Create Exclusive Write Scopes

Applies to: Office 365 for enterprises, Live@edu

An exclusive write scope isolates specific mailboxes so they can be managed by designated administrators only. For example, you can use an exclusive write scope to isolate the mailboxes for executives or Exchange Online administrators in your organization. Help desk personnel or other administrators who can otherwise manage mailboxes in your organization can't modify the mailboxes of the executives or Exchange Online administrators defined by the exclusive write scope.

An exclusive write scope is a custom write scope based on recipient filters. You create exclusive write scopes using Windows PowerShell. A recipient filter requires use of OPATH, the filtering syntax used by Windows PowerShell.

Before you begin

  • As soon as you create an exclusive write scope, the mailboxes that match the recipient filter used by the scope can no longer be modified by any administrator, including Exchange Online administrators. All administrators who need to modify or delete mailboxes defined by the exclusive write scope must have the appropriate administrator roles assigned to them using that exclusive write scope.
    However, it's possible that different exclusive write scopes have some mailboxes in common. An administrator who has roles assigned to them using an exclusive write scope can manage all mailboxes that are defined by that exclusive write scope, regardless of any other exclusive write scopes that may also include some or all of the same mailboxes. For example, suppose an exclusive write scope uses the recipient filter "Title equals Manager", and a different exclusive write scope uses the recipient filter "Department equals Finance". Administrators with roles assigned to them using the exclusive write scope "Title equals Manager" can manage mailboxes with the department "Finance" if the title is "Manager". Likewise, administrators with roles assigned to them using the exclusive write scope "Department equals Finance" can manage mailboxes with the title "Manager" if the department is "Finance".
  • To learn how to install and configure Windows PowerShell and connect to the service, see Use Windows PowerShell in Exchange Online.
  • For detailed information about the recipient filter syntax, including the operators and filterable recipient properties, see Create Dynamic Distribution Groups Using Customized Filters.

Create an exclusive write scope

Run the following command:

New-ManagementScope -Name <name> -RecipientRestrictionFilter {<filter>} -Exclusive

Example   Here's a command that creates an exclusive write scope named "Vancouver Executives" that specifies all mailboxes in Vancouver whose departments start with "Executive":

New-ManagementScope -Name "Vancouver Executives" -RecipientRestrictionFilter {(RecipientType -eq 'UserMailbox') -and (City -eq 'Vancouver') -and (Department -like 'Executive*')} -Exclusive

Note   To list the mailboxes defined by this exclusive write scope, run the following command:

Get-User | where {($_.RecipientType -eq 'UserMailbox') -and ($_.City -eq 'Vancouver') -and ($_.Department -like 'Executive*')}

Use the exclusive write scope

After you create the exclusive write scope, you need to associate the scope with a role assignment. A role assignment associates a management role to a role group, security group, or mailbox. Assigning a role to a role group grants members of the role group permissions to use the Windows PowerShell cmdlets and parameters defined in the role. The write scope of the role assignment controls where the roles can be used.

Continuing the previous example, let's do the following:

  1. Create a new role group named "Vancouver Executive Administrators" and add as members the users who should be allowed to manage the mailboxes defined by the "Vancouver Executives" exclusive write scope.
  2. Replace the default write scope used to assign all the roles to the role group with the exclusive write scope "Vancouver Executives".

Create the new role group and add members

  1. In the Exchange Control Panel, select Manage My Organization > Roles & Auditing > Administrator Roles, and click New.
  2. Enter the following information in the New Role Group window:
    1. Name   Vancouver Executive Administrators
    2. Description   This role allows specified administrators to manage important users isolated by the "Vancouver Executives" exclusive write scope.
    3. Roles   Click Add. Select the following roles, and click Add:
      • Audit Logs
      • Legal Hold
      • Mail Recipient Creation
      • Mail Recipients
      • Reset Password
      • Retention Management
      • UM Mailboxes
      • User Options
      When you are finished, click OK.
    4. Members   Click Add. Add the "Organization Management" role group, and any other users or groups that you want to be able to modify the mailboxes defined by the "Vancouver Executives" exclusive write scope. To add a member to the role group, select the user or group, and click Add. Repeat this step for each user or group.
  3. When you are finished, click OK, and then click Save.

Note   Not all roles are available in all organizations. As explained earlier, the exclusive write scope isolates the mailboxes defined by the scope. You need to add any administrator role that allows administrators to modify or delete mailboxes.

Specifically, you need to add all administrator roles that use the Set-Mailbox or the Remove-Mailbox cmdlets. To view these roles, in Windows PowerShell, run the following commands:

Get-ManagementRoleEntry *\Set-Mailbox | where {$_.Role -notlike 'My*'}
Get-ManagementRoleEntry *\Remove-Mailbox | where {$_.Role -notlike 'My*'}

Other roles, such as view-only roles or roles that allow modification of organization objects, such as transport rules, aren't required. Also, end-user roles can't be used with exclusive write scopes.

Replace the default write scope of all role assignments on the role group with the exclusive write scope

In Windows PowerShell, run the following command:

Get-ManagementRoleAssignment -RoleAssignee <role group> | Set-ManagementRoleAssignment -ExclusiveRecipientWriteScope <exclusive write scope>

In this example, the name of the role group is "Vancouver Executive Administrators" and the exclusive write scope is "Vancouver Executives". Run the following command:

Get-ManagementRoleAssignment -RoleAssignee "Vancouver Executive Administrators" | Set-ManagementRoleAssignment -ExclusiveRecipientWriteScope "Vancouver Executives"
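The three procedures above (create the scope, create the role group, replace its write scopes) as one added PowerShell example that is not part of the original article. It derives the role list from the Set-Mailbox and Remove-Mailbox role entries as the earlier note prescribes, assumes a session already connected to Exchange Online, and uses the constructed placeholder member vanadmin@contoso.com.

```powershell
# Added example, not from the original article: the "Vancouver Executives"
# walkthrough end to end, in a Windows PowerShell session connected to
# Exchange Online. "vanadmin@contoso.com" is a constructed placeholder member.

$ScopeName     = "Vancouver Executives"
$RoleGroupName = "Vancouver Executive Administrators"

# 1. Create the exclusive write scope. From this point the matching mailboxes
#    can be modified only through assignments that use this scope (step 4).
New-ManagementScope -Name $ScopeName -Exclusive -RecipientRestrictionFilter {
    (RecipientType -eq 'UserMailbox') -and (City -eq 'Vancouver') -and (Department -like 'Executive*')
}

# 2. Derive the roles to assign from the cmdlets that modify or delete mailboxes,
#    dropping end-user ("My*") roles, which can't be used with exclusive scopes.
$Roles = "*\Set-Mailbox", "*\Remove-Mailbox" |
    ForEach-Object { Get-ManagementRoleEntry $_ } |
    Where-Object { $_.Role -notlike 'My*' } |
    ForEach-Object { "$($_.Role)" } |
    Sort-Object -Unique

# 3. Create the role group with those roles and its members.
New-RoleGroup -Name $RoleGroupName -Roles $Roles `
    -Members "Organization Management", "vanadmin@contoso.com" `
    -Description "Administrators of mailboxes isolated by the '$ScopeName' exclusive write scope."

# 4. Replace the default write scope on every assignment of the role group.
Get-ManagementRoleAssignment -RoleAssignee $RoleGroupName |
    Set-ManagementRoleAssignment -ExclusiveRecipientWriteScope $ScopeName

# 5. Verify: every assignment on the role group should now carry the exclusive
#    scope; an assignment that does not cannot reach the isolated mailboxes.
Get-ManagementRoleAssignment -RoleAssignee $RoleGroupName |
    Where-Object { "$($_.CustomRecipientWriteScope)" -ne $ScopeName } |
    ForEach-Object { Write-Warning "Assignment '$($_.Name)' is not scoped to '$ScopeName'." }

# 6. List the mailboxes now isolated, reusing the filter recorded on the scope
#    instead of retyping it (avoids drift between the scope and the check).
Get-Recipient -Filter (Get-ManagementScope $ScopeName).RecipientFilter -ResultSize Unlimited |
    Format-Table Name, City, Department -AutoSize
```

Step 6 is the equivalent of the Get-User check shown earlier; running it against the scope's own RecipientFilter property confirms what the scope actually matches rather than what you intended it to match.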

Things to think about

  • If an administrator who isn't covered by the exclusive write scope tries to change a mailbox property in a way that would bring the mailbox within the exclusive write scope, the change fails. For example, if the exclusive write scope uses the recipient filter "Title equals Manager", such administrators or help desk personnel can't change the Title attribute of a mailbox to the value "Manager".

  • Users added to the role group may need to sign out and sign in again to be given access to modify the mailboxes defined by the exclusive write scope.

  • After you apply the exclusive write scope to the roles assigned to the role group, you can't add or remove roles in the Exchange Control Panel. You must use Windows PowerShell.
    To add a role to the role group, run the following command:

    New-ManagementRoleAssignment -SecurityGroup <role group> -Role <role name> -ExclusiveRecipientWriteScope <exclusive write scope>

    To remove a role from the role group, run the following command:

    Get-ManagementRoleAssignment -RoleAssignee <role group> -Role <role name> -Delegating $false | Remove-ManagementRoleAssignment