Exchange.Manage delegated permission with Organization Admin doesn't have access to all the Exchange Online cmdlets

Yasitha Pandithawatta 141 Reputation points
2024-04-03T02:01:30.75+00:00

We have an Azure AD multi-tenant application with the Exchange.Manage delegated permission for Office 365 Exchange Online. Once the customer authorizes the application with an Organization Admin, we use the access token to connect to the customer's Exchange Online via the Exchange Online PowerShell module using the Connect-ExchangeOnline cmdlet.

Once we connect, we create an RBAC role and assign it to a service principal. For some of the users we have seen the error below when we execute the cmdlets.

The term 'Get-ServicePrincipal' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

How can we make sure the authorizing user has access to all the cmdlets that we require for our setup? Below are all of the cmdlets that we use.

  • Enable-OrganizationCustomization
  • Get-RoleGroup
  • New-RoleGroup
  • Get-ManagementRole
  • New-ManagementRole
  • New-ManagementRoleAssignment
  • Get-ServicePrincipal
  • New-ServicePrincipal
  • Get-RoleGroupMember
  • Add-RoleGroupMember

Some users still face the same issue even when they use an account that is a member of the Organization Management role.


Accepted answer
  1. Vasil Michev 100.2K Reputation points MVP
    2024-04-03T07:18:37.9433333+00:00

    The Exchange.Manage permission basically means impersonation. On its own, it does not give you any additional permissions compared to what the user already has in Exchange Online. Thus, you also need to make sure that the user(s) in question have been granted the corresponding roles within Exchange Online's RBAC model. For example, to run the Get-ServicePrincipal cmdlet, the user will need to be a member of one of the following:

    [09:59:18][O365]# Get-ManagementRole -Cmdlet Get-ServicePrincipal
    Name            RoleType
    ----            --------
    Role Management RoleManagement

    Rinse and repeat for all cmdlets you want to run.

    2 people found this answer helpful.
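The "rinse and repeat" step from the answer above, as an added example (not code from the question, the answer, or the Exchange Online module). It assumes an existing Exchange Online PowerShell session, uses the cmdlet list from the question, and treats `$UserToCheck` as a placeholder UPN; matching the user against `EffectiveUserName` by the user's `Name` property is an assumption about how that property is populated.

```powershell
# Maps each cmdlet the application needs to the Exchange Online management
# roles that contain it, then reports whether the given user is an effective
# member (directly or via a role group) of at least one of those roles.
# Assumes Connect-ExchangeOnline has already been run in this session.

function Test-RequiredCmdletAccess {
    param(
        [Parameter(Mandatory)] [string]   $UserToCheck,     # placeholder UPN
        [Parameter(Mandatory)] [string[]] $RequiredCmdlets
    )

    # EffectiveUserName is assumed to hold the user's Name, so resolve it once.
    $userName = (Get-User -Identity $UserToCheck).Name

    foreach ($cmdlet in $RequiredCmdlets) {
        # Same query the answer shows: which roles include this cmdlet?
        $roles = @(Get-ManagementRole -Cmdlet $cmdlet -ErrorAction SilentlyContinue)

        if ($roles.Count -eq 0) {
            Write-Warning "$cmdlet : no management role in this tenant grants it"
        }

        # Expand every assignment of those roles to its effective users
        # (role group members included) and look for our user.
        $effectiveUsers = foreach ($role in $roles) {
            Get-ManagementRoleAssignment -Role $role.Name -GetEffectiveUsers |
                Select-Object -ExpandProperty EffectiveUserName
        }

        [pscustomobject]@{
            Cmdlet    = $cmdlet
            Roles     = ($roles.Name -join ', ')
            HasAccess = [bool]($effectiveUsers -contains $userName)
        }
    }
}

# Cmdlets listed in the question; the UPN is a constructed placeholder.
$RequiredCmdlets = @(
    'Enable-OrganizationCustomization', 'Get-RoleGroup', 'New-RoleGroup',
    'Get-ManagementRole', 'New-ManagementRole', 'New-ManagementRoleAssignment',
    'Get-ServicePrincipal', 'New-ServicePrincipal',
    'Get-RoleGroupMember', 'Add-RoleGroupMember'
)

Test-RequiredCmdletAccess -UserToCheck 'admin@contoso.onmicrosoft.com' `
                          -RequiredCmdlets $RequiredCmdlets |
    Format-Table Cmdlet, HasAccess, Roles -AutoSize
```

Any row with `HasAccess` false names the roles (in the `Roles` column) that the authorizing user still needs, for example via Add-RoleGroupMember on a role group that holds that role.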
