Exchange Online Role Based Access Control (RBAC) for Applications

Hi All

On December 1, 2022 Microsoft announced on the Exchange Team Blog that Exchange Online now supports Role Based Access Control (RBAC) for Applications, initially as a public preview.

The most important takeaways are:
  • The Preview is now available to all customers in our worldwide multi-tenant environment, and we expect to reach general availability in H1 2023
  • This feature extends our current RBAC model and will replace the current Application Access Policy feature.
  • Service Principals representing apps must be manually created in Exchange Online during the Preview, but this process will be automated to offer a more efficient user experience at GA
  • The Preview provides two resource scoping mechanisms, both of which are supported by Exchange RBAC: management scopes, and admin units

Announcing Public Preview of Role Based Access Control for Applications in Exchange Online
https://techcommunity.microsoft.com/t5/exchange-team-blog/announcing-public-preview-of-role-based-access-control-for/ba-p/3688228

Notes from the field: Using app-only authentication with customized RBAC roles in Exchange Online
https://techcommunity.microsoft.com/t5/exchange-team-blog/notes-from-the-field-using-app-only-authentication-with/ba-p/3690083


First you need to create an Azure AD app registration.


I have uploaded a certificate to the app registration so that the scripts below can authenticate as the application (certificate-based app-only authentication).


The interesting part is that you don't have to grant the app registration any Graph application permissions (such as Mail.Read): the permissions are assigned in Exchange Online with RBAC instead. The app therefore never holds a tenant-wide Mail.Read grant and can only reach the mailboxes that the management scope allows.


First of all we need to create the matching service principal in Exchange Online. For that we look up the Azure AD service principal of the app registration.

###############################################################################
# Get AzureAD Application with Microsoft.Graph PowerShell
###############################################################################
# Application.Read.All is enough to read the service principal (enterprise application)
Connect-MgGraph -Scopes 'Application.Read.All'
# Look up the service principal that belongs to the app registration by its display name
$ServicePrincipalDetails = Get-MgServicePrincipal -Filter "DisplayName eq 'Demo-EXO-RBAC'"
$ServicePrincipalDetails



The Id returned here is the Object ID of the service principal, which is what Azure AD shows under Enterprise applications. Note that this is not the Object ID of the app registration itself (shown under App registrations), which is a different object.



Now we have all the data we need (AppId and service principal Object ID) to create the service principal in Exchange Online.

###############################################################################
# Create Exchange Service Principal
###############################################################################
Connect-ExchangeOnline
# -AppId is the Application (client) ID, -ServiceId the Object ID of the enterprise application
# (newer versions of the ExchangeOnlineManagement module name this parameter -ObjectId)
New-ServicePrincipal -AppId $ServicePrincipalDetails.AppId -ServiceId $ServicePrincipalDetails.Id -DisplayName "EXO Serviceprincipal $($ServicePrincipalDetails.Displayname)"
# Verify that the Exchange Online object exists and carries the expected AppId
Get-ServicePrincipal | where {$_.AppId -eq $ServicePrincipalDetails.AppId}


The ServiceId shown by Get-ServicePrincipal is again the Object ID of the enterprise application (service principal) in Azure AD.


Now I can create a management scope that covers only the room mailboxes whose City attribute is "Zürich". The scope is what limits the application later: whatever role is assigned, it only applies to recipients matching this filter.

###############################################################################
#New-ManagementScope
###############################################################################
New-ManagementScope
https://learn.microsoft.com/en-us/powershell/module/exchange/new-managementscope?view=exchange-ps

Filterable properties for the RecipientFilter parameter on Exchange cmdlets
https://learn.microsoft.com/en-us/powershell/exchange/recipientfilter-properties?view=exchange-ps

# Scope: room mailboxes in Zürich only (OPATH filter, see the filterable properties link above)
New-ManagementScope -Name "ZH Rooms" -RecipientRestrictionFilter "city -eq 'Zürich' -and RecipientTypeDetails -eq 'RoomMailbox'"
# Preview exactly which recipients the same filter matches - check this before relying on the scope
Get-Recipient -RecipientPreviewFilter "(City -eq 'Zürich') -and (RecipientTypeDetails -eq 'RoomMailbox')"



There are several built-in management roles for applications; their names all start with "Application" and mirror the Graph permission names (for example "Application Mail.Read"). You can list them with the command below.

###############################################################################
#Get-ManagementRole
###############################################################################
# List the built-in roles that can be assigned to applications
Get-ManagementRole | where {$_.Name -like "Application*"}



Now I can assign the role to the service principal, restricted to the management scope.

###############################################################################
#New-ManagementRoleAssignment
###############################################################################
$AppID = "cd32481c-6da8-47a1-b55b-742d2c3af888"
# Resolve the Exchange Online service principal created above via its AppId
$SP = Get-ServicePrincipal | where {$_.AppId -eq $AppID}
$ServiceId = $SP.ServiceId
# Assign "Application Mail.Read" to the app, limited to the "ZH Rooms" scope
New-ManagementRoleAssignment -App $ServiceId -Role "Application Mail.Read" -CustomResourceScope "ZH Rooms"



You can check the management role assignment with the commands below.

###############################################################################
#Get-ManagementRoleAssignment
###############################################################################
# Show all assignments for this app; the detailed view includes the scope (CustomRecipientWriteScope)
Get-ManagementRoleAssignment | where {$_.App -eq $ServiceId}
Get-ManagementRoleAssignment | where {$_.App -eq $ServiceId} | fl
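Before testing through Graph, you can ask Exchange Online directly which mailboxes the app is authorized for. The following is an added example and not code from the original post. It uses Test-ServicePrincipalAuthorization, the cmdlet Microsoft introduced together with this preview; its output property names (RoleName, AllowedResourceScope, InScope) are assumed from the cmdlet's documentation and may differ in your module version. The example further assumes the Exchange Online session, the app ID and the two mailboxes used on this page, and it treats postmaster@icewolf.ch as the out-of-scope control.

```powershell
# Added example, not code from the original post.
# Assumes an existing Connect-ExchangeOnline session and the objects created above.
$AppID = "cd32481c-6da8-47a1-b55b-742d2c3af888"   # Demo-EXO-RBAC
$SP = Get-ServicePrincipal | Where-Object { $_.AppId -eq $AppID }
if (-not $SP) { throw "Exchange service principal for AppId $AppID not found - run New-ServicePrincipal first" }

# One mailbox that the "ZH Rooms" scope should cover and one that it should not (constructed expectations)
$Expected = @{
    "sitzungszimmer@icewolf.ch" = $true    # room mailbox in Zürich -> in scope
    "postmaster@icewolf.ch"     = $false   # not a room mailbox -> out of scope
}

$Report = foreach ($Mailbox in $Expected.Keys) {
    # Assumed cmdlet/property names (see lead-in). One row per role assignment of the app;
    # InScope is $true when that assignment's resource scope contains the mailbox.
    $Rows = Test-ServicePrincipalAuthorization -Identity $SP.ServiceId -Resource $Mailbox
    $Allowed = [bool]($Rows | Where-Object { $_.InScope -eq $true })
    [pscustomobject]@{
        Mailbox    = $Mailbox
        Roles      = ($Rows | ForEach-Object RoleName) -join ", "
        Scope      = ($Rows | ForEach-Object AllowedResourceScope | Select-Object -Unique) -join ", "
        InScope    = $Allowed
        AsExpected = ($Allowed -eq $Expected[$Mailbox])
    }
}
$Report | Format-Table -AutoSize

# Fail loudly if the scope does not behave as intended, e.g. because the
# RecipientRestrictionFilter matched more recipients than planned.
if ($Report | Where-Object { -not $_.AsExpected }) {
    throw "RBAC scope check failed: see the report above"
}
```

Running this right after the role assignment gives you the authorization decision from Exchange's point of view, without needing the certificate or a Graph session yet; a mailbox that unexpectedly shows InScope = $true points at the scope filter, not at the Graph call.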


Let's connect with the Microsoft Graph PowerShell SDK as the application, using the certificate. As you can see, Get-MgContext shows no scopes: the app registration has no Graph permissions, so the token carries no application roles and access is decided entirely by the Exchange RBAC assignment.

###############################################################################
#Connect-MgGraph
#https://github.com/microsoftgraph/msgraph-sdk-powershell
###############################################################################
#Connect with Certificate (app-only authentication)
$TenantId = "icewolfch.onmicrosoft.com"
$Scope = "https://graph.microsoft.com/.default" # not needed by Connect-MgGraph for app-only auth; kept for reference
$AppID = "cd32481c-6da8-47a1-b55b-742d2c3af888" #Demo-EXO-RBAC
# Thumbprint of the certificate uploaded to the app registration (must be present in the local certificate store)
$CertificateThumbprint = "07eff3918f47995eb53b91848f69b5c0e78622fd"
Connect-MgGraph -AppId $AppID -CertificateThumbprint $CertificateThumbprint -TenantId $TenantId
# Scopes is empty: no Graph application permissions are granted to this app
Get-MgContext



I can read the mail folders of the mailbox Sitzungszimmer, which is a room mailbox in Zürich and therefore inside the management scope.

###############################################################################
#Get mailFolder
#https://docs.microsoft.com/en-us/graph/api/mailfolder-get?view=graph-rest-1.0&tabs=http
###############################################################################
$Mailbox = "sitzungszimmer@icewolf.ch"
Import-Module Microsoft.Graph.Mail
# Top-level mail folders of the in-scope mailbox
$Result = Get-MgUserMailFolder -UserId $Mailbox
$Result | Format-List DisplayName, TotalItemCount, UnreadItemCount, id

#SubFolders ("Posteingang" is the Inbox of this German-language mailbox)
$Folder = $Result | where {$_.DisplayName -eq "Posteingang"} | select id
Get-MgUserMailFolderChildFolder -UserId $Mailbox -MailFolderId $Folder.ID | ft displayName, ID, ChildFolderCount


I can't read any mailbox that is not in the management scope: the same call against postmaster@icewolf.ch is rejected, even though it is the same app and the same role.

###############################################################################
#Get mailFolder
#https://docs.microsoft.com/en-us/graph/api/mailfolder-get?view=graph-rest-1.0&tabs=http
###############################################################################
$Mailbox = "postmaster@icewolf.ch"
Import-Module Microsoft.Graph.Mail
# Expected to fail: postmaster is not a room mailbox in Zürich, so it is outside the
# "ZH Rooms" scope and the "Application Mail.Read" assignment does not cover it
$Result = Get-MgUserMailFolder -UserId $Mailbox
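The same check seen from the Graph side, as an added example that is not part of the original post: instead of letting Get-MgUserMailFolder throw, the function below catches the error, reports for each mailbox whether it could be read, and compares the outcome with what the "ZH Rooms" scope should allow. It assumes the app-only Graph session established above (Connect-MgGraph with the certificate), the Microsoft.Graph.Mail module and the two mailboxes used on this page; that the denied call surfaces as an access-denied error from Graph is the expected behaviour, not output shown on this page.

```powershell
# Added example, not code from the original post.
# Assumes the app-only Connect-MgGraph session (certificate) established above.
Import-Module Microsoft.Graph.Mail

function Test-GraphMailboxRead {
    param([Parameter(Mandatory)][string]$Mailbox)
    try {
        # -ErrorAction Stop turns the RBAC denial into a terminating error we can catch
        $Folders = Get-MgUserMailFolder -UserId $Mailbox -All -ErrorAction Stop
        [pscustomobject]@{ Mailbox = $Mailbox; Readable = $true;  Folders = @($Folders).Count; Error = $null }
    }
    catch {
        # Out-of-scope mailboxes are expected to land here (access denied, enforced by Exchange RBAC)
        [pscustomobject]@{ Mailbox = $Mailbox; Readable = $false; Folders = 0; Error = $_.Exception.Message }
    }
}

# What the "ZH Rooms" scope should allow (constructed expectations for this tenant)
$Expected = @{
    "sitzungszimmer@icewolf.ch" = $true    # room mailbox in Zürich -> in scope
    "postmaster@icewolf.ch"     = $false   # not in scope
}

$Report = foreach ($Mailbox in $Expected.Keys) {
    $Row = Test-GraphMailboxRead -Mailbox $Mailbox
    $Row | Add-Member -NotePropertyName AsExpected -NotePropertyValue ($Row.Readable -eq $Expected[$Mailbox]) -PassThru
}
$Report | Format-Table Mailbox, Readable, Folders, AsExpected, Error -AutoSize

# A mailbox that is readable although it should not be means the scope or the
# role assignment is wider than intended - stop here rather than continue.
$Unexpected = $Report | Where-Object { -not $_.AsExpected }
if ($Unexpected) {
    throw "Scope enforcement differs from expectation for: $($Unexpected.Mailbox -join ', ')"
}
```

Keeping an out-of-scope control mailbox in this check is the important part: a run where every mailbox is readable tells you nothing about whether the scope is enforced, while a failing control immediately shows that the assignment is broader than the "ZH Rooms" filter intended.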




Regards
Andres Bohren