Update find-exchange-cmdlet-permissions.md

chrisda · chrisda · commit d63b7cf715f3 · 2021-01-07T11:07:37.000-08:00
Issue #7037
diff --git a/exchange/docs-conceptual/find-exchange-cmdlet-permissions.md b/exchange/docs-conceptual/find-exchange-cmdlet-permissions.md
@@ -33,18 +33,20 @@ You can use PowerShell to find the permissions required to run any Exchange or E
 
 ## Use PowerShell to find the permissions required to run a cmdlet
 
-1. Open the PowerShell environment where you want to run the cmdlet.
+1. If you haven't already, open the Exchange PowerShell environment that you're interested in:
 
    - **Exchange Online**: [Connect to Exchange Online PowerShell](connect-to-exchange-online-powershell.md).
 
    - **Exchange Server**: [Open the Exchange Management Shell](open-the-exchange-management-shell.md) or [Connect to Exchange servers using remote PowerShell](connect-to-exchange-servers-using-remote-powershell.md).
 
-2. Run the following command to identify the cmdlet and, optionally, one or more parameters on the cmdlet. Be sure to replace `<Cmdlet>` and optionally, `<Parameter1>,<Parameter2>,...` with the actual cmdlet and parameter names you are interested in. If you specify multiple parameters separated by commas, only the roles that include **all** of the parameters are returned.
+2. Replace `<Cmdlet>` and optionally, `<Parameter1>,<Parameter2>,...` with the values that you want to use, and run the following command:
 
    ```powershell
    $Perms = Get-ManagementRole -Cmdlet <Cmdlet> [-CmdletParameters <Parameter1>,<Parameter2>,...]
    ```
 
+   **Note**: If you specify multiple parameters separated by commas, only roles that include the cmdlet with **all** of the parameters are returned.
+
 3. Run the following command:
 
    ```powershell
@@ -57,78 +59,95 @@ The results contain the following information:
 
 - **Role**: Indicates the role that gives access to the cmdlet or the combination of cmdlet and parameters. Note that role names that begin with "My" are user roles that allow regular users to operate on objects they own (for example, their own mailbox or their distribution groups).
 
-- **RoleAssigneeType** and **RoleAssigneeName**: These values are inter-related. **RoleAssigneeType** is the type of object that has the role assigned to it, and **RoleAssigneeName** is the name of the object. **RoleAssigneeType** can be a role group, role assignment policy, security group, or user. Typically, administrator roles are assigned to role groups.
+- **RoleAssigneeType** and **RoleAssigneeName**: These values are inter-related:
+  - **RoleAssigneeType** is the type of object that has the role assigned to it. For administrator roles, this value is typically a role group, but it can also be a role assignment policy, a security group, or a user.
+  - **RoleAssigneeName** is the name of the role group, role assignment policy, security group, or user.
 
 ## Troubleshooting
 
 What if there are no results?
 
 - Verify that you entered the cmdlet and parameter names correctly.
 
-- You might have entered too many parameters, and all of the parameters on the cmdlet aren't defined in a single role. Try specifying only the cmdlet name in Step 2, and run Step 3 to verify that the cmdlet is available in your environment. Then, add parameters one at a time to Step 2 before running Step 3.
+- The parameters that you specified aren't defined for a cmdlet in a single role. Try specifying only the cmdlet name in the first command before you run the second command. Then, add the parameters one at a time to the first command before you run the second command until the command returns no results.
 
-- These possible causes have the same solution:
+Otherwise, no results are likely caused by one of the following conditions:
 
-  - You might have entered a cmdlet or parameters that are defined in a role that isn't assigned to anyone by default.
+- The cmdlet or parameters are defined in a role that isn't assigned to any role group by default.
+- The cmdlet or parameters aren't available in your environment. For example, you specified an Exchange Online cmdlet or Exchange Online parameters in an on-premises Exchange environment.
 
-  - You might have entered a cmdlet or parameter that isn't available in your environment. For example, when you enter an Exchange Online cmdlet or parameters in an on-premises Exchange 2016 environment.
+To find the roles in your environment (if any) that contain the cmdlet or parameters, replace `<Cmdlet>` and optionally, `<Parameter1>,<Parameter2>,...` with the values that you want to use and run the following command:
 
-  Run the following command to find the role that contains the cmdlet or parameters. Be sure to replace `<Cmdlet>` and optionally, `<Parameter1>,<Parameter2>,...` with the actual cmdlet and parameter names you are interested in. Note that you can use wildcard characters (*) in the cmdlet and parameter names (for example, `*-Mailbox*`).
+```powershell
+Get-ManagementRoleEntry -Identity *\<Cmdlet>  [-Parameters <Parameter1>,<Parameter2>,...]
+```
 
-  ```powershell
-  Get-ManagementRoleEntry -Identity *\<Cmdlet>  [-Parameters <Parameter1>,<Parameter2>,... ]
-  ```
+**Note**: You can use wildcard characters (*) in the cmdlet and parameter names (for example, `*-Mailbox*`).
 
-  - If the command returns an error saying the object couldn't be found, the cmdlet or parameters aren't available in your environment.
+If the command returns an error saying the object couldn't be found, the cmdlet or parameters aren't available in your environment.
 
-  - If the command returns one or more entries for **Name**, **Role**, and **Parameters**, the cmdlet (or parameters on the cmdlet) is available in your environment, but the required role isn't assigned to anyone. To see all roles that aren't assigned to anyone, run the following command:
+If the command returns results, the cmdlet or parameters are available in your environment, but the required role isn't assigned to any role groups. To see all roles that aren't assigned to any role groups, run the following command:
 
-    ```powershell
-    $na = Get-ManagementRole ; $na | foreach {If ((Get-ManagementRoleAssignment -Role $_.Name -Delegating $false) -eq $null) {$_.Name}}
-    ```
+```powershell
+$na = Get-ManagementRole; $na | foreach {If ((Get-ManagementRoleAssignment -Role $_.Name -Delegating $false) -eq $null) {$_.Name}}
+```
 
 ## Related procedures
 
-- Management role scopes define where cmdlets can operate (in particular, write scopes).
+### Include management role scopes
+
+Management role scopes (in particular, write scopes) define where cmdlets can operate. For example, the entire organization or only on specific user objects.
+
+To include scope information in the [Use PowerShell to find the permissions required to run a cmdlet](#use-powershell-to-find-the-permissions-required-to-run-a-cmdlet) output, add `*Scope*` to the second command:
+
+```powershell
+$Perms | foreach {Get-ManagementRoleAssignment -Role $_.Name -Delegating $false | Format-List Role,RoleAssigneeType,RoleAssigneeName,*Scope*}
+```
+
+For more information about management role scopes, see [Understanding management role scopes](https://docs.microsoft.com/exchange/understanding-management-role-scopes-exchange-2013-help).
+
+### Find all roles assigned to a specific user
+
+To see all roles assigned to a specific user, replace `<UserIdentity>` with the name, alias, or email address of the user and run the following command:
+
+```powershell
+Get-ManagementRoleAssignment -RoleAssignee <UserIdentity> -Delegating $false | Format-Table -Auto Role,RoleAssigneeName,RoleAssigneeType
+```
 
-  To include scope information in Step 2, substitute the following command:
+For example:
 
-  ```powershell
-  $Perms | foreach {Get-ManagementRoleAssignment -Role $_.Name -Delegating $false | Format-List Role,RoleAssigneeType,RoleAssigneeName,*Scope*}
-  ```
+```powershell
+Get-ManagementRoleAssignment -RoleAssignee julia@contoso.com -Delegating $false | Format-Table -Auto Role,RoleAssigneeName,RoleAssigneeType
+```
 
-- To see all roles assigned to a specific user, run the following command:
+**Note**: The _RoleAssignee_ parameter returns both direct role assignments to users (uncommon) and indirect role assignments granted to the user through their membership in role groups.
 
-  ```powershell
-  Get-ManagementRoleAssignment -RoleAssignee <UserIdentity> -Delegating $false | Format-Table -Auto Role,RoleAssigneeName,RoleAssigneeType
-  ```
+### Find all users who have a specific role assigned
 
-  For example:
+To see all users who have a specific role assigned to them, replace `<Role name>` with the name of the role and run the following command:
 
-  ```powershell
-  Get-ManagementRoleAssignment -RoleAssignee julia@contoso.com -Delegating $false | Format-Table -Auto Role,RoleAssigneeName,RoleAssigneeType
-  ```
+```powershell
+Get-ManagementRoleAssignment -Role "<Role name>" -GetEffectiveUsers -Delegating $false | Where-Object {$_.EffectiveUserName -ne "All Group Members"} | Format-Table -Auto EffectiveUserName,Role,RoleAssigneeName,AssignmentMethod
+```
 
-- To see all users who are assigned a specific role, run the following command:
+For example:
 
-  ```powershell
-  Get-ManagementRoleAssignment -Role "<Role name>" -GetEffectiveUsers -Delegating $false | Where-Object {$_.EffectiveUserName -ne "All Group Members"} | Format-Table -Auto EffectiveUserName,Role,RoleAssigneeName,AssignmentMethod
-  ```
+```powershell
+Get-ManagementRoleAssignment -Role "Mailbox Import Export"  -GetEffectiveUsers -Delegating $false | Where-Object {$_.EffectiveUserName -ne "All Group Members"} | Format-Table -Auto EffectiveUserName,Role,RoleAssigneeName,AssignmentMethod
+```
 
-  For example:
+### Find the members of a role group
 
-  ```powershell
-  Get-ManagementRoleAssignment -Role "Mailbox Import Export"  -GetEffectiveUsers -Delegating $false | Where-Object {$_.EffectiveUserName -ne "All Group Members"} | Format-Table -Auto EffectiveUserName,Role,RoleAssigneeName,AssignmentMethod
-  ```
+To see the members of a specific role group, replace `<Role group name>` with the name of the role group and run the following command:
 
-- To see the members of a specific role group, run the following command:
+```powershell
+Get-RoleGroupMember "<Role group name>"
+```
 
-  ```powershell
-  Get-RoleGroupMember "<Role group name>"
-  ```
+For example:
 
-  For example:
+```powershell
+Get-RoleGroupMember "Organization Management"
+```
 
-  ```powershell
-  Get-RoleGroupMember "Organization Management"
-  ```
+**Note**: To see the names of all available role groups, run `Get-RoleGroup`.
