Step 2A-4. Application Role-Based Access Control
Return to Step 2A homepage
Return to Step 2A-3. Application Registration and API Permissions
Application Role-Based Access Control
This step configures RBAC for Applications in Exchange Online. It lets admins grant permissions to an application that accesses data in Exchange Online on its own behalf (app-only access, with no signed-in user).
The grant is paired with a scope of access (a resource scope) that specifies which mailboxes the application can reach; without a scope, the role would apply to every mailbox in the tenant.
Note:
- PowerShell is needed to complete this process.
- You will need to run Windows PowerShell on your system as an administrator.
- The ExchangeOnlineManagement module must be installed (Install-Module ExchangeOnlineManagement).
- There are multiple methods for connecting to Exchange Online PowerShell.
- The example commands that follow can be used to connect to Exchange Online PowerShell.
1. Find Windows PowerShell on your system and select Run as administrator when launching it.
2. Connect to your Exchange Online tenant.
- In this section, michael@demo.evoko.se is used as the example admin email. Run the following command, replacing michael@demo.evoko.se with the UPN of your Global Admin account (any account holding Exchange Online's Organization Management role, such as an Exchange Administrator, also has the rights needed for the remaining steps):
- Connect-ExchangeOnline -UserPrincipalName michael@demo.evoko.se
- A browser sign-in window opens for that account; complete sign-in, including MFA if it is enforced. Once connected, PowerShell displays output similar to the example image.
3. Create a management scope using the example code below.
- This management scope is used to limit which mailboxes the application's role assignment applies to.
- The following example limits the scope to resource mailboxes (room and equipment mailboxes) plus the service account's own mailbox.
- Replace service-account@domain.com with your service account's address. The -Name value "ResourceMailboxes" is referenced again when the role is assigned.
- -RecipientRestrictionFilter takes an OPATH filter string; quote the property values with single quotes inside the double-quoted string.
New-ManagementScope -Name "ResourceMailboxes" -RecipientRestrictionFilter "RecipientTypeDetails -eq 'RoomMailbox' -or RecipientTypeDetails -eq 'EquipmentMailbox' -or PrimarySmtpAddress -eq 'service-account@domain.com'"
4. Create a service principal.
- Before Exchange Online can grant permissions to the application you registered in Step 2A-3, it must know about the application's service principal. You need the Application (client) ID and the service principal's Object ID. Replace <name> with a display name of your choice; this labels the service principal object in Exchange Online, it is not a role name.
- The -ObjectId is the Object ID of the Enterprise application (the service principal), not the Object ID shown on the App registration overview page; the two are different GUIDs. Refer to Step 2A-3 no. 10 to identify the correct Object ID.
New-ServicePrincipal -AppId <Client Application ID in AAD> -ObjectId <Service principal object ID in AAD> -DisplayName <name>
5. Assign the management role.
In this step you assign the built-in "Application EWS.AccessAsApp" role to the application's service principal, limited to the management scope created above. You need the Application (client) ID, and you must use the same scope name ("ResourceMailboxes") you gave the management scope. Within that scope the role grants the application full access to the mailboxes, so the scope filter is the only control over which mailboxes it can reach; keep it as narrow as the application requires.
New-ManagementRoleAssignment -Name "ResourceImpersonation" -Role "Application EWS.AccessAsApp" -App <Client Application ID in AAD> -CustomResourceScope "ResourceMailboxes"
This completes the setup of RBAC for Applications in Exchange Online: the application can now access only the mailboxes matched by the "ResourceMailboxes" scope.
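The whole procedure as one script, with the checks a practitioner would run afterwards. This is an added example, not a command sequence from the original page or from Evoko: the GUIDs, the display name, the room mailbox address and the Disconnect call are assumptions (marked PLACEHOLDER or "example" in comments), and the verification uses Get-ManagementRoleAssignment and Test-ServicePrincipalAuthorization from the ExchangeOnlineManagement module to confirm that a room mailbox is in scope and an ordinary user mailbox is not.

```powershell
# Added example (not the page's own commands): RBAC for Applications setup for a
# room-booking application, made idempotent, followed by verification.
# PLACEHOLDER values must be replaced with your tenant's own.

# Requires the ExchangeOnlineManagement module.
if (-not (Get-Module -ListAvailable -Name ExchangeOnlineManagement)) {
    Install-Module ExchangeOnlineManagement -Scope CurrentUser
}
Import-Module ExchangeOnlineManagement

$adminUpn       = 'michael@demo.evoko.se'                  # admin UPN used as the example on the page
$appId          = '11111111-2222-3333-4444-555555555555'   # PLACEHOLDER: Application (client) ID of the app registration
$spObjectId     = '66666666-7777-8888-9999-000000000000'   # PLACEHOLDER: Object ID of the Enterprise application (service principal)
$serviceAccount = 'service-account@domain.com'             # service account mailbox from the page
$roomMailbox    = 'room1@demo.evoko.se'                    # PLACEHOLDER: any room mailbox, used only for the check below
$scopeName      = 'ResourceMailboxes'

Connect-ExchangeOnline -UserPrincipalName $adminUpn

# Step 3: management scope. RecipientRestrictionFilter is an OPATH string;
# property values are single-quoted inside the double-quoted string.
$filter = "RecipientTypeDetails -eq 'RoomMailbox' -or RecipientTypeDetails -eq 'EquipmentMailbox' -or PrimarySmtpAddress -eq '$serviceAccount'"
if (-not (Get-ManagementScope -Identity $scopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $scopeName -RecipientRestrictionFilter $filter
}

# Step 4: register the app's service principal with Exchange Online (skip if it already exists).
if (-not (Get-ServicePrincipal -Identity $appId -ErrorAction SilentlyContinue)) {
    New-ServicePrincipal -AppId $appId -ObjectId $spObjectId -DisplayName 'Room booking app (example)'
}

# Step 5: assign the built-in role, limited to the custom scope. Without -CustomResourceScope
# the same role would grant the app access to every mailbox in the tenant.
New-ManagementRoleAssignment -Name 'ResourceImpersonation' -Role 'Application EWS.AccessAsApp' -App $appId -CustomResourceScope $scopeName

# Verification: list what is assigned to the app ...
Get-ManagementRoleAssignment -RoleAssignee $appId | Format-List Name, Role, RoleAssigneeType, Enabled

# ... and test individual mailboxes against the scope.
# Expected: InScope is True for the room mailbox and False for the admin's user mailbox.
Test-ServicePrincipalAuthorization -Identity $appId -Resource $roomMailbox
Test-ServicePrincipalAuthorization -Identity $appId -Resource $adminUpn

Disconnect-ExchangeOnline -Confirm:$false
```

The two Test-ServicePrincipalAuthorization calls are the check worth keeping after the setup: if the user mailbox reports InScope as True, the scope filter is wider than intended and the application has been granted full access to mailboxes it should never touch.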