Forum Discussion
Exchange RBAC Challenge: Restricting Admin Level Access to Selected Mailboxes
This is a common challenge in organizations that need to balance operational support with data privacy and executive confidentiality. While Exchange Online offers powerful role-based access control (RBAC), it doesn't natively support mailbox-level exclusions within a broader access scope. Here's how you can work around that limitation.
Understanding the Limitations
- RBAC Scopes: These define who an admin can manage, but they don’t restrict read access once a role is assigned.
- Administrative Units (AUs): Useful in Azure AD for scoping user management, but they don’t apply to Exchange mailbox access.
- Application Access Policies: Only apply to app-based access (not human admins), and only for application permissions.
The Workaround: Explicitly Deny Mailbox Access
To block access to specific mailboxes (like those of executives), you can use mailbox permissions to explicitly deny access—even if broader permissions are granted elsewhere.
Step-by-Step Instructions
- Create a security group for your Service Desk L1 team if one doesn’t already exist.
- Remove any existing Full Access permissions to the executive mailboxes:
Remove-MailboxPermission -Identity "email address removed for privacy reasons" -User "ServiceDeskL1Group" -AccessRights FullAccess
- Explicitly deny access to those mailboxes:
Add-MailboxPermission -Identity "email address removed for privacy reasons" -User "ServiceDeskL1Group" -AccessRights FullAccess -Deny:$true
This deny rule overrides any inherited or assigned access, effectively blocking the group from accessing the specified mailboxes.
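The steps above carried through as one script, with a verification pass at the end. This is an added example, not code from the original post: it assumes the ExchangeOnlineManagement module is installed, reuses the group name "ServiceDeskL1Group" from the post, and uses constructed placeholder addresses (ceo@contoso.example, cfo@contoso.example) where the post had the real executive mailboxes.

```powershell
# Added example (not from the original post): remove any existing FullAccess
# grant, add an explicit FullAccess deny, then verify the deny is in place.
# Assumptions: ExchangeOnlineManagement module installed; group name from the
# post; mailbox addresses are constructed placeholders.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in as an Exchange administrator

$group = "ServiceDeskL1Group"
$executiveMailboxes = @(
    "ceo@contoso.example",   # constructed placeholder
    "cfo@contoso.example"    # constructed placeholder
)

foreach ($mailbox in $executiveMailboxes) {
    # 1. Remove any existing (allow) FullAccess entry for the group so that
    #    the deny entry is the only one that remains.
    $allowEntry = Get-MailboxPermission -Identity $mailbox -User $group -ErrorAction SilentlyContinue |
        Where-Object { ($_.AccessRights -contains "FullAccess") -and (-not $_.Deny) }
    if ($allowEntry) {
        Remove-MailboxPermission -Identity $mailbox -User $group -AccessRights FullAccess -Confirm:$false
    }

    # 2. Add the explicit deny. A deny entry takes precedence over any allow
    #    the group would otherwise receive on this mailbox.
    Add-MailboxPermission -Identity $mailbox -User $group -AccessRights FullAccess -Deny

    # 3. Verify: Get-MailboxPermission exposes a Deny flag per entry, so the
    #    check is simply "is there a FullAccess entry with Deny set?".
    $denyEntry = Get-MailboxPermission -Identity $mailbox -User $group |
        Where-Object { $_.Deny -and ($_.AccessRights -contains "FullAccess") }
    if ($denyEntry) {
        Write-Output "OK   $mailbox : FullAccess explicitly denied for $group"
    } else {
        Write-Warning "FAIL $mailbox : no FullAccess deny entry found for $group"
    }
}
```

Re-running the script is safe: the allow entry is only removed if present, and the verification step reports each mailbox individually, which makes it suitable for a periodic check that the deny entries have not been removed.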
Optional: Split Admin Roles
If your organization supports it, consider splitting admin responsibilities:
- Assign the L1 team to a custom management scope that excludes executive mailboxes.
- Assign broader access (including executives) to a higher-tier admin group (e.g., L2 or L3).
This layered approach ensures that only trusted personnel have access to sensitive mailboxes.
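The split-role option expressed as a custom management scope plus two role assignments. This is an added example, not code from the original post: it assumes executives are tagged with CustomAttribute1 = "Executive" (a constructed convention), that "ServiceDeskL1Group" (from the post) and "ServiceDeskL2Group" (a constructed name) are mail-enabled universal security groups, and that the ExchangeOnlineManagement module is installed.

```powershell
# Added example (not from the original post): scope the L1 team's recipient
# management to non-executive mailboxes and give the L2 team the default
# organization-wide scope.
# Assumptions: CustomAttribute1 = "Executive" tagging is a constructed
# convention; "ServiceDeskL2Group" is a constructed name; both groups are
# mail-enabled universal security groups; mailbox addresses are placeholders.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# 1. Tag the executive mailboxes so a recipient filter can pick them out.
$executiveMailboxes = @("ceo@contoso.example", "cfo@contoso.example")   # constructed
foreach ($mailbox in $executiveMailboxes) {
    Set-Mailbox -Identity $mailbox -CustomAttribute1 "Executive"
}

# 2. Build a scope whose recipient filter excludes anything tagged Executive.
#    The filter is evaluated when a cmdlet runs, so a newly tagged mailbox
#    leaves the L1 scope without any further change to the scope itself.
New-ManagementScope -Name "L1-NonExecutiveRecipients" `
    -RecipientRestrictionFilter "CustomAttribute1 -ne 'Executive'"

# 3. Assign the role to L1 inside that custom write scope only...
New-ManagementRoleAssignment -Name "L1-MailRecipients-NonExec" `
    -Role "Mail Recipients" `
    -SecurityGroup "ServiceDeskL1Group" `
    -CustomRecipientWriteScope "L1-NonExecutiveRecipients"

# ...and to L2 with the default write scope (all recipients in the organization).
New-ManagementRoleAssignment -Name "L2-MailRecipients-All" `
    -Role "Mail Recipients" `
    -SecurityGroup "ServiceDeskL2Group"

# 4. Check which recipients fall inside the L1 scope; the tagged executives
#    should be absent from this list.
$scopeFilter = (Get-ManagementScope -Identity "L1-NonExecutiveRecipients").RecipientFilter
Get-Recipient -RecipientPreviewFilter $scopeFilter |
    Select-Object Name, PrimarySmtpAddress, CustomAttribute1
```

The scope limits which recipients the L1 assignment lets the team manage with Exchange cmdlets, which is a different control from the mailbox-permission deny in the earlier steps; using both gives the layered result the post describes, with the scope governing administration and the deny governing access to mailbox content.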
Conclusion
While Exchange Online doesn’t offer a built-in way to exclude specific mailboxes from admin access, using explicit deny permissions provides a reliable workaround. It’s a practical solution that helps maintain both operational efficiency and executive privacy.