In Exchange Online, you can use the Exchange admin center to assign admin roles or end-user roles to users. You can perform those same tasks by connecting to Exchange Online using Windows PowerShell. However, there are some tasks that can only be done in Windows PowerShell.
To access the Exchange admin center, in the Office 365 portal, click Admin > Exchange.
To connect to Exchange Online using Windows PowerShell, see Connect to Exchange Online Using Remote PowerShell.
To manage admin roles in the Exchange admin center, select Permissions > Admin roles.
Here you can create and delete custom role groups, assign or remove admin roles from role groups, and manage the membership of role groups. For more information, see the following Help topics:
These are the tasks involving admin roles that you can only do in Windows PowerShell:
- Create custom write scopes: The write scope defines the administrative boundary of the roles assigned to the role group. In other words, the write scope defines where members of the role group can make changes. For built-in admin roles that allow users to modify objects, the default write scope is the entire organization. However, you can create a custom write scope based on recipient filters, also known as a recipient filter scope, to give users targeted administrative permissions. For more information, see Create a Regular or Exclusive Scope.
- Create exclusive write scopes: An exclusive write scope is a type of recipient filter scope that isolates specific mailboxes so they can be managed by designated admins only. For more information, see Create a Regular or Exclusive Scope.
If you make certain customizations to a role group using Windows PowerShell, you'll lose the ability to fully manage the role group using the Exchange admin center. Specifically, you'll have to use Windows PowerShell to add or remove roles from the role group or to modify the write scope of the roles assigned to the role group. Here are the actions that cause this:
- Assigning an end-user role to a role group
- Assigning a role to a role group using a different write scope than the other roles
- Assigning a role to a role group using an exclusive write scope
To add or remove roles from these role groups, you can use the New-ManagementRoleAssignment or Remove-ManagementRoleAssignment cmdlets. To view or change the write scope of the role assignments, use the Get-ManagementRoleAssignment or Set-ManagementRoleAssignment cmdlets.
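To find which role groups already carry one of the three customizations listed above, you can audit the role assignments. The following script is an added example, not part of the original Help topic; it assumes an Exchange Online PowerShell session is already connected, and the variable names and report layout are illustrative. The scope comparison is a heuristic that looks only at custom recipient write scopes.

```powershell
# Added audit example; assumes a connected Exchange Online PowerShell session.
# Variable names and the report shape are illustrative, not from the Help topic.

# Names of the roles that Exchange marks as end-user roles.
$endUserRoles = @(Get-ManagementRole |
    Where-Object { $_.IsEndUserRole } |
    ForEach-Object { $_.Name })

$report = foreach ($group in Get-RoleGroup) {
    # Role assignments made directly to this role group.
    $assignments = @(Get-ManagementRoleAssignment -RoleAssignee $group.Name -RoleAssigneeType RoleGroup)
    if ($assignments.Count -eq 0) { continue }

    # 1. An end-user role assigned to the role group.
    $hasEndUserRole = @($assignments |
        Where-Object { $endUserRoles -contains "$($_.Role)" }).Count -gt 0

    # 2. Roles assigned with differing custom write scopes
    #    (an empty value means the role's default write scope applies).
    $customScopes = @($assignments |
        ForEach-Object { "$($_.CustomRecipientWriteScope)" } |
        Sort-Object -Unique)
    $hasMixedScopes = $customScopes.Count -gt 1

    # 3. A role assigned with an exclusive write scope.
    $hasExclusiveScope = @($assignments |
        Where-Object { "$($_.RecipientWriteScope)" -eq 'ExclusiveRecipientScope' }).Count -gt 0

    if ($hasEndUserRole -or $hasMixedScopes -or $hasExclusiveScope) {
        [pscustomobject]@{
            RoleGroup      = $group.Name
            EndUserRole    = $hasEndUserRole
            MixedScopes    = $hasMixedScopes
            ExclusiveScope = $hasExclusiveScope
            CustomScopes   = ($customScopes | Where-Object { $_ }) -join ', '
        }
    }
}

# Role groups listed here need Windows PowerShell for role and scope changes.
$report | Format-Table -AutoSize
```

Running this periodically also gives you a record of where targeted or exclusive scopes are in use, which is useful when reviewing who can administer which mailboxes.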
End-user roles
To manage end-user roles in the Exchange admin center, select Permissions > User roles.
Here you can create, modify, and delete role assignment policies, and assign and remove end-user roles from role assignment policies. For more information, see Manage Role Assignment Policies.
By default, an Exchange Online organization has one role assignment policy, and that role assignment policy is automatically designated as the default policy that's applied to all mailboxes you create. Although you can create role assignment policies in the Exchange Control Panel, you specify the default role assignment policy using Windows PowerShell. For more information, see Manage Role Assignment Policies.
You can change the role assignment policy that's applied to an existing mailbox in the Mailbox Settings section in the properties of the mailbox in the Exchange admin center. For more information, see Change the Assignment Policy on a Mailbox.