I don't have much expertise in this so I'm just trying to understand how the command would work.
A few remarks:
- Let's rename roleId to roleDefinitionId as used in the request. The same goes for roleName.
- Let's rename servicePrincipalId to principalId as used in the request. The same goes for servicePrincipalName.
For the other options, I don't really see how these translate to directoryScopeId or appScopeId. Could you clarify this a bit? Is this command only supporting users, groups, and administrative units? When reading the docs, it looks like a lot more is possible. For example applications, attribute sets, ...
Is it currently possible to grant permissions to the entire tenant?
Scope is the set of resources that the role applies to. The disadvantage here is that the Graph API exposes a unified backend model for different types of RBAC providers. Depending on the provider, the principal, scope and role have different allowed values.
In the case of the Exchange RBAC provider:
- the principal is only a service principal
- the scope can be:
  - a user: a service principal will be able to access the mail/calendars/contacts of a specific user
  - a group: a service principal will be able to access the mail/calendars/contacts of users that are members of a specific group
  - an administrative unit: a service principal will be able to access the mail/calendars/contacts of users that are members of a specific administrative unit
  - the entire tenant: a service principal will be able to access the mail/calendars/contacts of all users
Usage
```sh
m365 exchange role assignment add [options]
```
Description
Grants permissions to an application that's accessing data in Exchange Online and specifies which mailboxes the app can access.
Options
| Option | Description |
| --- | --- |
| `--roleDefinitionId [roleDefinitionId]` | Id of a role to be assigned. Specify either `roleDefinitionId` or `roleDefinitionName`, but not both. |
| `--roleDefinitionName [roleDefinitionName]` | Name of a role to be assigned. Specify either `roleDefinitionId` or `roleDefinitionName`, but not both. |
| `--principalId [principalId]` | Id of a service principal to which the assignment is granted. Specify either `principalId` or `principalName`, but not both. |
| `--principalName [principalName]` | Name of a service principal to which the assignment is granted. Specify either `principalId` or `principalName`, but not both. |
| `--scopeUserId [scopeUserId]` | Id of a user to which the assignment is scoped. Specify either `scopeUserId`, `scopeUserName`, `scopeGroupId`, `scopeGroupName`, `scopeAdministrativeUnitId`, or `scopeAdministrativeUnitName`, but not multiple. If no scope is specified, the tenant-wide scope is applied by default. |
| `--scopeUserName [scopeUserName]` | UPN of a user to which the assignment is scoped. Specify either `scopeUserId`, `scopeUserName`, `scopeGroupId`, `scopeGroupName`, `scopeAdministrativeUnitId`, or `scopeAdministrativeUnitName`, but not multiple. If no scope is specified, the tenant-wide scope is applied by default. |
| `--scopeGroupId [scopeGroupId]` | Id of a group to which the assignment is scoped. Specify either `scopeUserId`, `scopeUserName`, `scopeGroupId`, `scopeGroupName`, `scopeAdministrativeUnitId`, or `scopeAdministrativeUnitName`, but not multiple. If no scope is specified, the tenant-wide scope is applied by default. |
| `--scopeGroupName [scopeGroupName]` | Name of a group to which the assignment is scoped. Specify either `scopeUserId`, `scopeUserName`, `scopeGroupId`, `scopeGroupName`, `scopeAdministrativeUnitId`, or `scopeAdministrativeUnitName`, but not multiple. If no scope is specified, the tenant-wide scope is applied by default. |
| `--scopeAdministrativeUnitId [scopeAdministrativeUnitId]` | Id of an administrative unit to which the assignment is scoped. Specify either `scopeUserId`, `scopeUserName`, `scopeGroupId`, `scopeGroupName`, `scopeAdministrativeUnitId`, or `scopeAdministrativeUnitName`, but not multiple. If no scope is specified, the tenant-wide scope is applied by default. |
| `--scopeAdministrativeUnitName [scopeAdministrativeUnitName]` | Name of an administrative unit to which the assignment is scoped. Specify either `scopeUserId`, `scopeUserName`, `scopeGroupId`, `scopeGroupName`, `scopeAdministrativeUnitId`, or `scopeAdministrativeUnitName`, but not multiple. If no scope is specified, the tenant-wide scope is applied by default. |
Examples
Assign a role specified by id to a service principal specified by id and scope the assignment to a user specified by id
Assign a role specified by name to a service principal specified by name and scope the assignment to a group specified by name
Assign a role specified by name to a service principal specified by id and scope the assignment to an administrative unit specified by name
Default properties
No response
Additional Info
Exchange Online RBAC is an alternative to application permissions for accessing mailboxes, without the need to allow application access to specific mailboxes through an application access policy in Exchange Online PowerShell.
It simplifies the whole process, and admins can avoid using Exchange Online PowerShell to configure an application access policy.
https://learn.microsoft.com/graph/api/rbacapplication-post-roleassignments?view=graph-rest-beta&tabs=http#example-5-create-a-role-assignment-for-exchange-online-provider-with-administrative-unit-scope
https://learn.microsoft.com/exchange/permissions-exo/application-rbac#supported-application-roles
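The following is an added example, not code from the CLI for Microsoft 365 project or from this issue. It applies the "either X or Y, but not both" and "at most one scope, tenant-wide by default" rules from the options table above, resolves the scope kinds the reply above lists (user, group, administrative unit, entire tenant), and produces the body the command would POST to the Graph role assignment endpoint. Assumptions: the target is `POST /beta/roleManagement/exchange/roleAssignments`; the principal is sent as `/ServicePrincipals/{id}` and an administrative unit scope as `/AdministrativeUnits/{id}` (following the Graph docs example linked above); the `/users/{id}`, `/groups/{id}` and `/` (tenant-wide) path formats are assumed and should be verified against the Graph docs; and the name-to-id lookups are served from a constructed in-memory directory so the example runs offline.

```typescript
// Added example; not the CLI for Microsoft 365 implementation.
// Assumed (see lead-in): request target POST /beta/roleManagement/exchange/roleAssignments,
// "/ServicePrincipals/{id}" and "/AdministrativeUnits/{id}" per the linked Graph docs,
// "/users/{id}", "/groups/{id}" and "/" (tenant-wide) as assumed scope path formats.

interface AddOptions {
  roleDefinitionId?: string;
  roleDefinitionName?: string;
  principalId?: string;
  principalName?: string;
  scopeUserId?: string;
  scopeUserName?: string;
  scopeGroupId?: string;
  scopeGroupName?: string;
  scopeAdministrativeUnitId?: string;
  scopeAdministrativeUnitName?: string;
}

interface RoleAssignmentRequest {
  principalId: string;
  roleDefinitionId: string;
  directoryScopeId: string;
}

const SCOPE_OPTIONS: (keyof AddOptions)[] = [
  'scopeUserId', 'scopeUserName', 'scopeGroupId', 'scopeGroupName',
  'scopeAdministrativeUnitId', 'scopeAdministrativeUnitName'
];

// Constructed sample data standing in for the Graph lookups a real
// implementation performs for the *Name options.
const directory: Record<string, Record<string, string>> = {
  roleDefinitions: { 'Application Mail.Read': 'role-mail-read-0001' },
  servicePrincipals: { 'Mail Reader App': 'sp-0001' },
  users: { 'alice@contoso.example': 'user-alice-0001' },
  groups: { 'Finance': 'group-finance-0001' },
  administrativeUnits: { 'EMEA': 'au-emea-0001' }
};

function lookup(table: string, name: string): string {
  const id = directory[table]?.[name];
  if (id === undefined) {
    throw new Error(`${table}: '${name}' not found`);
  }
  return id;
}

// Enforces "specify either X or Y, but not both" from the options table.
function exactlyOne(options: AddOptions, keys: (keyof AddOptions)[]): void {
  const given = keys.filter(k => options[k] !== undefined);
  if (given.length !== 1) {
    throw new Error(`Specify exactly one of ${keys.join(', ')}`);
  }
}

// Resolves the scope options to a directoryScopeId. At most one scope option
// is allowed; none at all means the tenant-wide scope, i.e. every mailbox.
function resolveScope(options: AddOptions): string {
  const given = SCOPE_OPTIONS.filter(k => options[k] !== undefined);
  if (given.length > 1) {
    throw new Error(`Specify at most one scope option, got ${given.join(', ')}`);
  }
  const [key] = given;
  if (key === undefined) {
    return '/';
  }
  const value = options[key] as string;
  switch (key) {
    case 'scopeUserId': return `/users/${value}`;
    case 'scopeUserName': return `/users/${lookup('users', value)}`;
    case 'scopeGroupId': return `/groups/${value}`;
    case 'scopeGroupName': return `/groups/${lookup('groups', value)}`;
    case 'scopeAdministrativeUnitId': return `/AdministrativeUnits/${value}`;
    default: return `/AdministrativeUnits/${lookup('administrativeUnits', value)}`;
  }
}

// Validates the option combinations and builds the Graph request body.
function buildRoleAssignmentRequest(options: AddOptions): RoleAssignmentRequest {
  exactlyOne(options, ['roleDefinitionId', 'roleDefinitionName']);
  exactlyOne(options, ['principalId', 'principalName']);
  const roleDefinitionId = options.roleDefinitionId
    ?? lookup('roleDefinitions', options.roleDefinitionName as string);
  const spId = options.principalId
    ?? lookup('servicePrincipals', options.principalName as string);
  return {
    principalId: `/ServicePrincipals/${spId}`,
    roleDefinitionId,
    directoryScopeId: resolveScope(options)
  };
}

// The check to run before sending: omitting every scope option grants the
// app access to all mailboxes in the tenant, which is rarely what was meant.
function isTenantWide(request: RoleAssignmentRequest): boolean {
  return request.directoryScopeId === '/';
}
```

The three calls that mirror the examples above (role by id + principal by id + user by id; role by name + principal by name + group by name; role by name + principal by id + administrative unit by name) each yield a non-tenant-wide `directoryScopeId`, while a call with no scope option yields `/`, which is what `isTenantWide` flags.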
I will work on this