
Related to this: Exchange Online RBAC - How to limit the read scope of a management role?

We need to allow some administrators to manage only a subset of all mailboxes in Exchange Online; we achieved this using a management scope.

Everything works as expected if the limited administrators access the Exchange Admin Center (https://admin.exchange.microsoft.com); however, they are unable to access the main Microsoft 365 Admin Center (https://admin.microsoft.com). It looks like in order to access that you have to be granted one of the standard Microsoft 365 admin roles: having only an Exchange-specific custom role will not help you.

How can we allow those limited administrators to access the Microsoft 365 Admin Center (without granting them additional rights, of course)?

Massimo
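The scoped-administration setup the question describes, as an added example that is not part of the original post. It assumes a scope named 'Sales Mailboxes' that matches on a Department attribute of 'Sales', a role group named 'Sales Mailbox Admins', and a placeholder member address; the cmdlets are the standard Exchange Online Management ones.

```powershell
# Added example (not from the original question): build a scoped Exchange Online
# role group and verify its reach before anyone relies on it.
# Assumed names: scope 'Sales Mailboxes', role group 'Sales Mailbox Admins',
# and a Department attribute of 'Sales' on the mailboxes to be delegated.
Connect-ExchangeOnline

# 1. Preview which recipients the filter would match. -RecipientPreviewFilter uses
#    the same OPATH syntax the scope will use, so an over-broad filter shows up here
#    before it is granted to anyone. Shared mailboxes are included on purpose.
$filter = "Department -eq 'Sales' -and (RecipientTypeDetails -eq 'UserMailbox' -or RecipientTypeDetails -eq 'SharedMailbox')"
Get-Recipient -RecipientPreviewFilter $filter -ResultSize Unlimited |
    Select-Object Name, PrimarySmtpAddress, RecipientTypeDetails

# 2. Create the management scope from that filter.
New-ManagementScope -Name 'Sales Mailboxes' -RecipientRestrictionFilter $filter

# 3. Create a role group whose write scope is limited to the scope above.
#    Only the role needed for day-to-day mailbox administration is included.
New-RoleGroup -Name 'Sales Mailbox Admins' `
    -Roles 'Mail Recipients' `
    -CustomRecipientWriteScope 'Sales Mailboxes' `
    -Members 'scoped.admin@contoso.example'   # placeholder member

# 4. Verify: every assignment of the new role group must carry the custom scope.
#    An unscoped assignment would silently grant the role tenant-wide.
$assignments = Get-ManagementRoleAssignment -RoleAssignee 'Sales Mailbox Admins'
$unscoped = $assignments | Where-Object {
    [string]$_.CustomRecipientWriteScope -ne 'Sales Mailboxes'
}
if ($unscoped) {
    Write-Warning 'Unscoped assignments found:'
    $unscoped | Format-Table Role, RecipientWriteScope, CustomRecipientWriteScope
} else {
    Write-Host "All $($assignments.Count) assignments are limited to 'Sales Mailboxes'."
}
```

Note that the custom scope limits what the delegated admins can change; it does not by itself grant any Microsoft 365 Admin Center access, which is the problem the question goes on to describe.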

4 Answers


You can assign the global reader role to users who need to be limited.

Assign the global reader role to users who need to view admin features and settings in admin centers that the global admin can view. The global reader admin can't edit any settings.

Refer to this document for your reference.

Aaron
  • This works to access the Admin Center, but then under "Teams & groups" "Shared mailboxes" is not available. Which basically defeats the whole purpose of accessing the Admin Center in the first place... – Massimo Jul 26 '22 at 08:43
  • And yes, the users have the rights to manage at least some of them. – Massimo Jul 26 '22 at 08:44

According to my test, it seems it's by design. The shared mailbox is missing, and the user can't edit any settings in it. If you can edit it, it may be caused by the Exchange permissions.

Lastly, if you need to see the shared mailbox, you can go to the classic Exchange admin centre to check it. Classic admin centre: https://outlook.office365.com/ecp/?form=eac&mkt=en-US

Aaron
  • Thanks, I already know shared mailboxes can be managed in the Exchange Admin Center (if permissions allow). I was hoping to be able to use the UI in the main Admin Center, which is more user friendly. – Massimo Jul 26 '22 at 10:42

Got it. After you assign the global reader permission, you also need to assign the Message centre reader role to the users. Then the user can check the shared mailbox under Teams & groups.


Aaron
  • I haven't tested what happens if you remove the global reader role and only assign the Message centre reader role. – Aaron Jul 27 '22 at 09:59
  • Great. Unfortunately, when trying to edit a shared mailbox it says you don't have permissions to save changes... although you actually *have*. Looks like the main Admin Center just doesn't understand custom Exchange admin roles :( – Massimo Jul 27 '22 at 12:48

This can be achieved by assigning the "Global Reader" role, but for some reason it is not enough to show the "Shared mailboxes" section under "Teams & groups". This can be fixed by also assigning the "Message Center Reader" role.

Unfortunately, even with both roles the GUI will not allow any change on any mailbox, be it shared or otherwise, complaining about lack of permissions to save changes:


Looks like the main Microsoft 365 Admin Center just doesn't understand custom management roles in Exchange Online :(

Massimo