This repository was archived by the owner on Jul 22, 2024. It is now read-only.

Get-MsolRoleMember : Access Denied. You do not have permissions to call this cmdlet. #425

@jgrzybo

Steps to reproduce

Have a Microsoft Partner Portal Account
Have Customers/tenants in the Portal
Have an account in the Partner portal
Be part of the security group AdminAgents
Have an Admin Relationship with a Customer with the Microsoft Entra roles: Global Administrator assigned
Assign the AdminAgents Security Group to the Admin Relationship
Open PowerShell
Run command "Connect-MsolService" and log in with the above-mentioned account

Run the following PowerShell script (GetGA.ps1)
#Working Tenant
#$tenantId = "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy"
#NotWorking Tenant
$tenantId = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
$roles = Get-MsolRole
#Write-Host $roles.Name
$role = Get-MsolRole -RoleName "Company Administrator"
$globalAdmins = Get-MsolRoleMember -RoleObjectId $role.ObjectId -TenantId $tenantId
Write-Host $globalAdmins.DisplayName

See the script works when the Working Tenant tenant id is uncommented
Output "Admin Company Admin Break Glass Admin"

See the script fail when the NotWorking Tenant tenant id is uncommented
Get-MsolRoleMember : Access Denied. You do not have permissions to call this cmdlet.
At C:\temp\GetGA.ps1:8 char:21
+ ... balAdmins = Get-MsolRoleMember -RoleObjectId $role.ObjectId -TenantId ...
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : OperationStopped: (:) [Get-MsolRoleMember], MicrosoftOnlineException
    + FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.AccessDeniedException,Microsoft.Online.Admini
      stration.Automation.GetRoleMember

Expected behavior

Would expect both runs to return a list of the Global Administrators for the respective tenant
Output "Admin Company Admin Break Glass Admin"

Actual behavior

On one of the accounts I get

Get-MsolRoleMember : Access Denied. You do not have permissions to call this cmdlet.
At C:\temp\GetGA.ps1:8 char:21
+ ... balAdmins = Get-MsolRoleMember -RoleObjectId $role.ObjectId -TenantId ...
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : OperationStopped: (:) [Get-MsolRoleMember], MicrosoftOnlineException
    + FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.AccessDeniedException,Microsoft.Online.Admini
      stration.Automation.GetRoleMember

Diagnostic logs

None

Environment

PSVersion 5.1.19041.4291
PSEdition Desktop
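
A diagnostic example added here (not part of the original issue and not the MSOnline project's code): it repeats the `Get-MsolRoleMember` call from GetGA.ps1 against every customer tenant the partner account can see and labels each result using the `AccessDeniedException` string from the `FullyQualifiedErrorId` quoted in the issue. The function name `Test-PartnerRoleMemberAccess` is hypothetical, and the example assumes `Connect-MsolService` has already been run with the partner account.

```powershell
# Added diagnostic example; not from the original issue.
# Assumes the MSOnline module is loaded and Connect-MsolService has already
# been run with the partner (AdminAgents) account.

function Test-PartnerRoleMemberAccess {
    [CmdletBinding()]
    param(
        # Customer tenant IDs to probe. Defaults to every partner contract
        # visible to the signed-in account.
        [Guid[]]$TenantId = (Get-MsolPartnerContract -All).TenantId,

        # Legacy MSOnline name for the Global Administrator role, as used in the issue.
        [string]$RoleName = 'Company Administrator'
    )

    # Same role lookup as GetGA.ps1.
    $role = Get-MsolRole -RoleName $RoleName -ErrorAction Stop

    foreach ($id in $TenantId) {
        $result = [pscustomobject]@{
            TenantId    = $id
            Status      = 'OK'
            MemberCount = $null
            ErrorId     = $null
        }
        try {
            # @() keeps .Count correct when zero or one member is returned.
            $members = @(Get-MsolRoleMember -RoleObjectId $role.ObjectId -TenantId $id -ErrorAction Stop)
            $result.MemberCount = $members.Count
        }
        catch {
            # Separate the access-denied case reported in the issue from any other failure.
            $result.ErrorId = $_.FullyQualifiedErrorId
            if ($_.FullyQualifiedErrorId -like '*AccessDeniedException*') {
                $result.Status = 'AccessDenied'
            }
            else {
                $result.Status = 'Error'
            }
        }
        $result
    }
}

# One row per customer tenant; AccessDenied rows are the ones to compare
# against the admin relationship and role assignment for that customer.
Test-PartnerRoleMemberAccess | Sort-Object Status | Format-Table -AutoSize
```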
