Sunday, August 2 2020

How to give EWS permissions for BESAdmin in a Multi-Tenant Environment (/Hosting)

In a multi-tenant environment, even an admin account cannot access every user's mailbox in every tenant. Even giving AD permissions over those tenant users won't work.

Let's say a BESAdmin account needs EWS permissions for all the tenants in the organization. Calendar sync and sending and receiving meetings require EWS permissions.

Because Exchange is in hosted mode, every tenant organization has its own set of permissions.

To provide EWS permissions for all the tenant users, you need to create a custom RBAC configuration.

Let's see how to do it.

Step 1:

Create a Scope

New-ManagementScope -PartnerDelegatedTenantRestrictionFilter {Name -eq '*'} -Name BESEnabledOrgs

Step 2:

Create a Custom Role

New-ManagementRole -Parent PartnerDelegatedTenantManagement -Name EWSAccessforApp 

Step 3:

Assign it to a Service account

New-ManagementRoleAssignment -Role EWSAccessforApp -User "BESAdmin" -CustomConfigWriteScope BESEnabledOrgs


Now BESAdmin should work without any issues for calendar meetings.
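
Because this grant reaches every tenant, it is worth reviewing what was actually created. The following is an added example, not part of the original post: it reads back the scope, role and assignment from Steps 1 to 3 and warns when the role is held by anyone other than BESAdmin or is not bound to the BESEnabledOrgs scope. It assumes an Exchange Management Shell session with rights to read the RBAC configuration.

```powershell
# Added example: audit the RBAC objects created in Steps 1-3.
# The three names below are the ones used in the steps above.
$scopeName = 'BESEnabledOrgs'
$roleName  = 'EWSAccessforApp'
$assignee  = 'BESAdmin'

# 1. The scope must exist, otherwise the assignment cannot be restricted by it.
$scope = Get-ManagementScope -Identity $scopeName -ErrorAction Stop
$scope | Format-List Name, ScopeRestrictionType, Exclusive

# 2. The custom role should be a child of PartnerDelegatedTenantManagement.
$role = Get-ManagementRole -Identity $roleName -ErrorAction Stop
if ("$($role.Parent)" -notlike '*PartnerDelegatedTenantManagement') {
    Write-Warning "$roleName has an unexpected parent role: $($role.Parent)"
}

# 3. A child role created without -EnabledCmdlets copies its parent's entries.
#    List them so the grant can be reviewed for least privilege.
Get-ManagementRoleEntry "$roleName\*" |
    Sort-Object Name |
    Format-Table Name, Role -AutoSize

# 4. Every assignment of the role should belong to the service account,
#    be enabled, and carry the custom config write scope from Step 1.
$assignments = @(Get-ManagementRoleAssignment -Role $roleName)
if ($assignments.Count -eq 0) {
    Write-Warning "No assignment found for role $roleName"
}
foreach ($a in $assignments) {
    if ($a.RoleAssigneeName -ne $assignee) {
        Write-Warning "Role also assigned to: $($a.RoleAssigneeName)"
    }
    if ("$($a.CustomConfigWriteScope)" -ne $scopeName) {
        Write-Warning "Assignment '$($a.Name)' is not bound to scope $scopeName"
    }
    if (-not $a.Enabled) {
        Write-Warning "Assignment '$($a.Name)' is disabled"
    }
}
$assignments |
    Format-Table Name, RoleAssigneeName, CustomConfigWriteScope, Enabled -AutoSize

# 5. Review everything else the service account holds, not only this role.
Get-ManagementRoleAssignment -RoleAssignee $assignee |
    Format-Table Role, CustomConfigWriteScope, CustomRecipientWriteScope -AutoSize
```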

About Satheshwaran Manoharan

Satheshwaran Manoharan is a Microsoft Office Server and Services MVP, Publisher of Specialized in Office365 / Microsoft Exchange / Virtualization. Sathesh is a messaging expert supporting, designing and deploying for many medium-size businesses to large enterprises when it comes to corporate messaging and virtualization infrastructure.
