Remove management role entries RRS feed

  • Question

  • In further pursuit of delegating Mobile Device Management for our Exchange Online tenant, I am trying to create custom roles to add to a role group.  Here is what I am trying to do.

    $RolesforMDM = "Get-ActiveSyncOrganizationSettings","Get-ActiveSyncDeviceStatistics","Get-ActiveSyncDevice","Get-Recipient","Get-ActiveSyncMailboxPolicy","Get-CASMailbox","Set-ActiveSyncOrganizationSettings","Set-CASMailbox","Get-ActiveSyncDeviceAccessRule","Set-ActiveSyncDeviceAccessRule","New-ActiveSyncDeviceAccessRule","Set-ActiveSyncMailboxPolicy","New-ActiveSyncMailboxPolicy","Remove-ActiveSyncDevice","Clear-ActiveSyncDevice"
    $MDM_ROLES = "MDM-Mail","MDM-OrgCliAcc","MDM-RecipPol"
    New-Managementrole -Name MDM-Mail -Parent "Mail Recipients"
     New-Managementrole -Name MDM-OrgCliAcc -Parent "Organization Client Access"
     New-Managementrole -Name MDM-RecipPol -Parent "Recipient Policies"
    ForEach ($roleName in $MDM_ROLES)
        Get-ManagementRoleEntry "$roleName\*" | where {$RolesforMDM -notcontains $_.Name} | Remove-ManagementRoleEntry -Confirm:$False
        $entrylist = Get-ManagementRoleEntry "$roleName\*" | Select -ExpandProperty Name
    New-RoleGroup MDM_Admin -Roles $MDM_ROLES

    This is "breaking" trying to pipe the results of the where statement to the Remove-ManagementRoleEntry statement.

    Cannot process argument transformation on parameter 'Identity'. Cannot convert value "MDM-RecipPol" to type

    "Microsoft.Exchange.Configuration.Tasks.RoleEntryIdParameter". Error: "The format of the value you specified in the

    Microsoft.Exchange.Configuration.Tasks.RoleEntryIdParameter parameter isn't valid. Check the value, and then try again.

    Parameter name: identity"

        + CategoryInfo          : InvalidData: (MDM-RecipPol:PSObject) [Remove-ManagementRoleEntry],

    Monday, November 10, 2014 10:30 PM


  • Here was the fix.

    Get-ManagementRoleEntry "$roleName\*" | where {$RolesforMDM -notcontains $_.Name} | %{Remove-ManagementRoleEntry -Identity "$($_.Role)\$($_.Name)" -Confirm:$False}

    • Marked as answer by Jason Cramsey Wednesday, November 12, 2014 7:48 PM
    Wednesday, November 12, 2014 7:48 PM