Privileged Access Management

As the first step, we need to create a group whose members approve privileged access requests. If you already have an IT admin/management group, you can

Create Admin Group

1. Log in to the Office 365 Admin panel as a global administrator.

2. Then go to Groups.

3. Then click on Add a Group.

4. In the new group window, select mail-enabled security as the group type. Then provide a name for the group. You can also add a description if you like. At the end, click on Add to proceed.

5. Once the group is created, search for the group and click on it.

6. Click on Edit next to Members.

7. Then click on Add members.

8. Add the required users to the list and then click on Save.

Enable privileged access

1. Log in to the Office 365 Admin panel as a global administrator.

2. Go to Settings | Security & privacy | Privileged Access, and then click on Edit.

3. Turn on Require approvals for privileged tasks and select the newly created group as the default approver group. At the end, click on Save to apply the changes.

Create a Policy 

The next step is to create a new access policy. You can have up to 30 policies.

1. Log in to the Office 365 Admin panel as a global administrator.

2. Go to Settings | Security & privacy | Privileged Access and then click on Manage access policies and requests.

3. Click on Configure Policies.

4. Click on Add a Policy.

5. In the new policy window, fill in the following:

Policy type: Select Task, Role, or Role Group.

Policy scope: Exchange.

Policy name: The available names change based on the option you selected for the policy type.

Approval type: Select Manual or Auto.

Approval group: Select the approvers' group created in the previous step.

In my demo, I am creating a policy to control mailbox permissions. When someone tries to add mailbox permissions, it will ask for approval. I set it as a manual approval policy, so someone from the approval group needs to allow it.

So, let's go ahead and test it.

In my setup, I have gone ahead and logged in to the Office 365 portal as a Global Administrator. Then I launched the Exchange admin panel.

Then I opened a user account and went to mailbox delegation.

Then I tried to add Full Access permission to a mailbox.

As expected, it didn't allow it.

Now we need to request the permissions. To do that, go to Settings | Security & privacy | Privileged Access and then click on Manage access policies and requests.

Then click on New request.

Fill in the form to match the policy. We also need to specify the time the access should be valid for. Then, to complete the request, click on Save.

As expected, users in the approval group receive an email about the request.

When I log in as an approver, I can see this new pending request under the Security & privacy window.

Open the request and click on Approve.

Then the end user gets an email with the decision. 

And now as expected, the user can add the mailbox permissions without issue. 

After 1 hour the permissions will be revoked automatically. However, if required, an admin can revoke the permissions earlier by using the Revoke option under the request.

Alternatively, you can submit the request using PowerShell:

Connect-ExchangeOnline -UserPrincipalName AdeleV@M365x953294.OnMicrosoft.com

New-ElevatedAccessRequest -Task 'Exchange\New-MoveRequest' -Reason 'Attempting to fix the user mailbox error' -DurationHours 4
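The whole workflow from the PowerShell side, as an added example that is not part of the original post: it enables PAM and creates the mailbox-permission policy from the demo, submits a request, approves it as the approver, and verifies the authorization before running the controlled task. The cmdlets are the Exchange Online PAM cmdlets; the angle-bracket placeholders, the `-RequestStatus` filter and the output property names (`Task`, `RequestId`) are assumptions to confirm with `Get-Help` in your tenant.

```powershell
# Added example (not from the original post). Placeholder values are in <...>.
# Confirm cmdlet/parameter names with: Get-Help New-ElevatedAccessRequest -Full
$Approver  = '<approver-upn>'                        # member of the approver group
$Requester = '<admin-upn>'                           # admin needing temporary rights
$Group     = '<pam-approvers@tenant.onmicrosoft.com>' # mail-enabled security group
$Task      = 'Exchange\Add-MailboxPermission'        # task behind "add mailbox permissions"

# --- 1. One-time setup: enable PAM and create a manual-approval policy --------
Connect-ExchangeOnline -UserPrincipalName $Approver
Enable-ElevatedAccessControl -Admin $Approver -ApproverGroup $Group
New-ElevatedAccessApprovalPolicy -Task $Task -ApprovalType Manual -ApproverGroup $Group
Disconnect-ExchangeOnline -Confirm:$false

# --- 2. Requester: ask for time-boxed elevation (1 hour, as in the demo) -------
Connect-ExchangeOnline -UserPrincipalName $Requester
New-ElevatedAccessRequest -Task $Task `
    -Reason 'Grant Full Access on a shared mailbox (ticket <ticket-id>)' `
    -DurationHours 1
Disconnect-ExchangeOnline -Confirm:$false

# --- 3. Approver: approve only the request for the expected task --------------
# Anything else stays pending for a human to look at rather than being auto-handled.
Connect-ExchangeOnline -UserPrincipalName $Approver
$pending = Get-ElevatedAccessRequest -RequestStatus Pending   # assumed filter name
foreach ($r in $pending) {
    if ($r.Task -eq $Task) {
        Approve-ElevatedAccessRequest -RequestId $r.RequestId -Comment 'Ticket <ticket-id> verified'
    } else {
        Write-Warning "Leaving request $($r.RequestId) for task $($r.Task) pending for manual review"
    }
}
Disconnect-ExchangeOnline -Confirm:$false

# --- 4. Requester: confirm the grant exists, then perform the controlled task --
Connect-ExchangeOnline -UserPrincipalName $Requester
$auth = Get-ElevatedAccessAuthorization | Where-Object { $_.Task -eq $Task }
if (-not $auth) { throw "No active elevation for $Task; the request was not approved yet" }
Add-MailboxPermission -Identity '<shared-mailbox>' -User '<delegate-upn>' -AccessRights FullAccess
Disconnect-ExchangeOnline -Confirm:$false
```

The approval and the later `Add-MailboxPermission` both land in the Exchange admin audit log, so the request id in the `-Comment` gives reviewers a way to tie the two together.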
