Forum Discussion

MinorSecond
Copper Contributor
Mar 24, 2025
Solved

Using Groups to Assign Exchange Admin Roles to Accounts Without Mailboxes

Exchange Online.  Cloud-only environment.  I'm trying to figure out the best way to assign Exchange admin roles to various IT staff in our organization.  All of our IT staff have dedicated admin accounts for admin tasks, and these accounts do not have mailboxes.  Ideally, I'm trying to make things so that when I add an IT tech's admin account to a group, they get the necessary Exchange roles.

I have an Exchange admin role.  But I see that only mail-enabled security groups can be assigned to these roles (and direct user assignment which I'm trying to avoid).  No problem.  So I try to create a mail-enabled security group and add these admin accounts (no mailbox) as members of the mail-enabled security group.  I can't because the accounts don't have mailboxes.

Is there a better way to do this?  Any recommendations?

  • 1. Core implementation approach
    Assign roles through security groups.
    Create a dedicated security group:
    ```powershell
    # -Type Security creates a mail-enabled security group in Exchange Online
    New-DistributionGroup -Name "Exchange-Admins-NoMailbox" -Type Security
    ```
    Add the users without mailboxes:
    ```powershell
    Add-DistributionGroupMember -Identity "Exchange-Admins-NoMailbox" -Member "user1"
    ```
    Assign the administrator role:
    ```powershell
    # "Organization Management" is a role group, so the security group is added as a member of it
    Add-RoleGroupMember -Identity "Organization Management" -Member "Exchange-Admins-NoMailbox"
    ```
    2. Privilege granularity control
    Custom role creation. Copy an existing role:
    ```powershell
    # The parent must be a management role; "Mail Recipient Creation" is the role that contains New-Mailbox
    New-ManagementRole -Parent "Mail Recipient Creation" -Name "Limited Recipient Admin"
    ```
    Remove unneeded cmdlets:
    ```powershell
    Remove-ManagementRoleEntry -Identity "Limited Recipient Admin\New-Mailbox" -Confirm:$false
    ```
    3. Special handling of mixed environments
    Azure AD synchronization considerations:
    Ensure local AD security groups are synchronized to Azure AD.
    Verify the group properties:
    ```powershell
    # ActiveDirectory module; reads the on-premises group object that is synchronized
    Get-ADGroup -Identity "Exchange-Admins-NoMailbox" -Properties * | Select-Object *
    ```
    4. Verification steps
    Test that the permissions take effect:
    Log in to the Exchange Management Shell with an account that has no mailbox.
    Execute the test command:
    ```powershell
    Get-Mailbox -ResultSize 1
    ```
    Confirm that you can perform authorized operations but cannot access the personal mailbox functionality.
    5. Best practices
    Security recommendations:
    Create separate security groups for each role.
    Enable audit logging:
    ```powershell
    Set-AdminAuditLogConfig -AdminAuditLogEnabled $true
    ```
    Periodically review group membership:
    ```powershell
    Get-DistributionGroupMember -Identity "Exchange-Admins-NoMailbox"
    ```
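The procedure above as one end-to-end Exchange Online PowerShell script, added here as an example and not code from the original poster or the reply. It handles the case the question is actually about: an account with no mailbox is not an Exchange recipient, so `Add-DistributionGroupMember` rejects it, and the script falls back to adding such accounts to the role group directly while mail-enabled accounts still go through the mail-enabled security group. It assumes the ExchangeOnlineManagement module with an open `Connect-ExchangeOnline` session, and the UPNs, group name, role group name and role name are hypothetical placeholders.

```powershell
# Added example (not from the original thread). Assumes an existing session:
#   Connect-ExchangeOnline -UserPrincipalName admin@contoso.example
# All names below are hypothetical placeholders.

$candidates = @(
    'adm-alice@contoso.example',   # constructed: admin account without a mailbox
    'adm-bob@contoso.example'      # constructed: admin account without a mailbox
)
$groupName     = 'Exchange-Admins-NoMailbox'   # hypothetical mail-enabled security group
$roleGroupName = 'Limited Recipient Admins'    # hypothetical custom role group
$roleName      = 'Limited Recipient Admin'     # hypothetical custom management role

# 1. A mail-enabled security group only accepts recipients. Get-Recipient returns
#    nothing for a plain user object, so those accounts cannot be group members
#    and must be assigned through the role group instead.
$viaGroup = @()
$direct   = @()
foreach ($upn in $candidates) {
    if (Get-Recipient -Identity $upn -ErrorAction SilentlyContinue) {
        $viaGroup += $upn
    } else {
        $direct += $upn
    }
}

# 2. Build the custom role from a built-in parent and drop the entries that should
#    not be delegated (least privilege). New-Mailbox lives in "Mail Recipient Creation".
if (-not (Get-ManagementRole -Identity $roleName -ErrorAction SilentlyContinue)) {
    New-ManagementRole -Name $roleName -Parent 'Mail Recipient Creation' | Out-Null
    Remove-ManagementRoleEntry -Identity "$roleName\New-Mailbox" -Confirm:$false
}

# 3. One role group per role; membership of the role group is the single thing to manage.
if (-not (Get-RoleGroup -Identity $roleGroupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $roleGroupName -Roles $roleName | Out-Null
}

# Recipients go through the mail-enabled security group, which is itself a role group
# member; accounts without a mailbox are added to the role group directly.
if ($viaGroup.Count -gt 0) {
    if (-not (Get-DistributionGroup -Identity $groupName -ErrorAction SilentlyContinue)) {
        New-DistributionGroup -Name $groupName -Type Security | Out-Null
    }
    foreach ($upn in $viaGroup) { Add-DistributionGroupMember -Identity $groupName -Member $upn }
    Add-RoleGroupMember -Identity $roleGroupName -Member $groupName
}
foreach ($upn in $direct) {
    Add-RoleGroupMember -Identity $roleGroupName -Member $upn
}

# 4. Verify what the role can do and who holds it.
Get-ManagementRoleEntry -Identity "$roleName\*" |
    Where-Object { $_.Name -like '*-Mailbox' } |
    Select-Object Name, Parameters
Get-RoleGroupMember -Identity $roleGroupName | Select-Object Name, RecipientType
Get-ManagementRoleAssignment -RoleAssignee $roleGroupName | Select-Object Role, RoleAssigneeName

# 5. Audit: who changed role group membership in the last 30 days.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -RecordType ExchangeAdmin -Operations 'Add-RoleGroupMember','Remove-RoleGroupMember' |
    Select-Object CreationDate, UserIds, Operations
```

The `Get-Recipient` check is the part worth keeping even if you do nothing else: it tells you up front which accounts the mail-enabled security group can hold. For cloud-only admin accounts that will never have a mailbox, the other group-based route is an Entra ID role-assignable group holding the Exchange Administrator directory role; that keeps membership in one group as the question asks, at the cost of granting the full directory role rather than a scoped Exchange RBAC role.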
