I’m in the process of migrating a school domain from Exchange 2016 to Exchange Online (Full Hybrid). I’ve noticed that in Outlook on the web, users are able to right-click their inbox (or any other mailbox folder), click Permissions and give other users read and write access to their folders. I want to prevent pupils from accessing this feature, or at least prevent them from adding permissions/sharing their folders (i.e. read-only access). Unfortunately, pupils occasionally enjoy trying to delete each other’s work, etc., so I think it’s best they don’t have access to folder permissions.
From my research I have found that anything which isn’t covered by an OWA Mailbox Policy can be controlled using RBAC (i.e. Role Based Access Control). So I set up and assigned a policy to a test account and removed access to the Set-MailboxFolderPermission cmdlets as shown below.
Connect-ExchangeOnline
New-ManagementRole -Name "MyBaseOptions-ForPupils" -Parent "MyBaseOptions"
New-RoleAssignmentPolicy -Name "Test Pupil Role" -Roles "MyBaseOptions-ForPupils", "MyMailSubscriptions"
Get-Mailbox -Identity firstname.lastname@example.org | Set-Mailbox -RoleAssignmentPolicy "Test Pupil Role"
Remove-ManagementRoleEntry -Identity "MyBaseOptions-ForPupils\Add-MailboxFolderPermission"
Remove-ManagementRoleEntry -Identity "MyBaseOptions-ForPupils\Set-MailboxFolderPermission"
Remove-ManagementRoleEntry -Identity "MyBaseOptions-ForPupils\Remove-MailboxFolderPermission"
This didn’t work, so I also tried removing the following cmdlets to see if it would remove access to the Permissions feature altogether, but wasn’t sure if this would cause any problems.
Remove-ManagementRoleEntry -Identity "MyBaseOptions-ForPupils\Get-MailboxFolderPermission"
Remove-ManagementRoleEntry -Identity "MyBaseOptions-ForPupils\Get-EXOMailboxFolderPermission"
I haven’t noticed any problems, but the feature is still accessible and the test account can still add, edit and remove folder permissions. I have checked that the cmdlets I have removed are not in the MyMailSubscriptions role (which I also assigned to the test account), and they are not.
As a test I ran the following commands and the Auto Reply settings disappeared from the UI a few minutes later, so the policy has definitely applied.
Remove-ManagementRoleEntry -Identity "MyBaseOptions-ForPupils\Get-MailboxAutoReplyConfiguration"
Remove-ManagementRoleEntry -Identity "MyBaseOptions-ForPupils\Set-MailboxAutoReplyConfiguration"
I also authenticated PowerShell as the test account, i.e.
Connect-ExchangeOnline -UserPrincipalName email@example.com
and confirmed that the account is not able to access the cmdlets which I removed.
Is anybody able to tell me how to get this working please, or if it is even possible?
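As an added example (not part of the original post), here is a PowerShell check that walks every management role assigned through the policy and lists any folder-permission cmdlet still granted by one of them, so a removed role entry can be confirmed and any second role that still grants the cmdlet can be spotted. It reuses the policy and mailbox names from the question and assumes an already open Connect-ExchangeOnline session; the cmdlets used are standard Exchange Online RBAC cmdlets.

```powershell
# Added example, not from the original post. Assumes an open Connect-ExchangeOnline
# session with permission to read RBAC configuration.
$PolicyName  = "Test Pupil Role"                     # policy name from the question
$TestMailbox = "firstname.lastname@example.org"     # placeholder mailbox from the question
$Pattern     = "*MailboxFolderPermission"            # matches Add-/Set-/Remove-/Get-/Get-EXO... variants

# 1. Confirm which role assignment policy the test mailbox is actually using.
$mbx = Get-Mailbox -Identity $TestMailbox
"Mailbox '$TestMailbox' uses policy: $($mbx.RoleAssignmentPolicy)"

# 2. Collect every role directly assigned to the policy (the policy is the role assignee).
$roles = Get-ManagementRoleAssignment -RoleAssignee $PolicyName |
         Select-Object -ExpandProperty Role

# 3. For each role, list any surviving folder-permission role entries.
#    Get-ManagementRoleEntry errors when nothing matches, so suppress that case.
foreach ($role in $roles) {
    $entries = Get-ManagementRoleEntry -Identity "$role\$Pattern" -ErrorAction SilentlyContinue
    if ($entries) {
        foreach ($e in $entries) {
            "STILL GRANTED: $($e.Role)\$($e.Name)"
        }
    } else {
        "OK: role '$role' grants no cmdlet matching $Pattern"
    }
}
```

Any line reported as STILL GRANTED names a role that still carries a folder-permission cmdlet after the Remove-ManagementRoleEntry runs above; an all-OK result confirms the cmdlets are gone from every role the policy assigns, which narrows the question to whether the Outlook on the web Permissions dialog is governed by those role entries at all.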