Manage DL Members in OWA Without Allowing DL Creation – A Practical Solution

Today, I'd like to share a real-world workaround that solves a common issue in Microsoft 365: giving users the ability to manage Distribution List (DL) members through Outlook on the Web (OWA) without giving them permission to create or delete DLs. This is a frequent request for organizations focused on strict governance and efficient delegation.

The Challenge

A client recently encountered a problem where a user was unable to manage Distribution Group (DG) members via OWA. After some investigation, we discovered that the MyDistributionGroups role was not included in their role assignment policy.

While enabling this role would solve the immediate issue, it comes with a significant drawback: it also grants the user the ability to create and delete DLs. For organizations with strict governance policies or those that prefer centralized DL creation, this isn't an ideal scenario.

The Goal

Our objective was clear: Allow users to manage the members of existing Distribution Groups (DGs) in OWA, but definitively block them from creating new DLs or deleting existing ones.

The Solution: Create a Custom Role

The power of Exchange Online's Role-Based Access Control (RBAC) came to the rescue! Here’s how we solved it, step-by-step:

1. Create a Custom Management Role

We started by creating a new custom management role, basing it on the MyDistributionGroups role. This gives us a copy of all its permissions, which we can then modify.

New-ManagementRole -Name "Edit-Existing-DG-Only" -Parent MyDistributionGroups

2. Remove Unwanted Cmdlets

Next, we removed the specific cmdlets that allow for DL creation and deletion from our newly created custom role. This is the core of our solution!

Remove-ManagementRoleEntry Edit-Existing-DG-Only\New-DistributionGroup
Remove-ManagementRoleEntry Edit-Existing-DG-Only\Remove-DistributionGroup

3. Verify the Entries

It’s always good practice to verify your changes. This command helps ensure that the creation and deletion rights are indeed gone from your custom role.

Get-ManagementRoleEntry "Edit-Existing-DG-Only\*"

You should see that New-DistributionGroup and Remove-DistributionGroup are no longer listed for this role.

4. Create a New Role Assignment Policy

Now, we create a new role assignment policy. This policy will include our custom role along with other standard user roles that provide essential OWA functionalities (like managing contact information, retention policies, etc.).

New-RoleAssignmentPolicy -Name "DG-Management-Members-Only" -Roles Edit-Existing-DG-Only, MyContactInformation, MyRetentionPolicies, MyMailSubscriptions, MyTextMessaging, MyVoiceMail, MyDistributionGroupMembership, MyProfileInformation

Note: MyDistributionGroupMembership is important for users to manage their own membership in DGs, which is often desired.

5. Assign the New Policy to a Mailbox

To apply this policy to a specific user, use the Set-Mailbox cmdlet:

Set-Mailbox -Identity john@contoso.com -RoleAssignmentPolicy DG-Management-Members-Only

Remember to replace john@contoso.com with the actual user's email address.

6. Apply to All Mailboxes (If Needed)

For larger deployments, you can apply this new policy to all existing user mailboxes:

Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited | Set-Mailbox -RoleAssignmentPolicy DG-Management-Members-Only

7. Set as the Default Policy (Optional)

To ensure that newly created mailboxes automatically inherit this policy, you can set it as the default role assignment policy for your organization:

Set-RoleAssignmentPolicy -Identity DG-Management-Members-Only -IsDefault
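The whole procedure above as one re-runnable script, added here as an example rather than taken from the original post. It assumes an existing Exchange Online PowerShell session with rights to manage RBAC, reuses the role and policy names from the post, and treats john@contoso.com as a placeholder; the verification step fails loudly if either creation or deletion cmdlet is still present in the custom role.

```powershell
# Added example (not from the original post). Assumes Connect-ExchangeOnline
# has already been run with an account allowed to manage RBAC.
$RoleName   = 'Edit-Existing-DG-Only'
$PolicyName = 'DG-Management-Members-Only'
$Mailbox    = 'john@contoso.com'        # placeholder, replace with a real user
$Blocked    = @('New-DistributionGroup', 'Remove-DistributionGroup')
$PolicyRoles = @(
    $RoleName, 'MyContactInformation', 'MyRetentionPolicies',
    'MyMailSubscriptions', 'MyTextMessaging', 'MyVoiceMail',
    'MyDistributionGroupMembership', 'MyProfileInformation'
)

# 1. Clone MyDistributionGroups only if the custom role does not exist yet
if (-not (Get-ManagementRole -Identity $RoleName -ErrorAction SilentlyContinue)) {
    New-ManagementRole -Name $RoleName -Parent MyDistributionGroups | Out-Null
}

# 2. Remove the entries that allow creating or deleting groups
foreach ($Cmdlet in $Blocked) {
    $Entry = "$RoleName\$Cmdlet"
    if (Get-ManagementRoleEntry $Entry -ErrorAction SilentlyContinue) {
        Remove-ManagementRoleEntry $Entry -Confirm:$false
    }
}

# 3. Verify: the role must no longer contain either blocked cmdlet
$Remaining = Get-ManagementRoleEntry "$RoleName\*" | Select-Object -ExpandProperty Name
$Leak = $Blocked | Where-Object { $Remaining -contains $_ }
if ($Leak) { throw "Role $RoleName still grants: $($Leak -join ', ')" }
Write-Host "Role $RoleName retains: $($Remaining -join ', ')"

# 4. Create the assignment policy with the custom role plus the standard user roles
if (-not (Get-RoleAssignmentPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-RoleAssignmentPolicy -Name $PolicyName -Roles $PolicyRoles | Out-Null
}

# 5. Assign the policy to one mailbox and confirm the assignment took effect.
#    In OWA the user will still only see groups that list them as an owner (ManagedBy).
Set-Mailbox -Identity $Mailbox -RoleAssignmentPolicy $PolicyName
(Get-Mailbox -Identity $Mailbox).RoleAssignmentPolicy
```

Steps 6 and 7 (bulk assignment and making the policy the default) are deliberately left out of the script so a first run affects only the one placeholder mailbox.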

Result: Success!

With these steps implemented, the user can now confidently manage Distribution List members directly from Outlook Web App, just as required, but without any ability to create new groups or delete existing ones.

This is a fantastic example of how granular role customization in Exchange Online can help organizations strike the perfect balance between user flexibility and robust security and governance. It demonstrates the power of PowerShell in tailoring your Microsoft 365 environment to your exact needs.
