Office 365 administrators cannot sign in to the Forefront (FOPE) Quarantine service to access mail quarantine
You are a Microsoft Office 365 Global administrator or Exchange Online administrator, and you try to access mail quarantine through the Microsoft Forefront Online Protection (FOPE) Quarantine service website. To do this, you use the https://quarantine.messaging.microsoft.com URL, or you use the link in the upper-right corner of the FOPE Administration Center. However, you receive an error message that resembles the following message:
You do not have permission to access this application.
When you try to add the Office 365 administrator account as a FOPE user account in the FOPE Administration Center, you receive the following error message:
The e-mail address already exists.
You receive this error message even though the administrator email address is not listed in the user list for your domain in the FOPE Administration Center.
By default, accounts that are created in Office 365 and added to the Global Administrators, Organization Management, or View-Only Organization Management groups are replicated to the FOPE Administration Center as single-sign-on (SSO) accounts instead of as standard FOPE user accounts. This behavior prevents Office 365 administrator accounts from accessing the FOPE quarantine portal because the user accounts are not listed under the associated domain in your company. Because they do exist as SSO accounts, they cannot be added as standard FOPE user accounts.
To resolve this issue, use a second Office 365 administrator account to temporarily remove the Office 365 administrator role from the initial user account in the Office 365 portal, manually add the user account to the FOPE Administration Center, and then reassign the administrator role to the user account in Office 365. To do this, follow these steps:
1. If you are not already signed in, sign in to the Office 365 portal by using Global administrator credentials. Do not sign in by using the Office 365 administrator account that is experiencing the issue.
2. Check and remove the global administrator role from the user account in the Office 365 portal. To do this, follow these steps:
   a. In the Office 365 portal, click Admin, and then click Users in the left navigation pane.
   b. Click the global administrator account that you want to modify, and then click Settings.
   c. Note the value of the role assignment.
   d. Under Assign role, click No, and then click Save.
3. Check and remove the Office 365 user from the Organization Management, View-Only Organization Management, or TenantAdmins_xxxxx groups in the Exchange Control Panel (ECP). To do this, follow these steps:
   a. In the Office 365 portal, click Admin, and then click Manage under Exchange Online.
   b. In the left navigation pane, click Roles & Auditing.
   c. Open the membership of the Organization Management, View-Only Organization Management, and TenantAdmins_xxxxx groups, and then look for the account.
   d. If the account exists in any of these groups, note the groups of which the account is a member. Then, click the account that has to be removed from the Members list.
   e. Note the value of the role assignment for this account.
   f. Click Remove, and then click Save.

   Note: After you follow this step, wait at least 10 minutes before you continue to the next step.
4. Add the user account to the Users list in the FOPE Administration Center. To do this in the ECP, follow these steps:
   a. In the left navigation pane, click Roles & Auditing, and then click Configure IP safelisting, perimeter message tracing, and e-mail policies in the right pane.
   b. Click Administration, and then click Users.
   c. In the Tasks pane, click Add User.
   d. In the Add New User dialog box, enter the email address of the user account. Do not assign administrator permissions to this account.
   e. Click Save.

   Note: If you cannot add the FOPE user account, contact technical support for help.
5. Restore the administrator roles that you noted in step 2c and step 3e to the administrator account.
Note: To prevent this issue from affecting administrator accounts that you create in the future, first add the user account as a standard FOPE user account in the FOPE Administration Center (see step 4), and then add the administrative permissions to the account in Office 365.
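The record-remove-restore part of steps 3 and 5, as an added PowerShell example that is not part of the original article or of Microsoft's documented procedure: it writes down which of the three role groups contain the account before removing it, so that exactly those memberships are restored and verified afterwards. It assumes an Exchange Online PowerShell session opened by the second administrator; the parameter names, the snapshot path and the helper names `Get-Membership` and `Read-Snapshot` are hypothetical, and the Global administrator role (step 2) and the FOPE user (step 4) are still handled in the portal.

```powershell
# Added example. Run by a SECOND administrator (step 1) in an Exchange Online
# PowerShell session. Parameter names and the snapshot path are hypothetical.
param(
    [Parameter(Mandatory)][string]$Upn,
    [Parameter(Mandatory)][ValidateSet('Snapshot','Remove','Restore')][string]$Action,
    [string]$SnapshotPath = '.\rolegroup-snapshot.json'
)

function Get-Membership([string]$User) {
    # Returns the names of the role groups from step 3 that contain $User.
    $account = Get-User -Identity $User -ErrorAction Stop
    $groups = Get-RoleGroup | Where-Object {
        ($_.Name -in 'Organization Management', 'View-Only Organization Management') -or
        ($_.Name -like 'TenantAdmins_*')   # suffix differs per tenant
    }
    foreach ($g in $groups) {
        $hit = Get-RoleGroupMember -Identity $g.Name | Where-Object { $_.Guid -eq $account.Guid }
        if ($hit) { $g.Name }
    }
}

function Read-Snapshot {
    # Loads the snapshot and refuses to act on one taken for a different account.
    $snap = Get-Content -Path $SnapshotPath -Raw | ConvertFrom-Json
    if ($snap.Upn -ne $Upn) { throw "Snapshot is for $($snap.Upn), not $Upn" }
    $snap
}

switch ($Action) {
    'Snapshot' {   # step 3: record memberships before anything is changed
        if (Test-Path $SnapshotPath) { throw "$SnapshotPath exists; refusing to overwrite" }
        [pscustomobject]@{ Upn = $Upn; RoleGroups = @(Get-Membership $Upn) } |
            ConvertTo-Json | Set-Content -Path $SnapshotPath
    }
    'Remove' {     # step 3: remove only what the snapshot recorded
        foreach ($g in (Read-Snapshot).RoleGroups) {
            Remove-RoleGroupMember -Identity $g -Member $Upn -Confirm:$false
        }
    }
    'Restore' {    # step 5: put back exactly the recorded memberships, then verify
        $wanted = @((Read-Snapshot).RoleGroups)
        foreach ($g in $wanted) { Add-RoleGroupMember -Identity $g -Member $Upn }
        $now = @(Get-Membership $Upn)
        $missing = @($wanted | Where-Object { $_ -notin $now })
        if ($missing) { throw "Not restored: $($missing -join ', ')" }
    }
}
```

Run `Snapshot` and then `Remove` before adding the FOPE user, wait the 10 minutes the article asks for, and run `Restore` only after step 4 has succeeded.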
For more information about how to manage Office 365 or Live@edu administrator accounts, see the following Microsoft websites: