Update 7/31/2023: This feature has been fully released (is not in preview anymore).
If, as an administrator, you’ve ever consented to app-only permissions like Mail.Read in Azure Active Directory (...
Updated Jul 31, 2023
Version 2.0
Blog Post
4 MIN READ
Announcing Public Preview of Role Based Access Control for Applications in Exchange Online
ScottSchnoll +1 to Branko984
just recently a customer wanted to switch his SelfServiceSolution for Forwarding (Self or by manager) to an AppRegistration instead of an (MFA excempt) Useraccount.
But a) we cant scope the DEV-Version to only a RecipientWriteScope.
And b) we cant create a custom role to only allow Set-Mailbox cmdlet with -Forwarding... parameters as we can with "Full RBAC" using svc_myScriptUser.
Connect-ExchangeOnline -CertificateThumbprint "E691708E313BE8B529C9A82432E218A777099B51" -AppID "cd336608-5f8b-4360-a9b6-2b6374a9dc75" -Organization "xyxyyx.onmicrosoft.com"
"The role assigned to application cd336608-5f8b-4360-a9b6-2b6374a9dc75 isn't supported in this scenario. Please check online documentation for assigning correct Directory Roles to Azure AD Application for EXO App-Only Authentication."
Will that be coming at some point? would be great.
So currently the lowest permissions are "Exchange Recipient Administrator"
Thanks
Thorsten