If you new to Modern Public Folders, here is a good article to get you started:
In this article, we will focus on Modern Public Folders in a multi-tenant environment. We will be going through how to achieve multi-tenancy with Microsoft Exchange 2013 / 2016.
It is important to note, there are numerous methods for setting up Public Folder in a multi tenant environment.
In the example below we have:
- One root Public Folder per tenant/company
- One Public Folder Mailbox per tenant/company
- One security group to represent all users from each tenant/company
- Access based enumeration to each tenant/company can only see their root level Public Folder.
When we are talking about Hierarchy, we are not talking about Public Folder content, only the folder structure which makes up the Public Folders.
First thing we need to create is a master Public Folder Hierarchy mailbox. In a multi-tenant environment I generally recommend no content be placed in the master Public Folder Hierarchy mailbox and it only be used to maintain the writeable copy of the Public Folder Hierarchy.
As the first Public Folder mailbox created is always the Master Hierarchy, simply use the New-Mailbox command to create the mailbox. I always recommend clearly naming this mailbox so it is easily identifiable as the Public Folder Mailbox Hierarchy mailbox. This was done by giving it the name of "MasterHierarchy".
Next create a Public Folder mailbox for each tenant/company. The intent here is all content for each company will be stored in their respective public folder mailbox. In this example we will be using my company Avantgarde Technologies as an example tenant. I'm using the naming convention CompanyPF for each respective Public Folder mailbox.
Next create a new Public Folder at the root "\" of the Hierarchy. Make sure you specify the Public Folder mailbox you want to store the Public Folder in or by default Exchange will automatically pick any Public Folder mailbox which could be the Master Hierarchy mailbox or another tenants mailbox.
The name of the Public Folder specified below is the name the tenant will see in Outlook.
By default, all root public folders can be seen by all tenants. To ensure no tenants can see the "Avantgarde Technologies" root level Public Folder, remove the Default user Access Rights as shown in the screenshot below. This will ensure no one can see this Public Folder.
Lastly, ensure you have a Security Group containing all users from the tenant/company. Grant the group access to the root level Public Folder - I recommend Owner or PublishingEditor rights or refer to the following TechNet article about other Public Folder permissions you can grant here.
Only users of the "Avantgarde Users" security group will be able to see the root Public Folder Avantgarde Technologies and all other Tenants in the environment will be hidden to the Avantgarde Technologies employees.
To add additional tenants to the environment, repeat the process documented above. Make sure you ensure that:
- All root level public folders have the default user permissions removed straight away to protect privacy of each tenant on your Exchange environment.
- When creating the root level public folders in PowerShell you manually specify the correct Public Folder mailbox or Exchange will pick one at random.
- Consider using provisioning scripts to remove user error and protect yourself against privacy breaches.
One last thing I want to touch on is the "-DefaultPublicFolderMailbox" of the Set-Mailbox command. Many people when they initially go about setting up Public Folders for multi-tenant Exchange they think about creating a public folder mailbox for each tenant then using "-DefaultPublicFolderMailbox" for all user mailboxes of each tenant. Before writing this article I googled around to see if there was already an article similar, and saw people were attempting this incorrect method of deployment. The reason this approach will not work is as mentioned earlier, all Public Folder Mailboxes have a "read only" copy of the entire Public Folder Hierarchy (meaning all Public Folders in the Exchange Organisation). This means "yes they do have the Public Folder structure of other tenants/companies in the environment". We want to ensure tenants only see public folders related to their company by locking down permissions to meet privacy reasons.
I hope this article has been informative for you and I would like to thankyou for reading.
Click here for IT Support in Perth with Microsoft Exchange