Delegated Admin (Partner) able to convert tenant mailbox to shared.
Currently there is an issue with permissions if you use the partner delegated admin to convert a user to a shared mailbox. You must log into the tenant as a global admin in order to accomplish this.
As a delegated admin we should be able to manipulate mailboxes as needed to ensure an enjoyable client experience.
Still experienced this issue today with trying to convert user to a shared mailbox... This really needs to be fixed to keep things secure. Otherwise non-MFA admin accounts will be created by MSPs so multiple techs can manage client accounts.
Update, this is now available via the Office 365 admin portal. You need to have your CSP status in check and have DAP enabled for your customer tenancies then you can use the new Organization Switcher to flick between tenants. https://www.microsoft.com/en-us/microsoft-365/roadmap?rtc=1&filters=&searchterms=60975
This limitation is outlined in the convert a mailbox page listed below. You need to be a global admin of the tenant in which you are trying to do the conversion.
These limitations make no sense. As a delegated admin, I could easily create a new global admin user, log in using his credentials and make all required changes. In other words, I have the actual permissions to do everything. So why make me jump through several hoops first?
Has anyone at Microsoft acknowledged this will be addressed? Currently the CSP delegate admin is not only useless but it forces partners into managing their customers in less secure configurations.
At the very least they could clarify their documentation because it is misleading to say that the delegate admin will have Global Admin privileges.
Hi, I saw a post: This is the ludicrous response I got from Microsoft Support...
My name is Deepak Rohila, one of the Technical Leads from Microsoft Partners Support.
I am responding regarding your Office 365 service request 13337620.
I was reviewing the case & found that this is by design.
You must have a Global Admin account and permissions to perform such actions.
Below are some of the known issues with AOBO (Admin on behalf of)
Exchange Online perspective, delegated admin will have no access to
Cannot convert User Mailbox to Shared Mailbox ( Vice versa )
Will not be able to export eDiscovery results.
Cannot delete the mail contacts and Mail Users.
Cannot Export search results of Content Search.
Cannot create guest user.
Cannot Enable MFA.
Several security and compliance features are not visible to the partner's from Security and Compliance portal
Cannot download the EMT Results.
SharePoint Online, delegated admin will have no access to
Initiate Site Workflow
Manage Site Workflow
Edit User profiles
Below Admin centers will not be accessible by Delegated admin
Security & Compliance Center
They keep stating it's "by design" & yet previously I've been able to convert to shared as Delegated Admin - which by definition means it's not "by design".
Is there any public document available for this...
This needs to be corrected. I have multiple clients and it is a pain not being able to complete all tasks associated with administration of their O365 accounts.
This is much needed, but on top of this, why does a user need to be a Global Admin? Isn't that a bit of overkill? ... and exchange admin can't convert?
This is surely a must have!
Here are my two cents:
Lots of issues can be fixed from our end without interacting with the customer. This will reduce our workload trying to get hold of the client. A nightmare if you have to deal with Microsoft and the client at the same time. We should have a global admin permission to better assist our customers and make life a bit easier for us.
Michael Schunder commented
It is still a huge issue.
We need to be able to do everything as delegated admins, so please fix that asap!
If you don't want to implement this, at least make a useful Error msg!
Stephen Eble commented
Just came to say between this, and the security and compliance center not being available I seem to find something new every week that prohibits me from doing my job.
Dave Webster commented
Just adding to this.
I did have an interesting conversation with someone at MS today as the new protection center sent me over the edge so in my really polite way I gave it to the support tech full bore with regards to this and they told me decisions in relation to uservoice items are decided on based on the number of votes they receive to which I explained admins and especially partners are only going to be a really small % of the user base but yet we are the guys and girls who have to use this stuff.
So I'm now left wondering if we need to start abusing our power and sending out requests to our customers to start voting on these items so they can get enough votes to actually get some action on otherwise it's just going to be more of the same crud rolled out from the MS teams.
The other preferred option would be if MS had a different portal for partners to use and report items back to so our voices don't get lost in the crowd.
Seriously, if all sent a mailer out asking nicely if all users could just click this link and throw us a few votes on to make our job easier I wonder how long before this was the top item.
Back to the main item though, one issue with these global admin under the tenants is with them being unlicensed you can't use 2FA so they are actually less secure than just using your own logins what are well monitored and have 2FA.
Being an MS Partner is rapidly just becoming a punchline to a joke.
Starting on August 1st, Microsoft requires 2-step authentication, what by default is a good thing. However: This means only one user can use the global admin account; who might not be available (vacation/sick). This means it is a really big issue that a delegated admin cannot do certain things what a global admin can do. Please fix ASAP!!!!
It also seems that Microsoft does not allow Partner to even set up email forwarding on the Admin Center's Active Users Page now. Can you confirm if you're having the same issue now?
Yes, there is so much that doesn't work as a delegated admin and no effort on Microsoft's part to get these things fixed.
Final comment for today ... While researching this, I found another request which includes a broader range of activities we should all be able to do as Delegated Admin. See https://office365.uservoice.com/forums/273493-office-365-admin/suggestions/36925324-partner-admin-restrictions
I logged a ticket with MS who provided the following details on what is restricted to techs using the delegated partner admin portal.
delegated admin will have no access to
1. Cannot convert User Mailbox to Shared Mailbox ( Vice versa )
2. Will not be able to export eDiscovery results.
3. Cannot delete the mail contacts and Mail Users.
4. Cannot Export search results of Content Search.
5. Cannot create guest user.
6. Cannot Enable MFA.
7. Several security and compliance features are not visible to the partner's from Security and Compliance portal
8. Cannot download the EMT Results.
I believe that all of these features should be available on the portal.
Additional thought to my previous comment below: This feels like a permission issue. Can this not be adjusted in the AAD or Azure anywhere?
How can an MSP using CSP do something as simple as changing a User mailbox to a Shared Mailbox WITHOUT logging as a Global Admin?
As an MSP it is simply not practical to share Global Admin passwords with our engineers.
Is there a way to create PowerShell scripts to perform this task safely and without compromising long term security?