Recently, I created a new mobile device policy for a client where all new connections to Office 365 ActiveSync resulted in the device getting quarantined. An administrator would then need to go in and either Allow Access, Deny Access or leave the device in quarantine. The reason for this was to have more control over who was accessing company emails and on which device. We did not want users to connect to corporate emails on their personal devices.
The question that arose after this was successfully implemented was how we would manage it going forward. We wanted the Service Desk staff to manage Office 365 ActiveSync, but we did not want to give them full Exchange Online admin rights.
Fear not, it is possible to provide the users with limited access rights to the Exchange Admin Console giving them the ability to perform their duties safely.
Instructions on how this is achieved are below, but first, connect to your Office 365 with PowerShell.
The first thing we need to do is create a new management role, ActiveSync, with Organization Client Access as its parent.
You can call this Role Group whatever you want - although you can call it B-FortyOne if you like :)
Something we haven't set permissions for so far is enabling and disabling ActiveSync, since the Set-CASMailbox role entry in Organization Client Access does not include this parameter. So let's now go ahead and create a new role called ActiveSyncMailboxManagement with Mail Recipients as its parent.
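The steps above, end to end, as an added example (not the original post's commands): both child roles are trimmed to a least-privilege set, attached to one role group, and then verified. The keep-lists, the admin UPN, the member address and the use of the ExchangeOnlineManagement module are assumptions.

```powershell
# Added example. Assumes the ExchangeOnlineManagement module is installed.
# admin@example.com and servicedesk.user@example.com are placeholders.
# Some tenants must run Enable-OrganizationCustomization once before custom roles work.
Connect-ExchangeOnline -UserPrincipalName 'admin@example.com'

# 1. Child role "ActiveSync" under "Organization Client Access".
#    A child role starts with every entry of its parent, so trim it down.
New-ManagementRole -Name 'ActiveSync' -Parent 'Organization Client Access'

# Assumed keep-list: enough to review devices and act on quarantined ones.
$keepCmdlets = 'Get-MobileDevice', 'Get-MobileDeviceStatistics',
               'Get-CASMailbox', 'Set-CASMailbox'
Get-ManagementRoleEntry 'ActiveSync\*' |
    Where-Object { $_.Name -notin $keepCmdlets } |
    ForEach-Object {
        Remove-ManagementRoleEntry "ActiveSync\$($_.Name)" -Confirm:$false
    }

# 2. Child role "ActiveSyncMailboxManagement" under "Mail Recipients",
#    reduced to Set-CASMailbox only.
New-ManagementRole -Name 'ActiveSyncMailboxManagement' -Parent 'Mail Recipients'
Get-ManagementRoleEntry 'ActiveSyncMailboxManagement\*' |
    Where-Object { $_.Name -ne 'Set-CASMailbox' } |
    ForEach-Object {
        Remove-ManagementRoleEntry "ActiveSyncMailboxManagement\$($_.Name)" -Confirm:$false
    }

# Strip every Set-CASMailbox parameter except the ActiveSync on/off switch,
# so the role cannot be used to change other mailbox protocol settings.
$keepParams = 'Identity', 'ActiveSyncEnabled', 'Confirm', 'WhatIf', 'ErrorAction'
$entryId    = 'ActiveSyncMailboxManagement\Set-CASMailbox'
$remove     = (Get-ManagementRoleEntry $entryId).Parameters |
              Where-Object { $_ -notin $keepParams }
Set-ManagementRoleEntry $entryId -Parameters $remove -RemoveParameter

# 3. Role group holding both roles (the post's suggested name).
New-RoleGroup -Name 'B-FortyOne' `
    -Roles 'ActiveSync', 'ActiveSyncMailboxManagement' `
    -Members 'servicedesk.user@example.com'

# 4. Verify what the Service Desk can actually run before handing it over.
foreach ($role in 'ActiveSync', 'ActiveSyncMailboxManagement') {
    Get-ManagementRoleEntry "$role\*" | Format-List Role, Name, Parameters
}
```

Re-run step 4 after any later change to the roles; an entry or parameter that appears there and is not on the keep-lists is privilege the Service Desk should not hold.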