Forum Discussion
Accessing Content explorer data via SPN
Hi all, I am trying to get all the data from Content explorer for SITs matched files using https://learn.microsoft.com/en-us/powershell/module/exchange/export-contentexplorerdata?view=exchange-ps. I can run the command (Export-ContentExplorerData) when using User-Principal login, but I am having issues while running it with an SPN.
For SPN permissions, we followed the steps here: https://learn.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps
We assigned all the permissions on the page but are still having issues when running the script.
One of the permissions for the SPN that seems mandatory is Content Explorer Content viewer. Now, in the Purview portal, we are not able to assign this permission to the SPN, as it throws an error: "Adding SPN to purview role groups is not supported"
Can we run this command (Export-ContentExplorerData) based on an SPN (using application permissions)? If yes, what are the permissions we need to assign to that SPN?
Thanks in advance
3 Replies
IIRC application permissions are not supported for the cmdlet, but you assign role groups to a service principal via PowerShell:
Add-RoleGroupMember -Identity "ContentExplorerContentViewer" -Member xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Make sure to provision the SP first via New-ServicePrincipal. But again, afaik even if you grant the permissions, it is not currently supported.
- mrityunjay6492, Copper Contributor
Although I was not able to add the "Content Explorer List Viewer" role group to the SPN, I was able to add "Information Protection Investigators", which includes a similar role to "Content Explorer List Viewer". With the latest version 3.8 of ExchangeOnlineManagement, this functionality seems to be working.
Added the SPN to Microsoft Purview via this command:
New-ServicePrincipal -AppId $<VariableName1>.AppId -ObjectId $<VariableName1>.Id -DisplayName "<Descriptive Name>"
- Prathista Ilango
Microsoft
Hello
Make sure you followed all the steps to set up certificate-based authentication as below,
If this is configured properly, then the permission required is the Content Explorer List Viewer role, as per the below article
Hope this helps!
Regards,
PI
Please mark as solution, if you find the answer helpful. This will assist others in the community who encounter a similar issue, enabling them to quickly find the solution and benefit from the guidance provided.
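The steps discussed across the replies above, put together as an added example (not code from any poster or from Microsoft's documentation): register the service principal in Purview, add it to a role group, then connect with certificate-based app-only authentication and page through Export-ContentExplorerData. It assumes the behaviour reported in the thread for ExchangeOnlineManagement 3.8; the app ID, tenant, thumbprint, admin UPN, SIT name, display name and output path are constructed placeholders, and the role group name is taken from the reply above (confirm it with Get-RoleGroup).

```powershell
# Added example. All values below are constructed placeholders.
$AppId        = '00000000-0000-0000-0000-000000000000'  # app (client) ID of the Entra app
$Organization = 'contoso.onmicrosoft.com'               # tenant primary domain
$Thumbprint   = '<certificate-thumbprint>'              # cert whose public key is uploaded to the app
$SitName      = 'Credit Card Number'                    # SIT to export matches for

# --- One-time setup, run interactively by an administrator ---
Connect-MgGraph -Scopes 'Application.Read.All'
$sp = Get-MgServicePrincipal -Filter "AppId eq '$AppId'"

Connect-IPPSSession -UserPrincipalName 'admin@contoso.onmicrosoft.com'
# Register the Entra service principal in Purview, then grant it the role group.
New-ServicePrincipal -AppId $sp.AppId -ObjectId $sp.Id -DisplayName 'Content explorer export (SPN)'
# Role group named in the reply above; verify the exact identity with Get-RoleGroup.
Add-RoleGroupMember -Identity 'Information Protection Investigators' -Member $sp.Id
Disconnect-ExchangeOnline -Confirm:$false

# --- Unattended run as the service principal (certificate-based auth) ---
Connect-IPPSSession -AppId $AppId -CertificateThumbprint $Thumbprint -Organization $Organization

$records = [System.Collections.Generic.List[object]]::new()
$cookie  = $null
do {
    $params = @{
        TagType  = 'SensitiveInformationType'
        TagName  = $SitName
        PageSize = 1000
    }
    if ($cookie) { $params.PageCookie = $cookie }

    # Element 0 is paging metadata; the remaining elements are the matched items.
    $page = @(Export-ContentExplorerData @params -ErrorAction Stop)
    $meta = $page[0]
    foreach ($item in ($page | Select-Object -Skip 1)) { $records.Add($item) }

    $cookie = $meta.PageCookie
} while ($meta.MorePagesAvailable)

$records | Export-Csv -Path .\content-explorer-sit-matches.csv -NoTypeInformation
Disconnect-ExchangeOnline -Confirm:$false
```

The service principal ends up with read access to sensitive-content matches, so keep the certificate's private key non-exportable and scope the role group membership to this one identity.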