Forum Discussion
nverma2023
Nov 13, 2023, Copper Contributor
Removing self from Global Administrator built-in role is not allowed
Hi - I am using Java APIs to assign "Security Administrator". The Java code looks like this.
final DirectoryObject dirObjectCreated = Objects.requireNonNull(graphClient
...
VasilMichev
Nov 13, 2023, MVP
Are you passing the correct ID? The error message above suggests that you are trying to remove the Global admin role, not Security admin one.
nverma2023
Nov 13, 2023, Copper Contributor
Yes I am. I can assure you that I am passing the correct ID.
I think the error message is generic if you try to remove any admin (Security Admin or Office Administrator etc.).
- VasilMichev, Nov 13, 2023, MVP
Still, double-check things. I just tried to reproduce the issue, and I have no problem removing any additional roles assigned to the (only) Global admin. Only when trying to remove the GA role do I get the error above.
- nverma2023, Nov 14, 2023, Copper Contributor
I fired these queries and changing the ID is resulting in the same error. Please see below.
GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments?$filter=principalId eq 'be2ca6a9-d999-4e94-9123-eac0946944f7'
Returns
    {
        "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#roleManagement/directory/roleAssignments",
        "value": [
            {
                "id": "y-RKGSaxskC9W2CRs4CXfammLL6Z2ZROkSPqwJRpRPc-1",
                "principalId": "be2ca6a9-d999-4e94-9123-eac0946944f7",
                "directoryScopeId": "/",
                "roleDefinitionId": "194ae4cb-b126-40b2-bd5b-6091b380977d"
            },
            {
                "id": "3ywjKSOT_UKt4h0JevPk3qmmLL6Z2ZROkSPqwJRpRPc-1",
                "principalId": "be2ca6a9-d999-4e94-9123-eac0946944f7",
                "directoryScopeId": "/",
                "roleDefinitionId": "29232cdf-9323-42fd-ade2-1d097af3e4de"
            }
        ]
    }
Then DELETE
https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments/y-RKGSaxskC9W2CRs4CXfammLL6Z2ZROkSPqwJRpRPc-1
returns
    {
        "error": {
            "code": "Request_BadRequest",
            "message": "Removing self from Global Administrator built-in role is not allowed.",
            "innerError": {
                "date": "2023-11-14T09:25:33",
                "request-id": "699aae4c-532d-408e-8f3e-d943c54f32d9",
                "client-request-id": "699aae4c-532d-408e-8f3e-d943c54f32d9"
            }
        }
    }
I know the ID of security admin is "y-RKGSaxskC9W2CRs4CXfammLL6Z2ZROkSPqwJRpRPc-1" but I have tried both "y-RKGSaxskC9W2CRs4CXfammLL6Z2ZROkSPqwJRpRPc-1" and "3ywjKSOT_UKt4h0JevPk3qmmLL6Z2ZROkSPqwJRpRPc-1" and I get the same error.
- VasilMichev, Nov 14, 2023, MVP
Well, the user in question doesn't even have the GA role assigned, so obviously it's something else. Open a support case, no point guessing.
- nverma2023, Nov 14, 2023, Copper Contributor
Thanks Vasil. That is a Beta API and we can't use it in a production system.
Is that a suggested way?
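Added example (not part of the original thread, and not Microsoft's code): one way to double-check which role and principal a roleAssignment ID targets before sending a DELETE, using the two assignments quoted above. The ID layout it decodes is an assumption inferred from those two values, not a documented contract; the role names are the built-in Microsoft Entra role template IDs, and the function names are hypothetical.

```python
import base64
import uuid

# Built-in Microsoft Entra role template IDs (identical in every tenant).
BUILTIN_ROLES = {
    "62e90394-69f5-4237-9190-012177145e10": "Global Administrator",
    "194ae4cb-b126-40b2-bd5b-6091b380977d": "Security Administrator",
    "29232cdf-9323-42fd-ade2-1d097af3e4de": "Exchange Administrator",
}

# The two assignments from the GET response quoted in the thread.
ASSIGNMENTS = [
    {"id": "y-RKGSaxskC9W2CRs4CXfammLL6Z2ZROkSPqwJRpRPc-1",
     "principalId": "be2ca6a9-d999-4e94-9123-eac0946944f7",
     "roleDefinitionId": "194ae4cb-b126-40b2-bd5b-6091b380977d"},
    {"id": "3ywjKSOT_UKt4h0JevPk3qmmLL6Z2ZROkSPqwJRpRPc-1",
     "principalId": "be2ca6a9-d999-4e94-9123-eac0946944f7",
     "roleDefinitionId": "29232cdf-9323-42fd-ade2-1d097af3e4de"},
]

def decode_assignment_id(assignment_id):
    """Return (roleDefinitionId, principalId) packed into an assignment id.

    Assumed layout, inferred from the ids above: 43 base64url characters
    holding two 16-byte little-endian GUIDs, followed by a "-<n>" suffix.
    """
    raw = base64.urlsafe_b64decode(assignment_id[:43] + "=")
    if len(raw) != 32:
        raise ValueError("unexpected assignment id layout")
    return (str(uuid.UUID(bytes_le=raw[:16])), str(uuid.UUID(bytes_le=raw[16:])))

def audit(assignments):
    """Name the role behind each assignment and flag id/field mismatches."""
    report = []
    for a in assignments:
        role_id, principal_id = decode_assignment_id(a["id"])
        report.append({
            "id": a["id"],
            "role": BUILTIN_ROLES.get(role_id, "unknown: " + role_id),
            "consistent": (role_id, principal_id)
                          == (a["roleDefinitionId"].lower(), a["principalId"].lower()),
        })
    return report

if __name__ == "__main__":
    for row in audit(ASSIGNMENTS):
        print(row["role"], row["consistent"], row["id"])
```

For the quoted response, both IDs decode to the same principal and to the roleDefinitionId listed beside them, and neither maps to the Global Administrator template ID.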