This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 90%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDB%3C/text%3E%3C/svg%3E)
We are trying to automate mail flow reporting via Azure runbooks using an app registration (service principal) to authenticate. The runbook will query Exhchange Online powershell modules for mailflow data.
The only Entra permissions that seem to allow this is Global Admin or Global Reader.
If we were running this script and authenticating as a user then we could apply one of the compliance portal permissions to the user (Organization Management) for example
This script however is running in azure via a schedule and the app registration (service principal) required entra level permissions.
Surely there is another way this can be automated?
We use runbooks to query API's and store the resulting data in Azure container storage and then out to PowerBI reporting.
We would really like to report on mailfllow in this manner without having to over privelage our (service principal
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(70.4, 18%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENM%3C/text%3E%3C/svg%3E)
Hi @Daniel Birrell ,
Just checking in to see if the information was helpful.
If the issue has been resolved, please mark the helpful replies as answers.
If the answer is any of help to you, please click on ACCEPT ANSWER as it could help other members of the Microsoft Q&A community who have similar questions to reference. It will also help the community grow to help you better in the future!
Thanks for your understanding.
Accepting an answer helps other community members to know the answer helped you. It is also a way to thank and recognize the person who helped you.
Security reader should also work. And if you want to go more granular, Exchange Online now supports role assignments to service principals, so in theory you can create/use a role with just the cmdlets you want. I have some notes on the process here: https://michev.info/blog/post/4302/exo-rbac-improvements-3-limiting-cba