Exchange Multi-Mailbox Search – Segregation of duties


The security or legal team needs access to search corporate mailboxes for keywords in order to investigate a security or legal incident.

Giving that person the ability to view and access other mailboxes without proper auditing is something most organizations fear to do, even if that person is trusted and senior.

Microsoft Exchange, starting (I believe) from Exchange 2010, comes with a new feature called Multi-Mailbox Search. The problem with giving one person the ability to search corporate mailboxes, however, remains the same.

How Multi Mailbox Search works

I will not go through the details of how this feature works, as you can read about it on TechNet. Instead I will highlight a couple of points:

Exchange 2010 introduces the Discovery Management role and the Discovery Search Mailbox. By default no users are members of this role, and the user account associated with the Discovery Search Mailbox is disabled, so it cannot receive e-mail.

  • You start by granting a domain user “John” the role of Discovery Management in Exchange by running:

Add-RoleGroupMember -Identity "Discovery Management" -Member John

  • Then John can go to his Outlook Web App > Exchange Control Panel, where he will have access to the Reporting section under My Organization.

(Screenshot: Multi Mailbox Search)

  • From there John can specify search criteria as shown below.

(Screenshot: Multi Mailbox Search 2)

  • The results of the search are sent to the built-in system mailbox called Discovery Search Mailbox.

John is automatically granted access to that Discovery Search Mailbox, where he can view the results. This is because the Discovery Search Mailbox is configured by default with the contoso\Discovery Management group having Full Mailbox Access, and John is added automatically to that group once he is granted the “Discovery Management” Exchange role.

Note: The problem with this approach is that John can perform any search or mailbox discovery on corporate mailboxes without proper control or auditing, which is a serious concern.


The solution is simply a segregation of duties, where one person performs the search and another person gets access to view the results.

In this scenario, John can only go to his OWA and perform the multi-mailbox search with any criteria he wants, and the results are sent to the Discovery Search Mailbox. John should not have access to that system mailbox, and thus cannot view the results of his own search.

Now, Sue is another security administrator. She is granted full mailbox access to the Discovery Search Mailbox, so she can see the results of the multi-mailbox search performed by John. This means that one person can run the search but cannot view the results, while the other person can view the results but cannot run the search. In other words, two different people must act in order to perform such a multi-mailbox search on corporate mailboxes.

How to do it:

  • For John, add him to the “Discovery Management” Exchange role:

Add-RoleGroupMember -Identity "Discovery Management" -Member John

  • For Sue, go to the Exchange Management Console, search for “Discovery Search Mailbox”, right-click it, click “Manage Full Access Permission” and do the following:
    • Remove CONTOSO\Discovery Management
    • Add CONTOSO\Sue

(Screenshot: Multi Mailbox Search 3)

  • Ask John to perform the multi-mailbox search from his OWA.
  • Once done, the results are sent to the “Discovery Search Mailbox”. John cannot view it: although he is a member of the Discovery Management role, we removed the full mailbox access that the AD security group “Discovery Management” had on that mailbox.
  • Now John will call Sue and ask her to access that discovery mailbox by typing:

Note: you need the SMTP address of the discovery mailbox. You can find it by searching for the “Discovery Search Mailbox” in the Exchange Management Console and viewing the SMTP address from there.

(Screenshot: Multi Mailbox Search 5)
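The same segregation-of-duties setup, done entirely in the Exchange Management Shell instead of the Exchange Management Console, with a check at the end that the mailbox permissions ended up as intended. This is an added example, not code from the original post; it assumes the domain CONTOSO, the users John (searcher) and Sue (reviewer), and that the organization has the single default discovery mailbox.

```powershell
# Added example (not from the original post). Assumed names: domain CONTOSO,
# John = the person who runs searches, Sue = the person who reads results.
# Run in the Exchange Management Shell as an Exchange organization administrator.

$searcher  = 'CONTOSO\John'
$reviewer  = 'CONTOSO\Sue'
$roleGroup = 'Discovery Management'

# 1. John gets the Discovery Management role, which lets him run
#    Multi-Mailbox Search from OWA / Exchange Control Panel.
Add-RoleGroupMember -Identity $roleGroup -Member $searcher

# 2. Locate the built-in Discovery Search Mailbox. Its primary SMTP address is
#    what Sue types into OWA to open the mailbox (see the note above).
#    Assumption: only the default discovery mailbox exists, so -First 1 is safe.
$dm = Get-Mailbox -RecipientTypeDetails DiscoveryMailbox | Select-Object -First 1
Write-Host "Discovery mailbox SMTP address: $($dm.PrimarySmtpAddress)"

# 3. Take Full Access away from the Discovery Management group. John stays a
#    member of the role (he can still search) but can no longer read results.
Remove-MailboxPermission -Identity $dm.Identity -User "CONTOSO\$roleGroup" `
    -AccessRights FullAccess -InheritanceType All -Confirm:$false

# 4. Grant Full Access to Sue only. She can read results but, not being a
#    member of Discovery Management, cannot run a search herself.
Add-MailboxPermission -Identity $dm.Identity -User $reviewer `
    -AccessRights FullAccess -InheritanceType All

# 5. Verify: list the explicit (non-inherited, non-deny) Full Access entries.
#    Sue must be present and the Discovery Management group must be gone.
$acl = Get-MailboxPermission -Identity $dm.Identity |
    Where-Object { $_.AccessRights -contains 'FullAccess' -and
                   -not $_.IsInherited -and -not $_.Deny }
$acl | Format-Table User, AccessRights -AutoSize

$users = @($acl | ForEach-Object { $_.User.ToString() })
if ($users -contains "CONTOSO\$roleGroup") {
    Write-Warning "$roleGroup still has Full Access: John could read his own results."
}
if ($users -notcontains $reviewer) {
    Write-Warning "$reviewer does not have Full Access: nobody can read the results."
}
```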

One comment on “Exchange Multi-Mailbox Search – Segregation of duties”

  1. Good day! I could have sworn I’ve been to this site before but after reading through some of the post I realized it’s new to me. Anyways, I’m definitely happy I found it and I’ll be bookmarking and checking back often!
