blog.icewolf.ch

Let's talk about IT!

Thursday, January 19, 2023

OnPrem Exchange Server Update Status visible in M365 Admin Center (Preview)

Hi All,

The Exchange Server Update Dashboard in Microsoft 365 Admin Center was announced at MEC 2022 in September 2022.



In my Tenant this is now available in Preview.
As you can see, all my OnPrem Exchange Servers are in a supported state.


The Exchange Servers also have the latest Cumulative Update and Security Update installed.



Hope this helps to keep your Hybrid Exchange Infrastructure up to date.

Regards
Andres Bohren


posted @ Friday, January 20, 2023 2:58 PM

Exchange Online custom RBAC Role with App Authentication (OAuth2)

Hi All,

The usual way to set up app-only authentication for Exchange Online is to give the app an Azure AD role:
  • Azure AD Application Registration
  • Permission: Office 365 Exchange Online > Exchange.ManageAsApp
  • Add the AAD App to the Azure AD Role "Exchange Administrator" or "Exchange Recipient Administrator"

This article is about custom RBAC Roles with Application Authentication, which lets you limit the app to exactly the cmdlets and recipients it needs:
  • Azure AD Application Registration
  • Permission: Office 365 Exchange Online > Exchange.ManageAsApp
  • Create an Exchange Online Service Principal for the Azure AD App
  • Create a RoleGroup and assign the ServicePrincipal (and a CustomRecipientWriteScope if you want)

See also: Notes from the field: Using app-only authentication with customized RBAC roles in Exchange Online

I've created an Azure AD App Registration


Uploaded a Certificate


Add Permission
Add Permission > APIs my organization uses > Office 365 Exchange Online > Exchange.ManageAsApp


Grant Admin Consent



You need to create an Exchange Service Principal.
For that you need the ObjectID of the Enterprise Application



###############################################################################
# Get AzureAD Application with Microsoft.Graph PowerShell
###############################################################################
Connect-MgGraph -Scopes 'Application.Read.All'
$ServicePrincipalDetails = Get-MgServicePrincipal -Filter "DisplayName eq 'Demo-EXO-RBAC-PS'"
$ServicePrincipalDetails

###############################################################################
# Create Exchange Service Principal
###############################################################################
Connect-ExchangeOnline
New-ServicePrincipal -AppId $ServicePrincipalDetails.AppId -ServiceId $ServicePrincipalDetails.Id -DisplayName "EXO Serviceprincipal $($ServicePrincipalDetails.Displayname)"
Get-ServicePrincipal | where {$_.AppId -eq "341772e9-4f7a-4444-9b2c-66620d27aec0"}



Create the Management Scope "ZH Rooms" with a recipient filter and preview which recipients the filter matches. Please note that only the "Sitzungszimmer" Mailbox matches the Management Scope.

###############################################################################
#Management Scope
###############################################################################
# Filterable properties for the RecipientFilter parameter on Exchange cmdlets:
# https://learn.microsoft.com/en-us/powershell/exchange/recipientfilter-properties?view=exchange-ps

Get-ManagementScope
# Preview which recipients the OPATH filter matches before using it as a write scope
Get-Recipient -RecipientPreviewFilter "(City -eq 'Zürich') -and (RecipientTypeDetails -eq 'RoomMailbox')"



I've already documented how to create a Management Role in Exchange and Exchange Online.

###############################################################################
#Get-ManagementRole
###############################################################################
Get-ManagementRole -Identity "ICE-UserPhoto"
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\*"



Now let's put it all together. Create a Role Group with the Role "ICE-UserPhoto" and the CustomRecipientWriteScope "ZH Rooms", then add the Service Principal as a member.

###############################################################################
#New-RoleGroup
###############################################################################
$AppID = "341772e9-4f7a-4444-9b2c-66620d27aec0"
$SP = Get-ServicePrincipal | where {$_.AppId -eq $AppID}
$ServiceId = $SP.ServiceId
New-RoleGroup -Name 'Icewolf-UserPhoto' -Roles "ICE-UserPhoto" -CustomRecipientWriteScope "ZH Rooms"
Add-RoleGroupMember -Identity "Icewolf-UserPhoto" -Member $ServiceId



Note that this action (adding a member to a Role Group) triggers an Alert.



###############################################################################
#Get-RoleGroup
###############################################################################
$AppID = "341772e9-4f7a-4444-9b2c-66620d27aec0"
$SP = Get-ServicePrincipal | where {$_.AppId -eq $AppID}
$ServiceId = $SP.ServiceId
Get-RoleGroup | where {$_.Members -Match $ServiceId} | fl




###############################################################################
#Get-ManagementRoleAssignment
###############################################################################
Get-ManagementRoleAssignment | where {$_.Role -match "ICE-UserPhoto"} | fl
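The whole provisioning from above as one script: look up the Enterprise Application, mirror it into Exchange Online, create the management scope, create the scoped role group, add the service principal and check the resulting assignments. This is an added example and not the original post's code. It assumes the App Registration "Demo-EXO-RBAC-PS" (with Exchange.ManageAsApp consented) and the custom role "ICE-UserPhoto" already exist; the scope name "ZH Rooms", the role group name and the recipient filter are taken from the post, and the New-ManagementScope call, which the post does not show, is my addition.

```powershell
# Added example (not the original post's code): end-to-end provisioning of a
# scoped role group for an app-only Exchange Online connection.
# Assumptions: App Registration "Demo-EXO-RBAC-PS" exists with Exchange.ManageAsApp
# consented, the custom role "ICE-UserPhoto" exists, and this runs as an Exchange admin.
#Requires -Modules Microsoft.Graph.Applications, ExchangeOnlineManagement
param(
    [string]$AppDisplayName = 'Demo-EXO-RBAC-PS',
    [string]$RoleName       = 'ICE-UserPhoto',
    [string]$ScopeName      = 'ZH Rooms',
    [string]$RoleGroupName  = 'Icewolf-UserPhoto',
    # Filter from the post: only room mailboxes in Zürich become writable
    [string]$ScopeFilter    = "(City -eq 'Zürich') -and (RecipientTypeDetails -eq 'RoomMailbox')"
)

Connect-MgGraph -Scopes 'Application.Read.All'
Connect-ExchangeOnline -ShowBanner:$false

# 1. Resolve the Enterprise Application (Azure AD service principal)
$AadSp = Get-MgServicePrincipal -Filter "DisplayName eq '$AppDisplayName'"
if (-not $AadSp) { throw "No service principal named '$AppDisplayName' found in Azure AD" }

# 2. Mirror it into Exchange Online (skipped if it already exists)
$ExoSp = Get-ServicePrincipal | Where-Object { $_.AppId -eq $AadSp.AppId }
if (-not $ExoSp) {
    $ExoSp = New-ServicePrincipal -AppId $AadSp.AppId -ServiceId $AadSp.Id `
        -DisplayName "EXO Serviceprincipal $($AadSp.DisplayName)"
}

# 3. Preview the recipient filter before it becomes a write scope
$Preview = Get-Recipient -RecipientPreviewFilter $ScopeFilter
Write-Host "Filter matches $($Preview.Count) recipient(s): $($Preview.PrimarySmtpAddress -join ', ')"

# 4. Create the management scope (RecipientRestrictionFilter takes the OPATH filter)
if (-not (Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $ScopeName -RecipientRestrictionFilter $ScopeFilter | Out-Null
}

# 5. Role group with the custom role, writes limited to the scope
if (-not (Get-RoleGroup -Identity $RoleGroupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $RoleGroupName -Roles $RoleName -CustomRecipientWriteScope $ScopeName | Out-Null
}
# Adding the member is the step that raises the alert mentioned in the post (not guarded)
Add-RoleGroupMember -Identity $RoleGroupName -Member $ExoSp.ServiceId

# 6. Verify: every assignment created through this group must carry the write scope.
#    Note that the read scope is NOT restricted by CustomRecipientWriteScope.
$Assignments = Get-ManagementRoleAssignment -Role $RoleName -RoleAssignee $RoleGroupName
foreach ($a in $Assignments) {
    if ("$($a.CustomRecipientWriteScope)" -ne $ScopeName) {
        Write-Warning "Assignment $($a.Name) has write scope '$($a.CustomRecipientWriteScope)', expected '$ScopeName'"
    }
    Write-Host "$($a.Name): RecipientReadScope=$($a.RecipientReadScope), CustomRecipientWriteScope=$($a.CustomRecipientWriteScope)"
}
```

The preview in step 3 is the check worth doing every time: a scope filter that matches more recipients than you expect quietly widens what the app may write to, and the assignment check in step 6 is where a missing CustomRecipientWriteScope would show up.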




You can also see the permissions in the Classic Exchange Online Admin Center.



I recently noticed that there exists a new Menu Item Roles > Admin Roles in the Exchange Admin Center






Let's connect with the App and the Certificate

###############################################################################
#Connect-ExchangeOnline with AppId and Certificate
###############################################################################
$AppID = "341772e9-4f7a-4444-9b2c-66620d27aec0"
$CertificateThumbprint = "07eff3918f47995eb53b91848f69b5c0e78622fd"
$TenantId = "icewolfch.onmicrosoft.com"
Connect-ExchangeOnline -AppId $AppID -CertificateThumbprint $CertificateThumbprint -Organization $TenantId

# Shows the connection details, including the name of the temporary session module (ModuleName)
Get-ConnectionInformation
# Lists the cmdlets in the session: with a custom role, only the cmdlets of its role entries are loaded
Get-Command -Module <Module>


Let's try it. I will set a UserPhoto for a Mailbox that is inside the RecipientWriteScope

Set-UserPhoto -Identity Sitzungszimmer@icewolf.ch -PictureData ([System.IO.File]::ReadAllBytes("E:\Temp\AvatarBaby.jpg"))
Get-UserPhoto -Identity Sitzungszimmer@icewolf.ch



What threw me off at first was that Get-UserPhoto also works for mailboxes outside the Management Scope. But remember, the parameter is "CustomRecipientWriteScope": it restricts only write cmdlets, while the assignment keeps the role's implicit read scope (here the whole organization), so the app can still read any recipient.

Get-UserPhoto -Identity Sitzungszimmer@icewolf.ch
Get-UserPhoto -Identity a.bohren@icewolf.ch



It's not possible to Set-UserPhoto for a Mailbox that is outside the Management Scope / CustomRecipientWriteScope.
You also get an error from Get-UserPhoto if no picture is set on the Mailbox.

Set-UserPhoto -Identity SitzungszimmerEiger@icewolf.ch -PictureData ([System.IO.File]::ReadAllBytes("E:\Temp\AvatarBaby.jpg"))
Get-UserPhoto -Identity SitzungszimmerEiger
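The checks from the test above under the app identity, rolled into one script: which cmdlets the session actually exposes, a write inside and outside the scope, and reads of both mailboxes. This is an added example and not the post's code. It reuses the AppId, thumbprint, tenant and the two mailboxes from the post; the Test-ScopedWrite helper is hypothetical and the photo path is a placeholder.

```powershell
# Added example (not the original post's code): connect app-only and verify that the
# CustomRecipientWriteScope is enforced for writes but not for reads.
# Assumptions: AppId, thumbprint, tenant and mailboxes as in the post; Test-ScopedWrite
# is a hypothetical helper; the photo path is a placeholder.
param(
    [string]$AppId             = '341772e9-4f7a-4444-9b2c-66620d27aec0',
    [string]$Thumbprint        = '07eff3918f47995eb53b91848f69b5c0e78622fd',
    [string]$Organization      = 'icewolfch.onmicrosoft.com',
    [string]$InScopeMailbox    = 'Sitzungszimmer@icewolf.ch',
    [string]$OutOfScopeMailbox = 'SitzungszimmerEiger@icewolf.ch',
    [string]$PhotoPath         = 'E:\Temp\AvatarBaby.jpg'
)

Connect-ExchangeOnline -AppId $AppId -CertificateThumbprint $Thumbprint -Organization $Organization -ShowBanner:$false

# Only the cmdlets granted by the role entries are loaded into the temporary session module
$Conn    = Get-ConnectionInformation
$Cmdlets = Get-Command -Module $Conn.ModuleName | Select-Object -ExpandProperty Name
Write-Host "Cmdlets available to the app: $($Cmdlets -join ', ')"
if ($Cmdlets -contains 'Set-Mailbox') { Write-Warning 'Role is broader than intended: Set-Mailbox is available' }

function Test-ScopedWrite {
    # Returns $true if Set-UserPhoto succeeded, $false if Exchange refused it
    param([string]$Identity, [byte[]]$Picture)
    try {
        Set-UserPhoto -Identity $Identity -PictureData $Picture -Confirm:$false -ErrorAction Stop
        return $true
    } catch {
        Write-Host "Set-UserPhoto $Identity refused: $($_.Exception.Message)"
        return $false
    }
}

$Picture = [System.IO.File]::ReadAllBytes($PhotoPath)

# Expected: the in-scope write succeeds, the out-of-scope write is refused
$InScopeOk    = Test-ScopedWrite -Identity $InScopeMailbox -Picture $Picture
$OutOfScopeOk = Test-ScopedWrite -Identity $OutOfScopeMailbox -Picture $Picture
if (-not $InScopeOk) { Write-Warning "Write to in-scope mailbox $InScopeMailbox failed; check the scope filter" }
if ($OutOfScopeOk)   { Write-Warning "Write to OUT-OF-SCOPE mailbox $OutOfScopeMailbox succeeded; the write scope is not effective" }

# Reads follow the role's read scope, not the write scope, so Get-UserPhoto works for both.
# An error here only means the mailbox has no photo set.
foreach ($mbx in $InScopeMailbox, $OutOfScopeMailbox) {
    try {
        $p = Get-UserPhoto -Identity $mbx -ErrorAction Stop
        Write-Host "Get-UserPhoto $mbx : $($p.PictureData.Length) bytes"
    } catch {
        Write-Host "Get-UserPhoto $mbx : $($_.Exception.Message)"
    }
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run this once after provisioning and again after any change to the role or scope: the second warning is the one that matters, since a successful write to the out-of-scope mailbox means the app has more reach than the role group was meant to give it.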



Regards
Andres Bohren


posted @ Thursday, January 19, 2023 11:09 PM | Filed Under [ Exchange ]
