Not sure if I'm missing something obvious here but I'm having trouble getting Management Scopes in Exchange Online to work as expected.
I'm hoping to delegate admin rights for a group of users in a geographic area to accounts that are not Exchange Online / O365 admins in general, but who can do certain limited tasks for the target mailboxes.
So I've identified the users as members of an MSOL group, tried to set up a management scope based on that group (see below) and assigned a 'normal' user to be an admin of that scope. However, while this user can go to https://outlook.office365.com/ecp and see the Exchange Admin centre and can browse users, they cannot change any of the users I would expect to be in that management scope. Where am I going wrong?
$DG = Get-MsolGroup -ObjectId <guid>
(Note: I've tried targeting a normal distribution list and a dynamic DL with no change to the end result.)
New-ManagementScope "robm's Exchange Management Scope" -RecipientRestrictionFilter "MemberOfGroup -eq '$($DG.DisplayName)'"
New-RoleGroup -Name "robm User Admins" -Roles "Mail Recipients", "Distribution Groups", "Mail Recipient Creation" -CustomRecipientWriteScope "robm's Exchange Management Scope"
Everything appears to run OK and everything appears to have been created... I'm just not able to administer the users afterwards.
I think this issue may be caused by -RecipientRestrictionFilter "MemberOfGroup -eq '$($DG.DisplayName)'". You could use {RecipientType -eq "UserMailbox"} as a test; if this works, we can be sure this is the cause.
After some considerable back-and-forth with Microsoft support, the issue is that for Exchange Online the group you're using for your scope needs to be specified by distinguished name.
e.g.
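As an added example (not part of the original thread or the replies above), the following script carries through both suggestions: it previews what the scope filter actually matches before anything is created, the same diagnostic idea as the RecipientType test in the earlier reply, and then builds the scope from the group's distinguished name rather than its display name, as the answer from Microsoft support requires. It assumes an existing Exchange Online PowerShell session, that the target group is a mail-enabled distribution group, and that the group, scope and role-group names are placeholders to substitute.

```powershell
# Added example, not from the original thread. Assumes an active Exchange Online
# PowerShell session (Connect-ExchangeOnline) and that the target group is a
# mail-enabled distribution group visible to Get-DistributionGroup.
# Group, scope and role-group names below are placeholders.

$groupName = 'Region-Users-DL'                      # placeholder: your distribution group
$scopeName = "robm's Exchange Management Scope"     # placeholder: scope name
$roleGroup = 'robm User Admins'                     # placeholder: role group name

# 1. Resolve the group and take its distinguished name. MemberOfGroup is matched
#    against the group's DN in the directory, not its display name, which is why a
#    DisplayName-based filter matches nothing and the delegate gets no write access.
$DG = Get-DistributionGroup -Identity $groupName
$filter = "MemberOfGroup -eq '$($DG.DistinguishedName)'"

# 2. Preview what the filter matches BEFORE creating the scope. A scope whose
#    filter matches no recipients is created without error but grants nothing,
#    which is the symptom described in the question.
$preview = @(Get-Recipient -RecipientPreviewFilter $filter -ResultSize Unlimited)
if ($preview.Count -eq 0) {
    throw "Filter '$filter' matched no recipients; check the group membership and DN."
}
"Filter matches $($preview.Count) recipient(s):"
$preview | Select-Object DisplayName, RecipientType

# 3. Create the scope using the DN-based filter.
New-ManagementScope -Name $scopeName -RecipientRestrictionFilter $filter

# 4. Create the role group whose write scope is limited to that set of recipients.
New-RoleGroup -Name $roleGroup `
    -Roles 'Mail Recipients', 'Distribution Groups', 'Mail Recipient Creation' `
    -CustomRecipientWriteScope $scopeName

# 5. Confirm each role assignment carries the expected custom write scope.
Get-ManagementRoleAssignment -RoleAssignee $roleGroup |
    Select-Object Role, RecipientWriteScope, CustomRecipientWriteScope
```

The preview step is the one worth keeping around: re-running Get-Recipient -RecipientPreviewFilter with the scope's filter is the quickest way to check, after membership changes, that the delegated admins still see exactly the mailboxes you intend and no others. Single quotes around the DN keep the commas in it from being parsed as part of the filter syntax.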