The management scope provides a way to efficiently manage access, policies, and compliance for the subscriptions associated with the group. Settings at this level apply to subscriptions within the group. The name of the management scope you create will be the name you use when you apply access and policies to the scope.

The first step in creating a new management scope is to get the recipient restriction filter, which is a unique string that sets up the mail-enabled security group for applying permissions and scope.

  1. In PowerShell, enter: Get-DistributionGroup -Identity "<mail-enabled security group email>" | Select-Object -ExpandProperty DistinguishedName

    • Identity is the mail-enabled security group email for the tenant.

  2. To create the new management scope, enter: New-ManagementScope -Name <String> -RecipientRestrictionFilter "MemberOfGroup -eq '<RecipientRestrictionFilter>'"

    • Name is a name you assign to the scope that you'll use when granting access and policies to the scope.

    • RecipientRestrictionFilter is the result from Step 1.
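
The two steps above combined into one script, with checks added before and after the scope is created. This is an added example, not part of the original procedure; it assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline), and the group email and scope name are placeholder values.

```powershell
# Added example. Run inside an Exchange Online PowerShell session.
$ErrorActionPreference = 'Stop'
$GroupEmail = 'emm-scope-group@yourdomain.onmicrosoft.com'   # placeholder value
$ScopeName  = 'EMM-Mailbox-Scope'                            # placeholder value

# Step 1: resolve the group and confirm it is a mail-enabled security group,
# so the scope is not tied to an ordinary distribution list by mistake.
$group = Get-DistributionGroup -Identity $GroupEmail
if ($group.RecipientTypeDetails -ne 'MailUniversalSecurityGroup') {
    throw "$GroupEmail is '$($group.RecipientTypeDetails)', not a mail-enabled security group."
}

# Build the filter from the DistinguishedName. Single quotes inside the DN
# are doubled so the value cannot end the quoted filter string early.
$dn     = $group.DistinguishedName -replace "'", "''"
$filter = "MemberOfGroup -eq '$dn'"

# Preview which recipients the filter matches before the scope exists.
$preview = @(Get-Recipient -RecipientPreviewFilter $filter -ResultSize Unlimited)
Write-Host "Filter matches $($preview.Count) recipient(s):"
$preview | Select-Object Name, PrimarySmtpAddress, RecipientTypeDetails

# Step 2: create the scope, refusing to continue if the name is already taken.
if (Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue) {
    throw "A management scope named '$ScopeName' already exists."
}
New-ManagementScope -Name $ScopeName -RecipientRestrictionFilter $filter | Out-Null

# Read the scope back to review the filter that was actually stored.
Get-ManagementScope -Identity $ScopeName |
    Select-Object Name, RecipientFilter, ScopeRestrictionType
```

Review the previewed recipient list before assigning roles: every mailbox it shows falls inside the scope, and anyone later added to the group is included automatically.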

An example RecipientRestrictionFilter would be:

"MemberOfGroup -eq 'CN=CloudEmmDaemon20231103203950,OU=yourdomain.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=NAMPR19A005,DC=CUSTOM,DC=OUTLOOK,DC=COM'"

The next step is to Assign management roles.