Removing self from Global Administrator built-in role is not allowed
Hi - I am using Java APIs to assign "Security Administrator".
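The Java code looks like this:
```java
// Add directoryObject as a member of the Security Administrator directory role,
// addressing the role by its template ID.
final DirectoryObject dirObjectCreated = Objects.requireNonNull(graphClient
        .directoryRoles(ROLE_TEMPLATE_ID + "=" + SECURITY_ADMIN_TEMPLATE_ID)
        .members()
        .references())
        .buildRequest()
        .post(directoryObject);
```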
This works fine.
When I try to remove this "Security Administrator", I am getting the error:
Removing self from Global Administrator built-in role is not allowed.
I have tried the following URL:
Method: DELETE
URL: https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments/y-RKG-FULL-ID
We prevent users from deleting their own Global Administrator role to avoid a scenario where a tenant has zero Global Administrators. Removing other roles assigned to self is allowed.
```json
"roles": [
    "Mail.ReadWrite",
    "Domain.ReadWrite.All",
    "Group.Read.All",
    "Directory.Read.All",
    "User.Read.All",
    "Domain.Read.All",
    "RoleManagement.ReadWrite.Directory",
    "Application.Read.All"
]
```
Question: How can I remove "Security Administrator" role?
6 Replies
- Are you passing the correct ID? The error message above suggests that you are trying to remove the Global admin role, not Security admin one.
- nverma2023 (Copper Contributor)
Yes I am. I can assure you that I am passing the correct ID.
I think the error message is generic if you try to remove any admin (Security Admin or Office Administrator, etc.).
- Still, double-check things. I just tried to reproduce the issue, and I have no problem removing any additional roles assigned to the (only) Global admin. Only when trying to remove the GA role do I get the error above.
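
One way to run the ID check suggested in the replies before sending the DELETE, as an added example that is not code from the thread: it maps an assignment ID to the role it actually targets by comparing `roleDefinitionId` with the built-in role template IDs. The class, record and method names, the principal ID and the assignment IDs are constructed for illustration; in practice the list would come from `GET /roleManagement/directory/roleAssignments` filtered by `principalId`.

```java
import java.util.List;
import java.util.Optional;

public class RoleAssignmentCheck {
    // Built-in role template IDs (identical in every tenant). For built-in roles,
    // an assignment's roleDefinitionId equals the role's template ID.
    static final String GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10";
    static final String SECURITY_ADMIN = "194ae4cb-b126-40b2-bd5b-6091b380977d";

    // The unifiedRoleAssignment fields that matter for this check (hypothetical record).
    record Assignment(String id, String principalId, String roleDefinitionId, String directoryScopeId) {}

    enum Verdict { OK, NOT_FOUND, WRONG_ROLE, SELF_GLOBAL_ADMIN }

    // Classify a planned DELETE of assignmentId by callerId, who intends to remove intendedRole.
    static Verdict check(List<Assignment> all, String assignmentId, String callerId, String intendedRole) {
        Optional<Assignment> hit = all.stream().filter(a -> a.id().equals(assignmentId)).findFirst();
        if (hit.isEmpty()) return Verdict.NOT_FOUND;
        Assignment a = hit.get();
        // The caller's own Global Administrator assignment: the case the service rejects.
        if (a.roleDefinitionId().equals(GLOBAL_ADMIN) && a.principalId().equals(callerId))
            return Verdict.SELF_GLOBAL_ADMIN;
        return a.roleDefinitionId().equals(intendedRole) ? Verdict.OK : Verdict.WRONG_ROLE;
    }

    // Look up the assignment ID that does belong to the intended role for this principal.
    static Optional<String> findAssignmentId(List<Assignment> all, String principalId, String role) {
        return all.stream()
                .filter(a -> a.principalId().equals(principalId) && a.roleDefinitionId().equals(role))
                .map(Assignment::id)
                .findFirst();
    }

    public static void main(String[] args) {
        String me = "11111111-1111-1111-1111-111111111111";   // constructed principal ID
        List<Assignment> sample = List.of(                     // constructed sample assignments
                new Assignment("assignment-ga-example", me, GLOBAL_ADMIN, "/"),
                new Assignment("assignment-sa-example", me, SECURITY_ADMIN, "/"));

        System.out.println(check(sample, "assignment-ga-example", me, SECURITY_ADMIN));
        System.out.println(check(sample, "assignment-sa-example", me, SECURITY_ADMIN));
        findAssignmentId(sample, me, SECURITY_ADMIN).ifPresent(id -> System.out.println(
                "DELETE https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments/" + id));
    }
}
```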