Assign Compliance Center Admin Roles to Service Principal

Mairc Campbell 6 Reputation points
2022-06-27T10:41:41.16+00:00

We are migrating our PowerShell scripts away from legacy auth and moving to use a Service principal and Certificate Based Authentication in our unattended PowerShell scripts.

We can successfully connect to Exchange Online and run all of our scripts as we could with legacy authentication. The problem comes when we connect to the Security & Compliance Center PowerShell module. We can connect fine (Connect-IPPSSession -appID xxx -certificateThumbprint xxx) but the problem is assigning correct permissions to the Service Principal to enable us to perform Exchange Compliance Searches.

New-ComplianceSearch --> Command completes OK
Start-ComplianceSearch --> Error
New-ComplianceSearchAction --> Error

Unable to execute the task. Reason: Compliance search initialization for "Search Name" failed with exception: Object reference not set to an instance of an object.

I suspect the error is because the Service Principal is not a member of Organization Management, Discovery Manager or Compliance Management in the compliance center. However, unlike the Azure AD Admin roles, we cannot add a service principal to the compliance center admin roles.

I added the Service Principal as a Global Admin in Azure AD to test if that would fix it, but the error continued.

Is there a way to run Start-ComplianceSearch command as a Service Principal in an unattended PowerShell script? Is there an equivalent to this command in Microsoft Graph?

UPDATE: For anyone encountering this, adding Service Principals to custom roles in SCC is now supported via PowerShell. See: https://learn.microsoft.com/en-gb/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps#assign-custom-role-groups-to-the-application-using-service-principals


6 answers

  1. Andy David - MVP 141.6K Reputation points MVP
    2022-06-27T11:26:07.303+00:00

    You could create a custom Azure AD Security group then assign a SCC role to it and see if this works:
    First create the group and make it role assignable:
    https://learn.microsoft.com/en-us/azure/active-directory/roles/groups-create-eligible


    Then assign the SCC role to it via the SCC Powershell:

    Add-RoleGroupMember "<Role Group Name>" -Member "<Your Custom Azure Security Group>"

    Then give that service principal membership in the Azure AD group.

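    As an added example (not code from the question, this answer, or Microsoft's documentation), the following script shows the role-group route in full: the group-membership idea from this answer and the direct service-principal membership that the question's UPDATE later links to. It assumes placeholder values for the app ID, certificate thumbprint, service principal object ID and tenant domain, a custom role group name of my own choosing, and that Add-RoleGroupMember in Security & Compliance PowerShell accepts the service principal's object ID as the member (the linked article is the authority on any prerequisites). Step 1 runs once interactively as an admin; step 2 is what the unattended job runs, and it checks that Start-ComplianceSearch now succeeds rather than trusting the role assignment blindly.

```powershell
# Added example: grant a service principal the least role it needs for
# compliance searches, then prove the unattended connection can start one.
# All values below are placeholders (constructed); replace with your own.
$AppId      = '00000000-0000-0000-0000-000000000000'   # app registration (client) ID
$Thumbprint = '0000000000000000000000000000000000000000'  # certificate thumbprint
$SpObjectId = '11111111-1111-1111-1111-111111111111'   # object ID of the ENTERPRISE app
                                                       # (service principal), not the
                                                       # app registration's object ID
$Org        = 'contoso.onmicrosoft.com'                # tenant initial domain
$RoleGroup  = 'Unattended Compliance Search'           # custom role group (assumed name)

# ---- Step 1: one-time setup, run interactively as an admin user -------------
Connect-IPPSSession -UserPrincipalName "admin@$Org"

# Least privilege: 'Compliance Search' covers New-/Start-/Get-ComplianceSearch.
# Add 'Export' only if the job also needs New-ComplianceSearchAction -Export.
New-RoleGroup -Name $RoleGroup -Roles 'Compliance Search'

# Make the service principal itself a member (the approach the question's
# UPDATE links to). Using an Azure AD security group here instead is the
# variant suggested in the answer above.
Add-RoleGroupMember -Identity $RoleGroup -Member $SpObjectId

# Verify before trusting the unattended run: the member list should show the
# service principal. Inspect it; the exact rendering of members varies.
(Get-RoleGroup -Identity $RoleGroup).Members

Disconnect-ExchangeOnline -Confirm:$false

# ---- Step 2: the unattended job (certificate-based app-only auth) ----------
Connect-IPPSSession -AppId $AppId -CertificateThumbprint $Thumbprint -Organization $Org

# Unique name so repeated test runs never collide with an existing search.
$searchName = "sp-permission-check-$(Get-Date -Format 'yyyyMMddHHmmss')"

# A narrow, harmless query (constructed) is enough to exercise the permission.
New-ComplianceSearch -Name $searchName -ExchangeLocation All `
    -ContentMatchQuery 'subject:"permission check"' | Out-Null

# This is the call that failed with "Object reference not set..." when the
# service principal lacked a role; with the role group in place it should run.
Start-ComplianceSearch -Identity $searchName

# Poll until the search settles, then report outcome and item count.
do {
    Start-Sleep -Seconds 10
    $search = Get-ComplianceSearch -Identity $searchName
} while ($search.Status -notin @('Completed', 'Failed', 'PartiallySucceeded'))

"{0}: status={1}, items={2}" -f $searchName, $search.Status, $search.Items

# Clean up the probe search so it does not accumulate in the compliance center.
Remove-ComplianceSearch -Identity $searchName -Confirm:$false
Disconnect-ExchangeOnline -Confirm:$false
```

    The one-time step deliberately creates a narrow custom role group rather than adding the service principal to Organization Management or eDiscovery Manager: an unattended credential that can only search is a much smaller blast radius if the certificate is ever leaked, and the probe search at the end confirms the assignment actually took effect before the real job depends on it.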

  2. Mairc Campbell 6 Reputation points
    2022-06-27T13:02:27.757+00:00

    Hi @Andy David - MVP ,

    Thanks for the suggestion. Unfortunately it doesn't seem to solve the issue.

    I created a role-assignable Azure AD group and added my Service Principal as a member. I then added this AAD group to the SCC roles: Organization, Discovery and Compliance management via PowerShell.


    I can create the compliance search but starting it still returns an error. (Note I can start the search when logged in with a user account so the query is sound, the issue remains the permissions for the Service Principal I believe.)


    Thanks for the help on this.


  3. Andy David - MVP 141.6K Reputation points MVP
    2022-06-27T14:07:58.863+00:00

    Ok, wasn't confident about that since there are only some supported roles :)
    So you followed this and adding the service principal to the Compliance Mgmt didn't work?
    https://learn.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps

    I was under the impression that compliance manager could see the searches:
    https://learn.microsoft.com/en-us/microsoft-365/compliance/assign-ediscovery-permissions?view=o365-worldwide#rbac-roles-related-to-ediscovery


  4. Mairc Campbell 6 Reputation points
    2022-06-30T13:44:10.463+00:00

    Yes I followed the app only authentication link AndyDavid posted. That's how I'm logging in to SCC using the app with certificate based authentication. I've added the Service Principal to the Compliance Mgmt AAD role but no joy. I can create and see compliance searches but not start or action them. (New-ComplianceSearch & Get-ComplianceSearch run fine)

    From reading up, it looks like app only auth will only connect with Application Permissions. It looks like delegated permissions are required to Start-ComplianceSearch and New-ComplianceSearchAction.

    I set up a connection to SCC PowerShell using the Secure Application Model, which allows connection with delegated permissions. I'm retrieving the connection token from an Azure KeyVault to connect to EXO and then SCC and then saving the refresh token back to the key vault for the next connection attempt. All seems to be working fine and I can successfully run the compliance searches in an unattended script without legacy auth, so mission accomplished.

    Thanks for the assistance.

    automating-with-powershell-using-the-secure-application-model-updates


  5. PERERA Ashen 0 Reputation points
    2023-04-19T04:04:28.6+00:00

    Hi @Mairc Campbell, I'm currently struggling with getting this to work. Could you post a code snippet which I can use? I did read through the cyberdrain articles but I'm stuck on getting this to work. Thanks a lot.
