I have locked down the ECP for our NOC to only be able to create Mail Recipients (Mailboxes, Contacts, Resources, and Shared).  I cannot figure out how to get rid of the Tools section which allows for the BPA to be run.  Has anyone figured out how to remove that?  I cannot find the Cmdlets associated with it.

Hi Razor,

As BPA doesn't solely depend on Exchange to test it and uses other components as well, hence blocking it fully with RBAC might not be possible.

Its more like a tool seperately running on the system. I don't see any proper documentation on exact account permissions required to run it.

RBAC only restrict you from running exchange related commands via exchange consoles, provided you don't have any external ACL permissions on Exchange.

Below are some requirements, which makes me believe this.

Office 365 Best Practices Analyzer for Exchange Server 2013 Requirements

The computer you run the checks on needs to meet these requirements. We automatically verify you are ready to run the checks when you download the tool.

• Windows Server 2008 R2 or Windows Server 2012 running Exchange Server 2013
• Internet Explorer 9.0 or later      
• PowerShell version 3.0  or later
• Windows RM 3.0 or later
• Azure Active Directory PowerShell module
• Microsoft Online Services Sign-In Assistant
•     Screen Resolution: 1024x768 minimum

Hi,

From your description, I would like to clarify the following thing:

If you don't want the account to run ExBPA successfully, you can remove him from a member of Domain Admins group and view-only organization management role group.

Hope this can be helpful to you.

Best regards,