Forum Discussion
Exchange Online RBAC permissions for TenantAdmins not working as expected
I've come across similar permission issues before but I'll use the latest example. In a M365 tenant I wanted to import a PST file. When I went to the Compliance > Information Governance > Import tab ...
The Compliance center uses a different set of roles/role groups than what you see in Exchange, their membership is not matched. Use the relevant controls in the Compliance Center UI, not the Exchange admin center ones.
I don't think that's accurate. In this case the fix was to assign the global admin user to the Organization Management rolegroup in EAC. It was the Mailbox Import Export role that was needed, which is an Exchange role. I didn't have to do anything with Compliance permissions to make it work.
The root of my question really comes down to permission inheritance. If a user is assigned to a rolegroup, in this case TenantAdmins (or more specifically TenantAdmins_-1382031418 for this tenant), and TenantAdmins belongs to another rolegroup such as Organization Management, should the user inherit all of the permissions of the Organization Management rolegroup?
The root of my question really comes down to permission inheritance. If a user is assigned to a rolegroup, in this case TenantAdmins (or more specifically TenantAdmins_-1382031418 for this tenant), and TenantAdmins belongs to another rolegroup such as Organization Management, should the user inherit all of the permissions of the Organization Management rolegroup?