Microsoft Entra Suite Tech Accelerator
Aug 14 2024, 07:00 AM - 09:30 AM (PDT)
Microsoft Tech Community

enable admins to edit distribution groups in the Main admin center

Copper Contributor

I'm trying to limit the level of access that our admins have to all admin centers. Before, they were Exchange Administrators, I moved them to Exchange Recipient Administrators however that doesn't allow them to edit distribution groups in the main admin center, I added them to Groups admins but that doesn't allow them to edit DLs either. I created a custom role in O365 but that only allow them to go to the Exchange admin center to edit distribution groups, they can't do it from the main admin center. I see in Azure AD the option to create a custom role but all I see is permissions for groups and I don't know if that would allow them to manage distribution groups as well. So my question is, how do I allow my admins to manage distribution groups from the main admin center and also from Exchange?

3 Replies
RBAC settings In EXO generally only apply to the Exchange Admin Center, so won’t give these admins access to the Microsoft 365 Admin Center.

You mentioned you already tried giving these folks the Exchange (Service) Administrator role, did this not achieve your goals?

@pvanberlo Yes, as Exchange Administrators they are able to edit distribution groups, and much more. Exchange admins was their role before, I removed them because they can do much more than they actually need like messing with the mail flow, retention policies, exchange admin roles, etc. I thought that Exchange Recipients Administrators (recently released role) would be good but it turns out it doesn't work for distribution lists.

The key here is that you want them to be able to manage a DL in the Microsoft 365 Admin Center, which based on currently available roles means giving them too broad access. Custom roles in Azure AD are nice, but they don’t support all permissions yet so I’m afraid that’s not going to work out either.

The only alternative would be to allow these folks to manage DLs in EAC, there’s a bunch more RBAC permissions that can be set there. I can imagine however that the experience of using EAC is a bit overwhelming for many people though and the M365 Admin Center is a lot easier to use.