How to limit access to Admin Rights for our IT users

Anonymous
2022-12-19T07:10:50+00:00

We want our IT Users to be able to ONLY do the following actions:

  • Create New Email users
  • Modify Users (Name, groups, out of office, forwards, password reset/change, MFA)
  • Assign licenses to users or remove them
  • Be able to add, delete, modify Contacts (even if they are outside the organization)
  • Be able to create Distribution Groups and assign members to it

We don't want the IT users to have any other rights, especially the Mail Flow options in Admin Exchange.

The specific custom rules or options that Microsoft provides give full access to the Exchange Admin platform and that's not good.

Any suggestions are welcomed.

Thank you all for your time

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.

Answer accepted by question author

  1. Vincent Choy 10,855 Reputation points Volunteer Moderator
    2022-12-20T12:36:05+00:00

    Exchange allows you to create custom admin roles for which you can specify what they can or cannot manage.

    Assign these custom roles to the admins who manage the Exchange.

    Depending on the version of Exchange Admin you see, what you want to do is get to "Admin Roles".

    For example, for me it's Exchange Admin -> Permissions -> Admin Roles.

    From here, create a new role by clicking +.

    Once you fill in the initial information, you can then choose what permissions your admins are entitled to.

    Select the Exchange functions this role can manage.

    I've looked through what you requested; you will likely need to tick:

    • Mail Recipient Creation
    • Mail Recipients
    • Distribution Groups

    Adding a license requires a different admin.

    Give your users this role to manage the Exchange environment.

    Be sure not to check any function you don't want them to be able to use, including transport rules (mail flow).

    2 people found this answer helpful.
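
Added example, not part of the original answer: the same role group created from Exchange Online PowerShell with only the three roles ticked above, followed by a check that neither the group nor its members hold the Transport Rules (mail flow) role. The group name and member address are hypothetical placeholders, and license assignment is not covered because it needs a separate admin role.

```powershell
# Added example. Assumes the ExchangeOnlineManagement module and an account
# that is allowed to manage role groups.
Connect-ExchangeOnline

$groupName = 'Helpdesk Recipient Admins'        # hypothetical group name
$members   = @('it.user1@contoso.example')      # hypothetical member
$allowed   = 'Mail Recipient Creation', 'Mail Recipients', 'Distribution Groups'

# Create the role group with only the roles named in the answer.
New-RoleGroup -Name $groupName -Roles $allowed -Members $members `
    -Description 'Recipients, contacts and distribution groups only'

# Audit 1: list every management role actually assigned to the group
# and flag anything outside the allow-list (for example Transport Rules).
$assigned = Get-ManagementRoleAssignment -RoleAssignee $groupName |
    ForEach-Object { [string]$_.Role } | Sort-Object -Unique

$unexpected = $assigned | Where-Object { $_ -notin $allowed }
if ($unexpected) {
    Write-Warning "Roles beyond the allow-list: $($unexpected -join ', ')"
} else {
    Write-Output "OK: '$groupName' holds only: $($assigned -join ', ')"
}

# Audit 2: a member may still get mail flow rights through another role
# group (for example via a broader admin role). -RoleAssignee on a user
# returns direct and indirect assignments, so check each member as well.
foreach ($m in $members) {
    Get-ManagementRoleAssignment -RoleAssignee $m -Delegating $false |
        Where-Object { [string]$_.Role -eq 'Transport Rules' } |
        Select-Object Name, Role, RoleAssigneeName
}
```

Any row returned by the second audit names the role group that still gives that member access to transport rules.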

2 additional answers

  1. Anonymous
    2022-12-19T15:35:13+00:00

    Thank you for your response.

    I don't want the users to be able to access any Mail Flow features available in the Exchange Admin Portal.

    However, I want the users to be able to see the Contacts and Group/Distribution option so that they can do the Administration part (adding contacts, removing them, modifying them, adding distribution groups, adding members to distributions, removing them, etc.).

    Further to this they should also be able to have the User Administrator option.

    If I select any of the Admin Role options so that they can see the Contacts and Groups/Distributions, they automatically have full access to the Exchange Admin Portal.

    Any insights or ideas are welcomed.

    Thank you

    John

  2. Vincent Choy 10,855 Reputation points Volunteer Moderator
    2022-12-19T07:56:38+00:00

    Have you had a look at Exchange Admin Center -> Roles -> Admin Roles -> Add Role Group?

    I had a look and you can assign or deny certain admin rights.

    Transport Rules is one of them that you can assign or deny.