We have created a Global Reader account in order to run some PowerShell scripts to help with maintenance and security reviews.
One of the tools we are running is the CrowdStrike CRT, a reporting tool that examines Azure Active Directory and Exchange Online, and creates lists of hard-to-find or hard-to-expose permissions and settings.
In CRT, one of the commands, "SendAsGranted", runs this command to do Get-EXORecipientPermission against every mailbox in the domain. The specific line is:
```powershell
$DelegateSendPerms += Get-EXOMailbox -ResultSize Unlimited -ErrorAction SilentlyContinue | Get-EXORecipientPermission -ErrorAction Stop | Where-Object {$_.Trustee -ne "NT AUTHORITY\SELF"}
```
When running this script as a Global Administrator, it works. When running the script as a Global Reader, it fails.
I ran the command Get-EXORecipientPermission -UserPrincipalName user@keyman .name manually as the Global Reader account and this was the output (after a substantial delay):
```
Get-EXORecipientPermission : Error while querying REST service. HttpStatusCode=401
ErrorMessage={"error":{"code":"Unauthorized","message":"User is not allowed to call
Get-RecipientPermission","innererror":{"message":"User is not allowed to call
Get-RecipientPermission","type":"Microsoft.Exchange.Admin.OData.Core.ODataServiceException"}}}
At line:1 char:1
+ Get-EXORecipientPermission -UserPrincipalName user@domain.na ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ProtocolError: (:) [Get-EXORecipientPermission], RestClientException
+ FullyQualifiedErrorId : An error occurred while processing this request.,Microsoft.Exchange.Management.RestApiClient.GetExoRecipientPermission
```
I believe that the Get-EXORecipientPermission (and its original version, Get-RecipientPermission) command should be able to be run as Global Reader, and this should be fixed.
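The one-liner quoted above uses `-ErrorAction Stop` on `Get-EXORecipientPermission`, so a single 401 from the REST service aborts the whole SendAs collection with no record of which mailboxes were actually checked. The script below is an added example (not code from the original post or from the CRT tool) showing how a reviewer can collect the same non-SELF SendAs grants one mailbox at a time, record per-mailbox failures, and stop early with a clear explanation when the signed-in role is not permitted to call Get-RecipientPermission. It assumes `Connect-ExchangeOnline` has already been run for the reviewing account and that the `HttpStatusCode=401` text in the exception message matches the error shown in the post; the `$Results`/`$Failures` names and the output CSV path are arbitrary choices of this example.

```powershell
# Added example, not part of the original post or of CrowdStrike CRT.
# Collects SendAs grants to trustees other than the mailbox owner,
# recording failures per mailbox instead of aborting on the first error.
# Assumes Connect-ExchangeOnline has already been run.

$Results  = [System.Collections.Generic.List[object]]::new()
$Failures = [System.Collections.Generic.List[object]]::new()

# Get-EXOMailbox returns UserPrincipalName and Identity in its default property set
$Mailboxes = Get-EXOMailbox -ResultSize Unlimited -ErrorAction Stop

foreach ($mbx in $Mailboxes) {
    try {
        Get-EXORecipientPermission -Identity $mbx.Identity -ErrorAction Stop |
            Where-Object { $_.Trustee -ne 'NT AUTHORITY\SELF' } |
            ForEach-Object {
                $Results.Add([pscustomobject]@{
                    Mailbox           = $mbx.UserPrincipalName
                    Trustee           = $_.Trustee
                    AccessRights      = ($_.AccessRights -join ',')
                    AccessControlType = $_.AccessControlType
                })
            }
    }
    catch {
        $msg = $_.Exception.Message
        # The 401 text is taken from the error shown in the post (assumption: it is stable)
        $unauthorized = $msg -match 'HttpStatusCode=401'
        $Failures.Add([pscustomobject]@{
            Mailbox = $mbx.UserPrincipalName
            Reason  = $(if ($unauthorized) {
                          'Unauthorized: signed-in role is not allowed to call Get-RecipientPermission'
                      } else { $msg })
        })
        # A role-based 401 will recur on every mailbox; stop instead of
        # waiting through the per-call delay for each remaining mailbox.
        if ($unauthorized) {
            Write-Warning "Stopping: $($Failures[-1].Reason). Re-run with a role that can call Get-RecipientPermission."
            break
        }
    }
}

# Hypothetical output path; adjust for your environment.
$Results  | Export-Csv -Path '.\SendAsGrants.csv' -NoTypeInformation
$Failures | Format-Table -AutoSize

"Mailboxes checked: $($Results.Mailbox | Sort-Object -Unique | Measure-Object | Select-Object -ExpandProperty Count)"
"Grants found:      $($Results.Count)"
"Failures:          $($Failures.Count)"
```

Keeping the failures list separate from the grants list matters for a security review: an empty `SendAsGrants.csv` produced under a role that cannot read recipient permissions looks identical to a tenant with no delegated SendAs rights, and only the recorded failure count distinguishes the two.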