Exchange.Manage delegated permission with Organization Admin doesn't have access to all the exchange online cmdlets

Yasitha Pandithawatta 141 Reputation points
2024-04-03T02:01:30.75+00:00

We have a azure ad multi tenant application with Exchange.Manage delegated permission for Office 365 Exchange Online. Once the customer authorize the application with Organization Admin, we use the access token to connect to customer's exchange online via Exchange Online Powershell module using Connect-ExchangeOnline cmdlet.

Once we connect we are creating a RBAC role and assigning to a service principle. For some of the users we have seen below error when we execute the cmedlets.

The term 'Get-ServicePrincipal' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

How can we make sure the authorize user has access to all the cmdlets that we require for our setup. Below are the all of the cmdlets that we use.

  • Enable-OrganizationCustomization
  • Get-RoleGroup
  • New-RoleGroup
  • Get-ManagementRole
  • New-ManagementRole
  • New-ManagementRoleAssignment
  • Get-ServicePrincipal
  • New-ServicePrincipal
  • Get-RoleGroupMember
  • Add-RoleGroupMember

For some users, even if they use a user who is a part of Organization Management role, still face the same issue.

Microsoft Exchange Online
Microsoft Exchange Online Management
Microsoft Exchange Online Management
Microsoft Exchange Online: A Microsoft email and calendaring hosted service.Management: The act or process of organizing, handling, directing or controlling something.
4,631 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,489 questions
0 comments No comments
{count} votes

Accepted answer
  1. Vasil Michev 109.9K Reputation points MVP
    2024-04-03T07:18:37.9433333+00:00

    The Exchange.Manage permissions basically means impersonation. On its own, it does not give you any additional permissions compared to what the user already has in Exchange Online. Thus, you need to also make sure that the user(s) in question have been granted the corresponding roles within Exchange Online's RBAC model. For example, to run the Get-ServicePrincipal cmdlet, the user will need to be a member of one of the following:

    [09:59:18][O365]# Get-ManagementRole -Cmdlet Get-ServicePrincipal
    Name            RoleType
    ----            --------
    Role Management RoleManagement
    

    Rinse and repeat for all cmdlets you want to run.

    2 people found this answer helpful.

0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.