SECOPS: Understanding and Mitigating Risks Associated with Users Accessing Exchange Online for Administration

· M365

This article explores the Role-Based Access Control (RBAC) system in Exchange Online, highlights potential issues, and provides guidance on creating custom “role groups” and scoped “role assignments” to mitigate these risks effectively.

Introduction to RBAC in Exchange Online

Exchange Online incorporates a built-in Role-Based Access Control (RBAC) system. This system enables administrators to delegate specific “roles” or “role groups” (groups of roles) to user accounts based on their needs.

For example, the built-in “Help Desk” role group in Exchange Online encompasses permissions that allow users to:

  • Reset passwords
  • Manage mailbox settings
  • Perform basic troubleshooting for user accounts

Issues with the default built-in “role groups” in Exchange Online

One of the primary issues with the default built-in RBAC “role groups” in Exchange Online is that they often come with broader permissions (roles) than necessary for specific tasks. For instance, applications such as meeting room management solutions, or certain users, may require permissions to perform a single task or manage specific mailboxes. However, the default “role groups” in Exchange Online typically grant extensive permissions across all mailboxes and users, which poses security risks.

To address these risks, it is crucial to tailor permissions to the specific needs of the users or applications.

Example 1: Creating Custom Roles in Exchange Online for a SOC Team

Suppose you want to create a custom “Role Group” for the Security Operations Center (SOC) team to allow them to only manage the block and allow list of Exchange Online.

Follow these steps:

  1. Access the Exchange Admin Center: Navigate to the Exchange Admin Center at https://admin.exchange.microsoft.com/#/adminRoles
  2. Create the Custom “Role Group”: Define a new “role group” with the specific role required by the SOC team. This involves selecting the relevant role “AllowBlockList manager” and adding it to the new “role group”.
  3. Assign the Role Group: Once the custom “role group” is created, assign it to the appropriate user accounts.
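The same role group can also be created from Exchange Online PowerShell. The script below is an added example, not part of the original article: the admin account, group name and member are placeholders, and the role is looked up by wildcard because its exact display name in the tenant is an assumption.

```powershell
# Added example. Assumes the ExchangeOnlineManagement module and an account
# allowed to manage role groups. All names below are placeholders.
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'

$groupName = 'SOC AllowBlockList Managers'      # hypothetical group name
$members   = @('soc.analyst@contoso.example')   # hypothetical member

# Look the role up instead of hard-coding its display name.
$roles = @(Get-ManagementRole | Where-Object { $_.Name -like '*AllowBlockList*' })
if ($roles.Count -ne 1) {
    throw "Expected exactly one AllowBlockList role, found $($roles.Count): $($roles.Name -join ', ')"
}

# Create the group only if it does not exist yet, so the script can be re-run.
if (-not (Get-RoleGroup -Identity $groupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $groupName -Roles $roles[0].Name -Members $members `
        -Description 'SOC: manage the tenant allow/block list only'
}

# Verify: the group must carry that single role and nothing else.
$assigned = @(Get-ManagementRoleAssignment -RoleAssignee $groupName)
$extra = $assigned | Where-Object { $_.Role -ne $roles[0].Name }
if ($extra) { Write-Warning "Unexpected roles on ${groupName}: $($extra.Role -join ', ')" }

$assigned | Format-Table Name, Role, RecipientWriteScope
Get-RoleGroupMember -Identity $groupName | Format-Table Name, RecipientType
```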

Example 2: Granting Specific Roles to Users on a Limited Scope of Mailboxes

In certain scenarios, roles need to be granted only on a specific set of mailboxes. For example, applications often require the “ApplicationImpersonation” role to interact with meeting room mailboxes. However, this permission can be misused to impersonate any user in Exchange Online, making it essential to restrict its scope.

To limit the “ApplicationImpersonation” role to only meeting room mailboxes, follow these steps:

  1. Create a Management Scope: Define a management scope that includes only the meeting room mailboxes:

New-ManagementScope -Name "ResourceMailboxes" -RecipientRestrictionFilter {RecipientTypeDetails -eq "RoomMailbox"}

  2. Grant the Role with Restricted Scope: Assign the “ApplicationImpersonation” role to the user account used by the meeting room management solution, limited to the meeting room mailboxes:

New-ManagementRoleAssignment -Name "ResourceImpersonation" -Role ApplicationImpersonation -User "YOURSERVICEACCOUNTUSERNAMEHERE" -CustomRecipientWriteScope "ResourceMailboxes"

By creating a management scope and assigning roles to it, administrators can ensure that users and applications only have access to the mailboxes they need to manage, thereby reducing security risks.
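To confirm that the scope from step 1 matches only room mailboxes and that no “ApplicationImpersonation” assignment remains unscoped, the following check can be run in the same session. It is an added example, not part of the original article, and assumes an existing Connect-ExchangeOnline session and the scope name “ResourceMailboxes” used above.

```powershell
# Added example. Assumes an active Connect-ExchangeOnline session and the
# "ResourceMailboxes" scope created in step 1.

# 1. Preview the recipients the scope filter currently matches.
$scope   = Get-ManagementScope -Identity 'ResourceMailboxes'
$inScope = @(Get-Recipient -RecipientPreviewFilter $scope.RecipientFilter -ResultSize Unlimited)

if ($inScope.Count -eq 0) {
    Write-Warning 'Scope matches no recipients; the scoped assignment would grant nothing.'
}
$unexpected = $inScope | Where-Object { "$($_.RecipientTypeDetails)" -ne 'RoomMailbox' }
if ($unexpected) {
    Write-Warning "Scope also matches non-room recipients: $($unexpected.PrimarySmtpAddress -join ', ')"
}
"Scope '$($scope.Name)' covers $($inScope.Count) recipient(s)"

# 2. List every regular (non-delegating) ApplicationImpersonation assignment,
#    expanded to the effective users, and flag any that is not restricted
#    to a custom recipient scope.
$report = Get-ManagementRoleAssignment -Role ApplicationImpersonation `
              -GetEffectiveUsers -Delegating $false |
    Select-Object Name, RoleAssigneeName, EffectiveUserName,
                  RecipientWriteScope, CustomRecipientWriteScope,
                  @{ Name = 'Unscoped'
                     Expression = { "$($_.RecipientWriteScope)" -ne 'CustomRecipientScope' } }

$report | Sort-Object Unscoped -Descending | Format-Table -AutoSize

$unscoped = @($report | Where-Object Unscoped)
if ($unscoped.Count -gt 0) {
    Write-Warning "$($unscoped.Count) effective user(s) hold ApplicationImpersonation without a custom scope."
}
```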

Example 3: Granting Specific Roles to Users on a Limited Scope of Mailboxes owned by VIP

The following example demonstrates how to create and use an exclusive management scope in PowerShell:

New-ManagementScope -Name "VIP Exec Users" -RecipientRestrictionFilter "Title -like 'VP*'" -Exclusive

This command establishes an exclusive scope named “VIP Exec Users”. It targets users whose job title matches the filter 'VP*', that is, titles beginning with “VP”.

Upon creation of this scope, all users are immediately restricted from modifying the recipients within this scope until it is linked to a management role assignment.

Note: If there are other role assignments tied to different exclusive scopes targeting the same recipients, those assignments will still be able to modify the recipients.

Next, the exclusive scope is linked to a role assignment using the following command:

New-ManagementRoleAssignment -SecurityGroup "VIP IT Admins" -Role "Mail Recipients" -CustomRecipientWriteScope "VIP Exec Users"

This command assigns the “Mail Recipients” management role to the “VIP IT Admins” security group, associating it with the “VIP Exec Users” scope.

The “VIP IT Admins” security group consists of administrators authorized to manage the mailboxes of high-level executives. As a result, only administrators in the “VIP IT Admins” security group can modify users whose title matches “VP*”.

Effective management of administrative permissions in Exchange Online is critical for maintaining security and operational efficiency. While the built-in RBAC role groups provide a convenient starting point, they often grant excessive permissions. By understanding the specific needs of users and applications, administrators can create custom role groups or role assignments and restrict permissions to the necessary scope, mitigating risks associated with over-permissioning. Implementing these practices ensures a more secure and well-governed Exchange Online environment.