We had a requirement to enable an RBAC permission model in which only a few selected Exchange administrators can access the higher-management mailboxes (Security Concern :))
To achieve this goal, I will explain the process step by step.
1. Create two distribution groups
- B7_Supporters – This group contains the members who are allowed to access the management mailboxes
- B7_Users – This group contains the management mailboxes
Note: Make sure the group type is "Security" and the scope is "Universal"
2. Now I will use "New-ManagementScope" to create a scope that includes the group of restricted management users. Management scopes define who or what the permission applies to; this could be an OU, security groups, servers or databases. Here I will use the security group created above.
New-ManagementScope -Name "B7_MGMTScope" -RecipientRestrictionFilter {MemberOfGroup -eq "cn=B7_Users,ou=Groups,dc=Contoso,dc=com"} -Exclusive
3. Once you have created the new management scope, assign a management role to the Exchange administrators who are allowed to manage these mailboxes. In this example I am going to add the Mail Recipients management role, but you can add any management role. You use a role assignment to assign permissions.
Note: You can use the cmdlet "Get-ManagementRole" and choose the role that suits your requirement
New-ManagementRoleAssignment -Name "B7_MGMT_Role" -Role "Mail Recipients" -SecurityGroup "B7_Supporters" -ExclusiveRecipientWriteScope "B7_MGMTScope"
Now you are done. Exchange admins who are members of the distribution group "B7_Supporters" will be able to manage the mailboxes of VIP users, BUT they can only perform the operations available in the management role "Mail Recipients" (permissions that suit service desk folks).
What if supporters need to move mailboxes or perform import/export requests? You can create more management role assignments with other management roles. Below, I want my Exchange admins to be able to move mailboxes too, so I will run the following cmdlet.
New-ManagementRoleAssignment -Name "B7_MGMT_Role_MoveMBX" -Role "Move Mailboxes" -SecurityGroup "B7_Supporters" -ExclusiveRecipientWriteScope "B7_MGMTScope"
Now perform a few tests and you are done!!! 🙂 Enjoy
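One way to run those tests from the Exchange Management Shell, as an added example that is not part of the original post. It uses the scope, group and DN names from the steps above; the VIP mailbox address is a placeholder. An exclusive scope takes effect as soon as it is created, so anyone without an exclusive assignment (other administrators included) can no longer modify the matched recipients, which is why it is worth checking exactly what the filter matches.

```powershell
# Added verification sketch (not from the original post).
# Scope, group and DN names come from the steps above; $vipMailbox is a placeholder.
$scopeName  = 'B7_MGMTScope'
$groupDN    = 'cn=B7_Users,ou=Groups,dc=Contoso,dc=com'
$allowed    = 'B7_Supporters'
$vipMailbox = 'vip.user@contoso.com'   # placeholder: any member of B7_Users

# 1. The scope must exist and must be exclusive, otherwise other
#    assignments can still write to the protected mailboxes.
$scope = Get-ManagementScope -Identity $scopeName
if (-not $scope.Exclusive) {
    Write-Warning "$scopeName exists but is not an exclusive scope"
}

# 2. List the recipients the scope filter actually matches.
#    An empty result usually means a wrong DN or an empty group.
Get-Recipient -Filter "MemberOfGroup -eq '$groupDN'" -ResultSize Unlimited |
    Sort-Object Name |
    Format-Table Name, RecipientType, PrimarySmtpAddress

# 3. List every role assignment bound to the exclusive scope.
$assignments = Get-ManagementRoleAssignment -ExclusiveRecipientWriteScope $scopeName
$assignments | Format-Table Name, Role, RoleAssigneeName, RecipientWriteScope

# 4. Flag assignments that grant the exclusive scope to anyone
#    other than the intended supporters group.
$unexpected = $assignments | Where-Object { $_.RoleAssigneeName -ne $allowed }
if ($unexpected) {
    Write-Warning "Unexpected assignees on ${scopeName}:"
    $unexpected | Format-Table Name, Role, RoleAssigneeName
}

# 5. Show which users Exchange reports as able to modify a VIP mailbox,
#    and through which role. Review this list against B7_Supporters membership.
Get-ManagementRoleAssignment -WritableRecipient $vipMailbox -GetEffectiveUsers |
    Sort-Object EffectiveUserName, Role -Unique |
    Format-Table EffectiveUserName, Role, RoleAssigneeName
```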