we have mailboxes in exchange online which must strictly confidential. these mailboxes must be protected separately. no global administrator isn't allowed assign access rights. is there a simple way to protect these mailboxes so that only a special global administrator can assign rights there? For example special RBAC rolle? Did anyone else do this before?
Exclusive scopes are the way to go, with the remark that any Global admin can simply reverse the configuration and still gain access, if he knows what he's doing. So as usual, the most important factor is trust.