Check your M365 Licenses with Azure Automation V2 (with Microsoft Graph)

Andres Bohren

2022-03-02

Hi All,

Over a Year ago i did wrote a Azure Automation Script to check your M365 Licenses.

Check your M365 Licenses with Azure Automation

https://blog.icewolf.ch/archive/2021/04/18/check-your-m365-licenses-with-azure-automation.aspx

I did rewrite that code to support Microsoft Graph for query the Licenses and also send the Mail via Microsoft Graph.

Setup Environement

I first created a new AzureAD Application (just to make a clear separation of Graph Permissions for the purpose of this Demo).

Then i uploaded a Certificate wich i also use for several other Azure AD Apps

This Script will need the following Microsoft Graph Permissions with Admin Consent

Directory.Read.All
Mail.ReadWrite
Mail.Send
User.Read.All

As you can see, with these permissions the Application could read and send from all Mailboxes. Therefore we need to secure that with an Exchange Online ApplicationAccessPolicy.

Limiting application permissions to specific Exchange Online mailboxes

https://docs.microsoft.com/en-us/graph/auth-limit-mailbox-access

Limit Microsoft Graph Access to specific Exchange Mailboxes

https://blog.icewolf.ch/archive/2021/02/06/limit-microsoft-graph-access-to-specific-exchange-mailboxes.aspx

To restrict the Access you need to create a Mail Enabled Security Group, with the Member of the Mailbox you want to send mails from - in this case the Postmaster Mailbox.

After AAD Connect has sychronized the Group i can check it in Azure AD

Get-AzureADGroup -SearchString PostmasterGraphRestriction | ft DisplayName, ObjectId, SecurityEnabled, MailEnabled, Mail

Now i am able to create the ApplicationAccessPolicy in Exchange Online

New-ApplicationAccessPolicy -AccessRight RestrictAccess -AppId 33554333-f7a0-4d7e-9964-1bd5696ec8e4 -PolicyScopeGroupId PostmasterGraphRestriction@icewolf.ch -Description "Restrict this app to members of this Group"