slattdog asked:
Block Admin Access to Specific Exchange Mailbox

Our company is using Office 365 (E3) for hosted Exchange. We have brought on a couple of new admins and the owner does not want them to be able to access his email. However, we still want them to have full permissions to configure other users and work with the Exchange server in general. Is there a way to block admin access to specific mailboxes? Perhaps by putting the users in some sort of security grouping and then limiting the admins to those groups?
Will Szymkowski

If you want to do something like this then what I would recommend is to create a new Role Group and apply permissions to the mailbox database servers that you want the admins to have access to. You can also assign permissions for other tasks like Hygiene Management or Compliance Management etc. for additional permissions.

But do not add them to Organizational Management or they will have full permissions on his mailbox. Even if you deny permissions they will be able to undo the changes.

I would also recommend enabling Auditing as well. This way you can also track who has modified permissions to mailboxes.

Creating New Role Groups
https://technet.microsoft.com/en-us/library/jj657480%28v=exchg.150%29.aspx

Enable Mailbox Auditing
https://technet.microsoft.com/en-us/library/ff461937%28v=exchg.150%29.aspx

Will.
ASKER CERTIFIED SOLUTION
Vasil Michev (MVP)
slattdog (ASKER)
Vasil: Looking at the technet articles it sounds like exclusive scopes are what I want. The articles talk mostly theory however, and I am not experienced with the cmdlets. Would it be possible for you to give me an example of what it would look like? Our O365 environment is currently set up with all default settings. It looks like what I'd want to do is create a new admin role group, assign it all the roles, but then create an exclusive scope that limits access to the owner's mailbox. Then I would assign the new admin users to that role group. Does that sound right, or am I missing it? :-)
SOLUTION
Vasil: I must be missing something. I set up a test user. I followed the instructions you gave. I added the new admins to the default Organization Management group, but NOT the new CEO admin group. However, when I log in as one of the new admins they still have full access to the test user (who should be restricted based on the new scope).
I think I might have it working now. It appears it takes some time for the settings to take effect. Do you know if that is the case? And if so, is there a way to force an update? That would be very helpful in testing situations. :-)
You need to relog in order for the new 'stripped down' session to take effect.
OK. It appears that I may have a syntax problem. It appears to work when I add a single email address to the list, but if I add multiple addresses then it does not work. Here is the format it shows when I do a Get-ManagementScope "Owner Scope":

RecipientFilter          : EmailAddresses -eq 'test1@company.com,test2@comapny.com'
It is definitely the content of the RecipientFilter. As long as I only have 1 email address in there it works fine. The technet article says to separate multiple addresses with a comma, but as soon as I do that it no longer works. Any idea what I'm missing, or typing wrong?
If you want to include multiple addresses, either use wildcards or the 'or' clause:

EmailAddresses -eq 'test1@company.com' -or EmailAddresses -eq 'test2@comapny.com'
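The design the asker describes earlier in the thread (an exclusive scope that matches the owner's mailbox, a dedicated role group that holds the only assignments carrying that scope, and auditing on the mailbox) written out as Exchange Online PowerShell, with the multi-address `-or` filter from the reply above. This is an added example, not code from the thread or from the accepted answers; the scope name "Owner Scope" and the filter shape come from the thread, while the role group name "CEO Admins", the admin account, the two owner addresses and the roles granted are assumptions.

```powershell
# Added example, not from the thread. Run in a remote PowerShell session to
# Exchange Online as a member of Organization Management.
# Assumed names: role group "CEO Admins", admin "ceo.admin@company.com",
# owner addresses test1@company.com / test2@company.com (constructed).

$ScopeName = 'Owner Scope'
$GroupName = 'CEO Admins'

# 1. Exclusive scope. Several addresses must be joined with -or (or matched with a
#    wildcard); a comma inside one quoted string is compared literally and matches
#    no mailbox, which is why the asker's single-string filter stopped working.
$Filter = "EmailAddresses -eq 'test1@company.com' -or EmailAddresses -eq 'test2@company.com'"

if (-not (Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $ScopeName -RecipientRestrictionFilter $Filter -Exclusive
}
else {
    Set-ManagementScope -Identity $ScopeName -RecipientRestrictionFilter $Filter
}

# 2. Role group whose recipient write scope is the exclusive scope. While an exclusive
#    scope exists, only role assignments that carry it may modify the recipients it
#    matches, so admins outside this group are blocked on the owner's mailbox even
#    when their own roles are otherwise unrestricted. Members and roles are assumed.
if (-not (Get-RoleGroup -Identity $GroupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $GroupName `
        -Roles 'Mail Recipients', 'Mail Recipient Creation' `
        -CustomRecipientWriteScope $ScopeName `
        -Members 'ceo.admin@company.com' `
        -Description 'Only group whose assignments may modify the owner mailbox'
}

# 3. Mailbox auditing on the owner's mailbox, as recommended in the first reply.
Set-Mailbox -Identity 'test1@company.com' -AuditEnabled $true

# 4. Checks to run afterwards.
# 4a. The scope is really exclusive and carries the intended filter.
Get-ManagementScope -Identity $ScopeName | Format-List Name, Exclusive, RecipientFilter

# 4b. Every assignment that carries an exclusive scope: each assignee listed here
#     can modify the owner's mailbox, so this should contain only $GroupName.
Get-ManagementRoleAssignment -Exclusive |
    Select-Object Name, RoleAssignee, CustomRecipientWriteScope

# 4c. Organization Management members can add themselves to $GroupName (the caveat
#     raised in the thread), so keep this membership list short and reviewed.
Get-RoleGroupMember -Identity 'Organization Management'

# 4d. Admin audit log entries for the actions that would widen access to the mailbox
#     over the last week.
Search-AdminAuditLog -Cmdlets Add-MailboxPermission, Add-RoleGroupMember, New-ManagementRoleAssignment `
    -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date)
```

The admins being restricted have to start a new PowerShell or EAC session before the change shows, as noted above. The exclusive scope only governs write operations through RBAC; it does not by itself remove mailbox permissions already granted, so step 4d is the place to look for those.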

Vasil:  The restriction now works for multiple email addresses following the syntax you gave me.  Thanks!

The problem now is that the other admins are not able to access certain features (notably message trace) unless I make them Organization Managers (but then they could just add themselves to the CEO admin role -- so that doesn't work.)  Any help would be appreciated.
You can just grant them access to the said roles or particular cmdlets.
I get that, but it's not working as expected.  For example... I have created a test admin role for my test user as follows:

Assigned Roles
Audit Logs
Distribution Groups
Information Rights Management
Journaling
Legal Hold
Mail Enabled Public Folders
Mail Recipient Creation
Mail Recipients
Mail Tips
Message Tracking
Migration
Move Mailboxes
Org Custom Apps
Org Marketplace Apps
Organization Client Access
Organization Transport Settings
Public Folders
Recipient Policies
Reset Password
Retention Management
Team Mailboxes
Transport Hygiene
Transport Rules
UM Mailboxes
UM Prompts
Unified Messaging
User Options

Members
Test 1


Yet, when the test user logs in it does not have access to message tracking.