slattdog

Block Admin Access to Specific Exchange Mailbox

Our company is using Office 365 (E3) for hosted Exchange. We have brought on a couple of new admins and the owner does not want them to be able to access his email. However, we still want them to have full permissions to configure other users and work with the Exchange server in general. Is there a way to block admin access to specific mailboxes? Perhaps by putting the users in some sort of security grouping and then limiting the admins to those groups?
Microsoft 365, Exchange

Last Comment
slattdog

8/22/2022 - Mon
Will Szymkowski

If you want to do something like this then what I would recommend is to create a new Role Group and apply permissions to the mailbox database servers that you want the admins to have access to. You can also assign permissions for other tasks like Hygiene Management or Compliance Management etc. for additional permissions.

But do not add them to Organizational Management or they will have full permissions on his mailbox. Even if you deny permissions they will be able to undo the changes.

I would also recommend enabling auditing as well. This way you can also track who has modified permissions to mailboxes.

Creating New Role Groups
https://technet.microsoft.com/en-us/library/jj657480%28v=exchg.150%29.aspx

Enable Mailbox Auditing
https://technet.microsoft.com/en-us/library/ff461937%28v=exchg.150%29.aspx

Will.
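As an added illustration of the auditing advice above (this is not code from Will's post), the following Exchange Online PowerShell turns on mailbox auditing for the owner's mailbox and then pulls the two logs that answer "who touched this mailbox" and "who changed its permissions". It assumes an already-connected Exchange Online PowerShell session; the address and the 30-day window are placeholders.

```powershell
# Added example, not from the original thread. Assumes an Exchange Online PowerShell
# session is already open. 'ceo@company.com' is a placeholder for the protected mailbox.
$Owner = 'ceo@company.com'
$Since = (Get-Date).AddDays(-30)
$Until = Get-Date

# 1. Record admin and delegate activity in the owner's mailbox (no-op if already on).
#    The hashtable form adds to the multivalued AuditAdmin/AuditDelegate properties.
Set-Mailbox -Identity $Owner -AuditEnabled $true `
    -AuditAdmin    @{Add = 'FolderBind', 'SendAs', 'SendOnBehalf', 'Update', 'SoftDelete', 'HardDelete'} `
    -AuditDelegate @{Add = 'FolderBind', 'SendAs', 'SendOnBehalf', 'Update', 'SoftDelete', 'HardDelete'}

# 2. Who opened folders in, or sent as, the owner's mailbox without being the owner?
#    -LogonTypes Admin,Delegate leaves out the owner's own activity; -ShowDetails
#    returns one row per event instead of a summary.
Search-MailboxAuditLog -Identity $Owner -LogonTypes Admin, Delegate -ShowDetails `
    -StartDate $Since -EndDate $Until |
    Select-Object LastAccessed, LogonUserDisplayName, Operation, FolderPathName, ClientInfoString |
    Sort-Object LastAccessed -Descending

# 3. Who granted mailbox rights or changed role membership? The admin audit log records
#    every cmdlet run against the tenant, so filter on the ones that matter here.
Search-AdminAuditLog -StartDate $Since -EndDate $Until `
    -Cmdlets Add-MailboxPermission, Add-RoleGroupMember, New-ManagementRoleAssignment, Set-ManagementScope |
    Select-Object RunDate, Caller, CmdletName, ObjectModified |
    Sort-Object RunDate -Descending
```

Step 3 is the one that catches the case Will warns about: an admin who can edit permissions can also revert a deny, but the admin audit log still shows who ran the cmdlet and against which object.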
ASKER CERTIFIED SOLUTION
Vasil Michev (MVP)

slattdog

ASKER
Vasil: Looking at the TechNet articles it sounds like exclusive scopes are what I want. The articles talk mostly theory however, and I am not experienced with the cmdlets. Would it be possible for you to give me an example of what it would look like? Our O365 environment is currently set up with all default settings. It looks like what I'd want to do is create a new admin role group, assign it all the roles, but then create an exclusive scope that limits access to the owner's mailbox. Then I would assign the new admin users to that role group. Does that sound right, or am I missing it? :-)
SOLUTION
Vasil Michev (MVP)

slattdog

ASKER
Vasil: I must be missing something. I set up a test user. I followed the instructions you gave. I added the new admins to the default Organization Management group, but NOT the new CEO admin group. However, when I log in as one of the new admins they still have full access to the test user (who should be restricted based on the new scope).
slattdog

ASKER
I think I might have it working now. It appears it takes some time for the settings to take effect. Do you know if that is the case? And if so, is there a way to force an update? That would be very helpful in testing situations. :-)
Vasil Michev (MVP)

You need to relog in order for the new 'stripped down' session to take effect.
slattdog

ASKER
OK. It appears that I may have a syntax problem. It appears to work when I add a single email address to the list, but if I add multiple addresses then it does not work. Here is the format it shows when I do a Get-ManagementScope "Owner Scope":

RecipientFilter          : EmailAddresses -eq 'test1@company.com,test2@comapny.com'
slattdog

ASKER
It is definitely the content of the RecipientFilter. As long as I only have 1 email address in there it works fine. The TechNet article says to separate multiple addresses with a comma, but as soon as I do that it no longer works. Any idea what I'm missing, or typing wrong?
Vasil Michev (MVP)

If you want to include multiple addresses, either use wildcards or the 'or' clause:

EmailAddresses -eq 'test1@company.com' -or EmailAddresses -eq 'test2@comapny.com'

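The asker's outline a few posts up (new role group, all the roles, an exclusive scope around the owner's mailbox) and the filter fix just above can be put together in one script. The following is an added example and not Vasil's own answer (which is not reproduced on the page); it assumes an Exchange Online PowerShell session, and the addresses, scope name and group name are placeholders. It builds the filter with the `-or` form shown above rather than the comma-separated string that matched nothing.

```powershell
# Added example, not from the original thread. Assumes an Exchange Online PowerShell
# session is already open. All names and addresses below are placeholders.
$Protected = @('ceo@company.com', 'assistant@company.com')   # mailboxes to fence off
$ScopeName = 'Owner Scope'
$GroupName = 'CEO Admin'
$Roles     = @('Mail Recipients', 'Mail Recipient Creation', 'Reset Password')

# 1. Build the recipient filter. A comma inside one quoted string is compared literally
#    against each address and matches nothing; join the clauses with -or instead.
$Filter = ($Protected | ForEach-Object { "EmailAddresses -eq '$_'" }) -join ' -or '
# -> EmailAddresses -eq 'ceo@company.com' -or EmailAddresses -eq 'assistant@company.com'

# 2. Create the scope as EXCLUSIVE: once it exists, only assignments that carry this
#    scope can modify the recipients inside it, even if another admin's regular scope
#    (e.g. the whole organization) would otherwise include them.
New-ManagementScope -Name $ScopeName -RecipientRestrictionFilter $Filter -Exclusive

# 3. Role group for the few people who may manage the protected mailboxes. It is
#    created empty here because the exclusive scope is attached per assignment.
New-RoleGroup -Name $GroupName -Description 'May modify the owner mailbox only'

# 4. One assignment per role, each with the exclusive write scope.
foreach ($Role in $Roles) {
    New-ManagementRoleAssignment -Role $Role -SecurityGroup $GroupName `
        -ExclusiveRecipientWriteScope $ScopeName
}

# 5. Verify: what filter was stored, and which recipients it really resolves to.
(Get-ManagementScope -Identity $ScopeName).RecipientFilter
Get-Recipient -RecipientPreviewFilter (Get-ManagementScope -Identity $ScopeName).RecipientFilter |
    Select-Object Name, PrimarySmtpAddress

# 6. Verify: list every assignment that carries the exclusive scope.
Get-ManagementRoleAssignment -ExclusiveRecipientWriteScope $ScopeName |
    Select-Object Name, Role, RoleAssigneeName, RecipientWriteScope
```

Two caveats that follow from the thread itself: the restriction only shows up in a new session, so an admin who was already logged on has to log off and back on (Vasil's point below the asker's "takes some time" observation); and an exclusive scope limits writes only, so anyone who can create role assignments (members of Organization Management) can still assign the scope to themselves, which is the gap the asker runs into further down.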

slattdog

ASKER
Vasil:  The restriction now works for multiple email addresses following the syntax you gave me.  Thanks!

The problem now is that the other admins are not able to access certain features (notably message trace) unless I make them Organization Managers (but then they could just add themselves to the CEO admin role -- so that doesn't work.)  Any help would be appreciated.
Vasil Michev (MVP)

You can just grant them access to the said roles or particular cmdlets.
slattdog

ASKER
I get that, but it's not working as expected.  For example... I have created a test admin role for my test user as follows:

Assigned Roles
Audit Logs
Distribution Groups
Information Rights Management
Journaling
Legal Hold
Mail Enabled Public Folders
Mail Recipient Creation
Mail Recipients
Mail Tips
Message Tracking
Migration
Move Mailboxes
Org Custom Apps
Org Marketplace Apps
Organization Client Access
Organization Transport Settings
Public Folders
Recipient Policies
Reset Password
Retention Management
Team Mailboxes
Transport Hygiene
Transport Rules
UM Mailboxes
UM Prompts
Unified Messaging
User Options

Members
Test 1


Yet, when the test user logs in it does not have access to message tracking.
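When a role group looks right but the member still cannot use a feature, the first thing to check is what the tenant actually resolves for that user. The following is an added diagnostic and not part of the thread; it assumes an Exchange Online PowerShell session, and 'Test 1' and 'Test Admin Role' are placeholders standing in for the user and role group described above.

```powershell
# Added example, not from the original thread. Assumes an Exchange Online PowerShell
# session. 'Test 1' and 'Test Admin Role' are placeholders for the user and role group.
$User      = 'Test 1'
$RoleGroup = 'Test Admin Role'
$Role      = 'Message Tracking'

# 1. Is the user really a member of the role group (direct membership)?
Get-RoleGroupMember -Identity $RoleGroup | Select-Object Name, RecipientType

# 2. Which users does the Message Tracking role effectively reach? -GetEffectiveUsers
#    expands role-group membership, so the test user should appear here.
Get-ManagementRoleAssignment -Role $Role -GetEffectiveUsers |
    Where-Object { $_.EffectiveUserName -eq $User } |
    Select-Object RoleAssigneeName, RoleAssignmentDelegationType, RecipientWriteScope, Enabled

# 3. Which cmdlets does that role actually grant? The feature in the admin center may
#    need a cmdlet that lives in a different role, so compare this list with the error.
Get-ManagementRoleEntry -Identity "$Role\*" | Select-Object Name, Parameters

# 4. Every assignment the user receives, through any role group, in one view.
Get-ManagementRoleAssignment -RoleAssignee $User |
    Select-Object Role, RoleAssigneeName, RecipientWriteScope, Enabled |
    Sort-Object Role
```

As with the exclusive scope earlier in the thread, run these checks from a fresh session for the test user; assignments made after a logon are not reflected until the user logs on again.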