Applies to: Exchange Server 2013, Exchange Online

Topic Last Modified: 2012-10-09

If you want to customize the permissions that you assign to a group of end users, create a new custom management role assignment policy. The assignment policy you create can be customized to suit your end user's specific requirements. For more information about assignment policies in Microsoft Exchange Server 2013, see Understanding Management Role Assignment Policies.

Looking for other management tasks related to managing permissions? Check out Permissions.

What do you need to know before you begin?

  • Estimated time to complete each procedure: 5 minutes

  • You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Assignment policies" entry in the Role Management Permissions topic.

  • For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard Shortcuts in the Exchange Admin Center.

Tip:
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection

What do you want to do?

Add an assignment policy

After you've created the new assignment policy, you assign users to it. For more information, see Change the Assignment Policy on a Mailbox.

Use the EAC to create a new assignment policy

Note:
You can only create explicit assignment policies using the Exchange Administration Center (EAC). If you want to create a new default assignment policy, you must use the Exchange Management Shell. For more information, see the "Use the Shell to create a default assignment policy" section later in this topic.
  1. In the EAC, navigate to Permissions > User Roles and then click Add Add Icon.

  2. In the role assignment policy window, provide a name for the new assignment policy.

  3. Select the check box next to the role or roles you want to add to the assignment policy. You can select multiple roles, including end-user roles you've added. If you select a role that has child roles, the child roles are automatically selected.

  4. Click Save to save the changes to the assignment policy.

Use the Shell to create an explicit assignment policy

To create an explicit assignment policy that can be manually assigned to mailboxes, use the following syntax.

Copy Code
New-RoleAssignmentPolicy <assignment policy name> -Roles <roles to assign>

This example creates the explicit assignment policy Limited Mailbox Configuration and assigns the MyBaseOptions, MyAddressInformation, and MyDisplayName roles to it.

Copy Code
New-RoleAssignmentPolicy "Limited Mailbox Configuration" -Roles MyBaseOptions, MyAddressInformation, MyDisplayName

For detailed syntax and parameter information, see New-RoleAssignmentPolicy.

Use the Shell to create a default assignment policy

To create a default assignment policy assigned to new mailboxes, use the following syntax.

Copy Code
New-RoleAssignmentPolicy <assignment policy name> -Roles <roles to assign> -IsDefault

This example creates the default assignment policy Limited Mailbox Configuration and assigns the MyBaseOptions, MyAddressInformation, and MyDisplayName roles to it.

Copy Code
New-RoleAssignmentPolicy "Limited Mailbox Configuration" -Roles MyBaseOptions, MyAddressInformation, MyDisplayName -IsDefault

For detailed syntax and parameter information, see New-RoleAssignmentPolicy.

Remove an assignment policy

If you no longer need a management role assignment policy, you can remove it.

What do you need to know before you begin?

  • All users assigned the assignment policy must be changed to another assignment policy. For more information about how to change an assignment policy on a mailbox, see Change the Assignment Policy on a Mailbox.

  • All the management role assignments between the assignment policy and the assigned management roles must be removed. For more information about how to remove a role assignment from an assignment policy, see the Use the Shell to remove a role from an assignment policy section later in this topic.

  • If you want to remove a default assignment policy, it must be the last assignment policy in the Exchange 2013 organization.

Use the EAC to remove an assignment policy

  1. In the EAC, navigate to Permissions > User Roles.

  2. Select the assignment policy you want to remove, and then click Delete Delete Icon.

Use the Shell to remove an assignment policy

To remove an assignment policy, use the following syntax.

Copy Code
Remove-RoleAssignmentPolicy <role assignment policy>

This example removes the New York Temporary Users assignment policy.

Copy Code
Remove-RoleAssignmentPolicy "New York Temporary Users"

For detailed syntax and parameter information, see Remove-RoleAssignmentPolicy.

View a list of assignment policies or assignment policy details

You can view management role assignment policies in a variety of ways, depending on the information you want and whether you're using the EAC or the Shell.

In the EAC, you can view the list of assignment policies and the roles assigned to them. In the Shell, you can view all the assignment policies in your organization, list the mailboxes assigned a specific policy, and more.

Use the EAC to view a list of assignment policies

  1. In the EAC, navigate to Permissions > User Roles. All of the assignment policies in the organization are listed here.

  2. To view the details of a specific assignment policy, select the assignment policy you want to view. The description and the roles assigned to the assignment policy are displayed in the details pane.

Use the Shell to view a list of assignment policies

You can view a list of all the assignment policies in your organization by not specifying any assignment policies when you run the Get-RoleAssignmentPolicy cmdlet.

This procedure makes use of pipelining and the Format-Table cmdlet. For more information about these concepts, see the following topics:

To return a list of all assignment policies in your organization, use the following command.

Copy Code
Get-RoleAssignmentPolicy

To return a list of specific properties for all the assignment policies in your organization, you can pipe the results to the Format-Table cmdlet and specify the properties you want in the list of results. Use the following syntax.

Copy Code
Get-RoleAssignmentPolicy | Format-Table <property 1>, <property 2...>

This example returns a list of all the assignment policies in your organization and includes the Name and IsDefault properties.

Copy Code
Get-RoleAssignmentPolicy | Format-Table Name, IsDefault

For detailed syntax and parameter information, see Get-Mailbox or Get-RoleAssignmentPolicy.

Use the Shell to view the details of a single assignment policy

You can view the details of a specific assignment policy by using the Get-RoleAssignmentPolicy cmdlet and piping the output to the Format-List cmdlet.

This procedure makes use of pipelining and the Format-List cmdlet. For more information about these concepts, see the following topics:

To view the details of a specific assignment policy, use the following syntax.

Copy Code
Get-RoleAssignmentPolicy <assignment policy name> | Format-List

This example views the details about the Redmond Users - no Text Messaging assignment policy.

Copy Code
Get-RoleAssignmentPolicy "Redmond Users - no Text Messaging" | Format-List

For detailed syntax and parameter information, see Get-Mailbox or Get-RoleAssignmentPolicy.

Use the Shell to find the default assignment policy

You can find the default assignment policy by piping the output of the Get-RoleAssignmentPolicy cmdlet to the Where cmdlet. With the Where cmdlet, filter the data returned to display only the assignment policy that has its IsDefault property set to $True.

This procedure makes use of pipelining and the Where cmdlet. For more information about these concepts, see the following topics:

This example returns the default assignment policy.

Copy Code
Get-RoleAssignmentPolicy | Where { $_.IsDefault -eq $True }

For detailed syntax and parameter information, see Get-Mailbox or Get-RoleAssignmentPolicy.

Use the Shell to view mailboxes that are assigned a specific policy

You can find all the mailboxes assigned a specific assignment policy by piping the output of the Get-Mailbox cmdlet to the Where cmdlet. With the Where cmdlet, filter the data returned to display only the mailboxes that have their RoleAssignmentPolicy property set to the assignment policy name you specify.

This procedure makes use of pipelining and the Where cmdlet. For more information about these concepts, see the following topics:

Use the following syntax.

Copy Code
Get-Mailbox | Where { $_.RoleAssignmentPolicy -Eq "<role assignment policy>" }

This example finds all the mailboxes assigned the policy Vancouver End Users.

Copy Code
Get-Mailbox | Where { $_.RoleAssignmentPolicy -Eq "Vancouver End Users" }

For detailed syntax and parameter information, see Get-Mailbox or Get-RoleAssignmentPolicy.

Change the default assignment policy

You can change the management role assignment policy assigned to new mailboxes that are created. Changing the default role assignment policy doesn’t change the assignment policy assigned to existing mailboxes. To change the assignment policy assigned to existing mailboxes, see Change the Assignment Policy on a Mailbox.

Note:
You can't use the EAC to change the default assignment policy. You need to use the Shell.

Use the Shell to change the default assignment policy

To change the default assignment policy, use the following syntax.

Copy Code
Set-RoleAssignmentPolicy <assignment policy name> -IsDefault

This example sets the Vancouver End Users assignment policy as the default assignment policy.

Copy Code
Set-RoleAssignmentPolicy "Vancouver End Users" -IsDefault
Important:
New mailboxes are assigned the default assignment policy even if the policy hasn't been assigned management roles. Mailboxes assigned assignment policies with no assigned management roles can't access any mailbox configuration features in Microsoft Outlook Web App.

For detailed syntax and parameter information, see Set-RoleAssignmentPolicy.

Add a role to an assignment policy

Use the EAC to add a role to an assignment policy

  1. In the EAC, navigate to Permissions > User Roles.

  2. Select the assignment policy you want to add one or more roles to, and then click Edit Edit Icon.

  3. Select the check box next to the role or roles you want to add to the assignment policy. You can select multiple roles, including end-user roles you've added. If you select a role that has child roles, the child roles are automatically selected.

  4. Click Save to save the changes to the assignment policy.

Use the Shell to add a role to an assignment policy

To create a management role assignment between a role and an assignment policy, use the following syntax.

Copy Code
New-ManagementRoleAssignment -Name <role assignment name> -Role <role name> -Policy <assignment policy name>

This example creates the role assignment Seattle Users - Voicemail between the MyVoicemail role and the Seattle Users assignment policy.

Copy Code
New-ManagementRoleAssignment -Name "Seattle Users - Voicemail" -Role MyVoicemail -Policy "Seattle Users"

For detailed syntax and parameter information, see New-ManagementRoleAssignment.

Remove a role from an assignment policy

If you don't want end users to have permissions to manage certain features of their mailbox or distribution group, you can remove the management role that grants the permissions from the management role assignment policy to which the user is assigned. If other users are assigned the same assignment policy, they also lose the ability to manage that feature.

Use the EAC to remove a role from an assignment policy

  1. In the EAC, navigate to Permissions > User Roles.

  2. Select the assignment policy you want to remove one or more roles from, and then click Edit Edit Icon .

  3. Clear the check box next to the role or roles you want to remove from the assignment policy. If you clear the check box for a role that has child roles, the check boxes for the child roles are also cleared.

  4. Click Save to save the changes to the assignment policy.

Use the Shell to remove a role from an assignment policy

You can remove roles from assignment policies by retrieving the associated management role assignment using the Get-ManagementRoleAssignment cmdlet and then piping the role assignment returned to the Remove-ManagementRoleAssignment cmdlet.

For more information about regular and delegating role assignments, see Understanding Management Role Assignments.

This procedure uses pipelining. For more information about pipelining, see Pipelining.

To remove a role from an assignment policy, use the following syntax.

Copy Code
Get-ManagementRoleAssignment -RoleAssignee <assignment policy name> -Role <role name> | Remove-ManagementRoleAssignment

This example removes the MyVoicemail management role, which enables users to manage their voice mail options, from the Seattle Users assignment policy.

Copy Code
Get-ManagementRoleAssignment -RoleAssignee "Seattle Users" -Role MyVoicemail | Remove-ManagementRoleAssignment

For detailed syntax and parameter information, see Remove-ManagementRoleAssignment.