This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(163.2, 78%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMH%3C/text%3E%3C/svg%3E)
Is there a way to manage a subset of exchange mailboxes and only allow certain admins to manage these mailboxes? We cannot put these users in a group or do a custom attribute because help desk will be able to modify it.
@Michael Hailemariam
I am writing here to confirm with you any update about this thread now.
If the suggestion below helps, please feel free to accept it as an answer to help more people.
Hi, this solution only works for exchange on prem and does not work for exchange online
You can create management scope in order to restrict what given admin (or your help desk) can do: https://learn.microsoft.com/en-us/exchange/understanding-management-role-scopes-exchange-2013-help
You can also create "exclusive" scopes, which will allow only specific admins to manage the given subset - everyone else will be denied access. https://learn.microsoft.com/en-us/exchange/understanding-exclusive-scopes-exchange-2013-help
Keep in mind that this only covers Exchange, in Office 365 you need to also think about Azure AD/Microsoft 365 Admin center. The analog of management scopes therein is AU-scoped role assignments: https://learn.microsoft.com/en-us/azure/active-directory/roles/admin-units-assign-roles
As michev said, you could use RBAC Management Scope to limit which mailboxes they could manage. Such as:
New-ManagementScope -Name "Mailboxes" -RecipientRestrictionFilter "PrimarySmtpAddress -eq 'user@domain.com'"
Then apply this Management Scope to RBAC group for admin:
Please note: Management Scope only works for Exchange admin which assigned permission by Exchange RBAC, It doesn't works for Exchange admin which assigned permission by Office 365 admin center.
For more detailed information, you could have a look about those two articles:
New-ManagementScope
Filterable properties for the RecipientFilter parameter on Exchange cmdlets
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hi, this solution only works for exchange on prem and does not work for exchange online
It also could works for Exchange online, as above said, don't assign Exchange permission to this mailbox from Office 365 admin center. Which means create this mailbox as user mailbox rather than admin mailbox.
You need to assign permission to this mailbox from Exchange admin center with RBAC permission.