microsoft / Microsoft365DSC

Manages, configures, extracts and monitors Microsoft 365 tenant configurations
https://aka.ms/M365DSC
MIT License
1.63k stars 502 forks

AzureAD Role - Application Certificate - AzureAD Role level of perms required for EXO and O365 unclear. #4531

Open OhhHellooow opened 7 months ago

OhhHellooow commented 7 months ago

Hello,

I am using the method of backing up all resources using App Certificate. I am having issues with EXO and O365, as it relates to Exchange Roles.

All .Read. Application Graph Permissions as well as Exchange.ManageAsApp have been tested/granted and working without issue. This issue comes into play whereas there are no direct Graph perms for Exchange and as I understand Roles need to be added to the App.

  1. Is "Exchange Administrator" the only Role that can be granted for this to work, even if I am only gathering resources, and not deploying? (read, not readwrite).
  2. Where within the Official M365DSC is this specific documentation located? I see many issue tickets that contain generic articles on how to add Azure Roles to an App, however, I am looking specifically at how M365DSC interacts with AzureAD Role permissions, and why permissions are required to be set a certain way. (for example, I see mentioned to add "Exchange Administrator", but I do not see specific detail on why it operates this way, or how adding other types of roles allows the user to read within the resources).
  3. I am hoping this ticket helps define the specifics and added to documentation for easier access for other users.

Thanks.

Current error:

>> Export-M365DSCConfiguration -Components @("O365AdminAuditLogConfig", `
>> "O365Group", "O365OrgCustomizationSetting", "O365OrgSettings", "O365SearchAndIntelligenceConfigurations") `
>> -ApplicationId $ApplicationId -CertificateThumbprint $CertificateThumbprint -TenantId $TenantId -Path $ExportingPath

Connecting to {ExchangeOnline}...❌

The role assigned to application a-a-a-a-a isn't supported in this scenario. Please check online documentation for assigning correct Directory Roles to Azure AD
Application for EXO App-Only Authentication.
At C:\Program Files\WindowsPowerShell\Modules\ExchangeOnlineManagement\3.4.0\netFramework\ExchangeOnlineManagement.psm1:766 char:21
+                     throw $_.Exception;
+                     ~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [], SystemException
    + FullyQualifiedErrorId : The role assigned to application a-a-a-a-a isn't supported in this scenario. Please check online documentation for assigning correct Di
   rectory Roles to Azure AD Application for EXO App-Only Authentication.
andikrueger commented 7 months ago

In a read only (export) case you can assign the app global reader and security reader rights. This should cover all required personas.
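Before re-running the export it is worth confirming which directory roles the app's service principal actually holds, so that an app-only export runs with the read-only roles suggested above and nothing broader. The following PowerShell is an added example, not code from Microsoft365DSC or from anyone in this thread; it assumes the Microsoft.Graph PowerShell SDK is installed, that `$AppId` holds the application (client) ID of your app registration, and that the roles compared against are the Global Reader and Security Reader roles named in the reply above.

```powershell
# Added example (not from Microsoft365DSC or this thread): list the Entra ID
# directory roles assigned to an app registration's service principal and
# compare them with the read-only set suggested for an export run.
$AppId = '00000000-0000-0000-0000-000000000000'   # placeholder; replace with your app's client ID

# Enumerating role membership only needs a read-only Graph scope.
Connect-MgGraph -Scopes 'Directory.Read.All' -NoWelcome

$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) { throw "No service principal found for appId $AppId" }

# Get-MgDirectoryRole returns only roles that have been activated in the tenant;
# a role that has never been assigned to anyone simply will not appear.
$assigned = foreach ($role in Get-MgDirectoryRole -All) {
    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
    if ($members.Id -contains $sp.Id) { $role.DisplayName }
}

"Roles assigned to '$($sp.DisplayName)': $($assigned -join ', ')"

# Read-only set for an export-only run, as suggested in the thread.
$expected = @('Global Reader', 'Security Reader')
$missing  = $expected | Where-Object { $_ -notin $assigned }
$extra    = $assigned | Where-Object { $_ -notin $expected }

if ($missing) { Write-Warning "Read-only roles not assigned: $($missing -join ', ')" }
if ($extra)   { Write-Warning "Roles beyond the read-only set: $($extra -join ', ')" }

Disconnect-MgGraph | Out-Null
```

Run it with an interactive (delegated) sign-in rather than the app's own certificate, so the check does not depend on the very permissions you are trying to verify. An "Exchange Administrator" entry showing up under the second warning is the signal that the app carries write-capable rights an export does not need.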

dBase-be commented 4 months ago

@andikrueger also having issues with the O365 workload. What I don't understand is: when running Export-M365DSCConfiguration on the O365 workload with e.g. only component 'O365Group' it faults with: 'Connecting to {ExchangeOnline}...?'

It is however documented on https://microsoft365dsc.com/user-guide/get-started/authentication-and-permissions/ that it uses the powershell module 'Microsoft.Graph.Authentication (Connect-MgGraph)'. So, why does it try to connect to ExchangeOnlineManagement (Connect-ExchangeOnline)?