Test-ServicePrincipalAuthorization

This cmdlet is available only in the cloud-based service.

Use the Test-ServicePrincipalAuthorization cmdlet to test the access granted by role-based access control (RBAC) for Applications. For more information, see Role Based Access Control for Applications in Exchange Online.

For information about the parameter sets in the Syntax section below, see Exchange cmdlet syntax.

Syntax

Test-ServicePrincipalAuthorization
    [-Identity] <ServicePrincipalIdParameter>
    [-Confirm]
    [-Resource <UserIdParameter>]
    [-WhatIf]
    [<CommonParameters>]

Description

You need to be assigned permissions before you can run this cmdlet. Although this topic lists all parameters for the cmdlet, you may not have access to some parameters if they're not included in the permissions assigned to you. To find the permissions required to run any cmdlet or parameter in your organization, see Find the permissions required to run any Exchange cmdlet.

Examples

Example 1

PS C:\> Test-ServicePrincipalAuthorization -Identity "DemoB" -Resource "Mailbox A" | Format-Table

RoleName                      GrantedPermissions          AllowedResourceScope        ScopeType                 InScope
--------                      ------------------          --------------------        ---------                 ------
Application Mail.Read         Mail.Read                   Canadian Employees           CustomRecipientScope     True
Application Calendars.Read    Calendars.Read              4d819ce9-9257-44..           AdministrativeUnit       False
Application Contacts.Read     Contacts.Read               Organization                 Organization             True

This example tests whether the service principal (the app named "DemoB") can exercise each of its assigned permissions against the target mailbox named "Mailbox A". The InScope column indicates whether the mailbox is a member of each scope.

Example 2

PS C:\> Test-ServicePrincipalAuthorization -Identity "DemoB" | Format-Table

RoleName                      GrantedPermissions          AllowedResourceScope        ScopeType                 InScope
--------                      ------------------          --------------------        ---------                 ------
Application Mail.Read         Mail.Read                   Canadian Employees           CustomRecipientScope     Not Run
Application Calendars.Read    Calendars.Read              4d819ce9-9257-44..           AdministrativeUnit       Not Run
Application Contacts.Read     Contacts.Read               Organization                 Organization             Not Run

This example tests the entitlement of the app named "DemoB", including which permissions it has at which scopes. Because the command doesn't use the Resource parameter, the scope membership check is not run.
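The following added example (not part of the original cmdlet documentation) uses the InScope results to check an app's effective mailbox access against an intended least-privilege policy, reporting permissions that reach a mailbox they should not and expected permissions that are missing. It assumes an already connected Exchange Online PowerShell session; the mailbox addresses and the expected permission sets are constructed placeholders.

```powershell
# Added example: compare effective scoped access with the intended policy.
# Assumes a connected Exchange Online PowerShell session.
# 'DemoB' is the app from the examples above; the mailbox addresses and the
# expected permission sets are constructed placeholders.
$App = 'DemoB'
$Expected = @{
    'in.scope@contoso.example'     = @('Mail.Read')
    'out.of.scope@contoso.example' = @()
}

$Findings = foreach ($Mailbox in $Expected.Keys) {
    $Rows = @(Test-ServicePrincipalAuthorization -Identity $App -Resource $Mailbox -ErrorAction Stop)

    # Keep only assignments whose scope contains this mailbox.
    # InScope is compared as text because it can also read "Not Run".
    $InScope   = @($Rows | Where-Object { "$($_.InScope)" -eq 'True' })
    $Effective = @($InScope | ForEach-Object { $_.GrantedPermissions } |
                   ForEach-Object { "$_" } | Sort-Object -Unique)

    # Access the policy did not intend, with the scope that grants it.
    foreach ($Row in $InScope) {
        foreach ($Permission in @($Row.GrantedPermissions | ForEach-Object { "$_" })) {
            if ($Expected[$Mailbox] -notcontains $Permission) {
                [pscustomobject]@{
                    Mailbox = $Mailbox; Status = 'UNEXPECTED ACCESS'; Permission = $Permission
                    Scope = $Row.AllowedResourceScope; ScopeType = $Row.ScopeType
                }
            }
        }
    }

    # Access the policy intended but no in-scope assignment provides.
    foreach ($Permission in $Expected[$Mailbox]) {
        if ($Effective -notcontains $Permission) {
            [pscustomobject]@{
                Mailbox = $Mailbox; Status = 'MISSING ACCESS'; Permission = $Permission
                Scope = $null; ScopeType = $null
            }
        }
    }
}

$Findings | Format-Table -AutoSize
```

With assignments like those in Example 1, the Organization-scoped Contacts.Read role would be reported as unexpected access for both mailboxes, because an Organization scope contains every mailbox.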

Parameters

-Confirm

This parameter is reserved for internal Microsoft use.

Type:SwitchParameter
Aliases:cf
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Online, Exchange Online Protection

-Identity

The Identity parameter specifies the service principal that you want to test. You can use any value that uniquely identifies the service principal. For example:

  • Name
  • Distinguished name (DN)
  • GUID
  • AppId
  • ServiceId

Type:ServicePrincipalIdParameter
Position:0
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False
Applies to:Exchange Online, Exchange Online Protection

-Resource

The Resource parameter specifies the target mailbox where the scoped permissions apply. You can use any value that uniquely identifies the mailbox. For example:

  • Name
  • Distinguished name (DN)
  • Canonical DN
  • GUID

Type:UserIdParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False
Applies to:Exchange Online, Exchange Online Protection

-WhatIf

This parameter is reserved for internal Microsoft use.

Type:SwitchParameter
Aliases:wi
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Online, Exchange Online Protection