Forum Discussion
Exchange Online access via PIM
Hi,
We are looking to grant more granular access to the Exchange Online portal for our support teams instead of the Exchange Admin Entra role. The idea is to set up cloud security groups, onboard them to PIM and grant the users eligible assignments. The groups would then be assigned to the Exchange Online role groups (RBAC) in the Exchange Portal. It appears, though, that the Exchange Portal requires mail-enabled security groups, and mail-enabled security groups cannot be onboarded to PIM.
Does anyone know if this is by design?
What is the alternative solution to grant JIT access to the Exchange Portal instead of the Entra role or the standing access of the users assigned directly to the RBAC roles on the Exchange Portal? Many thanks.
2 Replies
- YaseminBrass Contributor
There's also an Exchange Recipient Admin Role assignable in Entra ID. It has fewer permissions than the Exchange Admin Role.
- SterlingFordIron Contributor
First, log in to the Azure management backend, find Privileged Identity Management in Azure AD, and set up privilege policies for the role of administrator: users have to use double verification such as an SMS authentication code when applying for privileges, and can only use the privileges temporarily for 8 hours after approval.
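
Added example, not part of the thread and not any poster's code: a Python check that audits the activation rules of an exported PIM policy against the baseline described in the last reply (MFA on activation, approval required, at most 8 hours). It assumes the rule ids and field names of the Microsoft Graph `unifiedRoleManagementPolicy` rule objects; the function names and both sample policies are constructed for illustration.

```python
import re

ACTIVATION_RULE_IDS = {  # rule ids for end-user activation of an eligible assignment
    "expiration": "Expiration_EndUser_Assignment",
    "enablement": "Enablement_EndUser_Assignment",
    "approval": "Approval_EndUser_Assignment",
}

def duration_hours(iso):
    """Convert an ISO 8601 duration such as PT8H, PT30M or P1D to hours."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?)?", iso or "")
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {iso!r}")
    days, hours, minutes = (int(g or 0) for g in m.groups())
    return days * 24 + hours + minutes / 60

def audit_activation_policy(rules, max_hours=8):
    """Return findings for one policy; an empty list means it meets the baseline."""
    by_id = {r.get("id"): r for r in rules}
    findings = []
    exp = by_id.get(ACTIVATION_RULE_IDS["expiration"], {})
    try:
        if duration_hours(exp.get("maximumDuration")) > max_hours:
            findings.append(f"activation can exceed {max_hours}h")
    except ValueError:
        findings.append("activation duration missing or unparseable")
    ena = by_id.get(ACTIVATION_RULE_IDS["enablement"], {})
    if "MultiFactorAuthentication" not in (ena.get("enabledRules") or []):
        findings.append("MFA not required on activation")
    apr = by_id.get(ACTIVATION_RULE_IDS["approval"], {})
    if not (apr.get("setting") or {}).get("isApprovalRequired", False):
        findings.append("approval not required")
    return findings

# Constructed sample, not a real tenant export: a policy matching the reply.
GOOD = [
    {"id": "Expiration_EndUser_Assignment", "maximumDuration": "PT8H"},
    {"id": "Enablement_EndUser_Assignment",
     "enabledRules": ["MultiFactorAuthentication", "Justification"]},
    {"id": "Approval_EndUser_Assignment", "setting": {"isApprovalRequired": True}},
]
# Constructed sample with three deviations: 1 day, no MFA, no approval.
WEAK = [
    {"id": "Expiration_EndUser_Assignment", "maximumDuration": "P1D"},
    {"id": "Enablement_EndUser_Assignment", "enabledRules": ["Justification"]},
    {"id": "Approval_EndUser_Assignment", "setting": {"isApprovalRequired": False}},
]

if __name__ == "__main__":
    for name, rules in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, audit_activation_policy(rules) or "meets baseline")
```

The check only confirms that MFA is demanded at activation; which MFA methods are accepted is governed elsewhere in the tenant and is not visible in these rules.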