teddanioni
Sep 16, 2021

Define Exchange admin roles for specific AU (administrative unit) users

Hi,

We are trying to separate a customer's internal companies by using AUs in AAD. This AU contains cloud-only users. However, the predefined roles in AAD are not what we're looking for. We'd like to have a more granular approach by adding Exchange admin roles to specifically administrate distribution groups and O365 groups, but these users (Helpdesk) should only be allowed to create or edit groups that are within their specific AU, not the entire tenant.

I've tried to fiddle with this by creating new management scopes in PowerShell, but it does not seem possible to create a scope which only applies to the AU.

Any ideas? Thanks a lot in advance.

2 Replies

  • That's not possible, but you can use Exchange's RBAC model to achieve something similar via the native management scopes. Copy the criteria you use for the AU, or populate one of the customattributeXXX or base it on group membership.
    • KRKHiram

      VasilMichev, Exchange has the Get-AdministrativeUnit command in Exchange Online PowerShell.

      I can't use the "name" listed under this command with the New-ManagementRoleAssignment command to give RBAC to a user in that AU?
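
One way to set up the management-scope approach from the first reply, as an added example that is not part of the original thread. The tag value, scope name, role group name, addresses and the choice of CustomAttribute1 are placeholders assumed for illustration.

```powershell
# Added example: scope a helpdesk role group to recipients tagged for one company.
# All names and addresses below are placeholders (assumptions), not from the thread.
Connect-ExchangeOnline

$tag       = 'CompanyA'                        # value stamped on in-scope objects
$filter    = "CustomAttribute1 -eq '$tag'"     # same criterion reused by the scope
$scopeName = 'CompanyA-Recipients'
$roleGroup = 'CompanyA-GroupHelpdesk'

# 1. Stamp the groups that belong to this company (repeat per object).
Set-DistributionGroup -Identity 'companya-sales@contoso.example' -CustomAttribute1 $tag
Set-UnifiedGroup      -Identity 'companya-team@contoso.example'  -CustomAttribute1 $tag

# 2. Preview what the filter matches BEFORE granting anything on it.
Get-Recipient -Filter $filter -ResultSize Unlimited |
    Sort-Object RecipientTypeDetails, Name |
    Format-Table Name, RecipientTypeDetails, PrimarySmtpAddress

# 3. Create the recipient scope from the same filter.
New-ManagementScope -Name $scopeName -RecipientRestrictionFilter $filter

# 4. Create a role group whose write scope is limited to that scope.
New-RoleGroup -Name $roleGroup `
    -Roles 'Distribution Groups' `
    -CustomRecipientWriteScope $scopeName `
    -Members 'helpdesk1@contoso.example'

# 5. Verify the assignment carries the custom scope, not the organization scope.
Get-ManagementRoleAssignment -RoleAssignee $roleGroup |
    Format-List Name, Role, RecipientWriteScope, CustomRecipientWriteScope

# 6. Least-privilege check: list any other assignment that reaches the helpdesk
#    user with organization-wide write scope (direct or through another group).
Get-ManagementRoleAssignment -RoleAssignee 'helpdesk1@contoso.example' |
    Where-Object { $_.RecipientWriteScope -eq 'Organization' } |
    Format-Table Name, Role, RoleAssigneeName, RecipientWriteScope
```

The scope only covers objects that carry the tag, so the output of step 2 should be reviewed whenever groups are added or re-tagged; any row returned by step 6 means the user can still write outside the intended boundary.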
