Forum Discussion
Exchange RBAC Challenge: Restricting Admin Level Access to Selected Mailboxes
Hi Exchange Brain Trust,
I'm looking to implement a restriction for a specific group of admins (let's say Service Desk L1 team) so they do not have administrative access to executive EXO mailboxes (e.g., email address removed for privacy reasons, email address removed for privacy reasons), while retaining access to all other mailboxes.
I've explored built-in RBAC configurations, Administrative Units, and role assignments in Exchange, but haven’t found a solution that meets this requirement. Any guidance or suggestions would be greatly appreciated.
Thanks in advance!
4 Replies
- AriasJose (Copper Contributor)
This is a common challenge in organizations that need to balance operational support with data privacy and executive confidentiality. While Exchange Online offers powerful role-based access control (RBAC), it doesn't natively support mailbox-level exclusions within a broader access scope. Here's how you can work around that limitation.
Understanding the Limitations
- RBAC Scopes: These define who an admin can manage, but they don’t restrict read access once a role is assigned.
- Administrative Units (AUs): Useful in Azure AD for scoping user management, but they don’t apply to Exchange mailbox access.
- Application Access Policies: Only apply to app-based access (not human admins), and only for application permissions.
The Workaround: Explicitly Deny Mailbox Access
To block access to specific mailboxes (like those of executives), you can use mailbox permissions to explicitly deny access—even if broader permissions are granted elsewhere.
Step-by-Step Instructions
- Create a security group for your Service Desk L1 team if one doesn’t already exist.
- Remove any existing Full Access permissions to the executive mailboxes:
Remove-MailboxPermission -Identity "email address removed for privacy reasons" -User "ServiceDeskL1Group" -AccessRights FullAccess
- Explicitly deny access to those mailboxes:
Add-MailboxPermission -Identity "email address removed for privacy reasons" -User "ServiceDeskL1Group" -AccessRights FullAccess -Deny:$true
This deny rule overrides any inherited or assigned access, effectively blocking the group from accessing the specified mailboxes.
Optional: Split Admin Roles
If your organization supports it, consider splitting admin responsibilities:
- Assign the L1 team to a custom management scope that excludes executive mailboxes.
- Assign broader access (including executives) to a higher-tier admin group (e.g., L2 or L3).
This layered approach ensures that only trusted personnel have access to sensitive mailboxes.
Conclusion
While Exchange Online doesn’t offer a built-in way to exclude specific mailboxes from admin access, using explicit deny permissions provides a reliable workaround. It’s a practical solution that helps maintain both operational efficiency and executive privacy.
Exclusive scopes is what you need: https://learn.microsoft.com/en-us/exchange/understanding-exclusive-scopes-exchange-2013-help
Keep in mind that anyone with sufficient permissions to manage scopes/role assignments can grant himself access. For even better protection, you can configure PAM too... but a GA can override that as well.
- Curious_Kevin16 (Iron Contributor)
VasilMichev Appreciate the prompt response! This capability appears to be Exchange Server only. I failed to find any guides on Exclusive Access for Exchange Online mailboxes.
It's available in Exchange Online as well; they haven't bothered to create a separate article.
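The exclusive-scope approach VasilMichev points to, written out as an added example for Exchange Online (this is not code from the thread or from Microsoft's article). The scope name, role group name, the CustomAttribute1 tag, the chosen roles and the mailbox addresses are all assumed placeholders; it expects a session opened with Connect-ExchangeOnline by an admin allowed to manage scopes and role assignments.

```powershell
# Added example: protect executive mailboxes with an exclusive management scope.
# Assumes an Exchange Online PowerShell session (Connect-ExchangeOnline) held by an
# admin who can manage scopes and role assignments. All names are placeholders.

# 1. Tag the executive mailboxes so the scope can be expressed as a recipient filter.
#    CustomAttribute1 is a free-form attribute; using it as the marker is an assumption.
$executives = @("exec1@contoso.example", "exec2@contoso.example")   # constructed placeholders
foreach ($mbx in $executives) {
    Set-Mailbox -Identity $mbx -CustomAttribute1 "ExecutiveProtected"
}

# 2. Create the exclusive recipient scope. Once it exists, only role assignments that
#    carry this scope can act on the matching mailboxes; the L1 team's regular
#    (non-exclusive) assignments no longer apply to them, with no change to L1 itself.
New-ManagementScope -Name "Executive Mailboxes" `
    -RecipientRestrictionFilter "CustomAttribute1 -eq 'ExecutiveProtected'" `
    -Exclusive

# 3. Create a role group for the higher-tier admins and assign the roles they need,
#    scoped to the exclusive scope. An exclusive scope must be attached with
#    -ExclusiveRecipientWriteScope; -CustomRecipientWriteScope is rejected for it.
New-RoleGroup -Name "Executive Mailbox Admins" -Members "l2admin@contoso.example"
foreach ($role in @("Mail Recipients", "Mail Recipient Creation")) {
    New-ManagementRoleAssignment -Role $role `
        -SecurityGroup "Executive Mailbox Admins" `
        -ExclusiveRecipientWriteScope "Executive Mailboxes"
}

# 4. Verify: the scope is flagged Exclusive, and only the intended role group holds
#    assignments that reference it.
Get-ManagementScope "Executive Mailboxes" | Format-List Name, Exclusive, RecipientFilter
Get-ManagementRoleAssignment -ExclusiveRecipientWriteScope "Executive Mailboxes" |
    Format-Table Role, RoleAssignee, RecipientWriteScope

# Caveat from the thread: anyone who can manage scopes or role assignments
# (Organization Management, Global Admin) can still grant themselves access,
# so review membership of those groups and audit New-/Set-ManagementRoleAssignment.
```

A quick check afterwards is to have an L1 member run a write cmdlet (for example Set-Mailbox) against one of the tagged mailboxes and confirm it is refused, while the same cmdlet against a non-executive mailbox still succeeds.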