Block Admin Access to Specific Exchange Mailbox

Our company is using Office 365 (E3) for hosted Exchange.  We have brought on a couple new admins and the owner does not want them to be able to access his email.  However, we still want them to have full permissions to configure other users and work with the Exchange server in general.  Is there a way to block admin access to specific mailboxes?  Perhaps by putting the users in some sort of security grouping and then limiting the admins to those groups?
Will Szymkowski (Senior Solution Architect) commented:
If you want to do something like this, then what I would recommend is to create a new Role Group and apply permissions to the mailbox database servers that you want the admins to have access to. You can also assign permissions for other tasks like Hygiene Management or Compliance Management etc. for additional permissions.

But do not add them to Organizational Management or they will have full permissions on his mailbox. Even if you deny permissions they will be able to undo the changes.

I would also recommend enabling Auditing as well. This way you can also track who has modified permissions to mailboxes.

Creating New Role Groups

Enable Mailbox Auditing

Vasil Michev (MVP) commented:
slattdog (Author) commented:
Vasil:  Looking at the TechNet articles it sounds like exclusive scopes are what I want.  The articles talk mostly theory however, and I am not experienced with the cmdlets.  Would it be possible for you to give me an example of what it would look like?  Our O365 environment is currently set up with all default settings.  It looks like what I'd want to do is create a new admin role group, assign it all the roles, but then create an exclusive scope that limits access to the owner's mailbox.  Then I would assign the new admin users to that role group.  Does that sound right, or am I missing it?  :-)
Vasil Michev (MVP) commented:
You just need to create a new management scope:

New-ManagementScope "Executive CEO Scope" -RecipientRestrictionFilter { Department -Eq "Executives" } -Exclusive

Once the scope is created, the mailbox(es) will be 'locked' so nobody will be able to manage them. To grant access, you need to create a new role group and assignment:

New-RoleGroup -Name "CEO admin" -Roles "Mail Recipients","User Options","Mail Recipient Creation","Recipient Policies","Reset Password" -Members "Organization Management"

Get-ManagementRoleAssignment -RoleAssignee "CEO admin" | Set-ManagementRoleAssignment -ExclusiveRecipientWriteScope "Executive CEO Scope"

Of course, make sure to adjust the needed roles/cmdlets. And test against a normal mailbox first! :)
slattdog (Author) commented:
Vasil:  I must be missing something.  I set up a test user.  I followed the instructions you gave.  I added the new admins to the default Organization Management group, but NOT the new CEO admin group.  However, when I log in as one of the new admins they still have full access to the test user (who should be restricted based on the new scope).
slattdog (Author) commented:
I think I might have it working now.  It appears it takes some time for the settings to take effect.  Do you know if that is the case?  And if so, is there a way to force an update?  That would be very helpful in testing situations.  :-)
Vasil Michev (MVP) commented:
You need to relog in order for the new 'stripped down' session to take effect.
slattdog (Author) commented:
OK.  It appears that I may have a syntax problem.  It appears to work when I add a single email address to the list, but if I add multiple addresses then it does not work.  Here is the format it shows when I do a Get-ManagementScope "Owner Scope"

RecipientFilter          : EmailAddresses -eq ','
slattdog (Author) commented:
It is definitely the content of the  RecipientFilter.  As long as I only have 1 email address in there it works fine.  The technet article says to separate multiple addresses with a comma, but as soon as I do that it no longer works.  Any idea what I'm missing, or typing wrong?
Vasil Michev (MVP) commented:
If you want to include multiple addresses, either use wildcards or the 'or' clause:

EmailAddresses -eq '' -or EmailAddresses -eq ''

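Putting Vasil's steps together, here is an added end-to-end example (not code from the original thread) that creates the exclusive scope, the role group and the scoped assignment, builds the multi-address filter with the -or clause from the last reply instead of a comma, verifies what was stored, and turns on the mailbox auditing Will suggested. It assumes an already open Exchange Online remote PowerShell session run by an Organization Management member; the scope name, role group name and mailbox addresses are constructed placeholders.

```powershell
# Added example: end-to-end exclusive scope for protected mailboxes.
# Assumes an Exchange Online remote PowerShell session is already open and
# that the account running this is in Organization Management.
# All names and addresses below are constructed placeholders.

$ScopeName      = "Executive CEO Scope"
$RoleGroupName  = "CEO admin"
$ProtectedAddrs = @("ceo@contoso.example", "owner@contoso.example")   # placeholders

# 1. Build the recipient filter. Several addresses are joined with -or, not
#    with a comma; a comma is what produced the broken "EmailAddresses -eq ','"
#    filter seen earlier in the thread.
$Filter = ($ProtectedAddrs | ForEach-Object { "EmailAddresses -eq '$_'" }) -join " -or "
# $Filter is now:
# EmailAddresses -eq 'ceo@contoso.example' -or EmailAddresses -eq 'owner@contoso.example'

# 2. Create the exclusive scope. From here on, only role assignments that carry
#    this scope as an exclusive write scope can modify the matched mailboxes.
New-ManagementScope -Name $ScopeName -RecipientRestrictionFilter $Filter -Exclusive

# 3. Create the role group that is allowed to work inside the scope. Vasil's
#    answer seeds it with Organization Management; a single named account or a
#    small security group keeps the set of admins with access to a minimum.
New-RoleGroup -Name $RoleGroupName `
    -Roles "Mail Recipients","User Options","Mail Recipient Creation","Recipient Policies","Reset Password" `
    -Members "Organization Management"

# 4. Attach the exclusive write scope to every assignment the role group holds.
Get-ManagementRoleAssignment -RoleAssignee $RoleGroupName |
    Set-ManagementRoleAssignment -ExclusiveRecipientWriteScope $ScopeName

# 5. Read back what was stored. Check RecipientFilter here before testing;
#    a malformed filter shows up in this output.
Get-ManagementScope -Identity $ScopeName | Format-List Name, Exclusive, RecipientFilter
Get-ManagementRoleAssignment -RoleAssignee $RoleGroupName |
    Format-Table Name, Role, RecipientWriteScope, CustomRecipientWriteScope -AutoSize

# 6. Record admin and delegate activity on the protected mailboxes so any
#    access or permission change can be traced afterwards.
foreach ($addr in $ProtectedAddrs) {
    Set-Mailbox -Identity $addr -AuditEnabled $true `
        -AuditAdmin Update,Move,MoveToDeletedItems,SoftDelete,HardDelete,FolderBind,SendAs,SendOnBehalf
}

# To test, sign in as one of the other admins in a new session (they must
# re-log so the narrowed session applies). Expected: the first write is denied
# because the mailbox is outside that admin's write scope, the second succeeds.
#   Set-Mailbox -Identity ceo@contoso.example      -CustomAttribute1 "probe"   # denied
#   Set-Mailbox -Identity testuser@contoso.example -CustomAttribute1 "probe"   # allowed
```

As the thread notes, anyone left in Organization Management can still edit the role assignments themselves, so the real control is keeping that group small and watching the admin audit log for changes to role groups and scopes.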
slattdog (Author) commented:
Vasil:  The restriction now works for multiple email addresses following the syntax you gave me.  Thanks!

The problem now is that the other admins are not able to access certain features (notably message trace) unless I make them Organization Managers (but then they could just add themselves to the CEO admin role -- so that doesn't work.)  Any help would be appreciated.
Vasil Michev (MVP) commented:
You can just grant them access to the said roles or particular cmdlets.
slattdog (Author) commented:
I get that, but it's not working as expected.  For example... I have created a test admin role for my test user as follows:

Assigned Roles
Audit Logs
Distribution Groups
Information Rights Management
Legal Hold
Mail Enabled Public Folders
Mail Recipient Creation
Mail Recipients
Mail Tips
Message Tracking
Move Mailboxes
Org Custom Apps
Org Marketplace Apps
Organization Client Access
Organization Transport Settings
Public Folders
Recipient Policies
Reset Password
Retention Management
Team Mailboxes
Transport Hygiene
Transport Rules
UM Mailboxes
UM Prompts
Unified Messaging
User Options

Test 1

Yet, when the test user logs in, they do not have access to message tracking.