AzureAD Role - Application Certificate - AzureAD Role level of perms required for EXO and O365 unclear. #4531

Open
OhhHellooow opened this issue Apr 4, 2024 · 2 comments
Labels
Documentation Enhancement New feature or request


OhhHellooow commented Apr 4, 2024

Hello,

I am using the method of backing up all resources using App Certificate.
I am having issues with EXO* and O365*, as it relates to Exchange Roles.

All .Read. Application Graph permissions, as well as Exchange.ManageAsApp, have been tested/granted and are working without issue. This issue comes into play where there are no direct Graph permissions for Exchange and, as I understand it, roles need to be added to the app.

  1. Is "Exchange Administrator" the only role that can be granted for this to work, even if I am only gathering resources and not deploying (read, not readwrite)?
  2. Where within the official M365DSC documentation is this specific information located? I see many issue tickets that contain generic articles on how to add Azure roles to an app; however, I am looking specifically for how M365DSC interacts with AzureAD role permissions, and why permissions are required to be set a certain way. (For example, I see it mentioned to add "Exchange Administrator", but I do not see specific detail on why it operates this way, or how adding other types of roles allows the user to read within the resources.)
  3. I am hoping this ticket helps define the specifics and gets added to the documentation for easier access for other users.

Thanks.

Current error:

>> Export-M365DSCConfiguration -Components @("O365AdminAuditLogConfig", `
>> "O365Group", "O365OrgCustomizationSetting", "O365OrgSettings", "O365SearchAndIntelligenceConfigurations") `
>> -ApplicationId $ApplicationId -CertificateThumbprint $CertificateThumbprint -TenantId $TenantId -Path $ExportingPath

Connecting to {ExchangeOnline}...❌

The role assigned to application a-a-a-a-a isn't supported in this scenario. Please check online documentation for assigning correct Directory Roles to Azure AD
Application for EXO App-Only Authentication.
At C:\Program Files\WindowsPowerShell\Modules\ExchangeOnlineManagement\3.4.0\netFramework\ExchangeOnlineManagement.psm1:766 char:21
+                     throw $_.Exception;
+                     ~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [], SystemException
    + FullyQualifiedErrorId : The role assigned to application a-a-a-a-a isn't supported in this scenario. Please check online documentation for assigning correct Directory Roles to Azure AD Application for EXO App-Only Authentication.
@andikrueger (Collaborator)

In a read-only (export) case you can assign the app Global Reader and Security Reader rights. This should cover all required personas.

@andikrueger andikrueger added Enhancement New feature or request Documentation labels Apr 15, 2024
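A pre-flight check for the situation discussed above, as an added example that is not code from the Microsoft365DSC project or from anyone in this thread: it lists the application permissions the app holds on the Exchange Online resource and the directory roles assigned to its service principal, then attempts the same certificate-based Connect-ExchangeOnline that the export performs for EXO*/O365* resources, so the "role assigned to application ... isn't supported" error can be reproduced and diagnosed outside of Export-M365DSCConfiguration. The tenant name, application ID and thumbprint are placeholders, and the Graph queries assume the app holds Application.Read.All and RoleManagement.Read.Directory (or Directory.Read.All).

```powershell
# Added example, not Microsoft365DSC project code. Placeholder values are assumptions;
# replace them with your own tenant, app registration and certificate.
$TenantId              = 'contoso.onmicrosoft.com'                  # assumed tenant
$ApplicationId         = '00000000-0000-0000-0000-000000000000'     # assumed app (client) ID
$CertificateThumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'  # assumed cert thumbprint

# Well-known appId of the "Office 365 Exchange Online" resource; used to resolve the
# Exchange.ManageAsApp application permission by name instead of a hard-coded role GUID.
$ExoResourceAppId = '00000002-0000-0ff1-ce00-000000000000'

# 1. Authenticate to Graph with the same certificate the export will use
#    (requires Application.Read.All and RoleManagement.Read.Directory / Directory.Read.All).
Connect-MgGraph -ClientId $ApplicationId -TenantId $TenantId `
                -CertificateThumbprint $CertificateThumbprint -NoWelcome

$sp = Get-MgServicePrincipal -Filter "appId eq '$ApplicationId'"
if (-not $sp) { throw "No service principal found for appId $ApplicationId in this tenant." }

# 2. Application permissions (app roles) granted on the Exchange Online resource.
$exoResource = Get-MgServicePrincipal -Filter "appId eq '$ExoResourceAppId'"
$exoAppRoles = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id |
    Where-Object { $_.ResourceId -eq $exoResource.Id } |
    ForEach-Object {
        $roleId = $_.AppRoleId
        ($exoResource.AppRoles | Where-Object { $_.Id -eq $roleId }).Value
    }
Write-Host "Exchange Online app roles: $($exoAppRoles -join ', ')"
if ($exoAppRoles -notcontains 'Exchange.ManageAsApp') {
    Write-Warning 'Exchange.ManageAsApp is not granted; Connect-ExchangeOnline app-only auth will fail.'
}

# 3. Directory (Entra ID) roles assigned to the app's service principal. This is what the
#    EXO error message refers to: app-only auth needs a supported directory role on the
#    service principal in addition to the Exchange.ManageAsApp permission.
$roleNames = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($sp.Id)'" |
    ForEach-Object {
        (Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $_.RoleDefinitionId).DisplayName
    }
Write-Host "Directory roles on service principal: $($roleNames -join ', ')"

# 4. Attempt the app-only Exchange Online connection by itself, then a harmless read.
try {
    Connect-ExchangeOnline -AppId $ApplicationId -CertificateThumbprint $CertificateThumbprint `
                           -Organization $TenantId -ShowBanner:$false
    $org = Get-OrganizationConfig
    Write-Host "EXO app-only connection OK for organization $($org.Name)"
}
catch {
    # The same exception text quoted in the issue surfaces here when the assigned
    # directory role is not one Exchange Online accepts for app-only authentication.
    Write-Error "EXO app-only connection failed: $($_.Exception.Message)"
}
finally {
    Disconnect-ExchangeOnline -Confirm:$false -ErrorAction SilentlyContinue
    Disconnect-MgGraph -ErrorAction SilentlyContinue
}
```

Run it with the same $ApplicationId, $CertificateThumbprint and $TenantId you pass to Export-M365DSCConfiguration; if step 4 fails with the "role assigned to application ... isn't supported" message, compare the directory roles printed in step 3 against the ones suggested in this thread (Exchange Administrator, or Global Reader plus Security Reader for an export-only app) before changing anything in the M365DSC command line.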
@dBase-be

@andikrueger I am also having issues with the O365 workload. What I don't understand is: when running Export-M365DSCConfiguration on the O365 workload with, e.g., only the component 'O365Group', it faults with: 'Connecting to {ExchangeOnline}...?'

It is, however, documented on https://microsoft365dsc.com/user-guide/get-started/authentication-and-permissions/ that it uses the PowerShell module 'Microsoft.Graph.Authentication (Connect-MgGraph)'. So why does it try to connect to ExchangeOnlineManagement (Connect-ExchangeOnline)?
