Test-ServicePrincipalAuthorization
This cmdlet is available only in the cloud-based service.
Use the Test-ServicePrincipalAuthorization cmdlet to test the access granted by role-based access control (RBAC) for Applications. For more information, see Role Based Access Control for Applications in Exchange Online.
For information about the parameter sets in the Syntax section below, see Exchange cmdlet syntax.
Syntax
Test-ServicePrincipalAuthorization
    [-Identity] <ServicePrincipalIdParameter>
    [-Confirm]
    [-Resource <UserIdParameter>]
    [-WhatIf]
    [<CommonParameters>]
Description
You need to be assigned permissions before you can run this cmdlet. Although this topic lists all parameters for the cmdlet, you may not have access to some parameters if they're not included in the permissions assigned to you. To find the permissions required to run any cmdlet or parameter in your organization, see Find the permissions required to run any Exchange cmdlet.
Examples
Example 1
PS C:\> Test-ServicePrincipalAuthorization -Identity "DemoB" -Resource "Mailbox A" | Format-Table
RoleName                   GrantedPermissions AllowedResourceScope ScopeType            InScope
--------                   ------------------ -------------------- ---------            ------
Application Mail.Read      Mail.Read          Canadian Employees   CustomRecipientScope True
Application Calendars.Read Calendars.Read     4d819ce9-9257-44..   AdministrativeUnit   False
Application Contacts.Read  Contacts.Read      Organization         Organization         True
This example tests if this service principal (the app named "DemoB") can exercise each of its assigned permissions against the target mailbox named "Mailbox A." The membership in the scope is indicated by the InScope column.
Example 2
PS C:\> Test-ServicePrincipalAuthorization -Identity "DemoB" | Format-Table
RoleName                   GrantedPermissions AllowedResourceScope ScopeType            InScope
--------                   ------------------ -------------------- ---------            ------
Application Mail.Read      Mail.Read          Canadian Employees   CustomRecipientScope Not Run
Application Calendars.Read Calendars.Read     4d819ce9-9257-44..   AdministrativeUnit   Not Run
Application Contacts.Read  Contacts.Read      Organization         Organization         Not Run
This example tests the entitlement of the app named "DemoB", including which permissions it has at which scopes. Because the command doesn't use the Resource parameter, the scope membership check is not run.
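The following is an added example, not part of the original cmdlet documentation: a least-privilege check that runs the scope test from Example 1 against several mailboxes and compares InScope with what is intended for the app. It assumes an already connected Exchange Online PowerShell session, that the output objects expose properties named as in the column headers above, and that InScope can be compared as text; the mailbox "Placeholder Exec Mailbox" and the $Expected map are constructed for illustration.

```powershell
# Added example. Assumes an active session (Connect-ExchangeOnline) and
# permission to run Test-ServicePrincipalAuthorization.
$App = 'DemoB'                             # app name from the page's examples

# Constructed expectations: $true = the app is meant to reach the mailbox.
$Expected = [ordered]@{
    'Mailbox A'                = $true
    'Placeholder Exec Mailbox' = $false    # hypothetical mailbox, must stay out of scope
}

$findings = foreach ($mailbox in $Expected.Keys) {
    $rows = Test-ServicePrincipalAuthorization -Identity $App -Resource $mailbox
    foreach ($row in $rows) {
        # InScope is shown as True / False / Not Run, so compare it as text.
        $inScope = "$($row.InScope)" -eq 'True'

        $finding = if ($inScope -and -not $Expected[$mailbox]) {
            'Unexpected access'            # role reaches a mailbox it should not
        } elseif ("$($row.ScopeType)" -eq 'Organization') {
            'Organization-wide grant'      # unscoped role, review the need for it
        } elseif (-not $inScope -and $Expected[$mailbox]) {
            'Not reachable via this role'  # informational: scope excludes the mailbox
        } else {
            'OK'
        }

        [pscustomobject]@{
            Mailbox              = $mailbox
            RoleName             = $row.RoleName
            GrantedPermissions   = $row.GrantedPermissions
            ScopeType            = $row.ScopeType
            AllowedResourceScope = $row.AllowedResourceScope
            InScope              = $inScope
            Finding              = $finding
        }
    }
}

$findings | Sort-Object Finding, Mailbox | Format-Table -AutoSize

# Surface the case that matters most for a scoping review.
$violations = @($findings | Where-Object Finding -eq 'Unexpected access')
if ($violations.Count -gt 0) {
    Write-Warning "$App has $($violations.Count) role assignment(s) reaching mailboxes that should be out of scope."
}
```

Because the check is per role assignment, a mailbox that is out of scope for one role can still be reachable through another, which is why an organization-scoped row is reported separately.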
Parameters
-Confirm
This parameter is reserved for internal Microsoft use.
Type: | SwitchParameter |
Aliases: | cf |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Exchange Online, Exchange Online Protection |
-Identity
The Identity parameter specifies the service principal that you want to test. You can use any value that uniquely identifies the service principal. For example:
- Name
- Distinguished name (DN)
- GUID
- AppId
- ServiceId
Type: | ServicePrincipalIdParameter |
Position: | 0 |
Default value: | None |
Required: | True |
Accept pipeline input: | True |
Accept wildcard characters: | False |
Applies to: | Exchange Online, Exchange Online Protection |
-Resource
The Resource parameter specifies the target mailbox where the scoped permissions apply. You can use any value that uniquely identifies the mailbox. For example:
- Name
- Distinguished name (DN)
- Canonical DN
- GUID
Type: | UserIdParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
Applies to: | Exchange Online, Exchange Online Protection |
-WhatIf
This parameter is reserved for internal Microsoft use.
Type: | SwitchParameter |
Aliases: | wi |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Exchange Online, Exchange Online Protection |