Open MartinM85 opened 5 months ago
Hi @MartinM85
I don't have much expertise in this so I'm just trying to understand how the command would work.
A few remarks:
- `roleId` to `roleDefinitionId` as used in the request. The same goes for `roleName`.
- `servicePrincipalId` to `principalId` as used in the request. The same goes for `servicePrincipalId`.
- `directoryScopeId` or `appScopeId`. Could you clarify this a bit? Is this command only supporting users, groups, and administrative units? When reading the docs, it looks like a lot more is possible. For example applications, attribute sets, ...
Hi @MartinM85,
Scope is a set of resources that role applies to. The disadvantage here is that the Graph API exposes unified backend model for different types of RBAC providers. Based on the provider, the principal, scope and role have different allowed values. In case of Exchange RBAC provider:
@pnp/cli-for-microsoft-365-maintainers Any update on this?
@milanholemans @waldekmastykarz Any update on this?
Hi @MartinM85, sorry for the late reply. I'm trying to answer all the issues I'm participating in gradually. You say you can use the entire tenant as a scope. How can we do this with this command? Seems like there is not really a straightforward way? Let's add this as an extra example.
Examples updated
Any update on this?
Thank you for bringing this back to life @MartinM85, sorry that I lost track of this. Instead of saying that a tenant scope is by default, shouldn't we introduce an option like `--scopeTenant` or something like that? This way the user will always have to define a scope. This makes sure that he knows where he wants to apply the rule to. Additionally, we don't have to repeat the "If no scope is specified, the tenant-wide scope is applied by default." for every option anymore.
Does that make sense to you?
`scopeTenant` option makes sense. Spec updated
Ok, I think we're ready then. Should I assign you or open it up?
I made a slight edit and updated `--scopeEdit [scopeEdit]` to a flag.
I will take it
Usage
`m365 exchange role assignment add [options]`
Description
Grants permissions to an application that's accessing data in Exchange Online and specifies which mailboxes an app can access.
Options
- `--roleDefinitionId [roleDefinitionId]`: Specify either `roleDefinitionId` or `roleDefinitionName`, but not both.
- `--roleDefinitionName [roleDefinitionName]`: Specify either `roleDefinitionId` or `roleDefinitionName`, but not both.
- `--principalId [principalId]`: Specify either `principalId` or `principalName`, but not both.
- `--principalName [principalName]`: Specify either `principalId` or `principalName`, but not both.
- `--scopeUserId [scopeUserId]`: Specify one of `scopeTenant`, `scopeUserId`, `scopeUserName`, `scopeGroupId`, `scopeGroupName`, `scopeAdministrativeUnitId`, or `scopeAdministrativeUnitName`, but not multiple.
- `--scopeUserName [scopeUserName]`: Specify one of `scopeTenant`, `scopeUserId`, `scopeUserName`, `scopeGroupId`, `scopeGroupName`, `scopeAdministrativeUnitId`, or `scopeAdministrativeUnitName`, but not multiple.
- `--scopeGroupId [scopeGroupId]`: Specify one of `scopeTenant`, `scopeUserId`, `scopeUserName`, `scopeGroupId`, `scopeGroupName`, `scopeAdministrativeUnitId`, or `scopeAdministrativeUnitName`, but not multiple.
- `--scopeGroupName [scopeGroupName]`: Specify one of `scopeTenant`, `scopeUserId`, `scopeUserName`, `scopeGroupId`, `scopeGroupName`, `scopeAdministrativeUnitId`, or `scopeAdministrativeUnitName`, but not multiple.
- `--scopeAdministrativeUnitId [scopeAdministrativeUnitId]`: Specify one of `scopeTenant`, `scopeUserId`, `scopeUserName`, `scopeGroupId`, `scopeGroupName`, `scopeAdministrativeUnitId`, or `scopeAdministrativeUnitName`, but not multiple.
- `--scopeAdministrativeUnitName [scopeAdministrativeUnitName]`: Specify one of `scopeTenant`, `scopeUserId`, `scopeUserName`, `scopeGroupId`, `scopeGroupName`, `scopeAdministrativeUnitId`, or `scopeAdministrativeUnitName`, but not multiple.
- `--scopeTenant`: Specify one of `scopeTenant`, `scopeUserId`, `scopeUserName`, `scopeGroupId`, `scopeGroupName`, `scopeAdministrativeUnitId`, or `scopeAdministrativeUnitName`, but not multiple.
Examples
- Assign a role specified by id to a service principal specified by id and scope the assignment to the whole tenant
- Assign a role specified by id to a service principal specified by id and scope the assignment to a user specified by id
- Assign a role specified by name to a service principal specified by name and scope the assignment to a group specified by name
- Assign a role specified by name to a service principal specified by id and scope the assignment to an administrative unit specified by name
Default properties
No response
Additional Info
Exchange Online RBAC is an alternative to application permissions for accessing mailboxes, without the need to allow an application access policy for specific mailboxes via Exchange Online PowerShell.
It simplifies the whole process, and admins can avoid using Exchange Online PowerShell to configure an application access policy.
https://learn.microsoft.com/graph/api/rbacapplication-post-roleassignments?view=graph-rest-beta&tabs=http#example-5-create-a-role-assignment-for-exchange-online-provider-with-administrative-unit-scope
https://learn.microsoft.com/exchange/permissions-exo/application-rbac#supported-application-roles
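The mutual-exclusivity rules from the Options section above, and the mapping from the chosen scope to a Graph role-assignment request body, as an added TypeScript example that is not part of the CLI for Microsoft 365 code base and not the issue author's code: `validateOptions` enforces exactly one role, one principal and one scope option, so a tenant-wide assignment is always an explicit `--scopeTenant` choice rather than a silent default, and `buildRequestBody` turns the resolved ids into a `principalId`/`roleDefinitionId`/`directoryScopeId` body. Name-to-id resolution is left out (the caller passes resolved ids). The `/` tenant scope, the `/users/`, `/groups/` and `/administrativeUnits/` path prefixes, and the pass-through shape of the provider-specific `principalId` are assumptions for illustration; confirm them against the Graph documentation linked above before relying on them.

```typescript
// Added example, not CLI for Microsoft 365 code. Models the option rules in
// the spec above and the request body built from them.

export interface AddOptions {
  roleDefinitionId?: string;
  roleDefinitionName?: string;
  principalId?: string;
  principalName?: string;
  scopeTenant?: boolean;
  scopeUserId?: string;
  scopeUserName?: string;
  scopeGroupId?: string;
  scopeGroupName?: string;
  scopeAdministrativeUnitId?: string;
  scopeAdministrativeUnitName?: string;
}

type OptionName = keyof AddOptions;

const ROLE_OPTIONS: OptionName[] = ['roleDefinitionId', 'roleDefinitionName'];
const PRINCIPAL_OPTIONS: OptionName[] = ['principalId', 'principalName'];
const SCOPE_OPTIONS: OptionName[] = [
  'scopeTenant', 'scopeUserId', 'scopeUserName', 'scopeGroupId',
  'scopeGroupName', 'scopeAdministrativeUnitId', 'scopeAdministrativeUnitName'
];

// Names of the options in `group` that the caller actually set
// (a flag explicitly set to false does not count as chosen).
function chosenOptions(options: AddOptions, group: OptionName[]): OptionName[] {
  return group.filter(name => options[name] !== undefined && options[name] !== false);
}

// Exactly one option from each mutually exclusive group, as the spec requires.
// Returns true when valid, otherwise a message describing the problem.
export function validateOptions(options: AddOptions): true | string {
  const groups: [string, OptionName[]][] = [
    ['role', ROLE_OPTIONS],
    ['principal', PRINCIPAL_OPTIONS],
    ['scope', SCOPE_OPTIONS]
  ];
  for (const [label, group] of groups) {
    const chosen = chosenOptions(options, group);
    if (chosen.length === 0) {
      // No implicit tenant-wide fallback: a missing scope is an error.
      return `Specify exactly one ${label} option: ${group.join(', ')}`;
    }
    if (chosen.length > 1) {
      return `Specify only one ${label} option, not multiple: ${chosen.join(', ')}`;
    }
  }
  return true;
}

export interface RoleAssignmentBody {
  principalId: string;
  roleDefinitionId: string;
  directoryScopeId: string;
}

// Ids the command would resolve from the *Name options via Graph first;
// that lookup is out of scope here, so the caller supplies them.
export interface ResolvedIds {
  roleDefinitionId: string;
  principalId: string;        // ASSUMED to already be in the provider's expected shape
  scopeObjectId?: string;     // user/group/AU id; absent for tenant scope
}

// ASSUMED directoryScopeId path prefixes per scope kind (illustrative only).
const SCOPE_PREFIX: Record<'user' | 'group' | 'administrativeUnit', string> = {
  user: '/users/',
  group: '/groups/',
  administrativeUnit: '/administrativeUnits/'
};

export function buildRequestBody(options: AddOptions, ids: ResolvedIds): RoleAssignmentBody {
  const valid = validateOptions(options);
  if (valid !== true) {
    throw new Error(valid);
  }
  let directoryScopeId: string;
  if (options.scopeTenant) {
    directoryScopeId = '/';   // ASSUMED: '/' denotes the tenant-wide scope
  }
  else {
    if (!ids.scopeObjectId) {
      throw new Error('A scoped assignment needs the resolved scope object id');
    }
    const kind = (options.scopeUserId || options.scopeUserName) ? 'user'
      : (options.scopeGroupId || options.scopeGroupName) ? 'group'
      : 'administrativeUnit';
    directoryScopeId = SCOPE_PREFIX[kind] + ids.scopeObjectId;
  }
  return { principalId: ids.principalId, roleDefinitionId: ids.roleDefinitionId, directoryScopeId };
}
```

The check that matters for least privilege is the `chosen.length === 0` branch: with the `--scopeTenant` flag the spec introduced, an operator who forgets the scope gets an error instead of an unintentionally tenant-wide assignment.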
I will work on this