Steve Hernou
Iron Contributor
Jul 16, 2021

Parts of Exchange Admin Center are not accessible when using Azure AD group based role assignment

Hi

We're trying out the Azure AD role assignable groups (preview) to facilitate onboarding new IT staff but I noticed some strange behaviour.

When assigning the Exchange Admin role to accounts via Azure AD role assignable group, certain portions of the Exchange Admin Center give an error 500 (Public Folders, the right portion of the GUI where you can change settings) and some give error '403 access denied' (Rules + Public Folder Mailboxes).

The Azure AD group becomes a member of the Exchange Admin Role 'group', which in turn is a member of the Exchange Online Organization Management role group. I'm thinking maybe something with nesting of groups, but not sure why most of the ECP then works except those 3 things (that I have found so far).

If I add my account individually to the Org.Mgt. role group in Exchange Online, I again have full access but that beats the point of using Azure AD role assignable groups of course 🙂

So not sure if it's a bug or something that needs fixing. 

  • IIRC, groups are only supported in the new EAC. Have you tried that, or is that where you're seeing the issues? Incidentally, the UI bits you mentioned above are all 'borrowing' the 'classic' EAC controls, so it might just be that.
    • Steve Hernou
      Iron Contributor
      Hi Vasil, sorry for the delayed response. Was on holiday 🙂
      I am seeing the issues in the new EAC; the classic one isn't even accessible when using groups, you get error 403 when going to the classic EAC URL.
      It will most likely indeed be because those parts of EAC still surface the classic interface... I hope someone from the product group is reading this so this gets (is being?) worked on.
    • Steve Hernou
      Iron Contributor
      Emma313
      Thanks for finding this useful bit of info 🙂 I hope they fix this inconsistency soon.
  • aliat_IMANAMI
    Brass Contributor

    Steve Hernou 

    It's more like a compatibility issue between the old and new Exchange admin center with that permission set. Some of the settings have been moved to new places and that could be it.

    A quick workaround could be to switch it back to the classic admin center, and it will start working. If it still doesn't, then you have to open a ticket with MS internally to get this sorted.
    Here is an example of new and old admin center