Granting access to App for Exchange Mail Trace - Least restrictive


We need to grant access via OAuth for an app to reach email trace on Exchange Online.

The management role for this is "Message Tracking" / Messagehygiene.

The app doesn't have a service principal, so we are not able to add it via Exchange PowerShell New-ManagementRoleAssignment.

Note: we do not want to grant Global Reader access, as this is a 3rd-party managed app.

Reference article: Role Based Access Control for Applications in Exchange Online (Preview) | Microsoft Learn

Any help is appreciated.

2 Replies

There is no OAuth scope that grants access to this functionality, so you have to stick to the Exchange roles, or an Azure AD role that maps to them.

Hi @habeebbm

I've written a blog article about something similar. I know it's not quite the same, but it should help you to get on track.

Exchange Online custom RBAC Role with App Authentication (OAuth2)

https://blog.icewolf.ch/archive/2023/01/19/exchange-online-custom-rbac-role-with-app-authentication-...


Exchange RBAC Role for Set-Userphoto

https://blog.icewolf.ch/archive/2020/07/24/exchange-rbac-role-for-set-userphoto.aspx


Regards

Andres Bohren
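The thread points at the Exchange RBAC path (register the app's service principal in Exchange Online, then assign it one narrow role) rather than Global Reader. The session below is an added example, not code from the original post or from the linked blog. It assumes an Exchange administrator runs it in an Exchange Online PowerShell session, that the two GUIDs are replaced with the app's Application ID and service principal Object ID from Entra ID (placeholders here), and that the "Message Tracking" role can be assigned to an application in the tenant. That last point is an assumption: the Microsoft Learn article referenced in the question lists which roles support application assignment, so check it before relying on this, and treat the final Get-ManagementRoleAssignment call as the check that the app ended up with exactly one narrow assignment.

```powershell
# Added example (not from the original post or the linked blog). Run by an Exchange
# administrator in an Exchange Online PowerShell session. All GUIDs are placeholders.
Connect-ExchangeOnline

# Placeholders: take these from the app registration in Entra ID
# (Application (client) ID, and the Object ID of its service principal / enterprise app).
$AppId     = "00000000-0000-0000-0000-000000000001"   # placeholder
$ServiceId = "00000000-0000-0000-0000-000000000002"   # placeholder

# 1. Register the app's service principal in Exchange Online so RBAC can reference it.
#    This grants nothing by itself; it only makes the app addressable to Exchange RBAC.
$sp = Get-ServicePrincipal -Identity $ServiceId -ErrorAction SilentlyContinue
if (-not $sp) {
    $sp = New-ServicePrincipal -AppId $AppId -ServiceId $ServiceId -DisplayName "MailTrace-Reporting-App"
}

# 2. Assign only the role the task needs. "Message Tracking" is the role named in the
#    question. Assumption: this role is assignable to an app in your tenant; the referenced
#    Microsoft Learn article lists the supported roles. If it is not listed, stop here
#    rather than falling back to Global Reader or Exchange Administrator.
New-ManagementRoleAssignment -Name "MailTrace-App-MessageTracking" `
    -Role "Message Tracking" -App $sp.ObjectId

# 3. Verify: the app should hold exactly this one assignment and nothing broader.
Get-ManagementRoleAssignment -RoleAssignee $sp.ObjectId |
    Format-Table Name, Role, RoleAssigneeType

Disconnect-ExchangeOnline -Confirm:$false
```

Keeping the assignment on the Exchange side, as the first reply suggests, means the app's permission is bounded by one Exchange role rather than by a tenant-wide directory role, and the verification step gives the review evidence that no wider role was granted along the way.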