Removing self from Global Administrator built-in role is not allowed


Hi - I am using Java APIs to assign "Security Administrator".

The Java code looks like this.





  final DirectoryObject dirObjectCreated = Objects.requireNonNull(graphClient
                            .directoryRoles(ROLE_TEMPLATE_ID + "=" + SECURITY_ADMIN_TEMPLATE_ID)





This works fine.


When I try to remove this "Security Administrator", I am getting the error 




Removing self from Global Administrator built-in role is not allowed.



I have tried the following URL

Method: DELETE


I am able to remove the role after I manually log in to Office 365.
It seems removing the role is not allowed. I looked at example 11 at this link
This link at example 11 says 




We prevent users from deleting their own Global Administrator role to avoid a scenario where a tenant has zero Global Administrators. Removing other roles assigned to self is allowed.




My token has the following roles




"roles": [





Question: How can I remove "Security Administrator" role?


6 Replies
Are you passing the correct ID? The error message above suggests that you are trying to remove the Global admin role, not the Security admin one.

@Vasil Michev 

Yes I am. I can assure you that I am passing the correct ID.

I think the error message is generic if you try to remove any admin (Security Admin or Office Administrator, etc.).

Still, double-check things. I just tried to reproduce the issue, and I have no problem removing any additional roles assigned to the (only) Global admin. Only when trying to remove the GA role do I get the error above.




Thanks Vasil. That is a Beta API and we can't use it in a production system.
Is that a suggested way?
I fired these queries and changing the ID is resulting in the same error. Please see below.

GET$filter=principalId eq 'be2ca6a9-d999-4e94-9123-eac0946944f7'
{
  "@odata.context": "$metadata#roleManagement/directory/roleAssignments",
  "value": [
    {
      "id": "y-RKGSaxskC9W2CRs4CXfammLL6Z2ZROkSPqwJRpRPc-1",
      "principalId": "be2ca6a9-d999-4e94-9123-eac0946944f7",
      "directoryScopeId": "/",
      "roleDefinitionId": "194ae4cb-b126-40b2-bd5b-6091b380977d"
    },
    {
      "id": "3ywjKSOT_UKt4h0JevPk3qmmLL6Z2ZROkSPqwJRpRPc-1",
      "principalId": "be2ca6a9-d999-4e94-9123-eac0946944f7",
      "directoryScopeId": "/",
      "roleDefinitionId": "29232cdf-9323-42fd-ade2-1d097af3e4de"
    }
  ]
}

{
  "error": {
    "code": "Request_BadRequest",
    "message": "Removing self from Global Administrator built-in role is not allowed.",
    "innerError": {
      "date": "2023-11-14T09:25:33",
      "request-id": "699aae4c-532d-408e-8f3e-d943c54f32d9",
      "client-request-id": "699aae4c-532d-408e-8f3e-d943c54f32d9"
    }
  }
}
I know the ID of security admin is "y-RKGSaxskC9W2CRs4CXfammLL6Z2ZROkSPqwJRpRPc-1" but I have tried both "y-RKGSaxskC9W2CRs4CXfammLL6Z2ZROkSPqwJRpRPc-1" and "3ywjKSOT_UKt4h0JevPk3qmmLL6Z2ZROkSPqwJRpRPc-1" and I get the same error.
Well, the user in question doesn't even have the GA role assigned, so obviously it's something else. Open a support case, no point guessing.
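
Added example, not code from the thread or from Microsoft: a Python pre-flight check over the roleAssignments response quoted above (braces restored) that maps each assignment id to its role before any DELETE is sent, and refuses the self-removal from Global Administrator that the documentation says is blocked. The two constants are the well-known built-in template IDs for Global Administrator and Security Administrator; the function names and the relative path shape are assumptions.

```python
import json
from urllib.parse import quote

# Well-known built-in role template IDs, identical in every tenant.
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"
SECURITY_ADMIN = "194ae4cb-b126-40b2-bd5b-6091b380977d"

# The response quoted in the thread, with the lost braces restored.
SAMPLE = json.loads("""
{"value": [
  {"id": "y-RKGSaxskC9W2CRs4CXfammLL6Z2ZROkSPqwJRpRPc-1",
   "principalId": "be2ca6a9-d999-4e94-9123-eac0946944f7",
   "directoryScopeId": "/",
   "roleDefinitionId": "194ae4cb-b126-40b2-bd5b-6091b380977d"},
  {"id": "3ywjKSOT_UKt4h0JevPk3qmmLL6Z2ZROkSPqwJRpRPc-1",
   "principalId": "be2ca6a9-d999-4e94-9123-eac0946944f7",
   "directoryScopeId": "/",
   "roleDefinitionId": "29232cdf-9323-42fd-ade2-1d097af3e4de"}
]}
""")
USER = "be2ca6a9-d999-4e94-9123-eac0946944f7"


def assignments_for(response, principal_id, role_definition_id):
    """Assignments in the response that give principal_id the given role."""
    return [a for a in response.get("value", [])
            if a.get("principalId") == principal_id
            and a.get("roleDefinitionId") == role_definition_id]


def removal_paths(response, principal_id, role_definition_id, caller_id):
    """Relative DELETE paths for one role, refusing the case the service blocks."""
    if role_definition_id == GLOBAL_ADMIN and principal_id == caller_id:
        raise ValueError("self-removal from Global Administrator is not allowed")
    matches = assignments_for(response, principal_id, role_definition_id)
    if not matches:
        raise LookupError("principal holds no assignment of that role")
    # Path shape is an assumption taken from the @odata.context in the response.
    return ["roleManagement/directory/roleAssignments/" + quote(a["id"], safe="")
            for a in matches]


if __name__ == "__main__":
    print("holds Global Administrator:",
          bool(assignments_for(SAMPLE, USER, GLOBAL_ADMIN)))
    print(removal_paths(SAMPLE, USER, SECURITY_ADMIN, caller_id=USER))
```
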