How to control permissions to PowerShell Commands using Exchange Online Application Permissions

Piyumi Perera 106 Reputation points

Hi all,

I have a console app created to read Journal Rules. To do that, I am following the app-only authentication as described here - app-only-auth-powershell-v2

But according to the documentation, we have to add Exchange.ManageAsApp as the configured permission. That indicates we are allowing management of the organization's Exchange environment without any user interaction.

My requirement is to allow access only to get Journal Rules, and when I went through the documentation I found that the following permissions are required to execute the "Get-JournalRule" command.

  • Journaling
  • ComplianceAdmin
  • O365SupportViewConfig
  • ViewOnlyConfiguration

Is there any configuration I need to do at the application level to allow only the required permissions?


1 answer

  1. Vasil Michev 100K Reputation points MVP

    You need to assign both the Exchange.ManageAsApp permission AND an admin role to the corresponding service principal, so you do have some control over what permission it gets. Unfortunately, custom Exchange roles are not yet supported, but for your scenario you can try the Global Reader role, if only permissions to the Get-JournalRule cmdlet are required.
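
The setup described in the answer above, as an added example that is not part of the original thread: it assigns the Global Reader directory role to the app's service principal, audits which directory roles that principal holds, then connects app-only and reads the journal rules. It assumes the Microsoft Graph PowerShell and ExchangeOnlineManagement modules are installed and that Exchange.ManageAsApp has already been granted; the app ID, organization and thumbprint are placeholders.

```powershell
# Placeholders (assumptions, not values from the thread)
$AppId        = '00000000-0000-0000-0000-000000000000'  # app registration client ID
$Organization = 'contoso.onmicrosoft.com'               # tenant primary domain
$Thumbprint   = '<CERTIFICATE-THUMBPRINT>'              # cert registered on the app

# 1. As an administrator, locate the service principal and the Global Reader role.
Connect-MgGraph -Scopes 'Application.Read.All', 'RoleManagement.ReadWrite.Directory'
$sp   = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Reader'"
if (-not $sp -or -not $role) { throw 'Service principal or role definition not found.' }

# 2. Assign the role at tenant scope only if it is not already assigned.
$assignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($sp.Id)'"
if (-not ($assignments | Where-Object RoleDefinitionId -eq $role.Id)) {
    New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $sp.Id `
        -RoleDefinitionId $role.Id -DirectoryScopeId '/' | Out-Null
}

# 3. Audit: list every directory role the service principal holds, so a broader
#    role (for example Exchange Administrator) left over from testing is noticed.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($sp.Id)'" |
    ForEach-Object {
        (Get-MgRoleManagementDirectoryRoleDefinition `
            -UnifiedRoleDefinitionId $_.RoleDefinitionId).DisplayName
    }

# 4. Connect as the app (no user interaction) and read the journal rules.
Connect-ExchangeOnline -AppId $AppId -CertificateThumbprint $Thumbprint `
    -Organization $Organization -ShowBanner:$false
Get-JournalRule | Select-Object Name, Enabled, JournalEmailAddress, Scope

# 5. Check which journal-rule write cmdlets this session exposes.
$write = Get-Command -Name New-JournalRule, Set-JournalRule, Remove-JournalRule `
    -ErrorAction SilentlyContinue
if ($write) {
    Write-Warning "Write cmdlets available to the app: $($write.Name -join ', ')"
} else {
    'No journal-rule write cmdlets are available to this app.'
}

Disconnect-ExchangeOnline -Confirm:$false
```

A new role assignment can take some time to become effective, so step 4 may fail if it is run immediately after step 2.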