In this TechTip I want to cover an error that we ran across while helping a customer resolve some strange error messages in Office 365.
The situation: Customer has several hundred users DirSync’ed to Office 365 from on-prem AD. Due to the size of their on-prem implementation, they’ve enlisted the help of another third-party vendor to assist with migrating their email over to the 365 platform. After the user accounts have been created, one of the users wants to be set as a Global Admin – but in the process of doing so they encounter an error that will not allow them to set ANY roles from within MOP.
The error: “You can’t edit the user’s role on this page because they have one or more partner-managed roles…”
The solution: “Partner-managed” roles didn’t make a whole lot of sense. This was something we’d never seen before. Scouring through the Active Users list yielded two accounts that were created by the third-party vendor — one of which was a cloud-only user and designated as a Global Admin. Knowing this was the case, we started combing through the available roles in the ECP, but nothing there was yielding a smoking gun.
Now we turn to Powershell…
Get-MsolRole will list the ObjectID, Name, and Description of all the baked-in roles that are available in 365 to be assigned to users. Your mileage may vary, depending on who you have your 365 offering through and how customized things are, but here’s the list I got back when running it against this tenant:
It’s a short list, so it didn’t make sense for me to write a ForEach loop to iterate through it. We manually copy-pasted each ObjectID into the
Get-MsolRoleMember cmdlet to see if the user in question was a member of any of them. Lo and behold… we found him in the first one!
As a test, we opted to remove him from the Exchange Service Administrator role. The
Remove-MsolRoleMember cmdlet requires you to provide the ObjectID of the user you wish to remove, so make sure that you re-run the
Get-MsolRoleMember -RoleObjectID | fl command to grab the ID of the user you’re having a problem with. Once armed with this information, remove the user with the following command:
Remove-MsolRoleMember -RoleObjectID -RoleMemberObjectID
We then confirmed the removal by rerunning the
Get-MsolRoleMember cmdlet for that role.
Once done… we retried assigning that user Global Admin perms in MOP… and it worked!
Summary: The user’s membership in the Exchange Service Administrator MSOL role group was preventing us from assigning him Global Administrator permissions in MOP. By removing him from that group, we were then able to unlock that dropdown and add the permissions as expected.