Update: please see our updated blog post on this subject.
Today we are announcing that we will begin blocking the assignment of the ApplicationImpersonation role in Exchange Online to accounts star...
Updated Nov 22, 2024
Version 12.0
Blog Post
I'm following https://learn.microsoft.com/en-us/exchange/permissions-exo/application-rbac to implement the modernised app access. I'm signed into Exchange Online with a member of the Global Administrator role. At the following step I receive an error, that I do not quite understand.
New-ManagementRoleAssignment -App $sp.ObjectId -Role "Application Mail.Send" -RecipientAdministrativeUnitScope $adminUnit.Id
# throws the following error:
# New-ManagementRoleAssignment: |System.InvalidOperationException|You don't have access to
# create, change, or remove the "<tenant>.onmicrosoft.com\Application Mail.Send-<$sp.objectid>"
# management role assignment. You must be assigned a delegating role assignment
# to the management role or its parent in the hierarchy without a scope restriction.
What must I do so I can continue?
I'm also using a fresh dev tenant with default configuration, so maybe the requirements should be clarified with the steps required to meet them, and added to the docs.