Delegated Admin (Partner) able to convert tenant mailbox to shared.
Currently there is an issue with permissions if you use the partner delegated admin to convert a user to a shared mailbox. You must log into the tenant as a global admin in order to accomplish this.
As a delegated admin we should be able to manipulate mailboxes as needed to ensure an enjoyable client experience.
Dave Webster commented
Just adding to this.
I did have an interesting conversation with someone at MS today, as the new protection center sent me over the edge, so in my really polite way I gave it to the support tech full bore with regards to this, and they told me decisions in relation to UserVoice items are made based on the number of votes they receive, to which I explained admins and especially partners are only going to be a really small % of the user base, but yet we are the guys and girls who have to use this stuff.
So I'm now left wondering if we need to start abusing our power and sending out requests to our customers to start voting on these items so they can get enough votes to actually get some action on otherwise it's just going to be more of the same crud rolled out from the MS teams.
The other preferred option would be if MS had a different portal for partners to use and report items back to, so our voices don't get lost in the crowd.
Seriously, if we all sent a mailer out asking nicely if all users could just click this link and throw us a few votes on to make our job easier, I wonder how long before this was the top item.
Back to the main item though: one issue with these global admins under the tenants is that, with them being unlicensed, you can't use 2FA, so they are actually less secure than just using your own logins, which are well monitored and have 2FA.
Being an MS Partner is rapidly just becoming a punchline to a joke.
Starting on August 1st, Microsoft requires 2-step authentication, which by default is a good thing. However: this means only one user can use the global admin account, who might not be available (vacation/sick). This means it is a really big issue that a delegated admin cannot do certain things that a global admin can do. Please fix ASAP!!!!
It also seems that Microsoft does not allow Partner to even set up email forwarding on the Admin Center's Active Users Page now. Can you confirm if you're having the same issue now?
Yes, there is so much that doesn't work as a delegated admin and no effort on Microsoft's part to get these things fixed.
Final comment for today ... While researching this, I found another request which includes a broader range of activities we should all be able to do as Delegated Admin. See https://office365.uservoice.com/forums/273493-office-365-admin/suggestions/36925324-partner-admin-restrictions
I logged a ticket with MS who provided the following details on what is restricted to techs using the delegated partner admin portal.
Delegated admin will have no access to:
1. Cannot convert User Mailbox to Shared Mailbox ( Vice versa )
2. Will not be able to export eDiscovery results.
3. Cannot delete the mail contacts and Mail Users.
4. Cannot Export search results of Content Search.
5. Cannot create guest user.
6. Cannot Enable MFA.
7. Several security and compliance features are not visible to the partners from the Security and Compliance portal
8. Cannot download the EMT Results.
I believe that all of these features should be available on the portal.
Additional thought to my previous comment below: This feels like a permission issue. Can this not be adjusted in the AAD or Azure anywhere?
How can an MSP using CSP do something as simple as changing a User mailbox to a Shared Mailbox WITHOUT logging in as a Global Admin?
As an MSP it is simply not practical to share Global Admin passwords with our engineers.
Is there a way to create PowerShell scripts to perform this task safely and without compromising long term security?
As Joel points out, shared admin accounts are the only viable solution to this insane restriction on Partners.
I would like to understand why Microsoft would limit the Partner admin user’s ability to convert from or to a shared mailbox when they can perform just about any other Exchange Online administrative tasks with a Partner admin account. There was no explanation from Microsoft as to why the Partner admin users cannot perform this administrative task. Because converting to or from a shared mailbox was at one time possible, I believe that Microsoft should be identifying this as an issue and not ‘by design’.
We administer the user accounts for 200+ tenants. In order to perform this simple function, we need to create and manage an admin account on each of our customer’s tenants. This means creating at least 200+ admin accounts for each tenant. Since we have multiple people in our Support department, does Microsoft suggest we create a separate admin account for each Support individual on each of our 200+ customer tenants? Can you imagine how difficult it would be to manage this? Shared accounts are a significant security concern. According to the documentation from Microsoft, converting a former employee’s mailbox to a shared mailbox is a recommended best practice:
Suddenly ran into this one today after it not being an issue for dozens of previous conversions. If this has been intended behaviour since October 2016 then I'd like to know why it's taken such a long time to roll out across the platform.
I don't really understand why any limiting of delegate admin is intended behaviour if it really is intended, we as delegates can just take 10 seconds to make a global admin and do what we wanted anyway.
I find it also quite odd that Microsoft insists throughout its training material, exams, and documentation that delegate admins have "global admin" permissions even though we don't. There is no official list of things we can and can't manage as far as I can see.
If Microsoft aren't willing to make the permissions match their documentation, they could at least make their documentation match the permissions.
This is the ludicrous response I got from Microsoft Support...
My name is Deepak Rohila, one of the Technical Lead from Microsoft Partners Support.
I am responding regarding your Office 365 service request 13337620.
I was reviewing the case & found that this is by design.
You must have a Global Admin account and permissions to perform such actions.
Below are some of the known issues with AOBO (Admin on behalf of)
Exchange Online perspective, delegated admin will have no access to:
Cannot convert User Mailbox to Shared Mailbox ( Vice versa )
Will not be able to export eDiscovery results.
Cannot delete the mail contacts and Mail Users.
Cannot Export search results of Content Search.
Cannot create guest user.
Cannot Enable MFA.
Several security and compliance features are not visible to the partners from the Security and Compliance portal
Cannot download the EMT Results.
SharePoint Online, delegated admin will have no access to:
Initiate Site Workflow
Manage Site Workflow
Edit User profiles
Below Admin centers will not be accessible by Delegated admin:
Security & Compliance Center
They keep stating it's "by design" & yet previously I've been able to convert to shared as Delegated Admin - which by definition means it's not "by design".
Microsoft yet again ignoring their partners.
This is a really important feature that needs to be made available via delegated admin
Converting tenant mailbox to shared with delegate admin works from the GUI, but not from PowerShell.
Managing 70+ tenants, and making sure all our employees have a Global Admin to all tenants, is a hassle.
The error from PowerShell is:
Error on proxy command 'Set-Mailbox -Type:'Shared' -Identity:'<user identity>' -Confirm:$False -Force:$True' to server VI1P191MB0399.EURP191.PROD.OUTLOOK.COM: Server version 15.20.1516.0000, Proxy method PSWS:
Request return error with following error message:
The remote server returned an error: (401) Unauthorized.. [Server=AM6P191MB0295,RequestId=7ce90cbc-9655-4310-a101-22c2a070b3b3,TimeStamp=17-01-2019 07:18:42] .
+ CategoryInfo : NotSpecified: (:) [Set-Mailbox], CmdletProxyException
+ FullyQualifiedErrorId : Microsoft.Exchange.Configuration.CmdletProxyException,Microsoft.Exchange.Management.Reci
+ PSComputerName : outlook.office365.com
It used to work with the Partner log in! Then it only worked in the Exchange Admin console. Now it only works with the Global admin login.
Not great when you are managing dozens of tenants.
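As an added example (not from the thread or from Microsoft), a PowerShell loop that tries the conversion across several tenants through the partner connection and, instead of stopping at the first failure, records every tenant that returns the 401 CmdletProxyException shown above so those can be handed to whoever holds that tenant's MFA-protected global admin account. It assumes the ExchangeOnlineManagement module (Connect-ExchangeOnline -DelegatedOrganization); the tenant and mailbox names are placeholders.

```powershell
# Added example, not the thread author's script. Assumes the ExchangeOnlineManagement
# module is installed and the caller is signed in with a partner (delegated admin) account.
# Tenant and mailbox values below are placeholders.
$targets = @(
    @{ Tenant = 'contoso.onmicrosoft.com';  Mailbox = 'former.employee@contoso.com' },
    @{ Tenant = 'fabrikam.onmicrosoft.com'; Mailbox = 'leaver@fabrikam.com' }
)

$needsGlobalAdmin = @()

foreach ($t in $targets) {
    # Partner connection into the customer tenant; no customer credentials involved.
    Connect-ExchangeOnline -DelegatedOrganization $t.Tenant -ShowBanner:$false

    try {
        # Read access proves the session is in the right tenant before attempting a write
        # (the thread notes Get-Mailbox succeeds even when Set-Mailbox is refused).
        $mbx = Get-Mailbox -Identity $t.Mailbox -ErrorAction Stop
        if ($mbx.RecipientTypeDetails -eq 'SharedMailbox') {
            Write-Host "$($t.Mailbox) in $($t.Tenant) is already shared, skipping"
            continue
        }

        Set-Mailbox -Identity $t.Mailbox -Type Shared -ErrorAction Stop
        Write-Host "Converted $($t.Mailbox) in $($t.Tenant)"
    }
    catch {
        # The delegated-admin failure from the post: a CmdletProxyException carrying a 401.
        # Match on the error id and message text rather than a .NET type, because the
        # exception arrives deserialized from the remote session.
        $isDelegatedAdminDenied = ($_.FullyQualifiedErrorId -match 'CmdletProxyException') -and
                                  ($_.Exception.Message -match '401')
        if ($isDelegatedAdminDenied) {
            $needsGlobalAdmin += [pscustomobject]@{ Tenant = $t.Tenant; Mailbox = $t.Mailbox }
        } else {
            throw   # anything else is a real error and should surface
        }
    }
    finally {
        Disconnect-ExchangeOnline -Confirm:$false
    }
}

# Hand-off list for the person holding the MFA-protected global admin role in each tenant.
$needsGlobalAdmin | Format-Table -AutoSize
```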
Brady Houser commented
This would be super helpful. I think the whole idea is that you don't need to sign into the global admin all the time but you have to for this...
Hope to get this feature soon.
Jacob Wiley commented
This is an issue again, just tried to convert a mailbox connected to Exchange Online as a delegated admin and the command fails with unauthorized 401. Others on my team get the same issue. Get-Mailbox works, so I know we are actually connected to the tenant.
This feature would be very helpful for us.
Cang Dao commented
We really need this feature.