Share via


Exchange 2010 Multi-tenant (Tenant's Managing Tenant's)

I want my Tenant users to manage their own Tenants Organization. What a great concept, and in a multi-tenant environment you have the ability to do just that. On a regular on premise Exchange environment you will either have to create your own permission model for tenants to administer their users. You might also have to create your own Hosting Console for on-premise exchange to do this for you. This will require your end tenant users to put in a request to add or remove users since they don't have any administrative rights to your Exchange organization. This is an administrative nightmare and potential security hole if not properly done.

By Default the first mailbox account (administrator) created when running new-organization will have the permissions to manage that organization. Tenant Administrators can manage their organization using Exchange Control Panel or Remote Power Shell.

**Exchange Control Panel (ECP)
**Using ECP is more users friendly since it uses a web GUI to make changes. Administrators can make manage all the day to day tasks in the ECP GUI. For more advance or bulk changes users can use remote PowerShell. Below are the categories provided to you and how to access the ECP console.

Users & Groups
Create the following Mail enabled objects

a. Mailbox's
b. Distribution Groups
c. External Contacts

Roles & Auditing
You can assign users certain management permissions and create your own based on your organization.

a. Administrator Roles
b. User Roles
c. Auditing

Mail Control
You can create Exchange rules that will only affect your Tenant organization.

a. Rules (Transport Rules)
b. Journal (Journal Rules)
c. Delivery Report (Message Tracking)

Phone & Voice
Create ActiveSync plans and manage your ActiveSync users

a. ActiveSync Access
b. ActiveSync Device Policy

Method 1
The Tenant Administrator can access the ECP console by log into OWA.

  1. Select Options in the top right hand corner

  2. Select "See All Options…" 
     

  3. Then in the ECP console change the mail options to "Manage My Organization" 
     

     

Method 2
Your Tenants can bypass logging in directly through OWA and access ECP directly. They can access the ECP virtual directory directly from your published URL by appending ECP to the end of your Domain

https://Your.Domain.com/ECP 
 
You will then be redirect the Forms Based Authentication page for authentication but once authenticated you will be logged on directly to the ECP console. 
 

 

**Exchange Remote Powershell
**
As an Exchange administrator you can manage your Multi-Tenant environment remotely using remote PowerShell. You can also provide this feature for your Tenant administrators. This gives the ability for your more advanced Tenant administrators to have more control with Exchange remote PowerShell. This level of administration should be given with great consideration as your Tenant administrators has the ability to break their organization without your knowledge and make it very difficult for you to recover.

To connect to your Exchange 2010 Multi-Tenant environment you will require Remote PowerShell v2.0 installed on the Server/Workstation.

  1. Open remote powershell v2 and run the following to store the administrator credentials into a variable.

**$Admin=get-credential **
 

  1. Now that we stored your Administrator credentials into the session we will now connect to your Exchange Multi-Tenant Environment using your internet facing URL. Note that you will have to enter your own Public URL and append the PowerShell virtual directory

**$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://host-e2010/powershell/ -Credential $admin -Authentication Basic **
 

 

  1. Then you will import the session into your PowerShell.

**Import-PSSession $Session **
 

 

As an Exchange Organization Administrator you can see the advantages of using Remote PowerShell. There's no need remote into your internal network to manage your Exchange Environment. You will have full access as if you were using the Exchange Management Shell directly on the Exchange Server.

As a Tenant Administrator, your permission set is scoped to your Tenant organization. The commands you will have access to will be based on the RBAC permissions already assigned to you. So you will not have any of the Organization Commands but will have access to the commands used in your ECP.  When using the Root Exchange administrator account you can manage tenant organizations by using the -organization switch within the command.
 
Example:
In the Left I've logged in using the Exchange Administrator using Exchange Management Shell. In the Right I've logged in using the Tenant administrator account using Remote Powershell for Tenant1. In both windows I'm pulling up the Mailbox users for my Tenant1 Organization. As you can see with the Exchange Administrator account I have to run the -organization switch to pull up the mailboxes. The Tenant administrator is already scoped and running get-mailbox pulls up the current mailbox users. 

Get-Mailbox -Organization "OrgName"
 

This article is in reference to Exchange 2010 Multi-tenant deployments when the Exchange organization was installed with the /hosting switch.  Please reference Exchange Server 2010 Hosting Deployment to determine if your Exchange organization has been deployed in /hosting mode.

Exchange 2010 Multi-Tenant Hosting Wiki

  • Ed Bringas