Skip to main content
Chat with Biamp tech support
Biamp Cornerstone

Step 2A-4. Application Role-Based Access Control

Return to the the Step 2A homepag

Return to Step 2A-3. Application Registration and API Permissions



Application Role-Based Access Control

This step configures the RBAC for Applications in Exchange Online. This allows admins to grant permissions to an application that is independently accessing data in Exchange Online.

This grant can be paired with a scope of access (resource scope) to specify which mailboxes an application can access.


  • PowerShell is needed to complete this process. 
  • You will need to access and run Windows PowerShell on your system as an administrator.
  • There are multiple methods for connecting to Exchange Online PowerShell
  • The example commands that follow in the process can be used to connect to Microsoft 365 PowerShell


1. Find Windows PowerShell on your system and select Run as an administrator when launching it.



2. Connect to your ExchangeOnline Instance.  


  • Once connected, PowerShell should display contents similar to the following example image.



4. Create a management scope using the example code below.

  • This management scope will be used to restrict the impersonation right.
  • The following example limits the scope to resources (room and equipment mailboxes)
  • Replace the with your service account and domain, the -Name “ResourceMailboxes” you provide here will be used in a later step.
New-ManagementScope -Name "ResourceMailboxes" -RecipientRestrictionFilter { RecipientTypeDetails -eq "RoomMailbox" -or RecipientTypeDetails -eq "EquipmentMailbox" -or PrimarySmtpAddress -eq ""}


5. Create a service principle.

  • To grant permissions to the application you created in the first step of accessing the data in Exchange Online, you will need to provide the Application (client) ID and the Object ID. Replace the <name> with a name of your choice for the role.
New-ServicePrincipal -AppId <Client Application ID in AAD> -ObjectId <Service principal object ID in AAD> -DisplayName <name>


6. Assign the management role

In this step you will assign the role you have created to the service account, you will need the Application (client) ID, and you should use the same scope name you have created in step two (Management Scope).

New-ManagementRoleAssignment -Name "ResourceImpersonation" -Role "Application EWS.AccessAsApp" -App <Client Application ID in AAD> --CustomResourceScope "ResourceMailboxes"


This completes the setup of RBAC Application Impersonation in Exchange Online



  • Was this article helpful?