mail@pastecode.io avatar
6 months ago
2.1 kB
#Requires -Modules ExchangeOnlineManagement,ImportExcel

# Check/Connect to EXO
$Connections = Get-ConnectionInformation
If (-Not ( $Connections.ConnectionUri -match 'outlook\.office365\.com' ) ) {
    Connect-ExchangeOnline -ShowBanner:$False # Connect to EXO

$NewRoleName = 'Example_HelpDesk'
New-ManagementRole -Name $NewRoleName -Parent 'Mail Recipients'
$AllCmdEntries = Get-ManagementRoleEntry "$NewRoleName\*"

# I only added param exclusions to try and filter out the various "default" PowerShell parameters (ErrorAction, etc.)
# That said, while I did not do any parameter level filtering it was still helpful to reduce parameter noise when reviewing
# the Excel file to determine if there were any parameters I needed to remove. Leaving here in case it's useful for you, otherwise
# you can mostly ignore this as it will still output the relevant data to Excel for you to manipulate later.
$ParamExclusions = '(Confirm|ErrorAction|ErrorVariable|^Out(Buf|Var)|^Warning(Action|Variable)|WhatIf)'
$Results = Foreach ($Item in $AllCmdEntries) {
    $Params = $Item.Parameters | Where-Object { $_ -notmatch $ParamExclusions } | Sort-Object
        Name       = $Item.Name
        Parameters = ($Params -join "; ")

$RoleFile = "C:\Temp\RoleEntries-$NewRoleName.xlsx"
$Results | Export-Excel $RoleFile

# Now open the Excel file and *REMOVE* whatever commands you want to *BLOCK* from this role.
# Any commands left in the Excel file will be *ALLOWED* on the role.
# Save the Excel file with the relevant changes.

$AllowedCmdlets = Import-Excel $RoleFile | Select-Object -ExpandProperty Name

### I saved both version below...and I'm not sure why, so I'd urge you to do some testing #
# Remove commands (Option 1)
Get-ManagementRoleEntry "$NewRoleName\*" | Where-Object Name -NotIn $AllowedCmdlets | Remove-ManagementRoleEntry
# Remove commands (Option 2)
Get-ManagementRoleEntry "$NewRoleName\*" | Where-Object Name -NotIn $AllowedCmdlets | ForEach-Object {
    Remove-ManagementRoleEntry "$NewRoleName\$($_.Name)" -Confirm:$False