Office 365: 403 Sorry! Access denied

Problem

A user receives the following error when trying to open Options from OWA in their Office 365 mailbox:

403

 Sorry! Access denied :(

 You don't have permission to open this page. If you're a new user or were recently assigned credentials, please wait 15 minutes and try again.

 You're still signed in. If you want to sign out, use the link below.
 sign out
 more info  

 Email address:
 your@email.com
 Correlation ID:

 Client Access server name:
 xxxxx02MB045.namprd02.prod.outlook.com
 Client Access server version:
 15.0.810.5
 Time (UTC):
 2000-10-02T11:23:47.5909377Z

Cause

This happens when the user does not hold the permission that the RBAC (role based access control) policy assigned to the mailbox is supposed to grant. There can be several reasons for that; one of the common ones is that the Default Role Assignment Policy becomes corrupted when the tenant is upgraded from Wave 14 to Wave 15.

Troubleshooting

First of all, we need to confirm that the problem is really related to the RBAC policy. To do that you run two commands: the first one shows which role assignment policy is applied to the problematic mailbox, the second one checks whether that policy actually grants the required role.

You need an Exchange Online PowerShell session connected to your Office 365 tenant. First command:

Get-Mailbox -Identity your@email.com | Select-Object -Expand RoleAssignmentPolicy

Replace your@email.com with the identity of the affected user. The output is the name of the role assignment policy applied to that mailbox.

Second command to execute (replace the policy name with the one returned by the first command if it differs):

Get-RoleAssignmentPolicy -Identity "Default Role Assignment Policy" | Select-Object -ExpandProperty AssignedRoles

The output is the list of management roles granted by that policy. It must include the management role called "MyBaseOptions": that role carries the permission a user needs to read and change their own mailbox options, and without it every visit to OWA Options ends in the 403 page above. In a healthy tenant "MyBaseOptions" appears in that list next to the other My* roles (MyContactInformation, MyProfileInformation and so on).

The two commands above can be combined into a single pipeline:

Get-Mailbox -Identity your@email.com | Select-object -exp RoleAssignmentPolicy | Get-RoleAssignmentPolicy | Select-Object -Expand AssignedRoles

If "MyBaseOptions" is missing from the output, that is why the user receives error 403 when opening OWA Options. If it is present, the RBAC policy is not the cause and you need to look elsewhere (for example at the 15 minute provisioning delay mentioned in the error itself).
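Checking one mailbox at a time is fine for a single ticket, but a corrupted default policy usually affects every mailbox that uses it. The script below is an added example (not from the original post) that audits every role assignment policy in the tenant for "MyBaseOptions" and then lists every mailbox whose policy lacks it, or that has no policy at all. It assumes an existing Exchange Online PowerShell session (for example one opened with Connect-ExchangeOnline from the ExchangeOnlineManagement module, which is newer than this post); the function name Test-OwaOptionsRbac is my own.

```powershell
# Added example: audit all role assignment policies and mailboxes for the
# MyBaseOptions role. Assumes an Exchange Online PowerShell session is open.
# Function and variable names are illustrative, not from the original post.
function Test-OwaOptionsRbac {
    param(
        # Role that OWA Options requires; MyBaseOptions is the Exchange built-in name
        [string]$RequiredRole = 'MyBaseOptions'
    )

    # Map policy name -> whether it grants the required role.
    # AssignedRoles comes back as role identifiers; "$_" yields the role name
    # both for live ADObjectId values and for the strings a remote session returns.
    $policyHasRole = @{}
    foreach ($policy in Get-RoleAssignmentPolicy) {
        $roleNames = @($policy.AssignedRoles | ForEach-Object { "$_" })
        $grantsRole = [bool]($roleNames | Where-Object { $_ -eq $RequiredRole })
        $policyHasRole[$policy.Name] = $grantsRole
        if (-not $grantsRole) {
            Write-Warning "Policy '$($policy.Name)' does not grant $RequiredRole (IsDefault=$($policy.IsDefault))"
        }
    }

    # -ResultSize Unlimited: the default cap of 1000 would silently skip mailboxes
    foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        $policyName = "$($mbx.RoleAssignmentPolicy)"
        $reason = $null
        if (-not $policyName) {
            $reason = 'no role assignment policy'
        }
        elseif (-not $policyHasRole.ContainsKey($policyName)) {
            $reason = "policy '$policyName' not found"
        }
        elseif (-not $policyHasRole[$policyName]) {
            $reason = "policy '$policyName' lacks $RequiredRole"
        }
        if ($reason) {
            # Emit one object per affected mailbox so the result can be piped onward
            [pscustomobject]@{
                Mailbox = $mbx.PrimarySmtpAddress
                Policy  = $policyName
                Reason  = $reason
            }
        }
    }
}

# Usage: list every mailbox that will hit the 403 on OWA Options
Test-OwaOptionsRbac | Format-Table -AutoSize
```

An empty result means every mailbox sits on a policy that grants MyBaseOptions, so the RBAC policy is not your problem. A mailbox reported with "no role assignment policy" is worth a look on its own: it will fail the same way even though the default policy is healthy.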

Resolution

Instead of fixing the Default Role Assignment Policy I would advise creating a new default policy and assigning it to all mailboxes. The advantage of this approach is that the potentially broken policy is simply no longer used, and it is much easier to verify that a freshly created policy contains exactly the roles you expect. Before you copy the role list below, review it: the role assignment policy defines what every end user may change about their own mailbox, so grant only the roles your organisation actually wants users to have (for example, drop MyDistributionGroups if users should not be allowed to create distribution groups).

The first step is to create a new role assignment policy with the appropriate roles and make it the default:

New-RoleAssignmentPolicy -Name DefaultRBAC -Roles @("MyBaseOptions","MyProfileInformation","MyContactInformation","MyDistributionGroups","MyDistributionGroupMembership","MyVoiceMail","MyTextMessaging","MyRetentionPolicies","MyMailSubscriptions","My Marketplace Apps","MyTeamMailboxes") -IsDefault:$True

Making the policy default only affects mailboxes created from now on, so the next step is to assign the newly created policy to all existing mailboxes in your organization. Use -ResultSize Unlimited: without it Get-Mailbox returns at most 1000 mailboxes and the rest would silently keep the old policy.

Get-Mailbox -ResultSize Unlimited | Set-Mailbox -RoleAssignmentPolicy DefaultRBAC

Please note that it can take up to 15 minutes before the new policy takes effect. After their next sign-in the affected users should be able to open their OWA Options. Re-run the two troubleshooting commands against one of the affected mailboxes to confirm that "MyBaseOptions" now shows up.
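The three resolution steps above, as one added example script that is not from the original post. It follows the post's policy name (DefaultRBAC) and role list, but filters the role list against the roles that actually exist in the tenant, creates the policy only if it does not already exist (so the script can be re-run safely), moves only the mailboxes that are not yet on the new policy, and verifies the result. It assumes an open Exchange Online PowerShell session; Get-ManagementRole, New-RoleAssignmentPolicy, Get-Mailbox and Set-Mailbox are the standard Exchange cmdlets, the variable names are my own.

```powershell
# Added example: replace a possibly corrupted default role assignment policy.
# Assumes an Exchange Online PowerShell session is open. Names of variables
# are illustrative; cmdlet names are the real Exchange cmdlets.
$PolicyName  = 'DefaultRBAC'
$WantedRoles = @(
    'MyBaseOptions', 'MyProfileInformation', 'MyContactInformation',
    'MyDistributionGroups', 'MyDistributionGroupMembership', 'MyVoiceMail',
    'MyTextMessaging', 'MyRetentionPolicies', 'MyMailSubscriptions',
    'My Marketplace Apps', 'MyTeamMailboxes'
)

# Only request roles that exist in this tenant; an unknown role name makes
# New-RoleAssignmentPolicy fail and you end up with no policy at all.
$existingRoles = @((Get-ManagementRole).Name)
$roles   = @($WantedRoles | Where-Object { $existingRoles -contains $_ })
$missing = @($WantedRoles | Where-Object { $existingRoles -notcontains $_ })
if ($missing.Count -gt 0) {
    Write-Warning "Skipping roles not present in this tenant: $($missing -join ', ')"
}
if ($roles -notcontains 'MyBaseOptions') {
    # Without this role the new policy would reproduce the exact 403 we are fixing
    throw "MyBaseOptions is not available in this tenant; refusing to create $PolicyName"
}

# Step 1: create the policy and make it the default, but only once
$policy = Get-RoleAssignmentPolicy -Identity $PolicyName -ErrorAction SilentlyContinue
if (-not $policy) {
    $policy = New-RoleAssignmentPolicy -Name $PolicyName -Roles $roles -IsDefault:$true
    Write-Host "Created $PolicyName with roles: $($roles -join ', ')"
}
else {
    Write-Host "$PolicyName already exists, reusing it"
}

# Step 2: move existing mailboxes. IsDefault only covers mailboxes created
# later, and -ResultSize Unlimited avoids the 1000 mailbox default cap.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { "$($_.RoleAssignmentPolicy)" -ne $PolicyName } |
    Set-Mailbox -RoleAssignmentPolicy $PolicyName

# Step 3: verify that nothing was left on the old policy
$leftBehind = @(Get-Mailbox -ResultSize Unlimited |
    Where-Object { "$($_.RoleAssignmentPolicy)" -ne $PolicyName })
if ($leftBehind.Count -gt 0) {
    Write-Warning "$($leftBehind.Count) mailbox(es) still not on $PolicyName :"
    $leftBehind | Select-Object PrimarySmtpAddress, RoleAssignmentPolicy | Format-Table -AutoSize
}
else {
    Write-Host "All mailboxes now use $PolicyName; allow up to 15 minutes for OWA to pick it up"
}
```

Run the policy-creation part first and review the warning about skipped roles before moving mailboxes: if a role you rely on is missing from the tenant, that is a separate problem from the corrupted default policy and moving everyone to the new policy would not solve it.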