Forum Discussion
How to prevent Admin role from accessing another user mailbox?
You cannot prevent Global admins or Exchange admins from accessing other users' mailboxes. Even if you remove the corresponding cmdlets from the RBAC roles or configure exclusive scopes, they can always revert those settings, assuming they know what they're doing. You can prevent users with other roles from doing this.
- Admin_001, Apr 15, 2019, Copper Contributor
VasilMichev Thanks for your answer. I think that there should be an option to set more granular permissions to enable a scenario where you may create many very powerful admins (copies of global admin) without certain rights like access to other user mailboxes.
- VasilMichev, Apr 15, 2019, MVP
There isn't. Everyone and anyone that has been granted Global admin has all the keys to the kingdom. Period. This is why you keep the number of GAs to a minimum and only grant the role to people you fully trust.
And there isn't such a thing as "copy of global admin", we cannot create custom Azure AD roles. We can put some controls in place (custom RBAC roles, exclusive scopes, PAM, etc.), but again all of these can be overwritten by a GA.
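The custom RBAC role control mentioned in the thread, as an added example that is not part of the original posts: it builds a recipient-management role with the mailbox-permission cmdlets removed, for admins who are not Global or Exchange admins. It assumes an existing Exchange Online PowerShell session; the role name, role group name and the list of cmdlets to strip are assumptions chosen for illustration.

```powershell
# Added example. Assumes Connect-ExchangeOnline has already been run by an
# account allowed to manage RBAC roles.
$parentRole = 'Mail Recipients'                         # built-in role used as the template
$customRole = 'Mail Recipients - No Mailbox Access'     # hypothetical name
$roleGroup  = 'Recipient Admins - No Mailbox Access'    # hypothetical name

# Cmdlets that grant access to another user's mailbox (assumed list; extend as needed).
$blocked = @(
    'Add-MailboxPermission',
    'Add-RecipientPermission',
    'Add-MailboxFolderPermission',
    'Set-MailboxFolderPermission'
)

# 1. A custom role starts as a copy of its parent's role entries.
New-ManagementRole -Name $customRole -Parent $parentRole | Out-Null

# 2. Remove only the entries that are actually present in the copy.
foreach ($cmdlet in $blocked) {
    $entry = Get-ManagementRoleEntry "$customRole\$cmdlet" -ErrorAction SilentlyContinue
    if ($entry) {
        Remove-ManagementRoleEntry "$customRole\$cmdlet" -Confirm:$false
    }
}

# 3. Verify: none of the blocked cmdlets may remain in the custom role.
$left = Get-ManagementRoleEntry "$customRole\*" | Where-Object { $blocked -contains $_.Name }
if ($left) {
    throw "Still present in ${customRole}: $($left.Name -join ', ')"
}

# 4. Expose the role through its own role group. Members are added separately,
#    and must not also hold a role that still contains the removed cmdlets.
New-RoleGroup -Name $roleGroup -Roles $customRole `
    -Description 'Recipient management without mailbox permission cmdlets' | Out-Null

# As the thread states, a Global admin or Exchange admin can revert all of this.
Get-ManagementRoleAssignment -Role $customRole |
    Format-Table Name, RoleAssigneeName, RoleAssigneeType
```

This only removes the listed cmdlets from one role; anyone who also holds the unmodified parent role keeps them.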