Hi,
I'm creating an automated solution for some reporting, which is to be run by 1st and 2nd line. Quite recently there has been a new Connect-ExchangeOnline feature that allows connecting with a certificate, using an EXO app registration:
https://www.quadrotech-it.com/blog/certificate-based-authentication-for-exchange-online-remote-powershell/
It's basically a great feature, and the script can run with an automated logon experience...
The problem is that such a connection has full admin permissions. I found information on application restrictions, but the issue there is that it is 'per mailbox', while I need to restrict access, granting RO permissions to all mailboxes (for now and for the future). So this policy is highly unsustainable.
https://learn.microsoft.com/en-us/powershell/module/exchange/new-applicationaccesspolicy?view=exchange-ps
To summarize: I want to write a fully automated script that has RO access to EXO.
- Is there a way to limit registered app permissions globally to RO?
- Is there an option for the application (app registered in AAD) to run in the context of a particular user, so that I could then create roles in EXO?
Suggestions appreciated!