O365 Sample RBAC script to reduce permissions
Created: 2019-01-30 12:13:50Modified: 2023-08-28 15:14:21
Tags: Office 365 System Requirements Troubleshooting UnitySync
When syncing to an Office 365 (O365) tenant we highly recommend the use of an Admin login account. Please refer to the UnitySync Office 365 login requirements before trying to limit permissions.
If you still wish to limit permissions, you may use a role-based access control (RBAC) to reduce permissions on your UnitySync O365 User.
You must create a new RBAC. Using the Exchange Online admin center, add management roles as well as the O365 User account you created for use with UnitySync. Then script the removal of the permissions you want to remove.
For more detailed information, refer to Microsoft tech articles and/or reach out to Microsoft technical support.
IMPORTANT NOTE: The following is an example script for removing Admin rights from your RBAC. Your script may be different depending on your preference and environment.
New-ManagementScope -Name “UnitySync Mail Contacts” -RecipientRestrictionFilter {RecipientType -eq “MailContact”}
New-ManagementRole -Parent “Mail Recipients” -Name UnitySyncGALContacts
New-ManagementRole -Parent “Mail Recipient Creation” -Name UnitySyncGALContactsCreate
remove-ManagementRoleEntry UnitySyncGALContacts\Add-MailboxFolderPermission -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Add-MailboxPermission -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Add-RecipientPermission -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Add-UnifiedGroupLinks -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Clear-ActiveSyncDevice -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Clear-MobileDevice -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Disable-InboxRule -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Disable-Mailbox -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Enable-InboxRule -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Enable-Mailbox -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-AcceptedDomain -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-ActiveSyncDevice -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-ActiveSyncDeviceStatistics -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-ActiveSyncMailboxPolicy -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-AddressBookPolicy -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-CASMailbox -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-CASMailboxPlan -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-CalendarProcessing -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-GroupMailbox -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-HotmailSubscription -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-ImapSubscription -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-InboxRule -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-LogonStatistics -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-MailUser -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-Mailbox -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-MailboxAutoReplyConfiguration -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-MailboxCalendarConfiguration -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-MailboxCalendarFolder -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-MailboxFolderPermission -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-MailboxFolderStatistics -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-MailboxJunkEmailConfiguration -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-MailboxMessageConfiguration -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-MailboxOverrideConfiguration -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-MailboxPermission -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-MailboxPlan -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-MailboxPreferredLocation -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-MailboxRegionalConfiguration -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-MailboxSpellingConfiguration -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-MailboxStatistics -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-ManagementRoleAssignment -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-MessageCategory -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-MessageClassification -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-MobileDevice -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-MobileDeviceMailboxPolicy -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-MobileDeviceStatistics -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-OnlineMeetingConfiguration -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-OrganizationalUnit -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-OwaMailboxPolicy -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-PopSubscription -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-RbacDiagnosticInfo -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-RecipientPermission -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-RecipientStatisticsReport -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-RoleAssignmentPolicy -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-SendAddress -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-ServiceStatus -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-SiteMailbox -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-SiteMailboxProvisioningPolicy -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-Subscription -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-SyncRequest -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-SyncRequestStatistics -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-ToolInformation -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-UMMailboxPlan -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-UnifiedAuditSetting -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-UnifiedGroup -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-User -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-UserPhoto -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Import-ContactList -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Import-RecipientDataProperty -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\New-InboxRule -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\New-Mailbox -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\New-OwaMailboxPolicy -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\New-UnifiedGroup -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\remove-ActiveSyncDevice -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\remove-HybridConfiguration -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\remove-InboxRule -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\remove-MailboxFolderPermission -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\remove-MailboxPermission -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\remove-MobileDevice -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\remove-OwaMailboxPolicy -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\remove-RecipientPermission -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\remove-Subscription -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\remove-UnifiedGroup -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\remove-UnifiedGroupLinks -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\remove-UserPhoto -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Resume-SyncRequest -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-CASMailbox -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-CalendarProcessing -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-Group -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-GroupMailbox -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-HotmailSubscription -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-ImapSubscription -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-InboxRule -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-LinkedUser -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-MailboxAutoReplyConfiguration -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-MailboxCalendarConfiguration -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-MailboxCalendarFolder -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-MailboxJunkEmailConfiguration -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-MailboxMessageConfiguration -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-MailboxPlan -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-MailboxRegionalConfiguration -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-MailboxSpellingConfiguration -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-PopSubscription -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-SyncRequest -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-UnifiedAuditSetting -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-UnifiedGroup -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-UserPhoto -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Start-AuditAssistant -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Suspend-SyncRequest -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Test-InvitationManager -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Test-MAPIConnectivity -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Test-OAuthConnectivity -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Update-HybridConfiguration -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Write-AdminAuditLog -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-Clutter -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-Clutter -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\SetUserPhoto -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-OwaMailboxPolicy -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-MailUser -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-Mailbox -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\remove-SyncRequest -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-MailboxLocation -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Set-User -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContacts\Get-UnifiedGroupLinks -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Disable-JournalArchiving -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Get-ActiveSyncMailboxPolicy -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Get-AddressBookPolicy -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Get-DataEncryptionPolicy -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Get-LinkedUser -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Get-MailUser -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Get-MailboxPlan -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Get-MailboxPreferredLocation -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Get-ManagementRoleAssignment -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Get-MobileDeviceMailboxPolicy -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Get-Notification -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Get-OrganizationalUnit -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Get-RbacDiagnosticInfo -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Get-Recipient -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Get-RoleAssignmentPolicy -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Get-SharingPolicy -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Get-ToolInformation -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Get-UnifiedAuditSetting -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Get-User -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\New-DataEncryptionPolicy -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\New-MailUser -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\New-SchedulingMailbox -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\remove-MailUser -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Set-DataEncryptionPolicy -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Set-MailboxFolderPermission -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Set-Notification -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Set-UnifiedAuditSetting -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Start-AuditAssistant -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Undo-SoftDeletedMailbox -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Write-AdminAuditLog -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\remove-Mailbox -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\New-Mailbox -Confirm:$false
remove-ManagementRoleEntry UnitySyncGALContactsCreate\Get-Mailbox -Confirm:$false