Azure AD Global Reader Account Can Delete Mobile Devices From Users Mailbox

So, as the title states, I was working with a customer recently and we deployed the Global Reader role to some users, as it was a useful way for IT staff to look at configurations without the worry of accidentally breaking something. This was all good so far.

However, I found that accounts with the "Global Reader" role assignment actually can make a change, and it could be quite impactful to the end user.

So, if you are logged in to the O365 Admin portal with your Global Reader account, go to Exchange Admin.

Find a user's mailbox and click on Edit.

Click on Mailbox Features, then scroll down to Mobile Devices and click on View Details.

In there you will see a list of mobile devices that have a partnership with the user's mailbox.

If you click on one of those devices, you can then hit the Delete button and the device will eventually be removed.
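A defender-side check to go with the steps above, as an added example that is not from the original post: it lists who holds Global Reader and then looks in the unified audit log for mobile device removals made by those accounts. It assumes you are already connected with Connect-ExchangeOnline and Connect-MgGraph, and that the EAC Delete button is logged as the Remove-MobileDevice cmdlet (an assumption, not something the post states).

```powershell
# Added example (not from the original post). Assumes an active
# Connect-ExchangeOnline session and a Connect-MgGraph session with
# RoleManagement.Read.Directory. Assumption: the EAC "Delete" action on a
# mobile device is recorded in the unified audit log as Remove-MobileDevice.
param(
    [int]$Days = 30
)

# 1. Resolve the activated Global Reader role and collect its members' UPNs.
$role = Get-MgDirectoryRole -Filter "displayName eq 'Global Reader'"
if (-not $role) { throw "Global Reader role is not activated in this tenant." }
$readers = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All |
    ForEach-Object { $_.AdditionalProperties['userPrincipalName'] } |
    Where-Object { $_ }
if (-not $readers) { Write-Host "No Global Reader members found."; return }

# 2. Pull mobile device removals performed by those accounts in the window.
$end   = Get-Date
$start = $end.AddDays(-$Days)
$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType ExchangeAdmin -Operations 'Remove-MobileDevice' `
    -UserIds $readers -ResultSize 5000

# 3. Report each removal with the device identity taken from the cmdlet parameters.
foreach ($e in $events) {
    $data   = $e.AuditData | ConvertFrom-Json
    $target = ($data.Parameters | Where-Object { $_.Name -eq 'Identity' }).Value
    [pscustomobject]@{
        When   = $e.CreationDate
        Actor  = $e.UserIds
        Device = $target
    }
}
```

An empty result over a sensible window is the expected state; any rows are worth reviewing, since a read-only role should not be producing them.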

I have raised this with Microsoft Support, and their engineer has also confirmed the same behaviour in their test tenants. It has been escalated to the Product Team now and I will await their response. As soon as I hear anything, I will let you know on here and update the post.
