O365 Permissions = EAS Device Quarantine Question

We are wanting to allow our local helpdesk technicians at each of our sites to have the ability to look at users ActiveSync devices thru the O365 tenant portal. By default we quarantine all EAS devices and manually allow/block or delete device access requests.

These users don't have any admin access on the tenant. As mentioned, we JUST want them to have permission to quarantine/unquarantine user devices via the web interface as they wouldn't have powershell access. They shouldn't have access edit any mailbox features other that the mobile devices for users.

How is this managed? Please provide as granular details as possible and perhaps specific how to's.

I assume a new Role and permissions would required? Then users of the local helpdesk be added?

Thanks in advance.
GCTTechsAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Vasil Michev (MVP)Commented:
You can use the Exchange RBAC. If you want them to ONLY have access to allow/block devices, you can create a custom Role  the cmdlet you need is "Set-CasMailbox" cmdlet.

Here are some articles to get you started:

http://technet.microsoft.com/en-us/library/dd298183(v=exchg.150).aspx

http://technet.microsoft.com/en-us/library/dd298043.aspx

And here is a suitable example that will work in your case:

http://blogs.technet.com/b/exchange/archive/2012/09/12/rbac-walkthrough-of-creating-a-role-that-can-wipe-activesync-devices.aspx
0
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
In order to manage quarantined devices, they must be assigned the "Organization Client Access" administrator role as well as one of the following:

View-Only Recipients
User Options
or
Mail Recipients

Full documentation about this is here:
http://help.outlook.com/en-us/140/Ff969895.aspx

Jeff
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Office 365

From novice to tech pro — start learning today.