Brad Linch

Scoped Access for Exchange Online

There are several reasons why an organization might want to restrict access in their Exchange environment. The use-case this post focuses on is for backing up and restoring Exchange mailboxes. For example, your company is global, and you don't want users in North America backing up or restoring mailboxes in Europe and vice versa.


Three building blocks of permissions delegation in Exchange need to be understood first.

  1. Management Scopes - define the set of objects that a role assignment is allowed to act on

  2. Dynamic Distribution Groups - a set of advanced filtering criteria for grouping mailboxes together for ease of management

  3. Role groups - a set of permissions assigned to a user (service account) that determine the level of access in Exchange

Setup Required in Exchange Admin Center and PowerShell

Let's start with connecting to Exchange via PowerShell.

$LiveCred = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
Import-PSSession $Session -DisableNameChecking

First, create the Management Scopes and Dynamic Distribution Groups via PowerShell. The rest can be done in the Exchange/O365 Admin Center. The management scope below covers all user mailboxes located in the United States or Canada. The two country tests are parenthesized so that the UserMailbox condition applies to both countries (in PowerShell, -and binds more tightly than -or, so without the parentheses every recipient in Canada, mailbox or not, would fall into the scope).

New-ManagementScope -Name "North America Backup Scope" -RecipientRestrictionFilter {RecipientType -eq "UserMailbox" -and (Co -eq "United States" -or Co -eq "Canada")}

Next, Dynamic Distribution Groups make management of backups simpler by grouping users together for automation purposes. The command below groups user mailboxes located in the UK and Denmark for the sites we have in Europe; if your company has users in other European countries, add them here too. The same parenthesized country test is used, for the same reason as in the scope filter.

Get-DynamicDistributionGroup "Europe_Employees" | Set-DynamicDistributionGroup -RecipientFilter {RecipientType -eq "UserMailbox" -and (Co -eq "United Kingdom" -or Co -eq "Denmark")}

Below you can see the three Management Scopes I created, each filtered by its own region. We will apply these scopes to Admin Roles later on. In addition, we can see the Dynamic Distribution Groups created for each region. The commands below preview which recipients a group's filter currently matches, so you can verify that the right user mailboxes are grouped before building anything on top of the group.

$group = "NA_Employees"
Get-Recipient -RecipientPreviewFilter (Get-DynamicDistributionGroup $group).RecipientFilter

That's enough with PowerShell for today. Log in to the Exchange Admin Center and create a role for each scope created. In addition, define the permissions these roles should have. In the case of a backup server per region, the roles must have ApplicationImpersonation, Mailbox Search, View-Only Configuration and View-Only Recipients. If there will be one central backup server and each region is responsible for its own restores, then only ApplicationImpersonation is needed. Lastly, assign a user to each role. This is essentially a service account that will be used for backup and restore in each region. This user doesn't need to be licensed.
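The steps above (scope, dynamic distribution group, role group with the four roles, service account) can also be done entirely in PowerShell, which makes the configuration reviewable and repeatable. The script below is an added example and is not the post's own script; it assumes an Exchange Online PowerShell session is already open (the session from the connection step above, or Connect-ExchangeOnline from the ExchangeOnlineManagement module), and the scope, group, role group and service account names in it are assumptions. It goes a little beyond the post in two ways: it builds the filter string once and reuses it for both the scope and the group so the two cannot drift apart, and it adds a coverage check that lists any mailbox the backup group would hand to a job that the service account's scope does not cover, which is what the out-of-region test in the Veeam section demonstrates from the other side.

```powershell
# Added example, not the post's own script. Assumes an Exchange Online
# PowerShell session is already established. All names below are assumptions.

$Region      = 'North America'
$Countries   = @('United States', 'Canada')
$ScopeName   = "$Region Backup Scope"
$GroupName   = 'NA_Employees'
$RoleGroup   = "$Region Backup Operators"
$ServiceAcct = 'backupsvcna@contoso.example'   # placeholder UPN of the service account

# Build the recipient filter once and reuse it for the scope and the group.
# The country clause is parenthesised: -and binds tighter than -or, so without
# the parentheses the filter would read (UserMailbox AND US) OR Canada and
# would admit every Canadian recipient, mailbox or not.
$CountryClause = ($Countries | ForEach-Object { "Co -eq '$_'" }) -join ' -or '
$Filter = "RecipientType -eq 'UserMailbox' -and ($CountryClause)"

# 1. Management scope: the boundary any role assignment using it is confined to.
New-ManagementScope -Name $ScopeName -RecipientRestrictionFilter $Filter

# 2. Dynamic distribution group: the object the regional backup job is built on.
New-DynamicDistributionGroup -Name $GroupName -RecipientFilter $Filter

# 3. Role group carrying the post's four roles, write-scoped to the region,
#    with the service account as its only member.
New-RoleGroup -Name $RoleGroup `
    -Roles 'ApplicationImpersonation', 'Mailbox Search', 'View-Only Configuration', 'View-Only Recipients' `
    -CustomRecipientWriteScope $ScopeName `
    -Members $ServiceAcct

# 4. Verification: preview both filters and flag any mailbox the group would
#    include that falls outside the scope. Those are exactly the mailboxes a
#    job on this group will fail to process.
function Test-BackupScopeCoverage {
    param([string]$Scope, [string]$Group)

    $scopeFilter = (Get-ManagementScope $Scope).RecipientFilter
    $groupFilter = (Get-DynamicDistributionGroup $Group).RecipientFilter

    # Compare on the SMTP address as a plain string so -contains is reliable.
    $inScope = Get-Recipient -ResultSize Unlimited -RecipientPreviewFilter $scopeFilter |
               ForEach-Object { [string]$_.PrimarySmtpAddress }
    $inGroup = Get-Recipient -ResultSize Unlimited -RecipientPreviewFilter $groupFilter

    foreach ($r in $inGroup) {
        [pscustomobject]@{
            Mailbox = [string]$r.PrimarySmtpAddress
            Type    = $r.RecipientTypeDetails
            InScope = $inScope -contains [string]$r.PrimarySmtpAddress
        }
    }
}

# Anything with InScope = False needs attention before the job runs.
Test-BackupScopeCoverage -Scope $ScopeName -Group $GroupName |
    Where-Object { -not $_.InScope } | Format-Table -AutoSize

# Read back the effective assignment to confirm every role is scoped.
Get-ManagementRoleAssignment -RoleAssignee $RoleGroup |
    Select-Object Role, CustomRecipientWriteScope
```

Because the scope and the group share one filter string, the coverage check should normally report nothing; it becomes useful when someone later edits the group in the admin center (for instance to add a country) without widening the scope, which is the kind of silent drift that shows up only as failed mailboxes in a backup job.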

Backup Job Settings in Veeam

Once the pre-work is done in the Exchange Admin Center, log on to Veeam and add your Exchange organization using the service account created. Below is my service account for mailboxes in North America. Do NOT check "Grant this account required roles and permissions."

The warning below is a sign the service account has been created and added correctly. It's telling us that "backupsvcna" doesn't have access to everything in the organization, which is correct: it should only have access to mailboxes in NA.

To confirm this is set up properly, create a backup job based on the North America Dynamic Distribution Group created earlier. This group should hold all user mailboxes in North America. In addition, add a few users who are based outside NA to confirm the scope is enforced.

We can see below it failed to process Johanna, Lee and Pradeep who are all based outside of North America.

Repeat this process for each backup server using the respective service account for each region. We can confirm the Europe service account is correct.

And the Asia service account is correct.

In summary, management scopes are a great way for global companies to keep data in-region. If/when Microsoft develops more granular APIs for Exchange Web Services (EWS), this blog will become a moot point, as backup vendors will be able to leverage those APIs; today, however, EWS can only be called for everything within an organization. There is no way to call on a specific region or country.


#O365 #exchange #backup #restore #scopedaccess #dynamicgroups


©2020 by LinchTips