cjonesdnb
Copper Contributor
Jan 31, 2020

Unable to Access policies in Security and Compliance

I'll try to summarize our issue as best I can, but will admit it may require more info than I am providing. Hopefully, based on the issue, there's enough to provide suggestions on where we should focus our efforts to troubleshoot further.

I'm currently troubleshooting an issue while assigned the Security Administrator role through Azure Privileged Identity Management. When accessing the Security and Compliance portal, it appears we can perform all necessary functions except modify / view any of the policies. The policy tab is visible under Threat Management, but viewing any policy produces an error message, and each error is pretty similar.

For example, Anti-malware policy error:

The requested search root 'NAMPR12A003.PROD.OUTLOOK.COM/ConfigurationUnits/xyz365.onmicrosoft.com/Configuration/Transport Settings/Rules/MalwareFilterVersioned' is not within the scope of this operation. Cannot perform searches outside the scope 'namprd12.prod.outlook.com/Configuration/Services/Microsoft Exchange/ExchangeLabs'.

We have a hybrid enterprise deployment and we utilize on-prem accounts that authenticate through SSO. Our Exchange and Cloud Services team are limited in identifying root cause. The role assignment through Azure "should" have necessary permissions as stated:
https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles#available-roles

This still reads like a permissions issue, and we were going to try requesting to be added to Hygiene Management in Exchange, as we thought maybe we're missing necessary privileges in Exchange related to anti-malware / anti-spam. Any suggestions or recommendations are welcome to steer us in the right direction and are appreciated. Thanks in advance!

  • Thijs Lecomte
    Bronze Contributor
    I have seen this issue while I had my permission assigned through Privileged Identity Management. Is that the case?
      • Thijs Lecomte
        Bronze Contributor
        I have seen that you need to wait up to 45 minutes before PIM rights are propagated to Sec&Compl.

        Try waiting a while and logging out and back in.
