Exchange Online Migrate Mailbox Permission PowerShell

Hello,

If you want to delegate the permission to migrate mailboxes from Exchange on-premise to Exchange Online without giving global admin permission, you need to create the management role to delegate only the required role entry.

Let’s take, for example, a delegated administrator holding the “Mail Recipients” and “Mail Recipient Creation” management roles with a custom write scope. When he connects to https://outlook.office365.com/ecp (he won’t see any tile on his Office 365 portal home page), he’ll see:

[Image: Default Mail Recipients View]

As you can see, the “Migration” tab is missing. This is due to a lack of permissions.

To be able to migrate users, track progress and export reports, we need to give the connected user access to the following cmdlets:

  • Start-MigrationUser
  • Get-MigrationUser
  • Remove-MigrationUser
  • Stop-MigrationUser
  • Set-MigrationUser
  • Get-MigrationUserStatistics
  • Remove-MigrationBatch
  • Set-MigrationBatch
  • Stop-MigrationBatch
  • Start-MigrationBatch
  • Get-MigrationBatch
  • Complete-MigrationBatch
  • New-MigrationBatch
  • Export-MigrationReport
  • Get-MigrationStatistics
  • Get-MigrationEndpoint

To do this, we’ll use PowerShell as follows:

# Create the new management role as a child of the built-in 'Migration' role.
# It starts with every role entry of its parent; we trim it down right after.
New-ManagementRole -Name 'Mailbox Migration' -Parent 'Migration'

# Remove every role entry that is not one of the cmdlets listed above
# (the *-MigrationBatch and *-MigrationUser cmdlets plus the three read/report cmdlets).
Get-ManagementRoleEntry -Identity 'Mailbox Migration\*' |
    Where-Object -FilterScript {
        ($_.Name -notlike '*-MigrationBatch') -and
        ($_.Name -notlike '*-MigrationUser') -and
        ($_.Name -ne 'Export-MigrationReport') -and
        ($_.Name -ne 'Get-MigrationStatistics') -and
        ($_.Name -ne 'Get-MigrationEndpoint')
    } |
    ForEach-Object {
        Remove-ManagementRoleEntry -Identity "Mailbox Migration\$($_.Name)" -Confirm:$false
    }

# Assign the management role to a role group (required for the ECP tab to appear) and add the members.
New-RoleGroup -Name 'Mailbox Migration' -Description 'Allow mailbox migration' -Members user@itfordummies.net -Roles 'Mailbox Migration'

Note: replace user@itfordummies.net with the users you want to delegate to.

Those three commands create all the management objects needed to delegate those cmdlets. Log off, wait about 15 minutes, log on again, and the tab is now visible:

[Image: Modified Mail Recipients View]

If it’s too soon, you’ll get:

[Image: 15 minutes delay]

When the tab is there, you can try to perform a migration:

[Image: Delegated Migration Tab]

Now your IT support can perform migrations without being able to modify the migration configuration. We removed the following cmdlets from the management role:

  • Write-AdminAuditLog
  • Set-Notification
  • Set-MailUser
  • Get-Notification
  • Get-Clutter
  • Set-Clutter
  • Set-MigrationConfig
  • Set-MigrationEndpoint
  • Get-MigrationConfig
  • Remove-MigrationEndpoint
  • Test-MigrationServerAvailability
  • New-MigrationEndpoint

Conclusion

We saw how to delegate to your IT support only the permissions required for mailbox migration; the same approach works for any other Exchange Online permission you want to delegate.
