In Exchange Online, the set of tasks that an administrator can perform depends on the permissions that are granted to an administrator using Role Based Access Control (RBAC). For example, a management role called Mail Recipients defines the tasks that someone can perform on a set of user mailboxes, mail users, contacts, and distribution groups. When a management role is assigned to an administrator or user, that person is granted permissions provided by the management role.
Sometimes you might encounter issues where an administrator is not able to perform some tasks even though the required roles appear to be assigned. The roles may look correct at first glance, but a misconfigured or customized RBAC setup might be the culprit. This blog post is here to help you troubleshoot such problems by sharing common RBAC misconfiguration issues.
Automated RBAC diagnostic checks
To help troubleshoot RBAC issues faster, we have now released two automated self-serve diagnostic checks that you can use when troubleshooting Exchange Online RBAC issues for your users. You can launch a diagnostic as an administrator either by clicking the Run Tests buttons below or by going to Help & Support in the Microsoft 365 admin center and searching for the corresponding phrase:

In Help & Support, search for "Compare Exchange Online RBAC roles of two users (working and not working)."
Run Tests: EXO RBAC compare users

In Help & Support, search for "Check if a user has Exchange Online RBAC rights to run a specific cmdlet and parameter."
Run Tests: EXO RBAC test user
Most frequent RBAC configuration issues

Here are some issues that admins may encounter due to RBAC misconfiguration, along with troubleshooting steps.

Can’t enable litigation hold on mailboxes via PowerShell or modern EAC (Exchange admin center)

In this scenario, the option to enable litigation hold is not available for an admin, and an error occurs when trying to enable litigation hold using PowerShell.
    Set-Mailbox email@example.com -LitigationHoldEnabled $true -LitigationHoldDuration 1425 -RetainDeletedItemsFor 30
    A parameter cannot be found that matches parameter name 'LitigationHoldEnabled'.
        + CategoryInfo          : InvalidArgument: (:) [Set-Mailbox], ParameterBindingException
        + FullyQualifiedErrorId : NamedParameterNotFound,Set-Mailbox
        + PSComputerName        : outlook.office365.com
First, we need to determine the roles required to run Set-Mailbox with the LitigationHoldEnabled parameter:
What this tells us is that a user must hold at least one of the three roles listed above to perform this task.
Now let’s check the Role Assignments for these roles:
The figure above shows the expected output (unless you have custom RBAC configured or have customized the Exchange default management role groups). The value to pay attention to is RoleAssignmentDelegationType, which is either Regular or DelegatingOrgWide.
The above example shows that the Retention Management role assignment is a regular role assignment. A regular role assignment allows members of the Compliance Management, Records Management and Organization Management role groups (the role assignees) to access the management role entries, that is, the cmdlets and cmdlet parameters associated with the Retention Management role. A delegating assignment, by contrast, only allows the assignee to assign the role to others; it does not grant the cmdlets themselves.
Similarly, we can run the same command for the remaining two roles to determine where the issue exists, and then add a Regular role assignment for the affected role group to fix the problem.
In this case, the problem was caused by a misconfiguration of the Organization Management role group for the Legal Hold role: the Regular role assignment was missing for Organization Management. You can see the difference between the working and non-working scenarios below.
The solution was to add the regular role assignment (Legal Hold) back to the Organization Management role group using the Exchange admin center.
Unable to convert user mailbox to shared mailbox or vice versa using PowerShell or modern EAC

In this scenario, the option to convert a user mailbox to a shared mailbox is not available for an admin, and an error occurs when trying to convert the mailbox using PowerShell.
    Set-Mailbox firstname.lastname@example.org -Type Shared
    A parameter cannot be found that matches parameter name 'Type'.
        + CategoryInfo          : InvalidArgument: (:) [Set-Mailbox], ParameterBindingException
        + FullyQualifiedErrorId : NamedParameterNotFound,Set-Mailbox
        + PSComputerName        : outlook.office365.com
In this case, the Mail Recipients role has no role assignment of type Regular for the affected role group:
An admin can take the same approach used for the first issue to fix this one.

Unable to create connectors using PowerShell or modern EAC

In this scenario, the option to create connectors is not available for an admin, and an error occurs when trying to create a connector using PowerShell.
System.Management.Automation.CommandNotFoundException: The term 'New-InboundConnector' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
In this scenario, the Remote and Accepted Domains role has no role assignment of type Regular for the affected role group:
An admin can take the same approach used for the first issue to fix this one.
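The following is an added example, not part of the original post, that scripts the manual check walked through for the litigation hold scenario and applies it to all three scenarios above: find the roles that grant a cmdlet (and parameter), then see which role groups hold a Regular rather than a DelegatingOrgWide assignment for each. It assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline) and that the caller can run Get-ManagementRole and Get-ManagementRoleAssignment; the function name, its parameters and the default role group are our own choices.

```powershell
# Added example (not from the original post). Assumes Connect-ExchangeOnline has
# already been run. Function and parameter names are hypothetical.
function Test-ExoRbacCmdletAccess {
    param(
        [Parameter(Mandatory)] [string] $Cmdlet,
        [string] $Parameter,                          # optional: e.g. LitigationHoldEnabled
        [string] $RoleGroup = 'Organization Management' # role group the admin belongs to
    )

    # Step 1: which management roles contain a role entry for this cmdlet (and parameter)?
    $roleQuery = @{ Cmdlet = $Cmdlet }
    if ($Parameter) { $roleQuery['CmdletParameters'] = $Parameter }
    $roles = Get-ManagementRole @roleQuery
    if (-not $roles) {
        Write-Warning "No management role grants '$Cmdlet' $Parameter; check the spelling."
        return
    }

    # Step 2: for each role, split its enabled assignments into Regular ones (which grant
    # the cmdlets) and delegating ones (which only allow handing the role to others).
    foreach ($role in $roles) {
        $assignments = Get-ManagementRoleAssignment -Role $role.Name -Enabled $true
        $regular    = $assignments | Where-Object RoleAssignmentDelegationType -eq 'Regular'
        $delegating = $assignments | Where-Object RoleAssignmentDelegationType -ne 'Regular'

        [pscustomobject]@{
            Role                = $role.Name
            RegularAssignees    = ($regular.RoleAssigneeName    | Sort-Object -Unique) -join ', '
            DelegatingAssignees = ($delegating.RoleAssigneeName | Sort-Object -Unique) -join ', '
            # False here for every role in the list reproduces the symptom described above.
            RoleGroupHasRegular = [bool]($regular | Where-Object RoleAssigneeName -eq $RoleGroup)
        }
    }
}

# Scenario 1: litigation hold (Set-Mailbox -LitigationHoldEnabled)
Test-ExoRbacCmdletAccess -Cmdlet Set-Mailbox -Parameter LitigationHoldEnabled | Format-Table -AutoSize

# Scenario 2: convert to shared mailbox (Set-Mailbox -Type)
Test-ExoRbacCmdletAccess -Cmdlet Set-Mailbox -Parameter Type | Format-Table -AutoSize

# Scenario 3: connector creation (whole cmdlet, no parameter)
Test-ExoRbacCmdletAccess -Cmdlet New-InboundConnector | Format-Table -AutoSize

# When a role reports RoleGroupHasRegular = False, restore the Regular assignment in the
# EAC as the post describes, or with the equivalent cmdlet, e.g. for scenario 1:
# New-ManagementRoleAssignment -Role 'Legal Hold' -SecurityGroup 'Organization Management'
```

If you have custom role groups, pass their name via -RoleGroup; the role names in the output are the ones to compare against the RoleAssignmentDelegationType values shown in the figures above.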