delegated administration for a scope of users

Ig132435 1 Reputation point
2021-03-18T17:51:24.3+00:00

In our M365 tenant we have multiple domains.
In Exchange Online I've been able to use a management role, group, assignment, and scope to allow a user make changes to mailbox properties in a specific domain only in ECP.
However, this user is still able to view mailbox properties in all the other domains.

Is there a way to hide the mailboxes that are not in the scope from this user in ECP?

Microsoft Exchange Online Management
Microsoft Exchange Online Management
Microsoft Exchange Online: A Microsoft email and calendaring hosted service.Management: The act or process of organizing, handling, directing or controlling something.
4,374 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Andy David - MVP 145.1K Reputation points MVP
    2021-03-18T18:01:07.573+00:00

    No, thats the way RBAC works. This article says 2013, but the concept is the same:

    https://learn.microsoft.com/en-us/exchange/understanding-management-role-scopes-exchange-2013-help

    You can't change the implicit scopes defined on management roles. You can, however, override the implicit write scope and configuration scope on a management role. When a predefined relative scope or custom scope is used on a role assignment, the implicit write scope of the role is overridden, and the new scope takes precedence. The implicit read scope of a role can't be overridden and always applies.