Unable to Access policies in Security and Compliance


I'll try to summarize our issue as best I can but will admit it may require more info than I am providing. Hopefully, based on the issue, there's enough to provide suggestions on where we should focus our efforts to troubleshoot further.

I'm currently troubleshooting an issue while assigned the Security Administrator role through Azure Privileged Identity Management. When accessing the Security and Compliance portal it appears we can perform all necessary functions except modify / view any of the policies. The policy tab is visible under Threat Management but viewing any policy produces an error message and each error is pretty similar.

For example, Anti-malware policy error:

The requested search root 'NAMPR12A003.PROD.OUTLOOK.COM/ConfigurationUnits/xyz365.onmicrosoft.com/Configuration/Transport Settings/Rules/MalwareFilterVersioned' is not within the scope of this operation. Cannot perform searches outside the scope 'namprd12.prod.outlook.com/Configuration/Services/Microsoft Exchange/ExchangeLabs'.

We have a hybrid enterprise deployment and we utilize on-prem accounts that authenticate through SSO. Our Exchange and Cloud Services team are limited in identifying root cause. The role assignment through Azure "should" have necessary permissions as stated:
https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-ro...

This still reads like a permissions issue and we were going to try requesting to be added to Hygiene management in Exchange as we thought maybe we're missing necessary privileges in Exchange related to Anti malware / Anti Spam. Any suggestions or recommendations are welcome to steer us in the right direction and are appreciated. Thanks in advance!

10 Replies
I have seen this issue while I had my permission assigned through Privileged Identity Management, is that the case?

I have seen that you need to wait up to 45 minutes before PIM rights are propagated to Sec&Compl

Try waiting a while and logging out and back in

Yep the Azure sec admin account is set to stay active for 2 hours and we have the same experience through the length of that window - mindful that I'm logged out and logging in again to ensure we're avoiding a cached permissions scenario. We've also tried having our Exchange Admin (Organization Management role) grant me the Exchange RBAC role of ‘Security Administrator’ directly in Security and Compliance and I gave that a few hours before attempting to access the policy. @Thijs Lecomte

Are other admins in your org also experiencing this issue?

Yes, the person that has been able to access with no issues is the exchange admin (organizational management role) @Thijs Lecomte 

I would look into specifying permissions directly in security & compliance

Yes, we tried that as well. I had the exchange admin add me as Security Admin directly in Sec and compliance and gave it a few hours then attempted to access the policies with same errors. Unfortunately this one isn't as straightforward as it should be : / @Thijs Lecomte

I have some problem like that also, try deleting your browser cookies, that sometimes works for me. 

Another option is to try an in-private session, that just worked for me - I'm using Edge Version 80.0.361.50 (Official build) (64-bit)

@Dean Gross @Thijs Lecomte Actually managed to figure this one out this morning. Had our exchange admin add us to "hygiene management" role in the exchange environment. It's not documented anywhere, but because of our hybrid environment I don't think this scenario quite applies to the general implementation of Sec and Compliance. It's interesting though that for us, neither Sec administrator role in exchange nor Sec administrator role in Sec and Compliance were sufficient enough to access any of those policies. Maybe it's tied to how our email team migrated from exchange to O365... I fixed it so I'll leave that for them to figure out : )
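
The following is an added example, not part of any post in this thread: a read-only check an Exchange admin could run to see which Exchange Online role groups an affected account gets its roles from, and which roles carried by "Hygiene Management" it lacks. The function name `Compare-RoleGroupCoverage` and the UPN in the usage comment are hypothetical; it assumes the ExchangeOnlineManagement module and an existing `Connect-ExchangeOnline` session.

```powershell
# Added example: compare a user's effective Exchange Online roles with the
# roles carried by a reference role group (default: the group named in the thread).
function Compare-RoleGroupCoverage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,  # account that sees the scope error
        [string] $RoleGroup = 'Hygiene Management'
    )

    # Strip any canonical path prefix so role names compare as plain strings.
    $leaf = { param($id) ([string]$id).Split('/')[-1] }

    # Assignments that apply to the user, directly or through role groups.
    $assignments = @(Get-ManagementRoleAssignment -RoleAssignee $UserPrincipalName -ErrorAction Stop)
    $userRoles = @($assignments | ForEach-Object { & $leaf $_.Role } | Sort-Object -Unique)
    $viaGroups = @($assignments |
        Where-Object { $_.RoleAssigneeType -eq 'RoleGroup' } |
        ForEach-Object { [string]$_.RoleAssigneeName } | Sort-Object -Unique)

    # Roles assigned to the reference role group.
    $groupRoles = @((Get-RoleGroup -Identity $RoleGroup -ErrorAction Stop).Roles |
        ForEach-Object { & $leaf $_ } | Sort-Object -Unique)

    [pscustomobject]@{
        User            = $UserPrincipalName
        RoleGroups      = $viaGroups
        InReferenceGroup = $viaGroups -contains $RoleGroup
        # Roles the reference group grants that the user does not hold at all.
        MissingRoles    = @($groupRoles | Where-Object { $userRoles -notcontains $_ })
    }
}

# Usage (placeholder UPN):
#   Compare-RoleGroupCoverage -UserPrincipalName 'secadmin@contoso.example' | Format-List
#
# If the gap is confirmed and approved, the change described in the thread is:
#   Add-RoleGroupMember -Identity 'Hygiene Management' -Member 'secadmin@contoso.example'
```

Running the comparison before and after the membership change gives a record of exactly which roles were added, which is useful when the grant is broader than the Security Administrator role the account was meant to have.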