Created February 22, 2025 02:33
Gist: LikeCarter/0fe8c6dd39c5fdedc31eb83368ed7e10
# Fixing Stripped Exchange Online Role Permissions: A Step-by-Step Solution

When managing Exchange Online roles, it's easy to accidentally strip critical permissions while making modifications. Here's how I recently solved an issue where the Organization Management role lost most of its permissions, including the crucial Role Management permission.

## The Problem

During a routine task of adding Import PST permissions to the Organization Management role, most other permissions were inadvertently removed. The situation was particularly challenging because:

1. The Role Management permission was among those stripped
2. The 365 Admin Center's people picker wasn't functioning
3. PowerShell commands like `Add-RoleGroupMember` and `Get-RoleGroup` were unrecognized

## The Solution

The fix involves using the Microsoft Graph API to restore the necessary permissions. Here's the detailed process:

### 1. Azure App Registration Setup

First, create a new application registration in Azure:

- Navigate to Azure Portal > App Registrations
- Create a new registration
- Add the `RoleManagement.ReadWrite.Exchange` API permission
- Generate a new client secret

### 2. Get Authentication Token

Use this curl command to obtain a bearer token:

```bash
curl -X POST 'https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'client_id={client-id}&scope=https://graph.microsoft.com/.default&client_secret={client-secret}&grant_type=client_credentials'
```

### 3. Find the Correct Role Definition

Query the available role definitions to find the one for Role Management:

```bash
curl -X GET 'https://graph.microsoft.com/beta/roleManagement/exchange/roleDefinitions' \
  -H 'Authorization: Bearer {your-token}'
```

Look for the role whose description contains: "This role enables administrators to manage management role groups; role assignment"

### 4. Assign the Role

With the role ID identified, assign it to your user account:

```bash
curl -X POST 'https://graph.microsoft.com/beta/roleManagement/exchange/roleAssignments' \
  -H 'Authorization: Bearer {your-token}' \
  -H 'Content-Type: application/json' \
  -d '{
    "principalId": "/Users/{your-user-id}",
    "roleDefinitionId": "{role-definition-id}",
    "directoryScopeId": "/"
  }'
```

### 5. Verify and Complete

After the role assignment succeeds:

- Open Exchange Online PowerShell
- Verify that `Get-RoleGroup` now works
- Use PowerShell commands to restore the remaining needed permissions
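As an added example (not the gist author's code), the following Python script automates steps 3 and 4: it selects the Role Management definition by the description fragment quoted in step 3, refuses to continue unless exactly one definition matches, and posts the same assignment body as the curl command. It assumes the bearer token from step 2 is already in hand, uses only the standard library, and the `SAMPLE_ROLE_DEFINITIONS` response at the bottom is constructed so the lookup logic can be exercised offline.

```python
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/beta/roleManagement/exchange"
# Description fragment that the gist says identifies the Role Management role.
ROLE_MGMT_DESCRIPTION = ("This role enables administrators to manage management "
                         "role groups; role assignment")

def find_role_management_definition(role_definitions):
    """Step 3: the one definition whose description contains the fragment.
    Raises when zero or several match so the wrong role is never assigned."""
    matches = [d for d in role_definitions.get("value", [])
               if ROLE_MGMT_DESCRIPTION in (d.get("description") or "")]
    if len(matches) != 1:
        raise LookupError(f"expected 1 Role Management definition, found {len(matches)}")
    return matches[0]

def build_assignment(user_id, role_definition_id, scope="/"):
    """Step 4: request body in the same shape as the gist's curl payload."""
    return {"principalId": f"/Users/{user_id}",
            "roleDefinitionId": role_definition_id,
            "directoryScopeId": scope}

def graph(method, path, token, body=None):
    """Minimal Graph call (standard library only); urllib raises on non-2xx."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(GRAPH + path, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    if body is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def restore_role_management(token, user_id):
    """Steps 3 and 4 end to end; token is the bearer token from step 2."""
    role = find_role_management_definition(graph("GET", "/roleDefinitions", token))
    return graph("POST", "/roleAssignments", token, build_assignment(user_id, role["id"]))

# Constructed sample of a roleDefinitions response: ids and wording are made up,
# but the second description contains the fragment the gist tells you to look for.
SAMPLE_ROLE_DEFINITIONS = {"value": [
    {"id": "11111111-aaaa-4aaa-8aaa-111111111111", "displayName": "Mailbox Import Export",
     "description": "This role enables administrators to import and export mailbox content."},
    {"id": "22222222-bbbb-4bbb-8bbb-222222222222", "displayName": "Role Management",
     "description": "This role enables administrators to manage management role groups; "
                    "role assignment policies; and management roles."},
]}
```

Because the token request uses the client-credentials grant, the permission added in step 1 must be an application permission with admin consent granted. Once `Get-RoleGroup` works again, delete the client secret or the whole registration, since it holds tenant-wide Exchange role management rights.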
## Prevention Tips

To avoid similar issues in the future:

- Always back up role configurations before making changes
- Use PowerShell scripts to document current permissions
- Test changes in a non-production environment first
- Consider using role groups instead of modifying built-in roles

## Conclusion

While losing critical role permissions can be stressful, the Microsoft Graph API provides a reliable way to recover access. Remember to keep your role management procedures documented and always maintain backup admin accounts with appropriate permissions.

Have you encountered similar issues with Exchange Online role management? Share your experiences in the comments below.