Creating custom roles in Office 365

You can create a custom role group called MaaS360 CE Role Group that is limited only to the roles and cmdlets that are required for the Cloud Extender® Exchange ActiveSync module.

Office 365 Custom Role Creation PowerShell script

MaaS360 provides the Office 365 Custom Role Creation PowerShell script: O365CustomRoleCreation.ps1 (ZIP file). This script uses the Microsoft RBAC feature to create custom role groups in your Office 365 instance that contain only the cmdlets used by the Cloud Extender for the Exchange ActiveSync module.

Creating custom roles for the MaaS360 CE Role Group management role group

After you run the Office 365 Custom Role Creation PowerShell script, the following five custom roles are created and assigned to a new management role group called MaaS360 CE Role Group:
  • MaaS360 CE Organization Management
  • MaaS360 CE Mail Recipients
  • MaaS360 CE Server Information
  • MaaS360 CE Policy Management
  • MaaS360 CE Device Management

When this custom role group is created, you can create basic user accounts and assign those accounts to this custom role group. You can use the accounts that are members of the MaaS360 CE Role Group as Cloud Extender service accounts.

Procedure

To create custom Office 365 roles, follow these steps:
  1. Copy the O65CustomRoleCreation.ps1 PowerShell script to the desktop of the server where the Cloud Extender is installed.
  2. Right-click on the script, and then select Open with > Windows PowerShell.
  3. Enter your Office 365 Global Admin Account credentials.
    The PowerShell script opens a PowerShell session with your Office 365 instance. This script runs a clean-up operation to remove any previous versions of the MaaS360 CE Role Group and its component roles. The script then creates new roles and removes all cmdlets except the cmdlets that are needed by the Cloud Extender.
    PowerShell script
    When the new roles are created and configured, the script creates a new role group for MaaS360 CE Role Group.
    PowerShell script
    When the new MaaS360 CE Role Group is created, a message is displayed that the group was created.
    PowerShell script
  4. Log in to the Office 365 console with your Global admin account credentials to confirm that the new role group was created in Roles > Admin roles.
    New MaaS360 custom role group
  5. Click Edit to add your Cloud Extender accounts to the MaaS360 CE Role Group.
    MaaS360 CE Role Group add members
  6. In the Members section, click the plus (+) icon to search for members and add your Cloud Extender accounts to this role group. You can also add multiple accounts from this window.
    Note: You can use the following cmdlet to add members to the MaaS360 CE Role Group: Add-RoleGroupMember –identity “MaaS360 CE Role Group” –member email@domain.com
    MaaS360 CE Role Group
  7. Click OK, and then click Save. The custom accounts are now members of the MaaS360 CE Role Group.
    MaaS360 CE Role Group members