Forum Discussion
Explorer permission to download an email
This behavior is frustrating, but it’s not random and it’s not a bug.
Global Administrator does not automatically grant content access inside the Microsoft 365 security and compliance workloads. It gives you tenant-wide administrative control, but it does not implicitly grant data access rights for mailbox content. That separation is intentional and tied to Microsoft’s least-privilege and data-boundary model.
Downloading an email from Explorer (Defender portal or Purview) is considered content access, not configuration access. That means the required permissions come from Exchange Online / Purview RBAC, not just Entra ID directory roles.
That’s why:
– Some Global Admin accounts can download messages
– Others cannot
– There appears to be inconsistency
The difference is almost always due to Exchange RBAC role group membership, not Entra role assignment.
To download an email message without going through the full eDiscovery workflow, the account needs one of the following:
– Membership in an Exchange role group that includes Mailbox Search or ApplicationImpersonation
– eDiscovery Manager (Standard)
– eDiscovery Administrator
– Compliance Administrator
– Or a custom role group that includes the necessary content search and preview/export roles
Global Admin alone is not sufficient because it does not automatically add you to the required Exchange or Purview role groups.
The reason this feels broken is that Microsoft split identity administration (Entra), security operations (Defender), and data access (Purview/Exchange) into separate RBAC systems. They do not automatically cascade.
If you want a clean solution without broad compliance access, create a custom role group in Purview with only:
– Content Search
– Preview
– Export
Then assign that group to the specific admins who need mailbox content retrieval capability.
That avoids giving full eDiscovery Administrator or Compliance Administrator access.
The inconsistency across your GA accounts likely means some of them were historically added to Exchange role groups (often Organization Management or Discovery Management) while others were not.
This is less about Defender and more about how Microsoft enforces data access separation from directory-level authority.
In short: Global Admin controls the tenant. It does not automatically grant permission to access user data. That boundary is by design, even if the UX makes it feel unnecessarily complex.
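The two checks the post describes, as an added worked example that is not part of the original post: first, auditing each Global Admin account's effective Exchange Online role assignments (and the membership of the Organization Management and Discovery Management role groups) to explain why some accounts can download and others cannot; second, creating the least-privilege Purview role group with only the search, preview and export roles and assigning it to a specific admin. It assumes the ExchangeOnlineManagement PowerShell module is installed and that the account running it holds Role Management rights; every UPN and the role group name "Mailbox Content Retrieval" are placeholders.

```powershell
# Added example, not code from the original post. Requires the ExchangeOnlineManagement
# module (Connect-ExchangeOnline / Connect-IPPSSession). All UPNs and the role group
# name are hypothetical placeholders.
Import-Module ExchangeOnlineManagement

# ---- Part 1: Exchange Online RBAC audit ------------------------------------
# Explains the "inconsistency": content access comes from Exchange role groups,
# not from the Entra Global Administrator role.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

$globalAdmins = @('ga1@contoso.example', 'ga2@contoso.example')   # constructed list
$contentRoles = @('Mailbox Search', 'ApplicationImpersonation')   # roles named in the post

foreach ($upn in $globalAdmins) {
    # Passing a user to -RoleAssignee returns direct assignments and those inherited
    # through role groups; AssignmentChain shows which group supplied each one
    # (assumption: the UPN resolves as a RoleAssignee identity).
    $assignments = Get-ManagementRoleAssignment -RoleAssignee $upn |
        Where-Object { $contentRoles -contains $_.Role }

    if ($assignments) {
        Write-Output "$upn CAN retrieve mailbox content via:"
        $assignments | Format-Table Role, RoleAssigneeName, AssignmentChain -AutoSize
    } else {
        Write-Output "$upn has no Exchange content-access role (GA alone does not grant one)"
    }
}

# The two legacy role groups the post names as the usual source of the difference.
foreach ($group in 'Organization Management', 'Discovery Management') {
    Write-Output "Members of ${group}:"
    Get-RoleGroupMember -Identity $group | Select-Object Name, RecipientType
}

Disconnect-ExchangeOnline -Confirm:$false

# ---- Part 2: least-privilege Purview role group -----------------------------
# Security & Compliance PowerShell, where Purview role groups live.
Connect-IPPSSession -UserPrincipalName admin@contoso.example

$roleGroupName = 'Mailbox Content Retrieval'   # hypothetical name
# The portal label "Content Search" corresponds to the role named "Compliance Search"
# in PowerShell; Preview and Export keep their names.
$roles = @('Compliance Search', 'Preview', 'Export')

# Create the group only if it does not already exist (Get-RoleGroup throws otherwise).
if (-not (Get-RoleGroup -Identity $roleGroupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $roleGroupName `
                  -Roles $roles `
                  -Description 'Search, preview and export mailbox content only; no case or hold management.'
}

# Grant the capability to one named admin instead of widening eDiscovery Administrator.
Add-RoleGroupMember -Identity $roleGroupName -Member 'ga2@contoso.example'

# Verify: exactly the three roles, and only the intended members.
(Get-RoleGroup -Identity $roleGroupName).Roles
Get-RoleGroupMember -Identity $roleGroupName | Select-Object Name

# Disconnect-ExchangeOnline also tears down the Security & Compliance session.
Disconnect-ExchangeOnline -Confirm:$false
```

Run Part 1 against every Global Admin account that behaves differently; an account whose only content-access roles arrive through Organization Management or Discovery Management is the historical membership the post describes. Part 2 deliberately omits Case Management, Hold and Review so the group cannot open or manage eDiscovery cases; if the account running it lacks Role Management in Purview, New-RoleGroup will fail rather than silently create an under-privileged group.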