Scott Townsend asked:

Office365 Admin Can't Administer anymore?

We have a Hybrid Exchange 2010 deployment. Our AD is on premise and we have AD-Cloud Sync.
 
We have 3 admins on our IT team. All 3 users have no issues with the on premise Exchange 2010 system. Users 1 and 2 have no issues with the online admin center. User 3 has a very strange issue with the admin portal.
 
User 3 can log in to the online admin portal without issue. The issues start when user 3 tries to make any changes via the Office 365 Administration Portal. Example: if user 3 tries to forward someone's email, he can make the changes, but when he hits save, it spins and spins and finally errors out with "Couldn't update mailbox email forwarding info." Users 1 and 2 can go in and forward that email without issue.
 
Another example: User 1 or 2 forwards someone's email. They save changes without issue. We test that email, and it is forwarding. If user 3 logs in to the admin portal and checks on that user, it shows no forwarding enabled.

Another example: if user 3 tries to initiate a 'New-PSSession' in PowerShell to start a 'Start-ADSyncSyncCycle', they get the following error:
New-PSSession : [ps.outlook.com] Connecting to remote server ps.outlook.com failed with the following error message :
[ClientAccessServer=BY5PR17CA0003,BackEndServer=,RequestId=f976645c-43f5-4fdb-9971-ffbc5a85abd1,TimeStamp=11/1/2019
5:17:43 PM] Access Denied For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:13
+ $Session2 = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri h ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotin
   gTransportException
    + FullyQualifiedErrorId : -2144108477,PSSessionOpenFailed


When looking up that error, we find many references to servers and certificates and not being able to access Exchange Management/OWA, etc. on the on-premise servers, and to check that the server is not in any groups that have implicit Deny permissions. Though all of those references seem to imply that no one can access the server, not just the Administrator.

Users are not experiencing any issues.

We have reset User 3's password and rerun a sync cycle, and that did not seem to help. They are in all of the same groups.

I'm not sure where to start with this. Any help would be greatly appreciated.
Vasil Michev (MVP)

Might be some sort of provisioning issue. If the user isn't using any O365 services, you can try deleting/recreating the account. Resetting the permissions might help as well.

With a Hybrid deployment, many things have to be done using the on-premises server. I cannot say for sure, since we have O365 with AADConnect but are not Hybrid, but I have found that many things have to be done on-prem. We recently tried to hide users from the Address list. Users were synced via AADConnect but mail was in Office365 only, no hybrid. We had to extend the on-prem schema with Exchange and use ADSIEdit to hide them, a task normally done via the Exchange Management Console. Our other option was to install a hybrid server, and we did not want to go that route. I would try the task using the console on your hybrid server.
Scott Townsend (ASKER)

The user is an employee account, just like mine, and has all kinds of things associated with it. So deleting it would be a pretty big deal. The user can access all of the other services: Mail, Teams, etc.

We are aware of some of the on-prem vs. cloud management issues where only certain things can be maintained from the on-prem server. Though the things that this person was able to do last week, they are no longer able to do. I have Chrome logged in as User 3 and IE logged in as User 2, and user 2 has no issues doing anything that user 3 cannot, which they were able to before. Log out, switch browsers, and now they can't do it in IE and User 2 has no issues in Chrome. Tried several PCs/Macs, all with the same results for user 3.

It's like they got added to a list that has an implicit Deny or got removed from a permission list. User 3 is part of the Organization Management group; we made sure of that.

Thanks!
What I meant was to delete the user in the cloud, not on-premises. As long as he is not using any cloud services, recreating it should be easy, and might fix any provisioning-related issues.
His mailbox is in the cloud.
We contacted MS Support. They did some three-way back-end sync of the tenant, and the next morning we were able to use the User 3 account to administer things the way we should be able to via the Web Admin Portal, though the PowerShell commands still give an Access Denied error.

PS C:\Windows\system32> $Session2 = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outloo
k.com/powershell/ -Credential $LiveCred2
New-PSSession : [ps.outlook.com] Connecting to remote server ps.outlook.com failed with the following error message :
[ClientAccessServer=BYAPR11CA0095,BackEndServer=,RequestId=a970f7d5-41e8-486a-8114-5059205b2b57,TimeStamp=11/6/2019
5:54:20 PM] Access Denied For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:13
+ $Session2 = New-PSSession -ConfigurationName Microsoft.Exchange -Conn ...
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotin
   gTransportException
    + FullyQualifiedErrorId : -2144108477,PSSessionOpenFailed
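
A read-only way to test the hypothesis raised in the thread (that User 3 lost a permission the other admins still hold), as an added example that is not part of the original posts. It assumes an Exchange Online PowerShell session opened by an admin whose access works; the two addresses are placeholders, and `RemotePowerShellEnabled` is included as the per-user switch for remote PowerShell, which the thread itself does not mention.

```powershell
# Added example, not from the thread. Run in an Exchange Online PowerShell
# session opened by a working admin; the identities passed in are placeholders.
function Compare-AdminAccess {
    param(
        [Parameter(Mandatory)] [string] $WorkingAdmin,
        [Parameter(Mandatory)] [string] $BrokenAdmin
    )

    # Direct and indirect (via role group) assignments, as "Role via Assignee".
    function Get-EffectiveRole([string] $Who) {
        Get-ManagementRoleAssignment -RoleAssignee $Who -Delegating $false |
            ForEach-Object { '{0} via {1}' -f $_.Role, $_.RoleAssigneeName } |
            Sort-Object -Unique
    }

    $working = @(Get-EffectiveRole $WorkingAdmin)
    $broken  = @(Get-EffectiveRole $BrokenAdmin)

    # -notin tolerates empty arrays, so an admin with no assignments at all
    # shows up as "everything missing" instead of raising an error.
    $missing = @($working | Where-Object { $_ -notin $broken })
    $extra   = @($broken  | Where-Object { $_ -notin $working })

    # Per-user flag that allows or blocks remote PowerShell connections.
    $flags = foreach ($who in $WorkingAdmin, $BrokenAdmin) {
        Get-User -Identity $who |
            Select-Object UserPrincipalName, RemotePowerShellEnabled
    }

    [pscustomobject]@{
        MissingFromBrokenAdmin = $missing
        OnlyOnBrokenAdmin      = $extra
        RemotePowerShell       = $flags
    }
}

# Constructed placeholder identities standing in for User 2 and User 3.
Compare-AdminAccess -WorkingAdmin 'user2@contoso.example' `
                    -BrokenAdmin  'user3@contoso.example' | Format-List
```

Empty difference lists together with matching `RemotePowerShellEnabled` values rule out a role or per-user setting mismatch and point back at the provisioning state that support had to resynchronize.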
