User receiving following error when trying to access Options from OWA in his Office 365 mailbox:
403 Sorry! Access denied :( You don't have permission to open this page. If you're a new user or were recently assigned credentials, please wait 15 minutes and try again. You're still signed in. If you want to sign out, use the link below. sign out more info Email address: email@example.com Correlation ID: Client Access server name: xxxxx02MB045.namprd02.prod.outlook.com Client Access server version: 15.0.810.5 Time (UTC): 2000-10-02T11:23:47.5909377Z
That is happening if user do not have appropriate permission configured by RBAC policy. There could be multiple reasons for that, one of common ones is that Default RBAC policy become corrupted when tenant upgrading from Wave 14 to Wave 15.
First if all we need to make sure that problem is related to RBAC policy. To do that you need to run two commands, first one to see which RBAC policy assigned to problematic mailbox and second one to check if appropriate role is configured by that policy.
You have to be connected to your O365 tenant. First command:
Get-Mailbox -Identity firstname.lastname@example.org | Select-Object -Expand RoleAssignmentPolicy
Just replace email@example.com with user identity you experienced issues with. You will receive name of RBAC policy applied to that particular mailbox.
Second command you need to execute:
Get-RoleAssignmentPolicy -Identity "Default Role Assignment Policy" | Select-Object -ExpandProperty AssignedRoles
In response to the command you will get list of roles that are configured by that policy. It must include management role called “MyBaseOptions”. That role containing permission required to make user able to get and set its own mailbox options. In normal circumstances your output should look like (click on the picture to enlarge):
There is option to use single command instead of two above:
Get-Mailbox -Identity firstname.lastname@example.org | Select-object -exp RoleAssignmentPolicy | Get-RoleAssignmentPolicy | Select-Object -Expand AssignedRoles
In case you see that “MyBaseOptions” role is not configured, it is reason why user receiving error 403 when accessing OWA Options.
Instead of fixing Default Role Assignment Policy I would advice to create new default policy and assign that to all mailboxes. Advantage of that approach is that potentially broken policy will not be used.
First step is to create new Role Assignment Policy with appropriate roles and make it default:
New-RoleAssignmentPolicy -Name DefaultRBAC -Roles @("MyBaseOptions","MyProfileInformation","MyContactInformation","MyDistributionGroups","MyDistributionGroupMembership","MyVoiceMail","MyTextMessaging","MyRetentionPolicies","MyMailSubscriptions","My Marketplace Apps","MyTeamMailboxes") -IsDefault:$True
Then you need to assign newly created policy to all existing mailboxes in your organization:
Get-Mailbox | Set-Mailbox -RoleAssignmentPolicy DefaultRBAC
Please note that you have to wait up to 15 minutes before new policy will be applied. After next login affected user should be able to access their OWA options.