Status: Open. Opened by dBase-be 1 month ago.
Hello, does anyone have a way to perform a full export without using the built-in roles 'Global Reader' and 'Security Reader'? Since these roles necessitate PIM activation, they are not suitable for our automated process. Thanks!
Description of the issue
For the export of the Office 365 workload I'm using a Service Principal with a Certificate Thumbprint. I have configured the permissions correctly on the app registration, similar to what the output of Get-M365DSCCompiledPermissionList for all O365 components shows:
However, I'm getting the following error:
I think the app registration might need an extra role to be able to export the O365 workload? I'm aware of the following article https://microsoft365dsc.com/concepts/personas/, which refers to the 'Global Reader' and 'Security Reader' roles. Both these roles have a lot of permissions and are privileged roles (four eyes, need approval), which makes them unsuitable for our automated backup solution.
Is there a way to build a minimal custom role which can export the O365 workload? How can we achieve this?
Side question: why does O365 need Application.ReadWrite.All for read-only mode to work? Is there any documentation/explanation on this requirement?
Microsoft 365 DSC Version
1.24.717.1
Which workloads are affected
Office 365 Admin
The DSC configuration
Verbose logs showing the problem
No response
Environment Information + PowerShell Version
No response
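An added example (not the issue author's code) that puts the described setup together: it derives the application read permissions Microsoft365DSC itself reports for the O365 resources, lists the directory roles actually assigned to the automation's service principal so over-privileged roles stand out, and then runs the certificate-based export. Cmdlet names are from Microsoft365DSC and the Microsoft Graph PowerShell SDK; the tenant, application id, thumbprint and export path are placeholders, and the `O365*` name filter is an assumption about how the workload's resources are named.

```powershell
# Added example, not the issue author's code. All tenant-specific values are placeholders.
Import-Module Microsoft365DSC
Import-Module Microsoft.Graph.Applications
Import-Module Microsoft.Graph.Identity.Governance

$TenantId              = '<tenant>.onmicrosoft.com'       # placeholder
$ApplicationId         = '<app-registration-client-id>'   # placeholder
$CertificateThumbprint = '<certificate-thumbprint>'       # placeholder
$ExportPath            = 'C:\M365DSC\Export'              # placeholder

# 1. Resources of the Office 365 Admin workload (assumption: their names start with O365).
$o365Resources = Get-M365DSCAllResources | Where-Object { $_ -like 'O365*' }

# 2. Application (app-only) permissions the module reports as needed for read access,
#    scoped to the O365 resources only instead of the whole module.
$required = Get-M365DSCCompiledPermissionList -ResourceNameList $o365Resources `
    -PermissionType Application -AccessType Read
Write-Host 'Application permissions required for a read-only export of the O365 resources:'
$required | Format-Table -AutoSize

# 3. Directory roles currently held by the service principal. Graph permissions alone may
#    not be enough for the export, so list what the SP actually has assigned and review it
#    against least privilege (e.g. a standing Global Reader assignment would show up here).
Connect-MgGraph -TenantId $TenantId `
    -Scopes 'Application.Read.All', 'RoleManagement.Read.Directory' -NoWelcome
$sp = Get-MgServicePrincipal -Filter "appId eq '$ApplicationId'"
$assignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($sp.Id)'"
foreach ($a in $assignments) {
    $def = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $a.RoleDefinitionId
    Write-Host ('Directory role assigned: {0} (scope {1})' -f $def.DisplayName, $a.DirectoryScopeId)
}
Disconnect-MgGraph | Out-Null

# 4. Unattended export with the certificate-based service principal: no interactive
#    sign-in, so no PIM activation is part of the run.
Export-M365DSCConfiguration -Components $o365Resources `
    -ApplicationId $ApplicationId -TenantId $TenantId `
    -CertificateThumbprint $CertificateThumbprint -Path $ExportPath
```

Run step 2 and step 3 first on their own; the gap between what the module asks for and what the service principal holds is the input for deciding how narrow a role assignment the automation can get away with.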