The installer was unable to add all required permissions
Summary
At the beginning of an install, the installer checks that it has all required Exchange permissions (roles). If it doesn’t, and it can’t fix the problem automatically, it will display the error:
The installer was unable to add all required permissions. The following Exchange roles should be manually added to the "INKY Setup and Maintenance" role group: (list of roles)
This article describes how to add the listed roles to the group and why this is needed.
Background
When the user grants permissions for the INKY installer to connect to Exchange PowerShell, we also make the app’s identity a Global Administrator on the tenant. Normally this grants us all permissions we need, but some tenants are set up differently such that Global Administrators don’t have all the permissions in Exchange that they normally do (in all the cases we’ve seen so far, this appears to have been due to a misconfiguration).
Global Administrators have permissions in Exchange because they are automatically members of a special Exchange role group named “TenantAdmins_(some unique set of characters),” which is in turn a member of the “Organization Management” group. This group has a number of Exchange roles that allow it to run the various Exchange PowerShell commands. However, in some tenants this group is missing roles that it normally has, and this is the cause of the problem.
For each role, there is a corresponding “delegating” role that allows granting the role. When a role is missing but Organization Management does have the delegating version of the role, the installer will use it to grant the role to itself. To do this, it creates a service principal for itself using the PowerShell command New-ServicePrincipal, and then assigns the role to that. If it is unable to grant all the roles it needs, it will also create the role group “INKY Setup and Maintenance” and add the service principal to it, and then request that the user add the remaining required permissions manually to that group.
How to Add Permissions (Roles)
Note that since the installer was not able to automatically add the required permissions, it is possible that the user will not be able to either. If you try the following procedure and receive an error message, contact Microsoft support for help adding these roles to the INKY Setup and Maintenance role group.
In the Exchange Admin portal, in the navigation pane on the left choose Roles → Admin Roles. Or go directly to the admin roles page: https://admin.exchange.microsoft.com/#/adminRoles
On the page that comes up, find the “INKY Setup and Maintenance Group” and click on its name.
In the pane that pops up on the right, click “Permissions.”
The permissions tab lists all possible permissions; the permissions that the group has will have a checkmark next to them. To add permissions, check the boxes next to them and click “Save.” Note that this does not just add checked permissions to the existing set; it completely replaces it with just the checked permissions.
If you use the Search box, note that you must wait for each character you type to appear before typing the next one. If you type additional characters before one appears, only one character will be registered.
After adding all permissions (roles) that the installer asked for, run the install again. It should now have all the permissions it needs.
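The same check and addition can be done from Exchange Online PowerShell; the script below is an added example, not part of the original article or of INKY's tooling, and it reports, for each required role, whether the role group already has it and whether Organization Management holds the regular and delegating versions described under Background. It assumes the ExchangeOnlineManagement module is installed; the role names are placeholders to be replaced with the roles listed in the installer's error message, and Get-AssignedRoleName is a helper defined here for illustration.

```powershell
# Added example (not INKY's tooling). Assumes the ExchangeOnlineManagement module.
$RoleGroup     = 'INKY Setup and Maintenance'   # name taken from the installer's error message
$RequiredRoles = @('<ROLE-1-FROM-ERROR>', '<ROLE-2-FROM-ERROR>')   # placeholders: use the listed roles

Connect-ExchangeOnline

# Hypothetical helper: names of the roles assigned to an assignee,
# either regular (-Delegating $false) or delegating (-Delegating $true).
function Get-AssignedRoleName {
    param([string]$Assignee, [bool]$Delegating)
    @(Get-ManagementRoleAssignment -RoleAssignee $Assignee -Delegating $Delegating |
        ForEach-Object { [string]$_.Role })
}

$held         = Get-AssignedRoleName -Assignee $RoleGroup -Delegating $false
$omRegular    = Get-AssignedRoleName -Assignee 'Organization Management' -Delegating $false
$omDelegating = Get-AssignedRoleName -Assignee 'Organization Management' -Delegating $true

# Per-role report: what the role group has, and what Organization Management
# can use or delegate (a role missing from both columns explains the installer error).
$report = foreach ($role in $RequiredRoles) {
    [pscustomobject]@{
        Role               = $role
        InRoleGroup        = $held -contains $role
        OrgMgmtHasRole     = $omRegular -contains $role
        OrgMgmtCanDelegate = $omDelegating -contains $role
    }
}
$report | Format-Table -AutoSize

# Add only the missing roles. Each call adds one assignment and leaves the
# existing ones in place, unlike the portal's Save, which replaces the whole set.
foreach ($row in $report | Where-Object { -not $_.InRoleGroup }) {
    try {
        New-ManagementRoleAssignment -SecurityGroup $RoleGroup -Role $row.Role -ErrorAction Stop | Out-Null
        Write-Host "Added $($row.Role)"
    } catch {
        Write-Warning "Could not add $($row.Role): $($_.Exception.Message)"
    }
}
```

If a role cannot be added this way, the signed-in administrator lacks the delegating assignment for it, which is the case the article refers to Microsoft support.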