I ran into an issue where one of my Exchange scripts didn’t work, “a parameter could not be found that matches the parameter…” Strange error because the parameter is there… Or is it? In this blog post, I will show you how Get-ManagementRole works in Exchange and how it can help you with issues like this.
What does Get-ManagementRole do?
The Get-ManagementRole cmdlet shows you the role-based access control (RBAC) management roles and role groups that give you access to a specified cmdlet—even if your organization has custom roles, custom role groups, or custom role assignments.
When do you use it?
When in doubt, use Get-ManagementRole! As a Consultant, I don’t get all permissions in some of my customer tenants. And when you run inventory scripts against Exchange, and they fail, then you start searching for reasons 🙂
How do you use it for a specific cmdlet?
Before using it, you must either start the Exchange Management Shell on your Exchange Server (or start a PowerShell session on a machine with the Exchange Management Shell snap-in installed and loaded) or use Connect-ExchangeOnline after installing the ExchangeOnlineManagement PowerShell module.
You can now use the Get-ManagementRole cmdlet to display the required roles for a specific cmdlet. For example:
This will display the roles required for showing the Migration batches in your environment. A cmdlet can require one set of permissions while its individual parameters require additional ones. You can also specify a parameter to query the permissions it requires, for example:
This displays the permissions required for the Set-ExternalInOutlook cmdlet. The Enabled parameter, however, requires Organization Configuration, which means that someone with View-Only Configuration permissions can see the Set-ExternalInOutlook cmdlet but cannot use the Enabled parameter. This makes sense, of course; it’s a View-Only role, but this is just an example.
You can also specify multiple parameters if needed:
Note: You must have the View-Only Organization Management or Organization Management role to retrieve this information.
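The per-parameter lookup described above can be combined with a user's role assignments to explain a "parameter could not be found" error: RBAC only exposes the parameters that are part of a role the account holds. The following is an added example, not code from the original post; the function name Compare-CmdletAccess and the user address are assumptions, and it also uses Get-ManagementRoleAssignment, which the post does not cover.

```powershell
# Added example (not from the original post). Run it in an Exchange Management
# Shell or after Connect-ExchangeOnline.
# Compare-CmdletAccess is a hypothetical helper name.
function Compare-CmdletAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Cmdlet,
        [string[]] $CmdletParameters = @(),
        [Parameter(Mandatory)] [string] $User
    )

    # Roles the user holds, directly or through role groups.
    # -Delegating $false skips assignments that only allow delegating a role.
    $held = @(Get-ManagementRoleAssignment -RoleAssignee $User -Delegating $false |
        ForEach-Object { "$($_.Role)" } | Sort-Object -Unique)

    # First row: the cmdlet on its own. Then one row per requested parameter.
    $checks = @($null) + $CmdletParameters
    foreach ($p in $checks) {
        $query = @{ Cmdlet = $Cmdlet; ErrorAction = 'Stop' }
        if ($p) { $query.CmdletParameters = $p }

        # Every management role that contains this cmdlet (and parameter).
        $roles = @(Get-ManagementRole @query | Select-Object -ExpandProperty Name)

        # Roles that grant it AND are held by the user.
        $match = @($roles | Where-Object { $held -contains $_ })

        [pscustomobject]@{
            Cmdlet        = $Cmdlet
            Parameter     = if ($p) { $p } else { '(cmdlet only)' }
            GrantingRoles = $roles -join ', '
            UserHasVia    = $match -join ', '
            Available     = $match.Count -gt 0
        }
    }
}

# Placeholder account; replace with the identity that ran the failing script.
Compare-CmdletAccess -Cmdlet Set-ExternalInOutlook -CmdletParameters Enabled `
    -User 'consultant@contoso.example' |
    Format-Table -AutoSize -Wrap
```

A row with Available set to False for a parameter, while the cmdlet-only row is True, matches the situation in the post: the cmdlet loads in the session but the parameter is not exposed to that account.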
Retrieving all cmdlets and the required permissions
You can also display all the Exchange cmdlets and the required roles by running the following:
Get-ManagementRoleEntry -Identity *\*-* | Sort-Object Name | Out-GridView
This will output the information in an Out-GridView pane like this:
You could also export it to a .csv file like this:
Get-ManagementRoleEntry -Identity *\*-* | Sort-Object Name | Export-Csv -Delimiter ';' -NoTypeInformation -Encoding utf8 -Path c:\data\ExchangeCmdlets.csv
When you open the .csv file, it will look like this:
Note: This outputs the cmdlets and the required roles. If you need the required roles for a specific parameter, use “Get-ManagementRole -Cmdlet XYZ -CmdletParameters XYZ.”