IT organizations with decentralized IT support teams typically would want to limit the administrative scope of local IT.
Let’s consider a US-based company that has a local office in Germany and uses local IT to support users.
The local IT support team in Germany should only be able to manage the mailboxes of German employees.
How do we accomplish this?
How to Manage Mailbox Delegation From AD
Delegation of Office 365 mailbox management is configured through management scopes and role assignments in Azure.
Fortunately, if you set it up properly, you can actually handle Office 365 mailbox delegation with standard group memberships in your on-premises Active Directory.
To achieve this, you need a mail-enabled security group in your AD.
With Easy365Manager, you can create a synchronized mail-enabled security group in just a few seconds:
Create a group in AD, open up group properties and go to the Office 365 tab.
Fill out the alias and click the “Mail Enable…” button:

This action creates a synchronized group in Azure AD that we can use to delegate mailbox management.
Create a Management Scope
The members of the synchronized AD group we just created will be able to manage mailboxes.
But what mailboxes? The management scope defines this.
You can use pretty much any attribute to configure the filter component of the management scope.
To target all users based in Germany, we could use the following command (part of the Exchange Online Management module):
New-ManagementScope HelpdeskDE -RecipientRestrictionFilter {CountryOrRegion -eq 'Germany'}
This command will create a new Management Scope called “HelpdeskDE”, and the output should look similar to this:
PS C:\> New-ManagementScope HelpdeskDE -RecipientRestrictionFilter {CountryOrRegion -eq 'Germany'}

Name       ScopeRestrictionType Exclusive RecipientRoot RecipientFilter               ServerFilter
----       -------------------- --------- ------------- ---------------               ------------
HelpdeskDE RecipientScope       False                   CountryOrRegion -eq 'Germany'
We could, of course, use any other recipient filter depending on our needs.
Create a Management Role Assignment
The last step is to assign roles to our mail-enabled security group – but limited by the newly created management scope.
Use the following commands to assign the roles “Mail Recipients”, “Mail Recipient Creation”, and “Distribution Groups”:
New-ManagementRoleAssignment -Role "Mail Recipients" -SecurityGroup "Helpdesk DE" -CustomRecipientWriteScope "HelpdeskDE"
New-ManagementRoleAssignment -Role "Mail Recipient Creation" -SecurityGroup "Helpdesk DE" -CustomRecipientWriteScope "HelpdeskDE"
New-ManagementRoleAssignment -Role "Distribution Groups" -SecurityGroup "Helpdesk DE" -CustomRecipientWriteScope "HelpdeskDE"
Delegating these three roles should cover our needs in terms of standard mailbox management.
The output from these commands looks similar to the following:
PS C:\> New-ManagementRoleAssignment -Role "Mail Recipients" -SecurityGroup "Helpdesk DE" -CustomRecipientWriteScope "HelpdeskDE"

Name                        Role            RoleAssigneeName RoleAssigneeType AssignmentMethod EffectiveUserName
----                        ----            ---------------- ---------------- ---------------- -----------------
Mail Recipients-Helpdesk DE Mail Recipients Helpdesk DE      SecurityGroup    Direct

PS C:\> New-ManagementRoleAssignment -Role "Mail Recipient Creation" -SecurityGroup "Helpdesk DE" -CustomRecipientWriteScope "HelpdeskDE"

Name                                Role                    RoleAssigneeName RoleAssigneeType AssignmentMethod EffectiveUserName
----                                ----                    ---------------- ---------------- ---------------- -----------------
Mail Recipient Creation-Helpdesk DE Mail Recipient Creation Helpdesk DE      SecurityGroup    Direct

PS C:\> New-ManagementRoleAssignment -Role "Distribution Groups" -SecurityGroup "Helpdesk DE" -CustomRecipientWriteScope "HelpdeskDE"

Name                            Role                RoleAssigneeName RoleAssigneeType AssignmentMethod EffectiveUserName
----                            ----                ---------------- ---------------- ---------------- -----------------
Distribution Groups-Helpdesk DE Distribution Groups Helpdesk DE      SecurityGroup    Direct
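The scope-and-assignment steps above, put together as an added example (not code from the article or from Easy365Manager): it previews which recipients the filter actually matches, creates the scope and the three role assignments only if they do not already exist, and then audits that every assignment held by “Helpdesk DE” is bound to the custom write scope. It assumes the Exchange Online Management module and that “Helpdesk DE” already exists as a synchronized mail-enabled security group.

```powershell
# Added example: idempotent setup plus audit of the scoped delegation.
# Assumes the ExchangeOnlineManagement module and an existing synced
# mail-enabled security group named "Helpdesk DE" (names as in the article).
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$ScopeName = 'HelpdeskDE'
$Group     = 'Helpdesk DE'
$Filter    = "CountryOrRegion -eq 'Germany'"
$Roles     = 'Mail Recipients', 'Mail Recipient Creation', 'Distribution Groups'

# 1. Preview the recipients the filter matches before granting anything.
#    Users whose CountryOrRegion attribute is blank in AD are NOT covered.
$Matched = Get-Recipient -RecipientPreviewFilter $Filter -ResultSize Unlimited
Write-Host "Recipients currently in scope: $(@($Matched).Count)"

# 2. Create the management scope only if it does not already exist.
if (-not (Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $ScopeName -RecipientRestrictionFilter $Filter
}

# 3. Assign each role to the group, limited to the custom write scope.
foreach ($Role in $Roles) {
    $Existing = Get-ManagementRoleAssignment -Role $Role -RoleAssignee $Group -ErrorAction SilentlyContinue |
        Where-Object { "$($_.CustomRecipientWriteScope)" -eq $ScopeName }
    if (-not $Existing) {
        New-ManagementRoleAssignment -Role $Role -SecurityGroup $Group -CustomRecipientWriteScope $ScopeName
    }
}

# 4. Audit: every assignment for the group must carry the custom write scope.
#    An assignment with an empty CustomRecipientWriteScope would apply tenant-wide.
$Unscoped = Get-ManagementRoleAssignment -RoleAssignee $Group |
    Where-Object { "$($_.CustomRecipientWriteScope)" -ne $ScopeName }
if ($Unscoped) {
    Write-Warning "Assignments for '$Group' without the '$ScopeName' write scope:"
    $Unscoped | Select-Object Role, RecipientWriteScope, CustomRecipientWriteScope | Format-Table -AutoSize
} else {
    Write-Host "All role assignments for '$Group' are limited to '$ScopeName'."
}
```

Re-run the script after any change to the group's roles; step 4 is the check worth scheduling, since a later assignment made without -CustomRecipientWriteScope silently widens the helpdesk's reach to the whole tenant.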
Azure Delegation From Active Directory
That’s it! We have now set up the prerequisites to manage our German helpdesk straight out of Active Directory:
Whenever a new person joins the German helpdesk, we can simply add the person to the Active Directory group “Helpdesk DE” (which may also provide access to various on-premises resources needed by the German IT support team).
This least-privilege approach is very suitable for decentralized support teams and super easy to maintain for Corporate IT.
With the approach outlined above and the use of Easy365Manager, you can fully consolidate your AD and Office 365 management and handle everything inside AD Users & Computers.
Managing Office 365 Out of Active Directory
If you really want to make life easy for your local IT staff, set them up with Easy365Manager.
Easy365Manager is a snap-in for AD Users & Computers that allows you to manage Office 365 as part of user properties in AD.
With Easy365Manager, you can reduce training costs and increase productivity.
Consider the delegation of calendar access, which otherwise requires complex PowerShell scripting:
Tasks that take several minutes and sometimes involve senior admins are now completed in seconds by your front-end support team.
Download a fully-functional 30-day trial here to test how easy it is to manage Office 365 directly from AD.
Easy365Manager is a simple extension of the AD Users & Computers admin tool, and it makes no changes in either AD or Office 365.
The yearly license fee covers an unlimited number of installations, so your entire IT team can enjoy working fast and intuitively.