Posh365

0.9.13

Public/Roles/New-GroupManagementRoleWithECPAccess.ps1

                                function New-GroupManagementRoleWithECPAccess {

    <#

    .SYNOPSIS

    This script will create or manage a management role.

    .DESCRIPTION

    It is designed to allow users to modify Exchange Distribution Groups that they already own via ECP

    However, it limits their ability to create or remove Distribution Groups.

    This is commonly used for mailboxes of DG owners migrated to Office 365

    .PARAMETER Name

    Name of the Management Role you want to create

    Defaults to: "ManageDG"

    .PARAMETER Parent

    Base the Role Entries on the Parent Policy

    Defaults to: "Distribution Groups"

    .EXAMPLE

    New-GroupManagementRoleWithECPAccess

    This creates a Management Role named: ManageDG with Role Entries from the Parent 'Distribution Groups'

    It removes the role entries that allow the user to do anything but manage distribution groups via the EMC

    Typically https://hybrid.contoso.com/ecp or similar

    .NOTES

    General notes

    #>

    Param(

        [Parameter()]

        [string] $Name = "ManageDG",

        [Parameter()]

        [string] $Parent = "Distribution Groups"

    )

    If (Get-ManagementRole $Name -erroraction silentlycontinue) {

        Write-Warning "Found a Role with Name: $Name"

        Write-Warning "Check why this Role is already in place"

        Write-Warning "If necessary, rerun with different name parameter"

        break

    }

    Else {

        try {

            New-ManagementRole -Name $Name -Parent $Parent -erroraction stop

            Write-Host "Created Management Role $Name" -ForegroundColor Green

        }

        catch {

            Write-Host "Failed to create Management Role $Name" -ForegroundColor Red

        }

    }

    $Role = Get-ManagementRoleEntry "$Name\*" | Where-Object {

        $_.Name -ne 'Get-Recipient' -and

        $_.Name -ne 'Remove-DistributionGroupMember' -and

        $_.Name -ne 'Add-DistributionGroupMember' -and

        $_.Name -ne 'Update-DistributionGroupMember' -and

        $_.Name -notlike 'Get-*Group*'

    }

    foreach ($CurRole in $Role) {

        $RoleEntry = '{0}\{1}' -f $CurRole.Role, $CurRole.Name

        try {

            Update-RoleEntry -RoleEntry $RoleEntry Remove -erroraction stop

            Write-Host "Successfully Updated Management Role Entry by Removing: $RoleEntry" -ForegroundColor Green

        }

        catch {

            Write-Host "Failed to Update Management Role Entry. Unable to Remove: $RoleEntry" -ForegroundColor Red

        }

    }

    $Roles = $Name

    $RoleGroupName = "User-$Name"

    $RoleGroupSplat = @{

        Name        = $RoleGroupName

        Description = "Members in this management role group can update the membership of the groups they own"

        Roles       = $Roles

    }

    try {

        New-RoleGroup @RoleGroupSplat

        Write-Host "Successfully created Role Group User-$Name" -ForegroundColor Green

    }

    catch {

        Write-Host "Failed to create Role Group User-$Name" -ForegroundColor Red

    }

    $Assignment = $Roles + '-' + $RoleGroupName

    try {

        Set-ManagementRoleAssignment $Assignment -RecipientRelativeWriteScope 'MyDistributionGroups'

        Write-Host "Successfully set Management Role Assignment $($Assignment)" -ForegroundColor Green

    }

    catch {

        Write-Host "Failed to set Management Role Assignment $($Assignment)" -ForegroundColor Red

    }

}