microsoft / Microsoft365DSC

Manages, configures, extracts and monitors Microsoft 365 tenant configurations
https://aka.ms/M365DSC
MIT License

Request: Please update required permissions for Exchange #3080

Open GruberMarkus opened 1 year ago

GruberMarkus commented 1 year ago

Please update the required permissions for Exchange.

In our environment, 'Exchange.ManageAsApp' is not enough to read the Exchange Online configuration.

Also, Get-M365DSCCompiledPermissionList does not give consistent permission information. For read access, it would be great if the permissions followed the least privilege principle.

The following output shows the inconsistencies I mean:

PS C:\> Get-M365DSCCompiledPermissionList -ResourceNameList @('EXOAcceptedDomain')
Name                           Value
----                           -----
RequiredRoles                  {Retention Management, Remote and Accepted Domains, Distribution Groups, View-Only Co...
Read                           {System.Collections.Hashtable}
RequiredRoleGroups             {Organization Management}
Update                         {System.Collections.Hashtable}

PS C:\> Get-M365DSCCompiledPermissionList -ResourceNameList @('EXOAcceptedDomain') -AccessType 'Read' -PermissionType 'Delegated'

PS C:\> Get-M365DSCCompiledPermissionList -ResourceNameList @('EXOAcceptedDomain') -AccessType 'Update' -PermissionType 'Delegated'

PS C:\> Get-M365DSCCompiledPermissionList -ResourceNameList @('EXOAcceptedDomain') -AccessType 'Read' -PermissionType 'Application'
Name                           Value
----                           -----
API                            Exchange
PermissionName                 Exchange.ManageAsApp

PS C:\> Get-M365DSCCompiledPermissionList -ResourceNameList @('EXOAcceptedDomain') -AccessType 'Update' -PermissionType 'Application'

Name                           Value
----                           -----
API                            Exchange
PermissionName                 Exchange.ManageAsApp

Unfortunately, the online help at https://microsoft365dsc.com/user-guide/get-started/authentication-and-permissions/#exchange-permissions also does not clearly describe which permissions are really needed in which scenario.

ykuijs commented 1 year ago

This article describes the required permissions: https://learn.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps#step-5-assign-azure-ad-roles-to-the-application

We will make sure this is added to the documentation

GruberMarkus commented 1 year ago

Thanks!

It will be interesting to know which of the permissions are the minimum required ones for which scenario.

NikCharlebois commented 1 year ago

From an actual M365DSC ask, what can we do to make your life easier figuring out what permissions are required? What type of documentation improvements would prove useful to your org?

GruberMarkus commented 1 year ago

At the moment, we only want to export the settings of our tenant and are evaluating Microsoft365DSC for this.

As we are restrictive with permissions, we are looking for the minimum set of permissions required for a full export.

The future steps in our roadmap:

Thanks in advance!

NikCharlebois commented 1 year ago

Ok, so to get back to the initial reported issue, the following command:

Get-M365DSCCompiledPermissionList -ResourceNameList @('EXOAcceptedDomain')

is expected to return all permissions and roles, whereas the other commands list app or delegated permissions, which are Graph related only, and therefore Exchange-specific roles aren't returned. This is the expected behavior. The recommendation is to use the cmdlet above to retrieve all required permissions and roles, which are the minimal required ones for either reading or updating configuration.

In your case, you will need to grant your App Registration's Service Principal the minimum required Exchange roles.

GruberMarkus commented 1 year ago

I doubt that 'Organization Management' is the least possible privilege to read the whole Exchange Online configuration as there is a 'View-Only Organization Management' role, but I will discuss it with the administrators.

NikCharlebois commented 1 year ago

Sorry my bad, I thought you were initially referring to the Get-M365DSCCompiledPermissionList not returning the information from the settings files. I understand now that your issue is that the permissions listed in the settings file aren't necessarily the right ones. We will investigate this further. I agree with you that View-Only permissions should be used for the Export scenario.
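A check for the question raised in this thread, added here as an example and not code from the Microsoft365DSC project: it compares the RequiredRoles that Get-M365DSCCompiledPermissionList reports for a set of resources against the management roles actually contained in a candidate Exchange Online role group such as 'View-Only Organization Management'. It assumes the Microsoft365DSC and ExchangeOnlineManagement modules are installed and an existing Connect-ExchangeOnline session; the function name is my own.

```powershell
# Added example (not part of Microsoft365DSC). Assumes Microsoft365DSC and
# ExchangeOnlineManagement are installed and Connect-ExchangeOnline has been run.
function Test-M365DSCRoleGroupCoverage {
    [CmdletBinding()]
    param(
        # Resources you intend to export; the thread's example resource is the default.
        [string[]] $ResourceNameList = @('EXOAcceptedDomain'),
        # Exchange Online role group you would like to grant instead of Organization Management.
        [string]   $CandidateRoleGroup = 'View-Only Organization Management'
    )

    # 1. Ask Microsoft365DSC which roles the chosen resources need. Without
    #    -AccessType/-PermissionType the cmdlet returns Exchange roles as well as
    #    Graph permissions (see the thread above).
    $compiled      = Get-M365DSCCompiledPermissionList -ResourceNameList $ResourceNameList
    $requiredRoles = @($compiled.RequiredRoles | ForEach-Object { [string]$_ } | Sort-Object -Unique)

    # 2. Read the management roles contained in the candidate role group.
    $group      = Get-RoleGroup -Identity $CandidateRoleGroup -ErrorAction Stop
    $groupRoles = @($group.Roles | ForEach-Object { [string]$_ } | Sort-Object -Unique)

    # 3. Split the required roles into those the group grants and those it does not.
    $covered = @($requiredRoles | Where-Object { $groupRoles -contains $_ })
    $missing = @($requiredRoles | Where-Object { $groupRoles -notcontains $_ })

    [pscustomobject]@{
        ResourceNameList  = ($ResourceNameList -join ', ')
        RoleGroup         = $CandidateRoleGroup
        RequiredRoleCount = $requiredRoles.Count
        CoveredRoles      = $covered
        MissingRoles      = $missing
        FullyCovered      = ($missing.Count -eq 0)
    }
}

# Usage: evaluate the view-only role group for the resources you plan to export.
Test-M365DSCRoleGroupCoverage -ResourceNameList @('EXOAcceptedDomain') |
    Format-List
```

A role listed under MissingRoles does not by itself mean an export will fail: view-only roles grant the Get-* cmdlets of many write roles, so the definitive test is a trial export under the candidate role group. Roles that are missing and do turn out to be needed for reading are the ones worth reporting back on this issue.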

Infy-Ayusi commented 11 months ago

Hello, is this issue answered? I am looking for a similar solution to grant least privilege access to my Azure AD App (Certificate Auth) to fetch Exchange and Compliance policies.

GruberMarkus commented 11 months ago

> Hello, is this issue answered? I am looking for a similar solution to grant least privilege access to my Azure AD App (Certificate Auth) to fetch Exchange and Compliance policies.

This seems to be a question for you, @NikCharlebois.

GruberMarkus commented 10 months ago

Hi @NikCharlebois,

do you have any updates on this issue?