Microsoft Entra Suite Tech Accelerator
Aug 14 2024, 07:00 AM - 09:30 AM (PDT)
Microsoft Tech Community

Parts of Exchange Admin Center are not accessible when using Azure AD group based role assignment

Iron Contributor


We're trying out the Azure AD role assignable groups (preview) to facilitate onboarding new IT staff but I noticed some strange behaviour.

When assigning the Exchange Admin role to accounts via Azure AD role assignable group, certain portions of the Exchange Admin Center give an error 500 (Public Folders, the right portion of the GUI where you can change settings) and some give error '403 access denied' (Rules + Public Folder Mailboxes).

The Azure AD group becomes member of the Exchange Admin Role 'group' which in turn is member of the Exchange Online Organization Management role group. I'm thinking maybe something with nesting of groups but not sure why most of the ECP then works except those 3 things (that I have found so far).

If I add my account individually to the Org.Mgt. role group in Exchange Online, I again have full access but that beats the point of using Azure AD role assignable groups of course :)


So not sure if it's a bug or something that needs fixing. 

5 Replies
IIRC, groups are only supported in the new EAC. Have you tried that, or is that where you're seeing the issues? Incidentally, the UI bits you mentioned above are all 'borrowing' the 'classic' EAC controls, so it might just be that.
Hi Vasil, sorry for the delayed response. Was on holiday :)
I am seeing the issues in the new EAC, the classic one isn't even accessible when using groups, you get error 403 when going to the classic EAC URL.
It will most likely indeed be because those parts of EAC still surface the classic interface... I hope someone from product group is reading this so this gets (is being?) worked on.

@Steve Hernou 

It's more like a compatibility issue between old and new exchange admin center with that permission set. Some of the settings have been moved to new places and that could be it.
Quick workaround could be to switch it back to classic admin center and it will start working if still it doesn't then you have to open a ticket with MS internally to get this sorted. 
Here is an example of new and old admin center
Old Exchange.PNGNew Exchange.PNG
best response confirmed by Steve Hernou (Iron Contributor)

@Steve Hernou  Permissions granted via Azure Privileged Identity Management won't work for Rules, Organization, or Public Folders in the modern EAC.

What's new in Exchange admin center | Microsoft Docs

Thanks for finding this useful bit of info :) I hope they fix this inconsistency soon.
1 best response

Accepted Solutions
best response confirmed by Steve Hernou (Iron Contributor)