Limiting access to Executive Mailboxes in Exchange Online

In my last blog post, I wrote about how the new workload specific role feature in Office 365 grants too much administrative ability when you simply want to restrict access to VIP mailboxes.

In this blog post, I will describe how you can create management “Scopes” to define boundaries so that external helpdesk organizations will not have the ability to manage your executives.

“Exclusive scopes are a special type of explicit management scope that can be associated with management role assignments. Exclusive scopes are designed to enable situations where you have a group of highly valuable objects, such as a CEO mailbox, and you want to tightly control who has access to manage those objects…
This behavior is similar to how a deny access control entry (ACE) on an Active Directory access control list (ACL) functions.”

This example creates an exclusive recipient filter-based scope that matches any user with “Executives” in the AD department field (this has to be run in a remote PowerShell session against Exchange Online):

New-ManagementScope "Executive Users Exclusive Scope" -RecipientRestrictionFilter { Department -eq "Executives" } -Exclusive

Or based on job title:

New-ManagementScope "Executive Users Exclusive Scope" -RecipientRestrictionFilter { Title -like "*Executive*" } -Exclusive

Or based on a custom attribute (you get the idea…):

New-ManagementScope "Executive Users Exclusive Scope" -RecipientRestrictionFilter { CustomAttribute5 -eq "VIP" } -Exclusive


The next step is to create a role group of highly trusted administrators to which the exclusive scope will be assigned. Anyone not in this group cannot manage the VIP mailboxes.

New-RoleGroup -Name "VIP Mailbox Administrators" -Roles "Mail Recipients"

At this point you can add users or security groups to the VIP Mailbox Administrators role group.


Finally, this next command glues the RoleGroup to the Exclusive scope filter:

New-ManagementRoleAssignment -Name "VIP Mailbox Administrators" -SecurityGroup "VIP Mailbox Administrators" -Role "Mail Recipients" -ExclusiveRecipientWriteScope "Executive Users Exclusive Scope"

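The three steps above as one script, with a preview of the filter before it is made exclusive and a check afterwards of who can still write to a VIP mailbox. This is an added example, not code from the original post; it assumes the ExchangeOnlineManagement module (Connect-ExchangeOnline), that "Executives" is the department value used for VIP mailboxes, and it gives the exclusive assignment its own name rather than reusing the group name.

```powershell
# Added example (not from the original post). Assumes Connect-ExchangeOnline from the
# ExchangeOnlineManagement module and "Executives" as the VIP department value.
Connect-ExchangeOnline

$scopeName = "Executive Users Exclusive Scope"
$groupName = "VIP Mailbox Administrators"
$filter    = "Department -eq 'Executives'"

# 1. Preview which recipients the filter matches BEFORE it becomes an exclusive scope.
#    Too broad a filter locks regular admins out of more mailboxes than intended;
#    too narrow a filter leaves a VIP unprotected.
Write-Host "Recipients that will fall under the exclusive scope:"
Get-Recipient -RecipientPreviewFilter $filter | Select-Object DisplayName, PrimarySmtpAddress

# 2. Create the exclusive scope (skipped if it already exists).
if (-not (Get-ManagementScope -Identity $scopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $scopeName -RecipientRestrictionFilter $filter -Exclusive
}

# 3. Create the trusted role group. -Roles creates a regular "Mail Recipients"
#    assignment with the default write scope; the exclusive assignment is added next.
if (-not (Get-RoleGroup -Identity $groupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $groupName -Roles "Mail Recipients"
}

# 4. Bind the role group to the exclusive scope (assignment name is an assumption).
New-ManagementRoleAssignment -Name "$groupName-Exclusive" -SecurityGroup $groupName `
    -Role "Mail Recipients" -ExclusiveRecipientWriteScope $scopeName

# 5. Verify: list every effective user whose assignments can modify a VIP mailbox.
#    Only members of role groups holding an exclusive assignment for this scope
#    should appear; an external helpdesk group must not be in this list.
$vip = (Get-Recipient -RecipientPreviewFilter $filter | Select-Object -First 1).Identity
Get-ManagementRoleAssignment -WritableRecipient $vip -GetEffectiveUsers |
    Format-Table EffectiveUserName, Role, RoleAssigneeName, RecipientWriteScope -AutoSize
```

Re-run step 5 whenever role group membership or scope filters change; it is the quickest way to confirm the deny behaviour is still in effect.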

Going a step further…

The above commands lock out an external helpdesk from being able to manage your executives. But what if you want to restrict your external helpdesk even further, so that the actions they take on the rest of your users are limited as well?

You can create a custom role assignment for your external helpdesk that enables them to manage certain things but not others. For example, if you want to give them the ability to manage archive rules, you would grant them the “Retention Management” role.

If you want your external helpdesk to manage ActiveSync policies on mailboxes and remotely wipe lost devices, see this article for more information.

In addition to “Retention Management” and the custom ActiveSync role described above, the other fine-grained roles to consider granting to your external helpdesk would be:

– UM Mailboxes (allows external helpdesk to enable voicemail on new mailboxes)

– View-only Recipients

– View-only configuration (this allows the external helpdesk to view non-recipient configuration such as transport config)

– Distribution Groups (this allows the external helpdesk to create distribution groups)

– Legal Hold (this allows the external helpdesk to place a mailbox on Legal Hold)

– Retention Management (this enables the external helpdesk to set up and manage archive rules)

Note: If you stop here, the external helpdesk does not have enough permission to grant themselves the “full mailbox” permission to read the inbox contents of the VIP mailboxes, or any mailbox for that matter. By default, there is an implicit deny ACL that prevents an Exchange Admin from having full-mailbox access to read the contents of a mailbox. If you want the external helpdesk to be able to read the inbox of any end user, a nightly scheduled task can explicitly grant full-mailbox permission to all mailboxes except for the 5 VIP users, because there is already an implicit deny for all admins on the 5 VIP mailboxes. I would not recommend doing this, as it should be exceptionally rare for a helpdesk user to need to read the contents of someone’s mailbox. You can instead have them escalate to the internal helpdesk when this need occurs, so that it can be controlled.
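The fine-grained role group from the list above, followed by a check of the point made in the note: none of the granted roles should expose a cmdlet that hands out mailbox content access. This is an added example, not code from the original post; it assumes an existing Exchange Online session, uses the role names listed in the post, and the group name and the list of cmdlets to check are assumptions.

```powershell
# Added example (not from the original post). Assumes an Exchange Online session is
# already open; the role names are those listed in the post, the group name is assumed.
$helpdeskGroup = "External Helpdesk"
$helpdeskRoles = @(
    "UM Mailboxes",
    "View-Only Recipients",
    "View-Only Configuration",
    "Distribution Groups",
    "Legal Hold",
    "Retention Management"
)

# 1. Create the limited role group. "Mail Recipients" is deliberately absent, so members
#    cannot modify mailbox objects at all, VIP or otherwise.
if (-not (Get-RoleGroup -Identity $helpdeskGroup -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $helpdeskGroup -Roles $helpdeskRoles
}

# 2. Least-privilege check: cmdlets that grant mailbox content access (assumed list).
#    For each one, find the roles that contain it and intersect with the roles actually
#    assigned to the helpdesk group. Any hit is reported with the parameters it allows.
$sensitiveCmdlets = "Add-MailboxPermission", "Add-RecipientPermission", "Add-MailboxFolderPermission"
$assignedRoles = Get-ManagementRoleAssignment -RoleAssignee $helpdeskGroup |
    ForEach-Object { $_.Role.ToString() }

foreach ($cmdlet in $sensitiveCmdlets) {
    $hits = Get-ManagementRoleEntry -Identity "*\$cmdlet" |
        Where-Object { $assignedRoles -contains $_.Role.ToString() }
    if ($hits) {
        foreach ($h in $hits) {
            Write-Warning "$cmdlet reachable via role '$($h.Role)' (parameters: $($h.Parameters -join ', '))"
        }
    } else {
        Write-Host "OK: $cmdlet is not granted by any role assigned to '$helpdeskGroup'"
    }
}
```

If a later change adds a role such as “Mail Recipients” to this group, the check flags it immediately, which is the signal that the implicit deny described in the note is the only thing still protecting the VIP mailboxes.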

The external helpdesk would manage Exchange by logging in directly to the ECP here:
https://outlook.office365.com/ecp

This is great, but what if you need your external helpdesk to add or remove O365 licenses? No problem: you can grant them the “User Management Role” in the O365 Admin Portal. This is a great role because it does not have any corresponding role mapping in Exchange Online, so you won’t be giving them any additional privileges on mailboxes with this role.

The “User Management Role” in the O365 Admin portal is also how you would allow your external helpdesk to create a mailbox. This is because assigning an Exchange Online license to a user is the actual step that creates the mailbox.

One of my colleagues recommends the SaaS provider “delegate365.com”, which can also create exclusive management scopes for you without requiring you to be an Exchange expert to set this all up. For example, you would just have your external helpdesk log on to delegate365.com to access some but not all of your users. They offer a 30-day free trial that you can use to evaluate whether it would meet your specific needs.