Exchange Online: Exclusive Management Scopes for eDiscovery

Exchange Online offers organizations a simple interface for performing eDiscovery and legal holds across mailboxes.  By default, the global administrator for the Office 365 tenant has the ability to add users to a Discovery Management admin role which provides them legal hold and mailbox search capabilities across the organization.  These discovery managers can perform eDiscovery and apply legal holds to any content stored within the Exchange Online mailboxes.

Note: to place content on in-place hold the mailbox must have an Exchange Online Plan 2 or an Exchange Online Archiving license assigned.

What happens if an organization needs to separate discovery and management capabilities between groups of mailboxes?  With Exchange it is possible to create exclusive management scopes, which restrict discovery or management of the scoped mailboxes to people in roles attached to that scope.  In Exchange Online an exclusive management scope allows you to define groups of mailboxes based on AD property filters or OUs.  TechNet defines an exclusive scope as "a special type of explicit management scope that can be associated with management role assignments. Exclusive scopes are designed to enable situations where you have a group of highly valuable objects, such as a CEO mailbox, and you want to tightly control who has access to manage those objects."

An example of where discovery and management separation may need to occur is in a United States county government.   A county government has many departments including public safety and courts.  The county government may want to have one person who can do discovery and legal holds on public safety and courts mailboxes and another person who can perform the same on all other mailboxes.  These two discovery managers must never have the ability to perform searches or place content on legal hold for the other person’s group. 

To get started setting up exclusive management scopes you will need to prepare a local computer with the necessary PowerShell prerequisites for Exchange Online management.  See my prior blog post on PowerShell for Office 365 for more details.  I highly recommend that you test out exclusive management scopes in a trial Office 365 environment first to ensure that they work as you expect.  If you follow the steps in this article you do so at your own risk.  Changing the configuration of Exchange Online may have unexpected consequences within your environment.

Connecting to Exchange Online via PowerShell can be done using the following three commands:

  • $LiveCred = Get-Credential
  • $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
  • Import-PSSession $Session

Now that the connection to Exchange Online is established, it is possible to create new exclusive management scopes.  In this example I am creating two management scopes, one for Organization A and another for Organization B.  These scopes are filtered using the Active Directory DisplayName property and the mailbox type (RecipientType / RecipientTypeDetails).  In my demo environment I have added the text "(ORGA)" or "(ORGB)" to the DisplayName property of user accounts in order to filter them into the correct exclusive management scopes.

  • New-ManagementScope "Organization A Exclusive Scope" -RecipientRestrictionFilter {((RecipientType -eq 'UserMailbox') -and (DisplayName -Like "*(ORGA)")) -or ((RecipientTypeDetails -eq 'DiscoveryMailbox') -and (DisplayName -eq 'Organization A eDiscovery Mailbox'))} -Exclusive -Force
  • New-ManagementScope "Organization B Exclusive Scope" -RecipientRestrictionFilter {((RecipientType -eq 'UserMailbox') -and (DisplayName -Like "*(ORGB)")) -or ((RecipientTypeDetails -eq 'DiscoveryMailbox') -and (DisplayName -eq 'Organization B eDiscovery Mailbox'))} -Exclusive -Force

Note: currently Exchange Online management scopes can only be filtered using the DisplayName property or an Active Directory Organizational Unit (OU).  Using any other Active Directory property will appear to work when the scope is created, but it will cause errors when a discovery manager attempts to perform an eDiscovery query.

With the exclusive management scopes created it is now time to create admin role groups for ORGA and ORGB administration and discovery management.  The commands shown below will create the admin role groups which are not yet associated with the exclusive management scopes.  During the creation of the groups you can add members to the groups.  In my example I add the “Organization Management” group to the Organization A/B administrators group.  I also add a person with the username AlexD to the Organization A Discovery Management group and a person with the username RobinC to the Organization B Discovery Management group.   Alex and Robin are the discovery managers for their respective management scopes.

  • New-RoleGroup -Name "Organization A Administrators" -Roles "Mail Recipients","User Options","Mail Recipient Creation","Recipient Policies","Reset Password" -Members "Organization Management" -Force
  • New-RoleGroup -Name "Organization A Discovery Management" -Roles "Legal Hold","Mailbox Search" -Members "AlexD" -Force
  • New-RoleGroup -Name "Organization B Administrators" -Roles "Mail Recipients","User Options","Mail Recipient Creation","Recipient Policies","Reset Password" -Members "Organization Management" -Force
  • New-RoleGroup -Name "Organization B Discovery Management" -Roles "Legal Hold","Mailbox Search" -Members "RobinC" -Force

With both the exclusive management scopes and the admin role groups created I can associate them together to ensure that the administrators and discovery managers can only manage mailboxes in the scope assigned to their admin role.

  • Get-ManagementRoleAssignment -RoleAssignee "Organization A Administrators" | Set-ManagementRoleAssignment -ExclusiveRecipientWriteScope "Organization A Exclusive Scope" -Force
  • Get-ManagementRoleAssignment -RoleAssignee "Organization A Discovery Management" | Set-ManagementRoleAssignment -ExclusiveRecipientWriteScope "Organization A Exclusive Scope" -Force
  • Get-ManagementRoleAssignment -RoleAssignee "Organization B Administrators" | Set-ManagementRoleAssignment -ExclusiveRecipientWriteScope "Organization B Exclusive Scope" -Force
  • Get-ManagementRoleAssignment -RoleAssignee "Organization B Discovery Management" | Set-ManagementRoleAssignment -ExclusiveRecipientWriteScope "Organization B Exclusive Scope" -Force

The discovery managers will need their own independent discovery mailboxes with appropriate permissions so that they can work securely and independently of each other.  The final set of PowerShell commands below creates discovery mailboxes for Organization A and Organization B and then sets permissions.  Notice that I am denying access to the overall default Discovery Management role group and ensuring that the discovery managers for Organization A and B each have access only to their own discovery mailbox.

  • New-Mailbox "Organization A eDiscovery Mailbox" -Discovery
  • Add-MailboxPermission "Organization A eDiscovery Mailbox" -User "Organization A Discovery Management" -AccessRights FullAccess
  • Add-MailboxPermission "Organization A eDiscovery Mailbox" -User "Organization B Discovery Management" -AccessRights FullAccess -Deny
  • Add-MailboxPermission "Organization A eDiscovery Mailbox" -User "Discovery Management" -AccessRights FullAccess -Deny
  • New-Mailbox "Organization B eDiscovery Mailbox" -Discovery
  • Add-MailboxPermission "Organization B eDiscovery Mailbox" -User "Organization B Discovery Management" -AccessRights FullAccess
  • Add-MailboxPermission "Organization B eDiscovery Mailbox" -User "Organization A Discovery Management" -AccessRights FullAccess -Deny
  • Add-MailboxPermission "Organization B eDiscovery Mailbox" -User "Discovery Management" -AccessRights FullAccess -Deny
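Before handing the role groups to the discovery managers it is worth checking that the separation actually holds. The script below is an added verification example, not part of the original post or its download; it assumes the Exchange Online session from above is already imported and that the scope, role group and discovery mailbox names are exactly the ones created above.

```powershell
# Added verification script (not from the original post). Assumes the Exchange
# Online session is imported and the object names match those created above.
$checks = @(
    @{ Scope = 'Organization A Exclusive Scope'
       Own   = 'Organization A Discovery Management'
       Other = 'Organization B Discovery Management'
       Mbx   = 'Organization A eDiscovery Mailbox' },
    @{ Scope = 'Organization B Exclusive Scope'
       Own   = 'Organization B Discovery Management'
       Other = 'Organization A Discovery Management'
       Mbx   = 'Organization B eDiscovery Mailbox' }
)

foreach ($c in $checks) {
    $scope = Get-ManagementScope -Identity $c.Scope
    if (-not $scope.Exclusive) {
        Write-Warning "$($c.Scope) was created without -Exclusive"
    }

    # 1. Preview exactly which recipients the scope filter matches. A filter that
    #    matches nothing (or the wrong people) shows up here, long before a
    #    discovery manager hits an error in an eDiscovery search.
    $inScope = Get-Recipient -RecipientPreviewFilter $scope.RecipientFilter -ResultSize Unlimited
    Write-Output "$($c.Scope): $(@($inScope).Count) recipient(s) match"

    # 2. For each in-scope recipient, list the role assignments able to write to
    #    it and confirm the other organization's discovery group is absent.
    foreach ($r in $inScope) {
        $writers = Get-ManagementRoleAssignment -WritableRecipient $r.Identity |
                   Select-Object -ExpandProperty RoleAssigneeName -Unique
        if ($writers -contains $c.Other) {
            Write-Warning "$($r.DisplayName): writable by $($c.Other)"
        }
        if ($writers -notcontains $c.Own) {
            Write-Warning "$($r.DisplayName): NOT writable by $($c.Own)"
        }
    }

    # 3. Confirm the explicit FullAccess Deny on the discovery mailbox exists for
    #    the other organization's group and the default Discovery Management group.
    foreach ($user in @($c.Other, 'Discovery Management')) {
        $deny = Get-MailboxPermission -Identity $c.Mbx -User $user |
                Where-Object { $_.Deny -and ($_.AccessRights -contains 'FullAccess') }
        if (-not $deny) {
            Write-Warning "$($c.Mbx): no FullAccess deny for $user"
        }
    }
}
```

Any warning printed means the separation described in this article is not in effect for that object and should be fixed before the scopes are relied on.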

Creating exclusive management scopes and assigning them to admin roles using PowerShell is a simple process.  Is this the best solution to address the need for separating the management and discovery admin roles to exclusive groups of mailboxes?  It really depends on the organization's need for central management versus the need to have separation of administration duties.  In some cases it might make more sense to have multiple Office 365 tenants in order to provide complete separation between organizational entities.

Below is a short video that demonstrates the steps outlined in this article.


Download the sample PowerShell script

2 thoughts on “Exchange Online: Exclusive Management Scopes for eDiscovery”

  1. You state that "Exchange Online management scopes can only be filtered using the DisplayName property or an Active Directory Organizational Unit (OU)". But when I attempt to create a management scope using: New-ManagementScope -Name "Executive Mailboxes" -RecipientRoot "mydomain.com/Executives", I get an error that the OU cannot be found. Does this actually work for Exchange Online? I was under the impression that OUs are not replicated from the on-premises AD.

  2. Hey Mike, nice article, very detailed. The video and script will also be very useful for people trying to learn about the subject.

    Two things to note:

    – If the objective is to only limit eDiscovery functionality, you can do this via normal management scopes as described here: http://technet.microsoft.com/en-us/library/dn741464(v=exchg.150).aspx. In my opinion, using exclusive scopes will overcomplicate things and it almost guarantees that you will run into issues with managing those mailboxes in the long run, especially with Exchange Online.

    – Exchange Online management scopes (including exclusive ones) DO work with parameters other than DisplayName. The issue you had is most likely because of 'incompatible' filters, such as "(RecipientType -eq 'UserMailbox') -and (Company -eq 'Microsoft')". If you put the (RecipientType -eq 'UserMailbox') condition, you must use only parameters available to the mailbox object, and in the example above the Company parameter is not available for mailboxes. If you combine it with the Office parameter however, it will work. Or if you skip the RecipientType check.
