Forum Discussion
Explorer permission to download an email
Global Admin is allegedly not sufficient access to download an email. So I have a user asking for a copy of her email, and I'm telling her 'sorry, I don't have that permission, I'm only global admin'.
What?
The documentation basically forces you to use the new terrible 'role group' system. I see various 'roles' that you need to add to a 'role group' in order to do this. Some mention Preview, some mention Security Administrator, some mention Security Operator. I've asked Copilot 100 different times, and he keeps giving me made-up roles. But then linking to the made-up role.
How is such a basic functionality broken? It makes 0 sense. I don't want to submit this email - it's not malware or anything. I just want to download the **bleep** thing, and I don't want to have to go through the whole poorview process. This is really basic stuff. I can do this on about 10% of my GA accounts. There's no difference in the permissions - it just seems inconsistent.
6 Replies
This behavior is frustrating, but it’s not random and it’s not a bug.
Global Administrator does not automatically grant content access inside the Microsoft 365 security and compliance workloads. It gives you tenant-wide administrative control, but it does not implicitly grant data access rights for mailbox content. That separation is intentional and tied to Microsoft’s least-privilege and data-boundary model.
Downloading an email from Explorer (Defender portal or Purview) is considered content access, not configuration access. That means the required permissions come from Exchange Online / Purview RBAC, not just Entra ID directory roles.
That’s why:
– Some Global Admin accounts can download messages
– Others cannot
– There appears to be inconsistency
The difference is almost always due to Exchange RBAC role group membership, not Entra role assignment.
To download an email message without going through full eDiscovery workflow, the account needs one of the following:
– Membership in an Exchange role group that includes Mailbox Search or ApplicationImpersonation
– eDiscovery Manager (Standard)
– eDiscovery Administrator
– Compliance Administrator
– Or a custom role group that includes the necessary content search and preview/export roles
Global Admin alone is not sufficient because it does not automatically add you to the required Exchange or Purview role groups.
The reason this feels broken is because Microsoft split identity administration (Entra), security operations (Defender), and data access (Purview/Exchange) into separate RBAC systems. They do not automatically cascade.
If you want a clean solution without broad compliance access, create a custom role group in Purview with only:
– Content Search
– Preview
– Export
Then assign that group to the specific admins who need mailbox content retrieval capability.
That avoids giving full eDiscovery Administrator or Compliance Administrator access.
The inconsistency across your GA accounts likely means some of them were historically added to Exchange role groups (often Organization Management or Discovery Management) while others were not.
This is less about Defender and more about how Microsoft enforces data access separation from directory-level authority.
In short: Global Admin controls the tenant. It does not automatically grant permission to access user data. That boundary is by design, even if the UX makes it feel unnecessarily complex.
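A read-only way to find the role-group differences described in the reply above, as an added example that is not part of the original thread. The function name and default role list are illustrative, and role entries are assumed to end in the role's name.

```powershell
# Added example: list role groups that carry content-access roles, with their members.
# Assumes the ExchangeOnlineManagement module is installed and the caller can read role groups.
Import-Module ExchangeOnlineManagement

function Get-ContentAccessRoleGroup {
    param(
        # Role names to look for; the defaults are roles named in this thread.
        [string[]]$RoleName = @('Preview', 'Export', 'Mailbox Search')
    )
    foreach ($group in Get-RoleGroup) {
        # Role entries may be bare names or path-style identities; keep the last segment.
        $held = @($group.Roles | ForEach-Object { ("$_" -split '/')[-1] })
        $hits = @($held | Where-Object { $_ -in $RoleName })
        if ($hits.Count -eq 0) { continue }

        $members = @(Get-RoleGroupMember -Identity $group.Name |
            Select-Object -ExpandProperty Name)
        [pscustomobject]@{
            RoleGroup    = $group.Name
            MatchedRoles = $hits -join ', '
            Members      = $members -join ', '
        }
    }
}

# Purview / Defender role groups (Security & Compliance PowerShell).
Connect-IPPSSession
$purview = @(Get-ContentAccessRoleGroup)
Disconnect-ExchangeOnline -Confirm:$false   # avoids cmdlet name clashes between sessions

# Exchange Online role groups (e.g. Organization Management, Discovery Management).
Connect-ExchangeOnline
$exchange = @(Get-ContentAccessRoleGroup)
Disconnect-ExchangeOnline -Confirm:$false

$purview + $exchange | Sort-Object RoleGroup | Format-Table -AutoSize -Wrap
```

Comparing the Members column for an account that can download messages against one that cannot shows which role group accounts for the difference.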
- AladinH (Iron Contributor)
Just to clarify, there are actually two different things getting mixed together here, which is why it feels inconsistent.
- If you’re talking about downloading from the Defender email entity page, that’s controlled by Defender roles (Security Admin / Security Operator or a custom role group with Preview). Global Admin alone doesn’t always cover this.
- If you’re talking about actually exporting the email content, then Purview eDiscovery is the reliable way, which requires eDiscovery Manager or Compliance Administrator.
Global Admin doesn’t have default access to mailbox content by design, and the reason this works in some tenants and not others is usually legacy role assignments or older tenant setups.
- GuidoImpe (Brass Contributor)
Yes, I confirm the answer of GoXATAKAN: in the documentation at this link https://learn.microsoft.com/en-us/defender-office-365/mdo-email-entity-page#actions-on-the-email-entity-page you can find a role to "Preview" and "Download" message email.
Regards,
Guido
- Vinayak_S_K (Copper Contributor)
Hello underQualifried,
The Purview eDiscovery feature can help you resolve this issue.
You must have the eDiscovery Manager or Compliance Administrator role to access the eDiscovery tool. Once the required permissions are assigned, go to the Purview portal, open eDiscovery and create a new case.
After creating the case, go to the Search tab to create a new search. Add the data sources by selecting the user's UPN and choosing Mailbox only as the location, then save and close.
Next, use the condition builder to filter by subject line and run the query. Once the search completes, export the results. This will provide you with the user's email details.
- GoXATAKAN (Brass Contributor)
As I recall, Compliance Administrator role can "preview" and also "download email". Give it a try.
- AladinH (Iron Contributor)
Hi underQualifried,
Global Admin rights don’t grant access to download or export emails anymore. Microsoft separated admin and data access, so you now need specific Purview eDiscovery permissions. To do this, add yourself to the eDiscovery Manager role group (with Export, Preview, and Search and Purge roles) in the Compliance portal (Purview) - then you’ll be able to download the email.