Removing self from Global Administrator built-in role is not allowed

Hi - I am using Java APIs to assign "Security Administrator".

The java code looks like this.

  import com.microsoft.graph.models.DirectoryObject;
  import java.util.Objects;

  // Assumed context: graphClient is a GraphServiceClient, directoryObject carries the id of the
  // principal to add, and ROLE_TEMPLATE_ID / SECURITY_ADMIN_TEMPLATE_ID build the roleTemplateId
  // selector for the activated Security Administrator directory role. Adds the principal as a member.
  final DirectoryObject dirObjectCreated = Objects.requireNonNull(graphClient
                  .directoryRoles(ROLE_TEMPLATE_ID + "=" + SECURITY_ADMIN_TEMPLATE_ID)
                  .members()
                  .references())
          .buildRequest()
          .post(directoryObject);

This works fine.

When I try to remove this "Security Administrator", I am getting the error

Removing self from Global Administrator built-in role is not allowed.

I have tried the following URL

Method: DELETE

URL: https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments/y-RKG-FULL-ID

I am able to remove the role after I manually log in to Office 365.

It seems removing the role is not allowed. I looked at example 11 at this link https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-assign-graph

Example 11 at this link says
We prevent users from deleting their own Global Administrator role to avoid a scenario where a tenant has zero Global Administrators. Removing other roles assigned to self is allowed.
My token has the following roles
  "roles": [
    "Mail.ReadWrite",
    "Domain.ReadWrite.All",
    "Group.Read.All",
    "Directory.Read.All",
    "User.Read.All",
    "Domain.Read.All",
    "RoleManagement.ReadWrite.Directory",
    "Application.Read.All"
  ]
Question: How can I remove "Security Administrator" role?
6 Replies
Are you passing the correct ID? The error message above suggests that you are trying to remove the Global admin role, not Security admin one.

@Vasil Michev 

Yes I am. I can assure you that I am passing the correct ID.

I think the error message is generic if you try to remove any admin role (Security Admin, Office Administrator, etc.)

Still, double-check things. I just tried to reproduce the issue, and I have no problem removing any additional roles assigned to the (only) Global admin. Only when trying to remove the GA role do I get the error above.


Thanks Vasil. That's a Beta API and we can't use it in a production system.
Is that a suggested way?
I ran these queries, and changing the ID results in the same error. Please see below.

GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments?$filter=principalId eq 'be2ca6a9-d999-4e94-9123-eac0946944f7'
Returns
{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#roleManagement/directory/roleAssignments",
  "value": [
    {
      "id": "y-RKGSaxskC9W2CRs4CXfammLL6Z2ZROkSPqwJRpRPc-1",
      "principalId": "be2ca6a9-d999-4e94-9123-eac0946944f7",
      "directoryScopeId": "/",
      "roleDefinitionId": "194ae4cb-b126-40b2-bd5b-6091b380977d"
    },
    {
      "id": "3ywjKSOT_UKt4h0JevPk3qmmLL6Z2ZROkSPqwJRpRPc-1",
      "principalId": "be2ca6a9-d999-4e94-9123-eac0946944f7",
      "directoryScopeId": "/",
      "roleDefinitionId": "29232cdf-9323-42fd-ade2-1d097af3e4de"
    }
  ]
}


Then DELETE
https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments/y-RKGSaxskC9W2CRs4CXfammLL...
returns
{
  "error": {
    "code": "Request_BadRequest",
    "message": "Removing self from Global Administrator built-in role is not allowed.",
    "innerError": {
      "date": "2023-11-14T09:25:33",
      "request-id": "699aae4c-532d-408e-8f3e-d943c54f32d9",
      "client-request-id": "699aae4c-532d-408e-8f3e-d943c54f32d9"
    }
  }
}
I know the ID of security admin is "y-RKGSaxskC9W2CRs4CXfammLL6Z2ZROkSPqwJRpRPc-1" but I have tried both "y-RKGSaxskC9W2CRs4CXfammLL6Z2ZROkSPqwJRpRPc-1" and "3ywjKSOT_UKt4h0JevPk3qmmLL6Z2ZROkSPqwJRpRPc-1" and I get the same error.
Well, the user in question doesn't even have the GA role assigned, so obviously it's something else. Open a support case, no point guessing.
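An added example, not code from this thread or from Microsoft: a small Python helper that takes the roleAssignments JSON the poster listed above, resolves each roleDefinitionId to a built-in role name, reports whether the principal holds Global Administrator at all (Vasil's observation), and picks the assignment id to DELETE for a requested role. It refuses to select a Global Administrator assignment, as a local mirror of the service-side guard quoted from the docs, so a script never tries to remove its own GA role. The three template IDs are the published built-in role template IDs (for built-in roles the roleDefinitionId equals the template ID); the sample response is copied from the thread, and no request is sent.

```python
import json

# Published built-in role template IDs for the three roles relevant here.
GLOBAL_ADMIN_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"
SECURITY_ADMIN_TEMPLATE_ID = "194ae4cb-b126-40b2-bd5b-6091b380977d"
EXCHANGE_ADMIN_TEMPLATE_ID = "29232cdf-9323-42fd-ade2-1d097af3e4de"
BUILTIN_ROLE_TEMPLATES = {
    GLOBAL_ADMIN_TEMPLATE_ID: "Global Administrator",
    SECURITY_ADMIN_TEMPLATE_ID: "Security Administrator",
    EXCHANGE_ADMIN_TEMPLATE_ID: "Exchange Administrator",
}

# Constructed sample input: the GET roleAssignments response quoted in the thread.
SAMPLE_RESPONSE = json.dumps({
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#roleManagement/directory/roleAssignments",
    "value": [
        {"id": "y-RKGSaxskC9W2CRs4CXfammLL6Z2ZROkSPqwJRpRPc-1",
         "principalId": "be2ca6a9-d999-4e94-9123-eac0946944f7",
         "directoryScopeId": "/",
         "roleDefinitionId": SECURITY_ADMIN_TEMPLATE_ID},
        {"id": "3ywjKSOT_UKt4h0JevPk3qmmLL6Z2ZROkSPqwJRpRPc-1",
         "principalId": "be2ca6a9-d999-4e94-9123-eac0946944f7",
         "directoryScopeId": "/",
         "roleDefinitionId": EXCHANGE_ADMIN_TEMPLATE_ID},
    ],
})


def role_name(role_definition_id):
    """Map a roleDefinitionId to a built-in role name, or label it unknown."""
    return BUILTIN_ROLE_TEMPLATES.get(role_definition_id, "unknown (" + role_definition_id + ")")


def list_assignments(response_json, principal_id):
    """Return the principal's assignments from a roleAssignments response, each annotated with its role name."""
    body = json.loads(response_json)
    result = []
    for item in body.get("value", []):
        if item.get("principalId") != principal_id:
            continue
        result.append({
            "id": item["id"],
            "roleDefinitionId": item["roleDefinitionId"],
            "role": role_name(item["roleDefinitionId"]),
            "scope": item.get("directoryScopeId", "/"),
        })
    return result


def holds_global_admin(assignments):
    """True if any annotated assignment is the Global Administrator role."""
    return any(a["roleDefinitionId"] == GLOBAL_ADMIN_TEMPLATE_ID for a in assignments)


def select_assignment_to_remove(assignments, role_template_id):
    """Return the assignment id to DELETE for role_template_id.

    Raises PermissionError for Global Administrator (mirrors the service guard
    quoted in the thread; that removal is left to an interactive admin) and
    LookupError when the principal holds no assignment for that role.
    """
    if role_template_id == GLOBAL_ADMIN_TEMPLATE_ID:
        raise PermissionError("refusing to script removal of a Global Administrator assignment")
    for a in assignments:
        if a["roleDefinitionId"] == role_template_id:
            return a["id"]
    raise LookupError("principal holds no assignment for " + role_name(role_template_id))


def delete_url(assignment_id, api_version="v1.0"):
    """Build the DELETE URL for a unifiedRoleAssignment (request is not sent here)."""
    return ("https://graph.microsoft.com/" + api_version
            + "/roleManagement/directory/roleAssignments/" + assignment_id)


if __name__ == "__main__":
    principal = "be2ca6a9-d999-4e94-9123-eac0946944f7"
    found = list_assignments(SAMPLE_RESPONSE, principal)
    for a in found:
        print(a["role"], "->", a["id"])
    print("holds Global Administrator:", holds_global_admin(found))
    target = select_assignment_to_remove(found, SECURITY_ADMIN_TEMPLATE_ID)
    print("DELETE", delete_url(target))
```

Run it before issuing the DELETE: if the role names printed do not include Global Administrator, the error message the service returned cannot be explained by the assignment id alone, which is the point Vasil makes and a useful fact to put in the support case.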