Invoke-ExoRBACForEntraIDApp.ps1
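<#
.SYNOPSIS
A script to enable RBAC permissions for an Entra ID App in Exchange Online, scoping access to a native Administrative Unit.
.DESCRIPTION
This script creates an intermediary Service Principal in Exchange Online and adds the required roles to it.
Each role assignment is scoped to a native Administrative Unit in Exchange Online, so the app can only act on
recipients inside that unit rather than tenant-wide.
You must have added a mailbox to the administrative unit, so the verification test at the end can work.
Exchange Online cmdlets raise non-terminating errors by default, which a try/catch never sees; every cmdlet whose
failure matters is therefore called with -ErrorAction Stop. The session is always disconnected, even when a step fails.
.EXAMPLE
Adjust the Declarations with values from Entra ID and Exchange Online Application Roles and run the script.
.NOTES
Version: 1.0
Author: Michael Mardahl
Creation Date: 2023-11-23
Purpose/Change: Initial script development
.LINK
https://learn.microsoft.com/en-us/exchange/permissions-exo/application-rbac
https://github.com/mardahl
#>
#Requires -Module ExchangeOnlineManagement
#declarations (the values below are placeholders; replace them with your own)
$EntraAppName = "My mail integration app" #From the App Reg, not the Enterprise App
$EntraAppId = "cergerg7-9erte-4er5-9ff3-171ywershg8" #From the App Reg, not the Enterprise App
$EntraAppObectId = "0dtyjhh6-ert5-u6t7-afgg-dsgsg06a" #From the App Reg, not the Enterprise App
$EntraAdministativeUnitObjectId = "ceggss8-eegsegf-4sgd-8gb0-c8gg23eggf3b" #The Entra ID native Administrative unit Object Id
$ExoAppRoles = @("Application Calendars.ReadWrite","Application Mail.ReadWrite") #Native Exchange Online App Roles; grant only what the app needs
$mailboxForAccessVerification = "companymailbox@comapny.org" #Must be a member of the administrative unit above
#executing the connection to Exchange Online
Connect-ExchangeOnline

try {
    #creating intermediary Service Principal in the Exchange Online environment
    Write-Host "Creating intermediary Service Principal for $EntraAppName"
    $exoSP = New-ServicePrincipal -AppId $EntraAppId -ObjectId $EntraAppObectId -DisplayName "EntraID - $EntraAppName" -ErrorAction Stop
    #Without the Service Principal every later step would run with an empty AppId, so stop here instead
    if (-not $exoSP) {
        throw "New-ServicePrincipal returned nothing for $EntraAppName; cannot continue."
    }

    #Adding scoping to the intermediary Service Principal for the administrative unit (looping through list of roles defined in variable $ExoAppRoles)
    foreach ($role in $ExoAppRoles) {
        #Writing which role is being added to the intermediary Service Principal
        Write-Host "Adding role $role to $EntraAppName"
        try {
            #-RecipientAdministrativeUnitScope restricts the assignment to recipients in the unit; omitting it would
            #grant the role across the whole tenant. -ErrorAction Stop makes a failed assignment reach the catch block.
            New-ManagementRoleAssignment -App $exoSP.AppId -Role $role -RecipientAdministrativeUnitScope $EntraAdministativeUnitObjectId -ErrorAction Stop
        }
        catch {
            Write-Host "Role $role not set on $EntraAppName"
            #writing the exception message
            Write-Host $_.Exception.Message
        }
    }

    #test command: confirms the intermediary Service Principal is authorized for a mailbox inside the administrative unit
    Test-ServicePrincipalAuthorization -Identity $exoSP.AppId -Resource $mailboxForAccessVerification
}
finally {
    #Always close the session, also when Service Principal creation or the test threw
    Disconnect-ExchangeOnline
}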