Exchange Team Blog

Troubleshooting RBAC configuration issues in Exchange Online

Jan 31, 2022

In Exchange Online, the set of tasks that an administrator can perform depends on the permissions that are granted to an administrator using Role Based Access Control (RBAC). For example, a management role called Mail Recipients defines the tasks that someone can perform on a set of user mailboxes, mail users, contacts, and distribution groups. When a management role is assigned to an administrator or user, that person is granted permissions provided by the management role.

Sometimes you might encounter issues where an administrator is not able to perform some tasks even though the required roles appear to be assigned. That might not actually be the case: a misconfigured or custom RBAC setup is often the culprit. This blog post is here to help you troubleshoot such problems by walking through common RBAC misconfiguration issues.

Automated RBAC diagnostic checks

To help troubleshoot RBAC issues faster, we have now released two automated self-serve diagnostic checks that you can use when troubleshooting Exchange Online RBAC issues for your users. You can launch a diagnostic as an administrator either by following the direct link below or by going to Help & Support in the Microsoft 365 admin center and searching for the corresponding phrase:

Diagnostic: Compare Exchange Online RBAC roles of two users (working and not working).
    Direct link: Run Tests
    In Help & Support, search for: EXO RBAC compare users

Diagnostic: Check if a user has Exchange Online RBAC rights to run a specific cmdlet and parameter.
    Direct link: Run Tests
    In Help & Support, search for: EXO RBAC test user

Most frequent RBAC configuration issues
Here are some issues that admins may encounter due to RBAC misconfiguration, along with troubleshooting steps.
Can’t enable litigation hold on mailboxes via PowerShell or modern EAC (Exchange admin center)
In this scenario, the option to enable litigation hold is not available for an admin, and an error occurs when trying to enable litigation hold using PowerShell.

PowerShell Error:

Set-Mailbox xxx@contoso.com -LitigationHoldEnabled $true -LitigationHoldDuration 1425 -RetainDeletedItemsFor 30
A parameter cannot be found that matches parameter name 'LitigationHoldEnabled'.
+ CategoryInfo : InvalidArgument: (:) [Set-Mailbox], ParameterBindingException
+ FullyQualifiedErrorId : NamedParameterNotFound,Set-Mailbox
+ PSComputerName : outlook.office365.com

First, we need to determine the roles required to run Set-Mailbox with the LitigationHoldEnabled parameter:

What this tells us is that a user must hold at least one of the three roles listed above to perform this task.

Now let’s check the Role Assignments for these roles:

The figure above shows the expected output. Unless you have custom RBAC configured or have customized the default Exchange management role groups, the value to pay attention to is RoleAssignmentDelegationType, which is either Regular or DelegatingOrgWide.

The above example shows that the Retention Management role assignment is a regular role assignment. A regular role assignment allows the members of the Compliance Management, Records Management and Organization Management role groups (the role assignees) to access the management role entries, that is, the cmdlets and cmdlet parameters associated with the Retention Management role.

Similarly, we can run the command for the remaining two roles to determine where the problem lies, and then give the affected role group a Regular role assignment to fix it.

In this case, the problem was caused by a misconfiguration of the Organization Management role group for the Legal Hold role (the Regular role assignment was missing for Organization Management). You can see the difference between the working and non-working scenarios below.

The solution was to add the regular role assignment (Legal Hold) back to the Organization Management role group using the Exchange admin center.

Unable to convert user mailbox to shared mailbox or vice versa using PowerShell or modern EAC
In this scenario, the option to convert a user mailbox to a shared mailbox is not available for an admin, and an error occurs when trying to convert the mailbox using PowerShell.

PowerShell Error:

Set-Mailbox xxx@contoso.com -Type Shared
A parameter cannot be found that matches parameter name 'Type'.
+ CategoryInfo : InvalidArgument: (:) [Set-Mailbox], ParameterBindingException
+ FullyQualifiedErrorId : NamedParameterNotFound,Set-Mailbox
+ PSComputerName : outlook.office365.com

In this case, the Mail Recipients role is missing a role assignment with RoleAssignmentDelegationType Regular:

An admin can take the same approach used for the first issue to fix this one as well.
Unable to create connectors using PowerShell or modern EAC
In this scenario, the option to create connectors is not available for an admin, and an error occurs when trying to create a connector using PowerShell.

PowerShell Error:

System.Management.Automation.CommandNotFoundException: The term 'New-InboundConnector' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

In this scenario, the Remote and Accepted Domains role is missing a role assignment with RoleAssignmentDelegationType Regular:

An admin can take the same approach used for the first issue to fix this one as well.
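The three scenarios above all follow the same procedure: find the management roles that expose the cmdlet (and parameter), list each role's assignments, and look for the role group that is missing a Regular assignment. The script below is an added example, not code from the original post, that automates those steps for any cmdlet/parameter pair. It assumes the ExchangeOnlineManagement module is installed and a session is already open (Connect-ExchangeOnline); the function name Test-ExoRbacParameter and the -Fix switch are this example's own.

```powershell
# Added example (not from the original post). Assumes an open Exchange Online session.
function Test-ExoRbacParameter {
    param(
        [Parameter(Mandatory)] [string] $Cmdlet,           # e.g. Set-Mailbox
        [string] $Parameter,                               # e.g. LitigationHoldEnabled (optional)
        [string] $RoleGroup = 'Organization Management',   # role group that should hold a Regular assignment
        [switch] $Fix                                      # re-add a missing Regular assignment
    )

    # Step 1: which management roles contain a role entry for this cmdlet (and parameter)?
    $entryParams = @{ Identity = "*\$Cmdlet" }
    if ($Parameter) { $entryParams['Parameters'] = $Parameter }
    $roles = Get-ManagementRoleEntry @entryParams | Select-Object -ExpandProperty Role -Unique
    if (-not $roles) {
        Write-Warning "No management role grants $Cmdlet $Parameter"
        return
    }
    Write-Verbose "Roles granting ${Cmdlet} ${Parameter}: $($roles -join ', ')"

    # Step 2: for each role, keep only assignments whose RoleAssignmentDelegationType is
    # Regular (DelegatingOrgWide assignments let you manage the role but not use its cmdlets),
    # then check whether the role group of interest is among the assignees.
    foreach ($role in $roles) {
        $assignees = Get-ManagementRoleAssignment -Role $role |
            Where-Object { $_.RoleAssignmentDelegationType -eq 'Regular' } |
            Select-Object -ExpandProperty RoleAssigneeName -Unique
        $hasRegular = $assignees -contains $RoleGroup

        [pscustomobject]@{
            Role                = $role
            RegularAssignees    = ($assignees -join ', ')
            RoleGroupHasRegular = $hasRegular
        }

        # Step 3: optionally restore the missing Regular assignment (the fix the post applied
        # for Legal Hold / Organization Management through the Exchange admin center).
        if ($Fix -and -not $hasRegular) {
            New-ManagementRoleAssignment -Role $role -SecurityGroup $RoleGroup
        }
    }
}

# The three scenarios from the post, run read-only (add -Fix to repair the role group):
Test-ExoRbacParameter -Cmdlet Set-Mailbox -Parameter LitigationHoldEnabled
Test-ExoRbacParameter -Cmdlet Set-Mailbox -Parameter Type
Test-ExoRbacParameter -Cmdlet New-InboundConnector
```

A role whose RoleGroupHasRegular column reads False for the role group the affected admin belongs to is the one to fix; only one of the listed roles needs a Regular assignment for the cmdlet to become available.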

For more information about Role Assignments, see Understanding management role assignments.

We hope you find this information helpful when troubleshooting problems caused by RBAC misconfiguration.

Hitesh Sharma
Exchange Online Support Engineer

Updated Jul 06, 2023
Version 4.0
  • Test-RRR
    Brass Contributor

    I wonder if the fourth screenshot is wrong. According to the text there shouldn't be an entry with "regular" for "Organization Management", but there is one.

    In the following right/wrong screenshot (I suppose the first is the right and the second the wrong), in the second part we have no entry with "regular" for "Organization Management", so I think the second part of the screenshot with only two entries should be the screenshot above.

  • Test-RRR Thanks for taking the time to read through the blog and sharing your input.

    All four screenshots above are from the ideal/working scenario and thus show a "Regular" entry; for the working/non-working comparison we have combined both into a single screenshot, where one role is missing the entry with RoleAssignmentDelegationType "Regular". Hope this clears up the confusion!