RBAC: Associating a Command With Specific Groups

NOTE: This post – drafted, composed, written, and published by me – originally appeared on https://blogs.technet.microsoft.com/johnbai and is potentially (c) Microsoft.

In some scenarios, it becomes prudent to know which role is able to run which command. We can find out which groups are able to run which commands via the following syntax:

Get-ManagementRoleEntry *\<command>

For example, if you wanted to know who could run ‘Get-CalendarDiagnosticLog’, you would run the following command:

Get-ManagementRoleEntry *\Get-CalendarDiagnosticLog

If you want to check a list of commands, such as when you’re following official documentation, you can create a text file with each command on a separate line and obtain a list of groups:

Get-Content .\CMDs.txt | ForEach-Object{Write-Host -ForegroundColor Green $_;Get-ManagementRoleEntry *\$_ | FT -AutoSize}
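
The following is an added example, not part of the original post. Get-ManagementRoleEntry lists the management roles that contain a command; this function follows each of those roles through Get-ManagementRoleAssignment to the role groups, users or policies the role is assigned to, which is useful when reviewing least privilege. It assumes an Exchange Management Shell session and the CMDs.txt file used above; the function name Get-CommandRoleAssignee is hypothetical.

```powershell
# Added example: assumes it is run inside the Exchange Management Shell.
function Get-CommandRoleAssignee {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]
        [string]$Command
    )
    process {
        $Command = $Command.Trim()
        # A blank line in the input file would produce the query '*\'; skip it.
        if (-not $Command) { return }

        # Every management role that contains an entry for this command.
        $entries = Get-ManagementRoleEntry "*\$Command" -ErrorAction SilentlyContinue
        if (-not $entries) {
            Write-Warning "No management role entry found for '$Command'"
            return
        }

        foreach ($entry in $entries) {
            # Role assignments link a role to a role group, user or policy.
            Get-ManagementRoleAssignment -Role $entry.Role |
                Select-Object @{n = 'Command'; e = { $Command }},
                              @{n = 'Role';    e = { $entry.Role }},
                              RoleAssigneeName,
                              RoleAssigneeType,
                              RoleAssignmentDelegationType,
                              Enabled
        }
    }
}

# One row per command / role / assignee, read from the same file as above.
Get-Content .\CMDs.txt |
    Get-CommandRoleAssignee |
    Sort-Object Command, Role, RoleAssigneeName |
    Format-Table -AutoSize
```

Rows whose RoleAssigneeType is RoleGroup name the groups that can run the command; rows with Enabled set to False are assignments that exist but are not currently in effect.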