About Exchange role-based access control (RBAC)

To implement the Cloud Extender® correctly for integration with Exchange, the Cloud Extender service account must have Organization Administrator (2007), Organization Management (2010, 2013, 2016), and Global Administrator (Office 365) rights (the highest-level roles available for the Exchange domain).

The Organization Administrator, Organization Management, and Global Administrator roles might contain additional access rights that are not required by the Cloud Extender. You can restrict the Cloud Extender from accessing these additional rights. Microsoft provides the role-based access control (RBAC) feature to address this issue.

For Exchange 2010 and later, use RBAC to create a custom role group in Active Directory that is limited to the requirements of the Cloud Extender service. Assign this role group to the Cloud Extender service account instead of granting Organization Administrator rights; the Cloud Extender then functions correctly with only the rights it needs. RBAC is not available in Exchange 2007.

Requirements

You can create a custom role group in Exchange 2010, 2013, 2016, or Office 365. To create a custom role group, follow these steps:
  1. Identify the rights that are needed for the role.
    The Cloud Extender uses the following PowerShell commands to communicate with the Exchange server:
    Table 1. PowerShell commands used by the Cloud Extender

    | PowerShell command | Description |
    |---|---|
    | Get-PSSnapin | Determines the available PowerShell snap-ins for Exchange ActiveSync. |
    | Add-PSSnapin | Adds the available Exchange ActiveSync snap-in. |
    | Get-CASMailbox | Gathers a list of mailboxes and displays mailbox attributes. |
    | Set-CASMailbox | Changes settings on user mailboxes. |
    | Get-ActiveSyncDeviceStatistics | Gathers a list of devices and displays device attributes. |
    | Get-MobileDeviceStatistics | Exchange 2013 or Office 365 Wave 15 version of Get-ActiveSyncDeviceStatistics. |
    | Get-ActiveSyncMailboxPolicy | Gathers a list of policies and displays policy attributes. |
    | Get-MobileDeviceMailboxPolicy | Exchange 2013 or Office 365 Wave 15 version of Get-ActiveSyncMailboxPolicy. |
    | New-ActiveSyncMailboxPolicy | Creates a mailbox policy. |
    | New-MobileDeviceMailboxPolicy | Exchange 2013 or Office 365 Wave 15 version of New-ActiveSyncMailboxPolicy. |
    | Remove-ActiveSyncMailboxPolicy | Removes a mailbox policy. |
    | Remove-MobileDeviceMailboxPolicy | Exchange 2013 or Office 365 Wave 15 version of Remove-ActiveSyncMailboxPolicy. |
    | Set-ActiveSyncMailboxPolicy | Associates a policy with a user's mailbox. |
    | Set-MobileDeviceMailboxPolicy | Exchange 2013 or Office 365 Wave 15 version of Set-ActiveSyncMailboxPolicy. |
    | Clear-ActiveSyncDevice | Wipes a device or cancels a wipe request. |
    | Clear-MobileDevice | Exchange 2013 or Office 365 Wave 15 version of Clear-ActiveSyncDevice. |
    | Remove-ActiveSyncDevice | Removes a device association with a mailbox. |
    | Remove-MobileDevice | Exchange 2013 or Office 365 Wave 15 version of Remove-ActiveSyncDevice. |
    | Get-ActiveSyncOrganizationSettings | Exchange 2010, 2013, Office 365: determines the Auto-Quarantine state. |
    | Set-ActiveSyncOrganizationSettings | Exchange 2010, 2013, Office 365: sets a new Auto-Quarantine default access level. |
    | Get-ExchangeServer | Retrieves a list of Exchange servers and reports the server role and version. |
    | Get-Recipient | Counts the number of mailboxes. |
  2. Identify pre-defined roles within the Exchange server that have access to the PowerShell commands that are used by the Cloud Extender.

    To create a new role in Exchange, you must derive the new role from one or more existing roles in the Exchange server. Since each pre-defined role contains a different set of access rights, you must create multiple custom roles to encompass the complete list of PowerShell commands that are required by the Cloud Extender.

  3. Create custom roles in the Exchange server that inherit from the identified existing roles.

    Each custom role is derived from a single existing role, so the set of custom roles mirrors the set of existing roles identified in step 2.

  4. Remove unnecessary PowerShell commands from the new custom roles.

    The administrator can restrict access to the PowerShell commands that are not required by the Cloud Extender.

  5. Create a role group that combines all the new custom roles.

    Assign this final role group to the Cloud Extender service account.

Base roles

Use the following five base roles as the templates for the custom roles (each custom role is derived from one of them):
  • Organization Client Access
  • Mail Recipients
  • View-Only Configuration
  • Recipient Policies
  • User Options

When combined, these five roles contain access to all the PowerShell commands that the Cloud Extender requires to function. However, the best approach is to create a new custom role group that encompasses only the access rights to the PowerShell commands that are used by the Cloud Extender, rather than assigning the five base roles unchanged. See Creating custom roles in Office 365 for more information.
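The five-step procedure above, applied to the five base roles in this list, as an added example that is not part of the original page or the Cloud Extender product. It assumes an Exchange Management Shell session (or a remote PowerShell session to Exchange Online) held by an administrator who can manage RBAC, a placeholder service account named svc-cloudextender, and custom role names prefixed CloudExtender-.

```powershell
# Added example (not from the original page). Assumes an Exchange Management Shell
# session with rights to manage RBAC; 'svc-cloudextender' and the 'CloudExtender-'
# role name prefix are placeholders chosen for this example.

# Step 1: the cmdlets the Cloud Extender needs (Table 1).
$RequiredCmdlets = @(
    'Get-PSSnapin', 'Add-PSSnapin',
    'Get-CASMailbox', 'Set-CASMailbox',
    'Get-ActiveSyncDeviceStatistics', 'Get-MobileDeviceStatistics',
    'Get-ActiveSyncMailboxPolicy', 'Get-MobileDeviceMailboxPolicy',
    'New-ActiveSyncMailboxPolicy', 'New-MobileDeviceMailboxPolicy',
    'Remove-ActiveSyncMailboxPolicy', 'Remove-MobileDeviceMailboxPolicy',
    'Set-ActiveSyncMailboxPolicy', 'Set-MobileDeviceMailboxPolicy',
    'Clear-ActiveSyncDevice', 'Clear-MobileDevice',
    'Remove-ActiveSyncDevice', 'Remove-MobileDevice',
    'Get-ActiveSyncOrganizationSettings', 'Set-ActiveSyncOrganizationSettings',
    'Get-ExchangeServer', 'Get-Recipient'
)

# Step 2: list which built-in roles expose each cmdlet. Get-PSSnapin and
# Add-PSSnapin are core PowerShell cmdlets, not Exchange role entries, so
# they are expected to show no role here.
foreach ($c in $RequiredCmdlets) {
    $roles = (Get-ManagementRole -Cmdlet $c | Select-Object -ExpandProperty Name) -join ', '
    '{0,-40} {1}' -f $c, $roles
}

# Steps 3 and 4: derive one custom role from each base role, then remove
# every role entry (cmdlet) that is not on the required list.
$BaseRoles = 'Organization Client Access', 'Mail Recipients',
             'View-Only Configuration', 'Recipient Policies', 'User Options'
$CustomRoles = foreach ($base in $BaseRoles) {
    $name = "CloudExtender-$base"
    New-ManagementRole -Name $name -Parent $base | Out-Null
    Get-ManagementRoleEntry "$name\*" |
        Where-Object { $RequiredCmdlets -notcontains $_.Name } |
        Remove-ManagementRoleEntry -Confirm:$false
    $name
}

# Step 5: one role group that combines the custom roles, assigned to the service account.
New-RoleGroup -Name 'Cloud Extender Service' -Roles $CustomRoles -Members 'svc-cloudextender'

# Check: every role entry reachable through the new group should be on the required
# list. This pipeline prints nothing when the least-privilege goal has been met.
Get-ManagementRoleAssignment -RoleAssignee 'Cloud Extender Service' |
    ForEach-Object { Get-ManagementRoleEntry "$($_.Role)\*" } |
    Where-Object { $RequiredCmdlets -notcontains $_.Name }
```

Run the step 2 loop first and confirm that every cmdlet except the two snap-in cmdlets maps to at least one of the five base roles before creating anything; any cmdlet that maps to none would need an additional base role.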