RBAC role to manage end-user contacts through ECP (Exchange Control Panel)

There might be a requirement to delegate the management of contacts for all staff, especially to the HR team, since changes to a staff member's position title, phone numbers, city, extension and address happen randomly across all staff.

It's better to delegate this task alone to an HR team member so that help desk calls for changing this information are reduced. There is also no need to wait for the help desk team to make these changes.

Basically, we can create a custom RBAC role and assign it to an HR staff member, who will then be able to manage this task through ECP.

Create a new management role:

New-ManagementRole -Parent "Mail Recipients" -Name "Contact Management"


Now we need to create a new role group.

Create a new role group:

New-RoleGroup -Name "Contact Editor" -Roles "Contact Management"


Remove all of the unwanted cmdlets from the newly created role, since we want to grant only the bare minimum permission needed to modify the contacts.

Get-ManagementRoleEntry "Contact Management\*" | Where-Object { $_.Name -ne "Set-User" } | Remove-ManagementRoleEntry

Add only the required entries for the new role.

Set-ManagementRoleEntry "Contact Management\Set-User" -Parameters Phone,City,Fax,MobilePhone,Department,Title,StreetAddress


Assign the role to the HR user:

New-ManagementRoleAssignment -Role "Contact Management" -User TestITHRAdmin



Run the command below to check that only the Set-User entry, with the editable parameters above, is assigned to the role:

Get-ManagementRoleEntry "Contact Management\*"

When the person holding this RBAC role logs in to ECP, he will be able to manage only the AD contacts.
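The verification step above can be scripted so that drift in the role is caught later. The following is an added example, not part of the original post: it compares role entries against an allow-list and reports any cmdlet or parameter beyond it. `Test-RoleEntryScope` is a hypothetical helper name, the sample entries are constructed, and the allow-list assumes the Set-User parameter names for the fields the post lists.

```powershell
# Added example: least-privilege check for the custom role described above.
# Test-RoleEntryScope is a hypothetical helper, not an Exchange cmdlet.
function Test-RoleEntryScope {
    param(
        # Objects exposing Name and Parameters, as Get-ManagementRoleEntry returns
        [Parameter(Mandatory)] [object[]]  $Entries,
        # Cmdlet name -> parameter names the role is allowed to expose
        [Parameter(Mandatory)] [hashtable] $Allowed
    )
    foreach ($entry in $Entries) {
        if (-not $Allowed.ContainsKey($entry.Name)) {
            # A cmdlet that should have been removed from the role is still present
            [pscustomobject]@{ Cmdlet = $entry.Name; Finding = 'Unexpected cmdlet'; Detail = '' }
            continue
        }
        # Parameters granted on an allowed cmdlet that are not in the allow-list
        $extra = @($entry.Parameters | Where-Object { $_ -notin $Allowed[$entry.Name] })
        if ($extra.Count -gt 0) {
            [pscustomobject]@{
                Cmdlet  = $entry.Name
                Finding = 'Unexpected parameter'
                Detail  = ($extra -join ',')
            }
        }
    }
}

# Allow-list: only Set-User, only the contact fields from the post (assumed names)
$allowed = @{
    'Set-User' = 'Phone','City','Fax','MobilePhone','Department','Title','StreetAddress'
}

# Constructed sample shaped like Get-ManagementRoleEntry output:
# one over-broad Set-User entry and one cmdlet that should not be in the role
$sample = @(
    [pscustomobject]@{ Name = 'Set-User';    Parameters = 'Phone','City','Title','Manager' }
    [pscustomobject]@{ Name = 'Set-Mailbox'; Parameters = 'DisplayName' }
)

Test-RoleEntryScope -Entries $sample -Allowed $allowed | Format-Table -AutoSize

# Against a live Exchange Management Shell session:
# Test-RoleEntryScope -Entries (Get-ManagementRoleEntry "Contact Management\*") -Allowed $allowed
```

An empty result means the role exposes nothing beyond the allow-list; any row returned is a permission that should be removed from the role.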