Exchange Online RBAC permissions for TenantAdmins not working as expected

I've come across similar permission issues before but I'll use the latest example. In an M365 tenant I wanted to import a PST file. When I went to the Compliance > Information Governance > Import tab a message stated that I didn't have the necessary permissions to create an import job. I was logged in as a global admin.

What I don't understand is that the Organization Management role group seemingly should have given my global admin access to the functionality, which requires the Mailbox Import Export role. The Assigned tab for the Organization Management role group showed TenantAdmins and the Permissions tab has nearly every role enabled, including Mailbox Import Export.

From my understanding every global admin is a member of TenantAdmins. So assuming my admin user account belongs to TenantAdmins and TenantAdmins is assigned the Mailbox Import Export role, my admin user account should also be assigned the Mailbox Import Export role. But it wasn't working.

I had to add my individual admin account to the Assigned tab for the Organization Management role group. Why is that the case though? Why didn't it simply work with the default config? Am I overlooking something or is this some RBAC glitchiness?

2 Replies

The Compliance center uses a different set of roles/role groups than what you see in Exchange; their membership is not matched. Use the relevant controls in the Compliance Center UI, not the Exchange admin center ones.

I don't think that's accurate. In this case the fix was to assign the global admin user to the Organization Management rolegroup in EAC. It was the Mailbox Import Export role that was needed, which is an Exchange role. I didn't have to do anything with Compliance permissions to make it work.

The root of my question really comes down to permission inheritance. If a user is assigned to a rolegroup, in this case TenantAdmins (or more specifically TenantAdmins_-1382031418 for this tenant), and TenantAdmins belongs to another rolegroup such as Organization Management, should the user inherit all of the permissions of the Organization Management rolegroup?
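
An added example, not part of the thread: one way to inspect, from Exchange Online PowerShell, how the Mailbox Import Export role reaches a given admin account through the Organization Management role group. The UPN `admin@contoso.example` is a placeholder, and the script assumes the ExchangeOnlineManagement module is installed; it only reads configuration and changes nothing.

```powershell
# Added example: read-only inspection of Exchange Online RBAC assignments.
# $AdminUpn is a placeholder value, not taken from the thread.
$AdminUpn  = 'admin@contoso.example'
$RoleName  = 'Mailbox Import Export'
$GroupName = 'Organization Management'

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName $AdminUpn

# 1. Direct members of the role group. In the thread, the only default
#    entry shown on the Assigned tab was the TenantAdmins group.
Write-Host "Members of '$GroupName':"
Get-RoleGroupMember -Identity $GroupName |
    Format-Table Name, RecipientType -AutoSize

# 2. Every assignment of the role: which assignee holds it, what kind of
#    object that assignee is, and whether the assignment is direct.
Write-Host "Assignments of role '$RoleName':"
Get-ManagementRoleAssignment -Role $RoleName |
    Format-Table Name, RoleAssigneeName, RoleAssigneeType, AssignmentMethod -AutoSize

# 3. Assignments that resolve to the admin account itself. With
#    -RoleAssignee the cmdlet returns direct and indirect assignments
#    (for example via role groups), so filter down to the role in question.
$hits = Get-ManagementRoleAssignment -RoleAssignee $AdminUpn |
    Where-Object { $_.Role -like "*$RoleName*" }

if ($hits) {
    Write-Host "'$AdminUpn' holds '$RoleName' through:"
    $hits | Format-List Name, Role, RoleAssigneeName, RoleAssigneeType, AssignmentMethod
}
else {
    Write-Warning "No assignment of '$RoleName' resolves to '$AdminUpn'."
}

Disconnect-ExchangeOnline -Confirm:$false
```

Running it before and after adding the account to the role group shows whether the assignment was reaching the user through the nested TenantAdmins group or only through direct membership.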