Code Doesn’t Check for a Modified Role Assignment Policy
Message center notification MC762509 (published 30 March 2024) marks Microsoft’s latest attempt to rid itself of some of the lingering bits of the old Exchange admin center (EAC). The notification announces that the old Exchange Control Panel (ECP) component that allows OWA users to manage distribution lists will be replaced by a modernized version that brings users to a page belonging to the new EAC.
Microsoft brought back the old ECP component in July 2023 when their previous attempt at modernizing distribution list management failed. This time round, Microsoft plans to deploy the change in early April 2024 and complete the worldwide roll-out in early May.
The Value of Role Assignment Policies
Unhappily, problems exist in the modernized version. It looks like the developers never heard of Exchange role-based access control (RBAC) and the ability to remove options from OWA users through user role assignment policies. Most organizations probably don’t try to customize the default role assignment policy, perhaps because they don’t know that such an adaptable mechanism exists.
A role assignment policy works by revealing OWA functionality to users if they are allowed to run the cmdlets that underpin different pieces of functionality. For instance, to display the set of distribution lists that they belong to, a user must be able to run the Get-DistributionGroup cmdlet. To update the settings of distribution lists, they must be able to run the Set-DistributionGroup cmdlet, and so on. Role assignments within the policy dictate what a user can do through OWA settings, such as updating their autosignature.
Role assignment policies only affect the OWA client. They don’t affect how Outlook for Windows or Mac work (including the new Outlook client) or how Outlook mobile works.
Modified Role Assignments for Distribution List Management
Coming back to distribution list management, Microsoft 365 Groups don’t exist in Exchange Server, and it is common to find that organizations allow users to manage distribution lists, especially the membership of lists that the user owns. Allowing users to create new distribution lists isn’t such a good idea as it can lead to a sprawl of lists in the GAL, like the way that end users can create a terrible mess if allowed to create teams without approval.
The solution is to create a custom role assignment policy that allows users to maintain distribution lists that they own while not being able to create new distribution lists. The change is easy to make and the block on creating new distribution lists is effective soon after assigning the policy to user mailboxes with the Set-Mailbox cmdlet:
Set-Mailbox -Identity Ben.Owens -RoleAssignmentPolicy 'Restricted Group Management'
Figure 1 shows the effect of the restricted role assignment policy. No option is available to create new distribution lists, but the user can edit any of the distribution lists they own.
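One way to build the restricted policy described above, shown as an added example rather than the author's own script. It assumes an Exchange Online PowerShell session opened with Connect-ExchangeOnline by an account that can manage roles; the custom role name is hypothetical, while the policy name and mailbox are the ones used on this page.

```powershell
# Added example (not from the original article).
$PolicyName = 'Restricted Group Management'    # policy name used on this page
$RoleName   = 'MyDistributionGroups-NoCreate'  # hypothetical custom role name
$Mailbox    = 'Ben.Owens'                      # mailbox used on this page

# 1. Built-in roles are read-only, so create a child of MyDistributionGroups
#    whose entries can be trimmed.
if (-not (Get-ManagementRole -Identity $RoleName -ErrorAction SilentlyContinue)) {
    New-ManagementRole -Name $RoleName -Parent 'MyDistributionGroups' | Out-Null
}

# 2. Remove the entry that lets users create distribution lists. The entries
#    for editing lists the user owns (Set-DistributionGroup and so on) stay.
$EntryId = "$RoleName\New-DistributionGroup"
if (Get-ManagementRoleEntry -Identity $EntryId -ErrorAction SilentlyContinue) {
    Remove-ManagementRoleEntry -Identity $EntryId -Confirm:$false
}

# 3. Build the policy from the default policy's roles, swapping the built-in
#    MyDistributionGroups role for the trimmed copy so nothing else changes.
if (-not (Get-RoleAssignmentPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    $Default = Get-RoleAssignmentPolicy | Where-Object { $_.IsDefault }
    $Roles   = @($Default.AssignedRoles |
                 Where-Object { $_ -ne 'MyDistributionGroups' }) + $RoleName
    New-RoleAssignmentPolicy -Name $PolicyName -Roles $Roles | Out-Null
}

# 4. Assign the policy to the mailbox (same command as in the article).
Set-Mailbox -Identity $Mailbox -RoleAssignmentPolicy $PolicyName

# 5. Verify: the create cmdlet must be absent from the custom role, the edit
#    cmdlet present, and the mailbox must report the new policy.
[pscustomobject]@{
    Mailbox       = $Mailbox
    Policy        = (Get-Mailbox -Identity $Mailbox).RoleAssignmentPolicy
    CreateBlocked = -not (Get-ManagementRoleEntry -Identity $EntryId `
                          -ErrorAction SilentlyContinue)
    CanEditOwned  = [bool](Get-ManagementRoleEntry `
                          -Identity "$RoleName\Set-DistributionGroup" `
                          -ErrorAction SilentlyContinue)
}
```

The block enforced here is at the cmdlet level, which is why it still holds when a client UI fails to hide the option.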

Alas, things don’t go so well with the new EAC component. First, no block is implemented to prevent users from attempting to create new distribution lists. Second, if a restricted role assignment policy blocks a user from creating new distribution lists, they only find out at the final stage when EAC signals an error that they’re not allowed to run the New-DistributionGroup cmdlet (Figure 2). The error arises because the role assignment policy blocks the ability of the user to run the cmdlet.

Distribution Lists Get No Respect
Distribution lists continue to be very useful in any Exchange Online tenant. In particular, dynamic distribution lists are very powerful. Ten years after the introduction of Office 365 Groups (in preview), Microsoft’s attempts to convince customers to move distribution lists to (the renamed) Microsoft 365 Groups are a flop. Sure, Microsoft 365 Groups come with a SharePoint Online site, but the simplicity of a distribution list is exactly what’s needed in many situations. Many of those sites remain unused and empty, with the equivalent of digital tumbleweed blowing through their document libraries.
Failing to adequately test new code for managing distribution lists before launching it on the innocent public is just another reminder that Microsoft is intent on making distribution lists the Rodney Dangerfield of Microsoft 365. That’s a real pity.