question

Ig132435 asked LucasLiu-MSFT commented

delegated administration for a scope of users

In our M365 tenant we have multiple domains.
In Exchange Online I've been able to use a management role, group, assignment, and scope to allow a user to make changes to mailbox properties in a specific domain only in ECP.
However, this user is still able to view mailbox properties in all the other domains.

Is there a way to hide the mailboxes that are not in the scope from this user in ECP?

office-exchange-online-itpro

Hi @Ig132435 ,
Do the suggestions help? If the issue has been resolved, please click “Accept as answer” to mark the helpful reply as an answer; this will make answer searching in the forum easier and be beneficial to other community members as well.

Thanks for your understanding.



If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.



Hi @Ig132435 ,
I am writing here to confirm with you how things are going now.




1 Answer

AndyDavid answered LucasLiu-MSFT commented

No, that's the way RBAC works. This article says 2013, but the concept is the same:

https://docs.microsoft.com/en-us/exchange/understanding-management-role-scopes-exchange-2013-help



You can't change the implicit scopes defined on management roles. You can, however, override the implicit write scope and configuration scope on a management role. When a predefined relative scope or custom scope is used on a role assignment, the implicit write scope of the role is overridden, and the new scope takes precedence. The implicit read scope of a role can't be overridden and always applies.


Hi @Ig132435 ,
Agree with what Andy said, and even if we apply the custom scopes, the implicit read scope on management roles continues to apply and the resulting custom scope must not exceed the boundaries of the implicit read scope.
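The behaviour described in the answer and comment above can be confirmed from Exchange Online PowerShell. This is an added example, not part of the original thread; it assumes an active `Connect-ExchangeOnline` session, and the role group name `Contoso Mailbox Admins` is hypothetical. It compares each role's implicit scopes with the effective scopes on the group's assignments:

```powershell
# Added example: audit read vs. write scopes for a delegated role group.
# Assumption: 'Contoso Mailbox Admins' is a hypothetical role group name; substitute your own.
$roleGroup = 'Contoso Mailbox Admins'

$report = foreach ($a in Get-ManagementRoleAssignment -RoleAssignee $roleGroup) {
    # The management role carries the implicit scopes;
    # the role assignment carries the effective scopes after any custom scope is applied.
    $role = Get-ManagementRole -Identity "$($a.Role)"

    [pscustomobject]@{
        Assignment           = $a.Name
        Role                 = "$($a.Role)"
        ImplicitReadScope    = $role.ImplicitRecipientReadScope
        ImplicitWriteScope   = $role.ImplicitRecipientWriteScope
        EffectiveReadScope   = $a.RecipientReadScope
        EffectiveWriteScope  = $a.RecipientWriteScope
        CustomWriteScope     = $a.CustomRecipientWriteScope
        # True when the write scope was narrowed (custom or relative scope)
        # while the read scope stayed at the role's implicit value.
        ReadDiffersFromWrite = ("$($a.RecipientReadScope)" -ne "$($a.RecipientWriteScope)")
    }
}

# Rows with ReadDiffersFromWrite = True are assignments where the delegate
# can view more recipients than they can modify.
$report | Sort-Object Role | Format-Table -AutoSize
```

For an assignment created with a custom recipient write scope, `EffectiveReadScope` still matches the role's `ImplicitReadScope`, which is why out-of-scope mailboxes remain visible in ECP.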


