_cparker I ran the script and found one mailbox with an App ID. That application is already registered in Azure and has the API permission below.
Now, I need to create Management Scope for that application and mailbox, correct?
1. First, I need to create a service principal in Exchange.
New-ServicePrincipal -Appid 5abfe6a2-d44d-48ae -ObjectID 4db7a00a-265c- -DisplayName "Example"
2. Create the management scope. Would the display name from step 1 be the same in step 2?
New-ManagementScope -Name "example" -RecipientRestrictionFilter "RecipientType -eq 'UserMailbox'"
3. Role assignment. In this step, will the App ID be the object ID from step 1?
New-ManagementRoleAssignment -App 4db7a00a-265c- -Role "Application EWS.AccessAsUser.All" -CustomResourceScope "example"
4. Do I need to create a role assignment for each application role, i.e.
New-ManagementRoleAssignment -App 4db7a00a-265c- -Role "Application Mail.ReadWrite" -CustomResourceScope "example"
Do we expect any downtime or impact?
How can we make sure the steps we performed were created successfully? How can we test?
Once we create the scope and if everything works, do we need to remove the RBAC role, or can we just let it be and not do anything?
Looking for your answers.