habeebbm (Copper Contributor)
Apr 12, 2023
Granting access to App for Exchange Mail Trace - Least restrictive
===================
We need to grant access via OAuth for an App to reach Email trace on Exchange Online.
The management role for this is "message tracking" / Messagehygiene.
The app doesn't have a service principal, so we are not able to add it via Exchange PowerShell New-ManagementRoleAssignment.
Note - We do not want to grant Global reader access as this is a 3rd party managed App.
Reference Article - Role Based Access Control for Applications in Exchange Online (Preview) | Microsoft Learn
Any help is appreciated.
- Andres-Bohren (Steel Contributor)
Hi habeebbm
I've written blog articles about something similar. I know it's not quite the same, but it should help you to get on track.
Exchange Online custom RBAC Role with App Authentication (OAuth2)
Exchange RBAC Role for Set-Userphoto
https://blog.icewolf.ch/archive/2020/07/24/exchange-rbac-role-for-set-userphoto.aspx
Regards
Andres Bohren
- There is no OAuth scope that grants access to this functionality, so you have to stick to the Exchange roles, or an Azure AD role that maps to them.