Forum Discussion

rodoj's avatar
rodoj
Copper Contributor
Oct 05, 2020
Solved

Exchange online Admin Console (EAC) not accessible (403) with Exchange Admin permission

Hi Everyone, We are currently reordering our permission structure and want to use security groups to manage our roles. So we created a few security groups in Azure and assigned the necessary roles t...
admin
exchange online
  • rodoj's avatar
    rodoj
    Oct 06, 2020

    I think you still misunderstanding me. Yes, we are using sec groups to collect the people who are using more than one Azure ad role and we assign the Azure roles to the group, and then the members will inherit the roles. So, I know that the EAC do not recognize the sec groups memberships, it's a fact, but we are using roles, to give permission for the resource, not groups. 

    As you can see on the picture, the account has the Exchange administrator role, and this should recognize by the EAC. We are using https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/roles-groups-concept to manage the roles.

     

    And now, I have to say thank you for your comments! 😄 Because I have read again the site that I put in this comment as link, and I found the solution in the "Known issues" section:

      

    So, thank you for the help! 😄 

VasilMichev's avatar
VasilMichev
MVP
Oct 06, 2020

Exchange doesnt recognize Azure security groups, which probably explains what you are seeing. Well it does, but it's a mixed bag, and I think the official answer is still "unsupported". Try using mail-enabled security groups instead.

rodoj's avatar
rodoj
Copper Contributor
Oct 06, 2020

Hello VasilMichev,

Thank you for your answer. 

Maybe I described wrong what we want to set. We are utilizing Azure security groups and assign the Azure roles to the groups, thus the members of the groups will get the Azure roles. I know that is a preview feature, but it's working. I've checked and the admins have the appropriate roles in Azure Active Directory that the group provides for them. The exchange does recognize the Azure roles, and we have set the Exchange administrator roles the affected admins and that's the problem because they have no permission to open the EAC with the Exchange administrator role.

  • VasilMichev's avatar
    VasilMichev
    MVP
    Oct 06, 2020

    Or in other words EAC does not recognize the assignment via security groups 🙂 You can open a support case to get an official answer.

    • rodoj's avatar
      rodoj
      Copper Contributor
      Oct 06, 2020

      I think you still misunderstanding me. Yes, we are using sec groups to collect the people who are using more than one Azure ad role and we assign the Azure roles to the group, and then the members will inherit the roles. So, I know that the EAC do not recognize the sec groups memberships, it's a fact, but we are using roles, to give permission for the resource, not groups. 

      As you can see on the picture, the account has the Exchange administrator role, and this should recognize by the EAC. We are using https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/roles-groups-concept to manage the roles.

       

      And now, I have to say thank you for your comments! 😄 Because I have read again the site that I put in this comment as link, and I found the solution in the "Known issues" section:

        

      So, thank you for the help! 😄 

Resources