custom RBAC for Enterprise Application in Azure AD?

AZLearner 96 Reputation points
2022-03-01T00:04:39.093+00:00

Hi,

I have an internal application that connects to an Enterprise Application in Azure which in turn uses the following PowerShell cmdlets to find Exchange Online message tracking information.

New-ExoPSSession
Get-MessageTrace

Essentially I am following https://learn.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps#step-5-assign-azure-ad-roles-to-the-application to set it up. The above URL mentions that only the listed built-in Azure AD roles are supported. If I add the new Enterprise App to the Exchange Administrator role, it works fine, but it gives the app full privileges to Exchange Online, which is not good. I am curious whether I can create a custom role in the Azure AD portal with more limited access to Exchange Online, such as read-only access. However, when I go to Azure portal > Roles and Administrators > New Custom Role, there are no Exchange-related actions listed. And it looks like it does not allow cloning from a built-in role either.

Does anyone have an idea whether I can create a custom role similar to the built-in Exchange Administrator role? Or a better way to grant the enterprise application access to Exchange Online?

Thank you.

Tags: Exchange Online, Azure Role-based access control, Microsoft Security | Microsoft Entra | Microsoft Entra ID

2 answers

  1. AZLearner 96 Reputation points
    2022-03-02T03:21:02.07+00:00

    Also, I am trying to create a custom role based on https://learn.microsoft.com/en-us/azure/active-directory/roles/custom-create#create-the-custom-role to see whether I can include microsoft.office365.exchange/allEntities/standard/read in the new custom role, but it does not recognize the New-AzureADMSRoleDefinition cmdlet. I have AzureAD 2.0.2.128 module loaded and I see many other cmdlets, but not New-AzureADMSRoleDefinition. Any idea what's missing here?

    PS C:\> get-module AzureAD | select -ExpandProperty ExportedCommands | findstr New-AzureADMS  
    New-AzureADMSAdministrativeUnit                                   New-AzureADMSAdministrativeUnit  
    New-AzureADMSApplication                                          New-AzureADMSApplication  
    New-AzureADMSApplicationExtensionProperty                         New-AzureADMSApplicationExtensionProperty  
    New-AzureADMSApplicationKey                                       New-AzureADMSApplicationKey  
    New-AzureADMSApplicationPassword                                  New-AzureADMSApplicationPassword  
    New-AzureADMSConditionalAccessPolicy                              New-AzureADMSConditionalAccessPolicy  
    New-AzureADMSGroup                                                New-AzureADMSGroup  
    New-AzureADMSGroupLifecyclePolicy                                 New-AzureADMSGroupLifecyclePolicy  
    New-AzureADMSIdentityProvider                                     New-AzureADMSIdentityProvider  
    New-AzureADMSInvitation                                           New-AzureADMSInvitation  
    New-AzureADMSNamedLocationPolicy                                  New-AzureADMSNamedLocationPolicy  
    New-AzureADMSPermissionGrantConditionSet                          New-AzureADMSPermissionGrantConditionSet  
    New-AzureADMSPermissionGrantPolicy                                New-AzureADMSPermissionGrantPolicy  
    PS C:\>  
    

    Thank you.


  2. Rob Shinwell 1 Reputation point
    2022-11-16T09:41:44.17+00:00

    Hi @AZLearner, did you find an answer to this? I am also wanting to create a custom role with limited Exchange access for exactly the same purpose.

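The following is an added worked example, not code from the original question or either reply. It shows the least-privilege alternative to the Exchange Administrator role that the question is asking for: instead of an Azure AD role (custom Azure AD roles expose no Exchange actions, as the question observes), grant the application an Exchange Online RBAC role group that contains only the role holding the cmdlet the app needs. Assumptions: the ExchangeOnlineManagement module is installed, the session is opened with Connect-ExchangeOnline as an administrator in Organization Management, $AppId is the application (client) ID and $SpObjectId is the object ID of the enterprise application's service principal (not of the app registration). The role group name is invented for the example, and the New-ServicePrincipal parameter is written as -ServiceId as I recall it from current module versions (older versions called it -ObjectId); confirm with Get-Help New-ServicePrincipal before running this in a tenant.

```powershell
# Added example (not from the original thread). See the lead-in for assumptions.
param(
    [Parameter(Mandatory)] [string] $AppId,        # Application (client) ID of the enterprise app
    [Parameter(Mandatory)] [string] $SpObjectId,   # Object ID of the app's *service principal*
    [string] $RoleGroupName = 'App-MessageTrace-ReadOnly',  # hypothetical name for this example
    [string] $RoleName      = 'Message Tracking'            # replace with a role found in step 1 if different
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Step 1: least-privilege check. Ask Exchange RBAC which management roles contain
# the only cmdlet the app calls, then pick the narrowest one. Do this before assigning anything.
$rolesWithCmdlet = Get-ManagementRole -Cmdlet Get-MessageTrace
$rolesWithCmdlet | Select-Object Name | Format-Table -AutoSize
if (-not ($rolesWithCmdlet.Name -contains $RoleName)) {
    throw "Role '$RoleName' does not contain Get-MessageTrace; choose one of the roles listed above."
}

# Step 2: register the enterprise application inside Exchange Online RBAC. This is a
# separate object from the Azure AD service principal and must be created once.
$sp = Get-ServicePrincipal -Identity $SpObjectId -ErrorAction SilentlyContinue
if (-not $sp) {
    # Parameter name assumed to be -ServiceId (older module versions: -ObjectId).
    $sp = New-ServicePrincipal -AppId $AppId -ServiceId $SpObjectId -DisplayName 'Message trace app'
}

# Step 3: create a role group that holds only the required role, and add the service
# principal as its member. Nothing in this group grants write access to mailboxes or config.
if (-not (Get-RoleGroup -Identity $RoleGroupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $RoleGroupName -Roles $RoleName `
        -Description 'App-only access limited to message trace queries'
}
Add-RoleGroupMember -Identity $RoleGroupName -Member $sp.Identity

# Step 4: verify the effective assignments. The service principal should resolve to
# exactly the role(s) in this group and nothing broader.
Get-ManagementRoleAssignment -RoleAssignee $sp.Identity |
    Select-Object Role, RoleAssigneeName, RoleAssigneeType, AssignmentMethod |
    Format-Table -AutoSize
```

The point of step 1 is that Get-ManagementRole -Cmdlet is the authoritative way to find which roles expose a cmdlet; guessing a role from its name is how over-broad grants happen. After the assignment, the app's Connect-ExchangeOnline session is limited to the cmdlets in the assigned role, so Get-MessageTrace works while, for example, Set-Mailbox does not.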
