Define Exchange admin roles for specific AU (administrative unit) users


Hi,

 

We are trying to separate a customer's internal companies by using AUs in AAD. This AU contains cloud-only users. However, the predefined roles in AAD are not what we're looking for. We'd like to have a more granular approach by adding Exchange admin roles to specifically administrate distribution groups and O365 groups, but these users (Helpdesk) should only be allowed to create or edit groups that are within their specific AU, not the entire tenant.

 

I've tried to fiddle with this by creating new management scopes in PowerShell but it does not seem possible to create a scope which only applies for the AU.

 

Any ideas? Thanks a lot in advance.

2 Replies
That's not possible, but you can use Exchange's RBAC model to achieve something similar via the native management scopes. Copy the criteria you use for the AU, or populate one of the CustomAttributeXXX attributes, or base it on group membership.
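
A sketch of the management-scope approach described in the reply above, as an added example that is not part of the original thread. The scope name, role group name, the `CompanyA` attribute value and the helpdesk account are hypothetical placeholders; it assumes CustomAttribute1 is stamped on every recipient that belongs to the AU, and it covers distribution groups only.

```powershell
# Added example; every name and value below is a hypothetical placeholder.
# Requires the ExchangeOnlineManagement module and an account allowed to manage RBAC.
Connect-ExchangeOnline

$scopeName = 'CompanyA-Recipients'               # hypothetical scope name
$roleGroup = 'CompanyA Helpdesk Groups'          # hypothetical role group name
$filter    = "CustomAttribute1 -eq 'CompanyA'"   # assumed tagging convention mirroring the AU
# Group-membership alternative (placeholder DN):
#   $filter = "MemberOfGroup -eq '<distinguished name of the company group>'"

# 1. Preview which recipients the filter matches before binding a role to it.
#    An empty or unexpectedly large result means the tagging is wrong.
Get-Recipient -Filter $filter -ResultSize Unlimited |
    Select-Object Name, RecipientTypeDetails, CustomAttribute1

# 2. Create the recipient write scope from that filter.
New-ManagementScope -Name $scopeName -RecipientRestrictionFilter $filter

# 3. Create a role group whose assignments are limited to that write scope.
New-RoleGroup -Name $roleGroup `
    -Roles 'Distribution Groups' `
    -Members 'helpdesk1@contoso.example' `
    -CustomRecipientWriteScope $scopeName

# 4. Verify that each resulting assignment carries the custom scope
#    and not the organization-wide default.
Get-ManagementRoleAssignment -RoleAssignee $roleGroup |
    Format-List Name, Role, RecipientWriteScope, CustomRecipientWriteScope
```

The scope restricts only the assignments made through this role group; any other role group the helpdesk account belongs to keeps its own scope, so review its other memberships as well.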

@Vasil Michev Exchange has the Get-AdministrativeUnit command in Exchange Online PowerShell.

I can't use the "name" listed under this command with the New-ManagementRoleAssignment command to give RBAC to a user in that AU?