RBAC
3 Topics

Exchange Online access via PIM

Hi, We are looking to grant more granular access to the Exchange Online portal for our support teams instead of the Exchange Admin Entra role. The idea is to set up cloud security groups, onboard them to PIM and grant the users eligible assignments. The groups would be then assigned to the Exchange Online role groups (RBAC) in the Exchange Portal. It appears though that Exchange Portal requires mail-enabled security groups and mail-enabled security groups cannot be onboarded to PIM. Does anyone know if this is by design? What is the alternative solution to grant JIT access to the Exchange Portal instead of the Entra role or the standing access of the users assigned directly to the RBAC roles on the Exchange Portal? Many thanks.

582 Views, 1 like, 0 Comments

Do Exchange administrators have to be system administrators on Exchange servers?
Hello, I asked this question before on TechNet (https://social.technet.microsoft.com/Forums/de-DE/a48fa3a9-df42-43ca-bc4f-24035853dd64/system-administrator-rights?forum=Exch2016GD). After some confusing mentions of domain admins, the consensus appeared to be that no, Exchange administrators do not have to be system administrators, but nobody knows how it is supposed to work. The problem is that there are several directories on Exchange servers which Exchange admins apparently need to access on a regular basis that the installer nevertheless configured with ACLs with access for sys admins only. Our Exchange team in-house tells me that ACLs on those directories cannot be changed because Microsoft does not support Exchange installations where those ACLs have been changed. Can anybody confirm whether Exchange admins have to be sys admins (and how this squares with RBAC guidelines) or how this is supposed to work? It is apparently not a question that comes up a lot. Are Exchange admins usually sys admins? How do other companies handle this? Are all admins of all applications always sys admins?

2.2K Views, 0 likes, 4 Comments