Security & Compliance PowerShell module: eDiscovery cmdlets are not available when using app-only authentication.

Roman Leshchenko 10 Reputation points
2023-05-22T15:26:58.32+00:00

Hi Team!

I would like to use my own Azure application so I can work with the Security & Compliance cmdlets. So I've created a multitenant Azure application, added the Exchange.ManageAsApp API permission (application scope) and granted it.


After that I added 2 Azure built-in roles for the app's service principal:

  • Exchange Administrator
  • Compliance administrator


All the steps above I did based on MS documentation.

I also assigned all needed roles in MS Purview portal based on this documentation.


So, when I get a token from https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token

using the following body:

client_id: <client_id>
client_secret: <client_secret>
scope: https://outlook.office365.com/.default
grant_type: client_credentials

I use this token to connect to Security & Compliance:

$accessToken = "<access_token>"
$exTokValue = (ConvertTo-SecureString "Bearer $accessToken" -AsPlainText -Force)
$exCred = New-Object System.Management.Automation.PSCredential("<tenant_upn>", $exTokValue)
$exUrl = "https://ps.compliance.protection.outlook.com/powershell-liveid?BasicAuthToOAuthConversion=true"
$O365Sess = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $exUrl -Credential $exCred -Authentication Basic -AllowRedirection
Import-PSSession $O365Sess

So, as a result, I get all commands in the session except eDiscovery commands like Add-eDiscoveryCaseAdmin and Get-eDiscoveryCaseAdmin.


Can you help me see where I am missing something?


1 answer

  1. Aholic Liang-MSFT 13,886 Reputation points Microsoft External Staff
    2023-05-23T06:45:27.0433333+00:00

    Hi @Roman Leshchenko,

    If you want users to use any eDiscovery-related tools in the Microsoft Purview compliance portal, you must assign them the appropriate permissions. By default, eDiscovery-related tools and features are unavailable to global or compliance administrators.

    We need to assign the following role permissions to administrators to use the relevant tools and commands:

      • eDiscovery Manager
      • eDiscovery Administrator

    The same goes for Azure applications, and I recommend that you see if anything changes after assigning permissions.

    For more information about eDiscovery permissions, refer to this link: Assign eDiscovery permissions in the Microsoft Purview compliance portal - Microsoft Purview (compliance) | Microsoft Learn


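For the token side of the setup in the question, the following is an added example (not part of the original post or answer) that decodes an app-only access token and reports whether it carries the expected audience, the Exchange.ManageAsApp role and an unexpired lifetime. The function names, the expected audience value (derived from the scope shown in the question) and the sample token are assumptions made for illustration; the code only decodes the payload and does not validate the signature, and it does not cover the Purview role assignments the answer discusses.

```powershell
# Added example: inspect (decode only, no signature validation) an app-only access token.
function ConvertFrom-Base64Url([string]$Text) {
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {          # restore the padding that base64url strips
        2 { $s += '==' }
        3 { $s += '=' }
        1 { throw 'Invalid base64url length.' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Test-AppOnlyTokenClaims {    # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$AccessToken,
        [string]$ExpectedAudience = 'https://outlook.office365.com',  # assumption: from the scope in the question
        [string]$ExpectedRole     = 'Exchange.ManageAsApp'
    )
    $parts = $AccessToken.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWT (expected three dot-separated parts).' }
    $claims  = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    $roles   = @($claims.roles | Where-Object { $_ })   # application permissions granted to the app
    $expires = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp)
    [pscustomobject]@{
        Audience        = $claims.aud
        AudienceMatches = "$($claims.aud)".TrimEnd('/') -eq $ExpectedAudience
        Roles           = $roles
        HasExpectedRole = $roles -contains $ExpectedRole
        TenantId        = $claims.tid
        ExpiresUtc      = $expires.UtcDateTime
        Expired         = $expires -lt [DateTimeOffset]::UtcNow
    }
}

# Constructed sample token (fake signature, placeholder tenant id) so the check runs offline.
function ConvertTo-Base64Url([string]$Text) {
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$payload = @{
    aud   = 'https://outlook.office365.com'
    roles = @('Exchange.ManageAsApp')
    tid   = '00000000-0000-0000-0000-000000000000'
    exp   = [DateTimeOffset]::UtcNow.AddHours(1).ToUnixTimeSeconds()
} | ConvertTo-Json -Compress
$sample = '{0}.{1}.{2}' -f (ConvertTo-Base64Url '{"alg":"RS256","typ":"JWT"}'), (ConvertTo-Base64Url $payload), 'constructed-signature'

Test-AppOnlyTokenClaims -AccessToken $sample
```

To check a real token, pass the value used for `$accessToken` in the question to `Test-AppOnlyTokenClaims -AccessToken`.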

