2. On the Basics page, configure the following settings:

    • Name: Enter a unique name for the role group.
    • Description: Enter an optional description for the role group.
    • Write scope: Leave the default value Default, or select an existing write scope object that you previously created in PowerShell.

    If you're copying a role group, the default Name value is Copy of <Role group name> and the existing Description value is copied, but you can change these values.

    When you're finished on the Basics page, select Next.

  3. On the Permission page, select the roles to assign to the role group by selecting the check box next to the Role column.

    To sort the roles, click on a column heading:

    • Role
    • Description
    • Default recipient scope
    • Default configuration scope

    To change the list of entries from normal to compact spacing, select Change view, and then select Compact list.

    Use the Search box and a corresponding value to find a specific role.

    If you're copying a role group, the permissions from the original role group are already selected, but you can change them.

    When you're finished on the Permission page, select Next.

  4. On the Admins page, select the users to add to the role group.

    Click in the box to see all eligible accounts and role groups to select from, or start typing a name or display name to filter the results.

    If you're copying a role group, the members from the original role group are already selected, but you can change them.

    To remove users from the group, select Remove on the entry.

    When you're finished on the Admins page, select Next.

  5. On the Review and finish page, verify your selections.

    Use the Edit links in each section to change the value, or use the Back button.

    When you're finished on the Review and finish page, select Add role group or Copy role group to create the role group.

Use the EAC to modify role groups

Tip

You can't change the name or description of a built-in role group.

Don't change the roles that are assigned to built-in role groups. Copy the existing role group and modify the copy, or create a custom role group instead.

  1. On the Admin roles page in the EAC at https://admin.exchange.microsoft.com/#/adminRoles, select a role group by clicking on the role group name.

  2. In the details flyout that opens, configure one or more of the following settings:

    • General tab: Select Edit basics to change the name or description of the group in the flyout that opens, and then select Save.

    • Assigned tab: Change the membership of the role group:

      • Add members: Select Add. In the Add admins flyout that opens, click in the box to see all eligible accounts and role groups to select from, or start typing a name or display name to filter the results. Select the user by clicking on the entry below the box, and then select Add.

      • Remove members: Select the check box next to one or more existing members in the list, and then select the Delete action that appears, and then select Yes, remove in the confirmation dialog.

    • Permission tab: Select the roles to assign to the role group by selecting the check box next to the Role column.

      To sort the roles, click on a column heading:

      • Role
      • Default recipient scope
      • Default configuration scope

      To change the list of entries from normal to compact spacing, select Change view, and then select Compact list.

      Use the Search box and a corresponding value to find a specific role.

      When you're finished on the tab, select Save.

    Tip

    Users may have to sign out and sign in again to see the change in their administrative rights after you add or remove members from the role group.

Use the EAC to remove role groups

You can't remove built-in role groups, but you can remove custom role groups.

  1. On the Admin roles page in the EAC at https://admin.exchange.microsoft.com/#/adminRoles, select the role group that you want to remove by selecting the round check box that appears in the blank area next to the role group name column, and then select the Delete action that appears.

  2. In the confirmation flyout that opens, select Confirm.

Use Exchange Online Protection PowerShell to manage role groups

To connect to Exchange Online Protection PowerShell, see Connect to Exchange Online Protection PowerShell.

Use EOP PowerShell to view role groups

To view a role group, use the following syntax:

Get-RoleGroup [-Identity "<Role Group Name>"] [-Filter <Filter>]

This example returns a summary list of all role groups.

Get-RoleGroup

This example returns detailed information for the role group named Recipient Administrators.

Get-RoleGroup -Identity "Recipient Administrators" | Format-List

This example returns all role groups where the user Julia is a member. You need to use the DistinguishedName (DN) value for Julia, which you can find by running the command: Get-User -Identity Julia | Format-List DistinguishedName.

Get-RoleGroup -Filter "Members -eq 'CN=Julia,OU=contoso.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=NAMPR001,DC=PROD,DC=OUTLOOK,DC=COM'"

For detailed syntax and parameter information, see Get-RoleGroup.
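The Get-RoleGroup filter above needs the member's distinguished name, which is easy to get wrong by hand. The following script, added here as an example and not part of the original article, resolves the DN with Get-User first, lists the role groups the user belongs to, flags membership in high-privilege groups, and then dumps every role group's members and roles to a CSV for an access review. It assumes an existing standalone EOP PowerShell session; the user name, the high-privilege group list and the output path are placeholders.

```powershell
# Added example (not from the original article). Assumes you already
# connected to standalone EOP PowerShell. "Julia", the group names in
# $highPrivilege and the CSV path are placeholders.

$UserIdentity = "Julia"

# Get-RoleGroup -Filter matches members by distinguished name, so resolve
# the user's DN first instead of typing the directory layout by hand.
$user = Get-User -Identity $UserIdentity -ErrorAction Stop
$dn   = $user.DistinguishedName

# The filter value is single-quoted; double any single quotes inside the DN.
$escapedDn     = $dn -replace "'", "''"
$groupsForUser = @(Get-RoleGroup -Filter "Members -eq '$escapedDn'")

Write-Host "Role groups containing $($user.DisplayName) ($dn):"
$groupsForUser | Select-Object Name, Description | Format-Table -AutoSize

# Membership in these groups should be explicitly justified in a review.
# Placeholder list; adjust to the built-in groups that matter to you.
$highPrivilege = @("Organization Management", "Security Administrator")
foreach ($g in $groupsForUser) {
    if ($highPrivilege -contains [string]$g.Name) {
        Write-Warning "$UserIdentity is a member of high-privilege role group '$($g.Name)'"
    }
}

# Whole-tenant view: one row per (role group, member) pair with the roles
# the group carries, suitable for exporting to whoever signs off on admin
# access. Members and Roles are read from the Get-RoleGroup output.
$report = foreach ($rg in Get-RoleGroup) {
    foreach ($member in @($rg.Members)) {
        [pscustomobject]@{
            RoleGroup = [string]$rg.Name
            Member    = [string]$member
            Roles     = (@($rg.Roles | ForEach-Object { [string]$_ }) -join "; ")
        }
    }
}
$report | Sort-Object RoleGroup, Member |
    Export-Csv -Path ".\RoleGroupMembers.csv" -NoTypeInformation

Write-Host "Wrote $(@($report).Count) membership rows to .\RoleGroupMembers.csv"
```

The DN escaping matters: the filter is an OPATH string, and a DN containing an apostrophe (common in surnames) breaks an unescaped single-quoted value. The report uses the Members property that Get-RoleGroup already returns, so it needs no additional cmdlets.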

Use EOP PowerShell to create role groups

When you create a new role group, you can configure all of the settings manually (during the creation of the group or after). Or, you can copy an existing role group and modify it.

  • To manually create a new role group, use the following syntax:

    New-RoleGroup -Name "Unique Name" -Description "Descriptive text" -Roles <"Role1","Role2"...> [-Members <Members>]
    
    • The Roles parameter specifies the management roles to assign to the role group by using the following syntax: "Role1","Role2",..."RoleN". You can see the available roles by using the Get-ManagementRole cmdlet.
    • The Members parameter specifies the members of the role group by using the following syntax: "Member1","Member2",..."MemberN". You can specify users, mail-enabled universal security groups (USGs), or other role groups (security principals).

    This example creates a new role group named "Limited Recipient Management" with the following settings:

    • The Mail Recipients role is assigned to the role group.
    • The users Kim and Martin are added as members.
    New-RoleGroup -Name "Limited Recipient Management" -Roles "Mail Recipients" -Members "Kim","Martin"
    
  • To copy an existing role group, do the following steps:

    1. Store the role group that you want to copy in a variable using the following syntax:

      $RoleGroup = Get-RoleGroup "<Existing Role Group Name>"
      
    2. Create the new role group using the following syntax:

      New-RoleGroup -Name "<Unique Name>" -Roles $RoleGroup.Roles [-Members <Members>]
      

      The Members parameter specifies the members of the role group by using the following syntax: "Member1","Member2",..."MemberN". You can specify users, mail-enabled universal security groups (USGs), or other role groups (security principals).

      This example copies the Organization Management role group to the new role group named "Limited Organization Management". The role group members are Isabelle, Carter, and Lukas.

      $RoleGroup = Get-RoleGroup "Organization Management"
      
      New-RoleGroup "Limited Organization Management" -Roles $RoleGroup.Roles -Members "Isabelle","Carter","Lukas"
      

For detailed syntax and parameter information, see New-RoleGroup.
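Copying Organization Management as shown above reproduces every role of the source, which is rarely what a "limited" group should hold. The following script, added here as an example and not part of the original article, copies an existing role group's roles but drops a named set of roles before creating the new group, refuses to create a group that would end up with no roles, and verifies afterwards that the created group carries exactly the requested roles. It assumes a standalone EOP PowerShell session; the source group, excluded role names and member names are placeholders, and roles are compared by their name as returned in the Roles property.

```powershell
# Added example (not from the original article). Assumes an existing
# standalone EOP PowerShell session. Group, role and member names below
# are placeholders; check Get-ManagementRole for the roles in your tenant.

$sourceGroup  = "Organization Management"
$newGroupName = "Limited Organization Management"
$newMembers   = @("Isabelle", "Carter", "Lukas")

# Roles the new admins must not hold, e.g. anything that lets them change
# permissions themselves. Placeholder list for the example.
$excludedRoles = @("Role Management", "Security Group Creation and Membership")

if (Get-RoleGroup -Identity $newGroupName -ErrorAction SilentlyContinue) {
    throw "Role group '$newGroupName' already exists; pick a unique name."
}

$source = Get-RoleGroup -Identity $sourceGroup -ErrorAction Stop

# Work with role names as strings so the comparison is by name
# (case-insensitive, which is how PowerShell's -contains behaves).
$sourceRoles = @($source.Roles | ForEach-Object { [string]$_ })
$keptRoles   = @($sourceRoles | Where-Object { $excludedRoles -notcontains $_ })
$dropped     = @($sourceRoles | Where-Object { $excludedRoles -contains $_ })

if ($keptRoles.Count -eq 0) {
    throw "No roles left after exclusion; refusing to create an empty role group."
}

Write-Host "Creating '$newGroupName' with $($keptRoles.Count) of $($sourceRoles.Count) roles from '$sourceGroup'."
if ($dropped.Count -gt 0) { Write-Host "Dropped roles: $($dropped -join ', ')" }

# Roles in $excludedRoles that the source never had are simply a no-op;
# say so, because a typo in the exclusion list would otherwise go unnoticed.
$notInSource = @($excludedRoles | Where-Object { $sourceRoles -notcontains $_ })
if ($notInSource.Count -gt 0) {
    Write-Warning "Excluded roles not present on '$sourceGroup': $($notInSource -join ', ')"
}

New-RoleGroup -Name $newGroupName `
    -Description "Copy of $sourceGroup without: $($excludedRoles -join ', ')" `
    -Roles $keptRoles `
    -Members $newMembers

# Verify that what exists now matches what was requested.
$created      = Get-RoleGroup -Identity $newGroupName -ErrorAction Stop
$createdRoles = @($created.Roles | ForEach-Object { [string]$_ })
$diff = Compare-Object -ReferenceObject $keptRoles -DifferenceObject $createdRoles
if ($diff) {
    Write-Warning "Role assignment on '$newGroupName' differs from the request:"
    $diff | Format-Table -AutoSize
} else {
    Write-Host "Roles on '$newGroupName' verified ($($createdRoles.Count) roles)."
}
```

The existence check at the top is there because New-RoleGroup with a name that already exists fails, and the verification step at the end catches the case where a role name in the kept list did not resolve to a role. The same pattern works for any source group: change $sourceGroup and $excludedRoles.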

Use EOP PowerShell to modify the list of members in role groups

  • The Add-RoleGroupMember and Remove-RoleGroupMember cmdlets add or remove individual members one at a time. The Update-RoleGroupMember cmdlet can replace or modify the existing list of members.
  • The members of a role group can be users, mail-enabled universal security groups (USGs), or other role groups (security principals).

To modify the members of a role group, use the following syntax:

Update-RoleGroupMember -Identity "<Role Group Name>" -Members <Members>
  • To replace the existing list of members with the values you specify, use the following syntax: "Member1","Member2",..."MemberN".
  • To selectively modify the existing list of members, use the following syntax: @{Add="Member1","Member2"...; Remove="Member3","Member4"...}.

This example replaces all current members of the Help Desk role group with the specified users.

Update-RoleGroupMember -Identity "Help Desk" -Members "Gabriela Laureano","Hyun-Ae Rim","Jacob Berger"

This example adds Daigoro Akai and removes Valeria Barrios from the list of members on the Help Desk role group.

Update-RoleGroupMember -Identity "Help Desk" -Members @{Add="Daigoro Akai"; Remove="Valeria Barrios"}

For detailed syntax and parameter information, see Update-RoleGroupMember.
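Replacing the whole member list, as in the first example, silently drops anyone who was added outside your script, while the Add/Remove form requires you to know what is there. The following script, added here as an example and not part of the original article, reads the current membership, computes the difference from a declared list, and applies only that difference in a single Update-RoleGroupMember call, with a dry-run switch and a guard against emptying the group. It assumes a standalone EOP PowerShell session in which Get-RoleGroupMember is available, and compares members by the Name property of the objects it returns; the role group and member names are placeholders.

```powershell
# Added example (not from the original article). Assumes an existing
# standalone EOP PowerShell session and that Get-RoleGroupMember is
# available in it. Role group and member names are placeholders.

$roleGroup      = "Help Desk"
$desiredMembers = @("Gabriela Laureano", "Hyun-Ae Rim", "Jacob Berger", "Daigoro Akai")
$dryRun         = $true   # set to $false to apply the change

# Current membership, compared by the member object's Name property.
$current = @(Get-RoleGroupMember -Identity $roleGroup -ErrorAction Stop |
             ForEach-Object { [string]$_.Name })

$toAdd    = @($desiredMembers | Where-Object { $current -notcontains $_ })
$toRemove = @($current        | Where-Object { $desiredMembers -notcontains $_ })

if ($toAdd.Count -eq 0 -and $toRemove.Count -eq 0) {
    Write-Host "'$roleGroup' already matches the desired membership; nothing to do."
    return
}

Write-Host "Planned changes for '$roleGroup':"
$toAdd    | ForEach-Object { Write-Host "  + $_" }
$toRemove | ForEach-Object { Write-Host "  - $_" }

# Refuse to leave the group with no members; that usually means the
# desired list was wrong, not that everyone should lose access.
if (($current.Count - $toRemove.Count + $toAdd.Count) -eq 0) {
    throw "Change would leave '$roleGroup' with no members; aborting."
}

# Build the Add/Remove hashtable with only the keys that have entries,
# which is the selective form Update-RoleGroupMember accepts.
$change = @{}
if ($toAdd.Count    -gt 0) { $change["Add"]    = $toAdd }
if ($toRemove.Count -gt 0) { $change["Remove"] = $toRemove }

# -WhatIf:$dryRun prints what would happen without changing anything
# while $dryRun is $true.
Update-RoleGroupMember -Identity $roleGroup -Members $change -WhatIf:$dryRun

if (-not $dryRun) {
    # Re-read and confirm the result rather than trusting the call succeeded.
    $after = @(Get-RoleGroupMember -Identity $roleGroup |
               ForEach-Object { [string]$_.Name })
    $diff  = Compare-Object -ReferenceObject $desiredMembers -DifferenceObject $after
    if ($diff) {
        Write-Warning "Membership of '$roleGroup' still differs from the desired list:"
        $diff | Format-Table -AutoSize
    } else {
        Write-Host "'$roleGroup' membership verified ($($after.Count) members)."
    }
}
```

Run it once with $dryRun left at $true to see the planned additions and removals, then set it to $false. Because the script only applies the computed difference, running it repeatedly is safe: a second run reports that there is nothing to do.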

Use EOP PowerShell to remove role groups

You can't remove built-in role groups, but you can remove custom role groups.

To remove a custom role group, use the following syntax:

Remove-RoleGroup -Identity "<Role Group Name>" [-BypassSecurityGroupManagerCheck]

This example removes the Training Administrators role group.

Remove-RoleGroup -Identity "Training Administrators"

For detailed syntax and parameter information, see Remove-RoleGroup.

How do you know these procedures worked?

To verify that you successfully created, modified, or removed a role group, do either of the following steps:

  • In the EAC, go to the Admin roles page at https://admin.exchange.microsoft.com/#/adminRoles, and verify the role group is listed (or not listed). Select the role group by clicking on the name, and verifying the settings in the details flyout that opens.

  • In Exchange Online Protection PowerShell, replace <Role Group Name> with the name of the role group, and run the following command to verify the role group exists (or doesn't exist) and verify the settings:

    Get-RoleGroup -Identity "<Role Group Name>" | Format-List