[Azure Runbook] Managed Identity Groups Modifications

Bandurski, Mateusz 20 Reputation points
2023-11-08T11:48:07.8833333+00:00

Hello,

I have a PowerShell script hosted in an Azure Runbook. My script tries to add a user to a mail-enabled security group and displays the following error. How should permissions be assigned for the managed identity to work with mail-enabled security groups?

Error message: ExB6FAB5|Microsoft.Exchange.Configuration.Tasks.OperationRequiresGroupManagerException|You don't have sufficient permissions. This operation can only be performed by a manager of the group.

Code: Add-DistributionGroupMember -Identity $AddressGroup -Member $ExchangeUser.UserPrincipalName

Currently assigned permissions: Office 365 Exchange Online (Exchange.ManageAsApp)


Accepted answer
  1. Jarvis Sun-MSFT 10,196 Reputation points Microsoft Vendor
    2023-11-22T07:08:46.2566667+00:00

    @Bandurski, Mateusz ,

    Glad to see that your issue has already been resolved, and thanks for sharing the solution so that others experiencing the same thing can easily reference it! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

    [Azure Runbook] Managed Identity Groups Modifications

    Issue Symptom:

    How should permissions be assigned for the managed identity to work with mail-enabled security groups?


    Solution:

    The managed identity requires the RBAC role (Security Group Creation and Membership) in Exchange.

    https://learn.microsoft.com/en-us/powershell/module/exchange/new-serviceprincipal?view=exchange-ps
    https://learn.microsoft.com/en-us/exchange/permissions-exo/application-rbac

    Best,

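The following is an added example, not code from the thread, showing the two halves of the fix the accepted answer describes: an Exchange administrator registers the runbook's managed identity as an Exchange service principal and assigns it only the "Security Group Creation and Membership" role (rather than the broader Exchange Administrator directory role), and the runbook then connects with that identity. The app ID, object ID, tenant domain and display name are placeholders; $AddressGroup and $ExchangeUser are assumed to be set earlier in the runbook, as in the question.

```powershell
# ---- Part 1: one-time setup, run interactively by an Exchange administrator ----
# Placeholder values (assumptions): take the real ones from the Automation
# Account's Identity blade (Enterprise application: Application ID / Object ID).
$ManagedIdentityAppId    = '00000000-0000-0000-0000-000000000000'
$ManagedIdentityObjectId = '11111111-1111-1111-1111-111111111111'
$TenantDomain            = 'contoso.onmicrosoft.com'

Connect-ExchangeOnline -UserPrincipalName "admin@$TenantDomain"

# Make the managed identity's service principal known to Exchange Online so it
# can be the assignee of an Exchange RBAC role (see the New-ServicePrincipal doc).
$sp = New-ServicePrincipal -AppId $ManagedIdentityAppId `
                           -ObjectId $ManagedIdentityObjectId `
                           -DisplayName 'runbook-group-membership'

# Least privilege: assign only the role that covers group membership changes.
# Exchange.ManageAsApp alone lets the app authenticate; it grants no Exchange role.
New-ManagementRoleAssignment -App $sp.ObjectId `
                             -Role 'Security Group Creation and Membership'

# Check the assignment landed on the service principal and nothing else.
Get-ManagementRoleAssignment -Role 'Security Group Creation and Membership' |
    Where-Object { $_.RoleAssignee -eq $sp.DisplayName } |
    Format-Table Name, RoleAssignee, RoleAssigneeType

Disconnect-ExchangeOnline -Confirm:$false

# ---- Part 2: inside the Azure Automation runbook ----
# Authenticate as the Automation Account's system-assigned managed identity;
# no stored credentials or certificates are needed in the runbook.
Connect-ExchangeOnline -ManagedIdentity -Organization 'contoso.onmicrosoft.com'

# The call from the question now succeeds because the identity holds the role
# instead of needing to be a manager (owner) of the group.
Add-DistributionGroupMember -Identity $AddressGroup `
                            -Member $ExchangeUser.UserPrincipalName

Disconnect-ExchangeOnline -Confirm:$false
```

For a user-assigned managed identity, Connect-ExchangeOnline additionally takes -ManagedIdentityAccountId with that identity's client ID.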

2 additional answers

  1. Jarvis Sun-MSFT 10,196 Reputation points Microsoft Vendor
    2023-11-09T05:55:40.88+00:00

    Hi @Bandurski, Mateusz ,

    Welcome to our Q&A forum!

    It seems that you need to grant the managed identity the appropriate permissions to add a user to a security mail enabled group in Azure.

    From my research, one possible way to do this is to assign an application role to the managed identity that allows it to access the Microsoft Graph API and perform the Mail.Read operation. This will enable the managed identity to read the mail properties of the security group and add a user to it. You can follow the steps in this Stack Overflow answer to set up the application role and assign it to the managed identity using Azure CLI commands. Reference: https://stackoverflow.com/questions/56157050/grant-o365-mailbox-permission-to-a-managed-identity

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Bandurski, Mateusz 20 Reputation points
    2023-11-16T12:03:20.9033333+00:00