Forum Discussion
Limiting access based on domain
I have 1 tenant with 12 domains. I would like to give 1 email account on each domain access to change users under their domain, but only to their domain. Possible?
I am more than happy to play with a user account on our live tenant, but I am seriously new to this, and I find the documentation on anything related to this is missing or outdated.
Well, I tried creating an AU, added a group of members specific to the domain of users I want to manage, and it still shows every user.
Without detailed instructions, and decent documents, I find working with Azure or Exchange to be all trial and error. You would think the people that designed these systems would at least document how it works.
Without detailed instructions, and decent documents, I find working with Azure or Exchange to be all trial and error. You would think the people that designed these systems would at least document how it works.
- Keep in mind that if you already have an admin role assigned, you will not be subject to the AU restrictions, so best test with a fresh account. Look at the top right corner of the screen, when on the Users > Active users page in the M365 admin center. If the user is assigned to one or more "scoped" roles, you will see the "Select administrative unit" ("No unit selected") dropdown there. With the default selection, you will see all the objects. Switch to the AU-based scope you've created to see the limited list of users/objects.
Thanks, I see that. But at what step do I add it to a specific domain. I want THIS user to only administer the emails of their own domain. We will have 12 domains added to the 1 tenant.
- You cannot designate domains per se, instead you enumerate all users "associated" with specific domain and add them as members of the given AU. Rinse and repeat for all other domains.
