Update 7/31/2023: This feature has been fully released (is not in preview anymore).
If, as an administrator, you’ve ever consented to app-only permissions like Mail.Read in Azure Active Directory (...
Updated Jul 31, 2023
Version 2.0
Blog Post
4 MIN READ
Announcing Public Preview of Role Based Access Control for Applications in Exchange Online
Hello. I had documented the instructions for setting up RBAC for Apps in EXO for the team I'm working on. I had saved a note, stating that our need to create the service principal in EXO would only be during the preview. That was based on this part of this blog post:
"Service Principals representing apps must be manually created in Exchange Online during the Preview, but this process will be automated to offer a more efficient user experience at GA. For the Preview, you should consider the Service Principal in Exchange Online to be a pointer to a Service Principal in Azure AD. Azure AD manages Service Principal registrations within tenants, so the Azure Active Directory admin center, MS Graph PowerShell, or the Azure CLI can be used to create and manage them."
Now that it's GA, I see the instructions page still shows to be the same, with these main steps (#2 being the Service Principal creation in EXO, representing the app in Entra ID):
Configuration Instructions
The following steps will guide you to create these Application RBAC assignments:
- Create a new resource scope (optional)
- Create a pointer to a Microsoft Entra service principal
- Select the appropriate application role
- Create a New Role assignment
- Test the New Service principal
I am totally fine with this, the way it is right now, but I would like to ask - should I update my document, or do you think this change is still going to come? I actually have a script which sets up all the EXO pieces, so if/when it does change, I'd need to update that as well.
Thanks in advance.