Recently I had a client request to remove the ability for their Office 365 users to create distribution lists on their own, yet continue to be able to manage their membership in distribution lists they are already a part of or IT has created. In order to maintain a company standard, this customer wanted to have IT create all distribution lists, then give admins of that list the ability to maintain its membership.
This company was using DirSync, so the majority of their distribution lists are synced from AD; this example applies only to cloud-managed distribution lists.
The default setting in EAC > permissions > user roles > Default Role Assignment Policy is to have "MyDistributionGroups" selected, which "enables individual users to create, modify and view distribution groups and modify, view, remove, and add members to distribution groups they own."
My goal was just to remove the ability to create these lists. Here are the steps to accomplish that.
Connect to O365 via PowerShell using this article
Create a new Management Role with MyDistributionGroups as its parent; this makes it available to the Default Policy.
New-ManagementRole -Parent 'MyDistributionGroups' -name 'removeCreateGroupRights'
Remove the ability to create a new distribution group from the new Management Role.
Remove-ManagementRoleEntry "removeCreateGroupRights\New-DistributionGroup"
Once this is complete, you need to go to the default policy in Permissions > User Roles > Default policy, uncheck "MyDistributionGroups" and check "removeCreateGroupRights". If you leave both checked, nothing actually changes.
Wait about 15 – 20 minutes, then log in as a normal user and go to Settings > Groups; the + sign to create a new group will no longer be there. **This can take up to 48 hours to propagate, but in my experience it's usually done in under 30 minutes.**
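To confirm the change from PowerShell rather than waiting for the + sign to disappear, the following read-only check is an added example and not part of the original post. It assumes an already connected Exchange Online session and that the policy is named "Default Role Assignment Policy" as shown in the EAC; the function name Test-GroupCreationRemoved is hypothetical.

```powershell
# Added example: read-only check, makes no changes to the tenant.
# Assumes a connected Exchange Online PowerShell session.
$policy = 'Default Role Assignment Policy'   # policy name as shown in the EAC
$custom = 'removeCreateGroupRights'          # role created in the steps above
$cmdlet = 'New-DistributionGroup'

function Test-GroupCreationRemoved {
    param([string]$Policy, [string]$CustomRole, [string]$Cmdlet)

    $findings = @()

    # The custom role should no longer hold an entry for the create cmdlet.
    $entry = Get-ManagementRoleEntry "$CustomRole\*" |
        Where-Object { $_.Name -eq $Cmdlet }
    if ($entry) { $findings += "$CustomRole still contains $Cmdlet" }

    # The custom role must actually be assigned to the policy.
    $assigned = Get-ManagementRoleAssignment -Role $CustomRole -RoleAssignee $Policy `
        -ErrorAction SilentlyContinue
    if (-not $assigned) { $findings += "$CustomRole is not assigned to '$Policy'" }

    # Role grants are additive: any other enabled role on the policy that
    # contains the cmdlet (for example MyDistributionGroups left checked)
    # gives the ability straight back.
    foreach ($role in Get-ManagementRole -Cmdlet $Cmdlet) {
        $hit = Get-ManagementRoleAssignment -Role $role.Name -RoleAssignee $Policy `
            -ErrorAction SilentlyContinue | Where-Object { $_.Enabled }
        if ($hit) {
            $findings += "'$Policy' still grants $Cmdlet through role $($role.Name)"
        }
    }
    return $findings
}

$result = @(Test-GroupCreationRemoved -Policy $policy -CustomRole $custom -Cmdlet $cmdlet)
if ($result.Count -eq 0) {
    Write-Output "OK: no role on '$policy' grants $cmdlet"
} else {
    $result | ForEach-Object { Write-Warning $_ }
}
```

A clean result only confirms the role configuration; the user-facing change still takes the propagation time noted above.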
How to back out of this change
Check the box "MyDistributionGroups" to return to the original permissions. This takes about 15 - 20 minutes to apply again.
Remove the new Management Role
Remove-ManagementRole removeCreateGroupRights
After changes
Once all permissions have finished applying, everything will look/work exactly the same for the end user with the exception of the + to allow them to create a group no longer being available.