Open GruberMarkus opened 1 year ago
This article describes the required permissions: https://learn.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps#step-5-assign-azure-ad-roles-to-the-application
We will make sure this is added to the documentation
Thanks!
It will be interesting to know which of the permissions are the minimum required ones for which scenario.
From an actual M365DSC ask, what can we do to make your life easier figuring out what permissions are required? What type of documentation improvements would prove useful to your org?
At the moment, we only want to export the settings of our tenant and are evaluating Microsoft365DSC for this.
As we are restrictive with permissions, we are looking for the minimum set of permissions required for a full export.
The future steps in our roadmap:
Thanks in advance!
Ok, so to get back to the initial reported issue, the following command:
Get-M365DSCCompiledPermissionList -ResourceNameList @('EXOAcceptedDomain')
Is expected to return all permissions and roles, whereas the other command's lists specify app or delegated permissions, which are Graph-related only, and therefore Exchange-specific roles aren't returned. This is the expected behavior. The recommendation is to use the cmdlet above to retrieve all required permissions and roles, which are the minimal required ones for either reading or updating configuration.
In your case, you will need to grant your App Registration's Service Principal the minimum required Exchange roles.
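As an added example (not code from the Microsoft365DSC project or from anyone in this thread), the following PowerShell puts the two halves of the advice above next to each other: first it compiles what M365DSC declares as required for a set of resources, for read and for update, and then it lists the directory roles the App Registration's service principal actually holds so the two can be compared before anything is granted. It assumes the Microsoft365DSC and Microsoft.Graph modules are installed, that the cmdlet's documented -PermissionType and -AccessType parameters are available, and that $AppId holds the client ID of the certificate-auth App Registration; the allowlist at the end is a constructed placeholder to be filled in after review.

```powershell
# Added example; not the Microsoft365DSC project's own code.
# Assumptions: Microsoft365DSC and Microsoft.Graph modules are installed,
# Get-M365DSCCompiledPermissionList accepts -PermissionType / -AccessType as
# documented, and $AppId is the client ID of the app used for certificate auth.

$AppId            = '00000000-0000-0000-0000-000000000000'   # placeholder, replace
$ResourceNameList = @('EXOAcceptedDomain', 'EXOTransportRule') # resources you export

Import-Module Microsoft365DSC

# 1. Required permissions as declared in M365DSC's settings files.
#    Without -PermissionType the cmdlet returns everything it knows, including
#    Exchange roles; with -PermissionType only Graph permissions of that type.
Write-Host '== Everything M365DSC declares for these resources (read) =='
Get-M365DSCCompiledPermissionList -ResourceNameList $ResourceNameList -AccessType Read |
    ConvertTo-Json -Depth 6

Write-Host '== Graph application permissions, read scenario =='
Get-M365DSCCompiledPermissionList -ResourceNameList $ResourceNameList `
    -PermissionType Application -AccessType Read | ConvertTo-Json -Depth 6

Write-Host '== Graph application permissions, update scenario =='
# Anything that only appears here is not needed for an export-only app.
Get-M365DSCCompiledPermissionList -ResourceNameList $ResourceNameList `
    -PermissionType Application -AccessType Update | ConvertTo-Json -Depth 6

# 2. Directory roles the service principal currently holds, for comparison.
#    Read-only Graph scopes are enough for this audit step.
Connect-MgGraph -Scopes 'Application.Read.All', 'RoleManagement.Read.Directory'

$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) { throw "No service principal found for appId $AppId" }

$assignments  = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($sp.Id)'"
$currentRoles = foreach ($a in $assignments) {
    $def = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $a.RoleDefinitionId
    [pscustomobject]@{
        Role      = $def.DisplayName
        Scope     = $a.DirectoryScopeId
        IsBuiltIn = $def.IsBuiltIn
    }
}
Write-Host "== Directory roles assigned to $($sp.DisplayName) =="
$currentRoles | Format-Table -AutoSize

# 3. Flag any role outside the set approved for the export scenario.
#    Constructed placeholder: fill in the read-only role(s) your review approves.
$allowedForExport = @('<approved-read-only-role>')
$currentRoles | Where-Object { $_.Role -notin $allowedForExport } | ForEach-Object {
    Write-Warning "Role '$($_.Role)' (scope $($_.Scope)) is not on the export allowlist; review it."
}
```

Run it from a session that can sign in to Graph interactively; step 2 only reads role assignments, so it can be used to verify an existing app before deciding whether anything broader than a read-only role is justified.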
I doubt that 'Organization Management' is the least possible privilege to read the whole Exchange Online configuration as there is a 'View-Only Organization Management' role, but I will discuss it with the administrators.
Sorry my bad, I thought you were initially referring to the Get-M365DSCCompiledPermissionList not returning the information from the settings files. I understand now that your issue is that the permissions listed in the settings file aren't necessarily the right ones. We will investigate this further. I agree with you that View-Only permissions should be used for the Export scenario.
Hello, Is this issue answered? I am looking for a similar solution to grant least privilege access to my Azure AD App (Certificate Auth) to fetch Exchange and Compliance policies.
This seems to be a question for you, @NikCharlebois.
Hi @NikCharlebois,
do you have any updates on this issue?
Please update the required permissions for Exchange.
In our environment, 'Exchange.ManageAsApp' is not enough to read the Exchange Online configuration.
Also, Get-M365DSCCompiledPermissionList does not give consistent permission information. For read access, it would be great if the permissions followed the least privilege principle.
The following output shows the inconsistencies I mean:
Unfortunately, the online help at https://microsoft365dsc.com/user-guide/get-started/authentication-and-permissions/#exchange-permissions also does not clearly describe which permissions are really needed in which scenario.