I have defined an Azure App with read-only permission for unattended script use to monitor and report on Azure AD accounts and Mailboxes (Users and Shared). A script I am working on to facilitate user offboarding is to remove delegated mailbox access for leavers. I am trying to retrieve delegated mailbox access details and I am having an issue with permission to run Get-RecipientPermission (Get-EXORecipientPermission).
If I connect manually using Connect-Exchangeonline with Admin creds, the permissions are retrieved successfully.
If I connect using certificate-based auth (Connect-Exchangeonline -appid $appid -organization $orgName -certificatethumbprint $certthumb), I can retrieve mailbox detail but not the delegated permission. I receive a permission error.
```
$TrusteeMailbox = Get-Mailbox "SharedMaibox" | get-exorecipientpermission | Where-Object {$_.trustee -eq $LeaverUPN}
get-exorecipientpermission : Error while querying REST service. HttpStatusCode=401 ErrorMessage={"error":{"code":"Unauthorized","message":"User is not allowed
to call Get-RecipientPermission","innererror":{"message":"User is not allowed to call
Get-RecipientPermission","type":"Microsoft.Exchange.Admin.OData.Core.ODataServiceException"}}}
At line:1 char:52
+ ... = Get-Mailbox "SharedMaibox" | get-exorecipientpermission | Where ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ProtocolError: (:) [Get-EXORecipientPermission], RestClientException
+ FullyQualifiedErrorId : An error occurred while processing this request.,Microsoft.Exchange.Management.RestApiClient.GetExoRecipientPermission
```
Azure registered App permissions are:
![User's image](/api/attachments/b091554a-2849-4f7b-a1a6-4cc2c9204827?platform=QnA)
What App permission is required to retrieve the delegated permission?
Any Help much appreciated.
Mark
You will need to delegate an Exchange mgmt role and Exchange.ManageAsApp
https://learn.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps
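
One way to carry out the delegation described in the answer while keeping the app read-only, as an added example that is not part of the original thread or of Microsoft's documentation. It assumes Exchange.ManageAsApp has already been added as an application permission with admin consent; the GUIDs, admin UPN, display name and role group name are placeholders, and the role name is left for you to pick from the output of step 1.

```powershell
# Added example. Run interactively as an Exchange administrator, not as the app.
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'   # placeholder UPN

# Placeholders: copy both values from the Entra admin center.
$AppId    = '00000000-0000-0000-0000-000000000000'  # Application (client) ID
$ObjectId = '11111111-1111-1111-1111-111111111111'  # Object ID of the Enterprise application
                                                    # (service principal), NOT the app registration

# 1. List every management role that contains the cmdlet the 401 complains about.
Get-ManagementRole -Cmdlet Get-RecipientPermission |
    Sort-Object Name | Format-Table Name, RoleType

# 2. Choose the narrowest role from that list. A view-only role is enough for
#    reporting; a role that also grants Remove-RecipientPermission is only
#    needed by the script that actually strips access from leavers.
$RoleName  = '<role name chosen from step 1>'
$GroupName = 'App-RecipientPermission-Reader'        # hypothetical role group name

# 3. Make the Entra service principal known to Exchange Online (idempotent).
$sp = Get-ServicePrincipal | Where-Object { $_.AppId -eq $AppId }
if (-not $sp) {
    $sp = New-ServicePrincipal -AppId $AppId -ObjectId $ObjectId `
                               -DisplayName 'Offboarding report app'   # placeholder name
}

# 4. Create a dedicated role group holding only that role, then add the app to it.
if (-not (Get-RoleGroup -Identity $GroupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $GroupName -Roles $RoleName | Out-Null
}
Add-RoleGroupMember -Identity $GroupName -Member $sp.Identity

# 5. Verify what the app can now do before testing the certificate sign-in again.
Get-ManagementRoleAssignment -RoleAssignee $GroupName |
    Format-Table Name, Role, RoleAssigneeName
Get-RoleGroupMember -Identity $GroupName | Format-Table Name, RecipientType

Disconnect-ExchangeOnline -Confirm:$false
```

Role changes can take some time to apply to new app-only sessions, so reconnect with the certificate before re-running the query from the question.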