Troubleshooting Tip: Office 365 administrators cannot sign in to the Forefront Online Protection

Problem
You’re a Microsoft Office 365 Global administrator or Exchange Online administrator trying to access mail quarantine through the Microsoft Forefront Online Protection (FOPE) Quarantine service website. You use the https://quarantine.messaging.microsoft.com URL or the link at the upper-right corner of the FOPE Administration Center. However, you receive the following (or a similar) message:

“You do not have permission to access this application.”

When you try to add the Office 365 administrator account as a FOPE user account in the FOPE Administration Center, you receive the following error message:

“The e-mail address already exists.”

You receive this error message even though the administrator email address is not listed in the user list.

Cause
By default, accounts that are created in Office 365 and added to the Global Administrators, Organization Management, or View-Only Organization Management groups are replicated to the FOPE Administration Center as single-sign-on (SSO) accounts, not as standard FOPE user accounts. Because these accounts are not listed under the associated domain in your company, Office 365 administrator accounts can’t access the FOPE quarantine portal. And because they already exist as SSO accounts, they can’t be added as standard FOPE user accounts.

Solution
The good news is that there’s a solution for this problem. Use a second Office 365 administrator account to temporarily remove the Office 365 administrator role from the initial user account in the Office 365 portal. Then, manually add the user account to the FOPE Administration Center, and reassign the administrator role to the user account in Office 365. Here’s how to do that:

A. Sign in to the Office 365 portal by using Global administrator credentials. Do not sign in by using the Office 365 administrator account that is experiencing the issue.
B. Check and remove the global administrator role from the user account in the Office 365 portal. You can do that by:
1. In the Office 365 portal, click Admin, and then click Users in the left navigation pane.
2. Click the global administrator account that you want to modify, then click Settings.
3. Note the value of the role assignment.
4. Under Assign role, click No, then click Save.
C. Check and remove the Office 365 user from the Organization Management, View-Only Organization Management, or TenantAdmins_xxxxx groups in the Exchange Control Panel (ECP). You can do that by:
1. In the Office 365 portal, click Admin, and then click Manage under Exchange Online.
2. In the left navigation pane, click Roles & Auditing.
3. Open the membership of the Organization Management, View-Only Organization Management, and TenantAdmins_xxxxx groups, and look for the account.
4. If the account exists in any of these groups, note the groups where the account is a member. Then, click the account that has to be removed from the Members list.
5. Note the value of the role assignment for this account.
6. Click Remove, and click Save.

**After you follow this step, wait a minimum of 10 minutes before you continue to the next step.**

D. Add the user account to the Users list in the FOPE Administration Center. To do this in the ECP, do the following:
1. In the left navigation pane, click Roles & Auditing, and click Configure IP safelisting, perimeter message tracing, and e-mail policies in the right pane.
2. Click Administration, and then click Users.
3. In the Tasks pane, click Add User.
4. In the Add New User dialog box, enter the email address of the user account. Do not assign administrator permissions to this account. Click Save.

**If you cannot add the FOPE user account, contact technical support for help.**

E. Restore the administrator roles that you noted in step B3 and step C5 to the administrator account.

**To prevent this issue from affecting future administrator accounts, first add the user account as a standard FOPE user account in the FOPE Administration Center (see step D), and then add the administrative permissions to the account in Office 365.**

If you need more information about managing Office 365 or Live@edu administrator accounts, check out Microsoft’s websites:

Add or Remove Role Group Members
Give Users Administrator Permissions

Workaround
Office 365 global admins may use a standard user account to access email services, including Exchange Online and the FOPE Quarantine service, and a different global administrator account to perform administrative tasks. The global administrator account doesn’t require an additional license.

When using this configuration, you can configure the standard user account in the FOPE Administration Center so the user account can access mail and “spam” quarantine. For more information, review Microsoft’s TechNet topics:

Create, edit, or delete users (Office 365)
Manage licenses (Office 365)
Add New Users in the Administration Center (FOPE)
User Account Management (FOPE)
Understanding User Roles and Permissions (FOPE)
Configuring Spam Quarantine (FOPE)