Office 365: 403 Sorry! Access denied


A user receives the following error when trying to access Options from OWA in their Office 365 mailbox:


 Sorry! Access denied :(

 You don't have permission to open this page. If you're a new user or were recently assigned credentials, please wait 15 minutes and try again.

 You're still signed in. If you want to sign out, use the link below.
 sign out
 more info  

 Email address:
 Correlation ID:

 Client Access server name:
 Client Access server version:
 Time (UTC):


This happens when the user does not have the appropriate permission configured by the RBAC policy. There can be multiple reasons for that; a common one is that the Default RBAC policy becomes corrupted when the tenant is upgraded from Wave 14 to Wave 15.


First of all, we need to make sure that the problem is related to the RBAC policy. To do that, run two commands: the first shows which RBAC policy is assigned to the problematic mailbox, and the second checks whether the appropriate role is configured by that policy.

You have to be connected to your O365 tenant. First command:

Get-Mailbox -Identity <identity> | Select-Object -ExpandProperty RoleAssignmentPolicy

Just replace <identity> with the identity of the user experiencing the issue. You will receive the name of the RBAC policy applied to that particular mailbox.

The second command you need to execute:

Get-RoleAssignmentPolicy -Identity "Default Role Assignment Policy" | Select-Object -ExpandProperty AssignedRoles

In response to the command you will get the list of roles that are configured by that policy. It must include the management role called “MyBaseOptions”. That role contains the permissions a user needs to get and set their own mailbox options. In normal circumstances the output lists “MyBaseOptions” among the assigned roles.


There is an option to use a single command instead of the two above:

Get-Mailbox -Identity <identity> | Select-Object -ExpandProperty RoleAssignmentPolicy | Get-RoleAssignmentPolicy | Select-Object -ExpandProperty AssignedRoles

If you see that the “MyBaseOptions” role is not configured, that is the reason why the user receives error 403 when accessing OWA Options.
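To run the same check across every policy and mailbox in the tenant instead of one user at a time, the following audit can be used. It is an added example, not part of the original post; it assumes a session already connected to the tenant, and the variable names are illustrative.

```powershell
# Added example: tenant-wide check for role assignment policies that lack
# the role OWA Options depends on. Read-only; nothing is modified.
$RequiredRole = 'MyBaseOptions'   # role name taken from the post

# 1. Inspect every role assignment policy, not only the default one.
$policies = Get-RoleAssignmentPolicy | ForEach-Object {
    # In a remote session AssignedRoles arrives deserialized; force strings.
    $roles = @($_.AssignedRoles | ForEach-Object { "$_" })
    [pscustomobject]@{
        Policy      = $_.Name
        IsDefault   = $_.IsDefault
        HasRequired = $roles -contains $RequiredRole
        Roles       = $roles -join ', '
    }
}
$policies | Format-Table Policy, IsDefault, HasRequired -AutoSize

# 2. Names of the policies that would produce the 403 on OWA Options.
$broken = @($policies | Where-Object { -not $_.HasRequired } |
            ForEach-Object { $_.Policy })

# 3. Mailboxes bound to one of those policies.
#    -ResultSize Unlimited matters: without it Get-Mailbox stops at
#    1000 results and the rest of the tenant is silently skipped.
$affected = @(Get-Mailbox -ResultSize Unlimited |
              Where-Object { $broken -contains "$($_.RoleAssignmentPolicy)" })

# 4. Summary per policy, then the individual mailboxes.
$affected | Group-Object { "$($_.RoleAssignmentPolicy)" } |
    Select-Object Name, Count
$affected | Select-Object UserPrincipalName, RoleAssignmentPolicy
```

Keeping the contents of $affected gives a record of which mailboxes were on which policy before any change, which is useful if some of them were deliberately placed on a restricted custom policy.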


Instead of fixing the Default Role Assignment Policy, I would advise creating a new default policy and assigning it to all mailboxes. The advantage of that approach is that the potentially broken policy will not be used.

The first step is to create a new Role Assignment Policy with the appropriate roles and make it the default:

New-RoleAssignmentPolicy -Name DefaultRBAC -Roles @("MyBaseOptions","MyProfileInformation","MyContactInformation","MyDistributionGroups","MyDistributionGroupMembership","MyVoiceMail","MyTextMessaging","MyRetentionPolicies","MyMailSubscriptions","My Marketplace Apps","MyTeamMailboxes") -IsDefault:$True

Then you need to assign the newly created policy to all existing mailboxes in your organization:

Get-Mailbox | Set-Mailbox -RoleAssignmentPolicy DefaultRBAC

Please note that you have to wait up to 15 minutes before the new policy is applied. After the next login, the affected user should be able to access their OWA options.