- last edited on
Ill try to summarize our issue as best I can but will admit it may require more info than I am providing. Hopefully, based on the issue, theres enough to provide suggestions on where we should focus our efforts to troubleshoot further.
Im currently troubleshooting an issue while assigned the Security Administrator role through Azure privileged identity management. When accessing the Security and Compliance portal it appears we can perform all necessary functions except modify / view any of the policies. The policy tab is visible under Threat Management but viewing any policy produces an error message and each error is pretty similar.
For example, Anti-malware policy error:
The requested search root 'NAMPR12A003.PROD.OUTLOOK.COM/ConfigurationUnits/xyz365.onmicrosoft.com/Configuration/Transport Settings/Rules/MalwareFilterVersioned' is not within the scope of this operation. Cannot perform searches outside the scope 'namprd12.prod.outlook.com/Configuration/Services/Microsoft Exchange/ExchangeLabs'.
We have a hybrid enterprise deployment and we utilize on prem accounts that authenticate through SSO. Our Exchange and Cloud Services team are limited in identifying root cause. The role assignment through Azure "should" have necessary permissions as stated:
This still reads like a permissions issue and we were going to try requesting to be added to Hygiene management in Exchange as we thought maybe were missing necessary privileges In Exchange related to Anti malware /Anti Spam. Any suggestions or recommendations are welcome to steer us in the right direction and are appreciated. Thanks in advance!
01-31-2020 10:17 AM
01-31-2020 11:40 AM
01-31-2020 12:12 PM
Yep the Azure sec admin account is set to stay active for 2 hours and we have the same experience through the length of that window - mindful that Im logged out and logging in again to ensure were avoiding a cached permissions scenario.. Weve also tried having our Exchange Admin (Organization Management role) grant me the Exchange RBAC role of ‘Security Administrator’ directly in Security and Compliance and I gave that a few hours before attempting to access the policy. @Thijs Lecomte
02-06-2020 01:34 PM
Yes, the person that has been able to access with no issues is the exchange admin (organizational management role) @Thijs Lecomte
02-07-2020 01:10 PM
yes, we tried that as well. I had the exchange admin add me as Security Admin directly in Sec and compliance and gave it a few hours then attempted to access the policies with same errors. Unfortunately this one isn't as straight forward as it should be : / @Thijs Lecomte
02-12-2020 11:34 AM - edited 02-12-2020 12:45 PM
I have some problem like that also, try deleting your browser cookies, that sometimes works for me.
Another option is to try an in-private session, that just worked for me - I'm using Edge Version 80.0.361.50 (Official build) (64-bit)
02-14-2020 09:31 AM
@Dean Gross @Thijs Lecomte Actually managed to figure this one out this morning. Had our exchange admin add us to "hygiene management" role in the exchange environment. Its not documented anywhere, but because of our hybrid environment I don't think this scenario quite applies to the general implementation of Sec and Compliance.. Its interesting though that for us, Sec administrator role in exchange nor Sec administrator role in Sec and Compliance were sufficient enough to access any of those policies. Maybe its tied to how our email team migrated from exchange to O365... I fixed it so Ill leave that for them to figure out : )