Administration Exchange local admins


Hello,

We have about 1500 users with O365 and we are now moving all on-prem users from Exchange 2010 to O365 (E3). We also have the geo location option for Europe.

 

Q: We have a global Exchange admin account. But we need to define local exchange administrators for each country enabling the admin to create, delete exchange users for his region. Like 1 exchange admin for UK, 1 exchange admin for Germany etc. How can we set up roles? users? for this purpose. Thanks!  

2 Replies

Hello @cf_2020!

 

I don't think this is possible.

There is a Geo-Administrator "role" that gives users administrator access of a certain geo location. But this role is only applicable for OneDrive and SharePoint. 

 

I believe that Exchange is not able to be managed in this kind of behavior. 

Your best bet would be to perhaps set up management scopes for each geo location and then add the admins to those scopes. 
This would in theory make it possible for them to only manage their location's users.

 

Let me know if you need further assistance

 

Kind Regards
Oliwer Sjöberg


Depends on what exactly you want. Technically speaking, creating new mailboxes in O365 is done by assigning a license, which is an Azure AD operation. Thus you need the corresponding Azure AD/Office 365 admin role, and those are challenging to scope down to a subset of users. Best you can do in this regard is use Administrative units: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-administrative-...

 

AUs are quite limited though, so don't expect wonders. Now, if you only want to delegate Exchange-related tasks (sans provisioning user mailboxes), you can do just fine as Exchange Online's RBAC model is very robust and you can create custom management scopes limited to a particular country or department. Pretty much the same procedures as with on-premises server apply.
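
The per-country management scopes both replies suggest, as an added example that is not part of the original thread: one recipient write scope and one role group per country, so each local admin can modify only recipients in that country. The account names, scope and group names, and the assumption that every user's CountryOrRegion attribute is populated are hypothetical; as the last reply notes, this delegates Exchange tasks only, not mailbox creation through license assignment.

```powershell
# Added example. Requires the ExchangeOnlineManagement module and an account
# that is allowed to manage RBAC (for example a member of Organization Management).
Connect-ExchangeOnline

# Constructed sample data: the country value stored in each user's
# CountryOrRegion attribute, a short tag, and a hypothetical local admin account.
$regions = @(
    @{ Country = 'United Kingdom'; Tag = 'UK'; Admin = 'uk-admin@contoso.example' },
    @{ Country = 'Germany';        Tag = 'DE'; Admin = 'de-admin@contoso.example' }
)

foreach ($r in $regions) {
    $scopeName = "Recipients-$($r.Tag)"
    $groupName = "Exchange Admins $($r.Tag)"

    # Write scope: only recipients whose CountryOrRegion matches this country.
    New-ManagementScope -Name $scopeName `
        -RecipientRestrictionFilter "CountryOrRegion -eq '$($r.Country)'"

    # Role group limited to that scope. 'Mail Recipients' covers managing
    # existing mailboxes and other recipients; add roles only as needed.
    New-RoleGroup -Name $groupName `
        -Roles 'Mail Recipients' `
        -CustomRecipientWriteScope $scopeName `
        -Members $r.Admin
}

# Verify the scoping: every assignment of the group should list the custom
# write scope, not the organization-wide default.
Get-ManagementRoleAssignment -RoleAssignee 'Exchange Admins UK' |
    Format-Table Name, Role, CustomRecipientWriteScope -AutoSize

# Preview which recipients the German scope actually covers. Users with an
# empty or misspelled CountryOrRegion fall outside every scope.
Get-Recipient -Filter "CountryOrRegion -eq 'Germany'" -ResultSize Unlimited |
    Select-Object DisplayName, PrimarySmtpAddress, CountryOrRegion
```

Because the scope is evaluated against a directory attribute, anyone who can edit CountryOrRegion can move a user in or out of a local admin's reach, so write access to that attribute should stay with the central team.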