Required minimum permission to run a powershell script


We are going to automate a PowerShell script to get Office 365 Mail Traffic Statistics by User. We need to assign least privileges to the account this script runs as. What permissions/roles do we have to assign?


Regards,

Kavindu


I would recommend using the Microsoft Graph API for this kind of report: https://docs.microsoft.com/en-us/graph/api/resources/report?view=graph-rest-1.0


If you want to run a PowerShell script automatically, you can't protect the account with a second factor like Azure MFA. But, of course, you can do this with RBAC (Role-Based Access Control) and only allow the account to run specific PowerShell cmdlets like Get-MessageTrace:


PS C:\Users\domin> Get-ManagementRoleEntry *\Get-MessageTrace*

Name                    Role                   Parameters
----                    ----                   ----------
Get-MessageTraceDetail  Compliance Admin       {Action, EndDate, ErrorAction, ErrorVariable...}
Get-MessageTrace        Compliance Admin       {EndDate, ErrorAction, ErrorVariable, Expression...}
Get-MessageTraceDetail  Data Loss Prevention   {Action, EndDate, ErrorAction, ErrorVariable...}
Get-MessageTrace        Data Loss Prevention   {EndDate, ErrorAction, ErrorVariable, Expression...}
Get-MessageTrace        Security Admin         {EndDate, ErrorAction, ErrorVariable, Expression...}
Get-MessageTraceDetail  Security Admin         {Action, EndDate, ErrorAction, ErrorVariable...}
Get-MessageTrace        Security Reader        {EndDate, ErrorAction, ErrorVariable, Expression...}
Get-MessageTraceDetail  Security Reader        {Action, EndDate, ErrorAction, ErrorVariable...}
Get-MessageTrace        View-Only Recipients   {EndDate, ErrorAction, ErrorVariable, Expression...}
Get-MessageTraceDetail  View-Only Recipients   {Action, EndDate, ErrorAction, ErrorVariable...}
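The reply above lists the built-in roles that carry Get-MessageTrace; the next step it implies is to give the automation account a role that carries only those cmdlets. The following is an added example, not code from the thread, of doing that in Exchange Online PowerShell: it derives a custom role from View-Only Recipients (the least-privileged role in the output), strips every entry except the two trace cmdlets, assigns it through a dedicated role group, and verifies the result. It assumes an open Connect-ExchangeOnline session with Role Management rights; the role name, role-group name and account are placeholders.

```powershell
# Added example: least-privilege custom role for a message-trace automation account.
# Assumes Connect-ExchangeOnline has already been run by an admin with Role Management.
$RoleName      = 'MessageTrace-ReadOnly'          # assumed role name
$RoleGroupName = 'Message Trace Automation'       # assumed role-group name
$Automation    = 'svc-mailstats@contoso.example'  # placeholder automation account
$Keep          = @('Get-MessageTrace', 'Get-MessageTraceDetail')

# 1. Derive a custom role from the least-privileged built-in role that carries the cmdlets.
#    Role entries can only be removed from a derived (custom) role, never from a built-in one.
if (-not (Get-ManagementRole -Identity $RoleName -ErrorAction SilentlyContinue)) {
    New-ManagementRole -Name $RoleName -Parent 'View-Only Recipients' | Out-Null
}

# 2. Remove every inherited entry except the two trace cmdlets, so the account cannot use
#    the role for anything else (for example enumerating recipients).
Get-ManagementRoleEntry -Identity "$RoleName\*" |
    Where-Object { $_.Name -notin $Keep } |
    ForEach-Object {
        Remove-ManagementRoleEntry -Identity "$RoleName\$($_.Name)" -Confirm:$false
    }

# 3. Put the trimmed role in its own role group whose only member is the automation account,
#    so the assignment is visible and auditable on its own.
if (-not (Get-RoleGroup -Identity $RoleGroupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $RoleGroupName -Roles $RoleName -Members $Automation | Out-Null
}

# 4. Verify: the custom role must expose exactly the two cmdlets and nothing more.
$Entries = Get-ManagementRoleEntry -Identity "$RoleName\*" | Select-Object -ExpandProperty Name
$Extra   = $Entries | Where-Object { $_ -notin $Keep }
if ($Extra) {
    Write-Warning "Unexpected cmdlets still present in ${RoleName}: $($Extra -join ', ')"
} else {
    Write-Host "$RoleName exposes only: $($Entries -join ', ')"
}

# 5. Show what the role group (and therefore the account) is actually assigned.
Get-ManagementRoleAssignment -RoleAssignee $RoleGroupName |
    Format-Table Name, Role, RoleAssigneeType -AutoSize
```

After assignment, sign in as the automation account and confirm that Get-MessageTrace succeeds while an unrelated cmdlet such as Get-Recipient is not recognised; that failure is the evidence the scope is as tight as intended.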