Forum Discussion
Using Groups to Assign Exchange Admin Roles to Accounts Without Mailboxes
- Mar 28, 2025
1. Core implementation approach
Assign roles through security groups:
Create a dedicated security group:
```powershell
# -Type Security creates a mail-enabled universal security group, which is the
# only group type Exchange RBAC accepts as a role assignee
New-DistributionGroup -Name "Exchange-Admins-NoMailbox" -Type Security
```
2. Add no-mailbox users:
```powershell
# An AD account with no mailbox is not an Exchange recipient, so
# Add-DistributionGroupMember cannot resolve it; use the AD module instead
Add-ADGroupMember -Identity "Exchange-Admins-NoMailbox" -Members "user1"
```
3. Assign the administrator role:
```powershell
# "Organization Management" is a role group, so add the security group as one of
# its members. (New-ManagementRoleAssignment -SecurityGroup expects a management
# role such as "Mail Recipients", not a role group.)
Add-RoleGroupMember -Identity "Organization Management" -Member "Exchange-Admins-NoMailbox"
```
4. Privilege granularity control
Custom Role Group Creation:
Copy an existing role:
```powershell
# -Parent must be a management role ("Recipient Management" is a role group);
# the new child role starts with every cmdlet entry the parent has
New-ManagementRole -Parent "Mail Recipients" -Name "Limited Recipient Admin"
```
5. Remove unneeded cmdlets:
```powershell
# Remove-ManagementRoleEntry drops a cmdlet from the custom role entirely; here
# the delegate loses the ability to grant mailbox access to other users
Remove-ManagementRoleEntry "Limited Recipient Admin\Add-MailboxPermission" -Confirm:$false
```
6. Special handling of mixed environments
Azure AD Synchronization Considerations:
Ensure local AD security groups are synchronized to Azure AD
Verify the group properties:
```powershell
# Exchange RBAC requires a Universal security group; confirm scope and category
# on the on-premises object that is being synchronized
Get-ADGroup -Identity "Exchange-Admins-NoMailbox" -Properties mail |
    Select-Object Name, GroupScope, GroupCategory, mail
```
7. Verification Steps
Test that the permissions take effect:
Log in to the Exchange Management Shell with the no-mailbox account.
Execute the test command:
```powershell
Get-Mailbox -ResultSize 1
```
Confirm that you can perform the authorized operations but cannot access personal mailbox functionality.
8. Best Practices
Security Recommendation:
Create separate security groups for each role
Enable audit logging:
```powershell
# Exchange Server; in Exchange Online admin audit logging is already on by default
Set-AdminAuditLogConfig -AdminAuditLogEnabled $true
```
Periodically review group membership:
```powershell
Get-DistributionGroupMember "Exchange-Admins-NoMailbox"
```
Hello, I need to accomplish the same, as I too am running into a similar issue. I do not have on-prem AD; our users are 100% cloud-based in Azure Entra ID. I have a security group in Entra where I added my admin users, which do NOT have mailboxes, just Entra user accounts. I then added that group to Exchange Online admin roles, for example Organization Management, but they cannot perform any admin tasks. Any help is much appreciated.