RBAC – How to control Management Mailbox access

We had a requirement to enable an RBAC permission model in which only a few selected Exchange administrators can access the higher-management mailboxes (a security concern :))

To achieve this, I will explain the configuration step by step.

1. Create two Distribution Groups

  • B7_Supporters – This group contains the members who are allowed to access the management mailboxes
  • B7_Users – This group contains the management mailboxes

Note: Make sure the group type is "Security" and the scope is "Universal".


2. Now I will create a new management scope (New-ManagementScope) that includes the group of restricted management users. Management scopes define who or what a permission applies to: an OU, a security group, a server or a database. Here I will be using the security group created above.

New-ManagementScope -Name "B7_MGMTScope" -RecipientRestrictionFilter {MemberOfGroup -eq "CN=B7_Users,OU=Groups,DC=Contoso,DC=com"} -Exclusive

3. Once the management scope exists, assign a management role to the Exchange administrators who are allowed to manage only those mailboxes. In this example I am going to add the Mail Recipients management role, but you can use any management role. The role assignment is what actually grants the permissions.

Note: You can run the cmdlet Get-ManagementRole and choose the role that suits your requirement.

New-ManagementRoleAssignment -Name "B7_MGMT_Role" -Role "Mail Recipients" -SecurityGroup "B7_Supporters" -ExclusiveRecipientWriteScope "B7_MGMTScope"

Now you are done. Exchange admins who are members of the security group "B7_Supporters" will be able to manage the mailboxes of the VIP users, BUT they can only perform the operations available in the "Mail Recipients" management role (permissions that suit service desk staff).

What if the supporters need to move mailboxes or run import/export requests? You can create a few more management role assignments with other management roles. Below, I want my Exchange admins to be able to move mailboxes too, so I run the following cmdlet.

New-ManagementRoleAssignment -Name "B7_MGMT_Role_MoveMBX" -Role "Move Mailboxes" -SecurityGroup "B7_Supporters" -ExclusiveRecipientWriteScope "B7_MGMTScope"

Now perform a few tests and you are done! 🙂 Enjoy
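As an added example (not from the original post), here is the whole setup as a re-runnable script, followed by the two checks I would run afterwards: who can actually write to a VIP mailbox, and which assignments reference each exclusive scope. It assumes the two universal security groups from step 1 already exist and uses vip.user@contoso.com as a constructed sample VIP mailbox.

```powershell
# Added example, not code from the original post. Assumes the universal security
# groups B7_Users and B7_Supporters exist; vip.user@contoso.com is a constructed sample.

$scopeName = 'B7_MGMTScope'
$groupDn   = 'CN=B7_Users,OU=Groups,DC=Contoso,DC=com'

# 1. Exclusive scope: only assignments bound to it may modify the matched recipients.
if (-not (Get-ManagementScope -Identity $scopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $scopeName `
        -RecipientRestrictionFilter "MemberOfGroup -eq '$groupDn'" -Exclusive
}

# 2. Role assignments for the support group, all bound to the exclusive write scope.
$roles = @{ 'B7_MGMT_Role' = 'Mail Recipients'; 'B7_MGMT_Role_MoveMBX' = 'Move Mailboxes' }
foreach ($name in $roles.Keys) {
    if (-not (Get-ManagementRoleAssignment -Identity $name -ErrorAction SilentlyContinue)) {
        New-ManagementRoleAssignment -Name $name -Role $roles[$name] `
            -SecurityGroup 'B7_Supporters' -ExclusiveRecipientWriteScope $scopeName
    }
}

# 3. Verification: every assignment that can write to the VIP mailbox, expanded to
#    individual users. Any user outside B7_Supporters in this list is a finding.
$vip = 'vip.user@contoso.com'
Get-ManagementRoleAssignment -WritableRecipient $vip -GetEffectiveUsers |
    Select-Object Name, Role, RoleAssigneeName, EffectiveUserName, RecipientWriteScope |
    Sort-Object EffectiveUserName | Format-Table -AutoSize

# 4. Audit: list all exclusive scopes and the assignments that reference each one,
#    so an unexpected extra assignment against the VIP scope is easy to spot.
Get-ManagementScope -Exclusive $true | ForEach-Object {
    $scope = $_
    Get-ManagementRoleAssignment -ExclusiveRecipientWriteScope $scope.Name |
        Select-Object @{ n = 'Scope'; e = { $scope.Name } }, Name, Role, RoleAssigneeName
}
```

An exclusive scope only restricts write operations; other administrators can still read the VIP mailboxes with Get-* cmdlets, so the check in step 3 is about who can modify them.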

Chirag Patel, Microsoft 365 Specialist