cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Exchange Online RBAC permissions for TenantAdmins not working as expected

Chris McFarling
Brass Contributor

‎Nov 08 2021 07:38 AM

‎Nov 08 2021 07:38 AM

Exchange Online RBAC permissions for TenantAdmins not working as expected

I've come across similar permission issues before but I'll use the latest example. In a M365 tenant I wanted to import a PST file. When I went to the Compliance > Information Governance > Import tab a message stated that I didn't have the necessary permissions to create an import job. I was logged in as a global admin.

What I don't understand is that the Organization Management role group seemingly should have given my global admin access to the functionality, which requires the Mailbox Import Export role. The Assigned tab for the Organization Management role group showed TenantAdmins and the Permissions tab has nearly every role enabled, including Mailbox Import Export.

From my understanding every global admin is a member of TenantAdmins. So assuming my admin user account belongs to TenantAdmins and TenantAdmins is assigned the Mailbox Import Export role, my admin user account should also be assigned the Mailbox Import Export role. But it wasn't working.

I had to add my individual admin account to the Assigned tab for the Organization Management role group. Why is that the case though? Why didn't it simply work with the default config? Am I overlooking something or is this some RBAC glitchiness?

1,074 Views
0 Likes
2 Replies
Reply
2 Replies
Vasil Michev

‎Nov 08 2021 08:31 AM

‎Nov 08 2021 08:31 AM

Re: Exchange Online RBAC permissions for TenantAdmins not working as expected

The Compliance center uses a different set of roles/role groups than what you see in Exchange, their membership is not matched. Use the relevant controls in the Compliance Center UI, not the Exchange admin center ones.
0 Likes
Reply
Chris McFarling

‎Nov 08 2021 10:08 AM

‎Nov 08 2021 10:08 AM

Re: Exchange Online RBAC permissions for TenantAdmins not working as expected

I don't think that's accurate. In this case the fix was to assign the global admin user to the Organization Management rolegroup in EAC. It was the Mailbox Import Export role that was needed, which is an Exchange role. I didn't have to do anything with Compliance permissions to make it work.

The root of my question really comes down to permission inheritance. If a user is assigned to a rolegroup, in this case TenantAdmins (or more specifically TenantAdmins_-1382031418 for this tenant), and TenantAdmins belongs to another rolegroup such as Organization Management, should the user inherit all of the permissions of the Organization Management rolegroup?
0 Likes
Reply