Reputation: 125
I have a program in PowerShell which runs in an Azure Function app which also has a managed identity called "AuditO365". It uses the managed identity to connect to Azure Key Vault to retrieve user credentials. It uses these credentials to connect to O365 Exchange Online to get the required data. This works fine:
# Secrets are surfaced as app settings (Key Vault references resolved by the Function's managed identity)
$uSecret = $ENV:APPSETTING_SecretUsername
$pSecret = $ENV:APPSETTING_SecretPassword
$sasSecret = $ENV:APPSETTING_SecretSAS
# Build a PSCredential from the plain-text username/password
$securePassword = ConvertTo-SecureString -String $pSecret -AsPlainText -Force
$UserCredential = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList $uSecret, $securePassword
# Open a remote PowerShell session to Exchange Online with Basic auth and import its cmdlets
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $session
The credential is a basic user account created in Azure Active Directory and the user is visible to the data source (O365 Exchange Online). In O365 under Exchange Admin Centre, I can see the username and I am able to assign the username to the correct custom role group ("View Audit Readers") with the required permission ("View-Only Audit Logs").
However I would now like to try using a managed identity instead so that the solution is more robust. Since the Function already has a managed identity ("AuditO365"), I'd like to replace the current user account with this identity in the custom role group in Exchange Online above, but it appears that O365 can't see the managed identity! All the Azure resources and O365 are running under the same account/subscription.
I have also tried creating a service principal (with API permissions for O365) in Azure but this also cannot be seen by O365:
1. How can I make the Azure Function's managed identity visible to O365 / Exchange Online?
2. Can I use this managed identity to authenticate the app against Exchange Online, connect and retrieve the data as it currently does with a normal user account?
Upvotes: 4
Views: 5160
Reputation: 23111
If you want to connect Exchange Online in Azure function with Azure MSI, please refer to the blog
The detailed steps are as below.
Create Azure function
Configure some settings for the MSI
a. Assign the Exchange Online API permission Exchange.ManageAsApp to the MSI. After doing that, the application has permission to manage Exchange Online.
Connect-AzureAD
# assign permissions: look up the Exchange Online resource service principal,
# pick its Exchange.ManageAsApp app role and grant it to the managed identity
$sp = Get-AzureADServicePrincipal -Filter "displayName eq 'Office 365 Exchange Online'"
$permission = $sp.AppRoles.Where({$_.Value -eq 'Exchange.ManageAsApp'})
New-AzureADServiceAppRoleAssignment -ObjectId <the Objectid of MSI> -Id $permission[0].Id -PrincipalId <the Objectid of MSI> -ResourceId $sp.ObjectId
b. Assign Azure AD roles. The application needs to have the appropriate AD roles assigned. Because the apps are provisioned in Azure AD, you can use any of the built-in roles. The following roles are supported:
Regarding how to assign a role, please refer to here. For example
Connect-AzureAD
# assign role: add the managed identity (by its object id) as a member of the Azure AD directory role
$role = Get-AzureADDirectoryRole -Filter "DisplayName eq 'Global Reader'"
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId a5d5a5e1-0f26-474d-a105-3553004c973b
Function
# get token with MSI: the Functions runtime exposes a local identity endpoint
$resourceURI = "https://outlook.office365.com/"
$tokenAuthURI = $env:IDENTITY_ENDPOINT + "?resource=$resourceURI&api-version=2019-08-01"
$tokenResponse = Invoke-RestMethod -Method Get -Headers @{"X-IDENTITY-HEADER"="$env:IDENTITY_HEADER"} -Uri $tokenAuthURI
$accessToken = $tokenResponse.access_token
# wrap the bearer token in a PSCredential; the endpoint converts Basic auth to OAuth
$Authorization = "Bearer {0}" -f $accessToken
$Password = ConvertTo-SecureString -AsPlainText $Authorization -Force
$Ctoken = New-Object System.Management.Automation.PSCredential -ArgumentList "OAuthUser@<your tenant GUID>",$Password
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/PowerShell-LiveId?BasicAuthToOAuthConversion=true -Credential $Ctoken -Authentication Basic -AllowRedirection -Verbose
# import the Exchange cmdlets, run a query, then tear the session down
Import-PSSession $Session | Format-List
Get-Mailbox
Remove-PSSession $Session
Upvotes: 4
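Added example, not part of the answer above: before opening the session, inspect the MSI token the identity endpoint returned and confirm it actually carries the Exchange.ManageAsApp app role from step a (the `roles` claim is the only evidence the assignment took effect) and the expected audience; the tenant id is read from the token's `tid` claim instead of being hard-coded. It assumes the same IDENTITY_ENDPOINT / IDENTITY_HEADER variables the answer uses; the function names are my own.

```powershell
# Added example (assumed helper names); runs inside the Azure Function.

function Get-MsiToken {
    param([string]$Resource = "https://outlook.office365.com/")
    $uri = "$($env:IDENTITY_ENDPOINT)?resource=$([uri]::EscapeDataString($Resource))&api-version=2019-08-01"
    $resp = Invoke-RestMethod -Method Get -Uri $uri -Headers @{ "X-IDENTITY-HEADER" = $env:IDENTITY_HEADER }
    return $resp.access_token
}

# Decode the JWT payload (base64url, unpadded) without verifying the signature;
# the signature is checked server-side, we only want to read the claims locally.
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Jwt)
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    return [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}

# Returns a list of problems; empty means the token is usable for app-only Exchange access.
function Test-ExchangeAppToken {
    param([Parameter(Mandatory)][string]$Jwt)
    $claims = ConvertFrom-JwtPayload -Jwt $Jwt
    $problems = @()
    if ($claims.aud -notin @("https://outlook.office365.com", "https://outlook.office365.com/")) {
        $problems += "unexpected audience '$($claims.aud)'"
    }
    if (-not ($claims.roles -contains "Exchange.ManageAsApp")) {
        $problems += "no Exchange.ManageAsApp app role in token (step a not applied or not yet propagated)"
    }
    # exp is seconds since the Unix epoch
    if ([DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp) -lt [DateTimeOffset]::UtcNow.AddMinutes(1)) {
        $problems += "token expires within a minute"
    }
    return $problems
}

$token  = Get-MsiToken
$issues = Test-ExchangeAppToken -Jwt $token
if ($issues) { throw "MSI token not usable for Exchange Online: $($issues -join '; ')" }

$tenantId = (ConvertFrom-JwtPayload -Jwt $token).tid
$Password = ConvertTo-SecureString -AsPlainText ("Bearer {0}" -f $token) -Force
$Ctoken   = New-Object System.Management.Automation.PSCredential -ArgumentList "OAuthUser@$tenantId", $Password
$Session  = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/PowerShell-LiveId?BasicAuthToOAuthConversion=true" -Credential $Ctoken -Authentication Basic -AllowRedirection
try {
    Import-PSSession $Session -CommandName Search-UnifiedAuditLog -AllowClobber | Out-Null
    Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) -ResultSize 10
} finally {
    Remove-PSSession $Session
}
```

If the `roles` check fails right after running step a, re-acquire the token rather than retrying the session: the identity endpoint caches tokens, so a stale one will keep failing until it expires.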