Exchange Online RBAC


We are in the process of migrating to Exchange Online (from Exchange 2016) and want to know the best way to apply RBAC. In the On Premise configuration we limited the local admins to only be able to edit mailboxes within their Organizational Unit, basically by the Write Scope.

Obviously AAD does not have OUs, so I am wondering what the best way to restrict access is? I have tried Set-ManagementScope and the "RecipientFilter"; does anyone have the best way to use the "RecipientFilter" - namely use Company Name, Location etc.

Also, should we use this in conjunction with the "Exchange recipient administrators" role?

1 Reply
That's totally up to you - whatever attribute makes sense. Some more convoluted scenarios, such as restricting permissions for eDiscovery, only support "member of group" type of scopes, but for the generic roles attributes such as Department, Company, Office and so on work just fine.
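
One way to apply the attribute-based scoping described in the reply, as an added example that is not part of the original thread: it previews which recipients a Company filter matches, creates a write scope from that filter (the cmdlet parameter is `-RecipientRestrictionFilter`), and binds the scope to a role group. The company value, scope name, role group name and member address are hypothetical placeholders, and it assumes the Company attribute is populated consistently on the recipients.

```powershell
# Added example; every name and value below is a hypothetical placeholder.
# Requires the ExchangeOnlineManagement module and an account allowed to manage RBAC.
Connect-ExchangeOnline

$company   = 'Contoso Ltd'                      # hypothetical Company attribute value
$scopeName = 'Scope-Contoso-Recipients'         # hypothetical management scope name
$groupName = 'Contoso Local Recipient Admins'   # hypothetical role group name
$admins    = 'localadmin1@contoso.example'      # hypothetical local admin account
$filter    = "Company -eq '$company'"

# 1. Preview what the filter matches before any permission is granted.
#    Recipients with an empty or misspelled Company value silently fall
#    outside the scope, so review this list against what you expect.
$preview = Get-Recipient -RecipientPreviewFilter $filter -ResultSize Unlimited
if (-not $preview) {
    throw "Filter '$filter' matches no recipients; check the attribute values."
}
$preview | Sort-Object Name | Format-Table Name, RecipientTypeDetails, Company

# 2. Create the write scope from the same filter.
New-ManagementScope -Name $scopeName -RecipientRestrictionFilter $filter

# 3. Create a role group whose assignments are limited to that scope.
#    'Mail Recipients' is a built-in role; add others only as needed.
New-RoleGroup -Name $groupName `
    -Roles 'Mail Recipients' `
    -CustomRecipientWriteScope $scopeName `
    -Members $admins

# 4. Confirm that every assignment held by the group carries the custom scope.
Get-ManagementRoleAssignment -RoleAssignee $groupName |
    Format-Table Role, RecipientWriteScope, CustomRecipientWriteScope
```

Re-run the preview in step 1 periodically: the scope is evaluated against current attribute values, so a recipient whose Company value changes moves in or out of the local admins' reach.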