This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(272, 79%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EI%3C/text%3E%3C/svg%3E)
In our M365 tenant we have multiple domains.
In Exchange Online I've been able to use a management role, group, assignment, and scope to allow a user make changes to mailbox properties in a specific domain only in ECP.
However, this user is still able to view mailbox properties in all the other domains.
Is there a way to hide the mailboxes that are not in the scope from this user in ECP?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(252.8, 22%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELL%3C/text%3E%3C/svg%3E)
Hi @Ig132435 ,
Do suggestions help? If the issue has been resolved, please click “Accept as answer” to mark helpful reply as an answer, this will make answer searching in the forum easier and be beneficial to other community members as well.
Thanks for your understanding.
----------
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hi @Ig132435 ,
I am writing here to confirm with you how thing going now?
----------
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
No, thats the way RBAC works. This article says 2013, but the concept is the same:
https://learn.microsoft.com/en-us/exchange/understanding-management-role-scopes-exchange-2013-help
You can't change the implicit scopes defined on management roles. You can, however, override the implicit write scope and configuration scope on a management role. When a predefined relative scope or custom scope is used on a role assignment, the implicit write scope of the role is overridden, and the new scope takes precedence. The implicit read scope of a role can't be overridden and always applies.
Hi @Ig132435 ,
Agree with what Andy said, and even if we apply the custom scopes, the implicit read scope on management roles continue to apply and the resulting custom scope must not exceed the boundaries of the implicit read scope.
----------
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.