Azue runbook - Exchange PowerShell

Daniel Birrell 41 Reputation points
2024-07-12T14:18:19.4366667+00:00

We are trying to automate mail flow reporting via Azure runbooks using an app registration (service principal) to authenticate. The runbook will query Exhchange Online powershell modules for mailflow data.

The only Entra permissions that seem to allow this is Global Admin or Global Reader.

If we were running this script and authenticating as a user then we could apply one of the compliance portal permissions to the user (Organization Management) for example

This script however is running in azure via a schedule and the app registration (service principal) required entra level permissions.

https://learn.microsoft.com/en-us/powershell/exchange/find-exchange-cmdlet-permissions?view=exchange-ps

Surely there is another way this can be automated?

We use runbooks to query API's and store the resulting data in Azure container storage and then out to PowerBI reporting.

We would really like to report on mailfllow in this manner without having to over privelage our (service principal

Microsoft Exchange Online
Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
12,253 questions
Azure Automation
Azure Automation
An Azure service that is used to automate, configure, and install updates across hybrid environments.
1,257 questions
PowerShell
PowerShell
A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
2,582 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Vasil Michev 107.7K Reputation points MVP
    2024-07-12T15:34:07.53+00:00

    Security reader should also work. And if you want to go more granular, Exchange Online now supports role assignments to service principals, so in theory you can create/use a role with just the cmdlets you want. I have some notes on the process here: https://michev.info/blog/post/4302/exo-rbac-improvements-3-limiting-cba

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.