microsoft / Partner-Center-PowerShell

PowerShell module for managing Partner Center resources.
https://docs.microsoft.com/powershell/partnercenter/
MIT License

Get-MsolRoleMember : Access Denied. You do not have permissions to call this cmdlet. #425

Open jgrzybo opened 4 months ago

jgrzybo commented 4 months ago

Steps to reproduce

1. Have a Microsoft Partner Portal Account
2. Have Customers/tenants in the Portal
3. Have an account in the Partner portal
4. Be part of the security group AdminAgents
5. Have an Admin Relationship with a Customer with the Microsoft Entra roles: Global Administrator assigned
6. Assign the AdminAgents Security Group to the Admin Relationship
7. Open PowerShell
8. Run command "Connect-MsolService" and log in with the above mentioned account

Run the following PowerShell script (GetGA.ps1):

```powershell
#Working Tenant
#$tenantId = "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy"
#NotWorking Tenant
$tenantId = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
$roles = Get-MsolRole
#Write-Host $roles.Name
$role = Get-MsolRole -RoleName "Company Administrator"
$globalAdmins = Get-MsolRoleMember -RoleObjectId $role.ObjectId -TenantId $tenantId
Write-Host $globalAdmins.DisplayName
```

See the script work when the Working Tenant tenant id is uncommented. Output: "Admin Company Admin Break Glass Admin"

See the script fail when the NotWorking Tenant tenant id is uncommented:

```
Get-MsolRoleMember : Access Denied. You do not have permissions to call this cmdlet.
At C:\temp\GetGA.ps1:8 char:21
```

Expected behavior

Would expect both runs to return a list of the Global Administrators for the respective tenant. Output: "Admin Company Admin Break Glass Admin"

Actual behavior

On one of the accounts I get

```
Get-MsolRoleMember : Access Denied. You do not have permissions to call this cmdlet.
At C:\temp\GetGA.ps1:8 char:21
```

Diagnostic logs

None

Environment

```
PSVersion 5.1.19041.4291
PSEdition Desktop
```
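
An added example, not part of the original report or the project's code: a per-tenant variant of the GetGA.ps1 check that records which cmdlet is denied for which customer tenant instead of stopping at the first error. It assumes `Connect-MsolService` has already been run with the partner account; the tenant IDs are the placeholders from the report and the `$results` row layout is an assumption of this example.

```powershell
# Added example: audit Global Administrator membership per customer tenant
# and capture which step is denied. Assumes an existing Connect-MsolService session.
# Tenant IDs are the placeholders from the report; replace them with real GUIDs.
$tenantIds = @(
    'yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy',  # tenant where the call works
    'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'   # tenant where the call is denied
)

$results = foreach ($tenantId in $tenantIds) {
    # One result row per tenant (layout chosen for this example).
    $row = [pscustomobject]@{
        TenantId     = $tenantId
        FailedStep   = $null
        Error        = $null
        GlobalAdmins = @()
    }
    try {
        # -ErrorAction Stop turns the cmdlet error into a catchable exception.
        # Resolving the role inside the customer tenant shows whether read
        # access is denied for role lookup as well, or only for membership.
        $step = 'Get-MsolRole'
        $role = Get-MsolRole -RoleName 'Company Administrator' -TenantId $tenantId -ErrorAction Stop

        $step = 'Get-MsolRoleMember'
        $members = Get-MsolRoleMember -RoleObjectId $role.ObjectId -TenantId $tenantId -ErrorAction Stop
        $row.GlobalAdmins = @($members | ForEach-Object { $_.DisplayName })
    }
    catch {
        # Keep the failing cmdlet and its message so tenants can be compared.
        $row.FailedStep = $step
        $row.Error      = $_.Exception.Message
    }
    $row
}

$results | Format-List TenantId, FailedStep, Error, GlobalAdmins
```

A row with `FailedStep` set to `Get-MsolRoleMember` matches the behaviour reported here; a row failing at `Get-MsolRole` means the delegated account cannot read that tenant's directory roles at all.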