How to prevent Admin role from accessing another user mailbox?


Hello,


Our management wants to be assured that no other user has access to view another user's mailbox items. The "other user" means, of course, someone with administrative rights from the IT dept.


I thought that this requirement could be accomplished by creating an admin role about as powerful as Global administrator but without certain rights (e.g. delegation rights to other users' mailboxes). Global admin credentials would then be stored in a safe place and used in case of extra need.


Please advise me if O365 rights management allows me to do that.

Also, is it a proper way to handle this requirement, or maybe there is some simpler way?


Thanks in advance

4 Replies

You cannot prevent Global admins or Exchange admins from accessing other users' mailboxes. Even if you remove the corresponding cmdlets from the RBAC roles or configure exclusive scopes, they can always revert those settings, assuming they know what they're doing. You can prevent users with other roles from doing this.


@Vasil Michev Thanks for your answer. I think that there should be an option to set more granular permissions to enable a scenario where you may create many very powerful admins (copies of global admin) without certain rights, like access to other users' mailboxes.


There isn't. Everyone and anyone that has been granted Global admin has all the keys to the kingdom. Period. This is why you keep the number of GAs to a minimum and only grant the role to people you fully trust.


And there isn't such a thing as a "copy of global admin"; we cannot create custom Azure AD roles. We can put some controls in place (custom RBAC roles, exclusive scopes, PAM, etc.), but again all of these can be overwritten by a GA.
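The "custom RBAC roles" control mentioned in the two replies above, as an added example that is not part of the thread: an Exchange Online role derived from the built-in "Mail Recipients" role with the mailbox-delegation cmdlets and parameters removed, assigned through a role group so that only its members are limited. The role name, group name and member address are assumptions chosen for this example; as the replies say, this limits lower-tier admins only, since a Global or Exchange admin can still change the role.

```powershell
# Added example, not from the thread. Requires the ExchangeOnlineManagement module
# and an account that can manage roles (Organization Management).
Connect-ExchangeOnline

$roleName  = "Mail Recipients - No Mailbox Delegation"     # assumed name
$groupName = "Tier1 Helpdesk (no mailbox delegation)"      # assumed name
$member    = "helpdesk.user@contoso.example"               # assumed member

# 1. Derive a child role; it starts with every cmdlet entry of its parent.
New-ManagementRole -Name $roleName -Parent "Mail Recipients"

# 2. Drop the cmdlets that grant someone else access to a mailbox.
#    Entries that the parent role does not contain are simply skipped.
$delegationCmdlets = @(
    "Add-MailboxPermission",
    "Add-MailboxFolderPermission",
    "Set-MailboxFolderPermission",
    "Add-RecipientPermission"
)
foreach ($cmdlet in $delegationCmdlets) {
    if (Get-ManagementRoleEntry "$roleName\$cmdlet" -ErrorAction SilentlyContinue) {
        Remove-ManagementRoleEntry "$roleName\$cmdlet" -Confirm:$false
    }
}

# 3. Keep Set-Mailbox for day-to-day work, but strip the parameters that
#    delegate or redirect mail (only those the entry actually exposes).
$entry    = Get-ManagementRoleEntry "$roleName\Set-Mailbox"
$toRemove = @("GrantSendOnBehalfTo", "ForwardingAddress", "ForwardingSmtpAddress") |
    Where-Object { $entry.Parameters -contains $_ }
if ($toRemove) {
    Set-ManagementRoleEntry "$roleName\Set-Mailbox" -Parameters $toRemove -RemoveParameter
}

# 4. Publish the reduced role through a role group; do not also give these
#    members Recipient Management or Organization Management.
New-RoleGroup -Name $groupName -Roles $roleName -Members $member

# 5. Verify: none of the removed cmdlets may remain in the new role.
Get-ManagementRoleEntry "$roleName\*" |
    Where-Object { $delegationCmdlets -contains $_.Name } |
    ForEach-Object { Write-Warning "Still present in ${roleName}: $($_.Name)" }
```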


@Admin_001 hi there! Depending on what O365 license you have, you can also set up an alert to monitor mailbox access; in order for this to work you will have to enable audit logging first.


The alert can be created in the Security & Compliance Admin center (screenshot attached). Let me know if that works!
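The audit-and-alert approach from the reply above, as an added example that is not part of the thread: it confirms mailbox auditing is on, pulls non-owner mailbox access out of the unified audit log, and creates the same kind of alert policy from PowerShell. The notification address, look-back window and policy name are assumptions chosen for this example; alert policies depend on your licensing, as the reply notes.

```powershell
# Added example, not from the thread. Requires the ExchangeOnlineManagement module.
Connect-ExchangeOnline     # Exchange Online cmdlets
Connect-IPPSSession        # Security & Compliance cmdlets (New-ProtectionAlert)

# 1. Auditing must be on, and no mailbox should be excluded via a bypass association.
if ((Get-OrganizationConfig).AuditDisabled) {
    Set-OrganizationConfig -AuditDisabled $false
}
Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object { $_.AuditBypassEnabled } |
    ForEach-Object { Write-Warning "Audit bypass enabled for $($_.Name)" }

# 2. Pull item-access events for the last 7 days (window is an assumption).
$start   = (Get-Date).AddDays(-7)
$end     = Get-Date
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -Operations MailItemsAccessed -ResultSize 5000

# 3. Keep only events where the acting account is not the mailbox owner.
#    LogonType in the audit record: 0 = owner, 1 = admin, 2 = delegate.
$nonOwner = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    if ($d.LogonType -ne 0 -or $d.UserId -ne $d.MailboxOwnerUPN) {
        [pscustomobject]@{
            When      = $d.CreationTime
            Actor     = $d.UserId
            Mailbox   = $d.MailboxOwnerUPN
            LogonType = $d.LogonType
        }
    }
}
$nonOwner | Sort-Object When | Format-Table -AutoSize

# 4. Alert on future occurrences; triage owner-vs-admin logon from the record.
New-ProtectionAlert -Name "Non-owner mailbox item access" `   # assumed name
    -Category ThreatManagement -ThreatType Activity `
    -Operation MailItemsAccessed -AggregationType None -Severity Medium `
    -NotifyUser "secops@contoso.example" `                    # assumed address
    -Description "MailItemsAccessed seen; check LogonType and UserId vs MailboxOwnerUPN."
```

MailItemsAccessed is the event that records reads of mailbox content; owner reads are included, which is why step 3 filters on LogonType and the owner UPN before anyone is paged.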