This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(288, 78%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
I have some Exchange Online PS scripts that I'm running in my own tenant using system-assigned managed identity to avoid interactive and certificate based sign in. Is it possible to run those scripts in another tenant? Say, for example, a customer wants me to run scripts to generate reports for some mail related info in their own tenant. Is there a way that I can run those scripts without having to sign in to the customer's tenant? Maybe if they provide me with their managed identity and possibly other permissions?
I've been doing loads of research but I have a very vague idea and not sure if this is an achievable approach or if there's another option.
No, unless you have access to their Azure environment. You can use a generic multi-tenant service principal instead, but they do need to consent to the required permissions (Exchange.ManageAsApp), and you will need to provide client secret or certificate to authenticate.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hi, @ash7f
Yes, that's right, as Vasul Michev said. Your customers can create an Azure AD application in their tenant and grant the application the necessary API permissions for Exchange Online. Admins in the customer tenant are required to provide admin consent for the requested permissions. You also need to set up a client secret or certificate for application registration.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 26%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EN%3C/text%3E%3C/svg%3E)