Wednesday, 17 April 2013

Customizing Role Assignment Policies for multi-tenants in Exchange Server 2013: Gal Pictures

When dealing with multi-tenant Exchange Server 2013 (RTM and CU1) behind a Hosting Control Panel that can only feed data into Exchange, rather than read it back out to back-fill the portal, we have to lock down certain elements so that a customer can only edit those aspects via their designated Panel Provider.
In Exchange 2013 this means that, by default in most multi-tenant Hosting Orgs, “MyContactInformation”, “MyPersonalInformation”, “MyMobileInformation” and “MyAddressInformation” are disabled, leaving the tenant to configure this information only from the Hosting Control Panel.
The biggest issue this presents is that a user cannot change their photo within OWA, because “Set-UserPhoto” is locked inside “MyContactInformation”:
1. A user cannot change their picture, so it stays empty, giving an unfulfilling experience in Outlook, OWA and Lync.
2. The logged-in user can’t change their own picture.
3. Other personal information is locked down as well.
If we log into the EAC we can see why: the Default Role Assignment Policy has “MyContactInformation”, “MyPersonalInformation”, “MyMobileInformation” and “MyAddressInformation” disabled. This is standard practice in nearly all Enterprise Hosting environments.
So how can we keep this aspect locked down, allowing co-existence with a Control Panel, while still allowing tenants to upload pictures for a more fulfilling experience?
Let’s take a look at the Management Roles in question in PowerShell. We can do this simply by using “Get-ManagementRole”.
The output shows that “MyContactInformation” owns “Set-UserPhoto”, “Remove-UserPhoto” and “Get-UserPhoto”. We can take this built-in Management Role and derive a custom one from it that allows pictures to be uploaded and used, without exposing the rest of the contact details.
Let’s create a new Management Role using “New-ManagementRole”. We’ll call it “Oliver Test” and create it from the parent “MyContactInformation”.
Now if I view this new Management Role I can see it has all the cmdlets from the parent.
I can now start to customise it by removing the cmdlet entries I do not want. You can see I am using “Get-ManagementRoleEntry” to specify the cmdlet, and then removing it with “Remove-ManagementRoleEntry”. A child role can only lose entries its parent has; it can never gain a cmdlet the parent lacks, so this cannot hand the tenant anything “MyContactInformation” did not already grant.
Once I have cleaned up my Management Role “Oliver Test”, let’s look at what I have left. You can see I now have just the cmdlets needed to allow photos to be uploaded, removed and edited if desired.
Logging back into the EAC I can now see this new Management Role under the Default Role Assignment Policy. I check it to enable it.
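The same procedure from the Exchange Management Shell, as an added example rather than the post’s own commands; it reuses the role name “Oliver Test” from this page and assumes the tenant mailboxes are under the Default Role Assignment Policy:

```powershell
# Added example (not the original post's commands): build a photo-only role from
# MyContactInformation and attach it to the Default Role Assignment Policy.
# Run in the Exchange Management Shell with an account allowed to manage RBAC.

$RoleName = "Oliver Test"   # name used on this page; choose your own in production

# 1. Confirm which built-in role owns the photo cmdlets before copying anything.
Get-ManagementRole -Cmdlet Set-UserPhoto | Select-Object Name

# 2. Create the custom role as a child of MyContactInformation.
New-ManagementRole -Name $RoleName -Parent "MyContactInformation"

# 3. Strip every role entry except the *-UserPhoto cmdlets.
#    A child role can only lose entries, never gain ones the parent lacks,
#    so this step cannot grant more than MyContactInformation already does.
Get-ManagementRoleEntry "$RoleName\*" |
    Where-Object { $_.Name -notlike "*-UserPhoto" } |
    Remove-ManagementRoleEntry -Confirm:$false

# 4. Verify that only Get-/Set-/Remove-UserPhoto remain before assigning anything.
Get-ManagementRoleEntry "$RoleName\*" | Select-Object Name

# 5. Attach the role to the policy (equivalent to ticking it in the EAC).
New-ManagementRoleAssignment -Role $RoleName -Policy "Default Role Assignment Policy"

# 6. Confirm the parent role itself is still not assigned, so the other
#    contact details stay under the Hosting Control Panel's control.
Get-ManagementRoleAssignment -RoleAssignee "Default Role Assignment Policy" |
    Select-Object Role, RoleAssigneeType
```

A mailbox only picks up the new rights if it is governed by this policy; the RoleAssignmentPolicy property returned by Get-Mailbox shows which policy applies to each tenant user.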
Logging back into my tenant user I am now able to change my photo, allowing picture integration into Outlook, OWA and Lync.
Checking the rest of my details, you can see that as before I cannot edit them, preserving the authority of your Hosting Control Panel, which should control these settings.
Finally, let’s log into OWA and Lync and see the new experience!
I hope this helps Hosters to integrate pictures into Exchange 2013 Enterprise. I will look to publish a new blog post in a few weeks on managing different Role Assignment Policies per tenant in Exchange 2013 Enterprise.
Have a great week!

Take care!
Oliver Moazzezi - MVP Exchange Server