Delegation with Office 365 Management Scopes

IT organizations with decentralized IT support teams typically want to limit the administrative scope of local IT.

Let’s consider a US-based company that has a local office in Germany and uses local IT to support users.

The local IT support team in Germany should only be able to manage the mailboxes of German employees.

How do we accomplish this?

How to Manage Mailbox Delegation From AD

Delegation of Office 365 mailbox management is handled via management scopes and role assignments in Azure.

Fortunately, if you set it up properly, you can actually handle Office 365 mailbox delegation with standard group memberships in your on-premises Active Directory.

To achieve this, you need a mail-enabled security group in your AD.

With Easy365Manager, you can create a synchronized mail-enabled security group in just a few seconds:

Create a group in AD, open up group properties and go to the Office 365 tab.

Fill out the alias and click the “Mail Enable…” button:

Mail-enable an on-premises group

This action creates a synchronized group in Azure AD that we can use to delegate mailbox management.

Create a Management Scope

The members of the synchronized AD group we just created will be able to manage mailboxes.

But what mailboxes? The management scope defines this.

Almost any recipient attribute can be used in the filter component of the management scope.

To target all users based in Germany, we could use the following command (part of the Exchange Online Management module):

New-ManagementScope HelpdeskDE -RecipientRestrictionFilter {CountryOrRegion -eq 'Germany'}

This command will create a new Management Scope called “HelpdeskDE”, and the output should look similar to this:

PS C:\> New-ManagementScope HelpdeskDE -RecipientRestrictionFilter {CountryOrRegion -eq 'Germany'}

Name       ScopeRestrictionType Exclusive RecipientRoot RecipientFilter               ServerFilter
----       -------------------- --------- ------------- ---------------               ------------
HelpdeskDE RecipientScope       False                   CountryOrRegion -eq 'Germany'

We could, of course, use any other recipient filter depending on our needs.

Create a Management Role Assignment

The last step is to assign roles to our mail-enabled security group – but limited by the newly created management scope.

Use the following commands to assign the roles “Mail Recipients”, “Mail Recipient Creation”, and “Distribution Groups”:

New-ManagementRoleAssignment -Role "Mail Recipients" -SecurityGroup "Helpdesk DE" -CustomRecipientWriteScope "HelpdeskDE"
New-ManagementRoleAssignment -Role "Mail Recipient Creation" -SecurityGroup "Helpdesk DE" -CustomRecipientWriteScope "HelpdeskDE"
New-ManagementRoleAssignment -Role "Distribution Groups" -SecurityGroup "Helpdesk DE" -CustomRecipientWriteScope "HelpdeskDE"

Delegating these three roles should cover our needs in terms of standard mailbox management.

The output from these commands looks similar to the following:

PS C:\> New-ManagementRoleAssignment -Role "Mail Recipients" -SecurityGroup "Helpdesk DE" -CustomRecipientWriteScope "HelpdeskDE"

Name                         Role            RoleAssigneeName  RoleAssigneeType  AssignmentMethod  EffectiveUserName
----                         ----            ----------------  ----------------  ----------------  -----------------
Mail Recipients-Helpdesk DE  Mail Recipients Helpdesk DE       SecurityGroup     Direct

PS C:\> New-ManagementRoleAssignment -Role "Mail Recipient Creation" -SecurityGroup "Helpdesk DE" -CustomRecipientWriteScope "HelpdeskDE"

Name                                 Role                     RoleAssigneeName  RoleAssigneeType  AssignmentMethod  EffectiveUserName
----                                 ----                     ----------------  ----------------  ----------------  -----------------
Mail Recipient Creation-Helpdesk DE  Mail Recipient Creation  Helpdesk DE       SecurityGroup     Direct

PS C:\> New-ManagementRoleAssignment -Role "Distribution Groups" -SecurityGroup "Helpdesk DE" -CustomRecipientWriteScope "HelpdeskDE"

Name                             Role                 RoleAssigneeName  RoleAssigneeType  AssignmentMethod  EffectiveUserName
----                             ----                 ----------------  ----------------  ----------------  -----------------
Distribution Groups-Helpdesk DE  Distribution Groups  Helpdesk DE       SecurityGroup     Direct
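The following verification script is added here and is not part of the original article or the Easy365Manager product; it checks the result of the steps above before the group is handed to the local team. It assumes an active Exchange Online session (Connect-ExchangeOnline) and the names HelpdeskDE and Helpdesk DE used above. Two caveats it surfaces: -CustomRecipientWriteScope restricts only writes (the read scope of these roles stays organization-wide), and the scope is only as accurate as the CountryOrRegion attribute synced from AD.

```powershell
# Added verification script (not from the article). Assumes an active
# Exchange Online session and the scope/group names used in the article.
$ScopeName     = 'HelpdeskDE'
$GroupName     = 'Helpdesk DE'
$ExpectedRoles = 'Mail Recipients', 'Mail Recipient Creation', 'Distribution Groups'

# 1. Confirm the scope exists and is non-exclusive. An exclusive scope would
#    lock every other admin, including Corporate IT, out of the matched recipients.
$scope = Get-ManagementScope -Identity $ScopeName -ErrorAction Stop
"Scope '$($scope.Name)': filter = $($scope.RecipientFilter); exclusive = $($scope.Exclusive)"

# 2. Preview which recipients the filter actually matches. The delegation is
#    driven by the CountryOrRegion attribute synced from AD, so unexpected hits
#    (or missing German users) point at attribute data, not at RBAC.
$matched = Get-Recipient -Filter $scope.RecipientFilter -ResultSize Unlimited
"Recipients in scope: $(@($matched).Count)"
$matched | Select-Object DisplayName, RecipientTypeDetails, PrimarySmtpAddress |
    Format-Table -AutoSize

# 3. List the assignments granted to the group. Only the write scope is
#    restricted; RecipientReadScope remains Organization, so members can
#    still view (not modify) every recipient in the tenant.
$assignments = Get-ManagementRoleAssignment -RoleAssignee $GroupName
$assignments |
    Select-Object Role, RecipientReadScope, RecipientWriteScope, CustomRecipientWriteScope |
    Format-Table -AutoSize

# 4. Flag drift: an expected role that is missing, or an assignment created
#    without -CustomRecipientWriteScope, which would grant organization-wide
#    write access to every member of the group.
foreach ($role in $ExpectedRoles) {
    if (-not ($assignments | Where-Object { "$($_.Role)" -eq $role })) {
        Write-Warning "Expected role '$role' is not assigned to '$GroupName'."
    }
}
$unscoped = $assignments | Where-Object { "$($_.CustomRecipientWriteScope)" -ne $ScopeName }
if ($unscoped) {
    Write-Warning "Assignments for '$GroupName' not limited to scope '$ScopeName':"
    $unscoped | Select-Object Name, Role, RecipientWriteScope | Format-Table -AutoSize
}
```

Re-run the script after any change to the group's role assignments or to the scope filter; step 2 is also a quick way to review who gains mailbox-management rights when CountryOrRegion is edited in AD.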

Azure Delegation From Active Directory

That’s it! We have now set up the prerequisites to manage our German helpdesk straight out of Active Directory:

Whenever a new person joins the German helpdesk, we can simply add the person to the Active Directory group “Helpdesk DE” (which may also provide access to various on-premises resources needed by the German IT support team).

This least-privilege approach is very suitable for decentralized support teams and super easy to maintain for Corporate IT.

With the approach outlined above and the use of Easy365Manager, you can fully consolidate your AD and Office 365 management and handle everything inside AD Users & Computers.

Managing Office 365 Out of Active Directory

If you really want to make life easy for your local IT staff, set them up with Easy365Manager.

Easy365Manager is a snap-in for AD Users & Computers that allows you to manage Office 365 as part of user properties in AD.

With Easy365Manager, you can reduce training costs and increase productivity.

Consider the delegation of calendar access which otherwise requires complex PowerShell scripting:

Tasks that take several minutes and sometimes involve senior admins are now completed in seconds by your front-end support team.

Download a fully-functional 30-day trial here to test how easy it is to manage Office 365 directly from AD.

Easy365Manager is a simple extension of the AD Users & Computers admin tool, and it makes no changes in either AD or Office 365.

The yearly license fee covers an unlimited number of installations, so your entire IT team can enjoy working fast and intuitively.