nverma2023
Nov 13, 2023 Copper Contributor
Removing self from Global Administrator built-in role is not allowed
Hi - I am using Java APIs to assign "Security Administrator". The Java code looks like this. final DirectoryObject dirObjectCreated = Objects.requireNonNull(graphClient
...
nverma2023
Nov 13, 2023 Copper Contributor
Yes I am. I can assure you that I am passing the correct ID.
I think the error message is generic if you try to remove any admin (Security Admin or Office Administrator etc.).
VasilMichev
Nov 13, 2023 MVP
Still, double-check things. I just tried to reproduce the issue, and I have no problem removing any additional roles assigned to the (only) Global admin. Only when trying to remove the GA role I get the error above.
- nverma2023 Nov 14, 2023 Copper Contributor
I fired these queries and changing the ID is resulting in the same error. Please see below.
GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments?$filter=principalId eq 'be2ca6a9-d999-4e94-9123-eac0946944f7'
Returns
{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#roleManagement/directory/roleAssignments",
  "value": [
    {
      "id": "y-RKGSaxskC9W2CRs4CXfammLL6Z2ZROkSPqwJRpRPc-1",
      "principalId": "be2ca6a9-d999-4e94-9123-eac0946944f7",
      "directoryScopeId": "/",
      "roleDefinitionId": "194ae4cb-b126-40b2-bd5b-6091b380977d"
    },
    {
      "id": "3ywjKSOT_UKt4h0JevPk3qmmLL6Z2ZROkSPqwJRpRPc-1",
      "principalId": "be2ca6a9-d999-4e94-9123-eac0946944f7",
      "directoryScopeId": "/",
      "roleDefinitionId": "29232cdf-9323-42fd-ade2-1d097af3e4de"
    }
  ]
}
Then DELETE
https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments/y-RKGSaxskC9W2CRs4CXfammLL6Z2ZROkSPqwJRpRPc-1
returns
{
  "error": {
    "code": "Request_BadRequest",
    "message": "Removing self from Global Administrator built-in role is not allowed.",
    "innerError": {
      "date": "2023-11-14T09:25:33",
      "request-id": "699aae4c-532d-408e-8f3e-d943c54f32d9",
      "client-request-id": "699aae4c-532d-408e-8f3e-d943c54f32d9"
    }
  }
}
I know the ID of security admin is "y-RKGSaxskC9W2CRs4CXfammLL6Z2ZROkSPqwJRpRPc-1" but I have tried both "y-RKGSaxskC9W2CRs4CXfammLL6Z2ZROkSPqwJRpRPc-1" and "3ywjKSOT_UKt4h0JevPk3qmmLL6Z2ZROkSPqwJRpRPc-1" and I get the same error.
- VasilMichev Nov 14, 2023 MVP
Well, the user in question doesn't even have the GA role assigned, so obviously it's something else. Open a support case, no point guessing.
- nverma2023 Nov 14, 2023 Copper Contributor
Thanks Vasil. That's a Beta API and we can't use it in a production system.
Is that a suggested way?
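
Added example, not part of the original thread or of any Microsoft SDK: a pre-DELETE check that decodes a roleAssignment id and confirms which role and principal it targets, using the two assignments posted above. The id layout (base64url of two little-endian GUIDs plus a "-1" suffix) is an assumption inferred from those two sample ids, not a documented contract; the function names are hypothetical, and the Global Administrator constant is Microsoft's published built-in role template ID.

```python
import base64
import uuid

# Published template ID of the built-in Global Administrator role.
GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"

# The two assignments returned by the GET request in the thread.
ASSIGNMENTS = [
    {"id": "y-RKGSaxskC9W2CRs4CXfammLL6Z2ZROkSPqwJRpRPc-1",
     "principalId": "be2ca6a9-d999-4e94-9123-eac0946944f7",
     "roleDefinitionId": "194ae4cb-b126-40b2-bd5b-6091b380977d"},
    {"id": "3ywjKSOT_UKt4h0JevPk3qmmLL6Z2ZROkSPqwJRpRPc-1",
     "principalId": "be2ca6a9-d999-4e94-9123-eac0946944f7",
     "roleDefinitionId": "29232cdf-9323-42fd-ade2-1d097af3e4de"},
]


def decode_assignment_id(assignment_id):
    """Return (roleDefinitionId, principalId) packed into an assignment id.

    Assumed layout, inferred from the sample ids: base64url(32 bytes) + "-" + suffix,
    where the 32 bytes are two GUIDs in little-endian byte order.
    """
    encoded, _, _suffix = assignment_id.rpartition("-")
    raw = base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4))
    if len(raw) != 32:
        raise ValueError("assignment id does not match the assumed layout")
    return str(uuid.UUID(bytes_le=raw[:16])), str(uuid.UUID(bytes_le=raw[16:]))


def check_delete_target(assignment):
    """Cross-check the id against the response fields before issuing DELETE."""
    role_id, principal_id = decode_assignment_id(assignment["id"])
    return {
        "roleDefinitionId": role_id,
        "principalId": principal_id,
        # False means the id and the JSON fields disagree: do not delete blindly.
        "consistent": (role_id == assignment["roleDefinitionId"]
                       and principal_id == assignment["principalId"]),
        "is_global_admin": role_id == GLOBAL_ADMIN_ROLE_ID,
    }


if __name__ == "__main__":
    for a in ASSIGNMENTS:
        print(a["id"], check_delete_target(a))
```

For both posted ids the decoded role matches the `roleDefinitionId` in the response and neither is the Global Administrator template, so the DELETE URL in the thread does address a non-GA assignment.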