Monthly Archives: July 2015

Limiting access to Executive Mailboxes in Exchange Online

In my last blog post, I wrote about how the new workload-specific role feature in Office 365 grants too much administrative ability when you simply want to restrict access to VIP mailboxes.

In this blog post, I will describe how you can create management “Scopes” to define boundaries so that external helpdesk organizations will not have the ability to manage your executives.

“Exclusive scopes are a special type of explicit management scope that can be associated with management role assignments. Exclusive scopes are designed to enable situations where you have a group of highly valuable objects, such as a CEO mailbox, and you want to tightly control who has access to manage those objects…
This behavior is similar to how a deny access control entry (ACE) on an Active Directory access control list (ACL) functions.”

This example creates an exclusive recipient-filter-based scope that matches every user whose AD Department attribute equals “Executives” (these cmdlets must be run in a remote PowerShell session against Exchange Online):

New-ManagementScope "Executive Users Exclusive Scope" -RecipientRestrictionFilter { Department -eq "Executives" } -Exclusive

Or based on job title:

New-ManagementScope "Executive Users Exclusive Scope" -RecipientRestrictionFilter { Title -like "*Executive*" } -Exclusive

Or based on a custom attribute (you get the idea; note that all three variants reuse the same scope name, so create only the one you want, since scope names must be unique):

New-ManagementScope "Executive Users Exclusive Scope" -RecipientRestrictionFilter { CustomAttribute5 -eq "VIP" } -Exclusive


The next step is to assign the exclusive scope to a role group of highly trusted administrators. Anyone not in that group cannot modify the VIP mailboxes, even if they hold a role whose regular scope would otherwise cover them.

New-RoleGroup -Name "VIP Mailbox Administrators" -Roles "Mail Recipients"

At this point you can add users or security groups to the VIP Mailbox Administrators role group (Add-RoleGroupMember). Note that -Roles "Mail Recipients" on the New-RoleGroup line also gives the group a regular, organization-wide Mail Recipients assignment, so its members can manage every recipient, not only the VIPs. If they should manage only the VIP mailboxes, create the group without -Roles and let the exclusive assignment that follows be its only Mail Recipients assignment.


Finally, this command glues the role group to the exclusive scope:

New-ManagementRoleAssignment -Name "VIP Mailbox Administrators" -SecurityGroup "VIP Mailbox Administrators" -Role "Mail Recipients" -ExclusiveRecipientWriteScope "Executive Users Exclusive Scope"
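Before and after running those cmdlets it is worth checking what the filter actually matches and who ends up with write access to the matched objects, because an exclusive scope built on an over-broad filter silently locks every other administrator out of everything it matches. The following is an added example, not code from the original post. It assumes an open remote PowerShell session to Exchange Online (Import-PSSession already done), the scope and group names used above, and the CustomAttribute5 = VIP convention from the third filter variant; the 25-recipient sanity limit is an arbitrary assumption.

```powershell
# Added example (not from the original post): dry-run the VIP filter, create the
# exclusive scope, role group and exclusive assignment, then audit who can write
# to Mail Recipients objects. Assumes an open remote PowerShell session to
# Exchange Online; scope/group names follow the post, the filter and the
# 25-recipient sanity limit are assumptions.

$ScopeName = "Executive Users Exclusive Scope"
$GroupName = "VIP Mailbox Administrators"
$VipFilter = "CustomAttribute5 -eq 'VIP'"

# 1. Dry run: list exactly which recipients the filter will match. Once the scope
#    is exclusive, no one outside the VIP administrators can modify any of them,
#    so a typo here (for example a filter that matches every user) is the main
#    failure mode.
$matched = @(Get-Recipient -Filter $VipFilter -ResultSize Unlimited)
Write-Host ("Filter matches {0} recipient(s):" -f $matched.Count)
$matched | Format-Table DisplayName, RecipientTypeDetails, PrimarySmtpAddress -AutoSize

if ($matched.Count -eq 0 -or $matched.Count -gt 25) {
    throw "Refusing to create an exclusive scope over $($matched.Count) recipients; check the filter."
}

# 2. Create the scope once (scope names must be unique).
if (-not (Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $ScopeName -RecipientRestrictionFilter $VipFilter -Exclusive
}

# 3. Role group without -Roles, so the exclusive assignment below is the group's
#    only Mail Recipients assignment and its members can write only to VIPs.
if (-not (Get-RoleGroup -Identity $GroupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $GroupName
}
New-ManagementRoleAssignment -Name "$GroupName - Mail Recipients (exclusive)" `
    -SecurityGroup $GroupName -Role "Mail Recipients" `
    -ExclusiveRecipientWriteScope $ScopeName

# 4. Audit: every effective user of Mail Recipients, with the write scope each
#    assignment carries. Only rows whose CustomRecipientWriteScope is the
#    exclusive scope can touch the VIP objects.
Get-ManagementRoleAssignment -Role "Mail Recipients" -GetEffectiveUsers |
    Select-Object EffectiveUserName, RoleAssigneeName, RecipientWriteScope, CustomRecipientWriteScope |
    Sort-Object EffectiveUserName |
    Format-Table -AutoSize
```

Run step 1 on its own first; the throw is there so the script stops if the filter matches nobody (mis-spelled attribute value) or far more people than your VIP list. Re-run step 4 whenever role groups change: it is the quickest way to see whether someone has quietly been given a second Mail Recipients assignment that carries the exclusive scope.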



Going a step further…

The above commands lock an external helpdesk out of managing your executives’ mailboxes. But what if you want to restrict your external helpdesk even further, so that the actions they can take on the rest of your users are limited as well?

You can create a custom role assignment for your external helpdesk that lets them manage certain things but not others. For example, to let them manage retention and archive policies, grant them the “Retention Management” role.

If you want your external helpdesk to manage ActiveSync policies on mailboxes and remotely wipe lost devices, see this article for more information.

In addition to “Retention Management” and the custom ActiveSync role referenced above, the other fine-grained roles to consider granting to your external helpdesk are:

– UM Mailboxes (allows external helpdesk to enable voicemail on new mailboxes)

– View-only Recipients

– View-only configuration (this allows the external helpdesk to view non-recipient configuration such as transport config)

– Distribution Groups (this allows the external helpdesk to create distribution groups)

– Legal Hold (this allows the external helpdesk to place a mailbox on Legal Hold)

– Retention Management (this lets the external helpdesk set up and manage retention and archive policies)
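Rather than trusting the role names, you can ask RBAC directly which roles would expose the cmdlets and parameters that let an administrator read or redirect someone else's mail, and confirm that none of them is assigned to the helpdesk group. The following is an added example, not code from the original post. It creates the helpdesk role group from the list above and then runs that check; it assumes an open remote PowerShell session to Exchange Online, and the group name and the list of sensitive cmdlet/parameter pairs are my own choices.

```powershell
# Added example (not from the original post): build the external helpdesk role
# group from the roles listed in the post, then verify from the RBAC definitions
# that none of those roles exposes a mailbox-takeover cmdlet. Assumes an open
# remote PowerShell session to Exchange Online; the group name and the list of
# sensitive cmdlets are assumptions.

$GroupName = "External Helpdesk"
$HelpdeskRoles = @(
    "Retention Management",    # retention and archive policies
    "UM Mailboxes",            # enable voicemail on new mailboxes
    "View-Only Recipients",
    "View-Only Configuration", # transport and other non-recipient settings, read-only
    "Distribution Groups",
    "Legal Hold"
)

if (-not (Get-RoleGroup -Identity $GroupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $GroupName -Roles $HelpdeskRoles `
        -Description "Outsourced helpdesk; must not be able to grant or redirect mailbox access"
}

# Role names actually assigned to the group (direct assignments only)
$assigned = @(Get-ManagementRoleAssignment -RoleAssignee $GroupName |
              ForEach-Object { "$($_.Role)" })

# Cmdlet/parameter pairs that amount to mailbox takeover. A role can contain a
# cmdlet with only a subset of its parameters (Legal Hold carries Set-Mailbox
# for LitigationHoldEnabled but not for ForwardingSmtpAddress), so the check is
# per parameter, not per cmdlet name.
$Sensitive = @(
    @{ Cmdlet = "Add-MailboxPermission";   Parameter = "AccessRights" },          # FullAccess
    @{ Cmdlet = "Add-RecipientPermission"; Parameter = "AccessRights" },          # SendAs
    @{ Cmdlet = "Set-Mailbox";             Parameter = "ForwardingSmtpAddress" }, # silent forwarding
    @{ Cmdlet = "New-InboxRule";           Parameter = "ForwardTo" }              # forwarding rule on a mailbox
)

foreach ($check in $Sensitive) {
    $label = "{0} -{1}" -f $check.Cmdlet, $check.Parameter
    # Get-ManagementRole -Cmdlet/-CmdletParameters returns every role whose
    # entries grant that cmdlet with that parameter.
    $exposing = @(Get-ManagementRole -Cmdlet $check.Cmdlet -CmdletParameters $check.Parameter |
                  ForEach-Object { $_.Name })
    $overlap = @($assigned | Where-Object { $exposing -contains $_ })
    if ($overlap.Count -gt 0) {
        Write-Warning ("{0} is reachable by {1} via role(s): {2}" -f $label, $GroupName, ($overlap -join ", "))
    } else {
        Write-Host ("OK   {0} is not available to {1}" -f $label, $GroupName)
    }
}
```

Any warning printed by the last loop means one of the helpdesk roles can grant Full Access, Send As, or forwarding, and that role should come off the group. Re-run the check after a service update: Microsoft adds parameters to built-in roles over time, and the group's capabilities move with them.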

Note: If you stop here, the external helpdesk cannot grant themselves Full Access to read the inbox contents of the VIP mailboxes, or of any other mailbox. No Exchange admin role carries Full Access to mailbox contents by default; it has to be granted explicitly with Add-MailboxPermission, and that cmdlet lives in the Mail Recipients role, which is not in the list above. If you do want the external helpdesk to be able to read any end user's inbox, a nightly scheduled task can explicitly grant Full Access to every mailbox except the VIP users (the 5 VIP users in this example). The exclusive scope already blocks anyone outside the VIP Mailbox Administrators group from adding permissions on those mailboxes, but the task should exclude them explicitly as well rather than relying on the grant failing. I would not recommend doing this at all: it should be exceptionally rare for a helpdesk user to need to read the contents of someone’s mailbox. Consider having them escalate to the internal helpdesk when the need arises, so that the access can be controlled.

The external helpdesk would manage Exchange by logging in directly to the Exchange Control Panel (ECP), not through the Office 365 Admin Portal.

This is great, but what if you need your external helpdesk to add or remove O365 licenses? No problem: you can grant them the “User Management” role in the O365 Admin Portal. This role has no corresponding role mapping in Exchange Online, so it gives them no additional privileges on mailboxes. One caveat the role name does not advertise: User Management administrators can also reset passwords for users who are not themselves administrators, which will normally include your executives. A helpdesk user who can reset a VIP's password can sign in as that VIP and read the mailbox directly, bypassing the exclusive scope entirely, so keep password resets for VIP accounts with the internal helpdesk.

The “User Management” role in the O365 Admin Portal is also how you let your external helpdesk create a mailbox: assigning an Exchange Online license to a user is the step that actually creates the mailbox.

One of my colleagues recommends a SaaS provider that can also create exclusive management scopes for you, without you having to be an Exchange expert to set this all up. For example, you would just have your external helpdesk log on to the service to access some but not all of your users. They offer a 30-day free trial that you can use to evaluate whether it meets your specific needs.

How to use the Workload-specific roles for delegated administration of Office 365

Many customers would like to reduce the number of Office 365 Global Admins to a small handful, while granting service specific admin roles to designated administrators.

Workload-specific admin roles began rolling out on June 11th, 2015 and provide more flexibility to organizations that want to structure admin access to Exchange Admin Center, SharePoint Admin Center, and Skype for Business Admin Center. For example, an Exchange admin will no longer require Office 365 global admin rights to manage Exchange Online. You can now give your SharePoint admin the ability to manage SharePoint site collections without giving them rights over your Exchange environment.

I’m going to grant John Doe the Limited Admin role of Exchange Administrator.


In addition to being an Exchange Administrator, John will also have the ability to perform six tasks in the Office 365 Admin portal:

  • View organization and user information
  • Manage support tickets
  • View users and roles
  • View user licenses
  • View service health and message center posts
  • Manage reporting

Limiting Access to Executive Mailboxes

Now, let’s assume a company wants to grant Exchange administrators access to all mailboxes except a group of VIP users. In this case, you should not grant the user the limited role of Exchange Administrator, because that maps to Organization Management, the highest level of rights within Exchange Online. Instead of granting them rights in the Office 365 Admin Portal, add them in the Exchange Admin Center to a role group such as “View-Only Organization Management” and then grant them full mailbox access on all users except the VIP users. A script that grants that access could run as a scheduled task so that these limited admins are granted access to new employees (or you could update the new employee onboarding process to grant these admins full mailbox access to each new employee).
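The script referred to here is the same one the earlier post on this page (under “Going a step further…”) describes as a nightly scheduled task and advises against using casually. The following is an added example, not code from either post, of what that task looks like with the VIP exclusion made explicit and verified afterwards. It assumes an open remote PowerShell session to Exchange Online, a mail-enabled security group named “Helpdesk Mailbox Readers” holding the limited admins, and VIPs tagged with CustomAttribute5 set to VIP, the convention the exclusive scope example in the earlier post uses; all of these names are assumptions.

```powershell
# Added example (not from either post): nightly task that grants a helpdesk
# trustee FullAccess on every user mailbox except the VIPs, idempotently, and
# then verifies that no VIP mailbox carries the grant. Assumes an open remote
# PowerShell session to Exchange Online, a mail-enabled security group named
# "Helpdesk Mailbox Readers", and VIPs tagged CustomAttribute5 = "VIP". All
# names are assumptions.

$Trustee   = "Helpdesk Mailbox Readers"
$VipFilter = "CustomAttribute5 -eq 'VIP'"

# Derive the protected set from the same filter the exclusive scope uses so the
# two cannot drift apart. Exclude VIPs explicitly rather than relying on the
# scope to reject the grant: if this task ever runs under a VIP administrator's
# account, the exclusive scope will not stop it.
$vipGuids = @(Get-Mailbox -Filter $VipFilter -ResultSize Unlimited |
              ForEach-Object { $_.ExchangeGuid })

function Test-HasFullAccess($Mailbox, $User) {
    # True if $User already holds a non-deny FullAccess entry on $Mailbox
    $aces = Get-MailboxPermission -Identity $Mailbox -User $User -ErrorAction SilentlyContinue
    [bool]($aces | Where-Object { $_.AccessRights -contains "FullAccess" -and -not $_.Deny })
}

$granted = 0; $skipped = 0
foreach ($mbx in Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited) {
    if ($vipGuids -contains $mbx.ExchangeGuid) { $skipped++; continue }
    if (Test-HasFullAccess $mbx.Identity $Trustee) { continue }   # already granted on an earlier run

    # AutoMapping off: otherwise Outlook would attach every mailbox in the
    # tenant to each helpdesk user's profile.
    Add-MailboxPermission -Identity $mbx.Identity -User $Trustee -AccessRights FullAccess `
        -InheritanceType All -AutoMapping:$false | Out-Null
    $granted++
}
Write-Host ("{0}: granted FullAccess on {1} mailbox(es), skipped {2} VIP mailbox(es)" -f $Trustee, $granted, $skipped)

# Post-condition: no VIP mailbox carries FullAccess for the helpdesk trustee.
foreach ($vip in Get-Mailbox -Filter $VipFilter -ResultSize Unlimited) {
    if (Test-HasFullAccess $vip.Identity $Trustee) {
        Write-Warning ("VIP mailbox {0} has FullAccess for {1}; remove it and investigate how it got there" -f $vip.DisplayName, $Trustee)
    }
}
```

Run the task under a dedicated account that holds Mail Recipients with a regular scope and is not a member of the VIP administrators group; that way the exclusive scope acts as a second, independent guard if the filter and the VIP tagging ever disagree. The post-condition loop is the part worth keeping even if you decide, as the earlier post recommends, not to hand out Full Access at all.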

These limited admins will not log on to the Office 365 Admin Center; instead they will log on directly to the Exchange Online Control Panel (ECP).