Office 365 pre-upgrade administrators can't sign in to the Forefront Online Protection for Exchange (FOPE) Quarantine service to access mail quarantine

Article translations Article translations
Article ID: 2587698 - View products that this article applies to.
Not sure what release of Office 365 you're using? Go to the following Microsoft website:
Am I using Office 365 after the service upgrade?
Expand all | Collapse all

PROBLEM

You're a Microsoft Office 365 pre-upgrade global administrator or Exchange Online administrator in Office 365 pre-upgrade, and you try to access mail quarantine through the Microsoft Forefront Online Protection (FOPE) Quarantine service website. To do this, you use the https://quarantine.messaging.microsoft.com URL, or you use the link in the upper-right corner of the FOPE Administration Center. However, you receive an error message that resembles the following:
You do not have permission to access this application.
When you try to add the Office 365 pre-upgrade administrator account as a FOPE user account in the FOPE Administration Center, you receive the following error message:
The e-mail address already exists.
You receive this error message even though the administrator email address isn't listed in the user list for your domain in the FOPE Administration Center.

CAUSE

By default, accounts that are created in Office 365 pre-upgrade and added to the Global Administrators, Organization Management, or View-Only organization management groups are replicated to the FOPE Administration Center as single-sign-on (SSO) accounts instead of as standard FOPE user accounts. This behavior prevents Office 365 pre-upgrade administrator accounts from accessing the FOPE quarantine portal because the user accounts aren't listed under the associated domain in your company. Because they do exist as SSO accounts, they can't be added as standard FOPE user accounts.

SOLUTION

To resolve this issue, use a second Office 365 pre-upgrade administrator account to temporarily remove the Office 365 pre-upgrade administrator role from the initial user account in the Office 365 pre-upgrade portal, manually add the user account to the FOPE Administration Center, and then reassign the administrator role to the user account in Office 365 pre-upgrade. To do this, follow these steps:
  1. If you're not already signed in, sign in to the Office 365 pre-upgrade portal by using global administrator credentials. Don't sign in by using the Office 365 pre-upgrade administrator account that's experiencing the issue.
  2. Check and remove the global administrator role from the user account in the Office 365 pre-upgrade portal. To do this, follow these steps:
    1. In the Office 365 pre-upgrade portal, click Admin, and then click Users in the left navigation pane.
    2. Click the global administrator account that you want to modify, and then click Settings.
    3. Note the value of the role assignment.
    4. Under Assign role, click No, and then click Save.
  3. Check and remove the Office 365 pre-upgrade user from the Organization Management, View-Only Organization Management, or TenantAdmins_xxxxx groups in the Exchange Control Panel. To do this, follow these steps:
    1. In the Office 365 pre-upgrade portal, click Admin, and then click Manage under Exchange Online.
    2. In the left navigation pane, click Roles & Auditing.
    3. Open the membership of the Organization Management, View-Only Organization Management, and TenantAdmins_xxxxx groups, and then look for the account.
    4. If the account exists in any of these groups, note the groups of which the account is a member. Then, click the account that has to be removed from the Members list.
    5. Note the value of the role assignment for this account.
    6. Click Remove, and then click Save.

    Note
    After you follow this step, wait at least 10 minutes before you continue to the next step.
  4. Add the user account to the Users list in the FOPE Administration Center. To do this in the Exchange Control Panel, follow these steps:
    1. In the left navigation pane, click Mail Control, and then click Configure IP safelisting, perimeter message tracing, and e-mail policies in the right pane.
    2. Click Administration, and then click Users.
    3. In the Tasks pane, click Add User.
    4. In the Add New User dialog box, enter the email address of the user account. Don't assign administrator permissions to this account.
    5. Click Save.

    Note
    If you can't add the FOPE user account, contact technical support for help.
  5. Restore the administrator roles that you noted in step 2c and step 3e to the administrator account.
Note To prevent this issue from occurring to other future administrator accounts, first add the user account as a standard FOPE user account in the FOPE Administration Center (see step 4), and then add the administrative permissions to the account in Office 365 pre-upgrade.

For more information about how to manage Office 365 pre-upgrade or Live@edu administrator accounts, see the following Microsoft websites:

WORKAROUND

Office 365 pre-upgrade global administrators can use a standard user account to access email services, including Exchange Online and the FOPE Quarantine service, and a separate global administrator account to perform administrative tasks. The global administrator account doesn't require that an additional license be consumed. 

When you use this configuration, you can set the standard user account in the FOPE Administration Center so that the user account can access mail and "spam" quarantine. For more information, see the following Microsoft TechNet topics:

MORE INFORMATION

For more information about how to add a user to the FOPE Administration Center, go to the following Microsoft website: 
http://technet.microsoft.com/en-us/library/ff715060.aspx
For more information about FOPE policy rule settings, go to the following Microsoft website: 
http://technet.microsoft.com/en-us/library/ff714983.aspx
For more information about how to configure spam quarantine, go to the following Microsoft website: 
http://technet.microsoft.com/en-us/library/ff715240.aspx
For more information about the FOPE spam quarantine mailbox, go to the following Microsoft website: 
http://technet.microsoft.com/en-us/library/how-to-use-the-fope-email-spam-quarantine-mailbox.aspx
For more information about how to log on to the FOPE Quarantine service and personalize settings, go to the following Microsoft website:
http://technet.microsoft.com/en-us/library/ff715009.aspx
Still need help? Go to the Office 365 Community website.

Properties

Article ID: 2587698 - Last Review: February 27, 2013 - Revision: 12.0
Applies to
  • Microsoft Office 365 for enterprises (pre-upgrade)
  • Microsoft Office 365 for education  (pre-upgrade)
  • Microsoft Forefront Online Protection for Exchange
Keywords: 
vkbportal225 o365 o365a o365e o365062011 pre-upgrade KB2587698

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com