PIN can be reset on a Unified Messaging (UM)-enabled mailbox for a user outside a scoped OU

Applies to: Exchange Server 2016 Enterprise Edition, Exchange Server 2016 Standard Edition


In a Microsoft Exchange Server 2016 environment, consider the following scenario:

  • You create a Role Based Access Control (RBAC) management role by adding certain management role entries that are based on the Unified Messaging (UM) Mailboxes role, such as the Set-UMMailboxPIN cmdlet.
  • You create a management scope by using a recipient restriction filter, and you specify a particular organizational unit (OU) in the filter.

  • You create a management role group that has this management role and management scope assigned.

In this scenario, when admin members in the management role group run the Set-UMMailboxPIN cmdlet, they can reset the PINs on the UM-enabled mailboxes for users who are outside the scoped OU.
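
The scenario above as Exchange Management Shell commands, followed by an admin audit log check for PIN resets whose target sits outside the scoped OU. This is an added example, not Microsoft's code; the OU contoso.com/Sales, the role, scope and group names, the member helpdesk1, and the helper Get-OutOfScopePinReset are hypothetical.

```powershell
# Added example. Every name below is a hypothetical placeholder.
$ScopedOU = 'contoso.com/Sales'

# 1. Custom role based on "UM Mailboxes", trimmed to the PIN cmdlet only.
New-ManagementRole -Name 'Sales UM PIN Reset' -Parent 'UM Mailboxes'
Get-ManagementRoleEntry 'Sales UM PIN Reset\*' |
    Where-Object { $_.Name -ne 'Set-UMMailboxPIN' } |
    Remove-ManagementRoleEntry -Confirm:$false

# 2. Management scope: recipient restriction filter rooted at one OU.
New-ManagementScope -Name 'Sales Mailboxes' -RecipientRoot $ScopedOU `
    -RecipientRestrictionFilter "RecipientType -eq 'UserMailbox'"

# 3. Role group that ties the role to the scope.
New-RoleGroup -Name 'Sales PIN Admins' -Roles 'Sales UM PIN Reset' `
    -CustomRecipientWriteScope 'Sales Mailboxes' -Members 'helpdesk1'

# Audit: list logged Set-UMMailboxPIN runs whose target is not in the scoped OU
# or one of its child OUs. The OU is the target's current OU, so a mailbox
# moved after the reset can show up here or be missed.
function Get-OutOfScopePinReset {
    param(
        [Parameter(Mandatory)] [string]   $ScopedOU,
        [Parameter(Mandatory)] [datetime] $Since
    )
    Search-AdminAuditLog -Cmdlets Set-UMMailboxPIN -StartDate $Since -ResultSize 5000 |
        ForEach-Object {
            $target = Get-Recipient -Identity $_.ObjectModified -ErrorAction SilentlyContinue
            if ($target -and
                $target.OrganizationalUnit -ne $ScopedOU -and
                $target.OrganizationalUnit -notlike "$ScopedOU/*") {
                [pscustomobject]@{
                    RunDate  = $_.RunDate
                    Caller   = $_.Caller
                    Target   = $_.ObjectModified
                    TargetOU = $target.OrganizationalUnit
                }
            }
        }
}

Get-OutOfScopePinReset -ScopedOU $ScopedOU -Since (Get-Date).AddDays(-90) |
    Sort-Object RunDate | Format-Table -AutoSize
```

The output includes resets by any administrator, so compare the Caller column against the members of the scoped role group to separate out-of-scope resets from those made by administrators who legitimately hold a wider scope.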


This issue occurs because the recipient restriction filter isn't handled correctly when the cmdlet runs.


To fix this issue, install Cumulative Update 9 for Exchange Server 2016 or a later cumulative update for Exchange Server 2016.


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

