Admin Role and RBAC

Hiorns, Neil 26 Reputation points
2022-03-03T14:22:17.24+00:00

We are currently in Hybrid mode, Exchange 2016 CU22 & Exchange Online.

We wish to enable Admin Roles using RBAC so that a local administrator (not Enterprise Exchange Admins) is able to edit/amend mailboxes that are from their country or site. In the On-Premise environment we used the OU as the write-scope and obviously this is not possible in AAD, so I tried creating scopes using either Group membership or Company name using New-ManagementScope. I was able to create the scopes and then created the associated admin roles; however, they do not work as intended, as the admins are still able to change settings of mailboxes that they should not have write access to.

Also, should these local admins be members of the "Exchange Administrator" or "Exchange Recipient Administrator" Azure AD roles or neither?

Microsoft Exchange Hybrid Management

Accepted answer
    KyleXu-MSFT 26,246 Reputation points
    2022-03-04T03:11:25.96+00:00

    @Hiorns, Neil

    If the mailboxes to be managed are hosted in Exchange Online, you will need to create the Management Scope in Exchange Online.

    There is no OU in Exchange Online, so we need to scope mailboxes using some other attribute. For example, we could set the "CustomAttribute1" attribute to "1" for mailboxes which belong to country A; then we could create a Management Scope in Exchange Online:

    New-ManagementScope -Name CustomAttribute1 -RecipientRestrictionFilter "(CustomAttribute1 -eq '1')"

    [screenshot: 179933-qa-kyle-10-54-46.png]

    We can see that this management scope covers only two mailboxes:

    [screenshot: 179818-qa-kyle-10-53-20.png]

    Then we could create a management role assignment based on the custom management scope:

    New-ManagementRoleAssignment -Name TestManage -Role "User Options" -User Onlineuser2 -CustomRecipientWriteScope CustomAttribute1

    [screenshot: 179916-qa-kyle-10-59-13.png]

    The result:

    When trying to manage OnlineUser1, we can manage it successfully:
    [screenshot: 179877-qa-kyle-11-01-46.png]

    When trying to manage a mailbox which is out of the management scope, those attributes are greyed out:
    [screenshot: 179943-qa-kyle-11-05-12.png]

    If those mailboxes are migrated from Exchange on-premises to Exchange online, most attributes need to be managed from local AD. RBAC (Exchange online and Exchange on-premises) is not appropriate for them.


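The procedure in the accepted answer (stamp an attribute, build a recipient-restriction scope, attach it to a role assignment, then verify) carried through end to end in one script, as an added example; it is not code from the answer or from Microsoft. The scope, role group, attribute value and addresses (`UK-Mailboxes`, `UK Mailbox Admins`, `CustomAttribute1 = 'UK'`, the `contoso.example` mailboxes) are hypothetical placeholders. It assumes the ExchangeOnlineManagement module and an admin session. Two caveats a practitioner will want: for mailboxes synchronised from on-premises, `CustomAttribute1` is mastered in local AD (`extensionAttribute1`), so stamp it there and let directory sync carry it to the cloud rather than running `Set-Mailbox` against the cloud object; and keep the scoped admins out of the Azure AD "Exchange Administrator" role, which maps to the unscoped Organization Management role group in Exchange Online and would therefore override the custom write scope.

```powershell
# Added example, not the answer's own code. Builds a country-scoped Exchange
# Online admin delegation and verifies what it can actually write to.
# Assumes: ExchangeOnlineManagement module, an admin session, and that all
# mailboxes for the UK site carry CustomAttribute1 = 'UK' (hypothetical value).

Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'   # placeholder UPN

# 1. Stamp cloud-only mailboxes that belong to the UK site (hypothetical UPNs).
#    Synced mailboxes must be stamped on-premises (AD extensionAttribute1) instead.
$ukMailboxes = @('alice@contoso.example', 'bob@contoso.example')
foreach ($upn in $ukMailboxes) {
    Set-Mailbox -Identity $upn -CustomAttribute1 'UK'
}

# 2. Create the write scope. The filter is OPATH, as in the answer's example.
New-ManagementScope -Name 'UK-Mailboxes' `
    -RecipientRestrictionFilter "CustomAttribute1 -eq 'UK'"

# 3. Preview exactly which recipients the scope matches before delegating on it.
#    Get-Recipient -RecipientPreviewFilter evaluates a filter string without
#    creating anything, so this lists the scope's effective membership.
$scope = Get-ManagementScope -Identity 'UK-Mailboxes'
Get-Recipient -RecipientPreviewFilter $scope.RecipientFilter |
    Select-Object Name, PrimarySmtpAddress, CustomAttribute1

# 4. Delegate through a role group rather than a per-user assignment so that
#    membership is auditable and changeable in one place (hypothetical names).
New-RoleGroup -Name 'UK Mailbox Admins' `
    -Roles 'Mail Recipients' `
    -CustomRecipientWriteScope 'UK-Mailboxes' `
    -Members 'ukadmin@contoso.example'

# 5. Confirm every assignment on the group carries the custom write scope.
#    An assignment showing RecipientWriteScope = Organization here means the
#    scope did not apply and the delegate is effectively tenant-wide.
Get-ManagementRoleAssignment -RoleAssignee 'UK Mailbox Admins' |
    Select-Object Name, Role, RecipientWriteScope, CustomRecipientWriteScope

# 6. Negative check, to be run in the scoped admin's own session, not this one:
#    a write to a mailbox outside the scope should be refused by RBAC.
#    Set-Mailbox -Identity 'carol@contoso.example' -DisplayName 'Carol (test)'
```

Steps 3 and 5 are the checks the original question was missing: if the preview in step 3 returns mailboxes from other sites, the filter (not the role) is the problem; if step 5 shows an unscoped assignment, the delegate still has rights from another role group or from the Azure AD role. For the on-premises side of a hybrid deployment the same pattern applies, with the OU expressed through `New-ManagementScope -RecipientRoot` instead of an attribute filter.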


