o365 Sample RBAC script to reduce permissions

2019-01-30 12:14:56
Azure Office 365 System Requirements Troubleshooting UnitySync 

When syncing to an Office 365 (O365) tenant, we recommend using an Admin login account. However, you may use role-based access control (RBAC) to reduce the permissions of your UnitySync O365 user.

You must create a new role-based access control (RBAC). Using the Exchange Online admin center, add management roles as well as the o365 User account you created for use with UnitySync. Then script the removal of the permissions you want to remove.

For more detailed information, refer to Microsoft's technical articles.

The following is an example script for removing Admin rights from your RBAC. Your changes may be different depending on your preference.

New-ManagementScope -Name "UnitySync Mail Contacts" -RecipientRestrictionFilter {RecipientType -eq "MailContact"}
New-ManagementRole -Parent "Mail Recipients" -Name UnitySyncGALContacts
New-ManagementRole -Parent "Mail Recipient Creation" -Name UnitySyncGALContactsCreate
remove-ManagementRoleEntry UnitySyncGALContacts\Add-MailboxFolderPermission -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Add-MailboxPermission -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Add-RecipientPermission -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Add-UnifiedGroupLinks -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Clear-ActiveSyncDevice -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Clear-MobileDevice -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Disable-InboxRule -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Disable-Mailbox -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Enable-InboxRule -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Enable-Mailbox -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-AcceptedDomain -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-ActiveSyncDevice -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-ActiveSyncDeviceStatistics -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-ActiveSyncMailboxPolicy -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-AddressBookPolicy -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-CASMailbox -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-CASMailboxPlan -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-CalendarProcessing -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-GroupMailbox -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-HotmailSubscription -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-ImapSubscription -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-InboxRule -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-LogonStatistics -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-MailUser -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-Mailbox -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-MailboxAutoReplyConfiguration -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-MailboxCalendarConfiguration -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-MailboxCalendarFolder -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-MailboxFolderPermission -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-MailboxFolderStatistics -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-MailboxJunkEmailConfiguration -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-MailboxMessageConfiguration -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-MailboxOverrideConfiguration -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-MailboxPermission -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-MailboxPlan -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-MailboxPreferredLocation -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-MailboxRegionalConfiguration -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-MailboxSpellingConfiguration -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-MailboxStatistics -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-ManagementRoleAssignment -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-MessageCategory -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-MessageClassification -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-MobileDevice -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-MobileDeviceMailboxPolicy -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-MobileDeviceStatistics -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-OnlineMeetingConfiguration -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-OrganizationalUnit -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-OwaMailboxPolicy -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-PopSubscription -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-RbacDiagnosticInfo -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-RecipientPermission -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-RecipientStatisticsReport -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-RoleAssignmentPolicy -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-SendAddress -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-ServiceStatus -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-SiteMailbox -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-SiteMailboxProvisioningPolicy -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-Subscription -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-SyncRequest -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-SyncRequestStatistics -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-ToolInformation -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-UMMailboxPlan -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-UnifiedAuditSetting -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-UnifiedGroup -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-User -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-UserPhoto -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Import-ContactList -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Import-RecipientDataProperty -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\New-InboxRule -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\New-Mailbox -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\New-OwaMailboxPolicy -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\New-UnifiedGroup -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\remove-ActiveSyncDevice -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\remove-HybridConfiguration -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\remove-InboxRule -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\remove-MailboxFolderPermission -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\remove-MailboxPermission -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\remove-MobileDevice -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\remove-OwaMailboxPolicy -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\remove-RecipientPermission -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\remove-Subscription -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\remove-UnifiedGroup -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\remove-UnifiedGroupLinks -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\remove-UserPhoto -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Resume-SyncRequest -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-CASMailbox -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-CalendarProcessing -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-Group -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-GroupMailbox -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-HotmailSubscription -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-ImapSubscription -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-InboxRule -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-LinkedUser -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-MailboxAutoReplyConfiguration -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-MailboxCalendarConfiguration -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-MailboxCalendarFolder -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-MailboxJunkEmailConfiguration -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-MailboxMessageConfiguration -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-MailboxPlan -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-MailboxRegionalConfiguration -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-MailboxSpellingConfiguration -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-PopSubscription -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-SyncRequest -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-UnifiedAuditSetting -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-UnifiedGroup -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-UserPhoto -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Start-AuditAssistant -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Suspend-SyncRequest -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Test-InvitationManager -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Test-MAPIConnectivity -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Test-OAuthConnectivity -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Update-HybridConfiguration -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Write-AdminAuditLog -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-Clutter -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-Clutter -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-OwaMailboxPolicy -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-MailUser -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-Mailbox -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\remove-SyncRequest -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-MailboxLocation -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-User -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-UnifiedGroupLinks -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Disable-JournalArchiving -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Get-ActiveSyncMailboxPolicy -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Get-AddressBookPolicy -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Get-DataEncryptionPolicy -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Get-LinkedUser -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Get-MailUser -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Get-MailboxPlan -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Get-MailboxPreferredLocation -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Get-ManagementRoleAssignment -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Get-MobileDeviceMailboxPolicy -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Get-Notification -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Get-OrganizationalUnit -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Get-RbacDiagnosticInfo -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Get-Recipient -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Get-RoleAssignmentPolicy -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Get-SharingPolicy -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Get-ToolInformation -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Get-UnifiedAuditSetting -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Get-User -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\New-DataEncryptionPolicy -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\New-MailUser -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\New-SchedulingMailbox -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\remove-MailUser -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Set-DataEncryptionPolicy -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Set-MailboxFolderPermission -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Set-Notification -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Set-UnifiedAuditSetting -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Start-AuditAssistant -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Undo-SoftDeletedMailbox -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Write-AdminAuditLog -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\remove-Mailbox -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\New-Mailbox -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Get-Mailbox -Confirm:$false
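
The script above works by removal, so any entry that exists in the parent role but is not named in the list stays in the new role. The following check is an added example, not part of the original article or the UnitySync product: it lists what the two custom roles still allow and shows whether their assignments are limited by a recipient write scope. The allow-list pattern is an assumption to adjust to your own policy, and an Exchange Online PowerShell session is assumed to be connected already.

```powershell
# Added example: audit the two custom roles after the removal script has run.
# Assumes an Exchange Online PowerShell session is already connected.
$roles = 'UnitySyncGALContacts', 'UnitySyncGALContactsCreate'

# Assumption: the only cmdlets the sync account should keep are the
# contact cmdlets plus Get-Recipient. Adjust this pattern to your policy.
$allowPattern = '^(Get|New|Set|Remove)-(Mail)?Contact$|^Get-Recipient$'

# Collect every entry that is still present in each custom role.
$report = foreach ($role in $roles) {
    Get-ManagementRoleEntry "$role\*" | ForEach-Object {
        [pscustomobject]@{
            Role     = $role
            Cmdlet   = $_.Name
            Expected = $_.Name -match $allowPattern
        }
    }
}

# Entries that survived the removal list but fall outside the allow-list.
$unexpected = $report | Where-Object { -not $_.Expected }
if ($unexpected) {
    Write-Warning "$(@($unexpected).Count) role entries are outside the allow-list:"
    $unexpected | Sort-Object Role, Cmdlet | Format-Table Role, Cmdlet -AutoSize
} else {
    Write-Output 'All remaining role entries match the allow-list.'
}

# Show who holds each custom role and which write scope applies.
# An empty CustomRecipientWriteScope means the management scope created
# at the top of the script is not restricting that assignment.
foreach ($role in $roles) {
    Get-ManagementRoleAssignment -Role $role |
        Select-Object Name, RoleAssigneeName, Role,
                      RecipientWriteScope, CustomRecipientWriteScope
}
```

Run it again whenever the roles are recreated, because a role created later copies whatever entries the parent role has at that time.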
