o365 Sample RBAC script to reduce permissions

2020-06-24 10:24:14
Azure Office 365 System Requirements Troubleshooting UnitySync 

When syncing to an Office 365 (O365) tenant we recommend the use of an Admin login account.

However, if you wish to limit access, you may use role-based access control (RBAC) to reduce permissions on your UnitySync O365 user.

You must create a new RBAC. Using the Exchange Online admin center, add the management roles as well as the O365 user account you created for use with UnitySync. Then script the removal of the permissions you do not want the account to have.

For more detailed information, refer to Microsoft tech articles and/or reach out to Microsoft technical support.

IMPORTANT NOTE: The following is an example script for removing Admin rights from your RBAC. Your script may be different depending on your preference and environment.

New-ManagementScope -Name "UnitySync Mail Contacts" -RecipientRestrictionFilter {RecipientType -eq "MailContact"}
New-ManagementRole -Parent "Mail Recipients" -Name UnitySyncGALContacts
New-ManagementRole -Parent "Mail Recipient Creation" -Name UnitySyncGALContactsCreate
remove-ManagementRoleEntry UnitySyncGALContacts\Add-MailboxFolderPermission -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Add-MailboxPermission -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Add-RecipientPermission -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Add-UnifiedGroupLinks -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Clear-ActiveSyncDevice -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Clear-MobileDevice -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Disable-InboxRule -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Disable-Mailbox -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Enable-InboxRule -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Enable-Mailbox -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-AcceptedDomain -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-ActiveSyncDevice -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-ActiveSyncDeviceStatistics -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-ActiveSyncMailboxPolicy -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-AddressBookPolicy -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-CASMailbox -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-CASMailboxPlan -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-CalendarProcessing -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-GroupMailbox -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-HotmailSubscription -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-ImapSubscription -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-InboxRule -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-LogonStatistics -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-MailUser -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-Mailbox -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-MailboxAutoReplyConfiguration -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-MailboxCalendarConfiguration -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-MailboxCalendarFolder -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-MailboxFolderPermission -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-MailboxFolderStatistics -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-MailboxJunkEmailConfiguration -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-MailboxMessageConfiguration -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-MailboxOverrideConfiguration -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-MailboxPermission -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-MailboxPlan -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-MailboxPreferredLocation -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-MailboxRegionalConfiguration -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-MailboxSpellingConfiguration -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-MailboxStatistics -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-ManagementRoleAssignment -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-MessageCategory -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-MessageClassification -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-MobileDevice -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-MobileDeviceMailboxPolicy -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-MobileDeviceStatistics -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-OnlineMeetingConfiguration -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-OrganizationalUnit -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-OwaMailboxPolicy -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-PopSubscription -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-RbacDiagnosticInfo -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-RecipientPermission -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-RecipientStatisticsReport -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-RoleAssignmentPolicy -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-SendAddress -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-ServiceStatus -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-SiteMailbox -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-SiteMailboxProvisioningPolicy -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-Subscription -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-SyncRequest -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-SyncRequestStatistics -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-ToolInformation -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-UMMailboxPlan -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-UnifiedAuditSetting -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-UnifiedGroup -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-User -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-UserPhoto -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Import-ContactList -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Import-RecipientDataProperty -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\New-InboxRule -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\New-Mailbox -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\New-OwaMailboxPolicy -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\New-UnifiedGroup -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\remove-ActiveSyncDevice -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\remove-HybridConfiguration -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\remove-InboxRule -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\remove-MailboxFolderPermission -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\remove-MailboxPermission -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\remove-MobileDevice -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\remove-OwaMailboxPolicy -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\remove-RecipientPermission -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\remove-Subscription -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\remove-UnifiedGroup -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\remove-UnifiedGroupLinks -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\remove-UserPhoto -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Resume-SyncRequest -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-CASMailbox -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-CalendarProcessing -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-Group -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-GroupMailbox -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-HotmailSubscription -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-ImapSubscription -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-InboxRule -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-LinkedUser -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-MailboxAutoReplyConfiguration -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-MailboxCalendarConfiguration -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-MailboxCalendarFolder -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-MailboxJunkEmailConfiguration -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-MailboxMessageConfiguration -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-MailboxPlan -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-MailboxRegionalConfiguration -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-MailboxSpellingConfiguration -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-PopSubscription -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-SyncRequest -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-UnifiedAuditSetting -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-UnifiedGroup -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-UserPhoto -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Start-AuditAssistant -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Suspend-SyncRequest -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Test-InvitationManager -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Test-MAPIConnectivity -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Test-OAuthConnectivity -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Update-HybridConfiguration -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Write-AdminAuditLog -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-Clutter -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-Clutter -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\SetUserPhoto -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-OwaMailboxPolicy -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-MailUser -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-Mailbox -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\remove-SyncRequest -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-MailboxLocation -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-User -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-UnifiedGroupLinks -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Disable-JournalArchiving -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Get-ActiveSyncMailboxPolicy -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Get-AddressBookPolicy -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Get-DataEncryptionPolicy -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Get-LinkedUser -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Get-MailUser -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Get-MailboxPlan -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Get-MailboxPreferredLocation -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Get-ManagementRoleAssignment -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Get-MobileDeviceMailboxPolicy -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Get-Notification -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Get-OrganizationalUnit -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Get-RbacDiagnosticInfo -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Get-Recipient -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Get-RoleAssignmentPolicy -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Get-SharingPolicy -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Get-ToolInformation -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Get-UnifiedAuditSetting -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Get-User -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\New-DataEncryptionPolicy -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\New-MailUser -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\New-SchedulingMailbox -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\remove-MailUser -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Set-DataEncryptionPolicy -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Set-MailboxFolderPermission -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Set-Notification -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Set-UnifiedAuditSetting -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Start-AuditAssistant -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Undo-SoftDeletedMailbox -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Write-AdminAuditLog -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\remove-Mailbox -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\New-Mailbox -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Get-Mailbox -Confirm:$false
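
The removal list above is fixed, while the entries copied from the parent roles can differ between tenants, so it is worth checking what the two custom roles still allow once the script has run. The following audit is an added example, not part of the original article or of UnitySync. The allow-list in `$expected` is an assumption about which cmdlets the sync account should keep, and the script assumes an existing Exchange Online PowerShell session.

```powershell
# Added example: report what the two custom roles still allow and how they are scoped.
# Run in an Exchange Online PowerShell session (for example after Connect-ExchangeOnline).

# ASSUMPTION: cmdlets the sync account is expected to keep. Adjust for your environment.
$expected = @{
    'UnitySyncGALContacts'       = @('Get-Recipient', 'Get-Contact', 'Set-Contact',
                                     'Get-MailContact', 'Set-MailContact')
    'UnitySyncGALContactsCreate' = @('New-MailContact', 'Remove-MailContact')
}
$scopeName = 'UnitySync Mail Contacts'   # management scope created by the script above

foreach ($role in $expected.Keys) {
    # Every cmdlet entry still present on the custom role
    $left = @(Get-ManagementRoleEntry "$role\*" | Select-Object -ExpandProperty Name)

    # Entries that survived the removal script but are not on the allow-list
    $extra   = @($left | Where-Object { $_ -notin $expected[$role] })
    # Allow-listed cmdlets that are no longer on the role (sync would fail on these)
    $missing = @($expected[$role] | Where-Object { $_ -notin $left })

    [pscustomobject]@{
        Role       = $role
        Remaining  = $left.Count
        Unexpected = $extra -join ', '
        Missing    = $missing -join ', '
    }
}

# The management scope only restricts the account if it is set on the role assignment.
foreach ($role in $expected.Keys) {
    Get-ManagementRoleAssignment -Role $role |
        Select-Object Role, RoleAssigneeName, RoleAssigneeType, CustomRecipientWriteScope,
            @{ Name = 'ScopeApplied'
               Expression = { "$($_.CustomRecipientWriteScope)" -eq $scopeName } }
}
```

An empty `Unexpected` column and `ScopeApplied = True` on every assignment indicate the account is limited to mail contacts; anything listed under `Unexpected` is a permission the fixed removal list did not cover in this tenant.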
