Delegated Admin (Partner) able to convert tennant mailbox to shared.
Currently there is an issue with permissions if you use the partner delegated admin to convert a user to a shared mailbox. You must log into the tenant as a global admin in order to accomplish this.
As a delegated admin we should be able to manipulate mailboxes as needed to ensure an enjoyable client experience.
Laurent S
shared this idea
28 comments
-
Anonymous
commented
Yes there is so much that doesn't work as a delegated admin and no effort on Micorosofts part to gt these things fixed.
-
Alex
commented
Final comment for today ... While researching this, I found another request which includes a broader ranger of activities we should all be able to do as Delegated Admin. See https://office365.uservoice.com/forums/273493-office-365-admin/suggestions/36925324-partner-admin-restrictions
==============================================================
I logged a ticket with MS who provided the following details on what is restricted to techs using the delegated partner admin portal.delegated admin will have no access to
1. Cannot convert User Mailbox to Shared Mailbox ( Vice versa )
2. Will not be able to export eDiscovery results.
3. Cannot delete the mail contacts and Mail Users.
4. Cannot Export search results of Content Search.
5. Cannot create guest user.
6. Cannot Enable MFA.
7. Several security and compliance features are not visible to the partner's from Security and Compliance portal
8. Cannot download the EMT Results.I believe that all of these features should be available on the portal.
============================================================== -
Alex
commented
Additional thought to my previous comment below: This feels like a permission issue. Can this not be adjusted in the AAD or Azure anywhere?
-
Alex
commented
How can an MSP using CSP do something as simple as changing a User mailbox to a Shared Mailbox WITHOUT logging as a Global Admin.
As an MSP it is simply not practical to share Global Admin passwords with our engineers
Is there a way to create Powershell scripts to perform this task safely and without compromising long term security ?
-
Anonymous
commented
As Joel points out, Shared admin accounts is the only viable solution to is insane restriction on Partners.
-
Joel
commented
I would like to understand why Microsoft would limit the Partner admin user’s ability to convert from or to a shared mailbox when they can perform just about any other Exchange Online administrative tasks with a Partner admin account. There was no explanation from Microsoft as to why the Partner admin users cannot perform this administrative task. Because converting to or from a shared mailbox was at one time possible, I believe that Microsoft should be identifying this as an issue and not ‘by design’.
We administer the user accounts for 200+ tenants. In order to perform this simple function, we need to create and manage an admin account on each of our customer’s tenants. This means creating at least 200+ admin accounts for each tenant. Since we have multiple people in our Support department, does Microsoft suggest we create a separate admin account for each Support individual on each of our 200+ customer tenants? Can you imagine how difficult it would be to manage this? Shared accounts are a significant security concern. According to the documentation from Microsoft, converting a former employee’s mailbox to a shared mailbox is a recommended best practice:
https://docs.microsoft.com/en-us/office365/admin/add-users/remove-former-employee?view=o365-worldwide#forward-a-former-employees-email-to-another-employee-or-convert-to-a-shared-mailbox -
Anonymous
commented
Suddenly ran into this one today after it not being an issue for dozens of previous conversions. If this has been intended behaviour since October 2016 then I'd like to know why it's taken such a long time to roll out across the platform.
I don't really understand why any limiting of delegate admin is intended behaviour if it really is intended, we as delegates can just take 10 seconds to make a global admin and do what we wanted anyway.
I find it also quite odd that Microsoft insists throughout its training material, exams, and documentation that delegate admins have "global admin" permissions even though we don't. There is no official list of things we can and can't manage as far as I can see.
If Microsoft aren't willing to make the permissions match their documentation, they could at least make their documentation match the permissions. -
Anonymous
commented
This is the ludicrous response I got from Microsoft Support...
My name is Deepak Rohila, one of the Technical Lead from Microsoft Partners Support.
I am responding regarding your Office 365 service request 13337620.I was reviewing the case & found that this is by design.
You must have a Global Admin account and permissions to perform such actions.Below are some of the known issues with AOBO (Admin on behalf of)
Exchange Online perspective, delegated admin will have no access to
Cannot convert User Mailbox to Shared Mailbox ( Vice versa )
Will not be able to export eDiscovery results.
Cannot delete the mail contacts and Mail Users.
Cannot Export search results of Content Search.
Cannot create guest user.
Cannot Enable MFA.
Several security and compliance features are not visible to the partner's from Security and Compliance portal
Cannot download the EMT Results.
SharePoint Online, delegated admin will have no access to
Initiate Site Workflow
Manage Site Workflow
Edit User profiles
Below Admin centers will not be accessible by Delegated admin
OneDrive
Yammer
PowerApps
Flow &
Security & Compliance CenterThey keep stating it's "by design" & yet previously I've been able to convert to shared as Delegated Admin - which by definition means its not "by design".
Microsoft yet again ignoring their partners.
-
Anonymous
commented
This is a really important feature that needs to be made available via delegated admin
-
Anonymous
commented
This is a really important feature that needs to be made available via delegated admin
-
MC
commented
Converting tenant mailbox to shared with delegate admin works from the GUI, but not from PowerShell.
Managing 70+ tenants, and making sure all our employees has a Global Admin to all tenants is a hassle.The error from PowerShell is:
Error on proxy command 'Set-Mailbox -Type:'Shared' -Identity:'<user identity>' -Confirm:$False -Force:$True' to server VI
1P191MB0399.EURP191.PROD.OUTLOOK.COM: Server version 15.20.1516.0000, Proxy method PSWS:
Request return error with following error message:
The remote server returned an error: (401) Unauthorized.. [Server=AM6P191MB0295,RequestId=7ce90cbc-9655-4310-a101-22c2a
070b3b3,TimeStamp=17-01-2019 07:18:42] .
+ CategoryInfo : NotSpecified: (:) [Set-Mailbox], CmdletProxyException
+ FullyQualifiedErrorId : Microsoft.Exchange.Configuration.CmdletProxyException,Microsoft.Exchange.Management.Reci
pientTasks.SetMailbox
+ PSComputerName : outlook.office365.com -
Anonymous
commented
It used to work with the Partner log in! Then it only worked in the Exchange Admin console. Now it only works with the Global admin login.
Not great when you are managing dozens of tenants.
-
Brady Houser
commented
This would be super helpful. I think the whole idea is that you don't need to sign into the global admin all the time but you have to for this...
-
MJ
commented
hope to get this feature soon
-
Jacob Wiley
commented
This is an issue again, just tried to convert a mailbox connected to exchange online as a delegated admin and command fails with unauthorized 401. Others on my team get the same issue. get-mailbox works so I know we are actually connected to the tenant.
-
seanbean
commented
This feature would be very helpful for us.
-
Cang Dao
commented
We really need this feature.
-
Steve
commented
A very common admin task that can't be done as a delegated admin! We have recently switched to this away from tenant based global admin. How many more tasks are we going to find can't be done.
-
Anonymous
commented
Seriously microsoft, WTF???? You say it's by design that a delegated admin cannot convert a mailbox to shared. Yet the option to do so is there in EAC, and when you click it, it goes green and says you have successfully converted the mailbox to shared, but it doesnt do anything.
For a start, why would a delegated admin not be able to perform this simple task. We can delete mailboxes and everything else??????
Secondly, if its a restriction by design then why is the option there and why does it say it was successful when we use it?
Never seen anything more stupid. Why make it hard for someone who is selling your product for you??????? -
David Bennett
commented
This fault and others affecting delegate admin is really making life more difficult for those of us in the trenches.