Feedback by UserVoice

How can we improve the tenant admin features O365?

Delegated Admin (Partner) able to convert tenant mailbox to shared.

Currently there is an issue with permissions if you use the partner delegated admin to convert a user to a shared mailbox. You must log into the tenant as a global admin in order to accomplish this.

As a delegated admin we should be able to manipulate mailboxes as needed to ensure an enjoyable client experience.

393 votes
Laurent S shared this idea

28 comments

  • Anonymous commented

    Yes, there is so much that doesn't work as a delegated admin and no effort on Microsoft's part to get these things fixed.

  • Alex commented

    Final comment for today ... While researching this, I found another request which includes a broader range of activities we should all be able to do as Delegated Admin. See https://office365.uservoice.com/forums/273493-office-365-admin/suggestions/36925324-partner-admin-restrictions

    ==============================================================
    I logged a ticket with MS who provided the following details on what is restricted to techs using the delegated partner admin portal.

    delegated admin will have no access to
    1. Cannot convert User Mailbox to Shared Mailbox ( Vice versa )
    2. Will not be able to export eDiscovery results.
    3. Cannot delete the mail contacts and Mail Users.
    4. Cannot Export search results of Content Search.
    5. Cannot create guest user.
    6. Cannot Enable MFA.
    7. Several security and compliance features are not visible to the partners from Security and Compliance portal
    8. Cannot download the EMT Results.

    I believe that all of these features should be available on the portal.
    ==============================================================

  • Alex commented

    Additional thought to my previous comment below: This feels like a permission issue. Can this not be adjusted in the AAD or Azure anywhere?

  • Alex commented

    How can an MSP using CSP do something as simple as changing a User mailbox to a Shared Mailbox WITHOUT logging in as a Global Admin?

    As an MSP it is simply not practical to share Global Admin passwords with our engineers.

    Is there a way to create PowerShell scripts to perform this task safely and without compromising long term security?

  • Anonymous commented

    As Joel points out, shared admin accounts are the only viable solution to this insane restriction on Partners.

  • Joel commented

    I would like to understand why Microsoft would limit the Partner admin user’s ability to convert from or to a shared mailbox when they can perform just about any other Exchange Online administrative tasks with a Partner admin account. There was no explanation from Microsoft as to why the Partner admin users cannot perform this administrative task. Because converting to or from a shared mailbox was at one time possible, I believe that Microsoft should be identifying this as an issue and not ‘by design’.

    We administer the user accounts for 200+ tenants. In order to perform this simple function, we need to create and manage an admin account on each of our customer’s tenants. This means creating at least 200+ admin accounts for each tenant. Since we have multiple people in our Support department, does Microsoft suggest we create a separate admin account for each Support individual on each of our 200+ customer tenants? Can you imagine how difficult it would be to manage this? Shared accounts are a significant security concern. According to the documentation from Microsoft, converting a former employee’s mailbox to a shared mailbox is a recommended best practice:
    https://docs.microsoft.com/en-us/office365/admin/add-users/remove-former-employee?view=o365-worldwide#forward-a-former-employees-email-to-another-employee-or-convert-to-a-shared-mailbox

  • Anonymous commented

    Suddenly ran into this one today after it not being an issue for dozens of previous conversions. If this has been intended behaviour since October 2016 then I'd like to know why it's taken such a long time to roll out across the platform.

    I don't really understand why any limiting of delegate admin is intended behaviour if it really is intended, we as delegates can just take 10 seconds to make a global admin and do what we wanted anyway.

    I find it also quite odd that Microsoft insists throughout its training material, exams, and documentation that delegate admins have "global admin" permissions even though we don't. There is no official list of things we can and can't manage as far as I can see.
    If Microsoft aren't willing to make the permissions match their documentation, they could at least make their documentation match the permissions.

  • Anonymous commented

    This is the ludicrous response I got from Microsoft Support...
    My name is Deepak Rohila, one of the Technical Lead from Microsoft Partners Support.
    I am responding regarding your Office 365 service request 13337620.

    I was reviewing the case & found that this is by design.
    You must have a Global Admin account and permissions to perform such actions.

    Below are some of the known issues with AOBO (Admin on behalf of)

    Exchange Online perspective, delegated admin will have no access to
      Cannot convert User Mailbox to Shared Mailbox ( Vice versa )
      Will not be able to export eDiscovery results.
      Cannot delete the mail contacts and Mail Users.
      Cannot Export search results of Content Search.
      Cannot create guest user.
      Cannot Enable MFA.
      Several security and compliance features are not visible to the partner's from Security and Compliance portal
      Cannot download the EMT Results.

    SharePoint Online, delegated admin will have no access to
      Initiate Site Workflow
      Manage Site Workflow
      Edit User profiles

    Below Admin centers will not be accessible by Delegated admin
      OneDrive
      Yammer
      PowerApps
      Flow &
      Security & Compliance Center

    They keep stating it's "by design" & yet previously I've been able to convert to shared as Delegated Admin - which by definition means it's not "by design".

    Microsoft yet again ignoring their partners.

  • Anonymous commented

    This is a really important feature that needs to be made available via delegated admin

  • Anonymous commented

    This is a really important feature that needs to be made available via delegated admin

  • MC commented

    Converting tenant mailbox to shared with delegate admin works from the GUI, but not from PowerShell.
    Managing 70+ tenants, and making sure all our employees have a Global Admin to all tenants is a hassle.

    The error from PowerShell is:
    Error on proxy command 'Set-Mailbox -Type:'Shared' -Identity:'<user identity>' -Confirm:$False -Force:$True' to server VI1P191MB0399.EURP191.PROD.OUTLOOK.COM: Server version 15.20.1516.0000, Proxy method PSWS:
    Request return error with following error message:
    The remote server returned an error: (401) Unauthorized.. [Server=AM6P191MB0295,RequestId=7ce90cbc-9655-4310-a101-22c2a070b3b3,TimeStamp=17-01-2019 07:18:42] .
    + CategoryInfo : NotSpecified: (:) [Set-Mailbox], CmdletProxyException
    + FullyQualifiedErrorId : Microsoft.Exchange.Configuration.CmdletProxyException,Microsoft.Exchange.Management.RecipientTasks.SetMailbox
    + PSComputerName : outlook.office365.com

  • Anonymous commented

    It used to work with the Partner log in! Then it only worked in the Exchange Admin console. Now it only works with the Global admin login.

    Not great when you are managing dozens of tenants.

  • Brady Houser commented

    This would be super helpful. I think the whole idea is that you don't need to sign into the global admin all the time but you have to for this...

  • Jacob Wiley commented

    This is an issue again, just tried to convert a mailbox connected to exchange online as a delegated admin and command fails with unauthorized 401. Others on my team get the same issue. get-mailbox works so I know we are actually connected to the tenant.

  • Steve commented

    A very common admin task that can't be done as a delegated admin! We have recently switched to this away from tenant based global admin. How many more tasks are we going to find can't be done?

  • Anonymous commented

    Seriously Microsoft, WTF???? You say it's by design that a delegated admin cannot convert a mailbox to shared. Yet the option to do so is there in EAC, and when you click it, it goes green and says you have successfully converted the mailbox to shared, but it doesn't do anything.
    For a start, why would a delegated admin not be able to perform this simple task? We can delete mailboxes and everything else??????
    Secondly, if it's a restriction by design then why is the option there and why does it say it was successful when we use it?
    Never seen anything more stupid. Why make it hard for someone who is selling your product for you???????

  • David Bennett commented

    This fault and others affecting delegate admin are really making life more difficult for those of us in the trenches.
